Patents by Inventor Behnaz Hassanshahi

Behnaz Hassanshahi has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240054232
    Abstract: A method includes receiving multiple security framework requirements, mapping the security framework requirements to a predicate, mapping the predicate to a system-specific implementation, evaluating, using a runtime system, the target system by analyzing a multitude of build files using the system-specific implementation, and presenting a report indicating whether the security framework requirements are satisfied.
    Type: Application
    Filed: August 15, 2022
    Publication date: February 15, 2024
    Applicant: Oracle International Corporation
    Inventors: Trong Nhan Mai, Behnaz Hassanshahi, Padmanabhan Krishnan
  • Patent number: 11755744
    Abstract: A method may include identifying, by executing an application, an entry point corresponding to a Universal Resource Locator (URL) path, extracting, from the application, an entry point declaration corresponding to the entry point, determining, by performing a static analysis starting at the entry point declaration, that a parameter is accessible by the application, and inferring, by the static analysis, a type of the parameter by analyzing usage of the parameter by the application.
    Type: Grant
    Filed: November 7, 2019
    Date of Patent: September 12, 2023
    Assignee: Oracle International Corporation
    Inventors: Francois Gauthier, Behnaz Hassanshahi, Max Marius Schlüter
  • Patent number: 11250139
    Abstract: A method may include sending, to an entry point of an instrumented web application, a first request including a first value of a parameter. The first value may correspond to a first vulnerability category. The method may further include receiving, from the instrumented web application, first taint analysis results, determining that the first taint analysis results include a sink function corresponding to a second vulnerability category, and sending, to the entry point, a second request including a second value of the parameter. The second value may correspond to the second vulnerability category. The method may further include receiving, from the instrumented web application and in response to sending the second request, second taint analysis results including the sink function, and detecting, in the instrumented web application and using the second taint analysis results, a vulnerability corresponding to the sink function and the second vulnerability category.
    Type: Grant
    Filed: April 27, 2020
    Date of Patent: February 15, 2022
    Assignee: Oracle International Corporation
    Inventors: François Gauthier, Behnaz Hassanshahi, Benjamin Selwyn-Smith
  • Patent number: 11163876
    Abstract: A method may include generating a callgraph by performing a static analysis of code that includes event handlers, and selecting, using the callgraph, a state of the code, selecting, using the callgraph, an event enabled in the selected state. The event corresponds to an event handler. The method may further include obtaining an input, obtaining a next state by executing the event handler with the obtained input in the selected state, in response to executing the event handler, generating an input modification rule using the obtained input, and generating, using the input modification rule and the obtained input, a modified input that bypasses a guard in the code that controls access to the point of interest.
    Type: Grant
    Filed: January 29, 2019
    Date of Patent: November 2, 2021
    Assignee: Oracle International Corporation
    Inventors: Behnaz Hassanshahi, Hyunjun Lee
  • Publication number: 20210334385
    Abstract: A method may include sending, to an entry point of an instrumented web application, a first request including a first value of a parameter. The first value may correspond to a first vulnerability category. The method may further include receiving, from the instrumented web application, first taint analysis results, determining that the first taint analysis results include a sink function corresponding to a second vulnerability category, and sending, to the entry point, a second request including a second value of the parameter. The second value may correspond to the second vulnerability category. The method may further include receiving, from the instrumented web application and in response to sending the second request, second taint analysis results including the sink function, and detecting, in the instrumented web application and using the second taint analysis results, a vulnerability corresponding to the sink function and the second vulnerability category.
    Type: Application
    Filed: April 27, 2020
    Publication date: October 28, 2021
    Applicant: Oracle International Corporation
    Inventors: François Gauthier, Behnaz Hassanshahi, Benjamin Selwyn-Smith
  • Publication number: 20210141904
    Abstract: A method may include identifying, by executing an application, an entry point corresponding to a Universal Resource Locator (URL) path, extracting, from the application, an entry point declaration corresponding to the entry point, determining, by performing a static analysis starting at the entry point declaration, that a parameter is accessible by the application, and inferring, by the static analysis, a type of the parameter by analyzing usage of the parameter by the application.
    Type: Application
    Filed: November 7, 2019
    Publication date: May 13, 2021
    Inventors: Francois Gauthier, Behnaz Hassanshahi, Max Marius Schlüter
  • Patent number: 10915639
    Abstract: A method may include obtaining, from a runtime system that executes code, a source value at a source point of the code and a sink value at a sink point of the code, identifying a potential taint flow from the source point to the sink point by performing a series of taint inferences that each infer a relationship between the source value and the sink value, and determining whether the potential taint flow is an actual taint flow by performing a series of taint checks that each analyze the execution of the code using the source value and the sink value.
