Precise analysis of string expressions
In Proc. 10th International Static Analysis Symposium, SAS ’03, volume 2694 of LNCS, 2003
Cited by 221 (18 self)
We perform static analysis of Java programs to answer a simple question: which values may occur as results of string expressions? The answers are summarized for each expression by a regular language that is guaranteed to contain all possible values. We present several applications of this analysis, including statically checking the syntax of dynamically generated expressions, such as SQL queries. Our analysis constructs flow graphs from class files and generates a context-free grammar with a nonterminal for each string expression. The language of this grammar is then widened into a regular language through a variant of an algorithm previously used for speech recognition. The collection of resulting regular languages is compactly represented as a special kind of multi-level automaton from which individual answers may be extracted. If a program error is detected, examples of invalid strings are automatically produced. We present extensive benchmarks demonstrating that the analysis is efficient and produces results of useful precision.
Boolean and Cartesian Abstraction for Model Checking C Programs
2001
Cited by 194 (12 self)
The problem of model checking a specification in form of a C program with recursive procedures and many thousands of lines of code has not been addressed before. In this paper, we show how we attack this problem using an abstraction that is formalized with the Cartesian abstraction. It is implemented through a source-to-source transformation into a 'Boolean' C program; we give an algorithm to compute the transformation with a cost that is exponential in its theoretical worst-case complexity but feasible in practice.
Analysis of Recursive State Machines
In Proceedings of CAV 2001, 2001
Cited by 140 (29 self)
Recursive state machines (RSMs) enhance the power of ordinary state machines by allowing vertices to correspond either to ordinary states or to potentially recursive invocations of other state machines. RSMs can model the control flow in sequential imperative programs containing recursive procedure calls. They can be viewed as a visual notation extending Statecharts-like hierarchical state machines, where concurrency is disallowed but recursion is allowed. They are also related to various models of pushdown systems studied in the verification and program analysis communities. After introducing RSMs, we focus on whether state-space analysis can be performed efficiently for RSMs. We consider the two central problems for algorithmic analysis and model checking, namely, reachability (is a target state reachable from initial states) and cycle detection (is there a reachable cycle containing an accepting state). We show that both these problems can be solved in time O(nθ²) and space O(nθ), where n is the size of the recursive machine and θ is the maximum, over all component state machines, of the minimum of the number of entries and the number of exits of each component. We also study the precise relationship between RSMs and closely related models.
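The reachability problem the abstract describes, worked through as an added example (this is not code from the paper): entry-to-exit summaries are computed for every component by fixed-point iteration, which is what lets a box invocation, including a recursive one, be crossed without unbounded unwinding, and a global search then follows invocations into callee components. The RSM itself is a constructed model of a hypothetical program in which main() calls f() and f() may call itself; the O(nθ²) bound belongs to the paper's algorithm, and this plain worklist version does not claim it.

```python
"""Reachability in a recursive state machine (RSM) via entry-to-exit summaries.
Added example, not the paper's code. The RSM built in example_rsm() is a
constructed model of a hypothetical program: main() invokes f() through
box b1, and f() invokes itself through box b2."""
from collections import defaultdict, deque


class RSM:
    # A vertex of a component is either a node name (str) or a box port:
    #   ('call', box, entry)  control enters the box's component at `entry`
    #   ('ret', box, exit)    control returns from the box's component at `exit`
    def __init__(self):
        self.entries = {}                 # component -> set of entry nodes
        self.exits = {}                   # component -> set of exit nodes
        self.boxes = defaultdict(dict)    # component -> {box: callee component}
        self.edges = defaultdict(set)     # (component, vertex) -> successor vertices

    def add_component(self, comp, entries, exits, boxes=None):
        self.entries[comp] = set(entries)
        self.exits[comp] = set(exits)
        self.boxes[comp] = dict(boxes or {})

    def add_edge(self, comp, src, dst):
        self.edges[(comp, src)].add(dst)

    def _local_reach(self, comp, start, summary):
        """Vertices of `comp` reachable from `start` without leaving `comp`;
        a box is crossed only through the summaries computed so far."""
        seen, work = {start}, deque([start])
        while work:
            v = work.popleft()
            succ = set(self.edges[(comp, v)])
            if isinstance(v, tuple) and v[0] == 'call':
                _, box, entry = v
                callee = self.boxes[comp][box]
                succ |= {('ret', box, ex) for ex in summary[callee][entry]}
            for w in succ:
                if w not in seen:
                    seen.add(w)
                    work.append(w)
        return seen

    def summaries(self):
        """Least fixed point: summary[comp][entry] = exits reachable from entry.
        Recursion is handled by iterating until no summary grows."""
        summary = {c: {e: set() for e in ens} for c, ens in self.entries.items()}
        changed = True
        while changed:
            changed = False
            for comp, entries in self.entries.items():
                for entry in entries:
                    reached = self._local_reach(comp, entry, summary)
                    found = {v for v in reached if v in self.exits[comp]}
                    if not found <= summary[comp][entry]:
                        summary[comp][entry] |= found
                        changed = True
        return summary

    def reachable(self, comp, start):
        """All (component, vertex) pairs reachable from (comp, start), following
        box invocations down into the callee components."""
        summary = self.summaries()
        seen, work = set(), deque([(comp, start)])
        while work:
            c, v = work.popleft()
            if (c, v) in seen:
                continue
            for w in self._local_reach(c, v, summary):
                seen.add((c, w))
                if isinstance(w, tuple) and w[0] == 'call':
                    work.append((self.boxes[c][w[1]], w[2]))
        return seen


def example_rsm():
    """Constructed RSM: main() calls f(); f() either returns directly or
    recurses once more. f's exit f_err is never reached, so main's m_err is not either."""
    rsm = RSM()
    rsm.add_component('main', entries=['m0'], exits=['m_ok', 'm_err'], boxes={'b1': 'f'})
    rsm.add_edge('main', 'm0', ('call', 'b1', 'f0'))
    rsm.add_edge('main', ('ret', 'b1', 'f_ok'), 'm_ok')
    rsm.add_edge('main', ('ret', 'b1', 'f_err'), 'm_err')
    rsm.add_component('f', entries=['f0'], exits=['f_ok', 'f_err'], boxes={'b2': 'f'})
    rsm.add_edge('f', 'f0', 'f1')                      # base case
    rsm.add_edge('f', 'f1', 'f_ok')
    rsm.add_edge('f', 'f0', ('call', 'b2', 'f0'))      # recursive call
    rsm.add_edge('f', ('ret', 'b2', 'f_ok'), 'f_ok')
    rsm.add_edge('f', ('ret', 'b2', 'f_err'), 'f_err')
    return rsm


def is_reachable(rsm, src, dst):
    """src and dst are (component, vertex) pairs."""
    return dst in rsm.reachable(*src)
```

The summary step is where the pushdown behaviour is absorbed: once summary['f']['f0'] settles at {'f_ok'}, every invocation of f is crossed in one step, and the unreachable exit f_err never produces a return port, which is why the error state in main is reported unreachable.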
Static Approximation of Dynamically Generated Web Pages
2005
Cited by 122 (3 self)
Server-side programming is one of the key technologies that support today's WWW environment. It makes it possible to generate Web pages dynamically according to a user's request and to customize pages for each user. However, the flexibility obtained by server-side programming makes it much harder to guarantee validity and security of dynamically generated pages.
Pointer analysis: Haven’t we solved this problem yet?
PASTE'01, 2001
Cited by 119 (1 self)
During the past twenty-one years, over seventy-five papers and nine Ph.D. theses have been published on pointer analysis. Given the tomes of work on this topic one may wonder, "Haven't we solved this problem yet?" With input from many researchers in the field, this paper describes issues related to pointer analysis and remaining open problems.
Refinement-based context-sensitive points-to analysis for Java
PLDI’06, 2006
Recursive Markov chains, stochastic grammars, and monotone systems of nonlinear equations
In STACS, 2005
Cited by 95 (13 self)
We define Recursive Markov Chains (RMCs), a class of finitely presented denumerable Markov chains, and we study algorithms for their analysis. Informally, an RMC consists of a collection of finite-state Markov chains with the ability to invoke each other in a potentially recursive manner. RMCs offer a natural abstract model for probabilistic programs with procedures. They generalize, in a precise sense, a number of well studied stochastic models, including Stochastic Context-Free Grammars (SCFG) and Multi-Type Branching Processes (MTBP). We focus on algorithms for reachability and termination analysis for RMCs: what is the probability that an RMC started from a given state reaches another target state, or that it terminates? These probabilities are in general irrational, and they arise as (least) fixed point solutions to certain (monotone) systems of nonlinear equations associated with RMCs. We address both the qualitative problem of determining whether the probabilities are 0, 1 or in between, and
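The "least fixed point of a monotone nonlinear system" in the abstract, made concrete as an added example (not the paper's code). The RMC is a constructed single-component chain: from its entry it goes straight to the exit with probability p, and otherwise invokes itself k times in sequence before exiting, so its termination probability x is the least non-negative solution of x = p + (1 - p)·x^k. Kleene iteration from 0 climbs to exactly that least solution, ignoring the spurious fixed point x = 1 that the equation also has when termination is not almost sure; the parameters p and k and the qualitative criterion are my own choices for the illustration.

```python
"""Termination probability of a constructed recursive Markov chain, computed as
the least fixed point of a monotone polynomial system by Kleene iteration.
Added example, not the paper's code. Model (assumed): one component; from the
entry, with probability p go to the exit, otherwise invoke the component itself
k times in a row and then go to the exit. Hence x = p + (1 - p) * x**k."""


def kleene_lfp(f, dim, iterations=2000):
    """Iterate x <- f(x) from the zero vector. For a monotone system the
    sequence rises to the least non-negative fixed point, which is the vector
    of termination probabilities; larger fixed points are not probabilities."""
    x = [0.0] * dim
    for _ in range(iterations):
        x = f(x)
    return x


def termination_system(p, k):
    """The one-variable system x = p + (1 - p) x^k of the constructed RMC."""
    return lambda x: [p + (1.0 - p) * x[0] ** k]


def termination_probability(p, k, iterations=2000):
    return kleene_lfp(termination_system(p, k), 1, iterations)[0]


def terminates_almost_surely(p, k):
    """Qualitative question for this particular equation: the chain is a
    branching process with 0 children (prob p) or k children (prob 1 - p), so
    termination is almost sure exactly when the mean (1 - p) * k is at most 1."""
    return (1.0 - p) * k <= 1.0


if __name__ == "__main__":
    # p = 1/3, k = 2: mean 4/3 > 1, least fixed point is the rational 1/2
    # p = 1/3, k = 3: mean 2 > 1, least fixed point is (sqrt(3) - 1) / 2, irrational
    # p = 1/2, k = 2: critical case, probability 1 but iteration converges slowly
    for p, k in [(1 / 3, 2), (1 / 3, 3), (1 / 2, 2)]:
        print(p, k, terminates_almost_surely(p, k), termination_probability(p, k))
```

The third case is the practical caveat: at p = 1/2 the true answer is 1, but plain value iteration approaches it only like 1 - 2/n, so a numeric threshold would misreport "in between" for a long time; the qualitative test decides it exactly, which is why the abstract treats the 0/1/in-between question separately from computing the value.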
Detecting manipulated remote call streams
In 11th USENIX Security Symposium, 2002
Cited by 88 (11 self)
In the Internet, mobile code is ubiquitous and includes such examples as browser plug-ins, Java applets, and document macros. In this paper, we address an important vulnerability in mobile code security that exists in remote execution systems such as Condor, Globus, and SETI@Home. These systems schedule user jobs for execution on remote idle machines. However, they send most of their important system calls back to the local machine for execution. Hence, an evil process on the remote machine can manipulate a user’s job to send destructive system calls back to the local machine. We have developed techniques to remotely detect such manipulation. Before the job is submitted for remote execution, we construct a model of the user’s binary program using static analysis. This binary analysis is applicable to commodity remote execution systems and applications. During remote job execution, the model checks all system calls arriving at the local machine. Execution is only allowed to continue while the model remains valid. We begin with a finite-state machine model that accepts sequences of system calls and then build optimizations into the model to improve its precision and efficiency. We also propose two program transformations, renaming and null call insertion, that have a significant impact on the precision and efficiency. As a desirable side-effect, these techniques also obfuscate the program, thus making it harder for the adversary to reverse engineer the code. We have implemented a simulated remote execution environment to demonstrate how optimizations and transformations of the binary program increase the precision and efficiency. In our test programs, unoptimized models increase runtime by 0.5% or less. At moderate levels of optimization, runtime increases by less than 13% with precision gains reaching 74%.
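The finite-state check the abstract describes, as an added example rather than the paper's code: the local machine holds an NFA over system call names built from the job's binary, tracks the set of states the job could be in as calls arrive from the remote host, and stops the job at the first call no genuine execution could produce. The program, its model and the call streams are constructed. The second model shows why precision matters: a single shared copy of a helper routine whose exit returns to every call site admits an impossible path that a tampered host can exploit, and cloning the helper per call site removes it. That cloning is one illustration of recovering precision; the paper's own transformations, renaming and null call insertion, are only named in the abstract and are not reproduced here.

```python
"""Local-side monitor for a remote job's system-call stream.
Added example, not the paper's code. The program shape, the two models and the
three call streams are constructed for the illustration."""
from collections import defaultdict


class SyscallModel:
    """NFA over system call names. The monitor keeps the set of model states the
    job could currently be in; a call with no transition out of that set is one
    that no genuine execution of the binary could have produced."""

    def __init__(self, start):
        self.start = start
        self.trans = defaultdict(set)   # (state, call) -> successor states
        self.eps = defaultdict(set)     # state -> states reachable without a call

    def add(self, src, call, dst):
        self.trans[(src, call)].add(dst)

    def link(self, src, dst):
        self.eps[src].add(dst)

    def _closure(self, states):
        seen, stack = set(states), list(states)
        while stack:
            for t in self.eps[stack.pop()]:
                if t not in seen:
                    seen.add(t)
                    stack.append(t)
        return seen

    def check(self, stream):
        """Return (accepted, index): index is the position of the first call the
        model rejects, or len(stream) if every call was consistent with it."""
        current = self._closure({self.start})
        for i, call in enumerate(stream):
            nxt = set()
            for s in current:
                nxt |= self.trans[(s, call)]
            if not nxt:
                return False, i          # the job would be stopped here
            current = self._closure(nxt)
        return True, len(stream)


# Constructed program: site 1 runs open(); helper(); unlink() and site 2 runs
# socket(); helper(); exit(), where helper() issues a single write().
def shared_helper_model():
    """One copy of helper() whose exit returns to both call sites, as a plain
    control-flow model would have it: small, but it admits impossible paths."""
    m = SyscallModel('m0')
    m.add('m0', 'open', 's1')
    m.link('s1', 'helper_in')
    m.add('m0', 'socket', 's2')
    m.link('s2', 'helper_in')
    m.add('helper_in', 'write', 'helper_out')
    m.link('helper_out', 'r1')       # returns to site 1 ...
    m.link('helper_out', 'r2')       # ... and, wrongly, also to site 2
    m.add('r1', 'unlink', 'end')
    m.add('r2', 'exit', 'end')
    return m


def cloned_helper_model():
    """helper() duplicated per call site, so each write() can only return to the
    site that called it. Only paths the program can really take remain."""
    m = SyscallModel('m0')
    m.add('m0', 'open', 's1')
    m.add('s1', 'write', 'r1')
    m.add('r1', 'unlink', 'end')
    m.add('m0', 'socket', 's2')
    m.add('s2', 'write', 'r2')
    m.add('r2', 'exit', 'end')
    return m


GENUINE = ['open', 'write', 'unlink']        # a real execution of site 1
INJECTED = ['open', 'write', 'execve']       # destructive call inserted by a tampered host
IMPOSSIBLE = ['open', 'write', 'exit']       # site 1's prefix spliced onto site 2's tail
```

Both models stop the injected execve, but only the cloned model rejects the spliced stream; the shared-helper model accepts it because its helper exit has a path to either return site. That is the trade-off the abstract's precision and efficiency numbers are about: the more faithfully the model reflects calling context, the fewer such streams an adversary can forge, at the cost of a larger model to simulate per call.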
Type-Based Flow Analysis: From Polymorphic Subtyping to CFL-Reachability.
In Proceedings of the 28th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, 2001
Cited by 70 (1 self)
We present a novel approach to scalable implementation of type-based flow analysis with polymorphic subtyping. Using a new presentation of polymorphic subtyping with instantiation constraints, we are able to apply context-free language (CFL) reachability techniques to type-based flow analysis. We develop a CFL-based algorithm for computing flow information in time O(n³), where n is the size of the typed program. The algorithm substantially improves upon the best previously known algorithm for flow analysis based on polymorphic subtyping with complexity O(n⁸). Our technique also yields the first demand-driven algorithm for polymorphic subtype-based flow computation. It works directly on higher-order programs with structured data of finite type (unbounded data structures are incorporated via finite approximations), supports context-sensitive, global flow summarization and includes polymorphic recursion.