Monday November 3, 2003, 10:30-11:30, 4760 Boelter Hall. Beyond Code Generation: using compiler technology for security and software defect identification Larry Koved IBM T.J. Watson Research Center Compiler and optimization technology has a rich history. Traditional use of the technology has been for code generation through a variety of intra- and inter-procedural code analyses. We have been exploring the use of the same basic techniques to address hard problems in security and software defect identification. A number of factors make the analysis problems more challenging. A significant trend in software development is the reuse of components -- from libraries to entire applications. Often the source code for these components is not available. The size and complexity of the software to be analyzed can be quite large, making the analysis even more challenging. This talk will give a high level overview of two of our projects that use whole program control and data flow analyses: We have been developing a variety of security analyses of Java applications (e.g., servlets, applets, applications). For example, one of the most difficult challenges for an application developer or system administrator is identifying the security authorization requirements of Java applications ("Permissions" to grant the application). The traditional approach is either to turn off security or to run test cases to observe authorization failures and add the required Permissions to the authorization database until the application no longer fails. This talk describes a better approach that automatically computes the authorization policy for an application. Another project, called SABER, uses whole program analysis to identify coding defects in application code. Saber identifies code that may result in performance problems, outright failure of an application, or violates "best practices" (coding conventions). For example, a performance problem may result when an application uses a class or method that is known to result in poor performance when used in a particular context (e.g., calling the garbage collector during garbage collection). This talk will give an overview of the types of defects that SABER can discover. About the speaker: Larry Koved is a Research Staff Member in the Security, Privacy and Cryptography department at the T.J. Watson Research Center in Hawthorne, New York. His current interests include software engineering and its application to developing and maintaining secure software and systems. Host: Jens Palsberg