Simple static analysis techniques for Java - Using latent meaning to find security bugs
Source code is rich with signs carrying meaning that is incomprehensible to a compiler, but important to the human programmer. For instance, a compiler does not understand that a variable named privateKey contains confidential data and therefore must be treated with extra care, or that an array populated by a cryptographically secure random number generator has properties that set it apart from other arrays. I present two static analyses that explicitly model such latent meaning, and use it to find bugs. Both analyses are simple; my aim is not to beat the precision of state-of-the-art techniques, but rather to argue that much can be done using simple techniques. To support this claim, I demonstrate the effectiveness of both analyses on test cases from a well-known test suite and a selection of other examples. Further, I argue that the analyses generalise to applications beyond those I investigate. I have implemented the analyses in a proof-of-concept tool, which I contribute as free and open source software.
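The abstract only sketches the first idea (a name such as privateKey signals confidential data that a compiler cannot see). The following is an added illustration of that idea, written for this page; it is not the thesis's tool nor its algorithm. It assumes a deliberately small model: identifiers whose names match a constructed list of sensitive patterns are treated as confidential, and any line where such an identifier appears inside a constructed list of output sinks (console printing, logger calls) is reported. The Java snippet it scans is constructed here as sample input.

```python
import re
from dataclasses import dataclass

# Constructed Java sample for this example (not from the thesis or its test suite).
JAVA_SAMPLE = """\
public class KeyStore {
    private byte[] privateKey = loadKey();
    public void dump(String user) {
        System.out.println("user=" + user);
        System.out.println("key=" + Arrays.toString(privateKey));
        logger.info("loaded key " + privateKey.length + " bytes");
    }
}
"""

# Assumed name patterns that carry "this is confidential" meaning for a human reader.
SENSITIVE_NAME_PATTERNS = [r"private_?key", r"secret", r"password", r"passwd", r"token"]

# Assumed sinks: places where data leaves the program in a way that may expose it.
SINK_RE = re.compile(
    r"System\.(?:out|err)\.print(?:ln)?"
    r"|logger\.(?:trace|debug|info|warn|error)"
)

# A Java identifier, and a minimal "Type name = ..." / "Type name;" declaration shape.
IDENT_RE = re.compile(r"\b([A-Za-z_$][\w$]*)\b")
DECL_RE = re.compile(r"\b(?:[A-Za-z_$][\w$<>\[\]]*)\s+([A-Za-z_$][\w$]*)\s*(?:=|;)")


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line number in the scanned source
    identifier: str  # the sensitively named identifier that reached the sink
    sink: str        # the sink expression text that was matched


def is_sensitive(name: str) -> bool:
    """True if the identifier's name signals confidential data (case-insensitive)."""
    lowered = name.lower()
    return any(re.search(p, lowered) for p in SENSITIVE_NAME_PATTERNS)


def collect_sensitive_identifiers(source: str) -> set:
    """Gather declared variable names whose spelling marks them as confidential."""
    return {m.group(1) for m in DECL_RE.finditer(source) if is_sensitive(m.group(1))}


def analyse(source: str) -> list:
    """Report every line where a sensitively named identifier appears in a sink call.

    This is a purely syntactic, line-local check: no data flow is tracked, so
    an expression like privateKey.length is flagged like the key itself.
    """
    sensitive = collect_sensitive_identifiers(source)
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        sinks = [m.group(0) for m in SINK_RE.finditer(line)]
        if not sinks:
            continue
        used = {ident for ident in IDENT_RE.findall(line) if ident in sensitive}
        for sink in sinks:
            for ident in sorted(used):
                findings.append(Finding(lineno, ident, sink))
    return findings


if __name__ == "__main__":
    for f in analyse(JAVA_SAMPLE):
        print(f"line {f.line}: {f.identifier} reaches {f.sink}")
```

Run against the constructed sample, the checker reports line 5 (the key itself is printed) and line 6 (only its length is logged). The second report is a false positive, and that is the point the abstract makes: a name-based analysis is cheap and catches the obvious leak, but without data-flow reasoning it cannot distinguish the secret from harmless properties of it.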