Incremental Support of Target Code in VisuFlow

Master Thesis

Thesis description:

In order to resolve security flaws in applications, organizations must be able to identify the broadest possible array of potentially exploitable vulnerabilities. One of the primary methods to accomplish this is static analysis. Writing an analysis is hard, as it requires thorough knowledge about both the code to be analyzed and the code of the analysis.

To support analysis writers, we have developed VisuFlow, a framework built on top of the Soot[1] analysis framework. VisuFlow helps with writing and debugging static analyses in the Eclipse IDE. Static analyses can take a long time to terminate: minutes, hours, or even days, depending on the size of the analyzed code. To support analysis writers in their IDE, we cannot afford to re-run the entire analysis after each change to the analyzed code. Incremental analysis[2] accelerates the analysis process by recomputing only the parts that changed.

In this thesis, you will introduce incremental support to the VisuFlow framework so that changes to the analyzed code are reflected immediately in the UI. To do so, you will integrate Reviser, an existing incremental framework, into VisuFlow, implement incremental analysis in its base framework, Soot, and evaluate the efficiency of your changes.


    • Good understanding of the Java language.
    • Experience with software design and efficient programming.
    • Prior knowledge of Eclipse plugin development is helpful, but not required.
    • Prior knowledge of static analysis is helpful, but not required.


The thesis will be written in English.

Learning outcomes:

    • Assimilate and apply knowledge from relevant literature.
    • Plan, implement and document an independent project.
    • Eclipse plugin development.
    • UI design.
    • Basics of data-flow analysis.


    Lisa Nguyen

    Stefan Krüger


    [1] Patrick Lam, Eric Bodden, Ondřej Lhoták, Laurie Hendren. 2011. The Soot Framework for Java Program Analysis: A Retrospective. CETUS 2011.

    [2] Steven Arzt and Eric Bodden. 2014. Reviser: Efficiently Updating IDE-/IFDS-Based Data-Flow Analyses in Response to Incremental Program Changes. ICSE 2014.