Abstract: Matching function binaries--the process of identifying similar functions among binary executables--is a challenge that underlies many security applications such as malware analysis and patch-based exploit generation. Recent work tries to establish semantic similarity based on static analysis methods. Unfortunately, these methods do not perform well if the compared binaries are produced by different compiler toolchains or optimization levels. In this work, we propose blanket execution, a novel dynamic equivalence testing primitive that achieves complete coverage by overriding the intended program logic. Blanket execution collects the side effects of functions during execution under a controlled randomized environment. Two functions are deemed similar, if their corresponding side effects, as observed under the same environment, are similar too. We implement our blanket execution technique in a system called BLEX. We evaluate BLEX rigorously against the state of the art binary comparison tool BinDiff. When comparing optimized and un-optimized executables from the popular GNU coreutils package, BLEX outperforms BinDiff by up to 3.5 times in correctly identifying similar functions. BLEX also outperforms BinDiff if the binaries have been compiled by different compilers. Using the functionality in BLEX, we have also built a binary search engine that identifies similar functions across optimization boundaries. Averaged over all indexed functions, our search engine ranks the correct matches among the top ten results 77% of the time.

Abstract: The all-important goal of delivering better software at lower cost has led to a vital, enduring quest for ways to find and remove defects efficiently and accurately. To this end, two parallel lines of research have emerged over the last years. Static analysis seeks to find defects using algorithms that process well-defined semantic abstractions of code. Statistical defect prediction uses historical data to estimate parameters of statistical formulae modeling the phenomena thought to govern defect occurrence and predict where defects are likely to occur. These two approaches have emerged from distinct intellectual traditions and have largely evolved independently, in “splendid isolation”. In this paper, we evaluate these two (largely) disparate approaches on a similar footing. We use historical defect data to apprise the two approaches, compare them, and seek synergies. We find that under some accounting principles, they provide comparable benefits; we also find that in some settings, the performance of certain static bug-finders can be enhanced using information provided by statistical defect prediction.

Abstract: Highly-configurable systems allow users to tailor the software to their specific needs. Not all combinations of configuration options are valid though, and constraints arise for technical or non-technical reasons. Explicitly describing these constraints in a variability model allows reasoning about the supported configurations. To automate creating variability models, we need to identify the origin of such configuration constraints. We propose an approach which uses build-time errors and a novel feature-effect heuristic to automatically extract configuration constraints from C code. We conduct an empirical study on four highly-configurable open-source systems with existing variability models having three objectives in mind: evaluate the accuracy of our approach, determine the recoverability of existing variability-model constraints using our analysis, and classify the sources of variability-model constraints. We find that both our extraction heuristics are highly accurate (93% and 77% respectively), and that we can recover 19% of the existing variability-models using our approach. However, we find that many of the remaining constraints require expert knowledge or more expensive analyses. We argue that our approach, tooling, and experimental results support researchers and practitioners working on variability model re-engineering, evolution, and consistency-checking techniques.

Abstract: This paper presents an investigation on the use of quasi-static analyses with explicit integration to evaluate the web crippling behaviour of cold-formed steel beams. Web crippling failure occurs due to the application of transverse concentrated loads, which can be applied statically or dynamically. In the majority of the examples found in the literature, the web crippling phenomenon has been investigated by means of purely static shell finite element (SFE) models with implicit integration. In this work, the ABAQUS code was employed to implement SFE models aimed at replicating an experimental test and quasi-static analyses with an explicit integration scheme were adopted. First, a brief literature review on the topic of the numerical investigation of web crippling of cold-formed steel members is presented. Then, the paper addresses the characterisation of the quasi-static analysis concept with particular emphasis on the control of dynamic effects and the SFE model of a lipped channel beam under External Two Flange (ETF) loading is described. Several conventional parameters of standard SFE analysis, such as the SFE type, mesh selection, steel model, hardening effects due to cold-forming, residual stresses, initial imperfections and support conditions are explained, as well as additional specifications pertaining to the adoption of quasi-static analyses, such as the load rate, mass scaling, contact and friction, smoothed amplitude curves and inhibition of inertia (noise) effects. Finally, the results obtained are presented in the context of the ETF case, including load–displacement curves, curves of kinetic-to-internal energy ratio vs. displacement and beam deformed shapes (failure modes). It is concluded that explicit analysis leads to rigorous simulations of experimental test results, in terms of ultimate load, post-collapse load–deflection curve and failure mechanism. The failure mode obtained with the quasi-static analysis provides a better approximation of the one observed experimentally than its non-linear static analysis counterpart. Indeed, the failure mechanism emerges considerably more clearly when the quasi-static analysis is adopted.

