Open Source Summit + ELC North America 2020

Static analysis tools can dramatically improve the reliability of software, but are often dismissed as onerous to setup and use. Static analysis is particularly useful for cryptography projects and other critical systems, which tend to have a tight focus and require very clean code style. This talk discusses tools and approaches that were helpful during the development of an open source elliptic curve pairing-based library, ECDAA [1], for privacy-preserving signatures such as are used by the FIDO Alliance. The emphasis of the talk is on concrete lessons for improving the reliability of critical code while fitting seamlessly into a modern development process. Tools discussed include venerable standbys Valgrind and cppcheck, as well as modern examples like scan-build and Infer. The lessons learned are of interest to developers of many types of projects, not just cryptography libraries.
[1] www.github.com/xaptum/ecdaa