Simple static analysis techniques for Java - Using latent meaning to find security bugs

Abstract

Source code is rich with signs carrying meaning that is incomprehensible to a compiler, but important to the human programmer. For instance, a compiler does not understand that a variable named privateKey contains confidential data and therefore must be treated with extra care, or that an array populated by a cryptographically secure random number generator has properties that set it apart from other arrays. I present two static analyses that explicitly model such latent meaning, and use it to find bugs. Both analyses are simple; my aim is not to beat the precision of state-of-the-art techniques, but rather to argue that much can be done using simple techniques. To support this claim, I demonstrate the effectiveness of both analyses on test cases from a well-known test suite and a selection of other examples. Further, I argue that the analyses generalise to applications beyond those I investigate. I have implemented the analyses in a proof-of-concept tool, which I contribute as free and open source software.