
Publication


Featured research published by Gleb Naumovich.


foundations of software engineering | 1999

An efficient algorithm for computing MHP information for concurrent Java programs

Gleb Naumovich; George S. Avrunin; Lori A. Clarke

Information about which statements in a concurrent program may happen in parallel (MHP) has a number of important applications. It can be used in program optimization, debugging, program understanding tools, improving the accuracy of data flow approaches, and detecting synchronization anomalies, such as data races. In this paper we propose a data flow algorithm for computing a conservative estimate of the MHP information for Java programs that has a worst-case time bound that is cubic in the size of the program. We present a preliminary experimental comparison between our algorithm and a reachability analysis algorithm that determines the “ideal” static MHP information for concurrent Java programs. This initial experiment indicates that our data flow algorithm precisely computed the ideal MHP information in the vast majority of cases we examined. In the two out of 29 cases where the MHP algorithm turned out to be less than ideally precise, the number of spurious pairs was small compared to the total number of ideal MHP pairs.


ACM Transactions on Software Engineering and Methodology | 2004

Flow analysis for verifying properties of concurrent software systems

Matthew B. Dwyer; Lori A. Clarke; Jamieson M. Cobleigh; Gleb Naumovich

This article describes FLAVERS, a finite-state verification approach that analyzes whether concurrent systems satisfy user-defined, behavioral properties. FLAVERS automatically creates a compact, event-based model of the system that supports efficient dataflow analysis. FLAVERS achieves this efficiency at the cost of precision. Analysts, however, can improve the precision of analysis results by selectively and judiciously incorporating additional semantic information into an analysis. We report on an empirical study of the performance of the FLAVERS/Ada toolset applied to a collection of multitasking Ada systems. This study indicates that sufficient precision for proving system properties can usually be achieved and that the cost for such analysis typically grows as a low-order polynomial in the size of the system.


IEEE Computer | 2003

Preventing piracy, reverse engineering, and tampering

Gleb Naumovich; Nasir D. Memon

With the advent of networked appliances, mobile code, and pervasive access to the Internet, software protection has gained increasing importance. The authors survey current and promising new techniques designed to reliably preserve and protect software data vital to our privacy and security.


foundations of software engineering | 1998

A conservative data flow algorithm for detecting all pairs of statements that may happen in parallel

Gleb Naumovich; George S. Avrunin

Information about which pairs of statements in a concurrent program can execute in parallel is important for optimizing and debugging programs, for detecting anomalies, and for improving the accuracy of data flow analysis. In this paper, we describe a new data flow algorithm that finds a conservative approximation of the set of all such pairs. We have carried out an initial comparison of the precision of our algorithm and that of the most precise of the earlier approaches, Masticola and Ryder's non-concurrency analysis [8], using a sample of 159 concurrent Ada programs that includes the collection assembled by Masticola and Ryder. For these examples, our algorithm was almost always more precise than non-concurrency analysis, in the sense that the set of pairs identified by our algorithm as possibly happening in parallel is a proper subset of the set identified by non-concurrency analysis. In 132 cases, we were able to use reachability analysis to determine exactly the set of pairs of statements that may happen in parallel. For these cases, there were a total of only 10 pairs identified by our algorithm that cannot actually happen in parallel.


international conference on software engineering | 1999

Data flow analysis for checking properties of concurrent Java programs

Gleb Naumovich; George S. Avrunin; Lori A. Clarke

In this paper we show how the FLAVERS data flow analysis technique, originally formulated for systems using a rendezvous concurrency model, can be applied to the various concurrency models used in Java programs. The general approach of FLAVERS is based on modeling a concurrent system as a flow graph and, using a data flow analysis algorithm over this graph, statically checking if a property holds on all (or no) executions of the program. The accuracy of this analysis can be iteratively improved, as needed, by supplying additional constraints, represented as finite state automata, to the data flow analysis algorithm. In this paper we present an approach for analyzing Java programs that uses the constraint mechanism to model the possible communications among threads in Java programs, instead of representing them directly in the flow graph model. We also discuss a number of error-prone thread communication patterns that can arise in Java and describe how FLAVERS can be used to check for the presence of these. A preliminary evaluation of this approach is carried out by analyzing some small concurrent Java programs for these error-prone communication patterns and other, program-specific, faults.


