Oracle Parfait: The Flavour of Real-World Vulnerability Detection


Paddy Krishnan
Oracle Labs, Australia

Abstract

The Parfait static code analysis tool focuses on detecting vulnerabilities in C, C++, Java and PL/SQL code. Parfait is used every day around the world by thousands of Oracle developers. Its focus has been on four key items expected of a commercial tool that lives in a commercial organisation:

– precision of results (i.e., high true positive rate),
– scalability (i.e., being able to quickly scan millions of lines of code),
– incremental analysis (i.e., run over deltas of the code quickly), and
– usability (i.e., ease of integration into standard build processes and reporting).

In this presentation, we will sample a flavour of Parfait. We explore some real-world challenges faced in the creation of a robust vulnerability detection tool, we look into two examples of vulnerabilities that severely affected the Java platform in 2012-13 and most machines in 2017-18, and we conclude by recounting what matters to developers for integration into today’s continuous integration and continuous delivery (CI/CD) pipelines.

Speaker’s Bio

Paddy Krishnan is a senior researcher at Oracle Labs in Brisbane. The Lab focuses on the use of program analysis to detect security vulnerabilities in software and to enhance the productivity of developers. Paddy has worked on detecting vulnerabilities in the JDK and in Java-based web applications. He is also interested in automatic test generation and the use of machine learning in program analysis. Prior to joining Oracle Labs, he was an academic for over 20 years, with industrial research experience at Siemens Research, Germany, and Tata Research (TRDDC), India. He is a Senior Member of both the ACM and the IEEE.