More and more web applications suffer the presence of cross-site scripting vulnerabilities that could be exploited by attackers to access sensitive information (such as credentials or credit card numbers). Hence proper tests are required to assess the security of web applications. In this paper, we resort to a search based approach for security testing web applications. We take advantage of static analysis to detect candidate cross-site scripting vulnerabilities. Input values that expose these vulnerabilities are searched by a genetic algorithm and, to help the genetic algorithm escape local optima, symbolic constraints are collected at run-time and passed to a solver. Search results represent test cases to be used by software developers to understand and fix security problems. We implemented this approach in a prototype and evaluated it on real world PHP code.
{"title":"Security Testing of Web Applications: A Search-Based Approach for Cross-Site Scripting Vulnerabilities","authors":"Andrea Avancini, M. Ceccato","doi":"10.1109/SCAM.2011.7","DOIUrl":"https://doi.org/10.1109/SCAM.2011.7","url":null,"abstract":"More and more web applications suffer the presence of cross-site scripting vulnerabilities that could be exploited by attackers to access sensitive information (such as credentials or credit card numbers). Hence proper tests are required to assess the security of web applications. In this paper, we resort to a search based approach for security testing web applications. We take advantage of static analysis to detect candidate cross-site scripting vulnerabilities. Input values that expose these vulnerabilities are searched by a genetic algorithm and, to help the genetic algorithm escape local optima, symbolic constraints are collected at run-time and passed to a solver. Search results represent test cases to be used by software developers to understand and fix security problems. We implemented this approach in a prototype and evaluated it on real world PHP code.","PeriodicalId":286433,"journal":{"name":"2011 IEEE 11th International Working Conference on Source Code Analysis and Manipulation","volume":"6 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-09-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115352718","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
We propose an approach that derives interactive visualization scenarios from descriptions of code analysis tasks. The scenario derivation is treated as an optimization process. In this context, we evaluate different possibilities of using a given visualization tool to perform the analysis task, and select the scenario that requires the least effort from the analyst. Our approach was applied successfully to various analysis tasks such as design defect detection and feature location.
{"title":"What You See is What You Asked for: An Effort-Based Transformation of Code Analysis Tasks into Interactive Visualization Scenarios","authors":"Ahmed Sfayhi, H. Sahraoui","doi":"10.1109/SCAM.2011.6","DOIUrl":"https://doi.org/10.1109/SCAM.2011.6","url":null,"abstract":"We propose an approach that derives interactive visualization scenarios from descriptions of code analysis tasks. The scenario derivation is treated as an optimization process. In this context, we evaluate different possibilities of using a given visualization tool to perform the analysis task, and select the scenario that requires the least effort from the analyst. Our approach was applied successfully to various analysis tasks such as design defect detection and feature location.","PeriodicalId":286433,"journal":{"name":"2011 IEEE 11th International Working Conference on Source Code Analysis and Manipulation","volume":"58 3","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-09-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"120815760","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Source Code Analysis and Manipulation (SCAM) underpins virtually every operational software system. Despite the impact and ubiquity of SCAM principles and techniques in software engineering, there are still frontiers to be explored. Looking "inward" to existing techniques, one finds frontiers of performance, efficiency, accuracy, and usability, looking "outward" one finds new languages, new problems, and thus new approaches. This paper presents a reflective framework for characterizing source languages and domains. It draws on current research projects in music program analysis, musical score processing, and machine knitting to identify new frontiers for SCAM. The paper also identifies opportunities for SCAM to inspire, and be inspired by, problems and techniques in other domains.
{"title":"Knitting Music and Programming: Reflections on the Frontiers of Source Code Analysis","authors":"N. Gold","doi":"10.1109/SCAM.2011.10","DOIUrl":"https://doi.org/10.1109/SCAM.2011.10","url":null,"abstract":"Source Code Analysis and Manipulation (SCAM) underpins virtually every operational software system. Despite the impact and ubiquity of SCAM principles and techniques in software engineering, there are still frontiers to be explored. Looking \"inward\" to existing techniques, one finds frontiers of performance, efficiency, accuracy, and usability, looking \"outward\" one finds new languages, new problems, and thus new approaches. This paper presents a reflective framework for characterizing source languages and domains. It draws on current research projects in music program analysis, musical score processing, and machine knitting to identify new frontiers for SCAM. The paper also identifies opportunities for SCAM to inspire, and be inspired by, problems and techniques in other domains.","PeriodicalId":286433,"journal":{"name":"2011 IEEE 11th International Working Conference on Source Code Analysis and Manipulation","volume":"24 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-09-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115048244","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Analysis of software is essential to addressing problems of correctness, efficiency, and security. Existing source code analysis tools are very useful for such purposes, but there are many instances where high-level source code is not available for software that needs to be analyzed. A need exists for tools that can analyze assembly code, whether from disassembled binaries or from handwritten sources. This paper describes an equational reasoning system for assembly code for the ubiquitous Intel x86 architecture, focusing on various problems that arise in low-level equational reasoning, such as register-name aliasing, memory indirection, condition-code flags, etc. Our system has successfully been applied to the problem of simplifying execution traces from obfuscated malware executables.
