
Hey there! tojarrett is using Twitter.


tojarrett

  1. @ggreeneva Not that we Wahoos know from experience, or anything (cough Wilder cough).
  2. @johnedgarpark Come to Boston. Amazing Italian marzipan in 3 or 4 bakeries in the North End.
  3. @frama_c Thx for the pointer. Not that hard to check conditional logic if you model the control flow. That's hard to do with strings.
  4. RT @MarkKriegsman: FYI "Grackle68k" = new Twitter client for 68K Macs w/ System 6 through Mac OS 9. http://is.gd/4YMiD <- #whaa #brainhurts
  5. @frama_c Do you mean this A3? http://bit.ly/2Errzo
  6. Last thought on this: finding private API usage is trivial. Finding sensitive data exfiltration is not & requires real static analysis.
  7. @mdhughes Now, if you're saying Apple has written their own static binary analyzer that is not commercially available, that's another thing.
  8. @mdhughes ...and the claim I was originally responding to was that Apple was using static analysis tools on App Store submissions.
  9. @mdhughes You're right, there are lots of ways to find things in binaries. dtrace is one of them, but it's a dynamic tool, not static.
  10. @mdhughes (cont'd) ... and Apple can't use those tools to find flaws in app store binaries they didn't write, is all I was trying to say.
  11. @mdhughes A dev can use one of those tools to analyze code he wrote, but can't find flaws in libraries he didn't.... (cont'd)
  12. @DavidWLocke (cont'd) You don't need to know the arguments to know if an API is being called, just that the function is being called.
  13. @mdhughes I said, without source. Checkmarx, Coverity, DMS, Fortify, GrammaTech, Klocwork, Ounce all analyze source. Veracode does binary.
  14. @DavidWLocke Names of external functions called by an application are listed in the app's import table. (cont'd)
  15. @mdhughes I'm unaware of another commercial offering that does static binary analysis, with data & control flow, w/o source. Enlighten me.
  16. @DavidWLocke Apple may be performing some level of analysis on the binary (checking strings to find called functions). Prob not reversing.
  17. @chriseng Yup. Which is why I think calling it "static analysis" is a stretch at best, misleading at worst.
  18. Of course, what is probably going on here is that someone has confused "static analysis" with "looking at the strings in the binary."
  19. And we haven't heard of anyone doing static binary on Objective C. I'd be interested to be proven wrong on this.
  20. Static BINARY analysis (not requiring source) is real on some languages (Java/C#). But only @Veracode can do it on C/C++ binaries.