Finding Application Errors and Security Flaws

Using PQL: a Program Query Language

Michael Martin Benjamin Livshits Monica S. Lam
Computer Science Department
Stanford University
{mcmartin,livshits,lam}@cs.stanford.edu
ABSTRACT
A number of effective error detection tools have been built in recent
years to check if a program conforms to certain design rules. An
important class of design rules deals with sequences of events asso-
ciated with a set of related objects. This paper presents a language
called PQL (Program Query Language) that allows programmers
to express such questions easily in an application-specic context.
A query looks like a code excerpt corresponding to the shortest
amount of code that would violate a design rule. Details of the tar-
get applications precise implementation are abstracted away. The
programmer may also specify actions to perform when a match is
found, such as recording relevant information or even correcting an
erroneous execution on the y.
We have developed both static and dynamic techniques to nd
solutions to PQL queries. Our static analyzer nds all potential
matches conservatively using a context-sensitive, ow-insensitive,
inclusion-based pointer alias analysis. Static results are also use-
ful in reducing the number of instrumentation points for dynamic
analysis. Our dynamic analyzer instruments the source program to
catch all violations precisely as the program runs and to optionally
perform user-specied actions.
We have implemented the techniques described in this paper and
found 206 errors in 6 large real-world open-source Java applica-
tions containing a total of nearly 60,000 classes. These errors are
important security aws, resource leaks, and violations of consis-
tency invariants. The combination of static and dynamic analysis
proves effective at addressing a wide range of debugging and pro-
gram comprehension queries. We have found that dynamic analysis
is especially suitable for preventing errors such as security vulner-
abilities at runtime.
Categories and Subject Descriptors
D.2.5 [Software Engineering]: Testing and DebuggingTracing
This work was supported in part by the National Science Founda-
tion under Grant No. 0326227.
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for prot or commercial advantage and that copies
bear this notice and the full citation on the rst page. To copy otherwise, to
republish, to post on servers or to redistribute to lists, requires prior specic
permission and/or a fee.
OOPSLA05, October 1620, 2005, San Diego, California, USA.
Copyright 2005 ACM 1-59593-031-0/05/0010 ...$5.00.
General Terms
Languages, Security, Reliability
Keywords
program traces, pattern matching, web applications, SQL injection,
resource leaks, bug nding
1. INTRODUCTION
Advanced program analysis has been applied fruitfully to nd
large numbers of errors in software [10, 18, 20, 46, 54]. Program
checkers are carefully crafted by experts and, as such, are targeted
at nding patterns common to many application programs. In fact,
these same techniques can also be used effectively to nd error pat-
terns that are specic to individual applications. To exploit the full
potential of this approach, we need to make it easy for application
developers to create their own custom checkers.
This paper presents Program Query Language (PQL), a lan-
guage that allows developers to express a large class of application-
specic code patterns. The system automatically generates from
the query a pair of complementary checkers: a static checker that
nds all potential matches in an application and a dynamic checker
that traps all matches precisely as they occur, and can initiate user-
specied logging or recovery actions upon a match. We have de-
veloped a prototype based on these ideas for Java, and used it to
nd and repair numerous security and resource management errors
in large open-source applications.
1.1 A Simple Example
PQL focuses on the important class of error patterns that deal
with sequences of events associated with a set of related objects.
For example, for security reasons, a password received from the
user should never be written out to disk without encryption. Such
patterns are hard to express using conventional techniques like pro-
gram assertions. The objects of interest may be stored in or passed
between local variables, passed as parameters, or even passed
through generic collections. The sequence of events may be scat-
tered throughout many different methods and guarded by various
predicates. PQL can express these kinds of patterns as the sim-
plest prototypical code that exhibits the sequence of events of in-
terest. The PQL system automatically nds all the matches in a
program that have the equivalent behavior by abstracting away ir-
relevant control ow and disregarding how objects are named in the
code.
As an example, let us consider SQL injection vulnerabilities [5,
27], ranked as one of the top ve external threats to corporate IT
systems [52]. Applications that use user-controlled input strings
directly as database query commands are susceptible to SQL in-
jections. Consider the following code fragment in a Java servlet
hosting a Web service:
con.execute(request.getParameter("query"));
This code reads a parameter from an HTTP request and passes it
directly to a database backend. By supplying an appropriate query,
a malicious user can gain access to unauthorized data, damage the
contents in the database, and in some cases, even execute arbitrary
code on the server.
To catch this kind of vulnerability in applications, we wish to ask
generally if there exist some
object r of type HttpServletRequest,
object c of type Connection, and
object p of type String
in the code such that the result of invoking getParameter on r
yields string p, and that string p is eventually used as a parame-
ter to the invocation of execute on c. We can replace the call to
execute with a custom routine Util.CheckedSQL that validates
the query to ensure that it matches a permissible action. If the
query is deemed invalid, the request is not made. Note that the
two events in the application need not happen consecutively; the
string p can be passed around as a parameter or stored on the heap
before it is eventually used. We can express such a query in PQL
as shown in Figure 1. The input to r.getParameter is immaterial,
and is represented by the dont care symbol _. Once the rst
call has been made, no additional matching is required except for
trapping the nal substitution. Note that SQL injections are more
subtle in general and require more sophisticated patterns. The full
SQL injection problem is discussed in Section 5.3.
Given an input pattern, the PQL system automatically produces
a sound static checker that nds all its potential matches in a
program. This checker uses a state-of-the-art context-sensitive
inclusion-based points-to analysis [59]. The results are ow-
insensitive with respect to the query; that is, for the query in Fig-
ure 1, the static checker would report all cases where the rst argu-
ment of a call to execute is found to point to an object returned
by some call to getParameter. The static checker does not ensure
that the calls occur in the same order. This, combined with the in-
trinsic undecidability of statically matching a query for all possible
runs, means that static results will generally have false positives.
Note that, unlike many currently available static techniques, our
static checkers are sound and will not produce false negatives; any
possible match will be reported.
Dynamic checkers, on the other hand, can only nd matches that
actually occur at runtime, but are precise and permit online recov-
ery actions to be triggered. When used as a dynamic tool, PQL
creates an instrumented version of the input program that reports a
runtime match if and only if there are object instances that match
the query. For the query in Example 1, PQL will instrument the
code to remember all object instances returned by getParameter
and check them against the parameters supplied to execute rou-
query simpleSQLInjection()
uses
object HttpServletRequest r;
object Connection c;
object String p;
matches { p = r.getParameter(_); }
replaces c.execute(p)
with Util.CheckedSQL(c, p);
Figure 1: Simple SQL injection query.
tines. Should a match occur, it will intercept the call to execute
and run the Util.CheckSQL routine instead.
Because the static results are sound and so have no false nega-
tives, any point that the static analysis decides is irrelevant cannot
possibly contribute to a match. The dynamic matcher is thus free
to ignore it. PQL combines the two analyses by using the results of
the static analysis to remove unnecessary instrumentation. In this
example, only those getParameter and execute calls returned as
potential matches by the static analysis need to be instrumented.
1.2 Contributions
PQL permits easy specication of a large class of patterns re-
lated to sequences of events on objects. A developer who needs
to mine information from a program run can use it to produce tar-
geted instrumentation. One who has just discovered a bug that he
suspects also lurks elsewhere in the code can use it to quickly create
a checker that will search for similar problems. To this end, PQL
contributes the following:
Static checkers that leverage powerful analyses. An important
result of this work is that we have placed sophisticated program
analyses in the hands of developers. The developers can express
simple queries and static checkers that use context-sensitive pointer
alias analysis are automatically generated for them. Our analysis is
sound, and as such its answer is guaranteed to include all points
that may be relevant to the query. This allows its results to be used
to optimize the dynamic matcher.
Optimized dynamic instrumentation. PQL automatically gen-
erates a specialized matcher for a query and weaves instrumenta-
tion into the target application to perform the match at runtime.
These matchers differ from previous techniques in two ways. First,
PQL transcends traditional syntax-based approaches by matching
against the history of events witnessed by object instances. Sec-
ond, the higher-level semantics of PQL make possible the use of
static analysis to reduce the overhead of dynamic checking. Our
system combines the dynamic matcher with sound static systems
to produce its checkers.
Dynamic error recovery. PQL queries may specify functions to
execute as a match is found, optionally replacing the last event with
a user-specied function. This functionality can be used to recover
from error conditions or to defend against attempts to breach appli-
cation security.
Experimental evaluation of our approach. All the techniques in
this paper have been implemented in a prototype system that works
on Java programs. We have written tens of queries in the course of
developing the tool and as part of our ongoing work. To explicitly
test its ability to nd bugs in large programs, we applied the tech-
nique to 6 large real-life applications with nearly 60,000 classes
combined and found 206 errors. We found several security vulner-
abilities and object persistence errors in Web applications that can
permit database corruption or denial of service attacks. We also
found resource management errors that eventually lead to memory
exhaustion. The queries to nd these errors were derived by reading
descriptions of the error patterns and APIs of Java libraries, and by
exploring the application code using PQL. The runtime overhead in
these experiments ranged from 9% to 125% in the most heavily in-
strumented case. In the situations where overhead was the greatest,
static analysis was applicable and removed between 82% to 99% of
the instrumentation, and cut the overhead below 40%, and often be-
low 3%. We also performed tests against standard benchmarks and
found that in the extreme where nearly every event in signicant,
slowdown peaks at approximately 19 times.
Our experimental result suggests that the language covers an im-
portant class of program error patterns. Even though we were not
familiar with the benchmarks, we were able to nd errors in this
large code base with relatively little effort.
1.3 Paper Organization
The rest of the paper is organized as follows. Section 2 gives
an overview of the PQL language. Sections 3 and 4 describe our
dynamic and static checkers, respectively. Section 5 provides a de-
tailed experimental evaluation of our analysis approaches, while
Section 6 discusses applications of our analyses in more general
terms. Finally, Section 7 describes related work and Section 8 con-
cludes.
2. PQL LANGUAGE OVERVIEW
The focus of PQL is to track method invocations and accesses
of elds and array elements in related objects. To keep the lan-
guage simple, PQL currently does not allow references to variables
of primitive data types such as integers, oats and characters, nor
primitive operations such as additions and multiplications. This is
acceptable for object-oriented languages like Java because small
methods are used to encapsulate most meaningful groups of primi-
tive operations. The ability to match against primitive objects may
be added to PQL as an extension in the future.
Conceptually, we model the dynamic program execution as a
sequence of primitive events, in which the checkers nd all sub-
sequences that match the specied pattern. We rst describe the
abstract execution trace, then dene the patterns describing subse-
quences of the trace.
2.1 Abstract Execution Traces
We abstract the program execution as a trace of primitive events,
each of which contains a unique event ID, an event type, and a list
of attributes. Objects are named by unique identiers. PQL focuses
on objects, and so it only matches against instructions that directly
dereference objects. We also need to be able to detect the end of
the program in order to match queries that demand that some other
event never occur. As a result, all but the following eight event
types are abstracted away:
Field loads and stores. The attributes of these event types are
the source object, target object, and the eld name.
Array loads and stores. The attributes of these event types
are the source and target objects. The array index is ignored.
Method calls and returns. The attributes of these event types
are the method invoked, the formal objects passed in as ar-
guments and the returned object. The return event parameter
includes the ID of its corresponding call event.
Object creations. The attributes of this event type are the
newly returned object and its class.
End of program. This event type has no attributes and occurs
just before the Java Virtual Machine terminates.
Example 1. Abstract execution trace.
