{"title":"Field Escape Analysis for Data Confidentiality in Java Components","authors":"Aiwu Shi, G. Naumovich","doi":"10.1109/APSEC.2007.56","DOIUrl":null,"url":null,"abstract":"This paper presents an extension of escape analysis for static detection of threats to data confidentiality in Java components, called field escape analysis. We augment existing escape analyses, which are typically based on points-to analysis for reference (or pointer) type, with data and control dependence analyses with respect to primitive type. To meet the demand of security analysis, we propose a graph representation, called primitive value dependence graph (PVDG), and a novel semantics for dependence analysis. We have built a static analysis tool for Java components called SecDetector. In the experimental evaluation, using different combinations of underlying analysis techniques (e.g., points-to analysis, dependence analysis), we evaluated trades-offs between precision and performance on five publicly-available J2EE applications. On the benchmarks examined, there are few false positives in our study. It provides evidence of the usefulness of our approach.","PeriodicalId":273688,"journal":{"name":"14th Asia-Pacific Software Engineering Conference (APSEC'07)","volume":"57 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2007-12-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"14th Asia-Pacific Software Engineering Conference (APSEC'07)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/APSEC.2007.56","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 2
Abstract
This paper presents an extension of escape analysis for static detection of threats to data confidentiality in Java components, called field escape analysis. We augment existing escape analyses, which are typically based on points-to analysis for reference (or pointer) type, with data and control dependence analyses with respect to primitive type. To meet the demand of security analysis, we propose a graph representation, called primitive value dependence graph (PVDG), and a novel semantics for dependence analysis. We have built a static analysis tool for Java components called SecDetector. In the experimental evaluation, using different combinations of underlying analysis techniques (e.g., points-to analysis, dependence analysis), we evaluated trades-offs between precision and performance on five publicly-available J2EE applications. On the benchmarks examined, there are few false positives in our study. It provides evidence of the usefulness of our approach.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
