On Jul 30, 2009, at 10:57 PM, Pravir Chandra wrote:
> First, I generally agree that there are many factors that make the true and factual fidelity of static analysis really REALLY difficult.
All good points, to be sure.

I'm a pragmatist, perhaps at times to a fault. Let's not overlook in this debate the perspective of the practitioner. Often, analysis of "binaries" (and I'm including here bytecode of various types) is done because the practitioner lacks access to the src (e.g., third party libraries and such). I expect that anyone analyzing a system would at least _want_ to analyze the src code if it is available. That is, among the various things one would want to look at, including dynamic analysis of binaries.

I'm sure this is all glaringly obvious, but what the heck.

Cheers,

Ken

-----
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

(This email is digitally signed with a free x.509 certificate from CAcert. If you're unable to verify the signature, try getting their root CA certificate at http://www.cacert.org -- for free.)
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________