We illustrate the concept of an abstract execution trace with the
code below:
1 int len = names.length;
2 for (int i = 0; i < len; i++) {
3 String s = request.getParameter(names[i]);
4 con.execute(s);
5 }
The code above runs through the array names; for each element, it
reads in a parameter from the HTTP request and executes it. Fig-
ure 2 shows an abstract execution trace for the code in the case
where the names array has two elements. Each event in the trace
is listed with its ID, the ID of the caller in the case of a return, and
Event Caller Call/ Event
ID ID Return
1 o2 = o1[ ]
2 call o4 = o3.getParameter(o2)
3 2 return o4 = o3.getParameter(o2)
4 call o5.execute(o4)
5 4 return o5.execute(o4)
6 o6 = o1[ ]
7 call o7 = o3.getParameter(o6)
8 7 return o7 = o3.getParameter(o6)
9 call o5.execute(o7)
10 9 return o5.execute(o7)
11 call o5.execute(o8)
12 11 return o5.execute(o8)
Figure 2: Abstract execution trace for Example 1.
information on the event type and its attributes. In this execution,
names is bound to object o1; o2 and o6 are elements of array o1
(the precise index is abstracted away); request is bound to object
o3, s is bound to object o4 and o7 in the rst and second iteration,
respectively.
This execution yields two matches to the simpleSQLInjection
query in Figure 1. The rst match is satised with r = o3, c = o5,
p = o4, and the second is satised with p matched to o7, and the
same values for r and c. 2
2.2 PQL Queries
A PQL query is a pattern to be matched on the execution trace
and actions to be performed upon the match. A match to the query
is a set of objects and a subsequence of the trace that together sat-
isfy the pattern.
The grammar of a PQL query is shown in Figure 3. The query
execution pattern is specied with a set of primitive events con-
nected by a number of constructs including sequencing, partial se-
quencing, and alternation. Named subqueries can be used to dene
recursive patterns. Primitive events are described using a Java-like
syntax for readability. A query may declare typed variables, which
will be matched against any values of that type and any of its sub-
types. The use of the same query variable in multiple events indi-
cates that the same object is used in all of the events.
Section 2.2.1 discusses variables in the context of a query, Sec-
tion 2.2.2 outlines how statements are dened and combined, Sec-
tion 2.2.3 describes PQLs subquery mechanism, and Section 2.2.4
discusses the options PQL provides for reacting to a match.
2.2.1 Query Variables
Query variables correspond to objects in the program that are
relevant to a match. They are declared inside of subqueries and are
local to the query they are declared in.
The most common variables represent objects, and represent in-
dividual objects on the heap, Object variables have a class name
that restricts the kind of object instances that they can match. If
that name is prexed with a !, then the object must not be castable
to that type. If the same object variable appears multiple times in a
query, it must be matched to the same object instance. The contents
of the object need not be the same for multiple matches.
queries query*
query query qid ( [decl [, decl]*] )
[returns declList ; ]
[uses declList ; ]
[within methodInvoc )]
[matches { seqStmt }]
[replaces primStmt with methodInvoc ;]*
[executes methodInvoc [, methodInvoc]* ;]*
methodInvoc methodName(idList)
decl object [!] typeName id |
member namePattern id
declList object [!] typeName id ( , id )*|
member namePattern id ( , id )*
stmt primStmt | primStmt |
unifyStmt | { seqStmt }
primStmt eldAccess = id |
id = eldAccess |
id [ ] = id |
id = id [ ] |
id = methodName ( idList ) |
id = new typeName ( idList )
seqStmt ( poStmt ; )*
poStmt altStmt ( , altStmt )*
altStmt stmt ( "|" stmt )*
unifyStmt id := id
( [idList] ) := qid ( idList )
typeName id ( . id )*
idList [ id ( , id )* ]
eldAccess id . id
methodName typeName . id
id,qid [A-Za-z ][0-9A-Za-z_ ]*
namePattern [A-Za-z*_ ][0-9A-Za-z*_ ]*
Figure 3: BNF grammar specication for PQL.
There are also member variables, which represent the name of
a eld or a method. Member variables are declared with textual
pattern that the member name must match. A pattern of will
match any method name. If a member variable occurs multiple
times in a pattern, it must represent the same eld or method name
in each event.
For convenience, we introduce a wildcard symbol _ whose
different occurrences can be matched to different member names
or objects. However, values matched to wildcard symbols cannot
be examined or returned.
Query variables are either arguments (passed in from some other
query that has invoked it), return values (acted upon by the querys
action, or returned to an invoking query, or both), or internal vari-
ables (used inside the query to nd a match, but otherwise isolated
from the rest of the system).
2.2.2 Statements
Most primitive statements in our query language correspond di-
rectly to the event types of the abstract execution trace. Method
invocations are the exception to this; they match all events between
a call to the method and its matching return event. References to
objects in a primitive statement must be declared object query vari-
ables, or the special variable _, which is a wildcard placeholder
for any object not relevant to the query. References to members
may be literals or declared member query variables. A eld or
method in an event need not be declared in the type associated with
its base variable; in such cases, a match can only occur if a subclass
denes it.
Primitive statements may be combined into compound state-
ments, as shown in the grammar. A sequence a; b species that
a is followed by b. Ordinarily, this means any events may occur
between them as wellthe primary focus is on individual objects,
so sequences are, by default, not contiguous. An event may be for-
bidden from occurring at a point in the match by prexing it with
the exclusion operator . Thus, the sequence a; b; c matches
a followed by c if and only if b does not occur between them. Wild-
cards are permissible, so excluding all possible events can force a
sequence to be contiguous in the trace if desired.
The alternation operator is used when we wish to match any of
several events (or compound statements): if a and b are statements,
then a|b is the statement matching either a or b.
To match multiple statements independently of one another, we
use partial-order statements, which separate the statements to be
matched with commas. The statement a, b, c; would match the
three statements a, b, and c in any order. If a clause in a partial-
order statement is a sequence itself, then sequencing within that
clause is enforced as normal.
Of the three combination operators, alternation has the highest
precedence, then partial-order, and lastly sequencing. Braces may
be used to enforce the desired precedence.
The within construct is introduced to allow the specication of
a pattern to fully match within a (dynamic) invocation of a method.
This translates to matching against a method call event, then match-
ing the patternand insisting that the return of the method not oc-
cur at any point between the call and the full match of the pattern.
Queries that end with excluded events represent liveness prop-
erties. If the query is embedded in a within clause, then it will
return a match if and when the end of the invocation of the method
is reached without the excluded event occurring. If the main query
ends with excluded events, then the match cannot be conrmed un-
til the program exits.
Example 2. Forcing closing of stream resources.
Java has many automatic resource management features, but
system-wide resources such as le handles still must be manually
released or the system risks resource exhaustion. Some methodolo-
gies demand that resources allocated in a method must be deallo-
cated before the method ends [58].
query forceClose()
uses object InputStream in;
within _ . _ ();
matches {
in = new InputStream();
in.close();
}
executes in.close();
Figure 4: Checking for potential leaks of le handles.
Shown in Figure 4 is a query that nds all methods that do not
manage InputStream resources according to such a methodology.
Here, a match is found if some invocation to method m creates
an InputStream in, and that in is not closed before the method
ends. Should it escape the allocating method, a call to close is
inserted. Note that close need not be invoked directly by m; it
can be invoked by a method called by m. Ordinarily, the within
clause species a particular method of interest; for this problem,
the pattern applies to all methods, and so both the base object and
the method name are wildcards. 2
2.2.3 Subqueries
Subqueries allow users to specify recursive event sequences or
recursive object relations. Subqueries are dened in a manner anal-
ogous to functions in a programming language. They can return
multiple values, which are bound to variables in the calling query.
By recursively invoking subqueries, each with its own set of vari-
ables, queries can match against an unbounded number of objects.
Values from input and return query variables are transferred
across subqueries by unifying formals with actuals, and return val-
ues with the callers variables. Unication in the context of a PQL
match involves ensuring that the two unied variables are bound
to the same value in any match. If one variable has been bound
by a previous event but the other has not, the undened variable
is bound to the same value. If both have already been bound to
different variables, then no match is possible.
When writing recursive subqueries, it is often necessary for the
base case to force the return value to be equal to one of its argu-
ments. PQL provides a unication statement to express this: the
statement a := b does not correspond to any program event, but
instead unies its parameters a and b.
Example 3. Recursive subqueries.
Recursion is useful for matching against the common idiom of
wrappers in Java. Java exposes higher-level I/O functions by pro-
viding wrappers over base input streams. These wrappers are sub-
classes of the top-level interfaces Reader (for character streams)
and InputStream (for byte streams). For example, to read Java
Objects from some socket s, one might rst wrap the stream with
a BufferedInputStream to cache incoming data, then with an
ObjectInputStream to parse the objects from the stream:
r1 = new BufferedInputStream(s.getInputStream()));
r2 = new ObjectInputStream(r1);
obj = r2.readObject();
In general, there can be arbitrary levels of wrapping. To capture
this, we need to use a recursive pattern, as shown in Figure 5. The
base case in derivedStream subquery declares that any stream can
be considered derived from itself; the other captures a single wrap-
per and then re-invokes derivedStream recursively. 2
query derivedStream(object InputStream x)
returns object InputStream d;
uses object InputStream t;
matches {
d := x
| {t = new InputStream(x);
d := derivedStream(tmp);}
}
query main()
returns method
*
m;
uses
object Socket s;
object InputStream x, y;
object Object v;
matches {
x = s.getInputStream();
y := derivedStream(x);
v = y.readObject();
v.m();
}
executes Util.PrintStackTrace(
*
);
Figure 5: Recursive query for tracking data from sockets.
It is natural to ask how a developer should go about writing a
PQL query. In some cases such as SQL injections, studying the
API of relevant methods is sufcient. Sometimes it is useful to
instead locate objects of interest and see how these objects are used
in the program. PQL makes such explorations easy. For example,
the query shown in Figure 5 nds all methods invoked on objects
read from a network socket. The query rst nds all the streams
derived from the input stream of a socket, then all objects read from
any of the derived streams. It then matches against any method,
represented by the method parameter m, invoked upon the objects
read.
2.2.4 Reacting to a Match
Matches in PQL often correspond to notable or undesirable pro-
gram behavior. PQL provides two facilities to log information
about matches or perform recovery actions.
The simplest version of these is the executes clause, which
names a method to run once the query matches. PQL subqueries
may also have one or more replaces clauses. These name a state-
ment to watch for, and a method representing the action to be exe-
cuted in its place. This method may take query variables as argu-
ments. Passing the special symbol as an argument will pack-
age every variable binding in the match into a collection that can
be handled generically.
Some basic actions are dened as methods in a class Util
as part of the base system; the two most frequently used are
Util.PrintStackTrace, which takes the argument and
dumps information about the variable values and the stack trace
where the nal event occurred, and Util.Abort, which takes no
arguments and terminates the program immediately. Both are in-
tended for the executes clause.
When implementing actions, the method must return void for
executes clauses, or a value of the same type of the replaced event
for replaces. Each argument to the action is represented as an
array of Objects. Arrays are necessary because multiple matches
may complete on a single event. Each index into the argument
array corresponds to a single match that has completed.
2.3 Expressiveness of PQL
PQL as a pattern language is fundamentally concerned with ob-
jects. It seeks to nd a set of heap objects (disregarding how they
are named syntactically in the code) to parameterize a context-
sensitive pattern of events over the execution trace.
The events in these patterns do not refer to primitive values such
as integers or individual characters, and so PQL is not capable of
tracking them.
The subquery mechanism introduces a call chain that permits
the matcher to match context-free grammars. Each production in
such a grammar can be considered to be independently existentially
quantied with respect to objects on the heap. This means that,
despite the fact that any query can only refer to a nite number of
variables, any number of objects may be involved in a match on a
recursive query.
PQL does not directly provide a Kleene-star operator. However,
this facility may be simulated with tail-recursive queries. In prac-
tice, useful queries with loops need to refer to different objects or
chains of objects, and in both cases, a simple Kleene star is insuf-
cient to capture the precise semantics.
The partial-order operator species that the execution stream
must be able to match each of several clauses, which is equiv-
alent to specifying the intersection of the languages specied by
each clause. PQLs class of languages is thus that of the closure of
context-free languages combined with intersection; this class is a
superset of context-free languages.
The default semantics of the sequencing operator in PQL would
also seem to require patterns to be unduly permissive, since they
permit arbitrary blocks of statements to occur between events of
interest. However, due to the object-centric focus of the language,
this usually is precisely the behavior desired. For the occasions
when this is not what is desired, one can use exclusion events to
forbid all intervening events. This permits the language to express
arbitrary patterns on the execution trace, while keeping the most
generally useful patterns the simplest to express.