{"title":"Equational Reasoning on x86 Assembly Code","authors":"Kevin Coogan, S. Debray","doi":"10.1109/SCAM.2011.15","DOIUrl":"https://doi.org/10.1109/SCAM.2011.15","url":null,"abstract":"Analysis of software is essential to addressing problems of correctness, efficiency, and security. Existing source code analysis tools are very useful for such purposes, but there are many instances where high-level source code is not available for software that needs to be analyzed. A need exists for tools that can analyze assembly code, whether from disassembled binaries or from handwritten sources. This paper describes an equational reasoning system for assembly code for the ubiquitous Intel x86 architecture, focusing on various problems that arise in low-level equational reasoning, such as register-name aliasing, memory indirection, condition-code flags, etc. Our system has successfully been applied to the problem of simplifying execution traces from obfuscated malware executables.","PeriodicalId":286433,"journal":{"name":"2011 IEEE 11th International Working Conference on Source Code Analysis and Manipulation","volume":"3 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-09-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124542536","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Jens Nicolay, Coen De Roover, W. Meuter, V. Jonckers
The multi-core revolution heralds a challenging era for software maintainers. Manually parallelizing large sequential code bases is often infeasible. In this paper, we present a program transformation that automatically parallelizes real-life Scheme programs. The transformation has to be instantiated with an interprocedural dependence analysis that exposes parallelization opportunities in a sequential program. To this end, we extended a state-of-the art analysis that copes with higher-order procedures and side effects. Our parallelizing transformation exploits all opportunities for parallelization that are exposed by the dependence analysis. Experiments demonstrate that this brute-force approach realizes scalable speedups in certain benchmarks, while others would benefit from a more selective parallelization.
{"title":"Automatic Parallelization of Side-Effecting Higher-Order Scheme Programs","authors":"Jens Nicolay, Coen De Roover, W. Meuter, V. Jonckers","doi":"10.1109/SCAM.2011.13","DOIUrl":"https://doi.org/10.1109/SCAM.2011.13","url":null,"abstract":"The multi-core revolution heralds a challenging era for software maintainers. Manually parallelizing large sequential code bases is often infeasible. In this paper, we present a program transformation that automatically parallelizes real-life Scheme programs. The transformation has to be instantiated with an interprocedural dependence analysis that exposes parallelization opportunities in a sequential program. To this end, we extended a state-of-the art analysis that copes with higher-order procedures and side effects. Our parallelizing transformation exploits all opportunities for parallelization that are exposed by the dependence analysis. Experiments demonstrate that this brute-force approach realizes scalable speedups in certain benchmarks, while others would benefit from a more selective parallelization.","PeriodicalId":286433,"journal":{"name":"2011 IEEE 11th International Working Conference on Source Code Analysis and Manipulation","volume":"35 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-09-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122533690","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
The srcML toolkit for lightweight transformation and fact-extraction of source code is described. srcML is an XML format for C/C++/Java source code. The open source toolkit that includes the source-to-srcML and srcML-to-source translators for round-trip reverse engineering is freely available. The direct use of XPath and XSLT is supported, an archive format for large projects is included, and a rich set of input and output formats through a command-line interface is available. Applying transformations and formulating queries using srcML is very convenient. Application use-cases of transformations and fact-extraction are shown and demonstrated to be practical and scalable.
