Static analysis of Java enterprise applications: frameworks and caches, the elephants in the room

Antoniadis, Anastasios; Filippakis, Nikos; Krishnan, Paddy; Ramesh, Raghavendra; Allen, Nicholas; Smaragdakis, Yannis

doi:10.1145/3385412.3386026

Cited by 30 publications

(9 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The OWASP WebGoat is a deliberately insecure application aiming to teach developers about relevant security vulnerabilities. As a Java Spring application 7 , it is popular in the community and has been used for evaluating static analyses (Antoniadis et al, 2020). We used this application to evaluate the applicability of fluentTQL on real-world scenario, including specifying taint-flow queries and running our Boomerang-based and FlowDroid-based taint analysis.…”

Section: Rq4 Analyzing Java/android Applicationsmentioning

confidence: 99%

Fluently specifying taint-flow queries with fluentTQL

Piskachev¹,

Späth²,

Budde³

et al. 2022

Preprint

View full text Add to dashboard Cite

Previous work has shown that taint analyses are only useful if correctly customized to the context in which they are used. Existing domainspecific languages (DSLs) allow such customization through the definition of deny-listing data-flow rules that describe potentially vulnerable or malicious taint-flows. These languages, however, are designed primarily for security experts who are expected to be knowledgeable in taint analysis. Software developers, however, consider these languages to be complex.This paper thus presents fluentTQL, a query specification language particularly for taint-flow. fluentTQL is internal Java DSL and uses a fluentinterface design. fluentTQL queries can express various taint-style vulnerability types, e.g. injections, cross-site scripting or path traversal. This paper describes fluentTQL's abstract and concrete syntax and defines its runtime semantics. The semantics are independent of any underlying analysis and allows evaluation of fluentTQL queries by a variety of taint analyses. Instantiations of fluentTQL, on top of two taint analysis solvers, Boomerang and FlowDroid, show and validate fluentTQL expressiveness.Based on existing examples from the literature, we have used fluentTQL to implement queries for 11 popular security vulnerability types in Java. Using our SQL injection specification, the Boomerang-based taint analysis found all 17 known taint-flows in the OWASP WebGoat application, whereas with Flow-Droid 13 taint-flows were found. Similarly, in a vulnerable version of the Java Spring PetClinic application, the Boomerang-based taint analysis found all seven expected taint-flows. In seven real-world Android apps with 25 expected malicious taint-flows, 18 taint-flows were detected. In a user study with 26

show abstract

Section: Rq4 Analyzing Java/android Applicationsmentioning

confidence: 99%

Fluently specifying taint-flow queries with fluentTQL

Piskachev¹,

Späth²,

Budde³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…This study was from an enterprise information specialist's perspective exploring artificial intelligence functionality regarding a novel algorithm integrating into a Java-based software imaging application. The Java programming language significantly contributed to enterprise applications' success (Antoniadis et al, 2020). This study included invoking a Java imaging application as a suggestion for integrating the state-of-the-art neural network technique.…”

Section: Problem Statementmentioning

confidence: 99%

An Exploration of a Virtual Connection for Researchers and Educators by Exploring Strategies Enterprise Information Systems Specialists Need to Integrate Novel Neural Network Algorithms Into an Imaging Application – A Design Science Study

Quindazzi,

Sambasivam

2022

InSITE Conference

View full text Add to dashboard Cite

Aim/Purpose: The problem statement in the proposed study focuses on what strategies enterprise information systems specialists need to integrate novel algorithms into an imaging application that had not yet been identified. The aim is to demonstrate that a cross-convolutional neural network can be implemented within the home laboratory – an exploration of a virtual connection for re-search. An analysis of the works provides the basis for future extensibility of the software application for ImageJ2. Background: The study was guided by the research question: What strategies do enterprise information systems specialists need to integrate novel algorithms into an imaging application? This study demonstrates how to bring a lab-tested application online within a home laboratory to further build upon those findings. Methodology: A conceptual analysis was utilized for the artifact’s creation within the umbrella of design science to aid in the data interpretation segment. A conceptual framework was developed to determine relevant subject matter, such as useful software applications and technological enhancements to an image application. A research sample was not used in this study. Contribution: This research contributed to the body of knowledge by using a cross-convolutional neural network to explore novel algorithms as an enterprise information system specialist and set up the imaging application called Im-ageJ2 for development. The study’s setup is documented in a series of steps to demonstrate the how-to set up such a study. Findings: The findings were that it is possible to implement an existing work from within the home laboratory, steps of which are outlined for those to follow. Future work can be extended from the baseline workings. Furthermore, an analysis of the existing code was determined to see if the existing PyTorch code could be developed within Java to act as an extension to ImageJ2 later. By examining the programming code and the cross-convolutional functionality, a determination was made on the best Java mapping. A set of highlights of the processes used are included. Recommendations for Practitioners: The study intersects two differing realms: artificial intelligence and the enterprise information systems network. This study builds upon an AWS system and details the steps to implement an artificial intelligence system on the Amazon Web Service (AWS) platform. The researcher investigated existing soft-ware imaging Java applications and probed the areas of potential extensibility for implementing the artificial intelligence novel algorithms. Recommendations for Researchers: The concept of being able to bring online a turnkey set of computer hard-ware off-the-shelf within the home laboratory may be an unexplored avenue to some researchers. The recommendation is to encourage researchers to see past the constraints that a lack of hardware may bring about for computer science research. The researcher no longer has to be within an office laboratory on campus to access power computers. The doors are open to exploring a whole new world. It explores how to move through the various linkage is-sues with old libraries and new systems. Other avenues this research can enhance are extending the ImageJ libraries as a Java plugin with the novel algorithms such as the cross-convolutional network implemented on the AWS platform. Impact on Society: Expanding the accessibility to the researcher and practitioner field could be profound. No longer is the researcher or practitioner constrained to the office laboratory. This work shows how to move through the issues to invoke the software to produce and investigate existing software. The findings and guidance of this study are profound. Future Research: Future research should focus on implementing the mappings table as deter-mined in previous research. A future design could be pursued from the analysis and implementation of a Java neural network algorithm as a basic implementation. Java can chain elements to begin replicating the algorithm by Xue et al. (2019). The cross-convolutional element should have further analysis to ensure the full replication within Java. A cross-convolutional neural network (CCNN) Java algorithm could be implemented and trial run within the code; this would allow for the leverage of the heavy lifting of the program code to predict image motion. There seemed to be few approaches regarding predicting motion frames of a future image, and such predictions could be a giant leap for the health care world regarding microscopic and x-ray images.

show abstract

“…The main flavors of context sensitivity are call-site-sensitivity [31,32], object-sensitivity [28], and typesensitivity [33]. Of these, object-sensitivity has been shown to be remarkably precise for analyzing object-oriented programs like Java [33,34]. Object-sensitivity qualifies contexts using the object allocation site the current method was invoked on, e.g., in Fig.…”

Section: Context Sensitivitymentioning

confidence: 99%

“…Further, these techniques use off-the-shelf static analysis tools such as SOOT [22] and WALA 2 which are known to ignore crucial features used by enterprise java applications such as dependency injection [23], and centralized object store [24], among others. This often results in a sparse coverage of several critical sections of the application [25]. To overcome this challenge, certain approaches construct a dynamic call graph by instrumenting the program to amass light-weight traces as the application's many use-cases are exercised [6,26].…”

Section: Introductionmentioning

confidence: 99%

CARGO: AI-Guided Dependency Analysis for Migrating Monolithic Applications to Microservices Architecture

Asthana¹,

Ray²,

Krishna³

2022

Preprint

View full text Add to dashboard Cite

Microservices Architecture (MSA) has become a de-facto standard for designing cloud-native enterprise applications due to its efficient infrastructure setup, service availability, elastic scalability, dependability, and better security. Existing (monolithic) systems must be decomposed into microservices to harness these characteristics. Since manual decomposition of large scale applications can be laborious and error-prone, AI-based systems to detect decomposition strategies are gaining popularity. However, the usefulness of these approaches is limited by the expressiveness of the program representation and their inability to model the application's dependency on critical external resources such as databases. Consequently, partitioning recommendations offered by current tools result in architectures that result in (a) distributed monoliths, and/or (b) force the use of (often criticized) distributed transactions. This work attempts to overcome these challenges by introducing CARGO (short for Context-sensitive lAbel pRopaGatiOn)-a novel un-/semi-supervised partition refinement technique that uses a context-and flow-sensitive system dependency graph of the monolithic application to refine and thereby enrich the partitioning quality of the current state-of-the-art algorithms. CARGO was used to augment four state-of-the-art microservice partitioning techniques that were applied on five Java EE applications (one of which was a industrial scale proprietary project). Experiments demostrate that CARGO can improve the partition quality of all modern microservice partitioning techniques. Further, CARGO substantially reduces distributed transactions and a real-world performance evaluation of a benchmark application (deployed under varying loads) shows that CARGO also lowers the overall the latency of the deployed microservice application by 11% and increases throughput by 120% on average, across various sequences of simulated user actions.

show abstract

Static analysis of Java enterprise applications: frameworks and caches, the elephants in the room

Cited by 30 publications

References 16 publications

Fluently specifying taint-flow queries with fluentTQL

Fluently specifying taint-flow queries with fluentTQL

An Exploration of a Virtual Connection for Researchers and Educators by Exploring Strategies Enterprise Information Systems Specialists Need to Integrate Novel Neural Network Algorithms Into an Imaging Application – A Design Science Study

CARGO: AI-Guided Dependency Analysis for Migrating Monolithic Applications to Microservices Architecture

Contact Info

Product

Resources

About