3. DYNAMIC MATCHER
A direct, nave approach to nding matches to PQL queries dy-
namically consists of the following three steps:
1. Translate each subquery into a non-deterministic state ma-
chine which takes an input event sequence, nds subse-
quences that match the query and reports the values bound
to all the returned query variables for each match. If there is
only a main query, this can be a simple nite state machine.
More complicated queries require additional machinery, de-
scribed in Section 3.1.
2. Instrument the target application to produce the full abstract
execution trace.
3. Use a query recognizer to interpret all the state machines over
the execution trace to nd all matches.
The procedure as described is quite inefcient. To reduce instru-
mentation overhead, we perform the following optimizations. First,
instrumentation code is inserted only at those program points that
might generate an event of interest for the specic query. A simple
type analysis excludes operations on types not related to objects
in the query. We use the results of our static analysis, described
in Section 4, to further reduce the instrumentation by excluding
statements that cannot refer to objects involved in any match of the
query. Also, instead of collecting full traces, our system tracks all
the partial matches as the program executes and takes action imme-
diately upon recognizing a match.
3.1 Translation From Queries To State
Machines
A state machine representing a query is composed of: a set of
states, which includes a start state, a fail state, and an accept state;
a set of state transitions; and a set of variable parameters. A partial
match is given by a current state and a set of bindingsa map-
ping from variables in a PQL query to objects in the heap at run
time. A state transition species the event for which under which
a current state and current bindings transition to the next state and
a new set of bindings. Because the same event may be interpreted
in different ways by different transitions, a state machine may non-
deterministically transition to different states given the same input.
To represent partial-order statements, states can be made to be
join points: in these cases, the state machine must determine that
every incoming transition has a compatible partial match. Each
outgoing match from such a state is a combination of one incom-
ing match from each transition; every possible consistent combina-
tion is formed. A combination is consistent if and only if no two
matches dene the same variable to different values. In the extreme
case where no incoming transition binds any variable bound by any
other transition, the outgoing matches are the cartesian product of
all incoming matches.
State transitions generally represent a single primitive statement
corresponding to a single event in the execution trace. There are
three special kinds of transitions:
Skip transitions. A query species a subsequence of events to
match. Unless noted otherwise with an exclusion statement, an
arbitrary number of events of any kind are allowed in between con-
? ?
d := x
start
return (t = InputStream.<init>) Subquery(derived) call (t = InputStream.<init>)
![return (t = InputStream.<init>)]
finish
Figure 6: State machine for the derivedStream query.
secutive matched statements. We represent this notion with a skip
transition, which connects a state back to itself on any event that
doesnt match the set of excluded events. Note that the accept
state does not have a skip transition, so matches are reported only
once. We label skip transitions with a ? to indicate that they may
match any event, or with ![event] to indicate that the transition
will match any event but the one listed.
Null transitions. A null () transition does not correspond to any
event; it is taken immediately when encountered. Any state with
outgoing transitions must have all outgoing transitions be . They
may optionally carry a predicate; the transition may only be taken
if the predicate is true. If it is not, the matcher transitions directly
into the fail state.
Subquery invocation transitions. These behave mostly like ordi-
nary transitions, but correspond to the matches of entire, possibly
recursive, queries.
We preprocess the queries to ease translation. No subquery may,
directly or indirectly, invoke itself without any intervening events.
So, rst we eliminate such situations, a process analogous to the
elimination of left-recursion from a context-free grammar [1]. Sec-
ond, excluded events are propagated forward through subquery
calls and returns so that each set of excluded events is either at
the end of main or immediately before a primitive statement.
We now present a syntax-directed approach to constructing the
state machine for a query. Associated with each statement s in
the query are two states, denoted bef (s) and aft(s), to refer to
the states just before and after s is matched. For a query with state-
ment s, the start and accept states of the query are states bef (s) and
aft(s), respectively. As an example, the derivedStream query
from Figure 5 is translated to the state machine shown in Figure 6.
Array and eld operations. These are the primitive statements
that correspond to single events in the trace. For a primitive state-
ment s of type t, the transition from bef (s) to aft(s) is predicated
by getting an input event also of type t and that the attributes in e
must be uniable with those in statement s and the current bind-
ings. An attribute in e with value x is uniable with s and current
bindings if
1. either the corresponding attribute in s has a literal value x
2. or it refers to a parameter variable v that is either unbound or
bound to value x.
If the attribute refers to an unbound variable v, the pair (v, x) is
added to the set of known bindings.
Exclusion. For an excluded primitive statement of the form s

,
bef (s) = aft(s). The default skip transition is modied to be
predicated upon not matching s

.
Sequencing. If s = s1; s2, then bef (s) = bef (s1), aft(s) =
aft(s2), and aft(s1) = bef (s2).
Alternation. If s = s1|s2, then bef (s) provides transitions to
bef (s1) and bef (s2); similarly, aft(s1) and aft(s2) each have an
transition to aft(s).
Partial order. Partial orders resemble alternation statements: if
s = s1, s2, then bef (s) provides transitions to bef (s1) and
bef (s2); similarly, aft(s1) and aft(s2) each have an transition
to aft(s). The primary difference is that the aft(s) state is a join
point.
Method invocation. If s is a method invocation statement, we
must match the call and return events for that method, as well as
all events between them. To do this, we create a fresh state t and a
new event variable v. We create a transition from bef (s) to t that
matches the call event, and bind v to the ID of the event. We cre-
ate another transition from t to aft(s) that matches a return event
with ID v. The skip transition from t back to itself is modied to
exclude the match of the return event. Call and return events are
unied in a manner analogous to array and eld operations.
Creation points. Object creation is handled in Java by invoking
the method < init >, and is translated like any other method
invocation.
Context. The within clause is represented by nesting the automaton
representing the body between a pair of matching call and return
event pairs. The skip transitions are modied to not match the re-
turn, forcing the failure of any match that does not complete within
the call.
Unication statements. A unication statement is represented by
a predicated transition that requires that the two variables on the
left and right have the same value. If one is unbound, it will acquire
the value of the other.
Subquery invocation. Subquery invocations are treated as if it
the subquery match were a primitive event in its own right. The
recognizer handles subquery calls and returns on its own. More
details are discussed in Section 3.3.
3.2 Instrumenting the Application
The system instruments all instructions in the target application
that match any primitive event or any exclusion event in the query.
At an instrumentation point, the pending event and all relevant ob-
jects are marshalled and sent to the query recognizer. The recog-
nizer will update the state of all pending matches and then return
control to the application.
The recognizer does not interfere with the behavior of the ap-
plication except via completed matches; therefore, any instrumen-
tation point that can be statically proven to not contribute to any
match need not be instrumented. In particular, we can optimize
away instrumentation where the referenced objects have statically
declared types that conict with the query. More sophisticated op-
timization techniques are discussed in Section 4.
3.3 The Query Recognizer
The recognizer begins with a single partial match at the begin-
ning of the main query, with no values for any variables. It receives
events from the instrumented application and updates all currently
active partial matches. For each partial match, each transition from
its current state that can unify with the event produces a new pos-
sible partial match where that transition is taken. A single event
may be uniable with multiple transitions from a state, so multiple
new partial matches are possible. If a skip transition is present and
its predicates pass, the match will persist unchanged. If the skip
transition is present but a predicate fails the match transitions to the
fail state. If the skip transition is present but a predicates value is
unknown because the variables it refers to as are of yet unbound,
then the variable is bound to a value representing any object that
does not violate the predicate. Predicates accumulate if two such
objects are unied; unication with any object that satises all such
predicates replaces the predicates with that object.
If the new state has transitions, they are processed immediately.
If a transition representing a subquery call is available from the
new state, a new partial match based on the subquerys state ma-
chine is generated. This partial match begins in the subquerys start
state and has initial bindings corresponding to the arguments the
subquery was invoked with. A unique subquery ID is generated for
the subquery call and associated with the subquery callers partial
match, with the subquery callees partial match, and with any par-
tial match that results from taking transitions within the subquery
callee.
Join points are handled by nding the latest state that dominates
the join point and treating it as the split point. Each incoming tran-
sition to the join point has a submachine representing all paths from
the split point to that transition. When a split point is reached, each
of these submachines is matched independently in a manner similar
to subqueries. The join point then collects and combines matches
as they complete, and propagates combined matches once all of
them have completed.
Once a partial match transitions into an accept state, it begins
to wait for events named in replaces clauses. When a targeted
event is encountered, the instruction is skipped and the substituted
method is run instead. An executes clause runs immediately once
the accept state is reached.
When a subquery invocation completes, the subquery ID is used
to locate the transition that triggered the subquery invocation. The
variables assigned by the query invocation are then unied with the
return values, and the subquery invocation transition is completed.
The original calling partial match remains active to accept any ad-
ditional subquery matches that may occur later.
In order for this matcher to scale over long input traces, it is
critical to be able to quickly acquire all relevant partial matches
to an event. We use a hash map to quickly access partial matches
affected by each kind of event. This map is keyed not only on the
specic transition, but also on all variables known to have values at
that point in the query. For queries whose partial matches consist
of at most one variable-value pair of binding, our implementation
is very efcient as it needs to perform only one single hash lookup.
4. STATIC CHECKER & OPTIMIZER
PQL makes it easy for developers to take advantage of context-
sensitive points-to analysis results. We have developed an algo-
rithm to automatically translate PQL queries into queries on a
pointer analysis result, shielding the user from the need to directly
operate on the program representation or the context-sensitive re-
sults. This translation approach is very exible: even though
our checkers are currently ow-insensitive, ow sensitivity can be
added in the future to improve precision without needing to modify
the queries themselves.
Accurate interprocedural pointer alias analysis is critical to the
precision of PQL static checkers, because events relevant for a par-
ticular query may be widely separated in the program. The an-
alysis for PQL must be sound, because false negatives mean the
results are unusable for optimization. This is in contrast to many
recently developed practical static checkers [10, 18, 62] which use
unsound analyses and thus produce both false-negative and false-
positive warnings.
Our checkers use pointer information from a sound cloning-
based context-sensitive inclusion-based pointer alias analysis due
to Whaley and Lam [59]. This analysis computes the points-to
relations for each distinct call path for programs without recur-
sion. Call paths in recursive programs are reduced by treating
each strongly connected component as a single node. The points-
to information is stored in a deductive database called bddbddb.
The data are compactly represented with binary decision diagrams
(BDDs), and can be accessed efciently with queries written in the
logic programming language Datalog.
4.1 The bddbddb Program Database
All inputs and results for the static analyzer are stored as rela-
tions in the bddbddb database. The domains in the database in-
clude bytecodes B, variables V , methods M, contexts C, heap ob-
jects named by their allocation site H, and integers Z. The context
domain represents the various call chains that can occur in the pro-
gram, and is used to qualify pointer information. Two pointer re-
lations that are true in the same calling context are associated with
the same value in C. For a further treatment of this, see [59].
The source program is represented as a number of input rela-
tions: actual , ret, dld, dst, arrayld, arrayst represent param-
eter passing, method returns, eld loads, eld stores, array loads,
and array stores, respectively. There is a one-to-one correspon-
dence between attributes of primitive statements in the query lan-
guage and those in the relations.
In the following, we say that predicate A(x1, . . . , xn) is true if
tuple (x1, . . . , xn) is in relation A. Below we show the denitions
of three of the relations; the remaining ones are dened similarly.
dld: BV M V . dld(b, v1, m, v2), means that bytecode
b executes v1 = v2.m.
actual : B Z V . actual (b, z, v) means that variable v is zth
argument of the method call at bytecode b.
ret: BV . ret(b, v), means that variable v is the return result of
the method call at bytecode b.
The context-sensitive points-to analysis produces a numbering
of the calling contexts, the invocation graph of the context-sensitive
call graph, and nally the points-to results:
IE: C BC M is the context-sensitive invocation relation.