本文描述了用于源代码的轻量级转换和事实提取的srcML工具包。srcML是用于C/ c++ /Java源代码的XML格式。开源工具包包括用于往返逆向工程的从源代码到srcml和srcml到源代码的翻译器,可以免费获得。它支持直接使用XPath和XSLT,包括用于大型项目的归档格式,并且通过命令行接口提供了丰富的输入和输出格式集。使用srcML应用转换和制定查询非常方便。转换和事实提取的应用程序用例被展示出来,并被证明是实用的和可伸缩的。
{"title":"Lightweight Transformation and Fact Extraction with the srcML Toolkit","authors":"M. Collard, M. J. Decker, Jonathan I. Maletic","doi":"10.1109/SCAM.2011.19","DOIUrl":"https://doi.org/10.1109/SCAM.2011.19","url":null,"abstract":"The srcML toolkit for lightweight transformation and fact-extraction of source code is described. srcML is an XML format for C/C++/Java source code. The open source toolkit that includes the source-to-srcML and srcML-to-source translators for round-trip reverse engineering is freely available. The direct use of XPath and XSLT is supported, an archive format for large projects is included, and a rich set of input and output formats through a command-line interface is available. Applying transformations and formulating queries using srcML is very convenient. Application use-cases of transformations and fact-extraction are shown and demonstrated to be practical and scalable.","PeriodicalId":286433,"journal":{"name":"2011 IEEE 11th International Working Conference on Source Code Analysis and Manipulation","volume":"16 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-09-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125994082","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
The recent meteoric rise in the use of smart phones and other mobile devices has led to a new class of applications, i.e., micro-apps, that are designed to run on devices with limited processing, memory, storage and display resources. Given the rapid succession of mobile technologies and the fierce competition, micro-app vendors need to release new features at break-neck speed, without sacrificing product quality. To understand how different mobile platforms enable such a rapid turnaround-time, this paper compares three pairs of feature-equivalent Android and Blackberry micro-apps. We do this by analyzing the micro-apps along the dimensions of source code, code dependencies and code churn. BlackBerry micro-apps are much larger and rely more on third party libraries. However, they are less susceptible to platform changes since they rely less on the underlying platform. On the other hand, Android micro-apps tend to concentrate code into fewer files and rely heavily on the Android platform. On both platforms, code churn of micro-apps is very high.
{"title":"Exploring the Development of Micro-apps: A Case Study on the BlackBerry and Android Platforms","authors":"Mark D. Syer, Bram Adams, Ying Zou, A. Hassan","doi":"10.1109/SCAM.2011.25","DOIUrl":"https://doi.org/10.1109/SCAM.2011.25","url":null,"abstract":"The recent meteoric rise in the use of smart phones and other mobile devices has led to a new class of applications, i.e., micro-apps, that are designed to run on devices with limited processing, memory, storage and display resources. Given the rapid succession of mobile technologies and the fierce competition, micro-app vendors need to release new features at break-neck speed, without sacrificing product quality. To understand how different mobile platforms enable such a rapid turnaround-time, this paper compares three pairs of feature-equivalent Android and Blackberry micro-apps. We do this by analyzing the micro-apps along the dimensions of source code, code dependencies and code churn. BlackBerry micro-apps are much larger and rely more on third party libraries. However, they are less susceptible to platform changes since they rely less on the underlying platform. On the other hand, Android micro-apps tend to concentrate code into fewer files and rely heavily on the Android platform. On both platforms, code churn of micro-apps is very high.","PeriodicalId":286433,"journal":{"name":"2011 IEEE 11th International Working Conference on Source Code Analysis and Manipulation","volume":"44 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-09-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134266629","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Experienced programmers choose identifier names carefully, in the attempt to convey information about the role and behavior of the labeled code entity in a concise and expressive way. In fact, during program understanding the names given to code entities represent one of the major sources of information used by developers. We conjecture that lexicon bad smells, such as, extreme contractions, inconsistent term use, odd grammatical structure, etc., can hinder the execution of maintenance tasks which rely on program understanding. We propose an approach to determine the extent of this impact and instantiate it on the task of concept location. In particular, we conducted a study on two open source software systems where we investigated how lexicon bad smells affect Information Retrieval-based concept location. In this study, the classes changed in response to past modification requests are located before and after lexicon bad smells are identified and removed from the source code. The results indicate that lexicon bad smells impact concept location when using IRbased techniques.
