static analysis of java dynamic proxies
play

Static Analysis of Java Dynamic Proxies George Fourtounis - PowerPoint PPT Presentation

Aug 28, 2023 •172 likes •403 views

Static Analysis of Java Dynamic Proxies George Fourtounis (gfour@di.uoa.gr) George Kastrinis (gkastrinis@di.uoa.gr) Yannis Smaragdakis (yannis@smaragd.org) University of Athens, Greece ISSTA18, July 17, 2018, Amsterdam, Netherlands Dynamic

  1. Static Analysis of Java Dynamic Proxies George Fourtounis (gfour@di.uoa.gr) George Kastrinis (gkastrinis@di.uoa.gr) Yannis Smaragdakis (yannis@smaragd.org) University of Athens, Greece ISSTA’18, July 17, 2018, Amsterdam, Netherlands

  2. Dynamic proxies in Java ● GoF, “Proxy” design pattern: “ P r o v i d e a s u r r o g a t e o r p l a c e h o l d e r f o r a n o t h e r o b j e c t t o c o n t r o l a c c e s s t o i t . ” ● Proxy objects can be pregenerated at compile- time or dynamically generated at runtime (more fmexibility) ● Java 1.3 introduced an API to generate dynamic proxies 2 Static analysis of Java dynamic proxies

  3. Java dynamic proxies API ● “Give me some interfaces and method dispatch logic and I'll dynamically generate a class that implements all such interfaces” ● Method dispatch logic = the “invocation handler”, essentially an interpreter that refmectively handles all attempted method calls ● API + invocation handler = implemented API ● Using dynamic code generation/loading 3 Static analysis of Java dynamic proxies

  4. Example class A implements I { Object getField() ... float mult(float x, float y) ... } interface I { Object getField(); float mult(float x, float y); } 4 Static analysis of Java dynamic proxies

  5. Example class A implements I { Object getField() ... class AHandler implements InvocationHandler { float mult(float x, float y) ... private A a; } public AHandler(A a) { this.a = a; } public Object invoke(Object proxy, Method method, Object[] args) { if (method.getName().equals("getField")) return new B(); else if (method.getName().equals("mult") { interface I { float x = ((Float)args[0]).floatValue(); Object getField(); float y = ((Float)args[1]).floatValue(); float mult(float x, float y); return a.mult(x, y); } } else return null; }} 5 Static analysis of Java dynamic proxies

  6. Example class A implements I { Object getField() ... class AHandler implements InvocationHandler { float mult(float x, float y) ... private A a; } public AHandler(A a) { this.a = a; } public Object invoke(Object proxy, Method method, Object[] args) { if (method.getName().equals("getField")) return new B(); else if (method.getName().equals("mult") { interface I { float x = ((Float)args[0]).floatValue(); Object getField(); float y = ((Float)args[1]).floatValue(); float mult(float x, float y); return a.mult(x, y); } } else return null; handler = new AHandler(new A()); }} proxy = newProxyInstance({I.class}, handler); 6 Static analysis of Java dynamic proxies

  7. Points-to static analysis What values does “proxy” point to? I proxy = newProxyInstance(interfaces, handler); Problems: – newProxyInstance() is a black box: dynamic code generation means no statically-available classes – generated class depends on interfaces and handler, which are runtime values 7 Static analysis of Java dynamic proxies

  8. Dynamic proxies are a problem In a recent survey of 461 open-source Java projects, Landman et al. fjnd that 21% of them use dynamic proxies ● “very harmful for static analysis” ● “avoid the use of dynamic proxies at any cost” ● “no clear solution seems to be on the horizon” Davy Landman, Alexander Serebrenik, and Jurgen J. Vinju. C h a l l e n g e s f o r S t a t i c . ICSE 2017. A n a l y s i s o f J a v a R e fl e c t i o n - L i t e r a t u r e R e v i e w a n d E m p i r i c a l S t u d y 8 Static analysis of Java dynamic proxies

  9. We have a solution! ● Don't analyze the body of newProxyInstance() , model instead the Proxy API semantics ● To model the API we need: – a points-to analysis – good support for Java refmection – exception analysis 9 Static analysis of Java dynamic proxies

  10. Our solution ● Doop, a static analysis framework for Java – analyses written in Datalog – already provides a points-to analysis (with several context-sensitivity fmavors), a refmection analysis (with substring analysis), and an exception analysis ● Add rules to model dynamic proxies – mutually recursive: the new rules use existing analyses but also inform them 10 Static analysis of Java dynamic proxies

