Creating ‘Best in Class’ Tools for Static Code Analysis – Q&A with Sun Chan, CTO

7 Jan 2021 | By Sun Chan

As Chief Technical Officer and Co-Founder of Xcalibyte, Sun directs the core R&D team in China and is in charge of the creation of static code analysis tools. These tools are used by developers, testers, QA (quality assurance) professionals and senior IT management for in-depth detection of source code defects and vulnerabilities.

Q: As the driving force behind Xcalibyte’s powerful technology, can you tell us a little about yourself?

Sun: I have been working in the field of compiler technologies for more than 30 years. Compilers differ according to the systems architecture the software is deployed on. There are two kinds of computer architectures: one is a reduced instruction set (RISC), and the other is a complex instruction set (CISC). The reduced instruction set was proposed by two professors in the early 1980s. They won the Nobel Prize of the computer industry, ‘The Turing Prize’, a few years ago. One of these two professors, American computer scientist John Hennessy, created the first computer architecture with a reduced instruction set. Making a computer that runs much faster than the existing complex architecture of the time requires strong technical support from the compiler.

I was part of Professor John Hennessy’s original senior development team, along with Mr. Liu Shinming, another co-founder of Xcalibyte. Before joining Xcalibyte, I was the Director of the Intel-Tsinghua University Joint Laboratory, mainly researching cutting-edge mobile computing technology and, later, embedded systems. During these 30+ years, I have led teams to develop multiple iterative versions of state-of-the-art software tools for many Fortune 500 companies.

Q: Xcalibyte’s flagship solution, Xcalscan, is a Static Application Security Testing (SAST) tool. What is the relationship between SAST and compiler technologies?

Sun: Our tool analyses source code in a static state. In other words, we check the software for errors before it has been compiled and before it operates at runtime. So, in order to do this, we have looked beyond programming language syntax. It is not only about checking the ‘grammar and spelling’ of source code; it is also about checking how the data flows through the system. By applying compiler technology to our tool, we emulate how the data will flow in the software and detect issues that will appear during runtime without actually being in runtime. Essentially, we go further down the compiler steps from the Abstract Syntax Tree (AST) to the Intermediate Representation (IR) level, before binary code, so we can see flows and actions that couldn’t be seen in the programming language code alone.

Q: Xcalibyte will be working hard to further upgrade its technological competitiveness and will expand its offering to include IAST tools. What are the main technological differences and benefits?

Sun: IAST stands for Interactive Application Security Testing. Another testing technology is Dynamic Application Security Testing (DAST), which is currently one of the most widely used security testing technologies for checking software at runtime after the code has been compiled. IAST combines elements of SAST and DAST and does the analysis from within the application itself. It can complete security testing while performing application functional testing and has the advantages of high accuracy with low false positives.

Existing programming languages can be divided into two types, one is static languages such as C or C++, which we can analyze and generate results very quickly at compile time. The other is dynamic languages such as JavaScript, the features of which cannot be analyzed at compile time.

Once we support dynamic languages such as JavaScript, we first need to expand the scope of research and increase the time to analyze the program, but there will always be things that cannot be analyzed until runtime. Therefore, IAST and DAST are used. For some static information, we can determine at compile time that the input may be from an external source, or some data that was generated whilst the program was in operation, thus changing the program flow. Collaborative analysis from static time to dynamic time is the best method.

Q: As you are a very experienced compiler and technology expert, have you encountered any bottlenecks in the R&D process?

Sun: There are always unsolved problems. One problem that has been in the back of my mind for more than 10 years is the issue of cross-file analysis. This was a real challenge but fortunately, we were able to resolve this issue in Xcalscan. With our new algorithm, we can analyze programs across procedural boundaries and even across file boundaries. This is close to being able to analyze a program’s runtime behaviour, even though the software is static. For example, it can analyze program flow where input is normally required at runtime.

Another major concern that goes beyond programming languages is how we can apply business logic verification. This is not a compiler or language problem. Our challenge has been on how we can incorporate the specific business logic required to meet a company’s business focus. This could be, for example, the sequence of events that occur when a visitor is checking out on an eCommerce website which must be strictly adhered to. This is where precision and customized rule bases come in. We can model side effects and analyze user-defined rules through a symbolic framework.
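As an added illustration of the cross-procedure and cross-file data-flow analysis described above (this is example code written for this page, not Xcalscan's algorithm, and the miniature IR, the two-"file" sample program and all names in it are assumptions), the following toy taint tracker shows a tainted value that a per-function analysis misses because it crosses a call boundary:

```python
# Added illustration of cross-procedure (cross-file) taint tracking over a small
# constructed IR. Not Xcalscan's algorithm: IR, sample program and names are assumed.
from typing import Dict, List, Tuple

# Function = (parameter names, instructions). Instruction forms:
#   ("source", dst)  ("assign", dst, src)  ("call", dst, callee, args)
#   ("return", var)  ("sink", var)   -- var reaches a dangerous operation
Program = Dict[str, Tuple[List[str], List[tuple]]]

PROGRAM: Program = {                                  # constructed, two "files"
    "main": (["argc"], [                              # a.c
        ("source", "req"),                            # req = external request
        ("assign", "cmd", "req"),
        ("call", "r1", "run", ["cmd"]),               # taint crosses into b.c
        ("call", "safe", "default_cmd", []),
        ("call", "r2", "run", ["safe"]),              # clean argument
    ]),
    "run": (["c"], [("sink", "c")]),                  # b.c: c goes to the shell
    "default_cmd": ([], [("assign", "d", "lit"), ("return", "d")]),
}

def analyze(fn: str, prog: Program, arg_taint: Tuple[bool, ...],
            interprocedural: bool, findings: List[str], chain: List[str]) -> bool:
    # Walk one function; return True if its return value may be tainted.
    params, body = prog[fn]
    tainted = {p for p, t in zip(params, arg_taint) if t}
    ret_tainted = False
    for ins in body:
        op = ins[0]
        if op == "source":
            tainted.add(ins[1])
        elif op == "assign":
            (tainted.add if ins[2] in tainted else tainted.discard)(ins[1])
        elif op == "call":
            dst, callee, args = ins[1], ins[2], ins[3]
            taints = tuple(a in tainted for a in args)
            # Stopping at the procedure boundary makes the callee opaque: the
            # return is assumed clean and the tainted argument is silently lost.
            if interprocedural and callee in prog and len(chain) < 16:
                if analyze(callee, prog, taints, True, findings, chain + [callee]):
                    tainted.add(dst)
                    continue
            tainted.discard(dst)
        elif op == "return":
            ret_tainted = ins[1] in tainted
        elif op == "sink" and ins[1] in tainted:
            findings.append(" -> ".join(chain) + f": tainted '{ins[1]}' reaches sink")
    return ret_tainted

def scan(prog: Program, interprocedural: bool) -> List[str]:
    # Treat every function as an entry point whose own parameters are clean.
    findings: List[str] = []
    for fn, (params, _) in prog.items():
        analyze(fn, prog, (False,) * len(params), interprocedural, findings, [fn])
    return findings
```

Running `scan(PROGRAM, False)` reports nothing, while `scan(PROGRAM, True)` reports the request data reaching the sink in `run` via `main`; the clean path through `default_cmd` produces no finding either way.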

Q: What industry sectors are Xcalibyte focused on in the coming year?

Sun: Now, we are focusing on the embedded market. For example, today, in China and the entire world, Artificial Intelligence (AI) chip design is becoming very popular, and many start-ups have sprung up all over the place. We found that they are facing many challenges in program analysis, compilation, and performance optimization. We hope to be able to help them. This is the original intention of creating Xcalibyte.

Besides the AI sector, another category we are interested in is the Internet of Things (IoT). There are many smart devices coming out, such as smart speakers and smart pens. When these small smart devices come out, the information security of enterprises may have problems. Once smart devices with untrusted input are used by a company’s customers, corporate information faces a huge risk of being leaked, and corporate activity may also be secretly monitored by criminals. Data breaches most commonly occur because of errors in the application code.

Q: What do you think makes a good developer?

Sun: Being able to make things simple is so crucial. Good developers are those who can simplify complex things and then achieve their goals quickly and well. Those who can make things easy and less complex are willing to take the time to solve difficult problems, which also allows them to discover the core issues we really face. So, I think analytical and reasoning skills are good qualities for any type of programmer or engineer. At Xcalibyte, we welcome people who possess these traits and ways of thinking.
