Field Escape Analysis for Data Confidentiality in Java Components
Authors: Aiwu Shi, G. Naumovich
Venue: 14th Asia-Pacific Software Engineering Conference (APSEC'07)
Publication date: 2007-12-04
DOI: https://doi.org/10.1109/APSEC.2007.56
This paper presents an extension of escape analysis for static detection of threats to data confidentiality in Java components, called field escape analysis. We augment existing escape analyses, which are typically based on points-to analysis for reference (or pointer) type, with data and control dependence analyses with respect to primitive type. To meet the demand of security analysis, we propose a graph representation, called primitive value dependence graph (PVDG), and a novel semantics for dependence analysis. We have built a static analysis tool for Java components called SecDetector. In the experimental evaluation, using different combinations of underlying analysis techniques (e.g., points-to analysis, dependence analysis), we evaluated trade-offs between precision and performance on five publicly-available J2EE applications. On the benchmarks examined, there are few false positives in our study. It provides evidence of the usefulness of our approach.