8 research outputs found

    Static Extraction Of Dataflow Communication For Security

    The cost of security vulnerabilities in widely-deployed code such as mobile applications is high. As a result, many companies are using Architectural Risk Analysis (ARA) to find security vulnerabilities before releasing their applications. The existing analyses are focused on finding local coding bugs such as a hard-coded password, rather than architectural flaws such as bypassing the authentication component. During ARA, to find vulnerabilities that are architectural flaws, security architects use a forest-level view of the runtime architecture instead of reading the code. Unfortunately, such a view is often missing from the documentation or is inconsistent with the code. This thesis contributes Scoria, a semi-automated approach for finding architectural flaws that uses a static analysis to extract from code with annotations an approximation of the runtime architecture as an abstract object graph with dataflow edges that refer to abstract objects. The annotations express local, modular hints about architectural tiers, logical containment, and strict encapsulation, such that the extracted object graph is hierarchical, which provides architects with both high-level and detailed understanding of the runtime architecture. Moreover, the abstract object graph is sound such that it has unique representatives for all objects and dataflow communication that may exist at runtime. Architects assisted by Scoria can write as machine-checkable constraints various security policies that are documented only informally. The constraints are in terms of object provenance and indirect communication and can find vulnerabilities missed by constraints that focus only on the presence or the absence of communication, or constraints that track only information flow from sources to sinks. The evaluation consists of expressing several rules from the CERT Secure Coding Standard for Java for which automated detection was previously unavailable. 
Scoria is also being used to find information disclosure in open-source Android apps. Based on an existing benchmark, Scoria performs better than commercial and research tools in terms of precision and recall. Scoria is thus making Architectural Risk Analysis, which is today mostly manual and informal, a more rigorous, principled and repeatable activity.

    Metrics to Identify Where Object-Oriented Program Comprehension Benefits from the Runtime Structure

    To evolve object-oriented code, developers often need to understand both the code structure in terms of classes and packages, as well as the runtime structure in terms of abstractions of objects. Recent empirical studies have shown that for some code modification tasks, developers do benefit from having access to information about the runtime structure. However, there is no good sense of when object-oriented program comprehension clearly depends on information about the runtime structure. We propose using metrics to identify cases in object-oriented program comprehension that benefit from information about the runtime structure. The metrics relate properties observed on a statically extracted hierarchical object graph to the type structures declared in the code and highlight key differences between the runtime structure and the code structure.

    COVID-19: disease pathways and gene expression changes predict methylprednisolone can improve outcome in severe cases.

    MOTIVATION: COVID-19 has several distinct clinical phases: a viral replication phase, an inflammatory phase, and in some patients, a hyper-inflammatory phase. High mortality is associated with patients developing cytokine storm syndrome. Treatment of hyper-inflammation in these patients using existing, approved therapies with proven safety profiles could address the immediate need to reduce mortality. RESULTS: We analyzed the changes in the gene expression, pathways and putative mechanisms induced by SARS-CoV2 in NHBE, and A549 cells, as well as COVID-19 lung vs. their respective controls. We used these changes to identify FDA approved drugs that could be repurposed to help COVID-19 patients with severe symptoms related to hyper-inflammation. We identified methylprednisolone (MP) as a potential leading therapy. The results were then confirmed in five independent validation data sets including Vero E6 cells, lung and intestinal organoids, as well as additional patient lung sample vs. their respective controls. Finally, the efficacy of MP was validated in an independent clinical study. Thirty-day all-cause mortality occurred at a significantly lower rate in the MP-treated group compared to control group (29.6% vs. 16.6%, p = 0.027). Clinical results confirmed the in silico prediction that MP could improve outcomes in severe cases of COVID-19. A low number needed to treat (NNT = 5) suggests MP may be more efficacious than dexamethasone or hydrocortisone. AVAILABILITY: iPathwayGuide is available at https://ipathwayguide.advaitabio.com/. SUPPLEMENTARY INFORMATION: Supplementary data are available at Bioinformatics online

    Extracting Dataflow Objects and other Flow Objects

    Finding architectural flaws in object-oriented code requires a runtime architecture that shows multiple components of the same type that are used in different contexts. Previous work showed that a runtime architecture can be approximated by an abstract object graph that a static analysis extracts from code with Ownership Domain annotations. To find architectural flaws, it is not enough to reason about the presence or absence of communication. Additional work is needed to reason about the content of the communication. The contribution of this paper is a static analysis that extracts a hierarchical object graph with dataflow edges that refer to objects. The extraction analysis combines the aliasing precision provided by Ownership Domains with a domain-sensitive value flow analysis. We evaluate the extraction analysis on an open-source Android application and discuss examples of dataflow edges that refer to objects that are in actual domains or to flow objects that are in domains corresponding to unique annotations.

    Ownership Object Graphs with Dataflow Edges

    During architectural risk analysis, security experts look for architectural flaws based on a documented runtime structure, which for object-oriented systems can be approximated by an object graph. Architectural risk analysis involves thinking about worst-case scenarios, and thus requires a sound object graph, which shows all possible objects and dataflow communication between them. Extracting a sound object graph that conveys architectural abstraction is challenging. One solution is to apply a hierarchy to the object graph to convey both high-level understanding and detail. Achieving soundness requires a static analysis, but architectural hierarchy is not available in general-purpose programming languages. To achieve hierarchy, we annotate the program with ownership types and use abstract interpretation to extract a global, sound, hierarchical object graph that has dataflow communication edges showing the flow of objects due to field reads, field writes, and method invocations. We formalize the static analysis, prove its soundness, then show that the extracted edges are similar to those drawn by a security expert. Keywords: architectural risk analysis; hierarchical object graph; sound static analysis; dataflow communication