IE(c1, i, c2, m) means that invocation site i in context c1
may invoke method m in context c2.
vP: C V H is the variable points-to relation. vP(c, v, h)
means that variable v in context c may point to heap object
h.
A Datalog query consists of a set of rules, written in a Prolog-
style notation, where a predicate is dened as a conjunction of other
predicates. For example, the Datalog rule
D(w, z) : A(w, x), B(x, y), C(y, z).
says that D(w, z) is true if A(w, x), B(x, y), and C(y, z) are all
true.
Example 4. Statically detecting basic SQL injections.
We can express a ow-insensitive approximation of the basic SQL
injection query in Figure 1 as follows:
simpleSQLInjection(b1, b2, h) :
IE(c1, b1, _, getParameter),
ret(b1, v1), vP(c1, v1, h),
IE(c2, b2, _, execute),
actual (b2, 1, v2), vP(c2, v2, h).
The Datalog rule says that an object h is a cause of an injection
if b1 is a call to getParameter, b2 is a call of execute, and the
return result of getParameter v1 in some context c1 points to the
same heap object h as v2, the rst parameter of the call to execute
in some context c2. 2
4.2 Translation from PQL to Datalog
We perform static analysis by translating PQL queries into Dat-
alog and using bddbddb to resolve the queries. Datalog is a highly
expressive language, including the ability to recursively specify
properties, meaning that PQL queries may be translated to Data-
log approximation using a simple syntax-directed approach.
In the beginning of the translation process, we normalize the in-
put PQL queries so that the matches part of each query is an alter-
nation of sequence statements; in other words, the top most level
statement of the matches clause is an altStmt each of which clauses
is a seqStmt and altStmts mentioned in Figure 3 are used only at the
top level. Any event affected by a replaces clause is treated by
this process as being a possible nal event in the query. This is
equivalent to appending an alternation of all such statements to the
end of the matches clause before normalization.
Each PQL query becomes a Datalog relation dened over byte-
codes, eld/method names, and heap variables; one bytecode for
every program point in the longest possible sequence of events
through the query, one eld or method name for each member vari-
able in the PQL query, and one heap variable for each object vari-
able in the PQL query. Literals and wildcards are translated from
PQL into Datalog without change. We summarize the handling of
individual PQL constructs below:
Primitive statements. Each primitive statement in the query is
translated into one or more Datalog predicates. A syntax-directed
translation of PQL queries into Datalog is shown in Figure 7. The
left side of the table lists a PQL primitive statement and the right
hand side shows its Datalog translation. All of these translations
have the same basic form. The PQL statement refers to some heap
object hi. The bddbddb system, however, represents instructions in
terms of actual program variables. We must therefore rst extract
the program variables into some fresh Datalog variable v
hi
and then
query the vP relation to determine the possible values for hi. If a
eld or method name refers to a PQL member variable, it may be
referenced directly in the statement.
Alternation. Since the input queries are normalized so that alter-
nation statements are used only at the top level, each clause in an
alternative is represented by a separate Datalog rule with the same
head goal.
Sequencing. Because the static analysis is ow-insensitive, we do
not track sequencing directly, and instead merely demand that all
events in the sequence occur at some point. This can be done by
simply replacing the sequence operator ; with the Datalog con-
junction operator ,. Since there is no guarantee that the same
program variables are used in each event in the sequence, the vx, i,
and c Datalog variables must be fresh for each event. The hx and
m variables correspond to PQL constructs and so keep the same
name. Each event includes a reference to a bytecode where the
event occurs, and this bytecode is bound to one of the bytecode
attributes of the subquery relation. If bytecode parameters are left
unbound (for example, in the base case for the derivedStream
query in Figure 5, the unused bytecode parameters are set to NULL,
representing no program location.
Partial order. Similarly, because the static analysis is ow-
insensitive, the translation of a partial-order statement can simply
treat all its clauses as part of a sequence.
Exclusion. With ow-insensitivity, no guarantees about ordering
can be made. This means that we cannot deduce that an excluded
event (denoted with a ) occurs between two points in a sequence;
as a result, all excluded events are ignored. This is a source of
imprecision in our current analysis, but it is a conservative approx-
imation that maintains soundness.
Primitive Statement Datalog translation
primStmt h
1
.m = h
2
dst(_, v
1
, m, v
2
),
vP(c, v
1
, h
1
),
vP(c, v
2
, h
2
)
primStmt h
1
= h
2
.m dld(_, v
1
, m, v
2
),
vP(c, v
2
, h
1
),
vP(c, v
1
, h
2
)
primStmt h
1
[ ] = h
2
arrayst (_, v
1
, v
2
),
vP(c, v
1
, h
1
),
vP(c, v
2
, h
2
)
primStmt h
1
= h
2
[ ] arrayld(_, v
1
, v
2
),
vP(c, v
2
, h
1
),
vP(c, v
1
, h
2
)
primStmt h
0
= m ( h
1
, . . ., hn ) ret(i, h
0
), IE(c, i, _, m),
actual (i, 1, v
1
), vP(c, v
1
, h
1
),

actual (i, n, vn), vP(c, vn, hn)
primStmt h
0
= new typeName ( h
1
, . . ., hn ) ret(i, h
0
), IE(c, i, _, typeName.< init >),
actual (i, 1, v
1
), vP(c, v
1
, h
1
),

actual (i, n, vn), vP(c, vn, hn)
Figure 7: Translation of primitive statements primStmt from PQL (left) into Datalog (right) for static analysis and optimization.
Within. The within m construct is handled by requiring that
matching bytecodes be found in methods transitively called from
m. This involves querying a call graph; such a call graph is avail-
able as part of the pointer analysis.
Unication. Unication of objects is translated into equality of
heap allocation sites.
Subqueries. Invocations of PQL subqueries are represented by
referring to the equivalent Datalog relation. The program points
and any variables that are not parameters in the PQL subquery are
matched to wildcards and projected away.
Figure 8 shows a full translation of the query from Figure 5 into
Datalog. The rst rule is a translation of the main query, which has
only one path. It also involves three events, one member variable,
and four object variables. Each of the four PQL statements is trans-
lated in turn, and combined they form the core of the main query.
The derivedStream query is somewhat more interesting, as it has
two possible sequences, each with a different length. The base case
is given rst, which simply asserts the equality of its arguments
(the unication statement) and then returns immediately. As there
is no event in this path, the bytecode argument for derivedStream
is set to NULL. The second rule handles the recursive case and is
similar to mains translation.
The mainRelevant and derivedRelevant relations express
which bytecodes are actually part of the nal solution, and will
be explained in detail at the end of the next section.
4.3 Extracting the Relevant Bytecodes
The bddbddb system resolves each query more or less indepen-
dently; as a result, each subquery nds program points and heap
variables for any set of arguments, regardless of whether or not the
subquery can be invoked with those arguments. It is thus necessary,
when extracting the list of relevant bytecodes, to extract only those
bytecodes that actually participate in a match of the full query. This
is a two-step process. In the rst step, we determine which sub-
query invocations contribute to the nal result; in the second we
project the relevant subqueries onto the bytecode domain.
Finding relevant subquery matches. Relevant subqueries are de-
termined inductively: All members of the main relation is relevant,
and any member of any query relation that appears as a clause in a
relevant relation as the result of translating a subquery invocation is
relevant. This translates to one rule for each invocation statement
and an additional rule to express that all results of main are rele-
vant. In Figure 8, the single rule for mainRelevant declares any
solution to main to be relevant. There are two invocations of the
derivedStream subquery, and each gets its own rule. The rst han-
dles the recursive subquery inside derivedStream, and the second
deals with the call from main.
Extracting relevant program locations. Gathering the relevant
program locations is straightforward once the previous step is per-
formed; any program location that occurs in a relevant solution
to any query is relevant. For the special case of the main query,
we need not check for relevance because all solutions to the main
query are relevant. Figure 8 uses the relevant relation to express
this; the rst rule says that a bytecode is relevant if it is part of a
derivedStream relation that has been proven relevant, and the nal
three project any bytecode involved in main into the set of relevant
bytecodes.
5. EXPERIENCES WITH PQL
Many of the error patterns found in the literature can be ex-
pressed easily in PQL. We have selected four important and rep-
resentative error patterns to illustrate the use of PQL.
1. Serialization errors: a data corruption bug in web servers
that can be exploited to mount denial-of-service attacks.
main(b0, b1, b2, mm, hs, hv, hx, hy) :
IE(c0, b0, _, getInputStream),
actual(b0, 0, vs0), ret(b0, vx),
vP(c0, vx, hx), vP(c0, vs0, hs),
derivedStream(_, hx, hy, _),
IE(c1, b1,, readObject),
actual(b1, 0, vy1), ret(b1, vv1),
vP(c1, vv1, hv), vP(c1, vy1, hy),
IE(c2, b2, _, mm), actual(b2, 0, vv2),
vP(c2, vv2, hv).
derivedStream(b, hx, h
d
, _) :
hx = h
d
, b = NULL.
derivedStream(b, hx, h
d
, ht) :
IE(c, b, _, InputStream. < init > ),
actual (b, 1, vx), ret(b, vt),
vP(c, vx, hx), vP(c, vt, ht),
derivedStream(_, ht, h
d
, _).
mainRelevant(mm, hs, hv, hx, hy) :
main(_, _, _, mm, hs, hv, hx, hy).
derivedRelevant (ht, h
d
, h3) :
derivedRelevant (_, h
d
, ht),
derivedStream(_, ht, h
d
, h3).
derivedRelevant (hx, hy, h3) :
mainRelevant(_, _, _, hx, hy),
derivedStream(_, hx, hy, h3).
relevant (b) : derivedStream(b, hx, h
d
, ht),
derivedRelevant (hx, h
d
, ht).
relevant (b) : main(_, _, b, _, _, _, _, _).
relevant (b) : main(_, b, _, _, _, _, _, _).
relevant (b) : main(b, _, _, _, _, _, _, _).
Figure 8: Datalog translation of Figure 5.
These errors are instances of the simple pattern do not store
object of type X in Y [45].
2. SQL injections: a major threat to the security of database
servers, as discussed in Section 1. This is an instance of
taint analysis where the use of data obtained in some man-
ner is restricted.
3. Mismatched method pairs: some APIs require that meth-
ods be invoked in a certain order. Matching pairs of methods
that follow the pattern a call to method A must always be
followed by a call to method B such as install always
followed by uninstall are common in large systems. Fail-
ing to properly match method calls leads to resource leaks
and data structure inconsistencies. Patterns of this kind are
simple to specify, but are often difcult to check statically in
large applications.
4. Lapsed listeners: a common memory leakage pattern in
Java that may lead to resource exhaustion and crashes in
long-running applications. Listeners follow a more complex
pattern where event A invoked on an object is required to
be followed by event B invoked on a related, but different
object.
These examples considered together show the complementary na-
ture of static and dynamic analysis. Static analysis can solve sim-
ple problems like the serialization error query precisely, whereas
dynamic analysis becomes more useful for more complex queries
like matched method pairs and lapsed listeners.
5.1 Experimental Setup
For our experiments, we use several large open-source Java
applications whose characteristics are summarized in Figure 9.
webgoat is a test application designed to demonstrate potential se-
curity aws in Java. road2hibernate is a test program that exer-
cises the rather large hibernate object persistence library, which
is now a major component of the JBoss suite. snipsnap, roller,
and personalblog are widely deployed weblog and wiki appli-
cations. Eclipse is the current premier open-source Java IDE; all
Eclipse experiments in this paper were run on version 3.0.0.
All of our static analyses were done on an AMD Opteron 150
machine with 4GB of memory running Linux. Dynamic tests were
performed on a 2 GHz AMD Athlon XP with 256MB of memory
running Linux. First, we apply the context-sensitive pointer an-
alysis on our benchmarks. As shown in Figure 10, it takes up to
34 minutes to represent the program as BDD relations and com-
pute the points-to results. Fortunately, this preprocessing step only
needs to be performed once for all queries. Note that even though
road2hibernate consists of only 137 lines of code, the prepro-
cessing time is dominated by the analysis of large libraries it uses.
