检索结果-内蒙古大学图书馆

arXiv 2021年

作者： Cui, Mohan Chen, Chengjun Xu, Hui Zhou, Yangfan School of Computer Science Fudan University China

Rust is an emerging programming language that aims to prevent memory-safety bugs. However, the current design of Rust also brings side effects which may increase the risk of memory-safety issues. In particular, it employs OBRM (ownership-based resource management) and enforces automatic deallocation of unused resources without the garbage collector. It may therefore falsely deallocate reclaimed memory and lead to use-after-free or double-free issues. In this paper, we study the problem of invalid memory deallocation and propose SafeDrop, a static path-sensitive data-flow analysis approach to detect such bugs. Our approach analyzes each API of a Rust crate iteratively by traversing the control-flow graph and extracting all aliases of each data-flow. To guarantee precision and scalability, we leverage a modified Tarjan algorithm to achieve scalable path-sensitive analysis, and a cache-based strategy to achieve efficient inter-procedural analysis. Our experiment results show that our approach can successfully detect all existing CVEs of such issues with a limited number of false positives. The analysis overhead ranges from 1.0% to 110.7% in comparison with the original compilation time. We further apply our tool to several real-world Rust crates and find 8 Rust crates involved with invalid memory deallocation issues. Copyright © 2021, The Authors. All rights reserved.

关键词： data flow analysis

来源：评论

学校读者我要写书评

暂无评论

CryptoEval: Evaluating the Risk of Cryptographic Misuses in Android Apps with data-flow analysis

arXiv

引用

arXiv 2021年

作者： Sun, Cong Xu, Xinpeng Wu, Yafei Zeng, Dongrui Tan, Gang Ma, Siqi Wang, Peicheng The School of Cyber Engineering Xidian University 710071 China Palo Alto Networks Santa ClaraCA United States The Pennsylvania State University University ParkPA United States The University of New South Wales Canberra Australia

The misunderstanding and incorrect configurations of cryptographic primitives have exposed severe security vulnerabilities to attackers. Due to the pervasiveness and diversity of cryptographic misuses, a comprehensive and accurate understanding of how cryptographic misuses can undermine the security of an Android app is critical to the subsequent mitigation strategies but also challenging. Although various approaches have been proposed to detect cryptographic misuse in Android apps, studies have yet to focus on estimating the security risks of cryptographic misuse. To address this problem, we present an extensible framework for deciding the threat level of cryptographic misuse in Android apps. Firstly, we propose a general and unified specification for representing cryptographic misuses to make our framework extensible and develop adapters to unify the detection results of the state-of-the-art cryptographic misuse detectors, resulting in an adapter-based detection tool chain for a more comprehensive list of cryptographic misuses. Secondly, we employ a misuse-originating data-flow analysis to connect each cryptographic misuse to a set of data-flow sinks in an app, based on which we propose a quantitative data-flow-driven metric for assessing the overall risk of the app introduced by cryptographic misuses. To make the per-app assessment more useful for app vetting at the app-store level, we apply unsupervised learning to predict and classify the top risky threats to guide more efficient subsequent mitigation. In the experiments on an instantiated implementation of the framework, we evaluate the accuracy of our detection and the effect of data-flow-driven risk assessment of our framework. Our empirical study on over 40,000 apps and the analysis of popular apps reveal important security observations on the real threats of cryptographic misuse in Android apps. Copyright © 2021, The Authors. All rights reserved.

