Designing code analyses for large-scale software systems (DECA) SS2016
Course number and language
L.079.05804
Signing up for oral exam
If you have already earned the required 50% of points in the exercises, you may now start signing up for an examination slot for your oral exam. The following page lists the information we require:
https://cs.uni-paderborn.de/en/studies/formalities/examination-dates/registering-for-examinations/
Please send the appropriate appointment request to: Jutta Haupt <jutta@uni-paderborn.de>
Note: In the Computer Science Master you can choose to be examined within one of two modules, Modellbasierte Softwareentwicklung or Analytische Methoden des Software Engineering. If you choose the first option, Modellbasierte Softwareentwicklung, it will be easier for us to find an appointment slot, because in this module we can arrange oral exams with a single professor at a time. Hence, that would be our preferred option.
So far we have reserved examination slots on the following days:
- Thu Aug 4th
- Fri Aug 5th
- Thu Aug 18th
- Mon Aug 29th
- Tue Aug 30th
We would prefer it if one of those days works for you.
Course material
The slides and exercise sheets will be uploaded before each lecture on the course's koaLA page.
Time and place
The teaching language will be English. Questions in German will be permitted.
Lectures:
Wed 09:00-11:00 at F0.530
A preliminary schedule is available here.
Exercise classes:
Wed 11:00-12:00 at F2.211
Wed 12:00-13:00 at F2.211
Registering and asking questions
To attend the course, you have to register in the PAUL system as a participant. To ask questions, please use the discussion forum in koaLA, so that others can benefit from the answers as well.
Abstract
Static code analysis has the goal of finding programming mistakes automatically, by searching for suspicious anti-patterns in a program’s code. This course will explain how to design static code analyses that are inter-procedural, i.e., consider the whole program, across procedure boundaries. Designing such analyses is challenging, as they need to handle millions of program statements efficiently and precisely. Example applications are drawn from the area of IT security.
Prerequisites
The course Software Analysis is a recommended but not required prerequisite. A mature understanding of the Java programming language and object-oriented programming will be helpful.
Syllabus
Topics covered include:
- Intra-procedural data-flow analysis
- Call-graph construction algorithms
- Context-insensitive inter-procedural data-flow analysis
- Context-sensitivity using the call-strings approach
- Value-based contexts
- Context-sensitivity using the functional approach
- Efficiently solving distributive problems in the IFDS and IDE frameworks
- Current challenges in inter-procedural static program analysis
Throughout, we will discuss applications to software security.
Learning outcomes
After having attended this course, students will have learned…
- how to make educated design decisions when designing automated code analyses for large-scale software systems,
- which algorithms have which properties when used to implement static code analyses,
- how to design real-world code analyses for practical problem cases from the area of IT security,
- how to interpret important terminology such as context, flow, field and object sensitivity,
- how to evaluate and explain the important limitations of static code analysis,
- which typical security code analyses exist (OWASP Top 10 etc.) and how they relate to the analysis frameworks explained in the course.
Assignments
Every second week, during the exercise class, we will release an exercise sheet covering the topics of the current lecture. The main aim of the exercise sheets is to deepen your knowledge and understanding of the topic. You need to achieve at least 50% of all points to be admitted to the oral exam. You have to hand in your solutions in groups of three students at the beginning of the exercise session two weeks after the sheet is released.
The weekly exercise classes (see above) serve the following purposes: solving open problems on the current topic, deepening your knowledge and understanding, and preparing you to present your knowledge (with respect to the final oral exam).
If you have questions about the organisation of the course, the topic or the exercises, or you get stuck while solving the exercises, please use the forum in koaLA. We try to answer regularly and as soon as possible.
Recommended reading material
We will not be able to provide a script for this course. We will provide PowerPoint slides where available, but will also develop some concepts on the blackboard. Students are highly encouraged to take their own notes during the lecture.
A lot of the material is also covered in the following books and papers. However, those publications present the material in a more complex manner than the lectures do, which is why they should mostly be used for deeper personal study.
- Thomas Reps, Susan Horwitz, and Mooly Sagiv. 1995. Precise interprocedural dataflow analysis via graph reachability. POPL '95
- Shmuel Sagiv, Thomas W. Reps, and Susan Horwitz. 1995. Precise Interprocedural Dataflow Analysis with Applications to Constant Propagation. TAPSOFT '95
- Akash Lal, Thomas Reps, and Gogul Balakrishnan. 2005. Extended weighted pushdown systems. CAV 2005
- Nomair A. Naeem, Ondrej Lhoták, and Jonathan Rodriguez. 2010. Practical extensions to the IFDS algorithm. CC 2010
- Yannis Smaragdakis, Martin Bravenboer, and Ondrej Lhoták. 2011. Pick your contexts well: understanding object-sensitivity. POPL 2011
- Eric Bodden. 2012. Inter-procedural data-flow analysis with IFDS/IDE and Soot. SOAP 2012
- Rohan Padhye and Uday P. Khedker. 2013. Interprocedural Data Flow Analysis in Soot using Value Contexts. SOAP 2013
- Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. 2014. FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps. Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI '14), pages 259–269, ACM
- Johannes Lerch, Ben Hermann, Eric Bodden, and Mira Mezini. 2014. FlowTwist: Efficient Context-sensitive Inside-out Taint Analysis for Large Codebases. Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE 2014), pages 98–108, ACM
- Johannes Lerch, Johannes Späth, Eric Bodden, and Mira Mezini. 2015. Access-Path Abstraction: Scaling Field-Sensitive Data-Flow Analysis With Unbounded Access Paths. IEEE/ACM International Conference on Automated Software Engineering (ASE 2015)