This dissertation introduces novel techniques for verifying that programs conform to their designs. My Hob system, as described in this dissertation, allows developers to statically ensure that implementations preserve certain specified properties. Hob verifies heap-based properties that can express important aspects of a program's design.
This paper addresses the problem of resolving virtual method and interface calls in Java bytecode. The main focus is on a new practical technique that can be used to analyze large applications. Our fundamental design goal was to develop a technique that can be solved with only one iteration, and thus scales linearly with the size of the program, while at the same time providing more accurate results than two popular existing linear techniques, class hierarchy analysis and rapid type analysis.
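The two baseline techniques named in the abstract differ only in which runtime classes they admit for a receiver. The following is an added example, not code from the page or from the Soot project, and it does not implement the paper's own one-iteration technique: it models a toy class hierarchy and program (both constructed here) and resolves a virtual call with class hierarchy analysis (CHA), which admits every subtype of the static receiver type, and with rapid type analysis (RTA), which further restricts targets to classes the reachable program actually allocates. Call-graph precision matters to a security reviewer because every spurious edge is a false lead when tracing, for instance, which `draw` implementations untrusted input can reach.

```python
# Added example, not code from the page or from the Soot project: a toy model
# of virtual-call resolution that contrasts class hierarchy analysis (CHA)
# with rapid type analysis (RTA). The hierarchy and program are constructed.

# class name -> (superclass or None, set of methods the class itself declares)
HIERARCHY = {
    "Object":        (None,     {"toString"}),
    "Shape":         ("Object", {"draw"}),
    "Circle":        ("Shape",  {"draw"}),
    "Square":        ("Shape",  {"draw"}),
    "RoundedSquare": ("Square", set()),        # inherits Square.draw
    "Widget":        ("Object", {"draw"}),     # declares draw but is not a Shape
}

# method -> statements; ("new", C) allocates C, ("call", T, m) is a virtual
# call of m on a receiver whose static type is T
PROGRAM = {
    "Main.main":       [("new", "Circle"), ("new", "RoundedSquare"),
                        ("call", "Shape", "draw")],
    "Shape.draw":      [],
    "Circle.draw":     [("call", "Object", "toString")],
    "Square.draw":     [],
    "Widget.draw":     [("new", "Square")],
    "Object.toString": [],
}


def subtypes(cls):
    """Reflexive, transitive set of classes at or below cls."""
    result = {cls}
    while True:
        more = {n for n, (sup, _) in HIERARCHY.items() if sup in result} - result
        if not more:
            return result
        result |= more


def dispatch(cls, method):
    """Resolve method on runtime class cls as the JVM would: walk up the chain."""
    start = cls
    while cls is not None:
        sup, declared = HIERARCHY[cls]
        if method in declared:
            return f"{cls}.{method}"
        cls = sup
    raise LookupError(f"{method} not found on or above {start}")


def cha_targets(static_type, method):
    """CHA: any subtype of the static receiver type may be the runtime type."""
    return {dispatch(c, method) for c in subtypes(static_type)}


def rta_targets(static_type, method, instantiated):
    """RTA: like CHA, but only subtypes the program actually allocates."""
    return {dispatch(c, method) for c in subtypes(static_type) if c in instantiated}


def build_call_graph(entry, use_rta):
    """Return (reachable methods, call edges) from entry using CHA or RTA.

    RTA is a fixpoint: the instantiated-class set only grows as more methods
    become reachable, so call targets are re-resolved until nothing changes.
    """
    reachable, instantiated, edges = {entry}, set(), {}
    while True:
        before = (len(reachable), len(instantiated))
        for m in list(reachable):
            for stmt in PROGRAM[m]:
                if stmt[0] == "new":
                    instantiated.add(stmt[1])
                else:
                    _, static_type, method = stmt
                    targets = (rta_targets(static_type, method, instantiated)
                               if use_rta else cha_targets(static_type, method))
                    edges[(m, static_type, method)] = targets
                    reachable |= targets
        if (len(reachable), len(instantiated)) == before:
            return reachable, edges


if __name__ == "__main__":
    for use_rta in (False, True):
        reach, edges = build_call_graph("Main.main", use_rta)
        print("RTA" if use_rta else "CHA", sorted(reach),
              sorted(edges[("Main.main", "Shape", "draw")]))
```

With this program CHA reports `Shape.draw`, `Circle.draw` and `Square.draw` as targets of the call in `Main.main`, while RTA drops `Shape.draw` because no `Shape` is ever allocated; `Widget.draw` is excluded by both, since `Widget` is not a subtype of the receiver's static type. Both analyses remain linear in the program size because neither tracks which allocation reaches which call site; that is the precision the abstract's technique aims to recover without a full points-to analysis.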
Perfect pre-deployment test coverage is notoriously difficult to achieve for large applications. With enough end users, many more test cases will be encountered during an application's deployment than during testing. The use of runtime verification after deployment would enable developers to detect and report on unexpected situations. Unfortunately, the prohibitive performance cost of runtime monitors prevents their use in deployed code.
We present a new role system in which the type (or role) of each object depends on its referencing relationships with other objects, with the role changing as these relationships change. Roles capture important object and data structure properties and provide useful information about how the actions of the program interact with these properties.
We present an analysis to verify abstract set specifications for programs that use object field values to determine the membership of objects in abstract sets. In our approach, each module may encapsulate several data structures and use membership in abstract sets to characterize how objects participate in its data structures. Each module's specification uses set algebra formulas to characterize the effects of its operations on the abstract sets.
We propose a novel approach for granting partial access on arbitrary objects at the granularity of methods to remote clients. The applications that we target use Remote Method Invocation (RMI). We automatically build custom proxy objects, and give them to untrusted clients in place of the originals. Proxy objects expose a subset of methods to prevent potentially dangerous calls from clients. We present semantics of our system, an implementation, and its evaluation.
We present a new type system and associated type checker, analysis, and model extraction algorithms for automatically extracting models that capture aspects of a program's design. Our type system enables the developer to place a token on each object; this token serves as the object's representative during the analysis and model extraction.
This tool demonstration presents Hob, a system for verifying data structure consistency for programs written in a general-purpose programming language. Our tool enables the focused application of multiple communicating static analyses to different modules in the same program. Using our tool throughout the program development process, we have successfully identified several bugs in both specifications and implementations of programs.
Runtime monitoring allows programmers to validate, for instance, the proper use of application interfaces. Given a property specification, a runtime monitor tracks appropriate runtime events to detect violations and possibly execute recovery code. Although powerful, runtime monitoring inspects only one program run at a time and so may require many program runs to find errors.
Hob is a program analysis system that enables the focused application of multiple analyses to different modules in the same program. In our approach, each module encapsulates one or more data structures and uses membership in abstract sets to characterize how objects participate in data structures.
We present a static analysis which identifies disjointness relations between collections in Java. We have implemented our analysis as a primarily intraprocedural dataflow analysis framework using Soot. We handle method calls using developer-provided annotations, with some inference support. We include experimental results from our disjointness analysis on a pair of benchmarks.
This paper presents Soot, a framework for optimizing Java bytecode. The framework is implemented in Java and supports three intermediate representations for representing Java bytecode: Baf, a streamlined representation of bytecode which is simple to manipulate; Jimple, a typed 3-address intermediate representation suitable for optimization; and Grimp, an aggregated version of Jimple suitable for decompilation.
Researchers have developed a number of runtime verification tools that generate runtime monitors in the form of AspectJ aspects. In this work, we present Clara, a novel framework to statically optimize such monitoring aspects with respect to a given program under test. Clara uses a sequence of increasingly precise static analyses to automatically convert a monitoring aspect into a residual runtime monitor. The residual monitor only watches events triggered by program locations that the analyses failed to prove safe at compile time.
Java programmers write applications and applets in plain English-like text, and then apply a Java compiler to the text to obtain class files. Class files, which are typically transmitted across the web, are a low-level representation of the original text; they are not human-readable. Consider a compiler as a function from text to class files. My goal is to compute the inverse function: given the compiled class file, I wish to find the best approximation to the original text possible. This is called decompilation.
Pointer analyses enable many subsequent program analyses and transformations, since they enable compilers to statically disambiguate references to the heap. Extra precision enables pointer analysis clients to draw stronger conclusions about programs. Flow-sensitive pointer analyses are typically quite precise. Unfortunately, flow-sensitive pointer analyses are also often too expensive to run on whole programs.
Soot, a Tool for Analyzing and Transforming Java Bytecode. Laurie Hendren, Patrick Lam, Jennifer Lhoták, Ondrej Lhoták and Feng Qian, McGill University. Special thanks to John Jorgensen and Navindra Umanee for help in preparing Soot 2.0 and this tutorial. Soot development has been supported, in part, by research grants from NSERC, FCAR and IBM. http://www.sable.mcgill.ca/soot/
Runtime monitoring enables developers to specify code that executes whenever certain sequences of events occur during program execution. Tracematches, a Java language extension, permit developers to specify and execute runtime monitors. Tracematches consist of regular expressions over events, where each event may specify free variables that are bound to run-time objects. Naive implementations of runtime monitoring are expensive and can cause prohibitive slowdowns.
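The runtime-monitoring abstracts above (validating proper use of an interface, and tracematches binding free variables to run-time objects) describe the same mechanism from two angles. The following is an added example, not code from the page or from the tracematch implementation: a small monitor in the spirit of a tracematch, restricted to patterns that are plain sequences of symbols rather than full regular expressions. Each event binds one free variable to a run-time object, undeclared symbols are filtered out of the trace as in tracematches, and a match fires whenever some suffix of the per-object filtered trace equals the pattern. The `Resource` class, the symbol names and the trace are constructed for illustration; the bound objects are held through weak references so the monitor does not keep them alive, which is one of the costs a naive implementation pays.

```python
# Added example, not code from the page or from the tracematch implementation:
# a sequence-pattern runtime monitor with per-object variable binding.
# Resource, the symbols and the trace below are constructed for illustration.
import weakref


class SequenceMonitor:
    """Monitor a trace for the pattern `sym1 sym2 ... symN` over one bound variable.

    Events are (symbol, object). Only declared symbols are considered; other
    events are filtered out. A match fires whenever some suffix of the filtered
    per-object trace equals the pattern, so for each bound object the monitor
    keeps the set of pattern positions reached by partial matches.
    """

    def __init__(self, symbols, pattern, body):
        self.symbols = frozenset(symbols)
        self.pattern = tuple(pattern)
        if not set(self.pattern) <= self.symbols:
            raise ValueError("pattern uses an undeclared symbol")
        self.body = body
        # bound object -> set of matched positions; weak keys so the monitor
        # never keeps a bound object alive
        self.partial = weakref.WeakKeyDictionary()

    def event(self, symbol, obj):
        if symbol not in self.symbols:
            return                      # undeclared symbol: not in the filtered trace
        positions = self.partial.get(obj, set()) | {0}   # a match may start here
        advanced = {p + 1 for p in positions if self.pattern[p] == symbol}
        if len(self.pattern) in advanced:
            advanced.discard(len(self.pattern))
            self.body(obj)              # run the tracematch body for this binding
        self.partial[obj] = advanced


class Resource:
    """Constructed stand-in for a handle that must not be used after close."""

    def __init__(self, name):
        self.name = name


def run_demo():
    """Feed a constructed trace through a 'close then use' monitor; return violators."""
    violations = []
    mon = SequenceMonitor(
        symbols=("open", "close", "use"),
        pattern=("close", "use"),
        body=lambda r: violations.append(r.name),
    )
    a, b = Resource("a"), Resource("b")
    trace = [
        ("open", a), ("use", a), ("close", a),
        ("open", b), ("use", b),
        ("use", a),                      # a used after close: violation
        ("close", b), ("open", b), ("use", b),   # b reopened first: no violation
        ("log", a),                      # undeclared symbol, ignored
    ]
    for sym, obj in trace:
        mon.event(sym, obj)
    return violations


if __name__ == "__main__":
    print(run_demo())
```

Declaring `open` as a symbol even though the pattern never mentions it is what keeps `b` out of the violation list: if `open` were left undeclared, the reopen would be filtered away and the remaining `close use` suffix would match. This is the same reason a typestate property for an API must name every transition, not only the forbidden one.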
Sets of objects are an intuitive foundation for many object-oriented design formalisms, serving as a key concept for describing elements of the design and promoting communication between members of the development team. It may be natural for the sets of the objects in the design to correspond to the sets of objects in the implementation. In practice, however, the object structure of the implementation is much more complex than that of the design.
We describe an approach for combining theorem proving techniques with static analysis to analyze data structure consistency for programs that manipulate heterogeneous data structures. Our system uses interactive theorem proving and shape analysis to verify that data structure implementations conform to set interfaces. A simpler static analysis then uses the verified set interfaces to verify properties that characterize how shared objects participate in multiple data structures.
We propose a new approach for applying Role-Based Access Control (RBAC) to methods in objects in the Java programming language. In our approach, a policy implementer (usually a developer) annotates methods, interfaces, and classes with roles. Our system automatically creates proxy objects which only contain methods to which a client is authorized access based on the role specifications. Potentially untrusted clients that use Remote Method Invocation (RMI) then receive proxy objects rather than the originals.
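Both RMI abstracts above (the partial-access proxies and the RBAC-annotated methods) rest on the same idea: the client never receives the original object, only a proxy that carries the permitted methods and nothing else. The following is an added example, not code from the page or from the authors' system, sketching that construction in Python rather than Java: a `roles` decorator stands in for the page's role annotations, `RoleProxy` copies onto itself only the methods the client's role is authorised for, and unannotated methods are never exported. The `Account` class, its roles and the policy are constructed for illustration.

```python
# Added example, not code from the page or from the authors' system: a proxy
# that carries only the methods a client's role may call. The Account class,
# the role names and the policy are constructed for illustration.
import inspect
from functools import wraps


def roles(*allowed):
    """Stand-in for the page's role annotations: record which roles may call."""
    def mark(fn):
        fn.__roles__ = frozenset(allowed)
        return fn
    return mark


class Account:
    def __init__(self, owner, balance):
        self.owner = owner
        self.balance = balance

    @roles("teller", "auditor")
    def get_balance(self):
        return self.balance

    @roles("teller")
    def deposit(self, amount):
        if amount <= 0:
            raise ValueError("deposit must be positive")
        self.balance += amount
        return self.balance

    @roles("manager")
    def close(self):
        self.balance = 0
        return "closed"

    def _rebalance_internal(self):      # no annotation: exported to no role
        return "internal"


class RoleProxy:
    """Proxy exposing only the target's methods annotated with `role`.

    The unauthorised methods are absent from the proxy rather than guarded by
    a check, so a client holding only the proxy has no name to call. Across a
    process boundary, as with RMI, that is all the client has; in-process a
    caller could still dig the target out of the forwarding closures, so this
    is a model of the scheme, not an in-process sandbox.
    """

    def __init__(self, target, role):
        self._exported = set()
        for name, member in inspect.getmembers(type(target), inspect.isfunction):
            if role in getattr(member, "__roles__", frozenset()):
                setattr(self, name, self._forward(target, member))
                self._exported.add(name)

    @staticmethod
    def _forward(target, member):
        @wraps(member)
        def call(*args, **kwargs):
            return member(target, *args, **kwargs)
        return call

    def exported_methods(self):
        return frozenset(self._exported)


def make_proxy(target, role):
    """Build the proxy a client in `role` would receive instead of `target`."""
    return RoleProxy(target, role)


if __name__ == "__main__":
    acct = Account("alice", 100)
    for role in ("auditor", "teller", "manager", "guest"):
        print(role, sorted(make_proxy(acct, role).exported_methods()))
```

A client in the `guest` role receives a proxy with no methods at all, and no role, not even `manager`, can reach `_rebalance_internal`, because export is driven solely by the annotations and not by method visibility. The check a practitioner should add on top of this is that the server never hands out the original object through any other path (return values, callbacks, serialized fields), since the proxy only protects what it replaces.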
Papers by Patrick Lam