Despite years of research and practice, modern static analysis techniques still cannot detect oldest and extremely well understood software bugs such as the Heartbleed, one of the most “spectacular” security flaws of the recent decade. A remedy, as what we have attempted through the successful commercialization of the Pinpoint platform (PLDI 18), is to make static program analysis aware of the basic characteristics of the modern enterprise-scale software system. The talk focuses on discussing these characteristics and how Pinpoint addresses them pragmatically as well as its future directions. Pinpoint is a LLVM-based cross-language static analysis platform and deployed in major Chinese tech companies such as Tencent, Baidu, Huawei, and Alibaba.

This will be the same talk shared from the REBASE-track.

My general research interest centers around the use of both static and dynamic programming analysis techniques for making complex software systems more secure and reliable. I’m an Associate Professor and director of the Cybersecurity Lab at HKUST. My research received an ICSE and a PLDI distinguished paper award, as well as the ACM SIGSOFT Doctoral Dissertation Award, and IBM PhD fellowships. I co-founded and served as the chairman of Sourcebrella Inc, a static analysis tool vendor.