In Figure 13 we show characteristics of the checkers for the three
queries in our experiment. For static analysis, we show the time
taken just to resolve the Datalog query and the total time taken,
which is often considerably higher, as it includes loading and sav-
ing of large relations. Dynamic analysis is run only if warnings
from the static analysis are not immediately obvious as errors. The
times for the Web applications reect the average amount of time
required to serve a single page, as measured by the standard pro-
ling tool JMeter. road2hibernate is a command-line program
and its time is a simple start-to-nish timing.
Our performance numbers indicate that our approach on real ap-
plications is quite efcient. Unoptimized dynamic overhead is gen-
erally noticeable, but not crippling; after optimization it often be-
comes no longer measurable, though may still be as high as 37%
in heavily instrumented code. Likewise, our static analysis times
are in line with expectations for a context-sensitive pointer analysis
run over tens of thousands of classes.
5.2 Serialization Errors
In a three-year study of production software, Reimer et al. found
that a large class of high-impact coding errors violate design rules
of the form only store objects of type X in objects of type
Y [45]. Such rules can be easily expressed in PQL. The serial-
ization error we study is an instance of such a pattern. Specically,
HttpSession, a runtime representation of a Web session, is sup-
posed to be a persistent object to allow the Web server to save and
restore sessions when the load is too high. As a consequence, only
objects implementing the interface Serializable can be stored
within an HttpSession, via the setAttribute method. The PQL
query corresponding to this design rule is shown in Figure 11.
Violations of this rule will cause the persistence operation to fail,
either with exceptions or via data corruption. The former may be
exploited by a malicious user to mount a denial-of-service attack;
the latter may cause intermittent problems that are hard to test be-
cause session objects are written out only under high load. One
such problem in enterprise Java code reportedly took a team of en-
gineers close to two weeks to detect [45].
Source Source Library Total
Benchmark Description LOC classes classes classes
webgoat Sample Web application with known security aws 19,440 35 986 1,021
personalblog Blogging application based on J2EE 5,591 59 5,177 5,236
road2hibernate Test application for Hibernate, an object persistence library 138 2 7,060 7,062
snipsnap Blogging application based on J2EE 57,350 804 10,047 10,851
roller Blogging application based on J2EE 52,089 247 16,112 16,359
Eclipse Open-source Java IDE (GUI application) 2,834,133 19,439 19,439
Figure 9: Summary of information about benchmark Java programs.
Program relation Pointer Total
Benchmark generation analysis time
webgoat 65 13 78
personalblog 213 218 431
road2hibernate 767 512 1,279
snipsnap 170 151 321
roller 978 1,011 2,029
Figure 10: Static preprocessing time, in seconds.
As shown in Figure 12, a total of 61 calls to method
HttpSession.setAttribute are found in four benchmarks. Af-
ter the optimizer was run, only 12 remain as potential matches to
our query. This shows how pointer analysis is useful in suppressing
false warnings: the static checker is able to deduce that the concrete
types of the instances stored implement Serializable in some
cases, even though their declared type is not. 8 of the remaining
calls to setAttribute are obvious errors that can immediately be
seen to not be correct on any run. When our dynamic checker is ap-
plied to snipsnap, which contains the 4 unconrmed warnings, a
runtime match is found for one of these suspicious sites, conrming
that it is indeed an error.
5.3 Finding Security Flaws: SECURIFLY
Shown in Figure 14 is a more realistic example of the SQL in-
jection vulnerability rst mentioned in Section 1.1. Having control
over the username and pwd variables, the user can cause arbitrary
SQL code to be run or bypass access restrictions. SQL injection is
an instance of taint analysis which requires tracking the ow of
data from a set of sources to a set of sinks.
For applications written in the J2EE framework, we
have examined the J2EE APIs to identify the sources and
sinks for the case of SQL injections. Sources, listed in
query UserSource in Figure 15, include return results of
HttpServletRequests methods such as getParameter.
Sinks, enumerated in the replaces clause, include argu-
ments of method java.sql.Statement.execute(String sql),
java.sql.Connection.prepareStatement(String sql), and
so forth.
Because a user-controlled string may be incorporated into other
strings, the main query asks if a user-controlled string (subquery
query main()
returns
object !java.io.Serializable obj;
object javax.servlet.http.HttpSession session;
matches {
session.setAttribute(_, obj);
}
Figure 11: Query for nding serialization errors.
Total Static Stat. Dynam.
Benchmark calls warnings conrmed conrmed
errors errors
webgoat 5 1 1
personalblog 2 0 0
snipsnap 29 10 6 1
roller 25 1 1
Total 61 12 8 1
Figure 12: Results for the serialization error query. Calls refer
to invocations of HttpSession.setAttibute. indicates that
dynamic checking is unnecessary.
UserSource), can be propagated one or more times (subquery
StringPropStar) to create a string used in an SQL query (the ac-
tions in the replaces clauses of the main query). Unsafe database
accesses are replaced with routines that rst quote every metachar-
acter in every instance of the user string in the SQL command, thus
transforming possible attacks into legitimate commands.
Note that the string propagation query StringPropStar is
not specic to SQL injection, and can be used for a variety of
taint queries that involve propagation of Strings. It invokes the
StringProp query, which handles all the ways in which one string
can be derived from another.
Using PQL we have developed a runtime security protection sys-
tem for Web applications called SECURIFLY
1
. The system pre-
sented here can address the problem of SQL injection as well as
other vulnerabilities such as cross-site scripting and path traversal
attacks described in [33]. However, we have only performed a de-
tailed experimental study of runtime overhead for SQL injections.
Commonly used dynamic techniques such as application re-
walls [37] that rely on pattern-matching and monitor trafc ow-
ing in and out of the application are a poor solution for SQL in-
jection [35]. In contrast, SECURIFLY can detect attacks because it
observes how data ows through the application. Moreover, SECU-
RIFLY can gracefully recover from vulnerabilities before they can
do any harm by sanitizing tainted input whenever necessary. There
are some inherent advantages the dynamic approach has over the
static one.
SECURIFLY can be integrated with the server so that when-
ever a new Web application is added, it is instrumented auto-
matically. This removes the apprehension related to deploy-
ing unfamiliar potentially insecure Web applications. This
obviates the issue present with static tools of the code being
changed without the tool being rerun. This is particularly
important because analyzing Web applications statically can
prove to be difcult because of issues such as handling re-
ection.
1
The name SECURIFLYcomes from the idea of providing security
on the y.
Static analysis time Instrumentation points Runtime Overhead
Query Total Unopti- Opti- Uninstru- Unopti- Opti- Unopti- Optimi-
Benchmark resolution time mized mized mented mized mized mized mized
BAD STORES
webgoat 5 12 1 0
personalblog 23 34 1 0
snipsnap 48 67 18 3 .073 .074 .073 1% < 1%
roller 61 84 12 0
SQL INJECTIONS
webgoat 1 46 604 69 .024 .054 .033 125% 37%
personalblog 2 74 3,209 36 .040 .069 .049 72% 22%
road2hibernate 4 113 4,146 779 2.224 2.443 2.362 9% 3%
snipsnap 3 79 3,305 542 .073 .096 .080 31% 9%
roller 4 147 2,960 96 .008 .012 .008 50% < 1%
Figure 13: Summary of static analysis times, runtimes, dynamic overhead, and the number of instrumentation points with and without
optimizations. is used to indicate that no dynamic run was necessary because a static solution was sufcient. All times are in seconds.
SECURIFLY does not require changes to the original pro-
gram and does not need access to anything other than the
nal bytecode. This can be especially advantageous when
dealing with applications that rely on libraries whose source
is unavailable.
The dynamic checker for the SQL injection query will match
whenever a user controlled string ows in some way to a suspected
sink, regardless of whether a user input is harmful in a particular
execution. It will then react to replace the potentially dangerous
string with a safe one.
The errors located with our tool involved the applications build-
ing SQL strings out of data either sent in from the command line
or generated as parameters of an HTTP request. The former can be
exploited if the program can be executed by the malicious user. The
latter are vulnerable to the more common crafted-HTTP-request at-
tacks.
5.3.1 Importance of Static Optimization
Without static optimization, many program locations need to be
instrumented. This is because routines that cause one String to
be derived from another are very common. Heavily processed user
inputs that do not ever reach the database will also be carefully
tracked at runtime, introducing signicant overhead to the analysis.
Fortunately, the static optimizer effectively removes instrumen-
tation on calls to string processing routines that are not on a path
from user input to database access. Exploiting pointer information
dramatically reduces both the number of instrumentation points and
the overhead of the system, as shown in Figure 13. The reduction
in the number of instrumentation points due to static optimization
can be as high as 97% in roller and 99% in personalblog. As
shown in Figure 13, reduction in the number of instrumentation
points results in a smaller overhead. For instance, in webgoat, the
overhead is cut almost in half in the optimized version.
public void authenticate(HttpServletRequest request){
String username = request.getParameter("user");
java.sql.Statement stmt = con.createStatement();
String query =
"select
*
from users where username = " +
username + "and password = " + pwd + "";
stmt.execute(query);
... // process the result of SELECT
}
Figure 14: A classic example of SQL injection.
Note that the query does no direct checking of the value that
has been provided by the user, so if harmless data is passed along a
feasible injection vector, it will still trigger a match to the query. As
a result of this, drastic responses such as aborting the application
are not suitable outside of a debugging context.
5.3.2 Applying Input Sanitization
As seen in Figure 15, each operation that can unsafely use tainted
data receives a replaces clauses in the query main. When a pos-
sibly relevant sink is reached, any matches that have completed and
which are consistent with the instruction are gathered, and if such
matches are present, the replacing method is executed instead.
The SafePrepare and SafeExecute methods themselves nd
all substrings in the sink variable that match any of the possible
values for source. They then produce a new SQL Query string
identical to the old, but it quotes all the SQL metacharacters such
as

. This forces them to be treated as literal characters instead

of, for instance, a string terminator. This new, safe query is then
passed to prepareStatement or executeQuery, respectively.
Using this technique we were able to defend against the two SQL
injections for which we had derived effective attacks: the two in
webgoat and road2hibernate.
5.4 Matching Method Pairs in Eclipse
Many APIs have methods that must be invoked in pairs in order
for to remain internally consistent or to prevent resource leaks. This
implies a set of rules that take the form a call to A must always
be followed by a call to B. Developers are required to ensure
that calls to A are followed by calls to B on all execution pathsa
highly error-prone task, especially in the presence of exceptions.
The problem is complicated further when calls to A and B occur in
different classes, or when a subclass overrides the method that calls
B but not the one that calls A. As a result, not only is the process
error-prone, it is difcult to debug with traditional techniques.
Eclipse, a large open-source Java IDE, uses a windowing toolkit
called SWT [41], which has many examples of such method pairs.
Programming guides and bug reports directed us to eight examples
of paired initialize/uninitialize methods that were often violated.
For example, calls to createWidget must always be followed to
a call to destroyWidget on the same object. We instrumented
Eclipse to search for instances of the rst with no corresponding
call to the second. This is done with a query body of the form
{o.A(); o.B(); }
As these are liveness queries that rely critically on excluding the
second event, and our static analysis is ow-insensitive, we cannot
query main()
returns
object Object source, sink;
uses
object java.sql.Connection con;
object java.sql.Statement stmt;
matches {
source := UserSource();
sink := StringPropStar(source);
} replaces con.prepareStatement(sink)
with SQL.SafePrepare(con, source, sink);
replaces stmt.executeQuery(sink)
with SQL.SafeExecute(stmt, source, sink);
query StringProp(object Object x)
returns
object Object y;
matches
y.append(x)
| y = new String(x)
| y = new StringBuffer(x)
| y = x.toString()
| ...
query StringPropStar(object Object x)
returns
object Object y;
uses
object Object temp;
matches
y := x |
{
temp := StringProp(x);
y := StringPropStar(temp);
}
query UserSource()
returns
object Object tainted;
uses
object ServletRequest req;
matches
tainted = req.getParameter() |
| tainted = req.getHeader() | ...
