Almost all high-performance system software is written in the unsafe languages C and C++: for example, browsers, media players, operating systems, and almost all GNU tools. Unfortunately, this high performance comes at the cost of security. By default, these programs do not have the safety guarantees (such as memory safety and integer safety) provided by high-level languages like Java and Python. Most of the bugs in these programs manifest as vulnerabilities, which could be exploited to achieve arbitrary code execution.
We need techniques to check the security properties of software written in unsafe languages. However, system software has a complex setup and several runtime configurations, which pose considerable challenges for program testing and dynamic analysis. Static analysis is a well-known method to compute a program’s properties without executing it.
In this literature review, I will present:
1. How static analysis techniques have been used to improve the security of programs written in unsafe languages.
2. How and why these techniques evolved to the current state of the art.
3. What challenges are involved in the static analysis of current system software.
4. What directions in static analysis research are promising for solving the above challenges.