  11. A core rule (informally) handler = new AHandler(new A()) proxy = newProxyInstance({I.class}, handler) If: ● an instruction i calls newProxyInstance(), ● the interfaces argument points to an array that contains the Class for interface t_i, ● the handler argument points to a value obj_handler, and ● the instruction returns a value in v_ret, then v_ret points to an object that proxies t_i using obj_handler 11 Static analysis of Java dynamic proxies

  12. A core rule (in Doop) VarPointsTo(v_ret , obj_proxy), ProxyObjectHandler(obj_proxy, obj_handler) ← Call(i, "Proxy.newProxyInstance"), ActualArg(i, 1, arg_ifaces), VarPointsTo(arg_ifaces, obj_ifaces), ArrayContentsPointTo(obj_ifaces , Class_i), ReifiedType(t_i , Class_i), ActualArg(i, 2, arg_handler), VarPointsTo(arg_handler, obj_handler), AssignRetValue(i, v_ret), ReifiedProxyInstance(t_i, i, obj_proxy). 12 Static analysis of Java dynamic proxies

  13. A core rule (in Doop) VarPointsTo(v_ret , obj_proxy), ProxyObjectHandler(obj_proxy, obj_handler) ← Call(i, "Proxy.newProxyInstance"), ActualArg(i, 1, arg_ifaces), VarPointsTo(arg_ifaces, obj_ifaces), ArrayContentsPointTo(obj_ifaces , Class_i), ReifiedType(t_i , Class_i), ActualArg(i, 2, arg_handler), VarPointsTo(arg_handler, obj_handler), AssignRetValue(i, v_ret), ReifiedProxyInstance(t_i, i, obj_proxy). 13 Static analysis of Java dynamic proxies

  14. A core rule (in Doop) VarPointsTo(v_ret , obj_proxy), ProxyObjectHandler(obj_proxy, obj_handler) ← Call(i, "Proxy.newProxyInstance"), ActualArg(i, 1, arg_ifaces), VarPointsTo(arg_ifaces, obj_ifaces), ArrayContentsPointTo(obj_ifaces , Class_i), ReifiedType(t_i , Class_i), ActualArg(i, 2, arg_handler), VarPointsTo(arg_handler, obj_handler), AssignRetValue(i, v_ret), ReifiedProxyInstance(t_i, i, obj_proxy). 14 Static analysis of Java dynamic proxies

  15. A core rule (in Doop) VarPointsTo(v_ret , obj_proxy), ProxyObjectHandler(obj_proxy, obj_handler) ← Call(i, "Proxy.newProxyInstance"), ActualArg(i, 1, arg_ifaces), VarPointsTo(arg_ifaces, obj_ifaces), ArrayContentsPointTo(obj_ifaces , Class_i), ReifiedType(t_i , Class_i), ActualArg(i, 2, arg_handler), VarPointsTo(arg_handler, obj_handler), AssignRetValue(i, v_ret), ReifiedProxyInstance(t_i, i, obj_proxy). 15 Static analysis of Java dynamic proxies

  16. A core rule (in Doop) VarPointsTo(v_ret , obj_proxy), ProxyObjectHandler(obj_proxy, obj_handler) ← Call(i, "Proxy.newProxyInstance"), ActualArg(i, 1, arg_ifaces), VarPointsTo(arg_ifaces, obj_ifaces), ArrayContentsPointTo(obj_ifaces , Class_i), ReifiedType(t_i , Class_i), ActualArg(i, 2, arg_handler), VarPointsTo(arg_handler, obj_handler), AssignRetValue(i, v_ret), ReifiedProxyInstance(t_i, i, obj_proxy). 16 Static analysis of Java dynamic proxies

  17. A core rule (in Doop) VarPointsTo(v_ret , obj_proxy), ProxyObjectHandler(obj_proxy, obj_handler) ← Call(i, "Proxy.newProxyInstance"), ActualArg(i, 1, arg_ifaces), VarPointsTo(arg_ifaces, obj_ifaces), ArrayContentsPointTo(obj_ifaces , Class_i), ReifiedType(t_i , Class_i), ActualArg(i, 2, arg_handler), VarPointsTo(arg_handler, obj_handler), AssignRetValue(i, v_ret), ReifiedProxyInstance(t_i, i, obj_proxy). 17 Static analysis of Java dynamic proxies

