Toward Automated Detection of Logic Vulnerabilities in Web Applications
Abstract
Cited by 6 (0 self)
Web applications are the most common way to make services and data available on the Internet. Unfortunately, with the increase in the number and complexity of these applications, there has also been an increase in the number and complexity of vulnerabilities. Current techniques to identify security problems in web applications have mostly focused on input validation flaws, such as cross-site scripting and SQL injection, with much less attention devoted to application logic vulnerabilities. Application logic vulnerabilities are an important class of defects that are the result of faulty application logic. These vulnerabilities are specific to the functionality of particular web applications, and, thus, they are extremely difficult to characterize and identify. In this paper, we propose a first step toward the automated detection of application logic vulnerabilities. To this end, we first use dynamic analysis and observe the normal operation of a web application to infer a simple set of behavioral specifications. Then, leveraging the knowledge about the typical execution paradigm of web applications, we filter the learned specifications to reduce false positives, and we use model checking over symbolic input to identify program paths that are likely to violate these specifications under specific conditions, indicating the presence of a certain type of web application logic flaws. We developed a tool, called Waler, based on our ideas, and we applied it to a number of web applications, finding previously-unknown logic vulnerabilities.
Breadcrumbs: Efficient Context Sensitivity for Dynamic Bug Detection Analyses ∗
Abstract
Cited by 3 (2 self)
Calling context—the set of active methods on the stack—is critical for understanding the dynamic behavior of large programs. Dynamic program analysis tools, however, are almost exclusively context-insensitive because of the prohibitive cost of representing calling contexts at run time. Deployable dynamic analyses, in particular, are limited to reporting only static program locations. This paper presents Breadcrumbs, an efficient technique for recording and reporting dynamic calling contexts. It builds on an existing technique for computing a compact (one word) encoding of each calling context that client analyses can use in place of a program location. The key feature of our system is a search algorithm that can reconstruct a calling context from its encoding using only a static call graph and a small amount of dynamic information collected in cold methods. Breadcrumbs requires no offline training or program modifications, and handles all language features, including dynamic class loading. On average, it adds 10% to 20% overhead to existing dynamic analyses, depending on how much additional information it collects: more information slows down execution, but improves the decoding algorithm. We use Breadcrumbs to add context sensitivity to two dynamic analyses: a race detector and an analysis that identifies the origins of null pointer exceptions. Our system can reconstruct nearly all of the contexts for the reported bugs in a few seconds. These calling contexts are non-trivial, and they significantly improve both the precision of the analyses and the quality of the bug reports.
Research Statement
Abstract
I am excited by the challenge of making software significantly more reliable, scalable, and secure than it is today and thus helping achieve advances in areas such as science, education, health, and energy. I have focused on the problem of software bugs, which cause errors that cost billions of dollars annually and sometimes result in injury or death. These bugs are pervasive in modern software, which is only becoming more complex as developers add features, integrate components, and write concurrent software. State-of-the-art testing, static analysis, and modern language features eliminate some but not all bugs. In particular, thorough in-house testing cannot test all possible environments, configurations, and thread interleavings. Deployed software thus contains bugs that are hard to reproduce, find, and fix. Deployed systems need support for improving reliability in order to achieve highly robust software. My interests lie in solving these problems with programming languages and runtime systems. I focus on building analyses and systems that help developers and users make software more reliable and effective. I am particularly interested in approaches that are lightweight and flexible enough to run alongside deployed systems and that provide rigorous guarantees about accuracy and performance. My dissertation work introduces broadly applicable techniques that help developers find and fix bugs in deployed systems and help users by automatically tolerating the effects of errors. Two significant contributions are (1) efficient techniques that add context sensitivity to a broad set of analyses for reliability and security (first section below), and (2) an automatic approach for minimizing the effects of programmers’