Abstract: In an embodiment, a threat detection and prevention system comprises a network-traffic static analysis logic and a classification engine. The network-traffic static analysis logic is configured to conduct an analysis of a multi-flow object by analyzing characteristics of the multi-flow object and determining if the characteristics of the multi-flow object is associated with a malicious attack such as being indicative of an exploit for example. The classification engine is configured to receive results of the analysis of the multi-flow object and, based on the results of the analysis of the multi-flow object, determine whether the multi-flow object is associated with a malicious attack.

Abstract: According to one embodiment, a malware detection system is integrated with at least a static analysis engine and a dynamic analysis engine. The static analysis engine is configured to automatically determine an object type of a received object. The dynamic analysis engine is configured to automatically launch the object after selecting an action profile based on the object type. The dynamic analysis engine is further configured to, provide simulated user interaction to the object based on the selected action profile either in response to detecting a request for human interaction or as a result of a lapse of time since a previous simulated human interaction was provided.

Abstract: The scale and complexity of modern software systems complicate manual security auditing. Automated analysis tools are gradually becoming a necessity. Specifically, static security analyses carry the promise of efficiently verifying large code bases. Yet, a critical usability barrier, hindering the adoption of static security analysis by developers, is the excess of false reports. Current tools do not offer the user any direct means of customizing or cleansing the report. The user is thus left to review hundreds, if not thousands, of potential warnings, and classify them as either actionable or spurious. This is both burdensome and error prone, leaving developers disenchanted by static security checkers. We address this challenge by introducing a general technique to refine the output of static security checkers. The key idea is to apply statistical learning to the warnings output by the analysis based on user feedback on a small set of warnings. This leads to an interactive solution, whereby the user classifies a small fragment of the issues reported by the analysis, and the learning algorithm then classifies the remaining warnings automatically. An important aspect of our solution is that it is user centric. The user can express different classification policies, ranging from strong bias toward elimination of false warnings to strong bias toward preservation of true warnings, which our filtering system then executes. We have implemented our approach as the Aletheia tool. Our evaluation of Aletheia on a diversified set of nearly 4,000 client-side JavaScript benchmarks, extracted from 675 popular Web sites, is highly encouraging. As an example, based only on 200 classified warnings, and with a policy biased toward preservation of true warnings, Aletheia is able to boost precision by a threefold factor (x 2.868), while reducing recall by a negligible factor (x 1.006). Other policies are enforced with a similarly high level of efficacy.

Abstract: The popularity of Android software has grown dramatically in the last few years. It is essential for researchers in programming languages and compilers to contribute new techniques in this increasingly important area. Such techniques require a foundation of program analyses for Android. The target of our work is static object reference analysis, which models the flow of object references. Existing reference analyses cannot be applied directly to Android because the software is component-based and event-driven.An Android application is driven by a graphical user interface (GUI), with GUI objects responding to user actions. These objects and the event handlers associated with them ultimately determine the possible flow of control and data. We propose the first static analysis to model GUI-related Android objects, their flow through the application, and their interactions with each other via the abstractions defined by the Android platform. A formal semantics for the relevant Android constructs is developed to provide a solid foundation for this and other analyses. Next, we propose a constraint-based reference analysis based on the semantics. The analysis employs a constraint graph to model the flow of GUI objects, the hierarchical structure of these objects, and the effects of relevant Android operations. Experimental evaluation on real-world Android applications strongly suggests that the analysis achieves high precision with low cost.The analysis enables static modeling of control/data flow that is foundational for compiler analyses, instrumentation for event/interaction profiling, static error checking, security analysis, test generation, and automated debugging. It provides a key component to be used by compile-time analysis researchers in the growing area of Android software.

Abstract: We study thread-modular static analysis by abstract interpretation to infer the values of variables in concurrent programs. We show how to go beyond the state of the art and increase an analysis precision by adding the ability to infer some relational and history-sensitive properties of thread interferences. The fundamental basis of this work is the formalization by abstract interpretation of a rely-guarantee concrete semantics which is thread-modular, constructive, and complete for safety properties. We then show that previous analyses based on non-relational interferences can be retrieved as coarse computable abstractions of this semantics; additionally, we present novel abstraction examples exploiting our ability to reason more precisely about interferences, including domains to infer relational lock invariants and the monotonicity of counters. Our method and domains have been implemented in the AstreeA static analyzer that checks for run-time errors in embedded concurrent C programs, where they enabled a significant reduction of the number of false alarms.

