Upcoming Talk: Jens Dietrich of Victoria University of Wellington (Te Herenga Waka) on Static Program Analysis Blind Spots

Symbolic picture for the article. The link opens the image in a large view.

We will host a talk on “Static Program Analysis Blind Spots” in FAU’s computer science colloquium. The talk is free and open to the public.

  • by: Jens Dietrich, Victoria University of Wellington (Te Herenga Waka)
  • about: Static Program Analysis Blind Spots
  • on: April 27th, 2023, 16:15-17:45 Uhr
  • on: Zoom (direct access, no registration necessary)
  • or: Vorstandszimmer Informatik
  • as part of: Dept. Informatik Kolloquium

Abstract: Static program analyses usually overapproximate program behaviour, i.e. they are sound but not precise, and research has traditionally focused on boosting precision and scalability. However, modern programming languages have dynamic features necessary to make them suitable to write generic programs that can adapt to context. In the case of Java, those features include reflection, dynamic code generation and class loading, dynamic proxies, deserialisation, the use of native code, and the infamous Unsafe utility. This makes static analyses also unsound, and the best we can hope for is to make analyses “soundy”, i.e. sound under additional assumptions about the program. We report on a study designed to measure “how unsound” a foundational program analysis – call graph construction – is, and what the major sources of unsoundness are. The idea is to use soundness oracles obtained from complementary dynamic analyses such as the instrumented execution of tests, or stacktraces obtained from bug reports. We will also briefly discuss some of our more recent work that illustrates the benefit of designing hybrid analyses combining static and dynamic techniques in two rather different areas: (1) null pointer analyses – the inference of Nullable annotations to support static checkers like infer eradicate and uber nullaway, and (2) a novel software composition analysis to detect vulnerabilities in Java artifacts often missed by standard vulnerability scanners such as dependabot, snyk and OWASP dependency check.

Speaker: Jens Dietrich is an Associate Professor at Victoria University of Wellington (Te Herenga Waka) in New Zealand since 2018. He has a MSc in Mathematics and a PhD in Computer Science, both from the University of Leipzig. Prior to his current position, he worked as Consultant in various roles in Germany, Switzerland, the UK and Namibia, and has held academic positions at Massey University in New Zealand. His research interests are mainly in automated program analyses, software ecosystems and software evolution.