Friday, September 09, 2011

Short note on static analysis and lobbying

After getting annoyed with Twitters 140-char limit to make a sane point, I switch back to an old-school medium that allows actual arguments ;)

I was commenting on the dishonesty in lobbying for legally mandated static analysis with "cyber security" as an underlying argument.

I think this is a total bullshit argument.

Static analysis is good at removing a large number of low-hanging fruit when it comes to both reliability and security bugs. But: Static analysis alone fails to significantly increase the resilience of real-world systems against determined attacks (although it may increase the resilience to really casual attacks).

So I think it is good & sane to mandate static analysis for some pieces of code for reliability reasons. I'd rather fly in an airplane with formally verified avionics code.

The reality is though that even the most sophisticated static analysis systems nowadays are not terribly good at dealing with dynamically allocated memory, suffer from grotesque overapproximation as a result of summarizing dynamically allocated memory, and in general don't deal with many common programming patterns very well.

Avionics code without dynamic memory allocation and a team of people getting a static analyzer going profits a lot from static analysis. The browser that I am typing this in profits much less: It uses a gazillion programming idioms that are notoriously hard to analyze. No existing and generally available static analysis will significantly impact the difficulty of finding a remotely exploitable bug in this browser.

So, in short: Using SA can have great benefits in particular scenarios. Verifying an avionics system is a great example. Verifying a microkernel that allows me to safely sandbox my terribly buggy browser is another example. Mandating SA for general software development is insanity, though: The current state of research (let's not even speak about available products) isn't capable of impacting the resiliency (against determined attack) of a browser or document viewer significantly. Let's not kid ourselves: The technology just isn't there, and won't be for another few years.

Tuesday, March 01, 2011

Wow ...

The company that produces your favourite security researchers' favourite tools has been acquired by Google. You, dear reader, have every right to be surprised; we ourselves are still recovering from the happy surprise.

"In mathematics, you don't understand things. You just get used to them."

-- John von Neumann


Old Jonny was right, but you might substitute "mathematics" with "life" in the above.

zynamics was never designed to be acquired. To be quite honest, zynamics wasn't designed at all -- it mostly just "happened". We never had a plan outside of "build the tools that we want to have, others will then want to have them too". We never took venture capital, and the only business plan I ever created was a half-baked attempt made with wizard software. It was never updated. The fact that we exceeded the forecasts was mostly due to me being an overly pessimistic planner.

Calling our structure engineering-centric would be an understatement; our everything-to-engineering ratio is roughly 7% (if I may still count myself as an engineer).

As we grew, the problems that we wanted to solve grew too -- at a much faster rate than our resources to solve them. The result was that I spent more and more time running around managing, doing sales, and acquiring resources so that my team could do the technical work that I love and am good at. I wanted the chance to focus on technical issues again.

So at some point in this process we started talking with Google, much to our own surprise. We had not anticipated this -- we are not web-centric, we are far away from their core business: At first glance the acquisition seemed like a strange choice for both sides.

Yes, we have excellent technology and a core of great engineers; we were just surprised about the fact that Google would be interested. It was certainly not an obvious pick.

Then again, Google shares an engineering-centric culture, and has just the resources we're lacking.

"The purpose of computing is insight, not numbers."

-- Richard Hamming


A friend of mine (rightfully) mocked me for trying to perform serious computation on something that strongly resembles a pocket calculator. According to him, there's roughly one and a half computers in this world -- and Google happens to have one of them. I tend to concur.

So, as of today, I can say that the entire zynamics team has joined Google. I am looking forward to tackling problems with the resources that Google can provide.

While there will be some changes, our products are not going away - on the contrary !


"Et si tu me demandes quel est donc ce 'propos' que je poursuis a longeur a mille pages, je repondrai: c'est de faire le recit, et par la-meme la decouverte, de l'aventure interieure qu'a ete et qu'est ma vie."

-- Alexandre Grothendiek


Running zynamics with my team was an exciting experience, but I have no doubt that the future will be every bit as exciting.