Scalable Static Analysis to Detect Security Vulnerabilities: Challenges and Solutions

Nathan Keynes, Francois Gauthier, Nicholas Allen, Diane Corney, Padmanabhan Krishnan, Cristina Cifuentes

21 February 2022

Parfait is a static analysis tool originally developed to find defects in C/C++ systems code. It has since been extended to detect injection attacks in Java and PL/SQL applications. Parfait has been deployed internally at Oracle, is used by thousands of developers, and can be integrated at commit time, run in the nightly build, or used standalone. Commit-time integration brings security closer to developers and gives them the opportunity to fix defects before they are merged. This poster presents some of the challenges we encountered in the process of extending Parfait from a defect analyser for C/C++ to a security analyser for Java and PL/SQL, and the solutions that enabled us to analyse a variety of commercial enterprise applications in a fast and precise way.

Venue: Cyber Defence Next Generation Technology 2021