Published by Φαίδρα Ζάνος. Modified over 6 years ago.
1
Access-Path Abstraction: Scaling Field-Sensitive Data-Flow Analysis With Unbounded Access Paths
Johannes Lerch, Johannes Späth, Eric Bodden, and Mira Mezini
@stg_darmstadt
30. November 2018 | Software Technology Group
2
Scalable Field-Sensitive Taint Analysis
Based on IFDS-Framework [Reps et al. 1995]
  Context Sensitive
  Flow Sensitive
Field Sensitive
Scalability Issues
Contributions of this work:
  Identification of problematic cases
  Approach solving these: IFDS-APA
Notes: 1 taint analysis based on IFDS; 2 field sensitive; 3 scalability issues; 4 contributions
3
Tracking Fields

Statement          Field Sensitive   Field Based
A a1 = new A()
A a2 = new A()
x = source()       x                 x
a1.f = x           x, a1.f           x, A.f
y = a2.f           x, a1.f           x, y, A.f
sink(y)                              False Warnings

Notes: Assume taint analysis: from source to sink. 1-4 field sensitive, 5-7 field based. Preferable to be field sensitive.
4
Loops

    x = source()
    do {
      b = new A()
      b.f = x
      x = b
    } while(…)

Data-flow facts: x; x; x.f, b.f; x, b.f; x.f, b.f.f; x.f, b.f; x.f.f, b.f.f; x.f, b.f, x.f.f, b.f.f,
Fixpoint Iteration
Finite Domain required!
5
K-limiting

k-limiting [Jones et al. 1981]: a.f.f.....f.f (k) becomes a.f.f.....f.* (k)

    x = source()
    do {
      b = new A()
      b.f = x
      x = b
    } while(…)

Data-flow facts: x; x; x.f, b.f; x, b.f; x.f, b.f.f; x.f, b.f; x.f.f, b.f.f; x.f, b.f, x.f.f, b.f.f,
6
K-limiting

k-limiting [Jones et al. 1981]: a.f.f.....f.f (k) becomes a.f.f.....f.* (k)

    x = source()
    do {
      b = new A()
      b.f = x
      x = b
    } while(…)

Data-flow facts (k-limiting with k = 1): x; x; x.f, b.f; x.f.*, b.f.*; x, b.f; x.f, b.f.*; x.f.*, b.f.*; x.f, b.f; x.f.*, b.f.*; x.f.*, b.f.*; x.f, b.f, x.f.*, b.f.*,
Large k: many facts
7
Over-Approximation

    foo() {
      a.f = source()
      b.a = a
      c = b.a.g
      bar(c)
    }
    bar(c) {
      sink(c)
    }

Data-flow facts (k-limiting with k = 1): a.f; b.a.*; a.f; b.a.*; c.*; c.*
Issue may occur for any k! (e.g. loop on previous slide)
Small k: taints spread
8
State Explosion

    a = source()
    while(…) {
      if(…)
        a.f = a
      else
        a.g = a
    }

Data-flow facts: a; a, a.f, a.g; a.f.f, a.f.g, a.g.f, a.g.g; a.f.f.f, a.f.f.g, a.f.g.f, …
For n=10 and k=3 generates over 1000 facts
yields different Access Paths for n fields and k-limiting
Amount of facts explodes
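The k-limited fixpoint iteration from the loop slides and the fact count from the State Explosion slide can be reproduced with a small interpreter. This is an added example, not code from the presentation or from IFDS-APA; the tuple encoding of statements, the weak-update treatment of field stores and all function names are assumptions made here.

```python
def limit(base, fields, trunc, k):
    """k-limiting: keep the first k fields and replace the rest by '*'."""
    if k is not None and len(fields) > k:
        return (base, fields[:k], True)
    return (base, fields, trunc)

def step(stmt, facts, k):
    """Transfer function: tainted access paths after one statement."""
    op = stmt[0]
    if op == "new":                      # b = new A(): kills paths rooted at b
        return {f for f in facts if f[0] != stmt[1]}
    if op == "assign":                   # x = y: x takes over y's paths
        _, x, y = stmt
        kept = {f for f in facts if f[0] != x}
        return kept | {(x, fs, t) for (b, fs, t) in facts if b == y}
    if op == "store":                    # b.f = y: prepend f (assumed weak update)
        _, b, fld, y = stmt
        return facts | {limit(b, (fld,) + fs, t, k)
                        for (base, fs, t) in facts if base == y}
    if op == "branch":                   # if(...) ... else ...: join of all arms
        return set().union(*(run(arm, facts, k) for arm in stmt[1]))
    raise ValueError(op)

def run(stmts, facts, k):
    for s in stmts:
        facts = step(s, facts, k)
    return facts

def loop_fixpoint(entry, body, k, do_while, max_iter=50):
    """Return (facts after the loop, iterations), or (None, max_iter) if no fixpoint."""
    head = set(entry)
    for i in range(1, max_iter + 1):
        out = run(body, head, k)
        if out <= head:                  # nothing new flows back: fixpoint
            return (out if do_while else head), i
        head |= out
    return None, max_iter                # unbounded paths: the domain is infinite

def show(facts):
    return sorted(".".join((b,) + fs + (("*",) if t else ())) for b, fs, t in facts)

# Constructed encoding of the do-while loop; x is tainted by source() on entry.
LOOP = [("new", "b"), ("store", "b", "f", "x"), ("assign", "x", "b")]

def explosion(n, k):
    """Fact count for a = source(); while(...) { a.f1 = a | ... | a.fn = a }."""
    body = [("branch", [[("store", "a", f"f{i}", "a")] for i in range(n)])]
    return len(loop_fixpoint({("a", (), False)}, body, k, do_while=False)[0])
```

With k = 1 the do-while loop converges to b.f, b.f.*, x.f, x.f.* as on the k-limiting slide, while k=None reaches max_iter without a fixpoint. explosion(10, 3) returns 2111 because this encoding counts a truncated path such as a.f.f.f.* separately from a.f.f.f.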
9
<<interface>>
State Explosion
[Diagram: <<interface>> Foo declares X bar(X); calls go to the implementations FooA, FooB, …; FooA's X bar(X) writes field a, FooB's X bar(X) writes field b]
10
Summaries not reusable

    foo() {
      a.f = source()
      b = id(a)
      sink(b)
    }
    bar() {
      a.g = source()
    }
    id(A p) {
      return p
    }

Data-flow facts: a.f; p.f; p.f; p.g; p.g; a.g
11
Identified Problems
  Finite Domain
  Reusability of Summaries
  State Explosion
Notes: K-limiting has several issues -> maybe not the right solution. General problem: finite domain. Start by addressing summaries.
12
Abstract Summaries

    foo() {
      a.f = source()
      b = id(a)
      sink(b)
    }
    bar() {
      a.g = source()
    }
    id(A p) {
      return p
    }

Data-flow facts: p.f; p; p.g; p .g
Idea/Solution fails if fields are read or written
13
Field Read

    bar(a) {
      b = a.f
      return b
    }

Data-flow facts: a.g; a; a.f; a; a.f; b
14
Field Read – Transitive Check
    foo(x) {
      ...
      bar(y)
    }
    bar(a) {
      b = a.f
      return b
    }

Data-flow facts around foo: x; x; x.f; x.g; y; y.f
Data-flow facts around bar: a; a; a.f; a; b
15
Field Write

    bar(a) {
      a.f = null
      return a
    }

Data-flow facts: a.f; a; a^f; a; a.g; a^f
a^f short for a.*\{f}
16
Field Write – Transitive Check
    foo(x) {
      ...
      bar(y)
    }
    bar(a) {
      a.f = null
      return a
    }

Data-flow facts around foo: x; x; x^f; x.f; y; y^f
Data-flow facts around bar: a; a; a^f; a; a^f
a^f short for a.*\{f}
17
Identified Problems
  Finite Domain
  Reusability of Summaries
  State Explosion
18
Abstraction Points

    foo(a) {
      while(…) {
        b = new A()
        b.x = a
        a = b
      }
      c = a.x
      d = c.x
    }

Abstraction points and facts: SP: a<SP>; L1: a<L1>; a<L1>; b.x<L1>; a.x<L1>; c<L1>; d<x:L1>
Notes: We abstracted at method start points -> generalize to arbitrary abstraction points (loop entries, return edges). Solves finite domain.
19
Identified Problems
  Finite Domain
  Reusability of Summaries
  State Explosion
Notes: Solves state explosion as well. Abstracts away written fields.
20
Evaluation
SecuriBench
  Benchmark consisting of 7 web applications
  Including all their dependencies, especially the Java Class Library
Taint analysis for SQL injection, command injection, path traversal, unchecked redirection
21
Evaluation – SecuriBench Including Dependencies
Run Time in Seconds
Columns: Project | IFDS-APA | K-limiting (k=3, k=2, k=1, k=0) | Field Based
blueblog: 1.21 OoM 54.56 43.54 27.15 1.05
jboard: 322.70 228.84 40.81
pebble: 108.38 138.40 17.13
personalblog: 202.08 236.65 24.92
roller: 478.81 102.83 35.19
snipsnap: 307.65 203.16 113.01
webgoat: 57.75 253.56 98.14 30.86 6.70
22
[Figure: Visited Interprocedural Control-Flow Graph Edges. Legend: Application, Libraries, Method, Call Edge]
23
Evaluation – SecuriBench Including Dependencies
Visited Interprocedural Control-Flow Graph Edges
Columns: Project | ICFG Edges | IFDS-APA | K-limiting (k=3, k=2, k=1, k=0) | Field Based
blueblog: 3% OoM 29% 46% 8%
jboard: 14% 61% 30%
pebble: 13% 62% 27%
personalblog: 15% 28%
roller: 56%
snipsnap: 63%
webgoat: 16% 44% 41% 52% 20%
24
Summary
  State Explosion
  Reusability of Summaries
  Finite Domain
  Caller Dependent Paused Edges
  Scales as well as Field Based
  Abstraction Points
Take away: More precise does not automatically mean more expensive