If it works, it’s legacy: analysis of legacy code

David A. Wheeler - Institute for Defense Analyses (IDA)

Dr. Wheeler will provide an overview of how sound static analysis approaches can facilitate the development of higher quality and more secure versions of existing software.  He will discuss the balance of risk and expense that must be considered when contemplating total redevelopment. Given, these systems can be: large, are not designed to be analyzed, and are often written in languages difficult to analyze, an engineering mindset, rather than a scientific or mathematical mindset is indicated.  Examples of approaches that can help include: lightweight formal methods (which emphasize partial specification and focused application), sound analysis of high-level models (particularly of protocols), easing the combination of sound analysis with other approaches (e.g., strengthening tests, human review, and start-up checks), analysis of prevention/hardening/detection/response mechanisms, improving tools to handle scale and real constructs (not subset), providing useful feedback on "how to change the code to be analyzable," and improving the interactions between developers and makers of sound tools.  Releasing sound analysis tools as open source software (OSS) enables users to improve the tools so that they be purposed or repurposed to a specific use. Perhaps most importantly, supporting incremental application greatly eases adoption and use.

Download this presentation

David Wheeler

About David A. Wheeler

Dr. David A. Wheeler is a recognized expert on developing secure software and open source software (OSS). He is often consulted by the US Senate and House on these rapidly evolving areas of applied research. His work on developing secure software include "State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation 2016," "Secure Programming HOWTO," and "Fully Countering Trusting Trust through Diverse Double-Compiling (DDC)".  He leads the Linux Foundation Core Infrastructure Initiative (CII) Best Practices project. He is a researcher at the Institute for Defense Analyses (IDA) and teaches graduate courses in developing secure software at George Mason University (GMU). Dr. Wheeler has a PhD in Information Technology, a Master's in Computer Science, a certificate in Information Security, and a B.S. in Electronics Engineering, all from GMU, and is a Certified Information Systems Security Professional (CISSP).  He lives in Northern Virginia.