Analysis Tools¶
Analysis tools examine software for defects, vulnerabilities, and quality issues using techniques that range from mathematical reasoning over source code to runtime observation of executing programs. This section surveys the major categories of analysis tools used in vulnerability research and software assurance.
Taxonomy¶
Analysis tools divide into three broad categories based on whether they examine code at rest, observe it in motion, or combine both strategies.
Static analysis tools examine source code, bytecode, or binaries without executing them. They use techniques such as dataflow analysis, abstract interpretation, and pattern matching to identify potential bugs. Static tools can reason about all possible program paths but must approximate, which can produce false positives. They excel at finding known vulnerability patterns at scale and integrate naturally into CI/CD pipelines. Mature tools in this category include CodeQL, Coverity, Infer, and Semgrep.
Dynamic analysis tools detect bugs by instrumenting and observing programs during execution. Because they observe actual behavior, their findings are highly precise, a reported bug is a real bug. However, they can only find bugs triggered by the inputs they run, leaving untested paths uncovered. The sanitizer family (ASan, MSan, TSan, UBSan), Valgrind, and Frida are key tools in this space.
Hybrid approaches combine static and dynamic techniques to overcome the limitations of each. Static analysis can pre-filter code for suspicious patterns, and dynamic analysis can confirm or reject those findings. Tools like Frama-C, Triton, and IKOS represent different strategies for bridging this divide, from formal verification with dynamic validation to concolic execution that interleaves symbolic reasoning with concrete runs.
flowchart TD
A["Analysis Tools"] --> B["Static Analysis"]
A --> C["Dynamic Analysis"]
A --> D["Hybrid Approaches"]
B --> B1["AST / Pattern Matching"]
B --> B2["Dataflow Analysis"]
B --> B3["Abstract Interpretation"]
B --> B4["Query-Based (CodeQL)"]
C --> C1["Compile-Time Sanitizers"]
C --> C2["Binary Instrumentation"]
C --> C3["Process Injection"]
D --> D1["Formal Verification"]
D --> D2["Concolic Execution"]
D --> D3["Static Pre-filter + Dynamic Validation"]
style A fill:#1a1a2e,stroke:#16213e,color:#e0e0e0
style B fill:#0f3460,stroke:#16213e,color:#e0e0e0
style C fill:#533483,stroke:#16213e,color:#e0e0e0
style D fill:#0a6847,stroke:#16213e,color:#e0e0e0Section Contents¶
| Page | Description |
|---|---|
| Static Analysis | Source-code analysis tools, CodeQL, Coverity, Infer, Semgrep, Clang Static Analyzer, and Checkmarx. Comparison of query-based, dataflow, and pattern-matching approaches. |
| Dynamic Analysis | Runtime analysis tools, sanitizers (ASan, MSan, TSan, UBSan), Valgrind, Frida, DynamoRIO, and Intel Pin. Compile-time vs. runtime instrumentation trade-offs. |
| Hybrid Approaches | Tools and workflows that combine static and dynamic techniques, Frama-C, Triton, IKOS, and practical hybrid pipelines. |
How Analysis Tools Relate to Fuzzing¶
Analysis tools and fuzzing tools are deeply complementary. Fuzzers generate inputs to trigger bugs; analysis tools (particularly sanitizers) detect those bugs at runtime. The combination of a coverage-guided fuzzer with AddressSanitizer has become the standard methodology for automated vulnerability discovery in C/C++ software.
Static analysis also informs fuzzing strategy. Dataflow analysis can identify high-value targets (functions that process untrusted input, for instance) helping researchers focus their fuzzing efforts. Emerging work in AI/ML-assisted fuzzing takes this further, using program analysis to guide intelligent input generation.
Convergence Trend
The boundaries between analysis tools and fuzzing tools are blurring. Modern platforms increasingly combine static analysis, dynamic instrumentation, and automated input generation into unified workflows. Understanding all three categories (and how they complement each other) is essential for building an effective vulnerability research program.