Figure 15: Full SQL injection query.
optimize the dynamic matcher. However, even without optimiza-
tion, there are still relatively few instrumentation points because
the interesting events are conned to the creation and destruction
of GUI elements. Our approach is powerful because this one-line
query can pick the handful of points out of nearly 64 MB of class-
les that actually need to be instrumented for the query directly.
The results of running the instrumented IDE for each method
pair are summarized in Figure 16, together with the number of in-
strumentation points and dynamic violations of each patterns. The
number of dynamically discovered errors reported in the table is
the number of concrete types of object o that violated the pattern.
A total of 56 types in Eclipse had pattern violations, most of which
were due to missing calls to destroyWidget. In extended runs,
these bugs will lead to resource leaks.
5.5 Memory Leaks: Lapsed Listeners
Paired method queries, while useful, do not require many of
PQLs features to perform. To demonstrate the ability of PQL to
correlate objects in widely spaced events, we formed a query to
discover memory leaks in Eclipse. Despite being garbage collected,
Java programs can still have memory leaks [51]. A Java program
can maintain a link to an object that is never used again, causing the
garbage collector to never reclaim that object. Finding such kinds
of memory leaks is difcult, but it is important to nd them because
they can gradually cause resource exhaustion in long-running ap-
plications such as Web servers, leading to instability and crashes.
Event listeners in Java GUI programs are a common source of
memory leaks. Event listeners are a common way to specify actions
that should occur when a user interface event such as a mouse click
occurs on a given GUI component. This is achieved by registering a
listener with a GUI component; when the component is destroyed,
the listener should be unregistered. If a listener is not unregistered,
it will preserve a link to the GUI component. In Swing and SWT,
the listener is reachable from a global listener table, thus making
the GUI component also reachable and therefore considered live
by the garbage collector. This is referred to in the literature as the
lapsed listener problem [51].
5.5.1 Listeners in Eclipse
Eclipses GUI library is vulnerable to the lapsed listener prob-
lem. Some lapsed listener errors have been featured on Eclipses
bug tracking system. The usual technique for nding these errors
is to spend a lot of time inspecting code and using heap debuggers.
The API in Eclipse works as follows. Components (ViewParts)
are created and destroyed with the createPartControl and
dispose methods. Listeners must be registered within
createPartControl, and unregistered within dispose. A query
for this is given in Figure 17. (The actual query has many possibili-
ties for the registration and deregistration of listeners; for simplicity
our example uses one representative method for each.)
Like paired methods, this query relies heavily on the use of
excluded events, which the static analysis currently ignores. As
a result, the static analysis will simply report the presence of
createPartControl calls that register listeners, and are then
disposed, which is not useful. We thus again apply only unop-
timized dynamic analysis to Eclipse. Overhead was not perceptible
during runs of the instrumented application.
The results of this are shown in the last line of Fig-
ure 18. Matches were collected by type. After perform-
ing work in the Java, Resource, and CVS perspectives, 136
ViewPart/Component/Listener type triples were found that
were not disposed of according to the model.
This experiment demonstrated that PQL queries can be used ef-
fectively even on extremely large programs, and to nd properties
that resist most forms of analysis.
5.6 Summary
In this section we have described four applications representing
a spectrum as far as being amenable to static and dynamic analysis.
Serialization errors can be addressed statically with a high degree
of precision using high-quality pointer information. SQL injection,
while benetting from static analysis to reduce the amount of in-
strumentation, cannot generally be fully and precisely addressed
using our static technique, but is a good match for dynamic mon-
itoring optimized with the help of static results. Finally, liveness
properties such as paired methods and lapsed listener problems
found in Eclipse lend themselves most naturally to dynamic an-
alysis. Furthermore, instrumented executables produced by PQL
provide protection against query violations at run time. We have
discovered a total of 9 serialization errors, 5 SQL injections, and
nearly 200 errors in Eclipse, all of which were previously unknown.
Query {o.A; o.B} Instrumentation Dynamically
Method A Method B points discovered errors
createWidget destroyWidget 28 35
register deregister 93 7
acquireXMLParsing releaseXMLParsing 2 0
acquireDocument releaseDocument 12 0
install uninstall 184 10
installBundle uninstallBundle 11 0
start stop 120 4
startup shutdown 41 0
Total 491 56
Figure 16: Result summary for running matching pair queries on Eclipse.
query creation(object ViewPart vp)
returns
object Object obj;
object Object listener;
within vp.createPartControl() matches {
obj.registerListener(listener);
}
query destroy(object ViewPart vp, object Object obj,
object Object listener)
within vp.dispose() matches {
obj.unregisterListener(listener);
}
query main()
returns
object ViewPart vp;
object Object obj;
object Object listener;
matches {
(obj, listener) := creation(vp);
obj.unregisterListener(listener);
() := destroy(vp, obj, listener);
}
Figure 17: Lapsed listener query.
6. APPLICATIONS OF PQL
The topics covered in Section 5 focused narrowly on specic
types of errors. In this section, we move to a higher vantage point
and discuss more general uses of PQL.
6.1 Debugging and Testing
We primarily envision PQL being used under development or de-
bugging conditions. When a developer nds a bug in their code,
they will often suspect that similar bugs lurk elsewhere in their
code base. Over time, the collection of such rules that encodes de-
velopers knowledge of system-specic rules grows. The essence
of many bug patterns, from simple mistakes that manifest on sin-
gle lines (like the serialization errors in Section 5.2, or ensuring
that private data members cannot be modied because references
to them escape [22]) to ordering constraints across the life of the
entire program (as demonstrated in Sections 5.4 and 5.5), is of-
ten directly expressible as a simple PQL query. However, in large
projects with multiple authors, nding all similar instances of the
error is not a trivial task, and one with which our system can help
considerably.
Instrumentation Points Dynamically discovered errors
13,661 136
Figure 18: Result summary for lapsed listeners in Eclipse.
In general, automatically discovering system-specic rules is a
challenging problem well-represented in the literature [16, 57, 32].
Below we outline some queries gleaned from the literature and our
own programming experience.
6.1.1 Taint Queries
The SQL injection problem, discussed in Section 5.3 is an in-
stance of a general class of tainted data problems, where data orig-
inates at a source, is propagated via various techniques, and then
used as a sink. Many other practical security problems fall into
this class. In the Web application domain, cross-site scripting [50]
and HTTP splitting [26] attacks are two more techniques that use
unsanitized data in order to mount the attack. Below we discuss
several other applications of taint queries for security.
Unsafe manipulation of password strings. It is not uncommon
to have methods in Java APIs that take char[ ] arrays representing
passwords as a parameter. Several such functions from publicly
available APIs are listed in Table 19. Character arrays are recom-
mended over Strings as a way to reduce the window of vulnerabil-
ity; character arrays are zeroed-out after the function returns. This
way, the duration of time when the password is in memory is min-
imized, reducing the window of opportunity for a hacker combing
through memory looking for clear-text passwords [34].
However, in practice many developers using these APIs are un-
aware of this security hazard and construct password strings by
calling String.getChars(). The character array representing in-
ternals of the String remains in memory after the return result of
getChars() has been zeroed-out, thus defeating the point of pass-
ing in a char[ ] in the rst place. This security issue is another
instance of the tainted data problem: the set of sources for this taint
problem is the return results of String.getChars(); a sample set
of sinks is the password parameters of functions in Table 19.
Leaking sensitive data. Data such as user login and password or
nancial information like credit card numbers need to be protected
from unauthorized access. If this data is saved in cookies or appli-
cation logs without being properly encrypted, eavesdroppers may
be able to gain access to this potentially sensitive data. Therefore,
output sanitization that removes sensitive data is required before
saving.
Another common error pattern that involves reporting sensitive
data back to the user by showing extra information in an exception
trace [56]. It is therefore crucial to nd how data obtained from
databases propagates to output functions pertaining to le or socket
output streams or API-specic functions such as J2EE routines for
manipulating cookie data. This example too is expressed as a taint
problem similar to the queries used in Section 5.3.
javax.crypto.spec.PBEKeySpec(char[ ] password)
gnu.crypto.keyring.PasswordAuthenticatedEntry.authenticate(char[ ] password)
edu.uidaho.hummer.util.DefaultKeyStore.loadData(char[ ] password)
com.mindbright.security.keystore.PKCS12KeyStore.deriveKey(char[ ] password, ...)
Figure 19: Public API functions taking char[ ] password parameters.
6.1.2 Fault Injection
So far, all the event replacement situations we have discussed in-
volve replacing unsafe arguments with safe ones to ensure security.
One could also deliberately attempt to insert unsafe values to test
the robustness of a system. Fault injection is a testing technique
that injects unexpected data into the application in order to cause
logical or security errors and crashes [14, 15, 53, 61]. PQLs event
replacement functionality allows the user to easily describe fault
injection rules and create fully functional testing frameworks.
For example, Java applications may be compromised by passing
potentially unexpected parameters to native Java calls. There are
hundreds of native calls in public Java APIs that take Object or
array parameters. All these methods are typically implemented in C
or C++ on the platform to which the APIs are ported, thus creating
a potential for buffer overrun attacks in the native code. In the past,
fault injection attacks that pass very large arrays or null objects to
native methods have been used to successfully compromise JDK
implementations from multiple vendors [48]. These attacks often
result in the Java Virtual Machine crashing, and can also result in
obtaining root privileges if a hacker manages to craft an appropriate
array parameter.
6.2 Program Exploration
Developers beginning work on a large existing project usually
have a daunting task ahead of them. Determining how pieces of
a large system t together through code inspection is difcult and
time-consuming. PQL can be used to extract information about
how objects are actually used as the program runs. We have our-
selves used this approach when developing and testing PQL, to de-
termine if perceived program invariants actually held reliably.
6.2.1 Finding Application Entry Points
Modern middleware systems are designed to support multi-
ple user-provided components; these include plugins in Eclipse,
servlets in J2EE, and modules in Apache. In many cases, the un-
derlying structure is complex and it is often unclear in what way
the user-provided code gets called by the system. Analyzing such
modules statically, however, generally requires information on ap-
plication entry points to prime the analysis.
There are two strategies one can follow to nd this information
dynamically in PQL. One is to instrument the framework and look
for calls where the this pointer is of a type dened by the target
module, and log such information. The other is to trap calls within
the application and then examine the stack trace for where control
transfers from the framework to the application.
6.2.2 Discovering Data Validation Strategies
Most Web-based applications use some sort of a validation
scheme to prevent user-provided data from being used in the pro-
gram in unsafe ways as described in Section 5.3. Typically, user-
provided data is checked using regular expressions or encoded us-
ing URL-encoding or similar schemes. Furthermore, sometimes
data is stored or passed around in an encrypted format. PQL can
help us discover what perturbations occur to data after it has en-
tered the application. Our preliminary experiments reveal that in
many cases URL-encoding and regular expression pattern match-
ing is applied on user-provided data as a means of cleansing it.
6.2.3 Finding Instantiated Types
Java libraries frequently export only abstract types to the appli-
cation layer so that varying library implementations may be con-
nected to the same class. It is, by design, unclear precisely which
classes are actually being used in such an application. This com-
plicates many interprocedural static analyses, because they cannot
readily nd a useful call graph.
This problem is particularly pernicious in the presence of reec-
tion, because call graph information is often contained in cong-
uration les instead of the code itself. It can be convenient to
extract from runs of the program precisely which classes are be-
ing loaded reectively, and use this to construct the analysiss call
graph. In Java, the method Class.forName(String className)
is used to get an object of type Class that represents the type
named in className, and then the newInstance() method ac-
tually constructs the object. The result of this is typically then cast
to the an abstract class or interface that the application then uses
thereafter.
If one wishes to focus on instances of a specic supertype, the
query may be focused easily. For example, in the process of explor-
ing the SQL injection issue in Section 5.3, it was necessary to nd
which subclasses of java.sql.Statement were instantiated for a
given program.
