Omniscient Debugging for Static Analysis

Master Thesis

Thesis description:

In order to resolve security flaws in applications, organizations must be able to identify the broadest possible array of potentially exploitable vulnerabilities. One of the primary methods to accomplish this is static analysis. Writing an analysis is hard, as it requires thorough knowledge of both the analysis code and the analysed code.

To support analysis writers, we have developed VisuFlow [1], a framework that helps with writing and debugging static analyses in the Eclipse IDE. VisuFlow contains debugging features such as graph representations, access to the Jimple intermediate representation, breakpoints and stepping functionalities in both the analysis and the analysed code, etc.

In this thesis, you will research the application of omniscient debugging [2,3] for static analysis, where two code bases (analysis code and analysed code) instead of one are of interest. You will integrate this functionality in the VisuFlow debugging environment, allowing developers to step back in time when debugging. A large part of the thesis will be dedicated to making the approach scalable to real-world programs.


Requirements:

    • Good understanding of the Java language.
    • Prior knowledge of Eclipse plugin development is helpful, but not required.
    • Prior knowledge of static analysis is helpful, but not required.

Language:

The thesis will be written in English.

Learning outcomes:

    • Implement data-flow analyses with the Soot framework.
    • Develop an Eclipse plugin.
    • Assimilate and apply knowledge from relevant literature.
    • Plan, implement and document an independent project.

Contact:

Lisa Nguyen (lisa.nguyen@iem.fraunhofer.de)

Prof. Dr. Eric Bodden (eric.bodden@uni-paderborn.de)

References:

[1] https://blogs.uni-paderborn.de/sse/tools/visuflow-debugging-static-analysis/

[2] Guillaume Pothier, Éric Tanter, and José Piquer. 2007. Scalable omniscient debugging. SIGPLAN Not. 42, 10 (October 2007), 535-552. DOI: doi.org/10.1145/1297105.1297067

[3] G. Pothier and É. Tanter, "Back to the Future: Omniscient Debugging," in IEEE Software, vol. 26, no. 6, pp. 78-85, Nov.-Dec. 2009. doi: 10.1109/MS.2009.169