Ask HN: Logical Vulnerability Discovery?
I understand fuzzing is bombarding with malformed or corner-case inputs. But are there tools that, given target source and language model, will systematically pinpoint (at least some) logical vulnerabilities?
  User list[10];
  int id = read(input);
  print(list[id]); // WARN unbounded user-controlled index!

Symbolic execution will be able to detect these kinds of errors. I'm not aware of any widely used commercial application as it's still mostly a research topic.
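To make the "symbolic execution would catch this" point concrete, here is an added example that is not from the thread or any commenter: a toy symbolic executor in Python over a small Python subset, run against a Python rendering of the snippet above. It tracks, per variable, whether the value is attacker-controlled and what interval the path condition has narrowed it to, and flags any index into a fixed-size array that is tainted and not proven to be within 0..len-1. The function name `read_input` is an assumed stand-in for the untrusted source, and the three analyzed programs are constructed for the example.

```python
"""Toy symbolic execution: flag user-controlled, unbounded array indexes.

Added example, not code from the thread. Supports assignments, `[x] * N`
arrays, `len()`, `if` with (chained) comparisons, and subscripts.
Requires Python 3.9+ (ast.unparse)."""
import ast
from dataclasses import dataclass
from typing import Optional

SOURCE_FUNCS = {"read_input", "input"}   # assumed names of untrusted sources


@dataclass
class Sym:
    lo: Optional[int] = None       # None = unbounded below
    hi: Optional[int] = None       # None = unbounded above
    tainted: bool = False          # derived from untrusted input?
    length: Optional[int] = None   # set when the value is an array of known size


def _min(a, b): return b if a is None else min(a, b)
def _max(a, b): return b if a is None else max(a, b)


def _eval(node, env):
    """Abstract value of an expression under the current symbolic state."""
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return Sym(node.value, node.value)
    if isinstance(node, ast.Name):
        return env.get(node.id, Sym())
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
        if node.func.id in SOURCE_FUNCS:
            return Sym(tainted=True)               # attacker picks any integer
        if node.func.id == "len" and node.args:
            arr = _eval(node.args[0], env)
            if arr.length is not None:
                return Sym(arr.length, arr.length)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mult):
        if isinstance(node.left, ast.List) and isinstance(node.right, ast.Constant):
            return Sym(length=node.right.value)    # [x] * N -> array of N
    if isinstance(node, ast.List):
        return Sym(length=len(node.elts))
    return Sym()                                   # unknown: unbounded, untainted


def _apply(left, op, right, env):
    """Narrow the interval of a variable on either side of one comparison."""
    lv, rv = _eval(left, env), _eval(right, env)
    if isinstance(left, ast.Name):                 # var OP expr
        s = Sym(lv.lo, lv.hi, lv.tainted, lv.length)
        if isinstance(op, ast.Lt) and rv.hi is not None:    s.hi = _min(s.hi, rv.hi - 1)
        elif isinstance(op, ast.LtE) and rv.hi is not None: s.hi = _min(s.hi, rv.hi)
        elif isinstance(op, ast.Gt) and rv.lo is not None:  s.lo = _max(s.lo, rv.lo + 1)
        elif isinstance(op, ast.GtE) and rv.lo is not None: s.lo = _max(s.lo, rv.lo)
        env[left.id] = s
    if isinstance(right, ast.Name):                # expr OP var, e.g. 0 <= idx
        s = Sym(rv.lo, rv.hi, rv.tainted, rv.length)
        if isinstance(op, ast.Lt) and lv.lo is not None:    s.lo = _max(s.lo, lv.lo + 1)
        elif isinstance(op, ast.LtE) and lv.lo is not None: s.lo = _max(s.lo, lv.lo)
        elif isinstance(op, ast.Gt) and lv.hi is not None:  s.hi = _min(s.hi, lv.hi - 1)
        elif isinstance(op, ast.GtE) and lv.hi is not None: s.hi = _min(s.hi, lv.hi)
        env[right.id] = s


def _refine(test, env):
    """Copy of env narrowed by the path condition `test` being true."""
    new = dict(env)
    if isinstance(test, ast.Compare):
        left = test.left
        for op, right in zip(test.ops, test.comparators):   # a <= x < b -> two pairs
            _apply(left, op, right, new)
            left = right
    return new


def _check_index(sub, env, findings):
    arr, idx = _eval(sub.value, env), _eval(sub.slice, env)
    if arr.length is None or not idx.tainted:
        return
    in_bounds = (idx.lo is not None and idx.lo >= 0 and
                 idx.hi is not None and idx.hi < arr.length)
    if not in_bounds:
        findings.append(f"line {sub.lineno}: user-controlled index {ast.unparse(sub.slice)} "
                        f"into {ast.unparse(sub.value)}[{arr.length}], "
                        f"proven range [{idx.lo}, {idx.hi}]")


def _exec_block(stmts, env, findings):
    for st in stmts:
        if isinstance(st, ast.If):
            # true branch runs under the narrowed state; the else branch and
            # the code after the if keep the unnarrowed state (no negation yet)
            _exec_block(st.body, _refine(st.test, env), findings)
            _exec_block(st.orelse, dict(env), findings)
            continue
        for sub in ast.walk(st):                   # every array access in the statement
            if isinstance(sub, ast.Subscript):
                _check_index(sub, env, findings)
        if isinstance(st, ast.Assign) and isinstance(st.targets[0], ast.Name):
            env[st.targets[0].id] = _eval(st.value, env)


def analyze(src: str) -> list[str]:
    findings: list[str] = []
    _exec_block(ast.parse(src).body, {}, findings)
    return findings


# Constructed inputs: the snippet from the comment above, unchecked, half-checked, checked.
VULN = "lst = [0] * 10\nidx = read_input()\nprint(lst[idx])\n"
HALF = "lst = [0] * 10\nidx = read_input()\nif idx < len(lst):\n    print(lst[idx])\n"
SAFE = "lst = [0] * 10\nidx = read_input()\nif 0 <= idx < len(lst):\n    print(lst[idx])\n"

if __name__ == "__main__":
    for name, src in (("VULN", VULN), ("HALF", HALF), ("SAFE", SAFE)):
        print(name, analyze(src) or "no findings")
```

The HALF program is the case worth noticing: an upper-bound check alone still leaves a negative, attacker-chosen index reachable, and the interval state shows exactly which side of the check is missing. A real engine (KLEE, angr, or a static analyzer's range analysis) replaces the hand-written interval arithmetic with an SMT solver and handles loops, function calls and negated path conditions, but the shape of the reasoning is the same.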
Perl has "taint mode":
http://man.he.net/man1/perlsec
It is not exactly what you are looking for, but I am not aware of anything else that matches what you want.
CodeQL will do this for some languages; the kind of bugs I've seen it identify have been pretty impressive. I'm sure there are some other static analyzers that can do this as well.