A recap on our research progress in 2012

Eric | December 21, 2012

The year is coming to an end, and in fact some believe so may the world, so I thought I would give everyone a recap of what we have worked on and accomplished in 2012. What an exciting year this was! Through funding by EC SPRIDE and my new Emmy Noether Group RUNSECURE, my group grew from a single PhD student to five! This was obviously quite an exciting but also challenging shift for me: coordinating such a large and new group is not an easy task – but at the end of the year I have to say that I think I am getting the hang of it.

In a collaboration with Andreas Thies from Fernuni Hagen, we were able to develop the first system that can guarantee to some decent extent the correctness of refactorings in the presence of reflective method invocations. Our Eclipse plugin RefaFlex is available for download. Our ISSTA publication on the topic received the SIGSOFT Distinguished Paper Award.

Around the beginning of the year we started quite fruitful collaborations with the groups of Jacques Klein and Patrick McDaniel to work on an analysis infrastructure for Android based on Soot. Alexandre Bartel has just released our current versions of a pair of Dex-to-Jimple and Jimple-to-Dex converters, which in combination allow for arbitrarily precise analyses and transformations on Dalvik bytecode. (The Jimple-to-Dex converter is a contribution by Thomas Pilot, developed as his MSc thesis.) We plan to publish interesting analyses based on this framework soon. If you are interested in playing around with it yourself, check out our development branch.

We have also recently released Heros, a brand new IFDS/IDE solver implementation which integrates with Soot but can also be used with other program-analysis frameworks. The solver allows for very precise and scalable flow-sensitive inter-procedural data-flow analyses. The solver is open source in the hope that others will help us extend and maintain it.

Another very fruitful collaboration is the one with Claus Brabrand, the group of Paulo Borba and with Mira Mezini. In this collaboration we developed a way to transparently reuse any IFDS-based program analysis for software product lines without having to change a single line of analysis code. The approach outperforms the traditional generate-and-analyze approach by several orders of magnitude. Our results are currently under submission but are already available in a technical report. Our implementation is directly based on Heros (see above). Recently we have started to team up with Sven Apel’s group to allow for similar analyses on C code bases that use #ifdefs.

In a project funded jointly by the DAAD and the Norges Forskningsrådet, together with Volker Stolz from UiO we investigated how runtime monitors can be expressed as features in an ABS product line. Our results have been published at ISoLA. Volker now continues to collaborate with us within the RUNSECURE project.

Together with Eric Tanter and Milton Inostroza from the University of Chile, we continued our work on Join Point Interfaces. We have now arrived at a language design which we are really happy with and which results in a language which I would seriously consider “AspectJ as it should have been”. Our approach allows for both flexible quantification and modular and sound type checking (the latter of which AspectJ does not support). The work is currently under submission but a Tech Report is available. Our compiler is available online, too.

In a collaboration with Stefan Katzenbeisser’s and Mira Mezini’s groups, we were able to develop a system for dynamic anomaly detection in hybrid-cloud scenarios. It can be used for what we call behavioral attestation. You can find the appropriate publication here.

My new PhD students have also started to take on their topics, and the more experienced ones have made good progress on theirs. Here is our current lineup:

Steven Arzt (from Darmstadt) joined in Fall and is working on updating IDE-based analyses to incremental program changes (based on Heros). First results are very promising and we expect to publish first results by the summer.

Kevin Falzon (from Malta) started in Spring and has started to work on the idea of defining a unified formal framework for identifying and mitigating side channels in virtual execution environments.

Andreas Follner (from Vienna) started in Summer and is working on methods to reliably identify string buffers in X86 binary code. In a second step he will then implement techniques to identify and avoid overflows of those buffers. (In case you thought buffer overflows are a solved problem – if you ask people in industry then they clearly are not.)

Kirill Kononenko (from Moscow) already started in Summer 2011. Since then, he has been working on constructive techniques to mitigate timing channels in X86 code. He recently performed an internship at IBM Haifa with Dorit Nuzman, which was quite helpful in that respect. (Thanks Dorit!)

Siegfried Rasthofer (from Passau) started in Fall and is working primarily on the RUNSECURE project. In this Emmy Noether project we develop a policy/programming language for defining practical enforcement monitors that can enforce security and privacy properties for running programs. A first position paper on the topic is available. For starters, we will apply this technology to the Android framework.

A couple of students also completed their master's theses in 2012:

In a collaboration with SAP Research, Fabian Richter developed a very practical system for model-based testing of web applications. The work builds on existing tools but implements quite a few twists that turned out to be absolutely crucial to actually make the approach viable in practice.

Kamil Erhard developed Dynamate, a framework for using InvokeDynamic in a more reusable and disciplined manner. The framework targets programming-language engineers and allows them to make use of InvokeDynamic more easily. Because the framework defines common interfaces, it also restores some hope for static discovery and optimization of InvokeDynamic call sites.

As I told you… an exciting year. So now let’s all hope that the Maya were wrong so that we can continue with as much excitement in 2013. In case you are interested in collaborating with us on one of the topics mentioned above, please don’t hesitate to contact us!

So long, Merry Christmas and a Happy New Year!