Return to Platforms

In order to analyze a computation, all system components have to be considered, including the so-called application code, but also the runtime platform and all runtime services, as some of the key control and data flow relationships are provided by the runtime platform, as the computation flows through the application code into the runtime platform and services and back to the application code. Application code alone in most cases does not provide an adequate picture of the computation, as some segments of the flow are determined by the runtime platform and are not visible in the application code. For example, while a large number of control flow relationships between different activities in the application code are explicit (such as statements in a sequence, or calls from a statement to another procedure), some control flow relations are not visible in the code, including the so-called callbacks, where the application code registers a certain activity with the runtime platform (for example, an event handler or an interrupt handler) and it is the runtime platform that initiates the activity. Without the knowledge of such implicit relationships, the system knowledge is not complete at a very fundamental level, leading to incomplete coverage of code analysis by vulnerability detection tools, and subsequently, to false negative and false positive report findings.