Program Analysis and Mining Software Repositories

Program Analysis and Mining Software Repositories

Ongoing Research

PEAKS is an acronym for “Platform for the Efficient Analysis and Secure Composition of Software Components”. A fundamental building block in making software engineering more efficient is the reuse of existing components and libraries. Applications are composed of a stack of libraries in conjunction with the respective business code. But as the code of the libraries becomes a part of the control flow of the application, it will run in the same process and thus in the same security context as the main application regardless of the actual need for such a privilege. We aim to build a tool to detect these unnecessary permissions in software libraries and to recommend procedures to limit these privileges or their impact.
[more…]
FlowTwist’s primary goal is to develop a highly precise and scalable automated code analysis that is able to detect security vulnerabilities in the Java Runtime Library. The main challenge is that existing techniques are either precise or scale to huge applications, but usually not both. Therefore, new techniques are being developed as part of the project that are not only applicable in the projects specific context, but in general.
[more…]
OPAL is a new project to develop an integrated set of tools for analyzing software programs. OAPL aims to support analyses ranging from simple bug detectors to analyses depending on complex control- and data-flow information. As part of OPAL, a runtime environment is implemented that enables the efficient specification and execution of such analyses and which will also be the foundation for a wide range of software engineering tools. OPAL is targeted towards analyzing programs that are executed on top of the Java Virtual Machine. OPAL particularly supports the analysis of programs written in Java like languages.
[more…]
The Eko project is part of the Software Campus, a program funded by the German government that supports young researchers and brings academia and industry together. We cooperate with DHL IT Services to develop an approach for API misuse detection. The goal is to mine usage patterns from existing software code, to detect violations in code under development, and to propose fixes for the findings.
[more…]
The KaVE project is part of the Software Campus, a program funded by the German government that supports young researchers and brings academia and industry together. We work together with an industry partner and develop a recommender system for Visual Studio/C#. The term “KaVE” is an abbreviation for the German title “Kombination automatisierter Verfahren mit Expertenwissen” (“Combination of automated approaches with experts knowledge”). The goal of the project is to enrich statically mined models with feedback provided by experts.
[more…]

Associated Research

Code Recommenders supports developers on learning new APIs by providing tools which learn correct API usages or valuable API usage patterns by analyzing example code and re-integrates this regained knowledge back into your IDE by means of intelligent code completion, extended javadocs, smart bug detectors, stacktrace search engines and others…
[more…]
Soot is a Java optimization framework. It provides four intermediate representations for analyzing and transforming Java bytecode: 1. Baf: a streamlined representation of bytecode which is simple to manipulate. 2. Jimple: a typed 3-address intermediate representation suitable for optimization. 3. Shimple: an SSA variation of Jimple. 4. Grimp: an aggregated version of Jimple suitable for decompilation and code inspection. Soot can be used as a stand alone tool to optimize or inspect class files, as well as a framework to develop optimizations or transformations on Java bytecode. Soot was developed by Laurie Hendren's and Clark Verbrugge's Sable Research Group of McGill University. However, the project is now mostly maintained by Eric Bodden, who was a Ph.D. student at McGill before he moved to the STG. Eric will happily answer all Soot-related questions.
[more…]
TamiFlex is a tool suite to facilitate static analyses of Java programs that use reflection and custom class loaders. The suite consists of two agents that use the java.lang.instrument API, one Play-out Agent and one Play-in Agent. The Play-out Agent allows you to monitor a Java program using any Java-6 compliant JVM, (1) dumping a reflection trace file, providing information about reflective calls on the program run, and (2) dumping all classes that the virtual machine loaded on this run, including runtime-generated classes. With the Play-in Agent you can cause the virtual machine to load classes from a specified directory instead of from they would normally be loaded from. This is useful for replacing classes by statically optimized classes irrespective of the program's class-loading setup.
[more…]