foundations of software engineering | 1997

Applying static analysis to software architectures

Gleb Naumovich; George S. Avrunin; Lori A. Clarke; Leon J. Osterweil

In this paper we demonstrate how static concurrency analysis techniques can be used to verify application-specific properties of an architecture description. Specifically, we use two concurrency analysis tools, INCA, a flow equation based tool, and FLAVERS, a data flow analysis based tool, to detect errors or prove properties of a WRIGHT architecture description of the gas station problem. Although both these tools are research prototypes, they illustrate the potential of static analysis for verifying that architecture descriptions adhere to important properties, for detecting problems early in the lifecycle, and for helping developers understand the changes that need to be made to satisfy the properties being analyzed.


digital rights management | 2003

Obfuscation of design intent in object-oriented applications

Mikhail Sosonkin; Gleb Naumovich; Nasir D. Memon

Protection of digital data from unauthorized access is of paramount importance. In the past several years, much research has concentrated on protecting data from the standpoint of confidentiality, integrity and availability. Software is a form of data with unique properties and its protection poses unique challenges. First, software can be reverse engineered, which may result in stolen intellectual property. Second, software can be altered with the intent of performing operations this software must not be allowed to perform. With commercial software increasingly distributed in forms from which source code can be easily extracted, such as Java bytecodes, reverse engineering has become easier than ever. Obfuscation techniques have been proposed to impede illegal reverse engineers. Obfuscations are program transformations that preserve the program functionality while obscuring the code, thereby protecting the program against reverse engineering. Unfortunately, the existing obfuscation techniques are limited to obscuring variable names, transformations of local control flow, and obscuring expressions using variables of primitive types. In this paper, we propose obfuscations of design of object-oriented programs. We describe three techniques for obfuscation of program design. The class coalescing obfuscation replaces several classes with a single class. The class splitting obfuscation replaces a single class with multiple classes, each responsible for a part of the functionality of the original class. The type hiding obfuscation uses the mechanism of interfaces in Java to obscure the types of objects manipulated by the program. We show the results of our initial experiments with a prototype implementation of these techniques. In particular, we show that the runtime overheads of these obfuscations tend to be small.


ACM Sigsoft Software Engineering Notes | 2004

Static analysis of role-based access control in J2EE applications

Gleb Naumovich; Paolina Centonze

This work describes a new technique for analysis of Java 2, Enterprise Edition (J2EE) applications. In such applications, Enterprise Java Beans (EJBs) are commonly used to encapsulate the core computations performed on Web servers. Access to EJBs is protected by application servers, according to role-based access control policies that may be created either at development or deployment time. These policies may prohibit some types of users from accessing specific EJB methods. We present a static technique for analyzing J2EE access control policies with respect to security-sensitive fields of EJBs and other server-side objects. Our technique uses points-to analysis to determine which object fields are accessed by which EJB methods, directly or indirectly. Based on this information, J2EE access control policies are analyzed to identify potential inconsistencies that may lead to security holes.


international symposium on software testing and analysis | 2006

Role-Based access control consistency validation

Paolina Centonze; Gleb Naumovich; Stephen J. Fink; Marco Pistoia

Modern enterprise systems support Role-Based Access Control (RBAC). Although RBAC allows restricting access to privileged operations, a deployer may actually intend to restrict access to privileged data. This paper presents a theoretical foundation for correlating an operation-based RBAC policy with a data-based RBAC policy. Relying on a location consistency property, this paper shows how to infer whether an operation-based RBAC policy is equivalent to any data-based RBAC policy. We have built a static analysis tool for Java Platform, Enterprise Edition (Java EE) called Static Analysis for Validation of Enterprise Security (SAVES). Relying on interprocedural pointer analysis and dataflow analysis, SAVES analyzes Java EE bytecode to determine if the associated RBAC policy is location consistent, and reports potential security flaws where location consistency does not hold. The experimental results obtained by using SAVES on a number of production-level Java EE codes have identified several security flaws with no false positive reports.


international conference on software engineering | 1997

Verification of concurrent software with FLAVERS

Gleb Naumovich; Lori A. Clarke; Leon J. Osterweil; Matthew B. Dwyer

In this demonstration we give a scenario of how FLAVERS, an implementation of the incremental accuracy improving data flow analysis approach [1], is used to verify event sequence properties of concurrent or distributed software programs.

Collaboration


Top Co-Authors

Lori A. Clarke, University of Massachusetts Amherst

George S. Avrunin, University of Massachusetts Amherst

Leon J. Osterweil, University of Massachusetts Amherst

Jamieson M. Cobleigh, University of Massachusetts Amherst

Matthew B. Dwyer, University of Nebraska–Lincoln