Code Property Graphs & joern – simple, precise static code analysis

Presented at Summercon 2023, July 15, 2023, 11:30 a.m. (30 minutes)

This talk introduces `kotlin2cpg` – the newest addition to Joern, the platform for robust analysis of source code, byte code and binary code. First, Code Property Graphs are discussed – what they are, what they look like, and why they’re the ideal intermediate representation for cross-language code analysis. Second, the capabilities of Joern are shown – the interactive shell, its scripting support and the CPGQL query language. Third, `kotlin2cpg` is put under the microscope – its underlying components are discussed together with the challenges of building a new static analyzer on top of Joern. There will be a step-by-step guide for building a CPGQL query for a previously-undisclosed bug in a fairly prominent Android application [DISCLOSURE COMING SOON].

Presenters:

  • Claudiu-Vlad Ursache
    Claudiu-Vlad is a core developer on the code analysis platform Joern and the author of kotlin2cpg. He has been an engineer for 15 years and switched to security three years ago, focusing on static analysis. When it comes to research work – he’s managed to break into consumer-grade routers (and spoke about it at No Hat Conference 2021), and more recently found vulnerabilities in Android apps of prominent publications.