7. RELATED WORK
7.1 Model Extraction
Some work has been done on automatically inferring state mod-
els on components of software systems. The Strauss system [4]
uses machine learning techniques to infer a state machine repre-
senting the proper sequence of function calls in an interface. Re-
dux [38] studies a program as it runs and builds up a tree of value
dependencies that capture the essence of the computation. Wha-
ley et al. [60] hardcode a restricted model paradigm so that proba-
ble models of object-oriented interfaces can be easily automatically
extracted. Alur et al. [3] generalize this to automatically produce
small, expressive nite state machines with respect to certain pred-
icates over an object. Lam et al. use a type system-based approach
to statically extract interfaces [28]. Their work is more concerned
with high-level system structure rather than low-level life-cycle
constraints [47]. Daikon is able to validate correlations between
values at runtime and is therefore able to validate patterns [16].
Weimer et al. use exceptional control-ow paths to guide the dis-
covery of temporal error patterns with considerable success [57];
they also provide a comparison with other existing specication
mining work. DynaMine uses CVS history mining combined with
dynamic analysis to discover good patterns and to detect pattern
violations [32].
In contrast to these, the PQL system places the burden of model
generation on the user. However, partial models may be used to
develop queries that provide information that suggests how to ex-
tend the model. With suitable actions attached to the queries, a
PQL query can be used to implement a specialized model extractor
directly.
7.2 Aspect-Oriented Programming
PQL attaches user-specied actions to subquery matches; this
capability puts PQL in the class of aspect-oriented programming
languages [25, 43]. Maya [7] and AspectJ [25] attach actions based
on syntactic properties of individual statements in the source code.
The DJ system [43] denes aspects as traversals over a graph rep-
resenting the program structure. Our system may be considered as
an aspect-oriented system that denes its aspects with respect to
the dynamic history of sets of objects. An extension of AspectJ
to include dataow pointcuts [36] has been proposed to repre-
sent a statement that receives a value from a specic source; PQL
can represent these with a two-statement query, and permits much
more complex concepts of data ow. Walker and Veggers [55] in-
troduce the concept of declarative event patterns, in which regular
expressions of traditional pointcuts are used to specify when ad-
vice should run. Allan et al. [2] extend this further by permitting
PQL-like free variables in the patterns.
The primary focus in the AspectJ extensions is in permitting a
developer to specify application development concerns very nely.
As a result, they devote a great deal of work to ensuring proper-
ties such as guarantees that memory allocated by the matching ma-
chinery will eventually be available for collection. PQL, with its
genesis focusing on detecting application errors, pays less atten-
tion to this. (For example, one of the patterns they warn against
involves paired methods across objects, because such patterns are
intrinsically leaky. This class, however, includes our lapsed listener
example.)
PQL differs from these systems in that its matching machinery
can recognize nonregular languages, and in exploiting advanced
pointer analysis to prove points irrelevant to eventual matches.
7.3 Program Defect Detection
A vast amount of work has been done in bug detection. C and
C++ code in particular is prone to buffer overrun and memory man-
agement errors; tools such as PREx [10] and Clouseau [20] are
representative examples of systems designed to nd specic classes
of bugs (pointer errors and object ownership violations respec-
tively). Dynamic systems include Purify [19], which traps heap er-
rors, and Eraser [46], which detects race conditions. Both of these
analyses have been implemented as standard uses of the Valgrind
system [39]. Many of these bug classes are outside the purview
of the PQL language at present, focusing as they do on the use of
individual pointer variables or on synchronization primitives. PQL
also targets Java, which means
Web applications carry their own set of security risks [44]. Var-
ious systems have been developed to help secure web applications.
SABER [45] is a static tool that detects a large number of common
design errors based on instantiations of a number of error pattern
templates. WebSSARI [23] and Nguyen-Tuong et al. [40] are dy-
namic systems that detects failures to validate input and output in
PHP applications. While PQL does not handle PHP, in principle
these analyses perform sequencing, type, or tainting analysis and
as such are easily amenable to representation as PQL queries di-
rectly. The latter project is suitable for tracking taintedness at a
much ner granularity. congurable to express alternate patterns.
7.4 Event-based Analysis
The queries in our system are dened with respect to a con-
ceptual abstract execution trace consisting of a stream of events.
The implications of this paradigm for debugging are covered ex-
tensively in the EBBA system [9]; later tools have expanded on the
basic concept to provide additional power. Dalek [42] is a debug-
ger that denes compound events out of simpler ones, and permits
breakpoints to occur only when a compound event has executed.
PQL follows Dalek in building its queries out of patterns of simple
events, and builds upon it by permitting the events to be recursively
(and, indeed, even mutually recursively) dened.
7.5 Other Program Query Languages
Systems like ASTLOG [13] and JQuery [24] permit patterns to
be matched against source code; Liu et al. [31] extend this con-
cept to include parametric pattern matching [6]. These systems,
however, generally check only for source-level patterns and cannot
match against widely-spaced events. A key contribution of PQL is
a pattern matcher that combines object-based parametric matching
across widely-spaced events.
Lencevicius et al. developed an interactive debugger based on
queries over the heap structure [29]. This analysis approach is or-
thogonal both to the previous systems named in this section as well
as to PQL; however, like PQL, its query language is explicitly de-
signed to resemble code in the language being debugged.
7.5.1 Partiqle
The Partiqle system [17] uses a SQL-like syntax to extract indi-
vidual elements of an execution stream. It does not directly com-
bine complex events out of smaller ones, instead placing boolean
constraints between primitive events to select them as sets directly.
Variables of primitive types are handled easily by this paradigm,
and nearly arbitrary constraints can be placed on them easily, but
strict ordering constraints require many clauses to express.
This reliance on individual predicates makes their language easy
to extend with unusual primitives; in particular, the Partiqle sys-
tem is capable of trapping events characterized by the amount of
absolute time that has passed, a capability not present in the other
systems discussed. However, like most other systems, it can still
only quantify over a nite number of variables. PQLs recursive
subquery mechanism makes it possible to specify arbitrarily long
chains of data relations.
For comparison purposes, we reproduced their StringConcats
experiment in PQL, which is the only query they performed that
operates solely on objects. The PQL query itself is a single straight-
line sequence of calls, chained together ve times; we applied the
query to a number of the SPECJVM98 benchmarks, including all
of the four that do extensive string processing. The overhead, ex-
pressed as a ratio between instrumented and uninstrumented run-
time, is given in Figure 20.
The worst-case scenario for the PQL matcher is one in which
many instances of the beginning of a pattern appear, thus produc-
ing a large number of partial matches to track. This query begins
matching any time a StringBuffer is created, which is a very
common operation. In the highest-overhead case herethe jack
benchmarka complete match occurs for every execution of the
inner loop of the code reading the input le. This loop reads a sin-
gle character each iteration, producing thousands of matches over
the course of the run.
In cases where string use is clear, amenable to static pointer
analysis, and does not contribute to matchessuch as jess and
compressstatic optimization is able to lessen overhead dramati-
cally, often to the point that overhead is lost in the instrumentation
noise.
In programs where string processing is simply rare, such as db,
no measurable cost is ever imposed.
7.6 Analysis Generators
PQL follows in a tradition of powerful tools that take small
specications and use them to automatically generate analyses.
Benchmark mtrt jess compress db jack javac
Unoptimized 1.1 2.3 1.1 1.0 19 2.7
Optimized 1.0 1.2 1.0 1.0 19 2.7
Figure 20: Overhead ratios for the string concatenation query on SPECJVM.
Metal [18] and SLIC [8] both dene state machines with respect
to variables. These machines are used to congure a static analy-
sis that searches the program for situations where error transitions
can occur. Metal restricts itself to nite state machines, but has
more exible event denitions and can handle pointers (albeit in an
unsound manner).
The Rhodium language [30] uses denitions of dataow facts
combined with temporal logic operators to permit the denition of
analyses whose correctness may be readily automatically veried.
As such, its focus is signicantly different from the other systems,
as its intent is to make it easier to directly implement correct com-
piler passes than to determine properties of or nd bugs in existing
applications. Likewise, though it is primarily intended as a vehi-
cle for predened analyses, Valgrind [39] also presents a general
technique for dynamic analyses on binaries.
7.7 Model Checkers
Model checking systems such as SPIN [21] are powerful and
widespread tools for capturing complicated program properties.
Model checkers generally operate upon abstract languages such as
Promela; the Bandera project [11] abstracts Java code into a form
amenable to SPIN and other model checkers. These systems rep-
resent queries over the models as LTL formulas on predicates
Bandera ties these predicates to expressions dened in the code
itself [12].
This paradigm does not lend itself well to direct comparison with
PQL, as the predicates implied by a PQL query relate to object
identity across statements and to the histories of those objects or
sets of objects. It is possible to consider any individual PQL query
as a temporal logic equation describing the events themselves, ex-
istentially quantied over objects on the heap. Arbitrary LTL equa-
tions on such a set of predicates would not be directly translatable
into PQL. Also, LTL-based model checkers quantify universally
over paths (ensure the specied formula holds on all paths), while
PQL quanties existentially over paths and over the heap (nd a
set of objects such that the pattern is matched over some path).
PQLs subquery mechanism permits already-determined matches
to be treated as atomic propositions for higher-level (or even re-
cursive) queries, which makes expressing many properties much
easier.
Further research by the Bandera group into the utility of LTL
for program analysis has resulted in a catalogue of specication
patterns [49]idioms in LTL that are particularly prevalent in use-
ful queriesand these idioms correspond to presence, absence, or
sequencing of individual events. These patterns are directly repre-
sentable in PQL via the use of nothing more than the sequencing
operator and match exclusion.
Thus, PQLs language can be viewed as complementary to LTL-
based systems: both are capable of expressing the natural practi-
cal queries for application programs, but the underlying concepts
are different (LTLs concept of predicates changing truth values
over time compared to PQLs concept of objects evolving through
various states with time) and each system thus generalizes into dif-
ferent sets of applications.
8. CONCLUSIONS
We have presented a new language called PQL, with which users
can pose application-specic questions about events patterns at run-
time. The language is intuitive to use by application developers and
provides a bridge to powerful analysis techniques.
We systematically convert PQL queries into efcient online
checkers by using a combination of static and dynamic techniques.
In so doing, we demonstrate an application for pointer analysis in
bug-nding in which the soundness of the analysis is critical.
Using PQL, we have found numerous previously unknown se-
curity vulnerabilities and resource leaks in large open-source Java
applications. Our experience suggests that the synergistic combi-
nation of static and dynamic checking is a powerful one. Static
analysis can nd all potential errors in some of the cases; in oth-
ers, it can prove that the pattern will never match. In more difcult
cases, dynamic monitoring can guarantee that applications can trap
any instance of a certain class of errors. Static analysis is also useful
here for reducing dynamic analysis overhead. With static optimiza-
tions, we have found dynamic checking to often have a low enough
overhead to be incorporated in production code.
9. REFERENCES
[1] A. V. Aho, R. Sethi, and J. D. Ullman. Compilers:
Principles, Techniques, and Tools. Addison-Wesley, 1988.
[2] C. Allan, P. Augustinov, A. S. Christensen, L. Hendren,
S. Kuzins, O. Lhot ak, O. de Moor, D. Sereni,
G. Sittampalam, and J. Tibble. Adding Trace Matching with
Free Variables to AspectJ. In OOPSLA 05: Proceedings of
the 20th ACM SIGPLAN Conference on Object-Oriented
Programming, Systems, Languages, and Applications, 2005.
[3] R. Alur, P.

Cern y, P. Madhusudan, and W. Nam. Synthesis of
Interface Specications for Java Classes. In POPL 05:
Proceedings of the 32nd ACM SIGPLAN-SIGACT
Symposium on Principles of Programming Languages, pages
98109, 2005.
[4] G. Ammons, R. Bodik, and J. Larus. Mining Specications.
In Proceedings of the 29th ACM Symposium on Principles of
Programming Languages, pages 416, 2002.
[5] C. Anley. Advanced SQL Injection in SQL Server
Applications, 2002.