关键词： data flow analysis

来源：评论

学校读者我要写书评

暂无评论

Optimal and perfectly parallel algorithms for on-demand data-flow analysis

arXiv

引用

arXiv 2020年

作者： Chatterjee, Krishnendu Goharshady, Amir Kafshdar Ibsen-Jensen, Rasmus Pavlogiannis, Andreas IST Austria Klosterneuburg Austria University of Liverpool Liverpool United Kingdom Aarhus University Aarhus Denmark

Interprocedural data-flow analyses form an expressive and useful paradigm of numerous static analysis applications, such as live variables analysis, alias analysis and null pointers analysis. The most widely-used framework for interprocedural data-flow analysis is IFDS, which encompasses distributive data-flow functions over a finite domain. On-demand data-flow analyses restrict the focus of the analysis on specific program locations and data facts. This setting provides a natural split between (i) an offline (or preprocessing) phase, where the program is partially analyzed and analysis summaries are created, and (ii) an online (or query) phase, where analysis queries arrive on demand and the summaries are used to speed up answering queries. In this work, we consider on-demand IFDS analyses where the queries concern program locations of the same procedure (aka same-context queries). We exploit the fact that flow graphs of programs have low treewidth to develop faster algorithms that are space and time optimal for many common data-flow analyses, in both the preprocessing and the query phase. We also use treewidth to develop query solutions that are embarrassingly parallelizable, i.e. the total work for answering each query is split to a number of threads such that each thread performs only a constant amount of work. Finally, we implement a static analyzer based on our algorithms, and perform a series of on-demand analysis experiments on standard benchmarks. Our experimental results show a drastic speed-up of the queries after only a lightweight preprocessing phase, which significantly outperforms existing techniques. Copyright © 2020, The Authors. All rights reserved.

关键词： data flow analysis

来源：评论

学校读者我要写书评

暂无评论

Automated data-flow analysis and validation in process automation projects 18

Automated data-flow analysis and validation in process autom...

引用

18th International Conference on New Trends in Intelligent Software Methodologies, Tools and Techniques, SoMeT 2019

作者： Beyer, Lars Dageförde, Jan C. Kuchen, Herbert Usener, Claus A. Viadee Unternehmensberatung AG Anton-Bruchausen-Str. 8 Münster Germany ERCIS Leonardo-Campus 3 Münster Germany

ISBN: (纸本)9781643680125

Process-driven applications (PDAs) rely on a combination of executable process models and code that implements individual process steps. These step implementations rely on process variables that maintain state across process steps and are used to take decisions on alternative execution paths, i. e. they hold data received from and saved to (external) backend systems. As a result, the data flow of a PDA can become complex even if each step implementation is kept simple. Complexity arises from various possibilities for manipulating process variables, in addition to the variety of execution paths that make it difficult to keep track of process variables. We propose a static analysis approach for managing or reducing complexity by limiting the solution space of implementations. It checks assertions on the data flow in PDAs while taking process variables into account. Assertions are specified using our novel data-flow validation language (DFVL). For demonstration, DFVL and automated assertion checking are implemented as part of an open source process application validation tool. The tool facilitates the use of DFVL for automated static analyses in the same way as unit tests are used for software testing. A short evaluation shows the applicability of our approach and tool. © 2019 The authors and IOS Press. All rights reserved.

关键词： data flow analysis

来源：评论

学校读者我要写书评

暂无评论

data flow analysis on android platform with fragment lifecycle modeling 12th

Data flow analysis on android platform with fragment lifecyc...

引用

12th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2016

作者： Li, Yongfeng Ouyang, Jinbin Guo, Shanqing Mao, Bing State Key Laboratory for Novel Software Technology Department of Computer Science and Technology Nanjing University Nanjing China School of Computer Science and Technology Shandong University Jinan China

ISBN: (纸本)9783319596075

Smartphones carry a large quantity of sensitive information to satisfy people’s various requirements, but the way of using information is important to keep the security of users’ privacy. There are two kinds of misuses of sensitive information for apps. On the one hand, careless programmers may leak the data by accident. On the other hand, the attackers develop malware to collect sensitive data intentionally. Many researchers apply data flow analysis to detect data leakages of an app. However, data flow analysis on Android platform is quite different from the programs on desktop. Many researchers have solved some problems of data flow analysis on Android platform, like Activity lifecycle, callback methods, inter-component communication. We find that Fragment’s lifecycle also has an effect on the data flow analysis of Android apps. Some data will be leaked if we don’t take Fragment’s lifecycle into consideration when performing data flow analysis in Android apps. So in this paper, we propose an approach to model Fragment’s lifecycle and its relationship with Activity’s lifecycle, then introduce a tool called FragDroid based on flowDroid [7]. We conduct some experiments to evaluate the effectiveness of our tool and the results show that there are 8% of apps in our data set using Fragment. In particular, for popular apps, the result is 50.8%. We also evaluate the performance of using FragDroid to analyze Android apps, the result shows the average overhead is 17%. © ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2017.