Abstract: We demonstrate by a case study of an industrial distributed system how performance, resource consumption, and deployment on the cloud can be formally modeled and analyzed using the abstract behavioral specification language Real-Time ABS. These non-functional aspects of the system are integrated with an existing formal model of the functional system behavior, achieving a separation of concerns between the functional and non-functional aspects in the integrated model. The resource costs associated with execution in the system depend on the size of local data structures, which evolve over time; we derive corresponding worst-case cost estimations by static analysis techniques and integrate them into our resource-sensitive model. The model is further parameterized with respect to deployment scenarios which capture different application-level management policies for virtualized resources. The model is validated against the existing system's performance characteristics and used to simulate, analyze, and compare deployment scenarios on the cloud.

Abstract: Android's popularity has given rise to myriad application analysis techniques to improve the security and robustness of mobile applications, motivated by the evolving adversarial landscape. These techniques have focused on identifying undesirable behaviors in individual applications, either due to malicious intent or programmer error. We present a collection of tools that provide a static information flow analysis across a set of applications, showing a holistic view of all the applications destined for a particular device. The techniques we present include a static binary single-app analysis, a security lint tool to mitigate the limits of static binary analysis, a multi-app information flow analysis, and an evaluation engine to detect information flows that violate specified security policies.We show that our single-app analysis is comparable with the leading approaches on the DroidBench benchmark suite; we present a brief listing of lint-like heuristics used to show the limits of the single-app analysis in the context of an application; we present a multi-app analysis, and demonstrate information flows that cannot be detected by single-app analyses; and we present a policy evaluation engine to automatically detect violations in collections of Android apps.

Abstract: This paper addresses the problem of detecting JavaScript security vulnerabilities in the client side of Web applications. Such vulnerabilities are becoming a source of growing concern due to the rapid migration of server-side business logic to the client side, combined with new JavaScript-backed Web technologies, such as AJAX and HTML5. Detection of client-side vulnerabilities is challenging given the dynamic and event-driven nature of JavaScript. We present a hybrid form of JavaScript analysis, which augments static analysis with (semi-)concrete information by applying partial evaluation to JavaScript functions according to dynamic data recorded by the Web crawler. The dynamic component rewrites the program per the enclosing HTML environment, and the static component then explores all possible behaviors of the partially evaluated program (while treating user-controlled aspects of the environment conservatively). We have implemented this hybrid architecture as the JSA analysis tool, which is integrated into the IBM AppScan Standard Edition product. We formalize the static analysis and prove useful properties over it. We also tested the system across a set of 170,000 Web pages, comparing it with purely static and dynamic alternatives. The results provide conclusive evidence in favor of our hybrid approach. Only 10% of the reports by JSA are false alarms compared to 63% of the alarms flagged by its purely static counterpart, while not a single true warning is lost. This represents a reduction of 94% in false alarms. Compared with a commercial testing algorithm, JSA detects vulnerabilities in >4x more Web sites with only 4 false alarms.

Abstract: Implementations of static analyses are usually tailored toward a single goal to be efficient, hampering reusability and adaptability of the components of an analysis. To solve these issues, we propose to implement static analyses as highly-configurable software product lines (SPLs). Furthermore, we also discuss an implementation of an SPL for static analyses -- called OPAL -- that uses advanced language features offered by the Scala programming language to get an easily adaptable and (type-)safe software product line.OPAL is a general purpose library for static analysis of Java Bytecode that is already successfully used. We present OPAL and show how a design based on software produce line engineering benefits the implementation of static analyses with the framework.

Abstract: The C programming language does not prevent out-of-bounds memory accesses There exist several techniques to secure C programs; however, these methods tend to slow down these programs substantially, because they populate the binary code with runtime checks To deal with this problem, we have designed and tested two static analyses - symbolic region and range analysis - which we combine to remove the majority of these guards In addition to the analyses themselves, we bring two other contributions First, we describe live range splitting strategies that improve the efficiency and the precision of our analyses Secondly, we show how to deal with integer overflows, a phenomenon that can compromise the correctness of static algorithms that validate memory accesses We validate our claims by incorporating our findings into AddressSanitizer We generate SPEC CINT 2006 code that is 17% faster and 9% more energy efficient than the code produced originally by this tool Furthermore, our approach is 50% more effective than Pentagons, a state-of-the-art analysis to sanitize memory accesses