tags: - glossary
Glossary¶
| Term | Definition |
|---|---|
| AFL | American Fuzzy Lop, coverage-guided fuzzer |
| ASan | AddressSanitizer, memory error detector |
| CVE | Common Vulnerabilities and Exposures |
| AFL++ | Community-maintained successor to AFL, the de facto standard coverage-guided fuzzer |
| AEG | Automatic Exploit Generation, automated creation of working exploits from vulnerability information |
| ANTLR | ANother Tool for Language Recognition, parser generator used by grammar-aware fuzzers like Superion |
| AST | Abstract Syntax Tree, tree representation of source code structure used by static analyzers |
| BOF | Buffer Overflow, writing data beyond allocated memory bounds, a common memory safety vulnerability |
| CFG | Control Flow Graph, directed graph representing all possible execution paths through a program |
| CGC | Cyber Grand Challenge, DARPA competition for autonomous vulnerability detection and patching |
| ClusterFuzz | Google's distributed fuzzing infrastructure that powers OSS-Fuzz |
| CodeQL | GitHub's query-based static analysis engine that treats code as a queryable database |
| Concolic | Concrete + Symbolic, execution that runs concrete values while tracking symbolic constraints |
| Corpus | Collection of seed inputs used by a coverage-guided fuzzer as the basis for mutation |
| Coverity | Synopsys commercial static analysis platform with deep interprocedural analysis |
| CPG | Code Property Graph, unified representation combining AST, CFG, and data-flow graph, used by Joern |
| CVSS | Common Vulnerability Scoring System, standard for rating vulnerability severity |
| CWE | Common Weakness Enumeration, categorization of software weakness types |
| DAST | Dynamic Application Security Testing, testing running applications for vulnerabilities |
| DBI | Dynamic Binary Instrumentation, modifying program behavior at runtime without recompilation |
| DFG | Data Flow Graph, graph representing how data values propagate through a program |
| DPA | Differential Power Analysis, extracting cryptographic keys by analyzing power consumption variations |
| Frida | Dynamic instrumentation toolkit for injecting scripts into running processes |
| Harness | Glue code connecting a fuzzer to its target, defining how fuzzed input is delivered |
| HWASAN | Hardware-assisted AddressSanitizer, ARM-based variant of ASan with lower overhead |
| IAST | Interactive Application Security Testing, combines elements of SAST and DAST during testing |
| Infer | Meta's open-source static analyzer based on separation logic and bi-abduction |
| KLEE | Symbolic execution engine built on LLVM for automatic test generation |
| LLM | Large Language Model, neural network trained on text/code, used for bug detection and code generation |
| LSAN | LeakSanitizer, detector for memory leaks, often used alongside AddressSanitizer |
| Meltdown | CPU vulnerability exploiting out-of-order execution to read kernel memory from user space |
| MITRE | Non-profit organization that maintains CVE, CWE, and ATT&CK frameworks |
| MSan | MemorySanitizer, detector for reads of uninitialized memory |
| NVD | National Vulnerability Database, NIST-maintained repository of vulnerability data |
| NIST | National Institute of Standards and Technology, US agency maintaining security standards and NVD |
| OSS-Fuzz | Google's free continuous fuzzing service for open-source software |
| OWASP | Open Worldwide Application Security Project, community producing security guides and tools |
| RCE | Remote Code Execution, vulnerability allowing an attacker to run arbitrary code on a target system |
| RL | Reinforcement Learning, ML paradigm where agents learn through reward-based feedback |
| S2E | Selective Symbolic Execution, whole-system analysis platform combining QEMU with KLEE |
| SARIF | Static Analysis Results Interchange Format, standard for exchanging static analysis findings |
| SAST | Static Application Security Testing, analyzing source code for vulnerabilities without execution |
| SCA | Software Composition Analysis, identifying known vulnerabilities in third-party dependencies |
| Seed | Initial input provided to a fuzzer as the starting point for mutation |
| Semgrep | Lightweight open-source static analysis tool using pattern-matching rules |
| Side-channel | Attack vector exploiting physical implementation artifacts rather than algorithmic flaws |
| SMT | Satisfiability Modulo Theories, solver used by symbolic execution to find inputs satisfying path constraints |
| Spectre | Family of CPU vulnerabilities exploiting speculative execution to leak data across security boundaries |
| SQLi | SQL Injection, injecting malicious SQL into queries via unsanitized user input |
| SSRF | Server-Side Request Forgery, tricking a server into making requests to unintended destinations |
| SymCC | Compilation-based symbolic execution tool that is 2--3 orders of magnitude faster than KLEE |
| Taint analysis | Tracking the flow of untrusted data from sources to security-sensitive sinks |
| TOCTOU | Time-of-Check-Time-of-Use, race condition between validating a resource and using it |
| TSan | ThreadSanitizer, detector for data races in multithreaded programs |
| UAF | Use-After-Free, accessing memory after it has been deallocated |
| UBSan | UndefinedBehaviorSanitizer, detector for undefined behavior in C/C++ |
| Valgrind | Dynamic binary instrumentation framework for memory debugging and profiling |
| XSS | Cross-Site Scripting, injecting malicious scripts into web pages viewed by other users |
| Fine-tuning | Adapting a pre-trained ML model to a specific task using additional training data |
| Abstract interpretation | Mathematical framework for approximating program behavior using abstract domains |
| Dataflow analysis | Tracking how values propagate through a program to detect bugs like taint violations |