Static flow-sensitive & context-sensitive information-flow analysis for software product lines: position paper

Authors:
Eric Bodden
Affiliations:
Technische Universität Darmstadt, Darmstadt, Germany
Venue:
Proceedings of the 7th Workshop on Programming Languages and Analysis for Security
Year:
2012

Citing 7
Cited 4

Precise interprocedural dataflow analysis via graph reachability

POPL '95 Proceedings of the 22nd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Precise interprocedural dataflow analysis with applications to constant propagation

TAPSOFT '95 Selected papers from the 6th international joint conference on Theory and practice of software development
Model checking lots of systems: efficient verification of temporal properties in software product lines

Proceedings of the 32nd ACM/IEEE International Conference on Software Engineering - Volume 1
Static Information Flow Analysis with Handling of Implicit Flows and a Study on Effects of Implicit Flows vs Explicit Flows

CSMR '10 Proceedings of the 2010 14th European Conference on Software Maintenance and Reengineering
Analyzing the discipline of preprocessor annotations in 30 million lines of C code

Proceedings of the tenth international conference on Aspect-oriented software development
Saving the world wide web from vulnerable JavaScript

Proceedings of the 2011 International Symposium on Software Testing and Analysis
Intraprocedural dataflow analysis for software product lines

Proceedings of the 11th annual international conference on Aspect-oriented Software Development

Inter-procedural data-flow analysis with IFDS/IDE and Soot

Proceedings of the ACM SIGPLAN International Workshop on State of the Art in Java Program analysis
Toward variability-aware testing

FOSD '12 Proceedings of the 4th International Workshop on Feature-Oriented Software Development
SPLLIFT: statically analyzing software product lines in minutes instead of years

Proceedings of the 34th ACM SIGPLAN conference on Programming language design and implementation
Intraprocedural dataflow analysis for software product lines

Transactions on Aspect-Oriented Software Development X

Quantified Score

Hi-index	0.00

Visualization

Abstract

A software product line encodes a potentially large variety of software products as variants of some common code base, e.g., through the use of #ifdef statements or other forms of conditional compilation. Traditional information-flow analyses cannot cope with such constructs. Hence, to check for possibly insecure information flow in a product line, one currently has to analyze each resulting product separately, of which there may be thousands, making this task intractable. We report about ongoing work that will instead enable users to check the security of information flows in entire software product lines in one single pass, without having to generate individual products from the product line. Executing the analysis on the product line promises to be orders of magnitude more faster than analyzing products individually. We discuss the design of our information-flow analysis and our ongoing implementation using the IFDS/IDE framework by Reps, Horwitz and Sagiv.