In this lecture, Dr. Marco Pistoia and Dr. Julian Dolby will cover Program Analysis for Security (approximately 2 hours) as well as their static-analysis engine, WALA, and its applications (approximately 1 hour).

Special Lecture: Program Analysis for Access Control and WALA
Date: 29th, Aug. 2007
Time: 13:00-16:00
Meeting Place: Meeting Room 1 on 20F at NII

TITLE: Program Analysis for Access Control and Information Flow
SPEAKER: Dr. Marco Pistoia

ABSTRACT: Security is a critical application of program analysis. Static and dynamic analysis have successfully been applied to different security contexts, for example to guarantee that an application does not run with too many access rights (a violation of the Principle of Least Privilege) or too few access rights (a stability problem, which can lead to run-time authorization failures and potential program termination). Enforcing the Principle of Least Privilege is a critical problem when it comes to Web applications, which are particularly vulnerable to active attackers (attackers that can modify parts of the code). This talk discusses how to use program analysis for automatic determination of access control policies for component-based programs, automatic identification of access-control policy inconsistencies, and automatic information-flow-policy inference. This talk focuses on traditional access control as well as Role-Based Access Control.

BIOGRAPHY: Marco Pistoia, Ph.D. has worked for IBM Corporation since 1996 and is currently a Research Staff Member in the Programming Languages and Software Engineering Department at the IBM Thomas J. Watson Research Center in Hawthorne, New York, where he has worked since 1999. He has written ten books, filed seventeen patents, and published numerous papers and journal articles on various aspects of program analysis and language-based security. Most recently, he has published his Ph.D. thesis, and has been the lead author of the books "Enterprise Java Security", published by Addison-Wesley in 2004 (and now available in Chinese), and "Java 2 Network Security", published by Prentice Hall PTR in 1999. He has published and presented at numerous conferences worldwide, including OOPSLA, ECOOP, the IEEE Symposium on Security and Privacy, ICSE, and ISSTA, and has been invited to lecture at several research institutions worldwide, including Harvard University (Cambridge, Massachusetts) and Ecole Normale Superieure (Paris, France). In July 2007, he received an ACM SIGSOFT Distinguished Paper Award.

===================================================

TITLE: A Tour of WALA and its Applications
SPEAKER: Dr. Julian Dolby

ABSTRACT: In this talk, I shall present the Watson Libraries for Analysis (WALA), and provide a tour of the range of functionality it provides. This includes state-of-the-art interprocedural analyses---such as pointer analysis and call graph construction---which already exist for multiple languages (Java, JavaScript, PHP) and are designed to be reusable across new languages as well. These analyses are built on an internal representation (IR) based on SSA form and designed to be extended for new languages. WALA also includes a range of building blocks for analysis, such as both fixpoint and IFDS dataflow solvers and control-dependence graphs and dominator computation. These are all built on a library of efficient underlying data structures, such as bit vectors, graphs and collections. I shall provide a high-level overview of these features, and touch on some of the projects currently using them.

BIOGRAPHY: Julian Dolby, Ph.D., has worked at the IBM Thomas J. Watson Research Center since 2000, where he currently works on language design, program analysis and ontologies. Past projects include the Jikes Research Virtual Machine, and current projects include the SHER scalable ontology reasoner and the WALA program analysis infrastructure. Recent co-authored papers include "Declarative Object Identity Using Relation Types" at ECOOP 2007, "Scalable Semantic Retrieval Through Summarization and Refinement" at AAAI 2007, and "Finding Bugs Efficiently with a SAT Solver" at FSE 2007.