Prof. Dr. Eric Bodden

In a new publication for the Information Security Conference we describe how to securely offload computations from a private to a public cloud:

Abstract: A hybrid cloud combines a trusted private cloud with a public cloud owned by an untrusted cloud provider. This is problematic: When a hybrid cloud shifts computation from its private to its public part, it must trust the public part to execute the computation as intended. We show how public-cloud providers can use dynamic anomaly detection to increase their clients’ trust in outsourced computations. The client first defines the computation’s reference behavior by running an automated dynamic analysis in the private cloud. The cloud provider then generates an application profile when executing the outsourced computation for its client, persisted in tamper-proof storage. When in doubt, the client checks the profile against the recorded reference behavior. False positives are identified by re-executing the dubious computation in the trusted private cloud, and are used to re-fine the description of the reference behavior. The approach is fully automated. Using 3,000 harmless and 118 malicious inputs to different Java applications, we show that our approach is effective. In particular, different characterizations of behavior can yield anything from low numbers of false positives to low numbers of false negatives, effectively trading trustworthiness for computation cost in the private cloud.

Download the paper here.

Our TOPLAS paper has just appeared. Just 18 months turnaround time – given the 52 pages this was fast!

The calls for papers for the Industry Track and the Research Results track for AOSD 2013 are now online! Here are the important dates:

We have put together an exciting program together for this year’s WODA. Alex Orso will be giving an invited talk on In-house Debugging of Field Failures. Note that the early registration deadline is today!

Come see our presentation on RefaFlex at this year’s ISSTA…

We have made available a new Technical Report giving information about the current state of the art of our programming language for Join Point Interfaces:

In current aspect-oriented systems, aspects usually carry, through their pointcuts, explicit references to the base code. Those references are fragile and give up important software engineering properties such as modular reasoning and independent evolution of aspects and base code. In this work, we introduce a novel abstraction called Join Point Interfaces, which, by design, supports modular reasoning and independent evolution by decoupling aspects from base code and by providing a modular type-checking algorithm. Join point interfaces can be used both with implicit announcement through pointcuts, and with explicit announcement, using closure join points. Join point interfaces further offer polymorphic dispatch on join points, with an advice-dispatch semantics akin to multi-methods. In this work, we show how our proposal solves a large number of problems observed in previous related approaches. We have implemented join point interfaces as an open-source extension to AspectJ. A first study on existing aspect-oriented programs supports our initial design in general, but also highlights some limitations, which we then address by introducing parametric polymorphism and a more permissive quantification mechanism. As a result, join point interfaces are a safe and practical way of decoupling aspects.

Download the report here.

Soon to appear at ACM TOPLAS:

Finite-state properties account for an important class of program properties, typically related to the order of operations invoked on objects. Many library implementations therefore include manually-written finite-state monitors to detect violations of finite-state properties at runtime. Researchers have recently proposed the explicit specification of finite-state properties and automatic generation of monitors from the specification. However, runtime monitoring only shows the presence of violations, and typically cannot prove their absence. Moreover, inserting a runtime monitor into a program under test can slow down the program by several orders of magnitude.
In this work, we therefore present a set of four static whole-program analyses that partially evaluate runtime monitors at compile time, with increasing cost and precision. As we show, ahead-of-time evaluation can often evaluate the monitor completely statically. This may prove that the program cannot violate the property on any execution or may prove that violations do exist. In the remaining cases, the partial evaluation converts the runtime monitor into a residual monitor. This monitor only receives events from program locations that the analyses failed to prove irrelevant. This makes the residual monitor much more efficient than a full monitor, while still capturing all property violations at runtime.
We implemented the analyses in Clara, a novel framework for the partial evaluation of AspectJ-based runtime monitors, and validated our approach by applying Clara to finite-state properties over several large-scale Java programs. Clara proved that most of the programs never violate our example properties. Some programs required monitoring, but in those cases Clara could often reduce the monitoring overhead to below 10%. We observed that several programs did violate the stated properties.

Download a preprint here.

And here is our second paper to appear at SOAP… Hope to see you all at Beijing!

The IFDS and IDE frameworks by Reps, Horwitz and Sagiv are two general frameworks for the inter-procedural analysis of data-flow problems with distributive flow functions over finite domains. Many data-flow problems do have distributive flow functions and are thus expressible as IFDS or IDE problems, reaching from basic analyses like truly-live variables to complex analyses for problems from the current literature such as typestate and secure information-flow.
In this work we describe our implementation of a generic IFDS/IDE solver on top of Soot and contrast it with an IFDS implementation in the Watson Libraries for Analysis (WALA), both from a user’s perspective and in terms of the implementation. While WALA’s implementation is geared much towards memory efficiency, ours is currently geared more towards extensibility and ease of use and we focus on efficiency as a secondary goal.
We further discuss possible extensions to our IFDS/IDE implementation that may be useful to support a wider range of analyses.

Download the paper here.

Accepted for publication at SOAP:

Java Specification Request (JSR) 292, which was realized with Java 7, defines a new java bytecode called invokedynamic, which can be used to call methods by name, without determining statically where the implementation of the called method is to be found. This mechanism eases the implementation of highly dynamic languages for the Java Virtual Machine.

In this work we explain how we extended the Soot framework for static analysis and transformation of Java programs to properly handle invokedynamic bytecodes. Our implementation required changes on all levels of Soot, as all intermediate representations needed to be adapted appropriately. We comment on the design decisions taken and how users can use our implementation to statically process or generate invokedynamic instructions.

Our support has been integrated into Soot release 2.5.0 and is thus already available for everyone to use.

Download the paper here.

Andreas Thies and I have just had accepted a paper for publication at this year’s ISSTA. I have just put our camera-ready copy online. We describe an approach to ensuring the correctness of refactorings for Java programs that use reflection:

If programs access types and members through reflection, refactoring tools cannot guarantee that refactorings on those programs are behavior preserving. Refactoring approaches for highly reflective languages like Smalltalk therefore check behavior preservation using regression testing.