  18. Looks simple! ● If you already have all the other analyses ● And interfacing with them is easy ● Mutual recursion ( VarPointsTo in last slide) ● In total, 29 Datalog rules (also taking care of corner cases, such as argument boxing, special java.lang.Object methods, proxy spec exceptions) 18 Static analysis of Java dynamic proxies

  19. Evaluation 1: XCorpus XCorpus, a suite of Java programs containing: – binaries ready for static analysis – entry points with good code coverage – report about calls to newProxyInstance() Taking the XCorpus report as ground truth, does our analysis resolve calls to proxies? J. Dietrich, H. Schole, L. Sui, E. Tempero. X C o r p u s – A n e x e c u t a b l e C o r p u s o f J a v a . jot.fm vol 16, no. 4. P r o g r a m s 19 Static analysis of Java dynamic proxies

  20. Evaluation 1: XCorpus Def- vs. Opt-refmective: full refmection vs. naive refmection support for scalability ● Both miss the same benchmark ( squirrel ) due to lack of coverage by the ● XCorpus entry points 20 Static analysis of Java dynamic proxies

  21. Evaluation 2: okhttp/guice ● Ground truth from manual inspection ● OkHttp, a popular HTTP library – OpenJDK/Android portability with dynamic proxies – we analyze okhttp-mockwebserver (its test server) ● Google Guice, dependency injection (DI) framework – we analyze guice-jndi (standalone test JNDI client) – many call-graph edges, as in XCorpus picocontainer (another DI library) 21 Static analysis of Java dynamic proxies

  22. Conclusion ● Dynamic proxies are no longer a source of unsoundness in static analysis! ● We can analyze code with proxies using limited support of refmection ● Writing analyses in mutual-recursive style is easy 22 Static analysis of Java dynamic proxies

  23. Thank you! 23 Static analysis of Java dynamic proxies

Recommend

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Static and dynamic verification Static and dynamic V&V Software inspections Concerned

Static and dynamic verification Static and dynamic V&V Software inspections Concerned

1 2 Static and dynamic verification Static and dynamic V&V Software inspections Concerned with analysis of the static system Static representation to discover problems (static verification verification) May be supplement by

107 views • 6 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
1 Static Equilibrium From Static Eq. to Dynamic Eq. System of mass points Static

1 Static Equilibrium From Static Eq. to Dynamic Eq. System of mass points Static

Static/ Dynamic Deformation I ntroduction to Static deformation Dynamic deformation Static/ Dynamic Deformation with Mass-Spring Systems undeformed shape f internal + = f inertia = 0 f external Min Gyu Choi deformed

426 views • 4 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
PYTHON VS. JAVA: DYNAMIC VS. STATIC In Python, typing is determined dynamically, at runtime In

PYTHON VS. JAVA: DYNAMIC VS. STATIC In Python, typing is determined dynamically, at runtime In

PYTHON VS. JAVA: DYNAMIC VS. STATIC In Python, typing is determined dynamically, at runtime In Java, typing is determined statically, at compile-time: This means every variable must be rst declared with a particular type, and you're not

197 views • 6 slides
Static and dynamic analysis: synergy and duality Michael Ernst MIT Computer Science &

Static and dynamic analysis: synergy and duality Michael Ernst MIT Computer Science &

Static and dynamic analysis: synergy and duality Michael Ernst MIT Computer Science & Artificial Intelligence Lab http://pag.csail.mit.edu/~mernst/ PASTE June 7, 2004 Michael Ernst, page 1 Goals Theme: Static and dynamic analyses

451 views • 34 slides
Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2

Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2

Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2 Frank Uijtewaal Collab: DongIT (dongit.nl) Initial project goal Find a new and interesting type of security analysis for web applications

480 views • 35 slides
EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last lecture. . . More Points-to Analysis Memory Errors 2 / 44 Challenges to Static Analysis Static analysis is far from solved Very active

574 views • 42 slides
Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow

Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow

Fundamentals of (Static ic and Dynamic ic) ) Software Verif ific icatio ion Control-flow Analysis Data-flow Analysis Static VS Dynamic Analysis Software Testing Control Con ol Flow ow Gr Graph entry S1 Procedure AVG S1 count =

