Traditionally, program analysis is for experts only: it is hard to create non-trivial yet accurate analyses. lgtm changes that, and makes the power of deep program analysis available to everyone, by treating source code as a database and analyses as concise queries in an object-oriented query language. A common use case is finding variants of known vulnerabilities: for example, this one in ChakraCore was found that way, as was this remote code execution vulnerability in Apache Struts. In this talk, I’ll discuss examples such as these, both from open source and from commercial customers. I’ll also speculate on why the technology behind lgtm succeeded where previous attempts to use queries for program analysis did not. A free instance of lgtm is running at lgtm.com, continuously analysing all commits on over 50,000 open source projects, and including an in-browser IDE for creating new queries.
Oege de Moor is the CEO and Founder of Semmle. Semmle’s mission is to secure the software that runs the world. From 1994 to 2014, Oege was a professor of computer science at the University of Oxford, where he did research in programming languages and tools. Semmle’s products are used by Microsoft, Google, NASA, NASDAQ, Credit Suisse, Dell, and many other leading software organisations. It has offices in Oxford, Copenhagen, Valencia, New York, San Francisco and Seattle. The technology at Semmle is a fun combination of deep theory (if you like lattice theory, you’ll like our engine), good engineering (making it work on some of the largest code bases on the planet) and cool applications (like the 0-days we report in open source). Semmle is always on the look-out for new team members.
Thu 19 Jul, 09:15 - 10:15
Oege de Moor, Semmle