    Preventing SQL Injection through Automatic Query Sanitization with ASSIST

    Web applications are becoming an essential part of our everyday lives, and many of our activities depend on the functionality and security of these applications. As the scale of these applications grows, injection vulnerabilities such as SQL injection are among the major security challenges for developers today. This paper presents the technique of automatic query sanitization, which automatically removes SQL injection vulnerabilities from code. In our technique, a combination of static analysis and program transformation is used to automatically instrument web applications with sanitization code. We have implemented this technique in a tool named ASSIST (Automatic and Static SQL Injection Sanitization Tool) for protecting Java-based web applications. Our experimental evaluation showed that our technique is effective against SQL injection vulnerabilities and has a low overhead. Comment: In Proceedings TAV-WEB 2010, arXiv:1009.330

    Reify Your Collection Queries for Modularity and Speed!

    Modularity and efficiency are often contradicting requirements, so that programmers have to trade one for the other. We analyze this dilemma in the context of programs operating on collections. Performance-critical code using collections often needs to be hand-optimized, leading to non-modular, brittle, and redundant code. In principle, this dilemma could be avoided by automatic collection-specific optimizations, such as fusion of collection traversals, use of indexing, or reordering of filters. Unfortunately, it is not obvious how to encode such optimizations in terms of ordinary collection APIs, because the program operating on the collections is not reified and hence cannot be analyzed. We propose SQuOpt, the Scala Query Optimizer: a deep embedding of the Scala collections API that allows such analyses and optimizations to be defined and executed within Scala, without relying on external tools or compiler extensions. SQuOpt provides the same "look and feel" (syntax and static typing guarantees) as the standard collections API. We evaluate SQuOpt by re-implementing several code analyses of the FindBugs tool using SQuOpt, show average speedups of 12x with a maximum of 12800x, and hence demonstrate that SQuOpt can reconcile modularity and efficiency in real-world applications. Comment: 20 page

    JBMC: a bounded model checking tool for verifying java bytecode

    We present a bounded model checking tool for verifying Java bytecode, built on top of the CPROVER framework and named Java Bounded Model Checker (JBMC). JBMC processes Java bytecode together with a model of the standard Java libraries and checks a set of desired properties. Experimental results show that JBMC can correctly verify a set of Java benchmarks from the literature and that it is competitive with two state-of-the-art Java verifiers.

    Improving Energy Consumption Of Java Programs

    Information and Communications Technologies (ICT) account for 10% of the world's energy consumption, a share that will keep growing in the future, and for 3% of the overall carbon footprint, which now exceeds the CO2 emissions of the aviation industry. For many years, the focus was on hardware to optimize the energy consumption of ICT systems. This includes dynamic adaptation of hardware techniques such as fine-grain clock gating, power gating, and dynamic voltage/frequency scaling. However, recent demands of exascale computation, as well as the increasing carbon footprint, require new breakthroughs to make ICT systems more energy-efficient. This is not possible by making only the hardware energy-efficient. As a result, the focus is now shifting to software. Software is one of the most critical bottlenecks when trying to optimize the energy consumption of any ICT system. Software energy consumption can be optimized in several ways, such as choosing the energy-efficient option within a programming language, using an energy-efficient programming language, or choosing an energy-efficient compilation option. In this work, we concentrate on the energy-efficient language options and command-line options to optimize software energy consumption. Today's programming languages provide software developers with several options to perform the same task. For example, in Java, an array can be copied to another array either manually or using Java methods. However, not every available option is energy-efficient, and software developers lack the knowledge to choose the most energy-efficient one. We perform various analyses to decide on the best option for different components of the Java programming language. These components include data types, operators, control statements, String, exceptions, objects, and arrays. Java also has different command-line options that can be used to tune the JVM. These options can significantly affect the energy behavior of Java applications. We conduct a comprehensive study to evaluate the energy efficiency of Java command-line options. We first stabilize the idle energy consumption of two ICT systems and then evaluate the active energy consumption of SPECjvm2008 benchmarks using different JDKs (Open and Oracle) and Java command-line options. The Java command-line options include client, server, Xbatch, Xcomp, Xfuture, Xint, Xmixed, Xrs, AggressiveOpts, AggressiveHeap, Inline, AlwaysPreTouch, Xnoclassgc, UseSerialGC, UseParallelGC, UseConcMarkSweepGC, and UseG1GC. Next, we present the Java Energy Profiler and Optimizer (JEPO) tool to help software developers write energy-efficient code. This tool is an Eclipse IDE plugin that provides energy-efficiency suggestions for the Java programming language. It can provide suggestions dynamically while code is being written or statically to refactor already written code. To provide suggestions, it analyzes each line of a Java file and matches it against the pool of suggestions. JEPO can also help software developers automatically measure energy consumption at method granularity to determine the energy-hungry Java methods in software. We hope our findings and tool can help software developers write energy-efficient code in the future.

    Optimizing Java Code for Mobile Computing: The Android Example

    Mobile devices are currently used worldwide, and the number of users is growing daily. Although mobile devices are growing in functionality and processing power, their portability and power consumption are still a concern. Users want their mobile devices to take full advantage of their capabilities without losing portability. To achieve this, optimizing the software running on those devices is of paramount importance. Android is a mobile operating system used by a wide range of manufacturers, and its native applications are developed in the Java programming language. Native applications make better use of the resources provided by the devices. This dissertation focuses on Java code optimizations that can be used to improve the performance of Java applications running on Android devices. The proposal consists in developing a software prototype that automatically applies a set of Java code optimizations. Any performance gains obtained by the developed tool will subsequently be measured and analyzed.

    Optimising Unicode Regular Expression Evaluation with Previews

    The jsre regular expression library was designed to provide fast matching of complex expressions over large input streams using user-selectable character encodings. An established design approach was used: a simulated non-deterministic automaton (NFA) implemented as a virtual machine, avoiding exponential cost in either space or time. A deterministic automaton (DFA) was chosen as a general dispatching mechanism for Unicode character classes, and this also provided the opportunity to use compact DFAs in various optimization strategies. The result was the development of the regular expression Preview, which provides a summary of all the matches possible from a given point in a regular expression, in a form that can be implemented as a compact DFA and used to further improve the performance of the standard NFA simulation algorithm. This paper formally defines a preview and describes and evaluates several optimizations using this construct. They provide significant speed improvements from fast scanning of anchor positions, avoiding retesting of repeated strings in unanchored searches, and efficient searching of multiple alternative expressions, which in the case of keyword searching has a time complexity that is logarithmic in the number of words to be searched.