    Type: Grant
    Filed: August 8, 2018
    Date of Patent: February 9, 2021
    Assignee: Oracle International Corporation
    Inventors: Behnaz Hassanshahi, Hyunjun Lee, Alexander Jordan, Francois Gauthier
  • Patent number: 10783245
    Abstract: A method may include obtaining a list of to-be-analyzed modules of an application. The list of to-be-analyzed modules may include a first module including a statement. The method may further include generating initial results by performing an initial iteration of a static analysis that analyzes each module in the list of to-be-analyzed modules, determining, by the initial iteration, that the statement is a function call to a second module not in the list of to-be-analyzed modules, in response to the determination, assigning, by the initial iteration, an abstract value to a memory address associated with the statement, adding, to the abstract value, a tag including a name of the second module, updating, using the tag and the initial results, the list of to-be-analyzed modules, and generating next results by performing a next iteration of the static analysis that analyzes each module in the updated list of to-be-analyzed modules.
    Type: Grant
    Filed: November 30, 2018
    Date of Patent: September 22, 2020
    Assignee: Oracle International Corporation
    Inventors: Behnaz Hassanshahi, Benjamin Barslev Nielsen
  • Publication number: 20200242244
    Abstract: A method may include generating a callgraph by performing a static analysis of code that includes event handlers, and selecting, using the callgraph, a state of the code, selecting, using the callgraph, an event enabled in the selected state. The event corresponds to an event handler. The method may further include obtaining an input, obtaining a next state by executing the event handler with the obtained input in the selected state, in response to executing the event handler, generating an input modification rule using the obtained input, and generating, using the input modification rule and the obtained input, a modified input that bypasses a guard in the code that controls access to the point of interest.
    Type: Application
    Filed: January 29, 2019
    Publication date: July 30, 2020
    Applicant: Oracle International Corporation
    Inventors: Behnaz Hassanshahi, Hyunjun Lee
  • Publication number: 20200175163
    Abstract: A method may include obtaining a list of to-be-analyzed modules of an application. The list of to-be-analyzed modules may include a first module including a statement. The method may further include generating initial results by performing an initial iteration of a static analysis that analyzes each module in the list of to-be-analyzed modules, determining, by the initial iteration, that the statement is a function call to a second module not in the list of to-be-analyzed modules, in response to the determination, assigning, by the initial iteration, an abstract value to a memory address associated with the statement, adding, to the abstract value, a tag including a name of the second module, updating, using the tag and the initial results, the list of to-be-analyzed modules, and generating next results by performing a next iteration of the static analysis that analyzes each module in the updated list of to-be-analyzed modules.
    Type: Application
    Filed: November 30, 2018
    Publication date: June 4, 2020
    Applicant: Oracle International Corporation
    Inventors: Behnaz Hassanshahi, Benjamin Barslev Nielsen
  • Publication number: 20190311131
    Abstract: A method may include obtaining, from a runtime system that executes code, a source value at a source point of the code and a sink value at a sink point of the code, identifying a potential taint flow from the source point to the sink point by performing a series of taint inferences that each infer a relationship between the source value and the sink value, and determining whether the potential taint flow is an actual taint flow by performing a series of taint checks that each analyze the execution of the code using the source value and the sink value.
    Type: Application
    Filed: August 8, 2018
    Publication date: October 10, 2019
    Applicant: Oracle International Corporation
    Inventors: Behnaz Hassanshahi, Hyunjun Lee, Alexander Jordan, Francois Gauthier
  • Patent number: 10318257
    Abstract: A method for points-to program analysis includes extracting a kernel from a program, performing a fixed object-sensitive points-to analysis of the kernel to obtain fixed analysis results, and assigning, for a first candidate object in the kernel, a first context depth to the first candidate object. The candidate objects are identified using the fixed analysis results. The method further includes assigning, for a second candidate object, a second context depth to the second candidate object. The second context depth is different than the first context depth. The method further includes performing, to obtain selective analysis results, a selective object-sensitive points-to analysis using the first context depth for the first candidate object and the second context depth for the second candidate object, and performing an action based on the selective analysis results.
    Type: Grant
    Filed: May 20, 2016
    Date of Patent: June 11, 2019
    Assignee: Oracle International Corporation
    Inventors: Behnaz Hassanshahi, Raghavendra Kagalavadi Ramesh, Padmanabhan Krishnan, Bernhard F. Scholz, Yi Lu
  • Publication number: 20170337118
    Abstract: A method for points-to program analysis includes extracting a kernel from a program, performing a fixed object-sensitive points-to analysis of the kernel to obtain fixed analysis results, and assigning, for a first candidate object in the kernel, a first context depth to the first candidate object. The candidate objects are identified using the fixed analysis results. The method further includes assigning, for a second candidate object, a second context depth to the second candidate object. The second context depth is different than the first context depth. The method further includes performing, to obtain selective analysis results, a selective object-sensitive points-to analysis using the first context depth for the first candidate object and the second context depth for the second candidate object, and performing an action based on the selective analysis results.
    Type: Application
    Filed: May 20, 2016
    Publication date: November 23, 2017
    Inventors: Behnaz Hassanshahi, Raghavendra Kagalavadi Ramesh, Padmanabhan Krishnan, Bernhard F. Scholz, Yi Lu