Static program analysis tools, such as Synopsys’ Coverity SAST, Semmle’s Code Analysis Platform, and Facebook’s Infer, promise to increase the pace of software development by finding bugs earlier in the development process, so they can be fixed inexpensively. A research study by Facebook found that by integrating analysis tool results with continuous integration processes, developers fixed more than 70% of flagged issues.
Analysis tools typically require access to an application’s source code. This requirement has the unfortunate consequence that when an application uses third-party machine code libraries, the analysis tool will ignore them. This means it can miss bugs (or falsely signal them) involving the interaction between the application and the library.
Affix is a software tool that addresses this problem by automatically generating a source-code model from machine code for the library, so that it can be analyzed along with the application. In doing so, it reveals library code behaviors to the analysis tool, and makes it possible to avoid missed bugs or false alarms in the application.
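A small illustration of the gap described above, added here and not taken from Affix or its output: the library function `lib_find`, its record type, and the hand-written model are all hypothetical. The model is the kind of source-level stand-in that lets an analyzer follow a library's NULL return into the application code.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical record type exported by a binary-only library. */
struct rec { const char *key; int value; };

/* What the analyzer sees without a model: a bare prototype.
 * Nothing says the result can be NULL, so the dereference in
 * app_value_unchecked() is either missed or reported on a guess.
 *
 *     const struct rec *lib_find(const char *key);
 */

/* Hand-written source model standing in for the machine code.
 * It keeps the one behaviour that matters to callers: an unknown
 * key returns NULL. Table contents are constructed sample data. */
static const struct rec table[] = { { "port", 8080 }, { "retries", 3 } };

const struct rec *lib_find(const char *key)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].key, key) == 0)
            return &table[i];
    return NULL;                 /* path invisible without the model */
}

/* Application bug: with the model in view, an analyzer can follow
 * the NULL return from lib_find() into this dereference. */
int app_value_unchecked(const char *key)
{
    return lib_find(key)->value; /* NULL dereference for unknown keys */
}

/* Corrected caller: handles the NULL path the model exposed. */
int app_value_checked(const char *key, int fallback)
{
    const struct rec *r = lib_find(key);
    return r ? r->value : fallback;
}

int main(void)
{
    return app_value_checked("port", -1) == 8080 ? 0 : 1;
}
```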
The accompanying video demonstrates how Affix works.