Improving dynamic analysis with data flow analysis

dc.contributor.advisor: Lin, Yun Calvin
dc.contributor.committeeMember: McKinley, Kathryn
dc.contributor.committeeMember: Browne, James C.
dc.contributor.committeeMember: Khurshid, Sarfraz
dc.contributor.committeeMember: Myers, Andrew
dc.creator: Chang, Walter Chochen
dc.date.accessioned: 2010-10-26T15:01:44Z
dc.date.available: 2010-10-26T15:01:44Z
dc.date.available: 2010-10-26T15:01:51Z
dc.date.issued: 2010-08
dc.date.submitted: August 2010
dc.date.updated: 2010-10-26T15:01:51Z
dc.description: text
dc.description.abstract: Many challenges in software quality can be tackled with dynamic analysis. However, these techniques are often limited in efficiency or scalability because they are applied uniformly to an entire program. In this thesis, we show that dynamic program analysis can be made significantly more efficient and scalable by first performing a static data flow analysis so that the dynamic analysis can be selectively applied only to important parts of the program. We apply this general principle to the design and implementation of two different systems, one for runtime security policy enforcement and the other for software test input generation.

For runtime security policy enforcement, we enforce user-defined policies using a dynamic data flow analysis that is more general and flexible than previous systems. Our system uses the user-defined policy to drive a static data flow analysis that identifies and instruments only the statements that may be involved in a security vulnerability, often eliminating the need to track most objects and greatly reducing the overhead. For taint analysis on a set of five server programs, the slowdown is only 0.65%, two orders of magnitude lower than previous taint tracking systems. Our system also has negligible overhead on file disclosure vulnerabilities, a problem that taint tracking cannot handle.

For software test case generation, we introduce the idea of targeted testing, which focuses testing effort on select parts of the program instead of treating all program paths equally. Our "Bullseye" system uses a static analysis performed with respect to user-defined "interesting points" to steer the search down certain paths, thereby finding bugs faster. We also introduce a compiler transformation that allows symbolic execution to automatically perform boundary condition testing, revealing bugs that could be missed even if the correct path is tested. For our set of 9 benchmarks, Bullseye finds bugs an average of 2.5x faster than a conventional depth-first search and finds numerous bugs that DFS could not. In addition, our automated boundary condition testing transformation allows both Bullseye and depth-first search to find numerous bugs that they could not find before, even when all paths were explored.
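The first system in the abstract, a policy-driven static data flow analysis that instruments only the statements that may take part in a violation, in miniature. This is an added example written for this page, not code from the thesis or its implementation: the three-address IR, the policy (read_input as the only source, exec as the only sink), the sample program and the input values "a", "b", "c" are all constructed here. The static phase is a forward may-taint fixpoint over the control-flow graph; the dynamic phase is an interpreter that updates a shadow taint bit per variable only at the selected statements and lets every other statement run bare.

```python
"""Selective taint tracking: a static may-taint analysis, driven by the policy,
picks the IR statements the dynamic tracker must instrument; the rest run bare."""
from typing import Dict, List, Set

# Toy three-address IR, constructed for this example (not the thesis' IR):
#   ("const", dst, value) | ("binop", dst, op, a, b)
#   ("call", dst_or_None, fn, args) | ("branch", cond, target)
SOURCES, SINKS = frozenset({"read_input"}), frozenset({"exec"})  # the policy

PROGRAM: List[tuple] = [  # hypothetical sample: a loop appends 3 inputs, then exec
    ("const", "n", 3),                     # 0
    ("const", "acc", ""),                  # 1
    ("call", "req", "read_input", ()),     # 2  source: req becomes tainted
    ("binop", "acc", "+", "acc", "req"),   # 3  taint flows into acc
    ("const", "one", 1),                   # 4
    ("binop", "n", "-", "n", "one"),       # 5  clean counter arithmetic
    ("branch", "n", 2),                    # 6  back edge: loop while n != 0
    ("const", "req", "fixed"),             # 7  overwrites tainted req (kill)
    ("call", None, "exec", ("req",)),      # 8  sink, statically proven clean
    ("call", None, "exec", ("acc",)),      # 9  sink that may receive taint
]
SAMPLE_INPUTS = ["a", "b", "c"]  # constructed return values for read_input()

def transfer(stmt: tuple, tainted: Set[str]) -> Set[str]:
    """Forward may-taint: dst is tainted iff it comes from a source or a tainted operand."""
    kind, dst = stmt[0], stmt[1]
    if kind == "branch" or dst is None:
        return tainted
    if kind == "binop":
        gen = stmt[3] in tainted or stmt[4] in tainted
    else:
        gen = kind == "call" and stmt[2] in SOURCES
    return (tainted - {dst}) | ({dst} if gen else set())

def may_taint(program: List[tuple]) -> List[Set[str]]:
    """IN[pc]: variables that may be tainted on entry to pc (worklist fixpoint)."""
    ins: List[Set[str]] = [set() for _ in program]
    work = list(range(len(program)))
    while work:
        pc = work.pop(0)
        out = transfer(program[pc], ins[pc])
        succ = [pc + 1] if pc + 1 < len(program) else []
        if program[pc][0] == "branch":
            succ.append(program[pc][2])
        for s in succ:
            if not out <= ins[s]:  # successor's IN grew: revisit it
                ins[s] |= out
                work.append(s)
    return ins

def select_instrumentation(program: List[tuple]) -> Set[int]:
    """Statements the tracker must observe: sources, propagation from or
    redefinition of a may-tainted variable, and sinks with may-tainted args."""
    chosen: Set[int] = set()
    for pc, (stmt, tainted) in enumerate(zip(program, may_taint(program))):
        kind, dst = stmt[0], stmt[1]
        if kind == "call":
            fn, args = stmt[2], stmt[3]
            if fn in SOURCES or (fn in SINKS and any(a in tainted for a in args)):
                chosen.add(pc)
        if kind == "binop" and (stmt[3] in tainted or stmt[4] in tainted):
            chosen.add(pc)
        if kind != "branch" and dst in tainted:  # must clear a stale shadow bit
            chosen.add(pc)
    return chosen

def run(program: List[tuple], instrumented: Set[int], inputs: List[str]):
    """Execute; shadow taint bits are touched only at instrumented statements.
    Returns [(pc, sink, argument)] for each policy violation observed."""
    env: Dict[str, object] = {}
    shadow: Dict[str, bool] = {}
    feed, violations, pc = iter(inputs), [], 0
    while pc < len(program):
        stmt, track = program[pc], pc in instrumented
        kind, dst, nxt, taint = stmt[0], stmt[1], pc + 1, False
        if kind == "const":
            env[dst] = stmt[2]
        elif kind == "binop":
            _, _, op, a, b = stmt
            env[dst] = env[a] + env[b] if op == "+" else env[a] - env[b]
            taint = shadow.get(a, False) or shadow.get(b, False)
        elif kind == "call":
            fn, args = stmt[2], stmt[3]
            if track and fn in SINKS:
                violations += [(pc, fn, a) for a in args if shadow.get(a, False)]
            if dst is not None:  # constructed inputs stand in for the real source
                env[dst] = next(feed) if fn in SOURCES else None
            taint = fn in SOURCES
        else:  # branch
            nxt = stmt[2] if env[dst] else nxt
        if track and kind != "branch" and dst is not None:
            shadow[dst] = taint
        pc = nxt
    return violations

if __name__ == "__main__":
    chosen = select_instrumentation(PROGRAM)
    print(f"instrumented {len(chosen)}/{len(PROGRAM)} statements: {sorted(chosen)}")
    print("violations:", run(PROGRAM, chosen, SAMPLE_INPUTS))
```

Only four of the ten statements are instrumented, yet the selective run reports the same violation as instrumenting every statement, and a run with no instrumentation misses it. The call exec(req) at pc 8 gets no runtime check at all, because the static analysis proves that req was overwritten with a constant on every path reaching it; that is the mechanism by which the thesis' approach avoids tracking most objects. The analysis is a may-analysis, so it over-approximates and never drops a statement that could carry tainted data at runtime.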
dc.description.department: Computer Science
dc.format.mimetype: application/pdf
dc.identifier.uri: http://hdl.handle.net/2152/ETD-UT-2010-08-1586
dc.language.iso: eng
dc.subject: Data flow
dc.subject: Software testing
dc.subject: Software security
dc.subject: Dynamic analysis
dc.subject: Static analysis
dc.subject: Test input generation
dc.title: Improving dynamic analysis with data flow analysis
dc.type.genre: thesis
thesis.degree.department: Computer Sciences
thesis.degree.discipline: Computer Sciences
thesis.degree.grantor: University of Texas at Austin
thesis.degree.level: Doctoral
thesis.degree.name: Doctor of Philosophy

Access full-text files

Original bundle
Name: CHANG-DISSERTATION.pdf
Size: 824.6 KB
Format: Adobe Portable Document Format

License bundle
Name: license.txt
Size: 2.12 KB
Format: Plain Text