关键词： data flow analysis

来源：评论

学校读者我要写书评

暂无评论

An extensible framework for collaborative e-governance platform workflow modeling using data flow analysis

引用

INFORMATION TECHNOLOGY FOR DEVELOPMENT 2017年第3期23卷 415-437页

作者： Liu, Luning Ju, Jingrui Feng, Yuqiang Harbin Inst Technol Sch Management Dept Management Sci & Engn Room 61213 Fayuan St Harbin 150001 Heilongjiang Peoples R China

As IT-enabled collaborative technologies facilitate the transformation from government to governance, governments are working to establish collaborative e-governance platforms across organizational boundaries in different contexts, especially in developed countries. In contrast, most developing countries are still at a nascent stage of platform construction. There is little research investigating the function-oriented across-organization platform modeling required to drive platform design and development for developing countries. Therefore, we propose a framework for collaborative e-governance platform workflow modeling, including three level-extensible dimensions of requirement, method, and model. Specifically, we identify four basic functions and eight patterns, extend a method of object-oriented workflow modeling using data flow analysis, and separately model the platform on the top level and object level. Finally, we apply the framework to a citizen appeal processing platform to validate its utility. The framework provides an operable method and reusable function object models, which contribute to the contextualized collaborative e-governance platform modeling for developing regions.

关键词： Collaborative e-governance platform workflow modeling data flow analysis function object object-oriented

来源：评论

学校读者我要写书评

暂无评论

Towards certified data flow analysis of business processes 9

Towards certified data flow analysis of business processes

引用

9th Central European Workshop on Services and their Composition, ZEUS 2017

作者： Heinze, Thomas S. Friedrich Schiller University Jena Jena07743 Germany

data flow analysis allows for the static analysis of business processes. Certified data flow analysis would even allow for a trustwhorty analysis, as the analysis comes with a machine-checkable correctness proof. In t... 详细信息

关键词： data flow analysis

来源：评论

学校读者我要写书评

暂无评论

Structurally Defined Conditional data-flow Static analysis 24th

Structurally Defined Conditional Data-Flow Static Analysis

引用

24th International Conference on Tools and Algorithms for the Construction and analysis of Systems (TACAS) Held as Part of the 21st European Joint Conferences on Theory and Practice of Software (ETAPS)

作者： Sherman, Elena Dwyer, Matthew B. Boise State Univ Boise ID 83706 USA Univ Nebraska Lincoln NE 68588 USA

ISBN: (纸本)9783319899633;9783319899633

data flow analysis (DFA) is an important verification technique that computes the effect of data values propagating over program paths. While more precise than flow-insensitive analyses, such an analysis is time-consuming. This paper investigates the acceleration of DFA by structural decomposition of the underlying control flow graph. Specifically, we explore the cost and effectiveness of dividing program paths into subsets by partitioning path suffixes at conditional statements, applying a DFA on each subset, and then combining the resulting invariants. This yields a family of independent DFA problems that are solved in parallel and where the partial results of each problem represent safe program invariants. Empirical evaluations reveal that depending on the DFA type and its conditional implementation the invariants for a large fraction of program points can be computed in less time than traditional DFA. This work suggests a strategy for an "anytime DFA" algorithm: computing safe program invariants as the analysis proceeds.