[6] B. S. Baker. Parameterized Pattern Matching by
Boyer-Moore Type Algorithms. In Proceedings of the Sixth
Annual ACM-SIAM Symposium on Discrete Algorithms,
pages 541550, 1995.
[7] J. Baker and W. C. Hsieh. Runtime Aspect Weaving Through
Metaprogramming. In Proceedings of the First International
Conference on Aspect-Oriented Software Development,
2002.
[8] T. Ball and S. Rajamani. SLIC: A Specication Language for
Interface Checking (of C). Technical Report
MSR-TR-2001-21, Microsoft Research, January 2002.
[9] P. Bates. Debugging Heterogeneous Distributed Systems
Using Event-Based Models of Behavior. In Proceedings of
the 1988 ACM SIGPLAN and SIGOPS workshop on Parallel
and Distributed Debugging, pages 1122, 1988.
[10] W. R. Bush, J. D. Pincus, and D. J. Sielaff. A Static Analyzer
for Finding Dynamic Programming Errors. Software -
Practice and Experience (SPE), 30:775802, 2000.
[11] J. C. Corbett, M. B. Dwyer, J. Hatcliff, S. Laubach, C. S.
P as areanu, Robby, and H. Zheng. Bandera: Extracting
Finite-State Models from Java Source Code. In ICSE 00:
Proceedings of the 22nd International Conference on
Software Engineering, pages 439448, 2000.
[12] J. C. Corbett, M. B. Dwyer, J. Hatcliff, and Robby. A
Language Framework for Expressing Checkable Properties
of Dynamic Software. In SPIN 00: Proceedings of the 7th
SPIN Workshop, pages 205223, 2000.
[13] R. F. Crew. ASTLOG: A Language for Examining Abstract
Syntax Trees. In Proceedings of the USENIX Conference on
Domain-Specic Languages, pages 229242, 1997.
[14] W. Du and A. P. Mathur. Vulnerability Testing of Software
System Using Fault Injection. Technical report, COAST,
Purdue University, West Lafayette, IN, US, April 1998.
[15] W. Du and A. P. Mathur. Testing for Software Vulnerability
Using Environment Perturbation. In Proceedings of the
International Conference on Dependable Systems and
Networks (DSN 2000), Workshop On Dependability Versus
Malicious Faults, pages 603612, New York City, NY, June
2000.
[16] M. D. Ernst, A. Czeisler, W. G. Griswold, and D. Notkin.
Quickly Detecting Relevant Program Invariants. In ICSE
2000, Proceedings of the 22nd International Conference on
Software Engineering, pages 449458, Limerick, Ireland,
June 79, 2000.
[17] S. Goldsmith, R. OCallahan, and A. Aiken. Relational
Queries Over Program Traces. In Proceedings of the ACM
SIGPLAN 2005 Conference on Object-Oriented
Programming, Systems, Languages, and Applications
(OOPSLA), 2005.
[18] S. Hallem, B. Chelf, Y. Xie, and D. Engler. A System and
Language for Building System-Specic, Static Analyses. In
Proceedings of the ACM SIGPLAN 2002 Conference on
Programming Language Design and Implementation (PLDI),
pages 6982, 2002.
[19] R. Hastings and B. Joyce. Purify: Fast Detection of Memory
Leaks and Access Errors. In Proceedings of the Winter
USENIX Conference, pages 125136, December 1992.
[20] D. Heine and M. S. Lam. A Practical Flow-Sensitive and
Context-Sensitive C and C++ Memory Leak Detector. In
Proceedings of the ACM SIGPLAN 2003 Conference on
Programming Language Design and Implementation (PLDI),
pages 168181, 2003.
[21] G. J. Holzmann. The Model Checker SPIN. Software
Engineering, 23(5):279295, 1997.
[22] D. Hovemeyer and W. Pugh. Finding Bugs is Easy. In
Proceedings of the Onward! Track of the ACM Conference
on Object-Oriented Programming, Systems, Languages, and
Applications (OOPSLA), 2004.
[23] Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and
S.-Y. Kuo. Securing Web Application Code by Static
Analysis and Runtime Protection. In Proceedings of the 13th
Conference on the World Wide Web, pages 4052, 2004.
[24] D. Janzen and K. de Volder. Navigating and Querying Code
Without Getting Lost. In Proceedings of the 2nd Annual
Conference on Aspect-Oriented Software Development
(AOSD), pages 178187, 2003.
[25] G. Kiczales, E. Hilsdale, J. Hugunin, M. Kersten, J. Palm,
and W. G. Griswold. An Overview of AspectJ. Lecture Notes
in Computer Science, 2072:327355, 2001.
[26] A. Klein. Divide and Conquer: HTTP Response Splitting,
Web Cache Poisoning Attacks, and Related Topics. http:
//www.packetstormsecurity.org/papers/
general/whitepaper httpresponse.pdf, 2004.
[27] S. Kost. An Introduction to SQL Injection Attacks for Oracle
Developers, 2004.
[28] P. Lam and M. Rinard. A Type System and Analysis for the
Automatic Extraction and Enforcement of Design
Information. In Proceedings of the 17th European
Conference on Object-Oriented Programming, pages
275302, Darmstadt, Germany, July 2003.
[29] R. Lencevicius, U. H olzle, and A. K. Singh. Query-Based
Debugging of Object-Oriented Programs. In OOPSLA 97:
Proceedings of the 12th ACM SIGPLAN Conference on
Object-Oriented Programming, Systems, Languages, and
Applications, pages 304317, New York, NY, USA, 1997.
ACM Press.
[30] S. Lerner, T. Millstein, E. Rice, and C. Chambers.
Automated Soundness Proofs for Dataow Analyses and
Transformations Via Local Rules. In POPL 05:
Proceedings of the 32nd ACM SIGPLAN-SIGACT
Symposium on Principles of Programming Languages, pages
364377, 2005.
[31] Y. A. Liu, T. Rothamel, F. Yu, S. D. Stoller, and N. Hu.
Parametric Regular Path Queries. In Proceedings of the ACM
SIGPLAN 2004 Conference on Programming Language
Design and Implementation (PLDI), pages 219230, 2004.
[32] B. Livshits and T. Zimmermann. DynaMine: A Framework
for Finding Common Bugs by Mining Software Revision
Histories. In Proceedings of the ACM SIGSOFT 2005
Symposium on the Foundations of Software Engineering
(FSE), Sept. 2005.
[33] V. B. Livshits and M. S. Lam. Finding Security Errors in
Java Programs with Static Analysis. In Proceedings of the
14th Usenix Security Symposium, Aug. 2005.
[34] Q. H. Mahmoud. Password Masking in the Java
Programming Language.
http://java.sun.com/developer/
technicalArticles/Security/pwordmask/, July
2004.
[35] F.-M. S. mailing list. Vulnerability Scanner for SQL
injection.
http://www.derkeiler.com/Mailing-Lists/
securityfocus/focus-ms/2003-09/0110.html,
2003.
[36] H. Masuhara and K. Kawauchi. Dataow Pointcut in
Aspect-Oriented Programming. In APLAS03 - the First
Asian Symposium on Programming Languages and Systems,
pages 105121, 2003.
[37] Netcontinuum, Inc. Web Application Firewall: How
NetContinuum Stops the 21 Classes of Web Application
Threats. http://www.netcontinuum.com/
products/whitePapers/getPDF.cfm?n=
NC WhitePaper WebFirewall.pdf, 2004.
[38] N. Nethercote and A. Mycroft. Redux: A Dynamic Dataow
Tracer. In O. Sokolsky and M. Viswanathan, editors,
Electronic Notes in Theoretical Computer Science,
volume 89. Elsevier, 2003.
[39] N. Nethercote and J. Seward. Valgrind: A Program
Supervision Framework. In O. Sokolsky and
M. Viswanathan, editors, Electronic Notes in Theoretical
Computer Science, volume 89. Elsevier, 2003.
[40] A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and
D. Evans. Automatically Hardening Web Applications Using
Precise Tainting. In Proceedings of the 20th IFIP
International Information Security Conference, 2005.
[41] S. Northover and M. Wilson. SWT : The Standard Widget
Toolkit, Volume 1. Addison-Wesley Professional, 2004.
[42] R. A. Olsson, R. H. Cawford, and W. W. Ho. A Dataow
Approach to Event-Based Debugging. Software - Practice
and Experience, 21(2):209230, 1991.
[43] D. Orleans and K. Lieberherr. DJ: Dynamic Adaptive
Programming in Java. In Reection 2001: Meta-level
Architectures and Separation of Crosscutting Concerns ,
Kyoto, Japan, September 2001. Springer Verlag. 8 pages.
[44] OWASP. Ten Most Critical Web Application Security
Vulnerabilities, 2004.
[45] D. Reimer, E. Schonberg, K. Srinivas, H. Srinivasan,
B. Alpern, R. D. Johnson, A. Kershenbaum, and L. Koved.
SABER: Smart Analysis Based Error Reduction. In
Proceedings of International Symposium on Software Testing
and Analysis, 2004.
[46] S. Savage, M. Burrows, G. Nelson, P. Sobalvarro, and
T. Anderson. Eraser: A Dynamic Data Race Detector for
Multithreaded Programs. ACM Trans. Comput. Syst.,
15(4):391411, 1997.
[47] S. R. Schach. Object-Oriented and Classical Software
Engineering. McGraw-Hill Science/Engineering/Math, 2004.
[48] M. Schonefeld. Hunting Flaws in JDK. In Blackhat Europe,
2003.
[49] http://patterns.projects.cis.ksu.edu/.
[50] K. Spett. Cross-Site Scripting: Are Your Web Applications
Vulnerable.
http://www.spidynamics.com/support/
whitepapers/SPIcross-sitescripting.pdf,
2002.
[51] B. A. Tate. Bitter Java. Manning Publications Co., 2002.
[52] M. Vernon. Top Five Threats. ComputerWeekly.com
(http://www.computerweekly.com/Article129980.htm), April
2004.
[53] J. Voas and G. McGraw. Software Fault Injection:
Innoculating Programs Against Errors. John Wiley and
Sons, 1997.
[54] D. Wagner, J. Foster, E. Brewer, and A. Aiken. A First Step
Towards Automated Detection of Buffer Overrun
Vulnerabilities. In Proceedings of Network and Distributed
Systems Security Symposium, pages 317, 2000.
[55] R. J. Walker and K. Viggers. Implementing Protocols Via
Declarative Event Patterns. In SIGSOFT 04/FSE-12:
Proceedings of the 12th ACM SIGSOFT International
Symposium on Foundations of Software Engineering, pages
159169, New York, NY, USA, 2004. ACM Press.
[56] Web Application Security Consortium. Threat Classication.
http:
//www.webappsec.org/tc/WASC-TC-v1 0.pdf,
2004.
[57] W. Weimer and G. Necula. Mining Temporal Specications
for Error Detection. In Proceedings of the 11th International
Conference on Tools and Algorithms For The Construction
And Analysis Of Systems, pages 461476, Apr. 2005.
[58] W. Weimer and G. C. Necula. Finding and Preventing
Run-Time Error Handling Mistakes. In 19th Annual ACM
Conference on Object-Oriented Programming, Systems,
Languages, and Applications (OOPSLA 04), Oct. 2004.
[59] J. Whaley and M. S. Lam. Cloning-Based Context-Sensitive
Pointer Alias Analysis Using Binary Decision Diagrams. In
Proceedings of the ACM SIGPLAN 2004 Conference on
Programming Language Design and Implementation (PLDI),
2004.
[60] J. Whaley, M. Martin, and M. S. Lam. Automatic Extraction
of Object-Oriented Component Interfaces. In Proceedings of
the International Symposium of Software Testing and
Analysis, pages 218228, 2002.
[61] J. A. Whittaker and H. H. Thompson. How to Break Software
Security. Addison Wesley, 2003.
[62] Y. Xie and A. Aiken. Scalable Error Detection Using
Boolean Satisability. In Proceedings of the 32nd ACM
Symposium on Principles of Programming Languages, 2005.