Security Bsides Las Vegas 2024

Workshop: Vulnerability Reachability Analysis Using OSS Tools
2024-08-07, Diamond

New vulnerabilities are disclosed every day in dependencies that you or your team may be using. But how do you know whether you are actually using the vulnerable code? This workshop will show you how to use two different types of tools to analyze reachability: (1) static call graphs and (2) runtime analysis, and how to use the results to decide whether a vulnerability needs to be prioritized based on your own code's usage of the dependency.


The workshop will be broken into several modules; introductory modules will cover the workshop organization and administrative matters (installing and configuring the tools used in the workshop). Subsequent modules will give an outline of what vulnerability reachability is and why it is important and compare/contrast the two main ways of understanding reachability (static call graphs and runtime analysis).

Next, the workshop will present two short exercises, intended for the attendees to gain hands-on experience using both types of tools against real applications with real vulnerabilities. Interpreted languages (Java) and compiled languages (C/C++/Go) will be covered. The following module will then walk through how to interpret the results obtained from the exercises and draw conclusions. The languages chosen are merely representative; the skills learned in the workshop are equally applicable to other languages.

The workshop will conclude with two modules which will present a short overview of commercial tools and a conclusion/wrap-up/Q&A session.
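As an added illustration of the two approaches compared in this workshop (this is example code written for this page, not material from the workshop or from any of the tools it names), the Python below runs both on one constructed application: a static call graph built from the AST answers "is there any caller chain from an entry point to the flagged function?", while a profiler hook records which functions actually executed in a given run. The module name parser_lib and the function parse_legacy are hypothetical stand-ins for a dependency function matched against an advisory; ast.unparse requires Python 3.9 or later.

```python
import ast, sys, types
from collections import defaultdict

# Constructed sample app (hypothetical names): parser_lib.parse_legacy stands in
# for the dependency function that an SBOM-to-advisory match flagged as vulnerable.
# Only fetch() calls it; main() never does.
APP_SRC = """
import parser_lib
def fetch(url): return parser_lib.parse_legacy(url)
def health(): return "ok"
def main(): return health()
"""
VULN_FUNC = "parser_lib.parse_legacy"

def static_call_graph(src):
    """Static analysis: map each function to the callee expressions it contains, from the AST."""
    graph = defaultdict(set)
    for fn in (n for n in ast.walk(ast.parse(src)) if isinstance(n, ast.FunctionDef)):
        for call in (n for n in ast.walk(fn) if isinstance(n, ast.Call)):
            graph[fn.name].add(ast.unparse(call.func))  # e.g. "health", "parser_lib.parse_legacy"
    return graph

def static_path(graph, entry, target):
    """Depth-first search over the call graph: caller chain entry -> ... -> target, or [] if unreachable."""
    stack, seen = [(entry, [entry])], set()
    while stack:
        node, path = stack.pop()
        if node == target:
            return path
        if node not in seen:
            seen.add(node)
            stack.extend((c, path + [c]) for c in graph.get(node, ()))
    return []

def runtime_called(src, entry, *args):
    """Runtime analysis: run `entry` under a profiler hook and record every Python function executed."""
    sys.modules["parser_lib"] = stub = types.ModuleType("parser_lib")  # constructed stand-in dependency
    exec("def parse_legacy(s): return s.lower()", stub.__dict__)
    ns, called = {}, set()
    exec(src, ns)
    sys.setprofile(lambda frame, event, arg: event == "call" and called.add(frame.f_code.co_name))
    try:
        ns[entry](*args)
    finally:
        sys.setprofile(None)
    return called
```

Static analysis reports the vulnerable function as reachable from `fetch` but not from `main`; a runtime trace of `main` never shows it executing, which is exactly the gap between "reachable" and "exercised" that the results-comparison module discusses.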

Workshop Outline:

I. Overview (10 minutes)
A. Workshop organization
B. About the tools and sample applications
1. What are the tools and applications we are going to use?
C. Obtaining/installing the tools and sample applications
1. Cloning from the github repo
D. Goals of the workshop (what you will learn)
1. Be able to understand the importance of vulnerability reachability and how it helps prioritize remediation strategy
2. Become familiar with some of the tools available to help with vulnerability reachability
3. Learn where you can reach out to for more help in these areas after the completion of the workshop
II. Types of reachability analysis (10 minutes)
A. Static analysis / call graphs
1. What is a call graph?
2. What information does a call graph provide to you?
B. Runtime analysis
C. Language and environment considerations
1. Things to consider when choosing a reachability analysis solution
a. Types of applications being analyzed (COTS vs self-written)
b. Availability of source code
c. Robustness of test environment
III. Static call graph analysis exercise (20 minutes)
A. Using static call graph analysis in IntelliJ/Eclipse to analyze a Java application
B. Using Go callgraph to analyze a Go application
C. How to correlate a call graph with an SBOM
IV. Dynamic/runtime analysis exercise (20 minutes)
A. Using a Java agent to analyze runtime reachability in a running Java application
B. Using valgrind/KCacheGrind to analyze a running C/C++ application
C. How to correlate runtime analysis with an SBOM
V. Results comparison (10 minutes)
A. Using the results of each exercise to determine if vulnerable code was used
1. How to use the output of each tool to understand what vulnerabilities need to be prioritized
B. Benefits and limitations of each approach
VI. Commercial tools (10 minutes)
A. Overview of commercial tools
B. Commercial tools examples
VII. Conclusion & Q&A (10 minutes)

Outcome/Learnings
Understand what vulnerability reachability is and why it is important
Compare/contrast the two main ways of understanding reachability (static call graphs and runtime analysis)
Via hands-on experience, use both types of tools against real applications with real vulnerabilities. Interpreted languages (Java) and compiled languages (C/C++/Go) will be covered.
Learn how to interpret the results obtained from the exercises and draw conclusions

Mike Larkin is CTO and co-founder of Deepfactor, Inc. Mike is also a contributor to OpenBSD, working on hypervisors, low-level platform code, and security. Mike is also an adjunct faculty member at San Jose State University, where he teaches application security technologies and virtualization.

Rizwan Merchant is VP of Engineering at Deepfactor. A seasoned engineering leader at the intersection of DevOps and security, Rizwan has also played key roles at companies like Qualys and FireEye.