关键词： data flow analysis

来源：评论

学校读者我要写书评

暂无评论

Exploring context-sensitive data flow analysis for early vulnerability detection

引用

JOURNAL OF SYSTEMS AND SOFTWARE 2016年 113卷 337-361页

作者： Sampaio, Luciano Garcia, Alessandro Pontif Catholic Univ Rio de Janeiro PUC Rio Rua Marques de Sao Vicente 225 BR-22453900 Rio De Janeiro Brazil

Secure programming is the practice of writing programs that are resistant to attacks by malicious people or programs. Programmers of secure software have to be continuously aware of security vulnerabilities when writing their program statements. In order to improve programmers' awareness, static analysis techniques have been devised to find vulnerabilities in the source code. However, most of these techniques are built to encourage vulnerability detection a posteriori, only when developers have already fully produced (and compiled) one or more modules of a program. Therefore, this approach, also known as late detection, does not support secure programming but rather encourages posterior security analysis. The lateness of vulnerability detection is also influenced by the high rate of false positives yielded by pattern matching, the underlying mechanism used by existing static analysis techniques. The goal of this paper is twofold. First, we propose to perform continuous detection of security vulnerabilities while the developer is editing each program statement, also known as early detection. Early detection can leverage his knowledge on the context of the code being created, contrary to late detection when developers struggle to recall and fix the intricacies of the vulnerable code they produced from hours to weeks ago. Second, we explore context-sensitive data flow analysis (DFA) for improving vulnerability detection and mitigate the limitations of pattern matching. DFA might be suitable for finding if an object has a vulnerable path. To this end, we have implemented a proof-of-concept Eclipse plugin for continuous DFA-based detection of vulnerabilities in Java programs. We also performed two empirical studies based on several industry-strength systems to evaluate if the code security can be improved through DFA and early vulnerability detection. Our studies confirmed that: (i) the use of context-sensitive DFA significantly reduces the rate of false positives when c

关键词： Early detection data flow analysis Secure programming

来源：评论

学校读者我要写书评

暂无评论

Vector data flow analysis for SIMD optimizations on OpenCL programs

引用

CONCURRENCY AND COMPUTATION-PRACTICE & EXPERIENCE 2016年第5期28卷 1629-1654页

作者： Lin, Yu-Te Lee, Jenq-Kuen Natl Tsing Hua Univ Dept Comp Sci Hsinchu 30013 Taiwan

Multi-core systems equipped with micro processing units and accelerators such as digital signal processors (DSPs) and graphics processing units (GPUs) have become a major trend in processor design in recent years in attempts to meet ever-increasing application performance requirements. Open Computing Language (OpenCL) is one of the programming languages that include new extensions proposed to exploit the computing power of these kinds of processors. Among the newly extended language features, the single-instruction multiple-data (SIMD) linguistics and vector types are added to OpenCL to exploit hardware features of the accelerators. The addition makes it necessary to consider how traditional compiler data flow analysis can be adopted to meet the optimization requirements of vector linguistics. In this paper, we propose a calculus framework to support the data flow analysis of vector constructs for OpenCL programs that compilers can use to perform SIMD optimizations. We model OpenCL vector operations as data access functions in the style of mathematical functions. We then show that the data flow analysis for OpenCL vector linguistics can be performed based on the data access functions. Based on the information gathered from data flow analysis, we illustrate a set of SIMD optimizations on OpenCL programs. The experimental results incorporating our calculus and our proposed compiler optimizations show that the proposed SIMD optimizations can provide average performance improvements of 22% on x86 CPUs and 4% on advanced micro devices GPUs. For the selected 15 benchmarks, 11 of them are improved on x86 CPUs, and six of them are improved on advanced micro devices GPUs. The proposed framework has the potential to be used to construct other SIMD optimizations on OpenCL programs. Copyright (c) 2015 John Wiley & Sons, Ltd.

关键词： OpenCL compilers SIMD optimizations GPU data access functions data flow analysis

来源：评论

学校读者我要写书评

暂无评论

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案：

请选择收藏分类：

通借通还

建议与咨询 留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案： 新增检索档案 确定 取消

请选择收藏分类： 新增自定义分类 确定 取消

通借通还

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

请选择保存的检索档案：

请选择收藏分类：