Efficient path conditions in dependence graphs for software safety analysis

Snelting, Gregor; Robschink, Torsten; Krinke, Jens

doi:10.1145/1178625.1178628

Cited by 116 publications

(132 citation statements)

References 31 publications

Supporting

Mentioning

132

Contrasting

Order By: Relevance

“…Snelting et al [28] make the observation that Program Dependence Graphs (PDGs) and noninterference are related in that dom(s 1 ) dom(s 2 ) implies s 1 / ∈ backslice(s 2 ), where backslice is maps each statement s to its static backwards slice. Based on this observation, Hammer et al [14] present an algorithm for verifying noninterference: For output statement s, backslice(s) must contain only statements whose security label is lower than s. Though promising, this approach has not been shown to scale.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Andromeda: Accurate and Scalable Security Analysis of Web Applications

Tripp

Pistoia

Cousot

et al. 2013

Fundamental Approaches to Software Engineering

101

View full text Add to dashboard Cite

Abstract. Security auditing of industry-scale software systems mandates automation. Static taint analysis enables deep and exhaustive tracking of suspicious data flows for detection of potential leakage and integrity violations, such as cross-site scripting (XSS), SQL injection (SQLi) and log forging. Research in this area has taken two directions: program slicing and type systems. Both of these approaches suffer from a high rate of false findings, which limits the usability of analysis tools based on these techniques. Attempts to reduce the number of false findings have resulted in analyses that are either (i) unsound, suffering from the dual problem of false negatives, or (ii) too expensive due to their high precision, thereby failing to scale to real-world applications.In this paper, we investigate a novel approach for enabling precise yet scalable static taint analysis. The key observation informing our approach is that taint analysis is a demand-driven problem, which enables lazy computation of vulnerable information flows, instead of eagerly computing a complete data-flow solution, which is the reason for the traditional dichotomy between scalability and precision. We have implemented our approach in ANDROMEDA, an analysis tool that computes data-flow propagations on demand, in an efficient and accurate manner, and additionally features incremental analysis capabilities. ANDROMEDA is currently in use in a commercial product. It supports applications written in Java, .NET and JavaScript. Our extensive evaluation of ANDROMEDA on a suite of 16 production-level benchmarks shows ANDROMEDA to achieve high accuracy and compare favorably to a state-of-the-art tool that trades soundness for precision.

show abstract

Section: Related Workmentioning

confidence: 99%

“…However, many of the published approaches are not readily applicable to industrial Web applications. Solutions based on type systems tend to be overly complex and conservative [34,20,27], and are therefore unlikely to enjoy broad adoption, whereas those based on program slicing are often unsound [33] or limited in scalability [14,28].…”

Section: Introductionmentioning

confidence: 99%

Andromeda: Accurate and Scalable Security Analysis of Web Applications

Tripp

Pistoia

Cousot

et al. 2013

Fundamental Approaches to Software Engineering

101

View full text Add to dashboard Cite

show abstract

“…A more scalable but not fully path-sensitive approach is described by Snelting et al [20,17,19]. They compute the dependency between two program points y and x using the Program Dependence Graph (PDG) [11] and apply the following rule to remove spurious dependencies: I(y, x) ⇒ ∃v : PC(y, x), where I(y, x) stands for y influences x (i.e., there is a dependency at x on y),v is some assignment of values to program variables and PC(y, x) is the path condition from y to x.…”

Section: Related Workmentioning

confidence: 99%

“…1(a), [20,17,19] would proceed as follows. In the PDG there will be a dependency edge from 8 0∧PC(4, 8)))) 8 , which is not unsatisfiable.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Path-Sensitive Backward Slicing

et al. 2012

View full text Add to dashboard Cite

Abstract. Backward slicers are typically path-insensitive (i.e., they ignore the evaluation of predicates in guards), or they are only partial sometimes producing too big slices. Though the value of path-sensitivity is always desirable, the major challenge is that there are, in general, an exponential number of predicate combinations to be considered. We present a path-sensitive backward slicer and demonstrate its practicality with real C programs. The core is a symbolic execution-based algorithm that excludes spurious dependencies lying on infeasible paths while pruning paths that cannot improve the accuracy of the dependencies already computed by other paths.

show abstract

An empirical evaluation of several test‐a‐few strategies for testing particular conditions

Chan

Poon

et al. 2011

Softw Pract Exp

View full text Add to dashboard Cite

SUMMARY Existing specification‐based testing techniques often generate comprehensive test suites to cover diverse combinations of test‐relevant aspects. Such a test suite can be prohibitively expensive to execute exhaustively because of its large size. A pragmatic strategy often adopted in practice, called test‐once strategy, is to identify certain particular conditions from the specification and to test each such condition once only. This strategy is implicitly based on the uniformity assumption that the implementation will process a particular condition uniformly, regardless of other parameters or inputs. As the decision of adopting the test‐once strategy is often based on the specification, whether the uniformity assumption actually holds in the implementation needs to be critically assessed, or else the risk of inadequate testing could be non‐negligible. As viable alternatives to reduce such a risk, a family of test‐a‐few strategies for the testing of particular conditions is proposed in this paper. Two rounds of experiments that evaluate the effectiveness of the test‐a‐few strategies as compared with the test‐once strategy are further reported. Our experiments do the following: (1) provide clear evidence that the uniformity assumption often, but not always, holds and that the assumption usually fails to hold when the implementation is faulty; (2) demonstrate that all our proposed test‐a‐few strategies are statistically more reliable than the test‐once strategy in revealing faulty programs; (3) show that random sampling is already substantially more effective than the test‐once strategy; and (4) indicate that, compared with other test‐a‐few strategies under study, choice coverage seems to achieve a better trade‐off between test effort and effectiveness. Copyright © 2011 John Wiley & Sons, Ltd.

show abstract

Efficient path conditions in dependence graphs for software safety analysis

Cited by 116 publications

References 31 publications

Andromeda: Accurate and Scalable Security Analysis of Web Applications

Andromeda: Accurate and Scalable Security Analysis of Web Applications

Path-Sensitive Backward Slicing

An empirical evaluation of several test‐a‐few strategies for testing particular conditions

Contact Info

Product

Resources

About