Abstract: Communication traces are increasingly important, both for parallel applications' performance analysis/optimization, and for designing next-generation HPC systems. Meanwhile, the problem size and the execution scale on supercomputers keep growing, producing prohibitive volume of communication traces. To reduce the size of communication traces, existing dynamic compression methods introduce large compression overhead with the job scale. We propose a hybrid static-dynamic method that leverages information acquired from static analysis to facilitate more effective and efficient dynamic trace compression. Our proposed scheme, Cypress, extracts a program communication structure tree at compile time using inter-procedural analysis. This tree naturally contains crucial iterative computing features such as the loop structure, allowing subsequent runtime compression to "fill in", in a "top-down" manner, event details into the known communication template. Results show that Cypress reduces intra-process and inter-process compression overhead up to 5× and 9× respectively over state-of-the-art dynamic methods, while only introducing very low compiling overhead.

Abstract: Model transformations play a prominent role in Model-Driven Engineering (MDE), where they are used to transform models between languages, to refactor and simulate models, or to generate code from models. However, while the reliability of any MDE process depends on the correctness of its transformations, methods helping in detecting errors in transformations and automate their verification are still needed. To improve this situation, we propose a method for the static analysis of one of the most widely used model transformation languages: ATL. The method proceeds in three steps. Firstly, it infers typing information from the transformation and detects potential errors statically. Then, it generates OCL path conditions for the candidate errors, stating the requirements for a model to hit the problematic statements in the transformation. Last, it relies on constraint solving to generate a test model fragment or witness that exercises the transformation, making it execute the problematic statement. Our method is supported by a prototype tool that integrates a static analyzer, a testing tool and a constraint solver. We have used the tool to analyse medium and large-size third-party ATL transformations, discovering a wide number of errors.

Abstract: The RTCA standard (DO-178C) for developing avionic software and getting certification credits includes an extension (DO-333) that describes how developers can use static analysis in certification. In this paper, we give an overview of the IKOS static analysis framework that helps developing static analyses that are both precise and scalable. IKOS harnesses the power of Abstract Interpretation and makes it accessible to a larger class of static analysis developers by separating concerns such as code parsing, model development, abstract domain management, results management, and analysis strategy. The benefits of the approach is demonstrated by a buffer overflow analysis applied to flight control systems.

Abstract: Static detection of memory leaks in a managed language such as Java is attractive because it does not rely on any leak-triggering inputs, allowing compile-time tools to find leaks before software is released. A long-standing issue that prevents practical static memory leak detection for Java is that it can be very expensive to statically determine object liveness in large applications. We present a novel (and the first practical) static leak detection technique that bypasses this problem by considering a common leak pattern. In many cases severe leaks occur in loops where, in each iteration, some objects created by the iteration are unnecessarily referenced by objects external to the loop. These unnecessary references are never used in later loop iterations. Based on this insight, we shift our focus from computing liveness, which is very difficult to achieve precisely and efficiently for large programs, to the easier goal of identifying objects that flow out of a loop but never flow back in. We formalize this analysis using a type and effect system and present its key properties. The analysis was implemented in a tool called LeakChecker and used to detect leaks in eight real-world programs, such as Eclipse, Derby, and log4j. LeakChecker not only identified known leaks, but also discovered new ones whose causes were unknown beforehand, while exhibiting a false positive rate suitable for practical use.

Abstract: Static source code analysis is a common feature in automated grading and tutoring systems for programming exercises. Different approaches and tools are used in this area, each with individual benefits and drawbacks, which have direct influence on the quality of assessment feedback. In this paper, different principal approaches and different tools for static analysis are presented, evaluated and compared regarding their usefulness in learning scenarios. The goal is to draw a connection between the technical outcomes of source code analysis and the didactical benefits that can be gained from it for programming education and feedback generation.

Abstract: This paper proposes an Android malware detection approach based on attack tree. Attack tree model is extended to provide a novel way to organize and exploit behavior rules. Connections between attack goals and application capability are represented by an attack tree structure and behavior rules are assigned to every attack path in the attack tree. In this way, fine-grained and comprehensive static capability estimation and dynamic behavior detection can be achieved. This approach employs a hybrid static-dynamic analysis method. Static analysis tags attack tree nodes based on application capability. It filters the obviously benign applications and highlights the potential attacks in suspicious ones. Dynamic analysis selects rules corresponding to the capability and conducts detection according to runtime behaviors. In dynamic analysis, events are simulated to trigger behaviors based on application components, and hence it achieves high code coverage. Finally, in this way, we implement an automatic malware detection prototype system called AM Detector. The experiment result shows that the true positive rate is 88.14% and the false positive rate is as low as 1.80%.

