Home > Research Groups > Software Engineering > Teaching > Lecture Archive > SS2017 > Designing code analyses for large-scale software systems (DECA) SS2017

Designing code analyses for large-scale software systems (DECA) SS2017

Course number and language


The teaching language will be English. Questions in German will be permitted.

Signing up for oral exam

In order to sign up for an examination slot for your oral exam, you should contact Vera Meyer. This website here tells you the kind of information we require:


Please send the appropriate appointment request to: Vera Meyer <sek-swt@hni.uni-paderborn.de>

Registering and asking questions

To attend the course, you have to register in the PAUL system as a participant. To ask questions, please use the discussion forum in KOALA, so that others can benefit from the answers as well.

Time and Place


Thu 11:00-13:00 at F0.530

The first lecture will be held on April 27th, 2017.

A preliminary schedule is available here.

Exercise sessions:

Tue 13:30-15:30 at F1.110

The first exercise session will be held on May 2nd, 2017.


Static code analysis has the goal of finding programming mistakes automatically, by searching for suspicious anti-patterns in a program’s code. This course will explain how to design static code analyses that are inter-procedural, i.e., consider the whole program, across procedure boundaries. Designing such analyses is challenging, as they need to handle millions of program statements efficiently and precisely. Example applications are drawn from the area of IT security. 


The course Software Analysis is a recommended but not required prerequisite. A mature understanding of the Java programming language and object-oriented programming will be helpful.


Topics covered include:

  • Intra-procedural data-flow analysis
  • Call-graph construction algorithms
  • Context-insensitive inter-procedural data-flow analysis
  • Context-sensitivity using the call-strings approach
  • Value-based contexts
  • Context-sensitivity using the functional approach
  • Efficiently solving distributed problems in the IFDS and IDE frameworks
  • Current challenges in inter-procedural static program analysis

Throughout the course and the exercice sessions, we will discuss applications to software security.

Learning outcomes

After having attended this course, students will have learned…

  • how to make educated design decisions when designing automated code analysis for large-scale software systems,
  • which algorithms have which properties when using them to implement static code-analyses,
  • how to design real–world code analyses for practical problem cases from the area of IT security
  • how to interpret important terminology such as context, flow, field and object sensitivity
  • how to evaluate and explain the important limitations of static code analysis
  • which typical security code analyses exist (OWASP Top 10 etc.) and how they relate to the analysis frameworks explained in the course.

Exercise Sessions

The weekly exercise classes serve the following purposes: Applying the notions seen during the lecture to concrete analyses, solving open problems on the current topic, deepen your knowledge and understanding, and preparing you to present your knowledge (with respect to the final oral exam). 

If you have questions to the organisation of the course, the topic, to the exercises or you get stuck during solving the exercises, please use the forum in KOALA. We try to answer on a regular basis and as soon as possible.

Recommended reading material

We will not be able to provide a script for this course. We will provide powerpoint slides where available, but will develop some concepts also on the blackboard. Students are highly encouraged to take their own copies during their lecture.

A lot of the material is also covered in the following books and papers, however, those publications present the material in a more complex manner than in the lectures, which is why they should mostly be used for deeper personal study.