1.08k views • 104 slides
Type Systems: Big Idea Static vs. Dynamic Typing Expressiveness (+ Dynamic) Dont have

Type Systems: Big Idea Static vs. Dynamic Typing Expressiveness (+ Dynamic) Dont have

Type Systems: Big Idea Static vs. Dynamic Typing Expressiveness (+ Dynamic) Dont have to worry about types (+ Dynamic) Dependent on input (- Dynamic) Runtime overhead (- Dynamic) Serve as documentation (+ Static)

572 views • 24 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot & CNRS VTSA 2015 1 / 99 Static Analysis Establish

2.15k views • 186 slides
Static Analysis of XML Transformations in Java Christian Kirkegaard, Anders Mller*, and Michael

Static Analysis of XML Transformations in Java Christian Kirkegaard, Anders Mller*, and Michael

IEEE TRANSACTIONS ON SOFTWARE ENGINEERING 1 Static Analysis of XML Transformations in Java Christian Kirkegaard, Anders Mller*, and Michael I. Schwartzbach parts and, for example, transform the results into other XML Abstract XML documents

325 views • 16 slides
Program Analysis Extracting static and dynamic information from a software system Program

Program Analysis Extracting static and dynamic information from a software system Program

Program Analysis Extracting static and dynamic information from a software system Program Analysis Extracting information, in order to present abstractions of, or answer questions about, a software system Static Analysis: Examines the

754 views • 32 slides
Static (Software) Analysis Dagstuhl 16172: Machine Learning for Dynamic Software Analysis Reiner

Static (Software) Analysis Dagstuhl 16172: Machine Learning for Dynamic Software Analysis Reiner

Static (Software) Analysis Dagstuhl 16172: Machine Learning for Dynamic Software Analysis Reiner Hhnle Software Engineering Group Department of Computer Science Technische Universitt Darmstadt http://www.se.tu-darmstadt.de/

239 views • 23 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of

ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of

ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of Nijmegen; Eastman Kodak Company Erik Poll - JML p.1/17 ESC/Java Extended static checker by Rustan Leino et.al. [Compaq]. tries to prove

334 views • 22 slides
Analysis of Overhead in Dynamic Java Performance Monitoring Vojtch Hork, Jaroslav Kotr,

Analysis of Overhead in Dynamic Java Performance Monitoring Vojtch Hork, Jaroslav Kotr,

Analysis of Overhead in Dynamic Java Performance Monitoring Vojtch Hork, Jaroslav Kotr, Peter Libi and Petr Tma Charles University in Prague Context: Dynamic Monitoring of Production Systems Dynamic Monitoring of Production Systems

999 views • 61 slides
Software Model Checking Software Model Checking via Static and Dynamic via Static and Dynamic

Software Model Checking Software Model Checking via Static and Dynamic via Static and Dynamic

Software Model Checking Software Model Checking via Static and Dynamic via Static and Dynamic Program Analysis Program Analysis Patrice Godefroid Godefroid Patrice Bell Laboratories, Lucent Technologies Bell Laboratories, Lucent

1.05k views • 56 slides
Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at rest Dynamic: Operates at runtime Also hybrids of the two Static: Examples Code review Grep Taint analysis Symbolic

726 views • 49 slides
Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations

Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations

Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations cs6363 1 The Nature of static analysis --- approximation Static program analysis --- predict the dynamic behavior of programs without running

368 views • 19 slides
CS653 Static and Dynamic Program Analysis Instructor: Michelle Strout mstrout@cs.colostate.edu

CS653 Static and Dynamic Program Analysis Instructor: Michelle Strout mstrout@cs.colostate.edu

CS653 Static and Dynamic Program Analysis Instructor: Michelle Strout mstrout@cs.colostate.edu USC 227 Office hours: 3-4 Tuesday, 2-3 Thursday URL: http://www.cs.colostate.edu/~cs653 These notes are loosely based on Amer Diwans CSCI 7135

299 views • 8 slides
Numerical static analysis with Soot Gianluca Amato Universit` a G. dAnnunzio di

Numerical static analysis with Soot Gianluca Amato Universit` a G. dAnnunzio di

Numerical static analysis with Soot Gianluca Amato Universit` a G. dAnnunzio di ChietiPescara ACM SIGPLAN International Workshop on the State Of the Art in Java Program Analysis SOAP 2013 (joint work with Francesca Scozzari and

859 views • 62 slides

More recommend