Wed 17 Jul 2019 18:00 - 19:30 at Mancy - Poster session

Static program analysis is known to yield many false positives, for example due to over-approximations (e.g., if a single array cell contains potentially malicious data, the entire array is considered dangerous). As analyses grow more complex with time, their set of internal rules becomes more intricate. To ensure that analysis tools perform well, dedicated developer teams typically configure them before they are deployed in a company. Such teams set up how analysis results are displayed (e.g., how to group warnings together, or which ones are more important than others), and edit the analysis rules to customize them for their codebases. With this poster, we explore how to assist developers when configuring a static analysis, in particular through the tasks of (1) understanding and (2) classifying warnings, and of finding (3) weak or (4) missing analysis rules. We argue that, to that end, explainability is a core notion: an analysis interprets the source code and builds its own understanding of how it works. Sometimes, this understanding may not match the developer's, which results in uncertainties, a wrong treatment of critical warnings, wrong tool configurations, or even tool abandonment. Traditional analysis tools typically improve warning explainability by post-processing warnings using information that is external to the analysis rules, such as the warning type (e.g., SQL injection) or its location in the code. In an effort to help developers understand the analysis' reasoning, we instead propose to make use of internal information: how the internal rules of an analysis handle the analyzed code. Focusing on data-flow analysis, one of the most complex types of static analysis used in practice, we introduce the concept of rule graphs, which characterize analysis warnings and expose information about the internal rules of data-flow analyses, and which we use to support our four configuration tasks.
In a user study with 22 participants using our IntelliJ plugin Mudarri, we observe that the use of rule graphs can significantly improve the understandability of an analysis warning. A complementary empirical evaluation on 986 Android applications shows that, in combination with machine learning, rule graphs can be used to classify analysis warnings (e.g., we are able to differentiate true from false positives in Android with a precision of 0.712 and recall of 0.733), and to discover weak analysis rules such as array over-approximations. The empirical evaluation also shows that similarities between rule graphs can help developers discover missing analysis rules that can cause false positives.

Poster and abstract (poster.pdf), 1.61 MiB

ecoop-2019-Posters
18:00 - 19:30: Posters - Poster session at Mancy

Poster: Linghui Luo, Paderborn University; Julian Dolby, IBM Research; Eric Bodden, Heinz Nixdorf Institut, Paderborn University and Fraunhofer IEM
Poster: Alexander Asp Bock, IT University of Copenhagen
Poster: Willem Penninckx, KU Leuven; Amin Timany, imec-Distrinet KU-Leuven; Bart Jacobs, KU Leuven
Poster: Suvam Mukherjee, Indian Institute of Science; Nitin John Raj, International Institute of Information Technology, Hyderabad; Krishnan Govindraj, Microsoft Research; Pantazis Deligiannis, Microsoft Research; Chandramouleswaran Ravichandran, Microsoft Azure; Akash Lal, Microsoft Research India; Aseem Rastogi, Microsoft Research; Raja Krishnaswamy, Microsoft Azure
Poster: Luca Franceschini, DIBRIS, University of Genova, Italy
Poster: Manas Thakur, IIT Madras; V Krishna Nandivada, IIT Madras
Poster: Yossi Gil, Technion—Israel Institute of Technology; Ori Roth, Technion
Poster: Juan Fumero, University of Manchester, UK; Michail Papadimitriou, University of Manchester, UK; Christos Kotselidis, University of Manchester, UK
Poster: Thodoris Sotiropoulos, Athens University of Economics and Business; Benjamin Livshits, Imperial College London, UK
Poster: Tetsuo Kamina, Oita University; Tomoyuki Aotani, Tokyo Institute of Technology
Poster: Kang Hong Jin, School of Information Systems, Singapore Management University; Ferdian Thung; Julia Lawall, Inria/LIP6; Gilles Muller, LIP6-INRIA/UPMC; Lingxiao Jiang, Singapore Management University; David Lo, Singapore Management University
Poster: Philipp Dominik Schubert, Heinz Nixdorf Institut, Paderborn University
Poster: Abhishek Tiwari, University of Potsdam; Sascha Groß, University of Potsdam; Christian Hammer, University of Potsdam
Poster: Daniel Pelsmaeker, Delft University of Technology, Netherlands; Hendrik van Antwerpen, TU Delft; Eelco Visser, Delft University of Technology
Poster: Matthias Eichholz; Eric Campbell, Cornell University; Nate Foster, Cornell University; Guido Salvaneschi, TU Darmstadt; Mira Mezini, TU Darmstadt, Germany
Poster: Lisa Nguyen Quang Do, Paderborn University; Eric Bodden, Heinz Nixdorf Institut, Paderborn University and Fraunhofer IEM
Poster: Dhruv Makwana, Unaffiliated; Neel Krishnaswami, Computer Laboratory, University of Cambridge
Poster: Jonas De Bleser, Software Languages Lab, Vrije Universiteit Brussel; Coen De Roover, Vrije Universiteit Brussel
Poster: Xiaoli Liang, IBM Canada; Daryl Maier, IBM Canada
Poster: Jafar Hamin, imec-DistriNet, Department of Computer Science, KU Leuven, Belgium; Bart Jacobs, Radboud University Nijmegen
Poster: Alex Villazón, Universidad Privada Boliviana, Bolivia; Haiyang Sun, Università della Svizzera italiana; Andrea Rosà, University of Lugano, Switzerland; Eduardo Rosales, University of Lugano, Switzerland; Daniele Bonetta, Oracle Labs; Isabella Defilippis, Universidad Privada Boliviana (UPB); Sergio Oporto, Universidad Privada Boliviana (UPB); Walter Binder, University of Lugano, Switzerland
Poster: Noah Van Es, Software Languages Lab, Vrije Universiteit Brussel; Quentin Stiévenart, Vrije Universiteit Brussel, Belgium; Coen De Roover, Vrije Universiteit Brussel
Poster: Amir Shaikhha, University of Oxford; Lionel Parreaux, EPFL
Poster: Carmen Torres Lopez, Vrije Universiteit Brussel; Robbert Gurdeep Singh, Universiteit Gent, Belgium; Stefan Marr, University of Kent; Elisa Gonzalez Boix, Vrije Universiteit Brussel, Belgium; Christophe Scholliers, Universiteit Gent, Belgium
Poster: Shawn Meier, University of Colorado, Boulder; Sergio Mover, Ecole Polytechnique; Bor-Yuh Evan Chang, University of Colorado Boulder
Poster: Pascal Weisenburger, Technische Universität Darmstadt; Guido Salvaneschi, TU Darmstadt
Poster: Andrew Craik, IBM Canada; Rahil Shah, IBM Canada; Ben Thomas, IBM Canada; Devin Papineau, IBM Canada
Poster: Felix Pauck, Paderborn University, Germany
Poster: Matthias Springer, Tokyo Institute of Technology; Hidehiko Masuhara, Tokyo Institute of Technology
Poster: Kiko Fernandez-Reyes, Uppsala University; Dave Clarke, Uppsala Univ. Sweden and KU Leuven; Ludovic Henrio, CNRS; Einar Broch Johnsen, University of Oslo; Tobias Wrigstad, Uppsala University
Poster: George Fourtounis, University of Athens; Yannis Smaragdakis, University of Athens