Abstract: Analyzing Android applications for malicious behavior is an important area of research, and is made difficult, in part, by the increasingly large number of applications available for the platform. While techniques exist to perform static analysis on a large number of applications, dynamic analysis techniques are relatively limited in scale due to the computational resources required to emulate the full Android system to achieve accurate execution. We present Andlantis, a scalable dynamic analysis system capable of processing over 3000 Android applications per hour. During this processing, the system is able to collect valuable forensic data, which helps reverse-engineers and malware researchers identify and understand anomalous application behavior. We discuss the results of running 1261 malware samples through the system, and provide examples of malware analysis performed with the resulting data.

Abstract: In dynamic languages, objects are open–they support iteration over and dynamic addition/deletion of their attributes. Open objects, because they have an unbounded number of attributes, are difficult to abstract without a priori knowledge of all or nearly all of the attributes and thus pose a significant challenge for precise static analysis. To address this challenge, we present the HOO (Heap with Open Objects) abstraction that can precisely represent and infer properties about open-object-manipulating programs without any knowledge of specific attributes. It achieves this by building upon a relational abstract domain for sets that is used to reason about partitions of object attributes. An implementation of the resulting static analysis is used to verify specifications for dynamic language framework code that makes extensive use of open objects, thus demonstrating the effectiveness of this approach.

Abstract: The present article deals with static and dynamic behavior of functionally graded skew plates based on the three-dimensional theory of elasticity. On the basis of the principle of minimum potential energy and the Rayleigh Ritz method, the equations of motion are derived in conjunction with the graded finite element approach. Solution of the resulted system of equations in time domain is carried out via Newmark's time integration method. Calculations are applied for fully clamped boundary condition. In the present paper, two different sets of distributions for material properties are considered. For the static analysis, material properties are considered to vary through the thickness direction according to an exponential law. In the case of dynamic analysis, variations of the volume fractions through the thickness are assumed to obey a power law function. Thus, the effective material properties at each point are determined by the Mori-Tanaka scheme. In case of dynamic analysis, the results are obtained for uniform step loadings. The effects of material gradient index and skew angle on displacement components and stress response are studied. Results of present formulations are verified by available results of a functionally graded rectangular plate for different boundary conditions and also compared with result of a homogenous skew plate by commercial FEM software.

Abstract: A fully geometrically nonlinear finite element (FE) model is developed using large rotation shell theory for static analysis of composite and piezoelectric laminated thin-walled structures. The proposed large rotation theory is based on the first-order shear deformation (FOSD) hypothesis. It has six independent kinematic parameters which are expressed by five mechanical nodal degrees of freedom (DOFs). Linear electro-mechanically coupled constitutive equations with a constant electric field distribution through the thickness of each smart material layer are considered. Eight-node quadrilateral plate/shell elements with five mechanical DOFs per node and one electrical DOF per smart material layer are employed in the FE modeling. The present large rotation FE model is implemented into static analysis of both composite and piezoelectric laminated plates and shells. The equilibrium equation is solved by Newton–Raphson algorithm with system matrices updated in every iteration. The results are compared with those presented in the literature and others calculated by various simplified nonlinear shell theories. They indicate that large rotation theory has to be considered for the calculation of displacements and sensor output voltages of smart structures undergoing large deflections, since other simplified nonlinear theories fail to predict the static response precisely in many cases.

Abstract: We develop a formal perspective on how regular expression matching works in Java, a popular representative of the category of regex-directed matching engines. In particular, we define an automata model which captures all the aspects needed to study such matching engines in a formal way. Based on this, we propose two types of static analysis, which take a regular expression and tell whether there exists a family of strings which makes Java-style matching run in exponential time.

Abstract: A large number of tools that automate the process of finding errors in programs has recently emerged in the software development community Many of them use static analysis as the main method for analyzing and capturing faults in the source code Static analysis is deployed as an approximation of the programs’ runtime behavior with inherent limitations regarding its ability to detect actual code errors It belongs to the class of computational problems which are undecidable [2] For any such analysis, the major issues are: (1) the programming language of the source code where the analysis is applied (2) the type of errors to be detected (3) the effectiveness of the analysis and (4) the efficiency of the analysis