
Somewhat unexpectedly for ourselves, we realized that we can cooperate with information security experts to mutual benefit. Those who look for vulnerabilities in application code can use a free version of the PVS-Studio analyzer in their research; in turn, if they find vulnerabilities with its help, the analyzer gains publicity. PVS-Studio can be used to examine projects written in C and C++.
It all started with the open letter "The PVS-Studio team is ready to work on the Tizen project", with which we wanted to attract the attention of Samsung Electronics. Samsung cares about the reliability and security of the Tizen operating system and sponsors research on the topic; for example, the company has invested more than $10 million in the Svace static analyzer being developed at ISP RAS. We decided that the PVS-Studio analyzer could also be useful to Tizen developers once it found errors in that project.
By the way, according to my estimate, PVS-Studio could help identify and fix about 27,000 errors in Tizen. That is a separate story which I will tell later; for now you can look at the presentation with the calculations: RU: pptx, slideshare; EN: pptx, slideshare.
After that, we were contacted by Amihai Neiderman (@AAAAAAmihai), who was interested in the capabilities of the PVS-Studio analyzer. Just a month earlier Amihai Neiderman had given a conference talk on vulnerabilities in the Tizen operating system: Breaking Tizen.
We talked with him and issued a PVS-Studio license for his further vulnerability research. Whether he manages to find vulnerabilities with our analyzer remains to be seen, but it is worth trying, because everyone wins. Amihai Neiderman gets a new tool that points out suspicious code in which vulnerabilities may hide. If a vulnerability is found, he will have a reason to mention PVS-Studio in his next talk, and that is good additional advertising for our tool.
That gave us an idea. Strangely, it had not occurred to us earlier, but that is common with good ideas :). We should build similar cooperation with other experts who look for vulnerabilities.
If you are a security expert who publishes research and looks for vulnerabilities, write to us and get a license for the PVS-Studio analyzer. We will help with checking various projects and provide support in general. If you find vulnerabilities, we will be grateful for a mention in your publications or talks.
To get a license and support, you will have to confirm that you work on security and publish your results, for example as articles. The details can be settled as we talk. If you are interested, write to us at support [@] viva64.com.
Not every analyzer warning points to an error worth studying from a security point of view. For example, the V665 warning is unlikely to help in vulnerability hunting. Such warnings are easy to turn off so that you study only the interesting messages, and, as mentioned above, we are ready to help with any questions.
Note. Previously we did not position our analyzer as a tool for preventing vulnerabilities; we wrote articles about finding ordinary errors. Now we want programmers to see PVS-Studio not only as a tool for catching typos and other blunders, but also as one that helps prevent many vulnerabilities. The analyzer finds many errors that can be classified according to CWE (example). Under certain circumstances a CWE weakness turns into a CVE. So by using PVS-Studio a programmer not only removes errors from the code, and thereby cuts development costs, but also prevents many vulnerabilities.
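As an added illustration of the point above, not code from this article, from PVS-Studio, or from any project it mentions: one ordinary-looking copy bug that is also a CWE weakness, shown beside its hardened form. The struct, its field names, the NAME_LEN limit and the sample inputs are hypothetical and constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Hypothetical record. The field placed after the buffer is what an
 * overflow would clobber, which is how an "ordinary" copy bug becomes
 * a privilege-relevant weakness rather than just a crash. */
struct user {
    char name[NAME_LEN];
    int  admin;
};

/* Unsafe form (CWE-120, unbounded copy into a fixed-size buffer): the
 * source length is never checked, so a name of NAME_LEN or more bytes
 * writes past name[] into admin and beyond. Kept only to show the
 * pattern a static analyzer reports; never call it with untrusted input. */
void set_name_unsafe(struct user *u, const char *name)
{
    strcpy(u->name, name);
}

/* Hardened form: scan at most NAME_LEN bytes of the source, refuse any
 * input that does not fit together with its terminator, and report the
 * failure instead of silently truncating. Returns 0 on success, -1 if
 * the input was rejected (the record is left untouched in that case). */
int set_name(struct user *u, const char *name)
{
    size_t len = 0;
    while (len < NAME_LEN && name[len] != '\0')   /* bounded length scan */
        len++;
    if (len >= NAME_LEN)                          /* no room for the '\0' */
        return -1;
    memcpy(u->name, name, len + 1);               /* copy including terminator */
    return 0;
}

int main(void)
{
    struct user u = { "", 0 };
    const char *ok  = "alice";                               /* constructed input */
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";      /* 32 bytes, constructed */
    int rc;

    rc = set_name(&u, ok);
    printf("set_name(\"%s\") -> %d, name=\"%s\", admin=%d\n", ok, rc, u.name, u.admin);

    rc = set_name(&u, bad);
    printf("set_name(%zu bytes) -> %d, name=\"%s\", admin=%d\n",
           strlen(bad), rc, u.name, u.admin);
    return 0;
}
```

The hardened version deliberately rejects oversized input rather than truncating it: truncation keeps the program memory-safe but can itself produce logic bugs (two distinct names colliding after the cut), and an explicit error return is what a caller can check and log.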
References:
- PVS-Studio analyzer. Download version for: Windows, Linux.
- An updated list of articles in which we describe errors found with PVS-Studio in open source projects.
- Errors detected in open source projects by PVS-Studio developers using static analysis: the error base.