Only RK

Price: 0

Number of applications: 0

Decision acceptance deadline

22.12.25 (inclusive)

Form of award

monetary

Product status

Idea

Task type

ICT tasks

Сфера применения

Произвольный код

Область задачи

Information processing and transformation

Type of product

Software/ IS

Problem description

Let's consider an arbitrary program P in one of the supported languages. Let's define the semantic property of S(P): "there is a execution of P and input data x, which generates a vulnerable data stream (for example, an unprepared SQL query with user input)." Customer's requirement for the Check(P) algorithm: • if S(P) is true, Check(P) must return VULNERABLE; • if S(P) is false, Check(P) must return SAFE; • Check(P) always completes in a finite amount of time. The S property is a non—trivial semantic property of program behavior, not the syntax of the source code. Classical results of computability theory (in particular, Rice's theorem) state that for any nontrivial semantic characteristic there is no universal algorithm that correctly solves the problem for all programs. This directly hits the original requirement: universal Check(P) is strictly impossible.

Expected effect

In fact, we were expected to solve a class of problems that are theoretically unsolvable for arbitrary programs. We can: • severely limit supported languages and code patterns; • assume the probabilistic nature of the conclusions (heuristic mode); • Rely on a combination of static and dynamic analysis. But a universal "oracle of vulnerabilities" that correctly responds SAFE/VULNERABLE for any possible program cannot exist. This is what makes the initial task fundamentally unsolvable, and not just "difficult to implement."

Full name of responsible person

Sergeev I.A.

Purpose and description of task (project)

Several dozen repositories are linked to the customer (Go, Kotlin, TypeScript, some C++). Manual code review does not have time to catch critical vulnerabilities. We were required to design a static analyzer that: • is guaranteed to find all vulnerabilities of a certain class (SQL injection, XSS, secret leaks); • does not give false positives (0 false positive); • runs for a limited time (up to 60 seconds per medium-sized repository); • applicable to any code in supported languages without additional training for a specific project. In other words, we were expected to have a universal "oracle of vulnerabilities."

Note