Reading Group Spring 2007
Prolangs: A Light Seminar on
Program Analysis for Software Security
Spring 2007
198:500:04 index 48086
Thursdays, 1:30pm-3:15pm, CoRE B
Information
This light seminar will cover research papers on analyses for the security of software systems. The programming languages considered are primarily C, C++, and Java. Most of these analyses are compile-time techniques. Our focus will be on recent research papers, but we will also cover journal articles of interest. An initial list of possible papers to be read will be posted soon.
Participants in this seminar are expected to present at least one research paper during the term. We will meet once every week for approximately 90 minutes on Thursday afternoons, 1:30-3:15pm in the CoRE B conference room.
If you have any questions regarding this light seminar, please contact Prof. Ryder (ryder@cs) by email; our organizational meeting will be on Thursday, January 19, 2006 at 1:30pm. Our first session on Thursday, January 25th will be an overview talk by Prof. Ryder on ideas and concepts from static analysis of OO programs; attendance will be mandatory for all registrants. Our research paper sessions will start on Thursday, Feb 1st.
List of Papers
Schedule
- Jan 18
  - Organizational meeting
- Jan 25
  - Overview lecture on the language of static analysis: dataflow analysis, reference analysis, dependence analysis nomenclature, with examples
  - Slides: pdf
- Feb 1
  - Presenter: Barbara Ryder
  - Paper: M. Pistoia, S. Chandra, S. Fink and E. Yahav, "Using Static Analysis for Security Compliance Management", To appear.
  - Slides: pdf
- Feb 8
  - Presenter: Chen Fu
  - Paper: M. Pistoia, R. J. Flynn, L. Koved, and V. C. Sreedhar, "Interprocedural Analysis for Privileged Code Placement and Tainted Variable Detection", ECOOP 2005.
  - Slides: pdf
- Feb 15
  - No class, Prof. Ryder at IBM Workshop
- Feb 22
  - Guest speaker: Marco Pistoia, IBM T.J. Watson Research Center
  - Slides: pdf
- Mar 1
  - Cancelled
- Mar 8
  - Tom:
    - R. E. Strom and S. Yemini, "Typestate: A programming language concept for enhancing software reliability", IEEE Trans. Software Eng., vol. 12, no. 1, pp. 157-171, 1986.
    - R. E. Strom and D. M. Yellin, "Extending Typestate Checking Using Conditional Liveness Analysis", IEEE Trans. Software Eng., vol. 19, no. 5, pp. 478-485, 1993.
- Mar 22
  - Robert: D. E. Denning, P. J. Denning, "Certification of Programs for Secure Information Flow", CACM '77.
  - Qian: Z. Su, G. Wassermann, "The essence of command injection attacks in web applications", POPL '06.
- Mar 29
  - Xiang: M. Christodorescu, S. Jha, "Static Analysis of Executables to Detect Malicious Patterns", USENIX Security Symposium 2003.
  - Desiree: V. B. Livshits, M. S. Lam, "Finding Security Vulnerabilities in Java Applications with Static Analysis", USENIX Security Symposium 2005.
- Apr 5
  - Weilei:
    - G. Snelting, T. Robschink, J. Krinke, "Efficient Path Conditions in Dependence Graphs for Software Safety Analysis", TOSEM'06.
    - The TOSEM paper is an extended version of an ICSE'02 paper: "Efficient path conditions in dependence graphs".
    - There is also a related work: C. Hammer, J. Krinke, and G. Snelting, "Information Flow Control for Java Based on Path Conditions in Dependence Graphs", ISSSE '06.
    - Slides: [1]
- Apr 12
  - Xiaoxia: A. Sabelfeld, A. C. Myers, "Language-Based Information-Flow Security", IEEE Journal on Selected Areas in Communications, vol. 21, no. 1, pp. 5–19, Jan. 2003.
  - Slides: pdf
- Apr 19
  - Pradip: K. Ashcraft, D. R. Engler, "Using Programmer-Written Compiler Extensions to Catch Security Holes", IEEE Symposium on Security and Privacy 2002.
  - Ophelia: C. Gould, Z. Su, P. Devanbu, "Static Checking of Dynamically Generated Queries in Database Applications", ICSE'04.
- Apr 26
  - Bruno: Y. Xie, A. Aiken, "Static Detection of Security Vulnerabilities in Scripting Languages", USENIX Security Symposium 2006.
  - Chris: U. Shankar, K. Talwar, J. S. Foster, and D. Wagner, "Detecting Format String Vulnerabilities with Type Qualifiers", USENIX Security Symposium 2001.
