EXPLORER: query- and demand-driven exploration of interprocedural control flow properties

This paper describes a general framework and its implementation in a tool called EXPLORER for statically answering a class of interprocedural control flow queries about Java programs. EXPLORER allows users to formulate queries about feasible callstack configurations using regular expressions, and it employs a precise, demand-driven algorithm for answering such queries. Specifically, EXPLORER constructs an automaton A that is iteratively refined until either the language accepted by A is empty (meaning that the query has been refuted) or until no further refinement is possible based on a precise, context-sensitive abstraction of the program. We evaluate EXPLORER by applying it to three different program analysis tasks, namely, (1) analysis of the observer design pattern in Java, (2) identification of a class of performance bugs, and (3) analysis of inter-component communication in Android applications. Our evaluation shows that EXPLORER is both efficient and precise.
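A much-simplified sketch of the refine-until-empty loop the abstract describes, added here as an illustration; it is not EXPLORER's algorithm or code. The call graph, method names, the query DFA and the `precise` feasibility oracle are all constructed assumptions, and the oracle judges single call edges rather than full calling contexts.

```python
from collections import deque

# Constructed coarse call graph (every override of a virtual call is a callee).
CALLS = {
    "main": {"View.onDraw", "Loader.init"},
    "View.onDraw": {"Circle.render", "Icon.render"},
    "Loader.init": {"Icon.render"},
    "Icon.render": {"Bitmap.allocate"},
    "Circle.render": {"Math.sin"},
}

def query(state, method):
    """DFA for the stack pattern  .* View.onDraw .* Bitmap.allocate  (state 2 accepts)."""
    if state == 0 and method == "View.onDraw":
        return 1
    if state == 1 and method == "Bitmap.allocate":
        return 2
    return state

def find_stack(calls, entry):
    """BFS over (method, DFA state) pairs; returns a witness call stack or None."""
    start = (entry, query(0, entry))
    seen, work = {start}, deque([(start, [entry])])
    while work:
        (method, state), stack = work.popleft()
        if state == 2:
            return stack
        for callee in sorted(calls.get(method, ())):
            nxt = (callee, query(state, callee))
            if nxt not in seen:
                seen.add(nxt)
                work.append((nxt, stack + [callee]))
    return None

def explore(calls, entry, feasible):
    """Refine until the product language is empty (None) or a witness survives."""
    calls = {m: set(cs) for m, cs in calls.items()}
    while True:
        stack = find_stack(calls, entry)
        if stack is None:
            return None                      # query refuted
        bad = [e for e in zip(stack, stack[1:]) if not feasible(*e)]
        if not bad:
            return stack                     # no further refinement possible
        for caller, callee in bad:
            calls[caller].discard(callee)    # prune only edges on the witness

# Stand-in for a precise analysis: onDraw's receiver is never an Icon.
def precise(caller, callee):
    return (caller, callee) != ("View.onDraw", "Icon.render")
```

Because edges are checked only when they appear on a candidate witness, the precise analysis is consulted on demand rather than for the whole program.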
