DIY Static Code Analyzer: Building your own security tools with Joern

Retour à la liste des conférenciers et sessions
Écoutez la diffusion
Bug hunting needs to scale in speed and accuracy as agile software development methods take over the world. While existing tools for static analysis code scanning are effective, the ability to customize security scanning to the context of applications is becoming increasingly important given the vast quantity and diversity in modern code. In this lab, we will demonstrate how we can use the open-source framework Joern ( to create a custom static code analyzer.

In this lab, we will discuss how code can be represented in a graphical format, which can then be queried interactively to find security bugs in code. We will then use the open-source project Joern (Open-Source Code Querying Engine for C/C++) to build a DIY SAST tool. Joern has been used extensively to hunt bugs in Linux Kernel, Cisco DCNM, and recent Amnesia:33 set of bugs by Forescout. It exposes a very easy to use Scala API to build custom tools around it and hence the choice!

We will begin by introducing common vulnerabilities and how to create a mental model to identify them when investigating code and binaries. We will explore a sample program's control and data flow and see potential cases of security bugs that can be modeled and discovered using a graph representation of the source code.

The interactive portion of the lab includes an in-depth walk-through of the data and control flow of a sample program along with instruction on using the Joern framework to uncover potential vulnerabilities in that code. Lab attendees will use Joern to uncover bugs and create new build rules and scripts for future bug hunting. We will eventually create a complete custom static code analyzer for a sample use-case and see it in action.

Lab Outline

  • Introduction to graph data structures for static analysis
  • How to identify patterns that indicate vulnerabilities in code
  • Mapping source code to a graph database and querying the database
  • Intro to the Joern framework
  • Interactive bug hunting using Joern Shell
  • Creating a custom SAST tool with Joern


As they finish the workshop, the attendees,

  • Understand fundamentals of code analysis and how to understand code for performing "static analysis for security debugging"
  • Understand how current static analysis tools are built and how they leverage graphical representations of code
  • Can perform basic interactive analysis using Joern to query code and obtain security relevant insights
  • Are able to build a small tool (such as a double-free detector) using Joern queries and package it for distribution
  • Run their own tool on provided sample code and get results
  • Gain confidence to write complex tools and run them on your own code
Pre-requisites/assumed knowledge:

Intermediate developers/application security professionals with basic understanding of programs and compilers (A quick programming language structures refresher will be provided before actual hands-on sessions commence which explains various graphical representations of code and how they fit together)

Participants should prepare by:

Participants should install Joern ( in advance if possible.

Suchakra Sharma Staff Scientist, ShiftLeft Inc.

Suchakra Sharma is Staff Scientist at ShiftLeft Inc. where he builds code analysis tools and and hunts security bugs. He completed his Ph.D. in Computer Engineering from Polytechnique Montréal where he worked on eBPF technology and hardware-assisted tracing techniques for OS analysis. As part of his research, he also developed one of the first hardware-trace based virtual machine analysis techniques. He has delivered talks and trainings at venues such as RSA, USENIX LISA, SCALE, Papers We Love, Tracing Summit, etc. When not playing with computers, he hikes and writes poems.

Vickie Li Developer Evangelist, ShiftLeft

Vickie Li is the resident developer evangelist at ShiftLeft. She is an experienced web developer with an avid interest in security research. She can be found on, where she blogs about security news, techniques, and her latest bug bounty findings. She also hosts “Security Simplified”, a developer education series focusing on web security: