tojarrett
-
@ Not that we Wahoos know from experience, or anything (cough Wilder cough).
about 16 hours ago
from Tweetie
in reply to ggreeneva
-
@ Come to Boston. Amazing Italian marzipan in 3 or 4 bakeries in the North End.
about 16 hours ago
from Tweetie
in reply to johnedgarpark
-
@ Thx for the pointer. Not that hard to check conditional logic if you model the control flow. That's hard to do with strings.
about 16 hours ago
from Tweetie
in reply to frama_c
-
RT @: FYI "Grackle68k" = new Twitter client for 68K Macs w/ System 6 through Mac OS 9. <-
6:48 AM Nov 19th
from Tweetie
-
@ Do you mean this A3?
5:58 AM Nov 17th
from TweetDeck
in reply to frama_c
-
Last thought on this: finding private API usage is trivial. Finding sensitive data exfiltration is not & requires real static analysis.
7:42 PM Nov 16th
from web
-
@ Now, if you're saying Apple has written their own static binary analyzer that is not commercially available, that's another thing.
7:07 PM Nov 16th
from Tweetie
in reply to mdhughes
-
@ ...and the claim I was originally responding to was that Apple was using static analysis tools on App Store submissions.
7:06 PM Nov 16th
from Tweetie
in reply to mdhughes
-
@ You're right, there are lots of ways to find things in binaries. dtrace is one of them, but it's a dynamic tool, not static.
7:05 PM Nov 16th
from Tweetie
in reply to mdhughes
-
@ (cont'd) ... and Apple can't use those tools to find flaws in app store binaries they didn't write, is all I was trying to say.
6:56 PM Nov 16th
from Tweetie
in reply to mdhughes
-
@ A dev can use one of those tools to analyze code he wrote, but can't find flaws in libraries he didn't.... (cont'd)
6:55 PM Nov 16th
from Tweetie
in reply to mdhughes
-
@ (cont'd) You don't need to know the arguments to know if an API is being called, just that the function is being called.
6:53 PM Nov 16th
from Tweetie
in reply to DavidWLocke
-
@ I said, without source. Checkmarx, Coverity, DMS, Fortify, GrammaTech, Klocwork, Ounce all analyze source. Veracode does binary.
6:53 PM Nov 16th
from Tweetie
in reply to mdhughes
-
@ Names of external functions called by an application are listed in the app's import table. (cont'd)
6:51 PM Nov 16th
from Tweetie
in reply to DavidWLocke
-
@ I'm unaware of another commercial offering that does static binary analysis, with data & control flow, w/o source. Enlighten me.
6:36 PM Nov 16th
from Tweetie
in reply to mdhughes
-
@ Apple may be performing some level of analysis on the binary (checking strings to find called functions). Prob not reversing.
6:33 PM Nov 16th
from Tweetie
in reply to DavidWLocke
-
@ Yup. Which is why I think calling it "static analysis" is a stretch at best, misleading at worst.
10:14 AM Nov 16th
from TweetDeck
in reply to chriseng
-
Of course, what is probably going on here is that someone has confused "static analysis" with "looking at the strings in the binary."
10:10 AM Nov 16th
from TweetDeck
-
And we haven't heard of anyone doing static binary on Objective C. I'd be interested to be proven wrong on this.
10:10 AM Nov 16th
from TweetDeck
-
Static BINARY analysis (not requiring source) is real on some languages (Java/C#). But only @ can do it on C/C++ binaries.
10:09 AM Nov 16th
from TweetDeck
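The distinction running through the tweets above, as an added example that is not the author's code or Veracode's tool: a private-API check is a set lookup over the callee names an import-table or strings scan recovers, while a data-exfiltration check needs taint tracking through registers and across conditional branches. The toy instruction format, the register and API names, the source/sink lists and the three sample "apps" are all constructed for illustration and are not real disassembly.

```python
"""Added example (not the author's or Veracode's code): a private-API
check is a name lookup over the import table; catching exfiltration
needs data- and control-flow analysis. Everything here is a constructed
toy: the "disassembly" is a list of tuples, and the register names,
API names and three sample apps are made up."""
from collections import deque

# Assumed sensitive-data sources and network sinks (hypothetical names).
SOURCES = {"ABAddressBookCopyArrayOfAllPeople", "CLLocationManager_location"}
SINKS = {"NSURLConnection_send"}
PRIVATE_APIS = {"_privateHelper"}  # hypothetical private symbol

# Toy IR (hypothetical):
#   ("const", dst, value)                 literal into a register
#   ("mov", dst, src)                     register copy
#   ("call", dst_or_None, name, *args)    call by name, args are registers
#   ("br", cond_reg, target_index)        conditional jump, also falls through
#   ("ret",)

# Reads the address book and uploads it, but only behind a branch.
EXFIL_APP = [
    ("call", "r0", "ABAddressBookCopyArrayOfAllPeople"),
    ("call", "r1", "NSJSONSerialization_dataWithJSONObject", "r0"),
    ("mov", "r3", "r1"),
    ("call", "r2", "isWifiAvailable"),
    ("br", "r2", 6),
    ("ret",),
    ("call", None, "NSURLConnection_send", "r3"),
    ("ret",),
]
# Same import table as above, but contacts only reach the UI; the upload is a literal.
BENIGN_APP = [
    ("call", "r0", "ABAddressBookCopyArrayOfAllPeople"),
    ("call", None, "UITableView_reloadData", "r0"),
    ("const", "r1", "ping"),
    ("call", None, "NSURLConnection_send", "r1"),
    ("ret",),
]
PRIVATE_APP = [("call", "r0", "_privateHelper"), ("ret",)]


def imports(code):
    """Callee names: all that a strings or import-table scan sees."""
    return {ins[2] for ins in code if ins[0] == "call"}


def uses_private_api(code, private=PRIVATE_APIS):
    """The trivial check: a set intersection on names."""
    return sorted(imports(code) & private)


def names_only_suspicious(code, sources=SOURCES, sinks=SINKS):
    """What names alone can say: a source and a sink are both present."""
    names = imports(code)
    return bool(names & sources) and bool(names & sinks)


def successors(code, i):
    """Control-flow edges out of instruction i."""
    op = code[i][0]
    if op == "ret":
        return []
    succ = [i + 1] if i + 1 < len(code) else []
    if op == "br":
        succ.append(code[i][2])
    return succ


def transfer(ins, taint, sources, sinks, findings):
    """Propagate taint (reg -> frozenset of source names) across one instruction."""
    out = dict(taint)
    op = ins[0]
    if op == "const":
        out[ins[1]] = frozenset()  # literals are never tainted
    elif op == "mov":
        out[ins[1]] = taint.get(ins[2], frozenset())
    elif op == "call":
        dst, name, args = ins[1], ins[2], ins[3:]
        arg_taint = frozenset().union(*(taint.get(a, frozenset()) for a in args))
        if name in sinks:
            for src in arg_taint:
                findings.add((src, name))  # tainted data reaches a sink
        if dst is not None:
            # A source call taints its result; any other call passes arg taint through.
            out[dst] = frozenset({name}) if name in sources else arg_taint
    return out


def find_exfiltration(code, sources=SOURCES, sinks=SINKS):
    """Forward taint analysis to a fixed point over the control-flow graph.
    Returns sorted (source, sink) pairs reachable along some path."""
    state_in = [{} for _ in code]
    findings = set()
    worklist = deque(range(len(code)))
    while worklist:
        i = worklist.popleft()
        out = transfer(code[i], state_in[i], sources, sinks, findings)
        for s in successors(code, i):
            merged, changed = dict(state_in[s]), False
            for reg, t in out.items():
                joined = merged.get(reg, frozenset()) | t  # join = union
                if joined != merged.get(reg, frozenset()):
                    merged[reg], changed = joined, True
            if changed:
                state_in[s] = merged
                if s not in worklist:
                    worklist.append(s)
    return sorted(findings)


if __name__ == "__main__":
    for label, app in [("exfil", EXFIL_APP), ("benign", BENIGN_APP), ("private", PRIVATE_APP)]:
        print(label, uses_private_api(app), names_only_suspicious(app), find_exfiltration(app))
```

The two non-private apps have identical import tables, so a name scan flags both (or neither); only the flow analysis separates the one that hands address-book data to the network call from the one that does not, and it still finds the upload that sits behind the Wi-Fi check because the branch is modeled as a second successor edge.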
- Name tojarrett
- Location iPhone: 42.426417,-71.185224
- Web http://wp.jarrett...
- Bio Product manager for Veracode -- on demand application security assessments. Tireless self-publisher, amateur vocalist.