25 research outputs found
Thread-Modular Static Analysis for Relaxed Memory Models
We propose a memory-model-aware static program analysis method for accurately
analyzing the behavior of concurrent software running on processors with weak
consistency models such as x86-TSO, SPARC-PSO, and SPARC-RMO. At the center of
our method is a unified framework for deciding the feasibility of inter-thread
interferences to avoid propagating spurious data flows during static analysis
and thus boost the performance of the static analyzer. We formulate the
checking of interference feasibility as a set of Datalog rules which are both
efficiently solvable and general enough to capture a range of hardware-level
memory models. Compared to existing techniques, our method can significantly
reduce the number of bogus alarms as well as unsound proofs. We implemented the
method and evaluated it on a large set of multithreaded C programs. Our
experiments showthe method significantly outperforms state-of-the-art
techniques in terms of accuracy with only moderate run-time overhead.Comment: revised version of the ESEC/FSE 2017 pape
BCFA: Bespoke Control Flow Analysis for CFA at Scale
Many data-driven software engineering tasks such as discovering programming
patterns, mining API specifications, etc., perform source code analysis over
control flow graphs (CFGs) at scale. Analyzing millions of CFGs can be
expensive and performance of the analysis heavily depends on the underlying CFG
traversal strategy. State-of-the-art analysis frameworks use a fixed traversal
strategy. We argue that a single traversal strategy does not fit all kinds of
analyses and CFGs and propose bespoke control flow analysis (BCFA). Given a
control flow analysis (CFA) and a large number of CFGs, BCFA selects the most
efficient traversal strategy for each CFG. BCFA extracts a set of properties of
the CFA by analyzing the code of the CFA and combines it with properties of the
CFG, such as branching factor and cyclicity, for selecting the optimal
traversal strategy. We have implemented BCFA in Boa, and evaluated BCFA using a
set of representative static analyses that mainly involve traversing CFGs and
two large datasets containing 287 thousand and 162 million CFGs. Our results
show that BCFA can speedup the large scale analyses by 1%-28%. Further, BCFA
has low overheads; less than 0.2%, and low misprediction rate; less than 0.01%.Comment: 12 page
You shall not pass: Mitigating SQL Injection Attacks on Legacy Web Applications
SQL injection (SQLi) attacks pose a significant threat to the security of web
applications. Existing approaches do not support object-oriented programming
that renders these approaches unable to protect the real-world web apps such as
Wordpress, Joomla, or Drupal against SQLi attacks. We propose a novel hybrid
static-dynamic analysis for PHP web applications that limits each PHP function
for accessing the database. Our tool, SQLBlock, reduces the attack surface of
the vulnerable PHP functions in a web application to a set of query descriptors
that demonstrate the benign functionality of the PHP function. We implement
SQLBlock as a plugin for MySQL and PHP. Our approach does not require any
modification to the web app. W evaluate SQLBlock on 11 SQLi vulnerabilities in
Wordpress, Joomla, Drupal, Magento, and their plugins. We demonstrate that
SQLBlock successfully prevents all 11 SQLi exploits with negligible performance
overhead (i.e., a maximum of 3% on a heavily-loaded web server)Comment: Accepted in ASIACCS 202
PPAndroid-Benchmarker: Benchmarking Privacy Protection Systems on Android Devices
Mobile devices are ubiquitous in today's digital world. While people enjoy the convenience brought by mobile devices, it has been proven that many mobile apps leak personal information without user consent or even awareness. That can occur due to many reasons, such as careless programming errors, intention of developers to collect private information, infection of innocent apps by malware, etc. Thus, the research community has proposed many methods and systems to detect privacy leakage and prevent such detected leakage on mobile devices. This is a to do note at margin While it is obviously essential to evaluate the accuracy and effectiveness of privacy protection systems, we are not aware of any automated system that can benchmark performance of privacy protection systems on Android devices. In this paper, we report PPAndroid-Benchmarker, the first system of this kind, which can fairly benchmark any privacy protection systems dynamically (i.e., in run time) or statically. PPAndroid-Benchmarker has been released as an open-source tool and we believe that it will help the research community, developers and even end users to analyze, improve, and choose privacy protection systems on Android devices. We applied PPAndroid-Benchmarker in dynamic mode to 165 Android apps with some privacy protection features, selected from variant app markets and the research community, and showed effectiveness of the tool. We also illustrate two components of PPAndroid-Benchmarker on the design level, which are Automatic Test Apps Generator for benchmarking static analysis based tools and Reconfigurability Engine that allows any instance of PPAndroid-Benchmarker to be reconfigured including but not limited to adding and removing information sources and sinks. Furthermore, we give some insights about current status of mobile privacy protection and prevention in app markets based upon our analysis
Turning Eclipse against Itself: Finding Bugs in Eclipse Code Using Lightweight Static Analysis
this paper do not immediately exhibit themselves and are often discovered after deploymen
Improving Software Security with a C Pointer Analysis
This paper presents a context-sensitive, inclusion-based, field-sensitive points-to analysis for C and uses the analysis to detect and prevent security vulnerabilities in programs. In addition to a conservative analysis, we propose an optimistic analysis that assumes a more restricted C semantics that reflects common C usage to increase the precision of the analysis
Finding Security Vulnerabilities in Java Applications with Static Analysis
This paper proposes a static analysis technique for detecting many recently discovered application vulnerabilities such as SQL injections, cross-site scripting, and HTTP splitting attacks. These vulnerabilities stem from unchecked input, which is widely recognized as the most common source of security vulnerabilities in Web applications. We propose a static analysis approach based on a scalable and precise points-to analysis. In our system, user-provided specifications of vulnerabilities are automatically translated into static analyzers. Our approach finds all vulnerabilities matching a specification in the statically analyzed code. Results of our static analysis are presented to the user for assessment in an auditing interface integrated within Eclipse, a popular Java development environment. Our static analysis found 29 security vulnerabilities in nine large, popular open-source applications, with two of the vulnerabilities residing in widely-used Java libraries. In fact, all but one application in our benchmark suite had at least one vulnerability.Context sensitivity, combined with improved object naming, proved instrumental in keeping the number of false positives low. Our approach yielded very few false positives in our experiments: in fact, only one of our benchmarks suffered from false alarms
Tracking Pointers with Path and Context Sensitivity for Bug Detection in C Programs
This paper proposes a pointer alias analysis for automatic error detection. State-of-the-art pointer alias analyses are either too slow or too imprecise for finding errors in real-life programs. We propose a hybrid pointer analysis that tracks actively manipulated pointers held in local variables and parameters accurately with path and context sensitivity and handles pointers stored in recursive data structures less precisely but efficiently. We make the unsound assumption that pointers passed into a procedure, in parameters, global variables, and locations reached by applying simple access paths to parameters and global variables, are all distinct from each other and from any other locations. This assumption matches the semantics of many functions, reduces spurious aliases and speeds up the analysis. We present a program representation..