{"title":"The Effect of Lexicon Bad Smells on Concept Location in Source Code","authors":"S. Abebe, S. Haiduc, P. Tonella, Andrian Marcus","doi":"10.1109/SCAM.2011.18","DOIUrl":"https://doi.org/10.1109/SCAM.2011.18","url":null,"abstract":"Experienced programmers choose identifier names carefully, in the attempt to convey information about the role and behavior of the labeled code entity in a concise and expressive way. In fact, during program understanding the names given to code entities represent one of the major sources of information used by developers. We conjecture that lexicon bad smells, such as, extreme contractions, inconsistent term use, odd grammatical structure, etc., can hinder the execution of maintenance tasks which rely on program understanding. We propose an approach to determine the extent of this impact and instantiate it on the task of concept location. In particular, we conducted a study on two open source software systems where we investigated how lexicon bad smells affect Information Retrieval-based concept location. In this study, the classes changed in response to past modification requests are located before and after lexicon bad smells are identified and removed from the source code. The results indicate that lexicon bad smells impact concept location when using IRbased techniques.","PeriodicalId":286433,"journal":{"name":"2011 IEEE 11th International Working Conference on Source Code Analysis and Manipulation","volume":"13 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-09-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122322307","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
When analyzing software systems we face the challenge of how to implement a particular analysis for different programming languages. A solution for this problem is to write a single analysis using a code query language, abstracting from the specificities of languages being analyzed. Over the past ten years many code query technologies have been developed, based on different formalisms. Each technology comes with its own query language and set of features. To determine the state of the art of code querying we compare the languages and tools for seven code query technologies: Grok, Rscript, JRelCal, Semmle Code, JGraLab, CrocoPat and JTransformer. The specification of a package stability metric is used as a running example to compare the languages. The comparison involves twelve criteria, some of which are concerned with properties of the query language (paradigm, types, parametrization, polymorphism, modularity, and libraries), and some of which are concerned with the tool itself (output formats, interactive interface, API support, interchange formats, extraction support, and licensing). We contextualize the criteria in two usage scenarios: interactive and tool integration. We conclude that there is no particularly weak or dominant tool. As important improvement points, we identify the lack of library mechanisms, interchange formats, and possibilities for integration with source code extractors.
{"title":"A Comparative Study of Code Query Technologies","authors":"Tiago L. Alves, Jurriaan Hage, P. Rademaker","doi":"10.1109/SCAM.2011.14","DOIUrl":"https://doi.org/10.1109/SCAM.2011.14","url":null,"abstract":"When analyzing software systems we face the challenge of how to implement a particular analysis for different programming languages. A solution for this problem is to write a single analysis using a code query language, abstracting from the specificities of languages being analyzed. Over the past ten years many code query technologies have been developed, based on different formalisms. Each technology comes with its own query language and set of features. To determine the state of the art of code querying we compare the languages and tools for seven code query technologies: Grok, Rscript, JRelCal, Semmle Code, JGraLab, CrocoPat and JTransformer. The specification of a package stability metric is used as a running example to compare the languages. The comparison involves twelve criteria, some of which are concerned with properties of the query language (paradigm, types, parametrization, polymorphism, modularity, and libraries), and some of which are concerned with the tool itself (output formats, interactive interface, API support, interchange formats, extraction support, and licensing). We contextualize the criteria in two usage scenarios: interactive and tool integration. We conclude that there is no particularly weak or dominant tool. As important improvement points, we identify the lack of library mechanisms, interchange formats, and possibilities for integration with source code extractors.","PeriodicalId":286433,"journal":{"name":"2011 IEEE 11th International Working Conference on Source Code Analysis and Manipulation","volume":"9 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-09-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124313609","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Check Pointer is a memory access validator for checking spatial and temporal pointer usage errors in multi-threaded applications by tracking meta data and validating pointer dereferences at run-time. The tool uses source-to source transformations implemented with DMS to instrument the source code of the application to be validated with meta data checks. Libraries available only in binary form are handled by using function wrappers that check meta data immediately before calling a library function and update meta data as necessary immediately after the library function returns.
{"title":"CheckPointer - A C Memory Access Validator","authors":"M. Mehlich","doi":"10.1109/SCAM.2011.8","DOIUrl":"https://doi.org/10.1109/SCAM.2011.8","url":null,"abstract":"Check Pointer is a memory access validator for checking spatial and temporal pointer usage errors in multi-threaded applications by tracking meta data and validating pointer dereferences at run-time. The tool uses source-to source transformations implemented with DMS to instrument the source code of the application to be validated with meta data checks. Libraries available only in binary form are handled by using function wrappers that check meta data immediately before calling a library function and update meta data as necessary immediately after the library function returns.","PeriodicalId":286433,"journal":{"name":"2011 IEEE 11th International Working Conference on Source Code Analysis and Manipulation","volume":"7 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-09-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123320506","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: