[Soot-list] Incomplete Call Graph for Web Application

Bernhard Berger berber at tzi.de
Thu Dec 13 08:15:59 EST 2012 

Hi Marc-André,

I did not release it, yet. My goal is to finish the publication in the next two to three months. Afterwards I wanted to publish the code. The current problem is the lack of automation of the code since I have not found a way to determine automatically which preprocessing steps have to be done. Maybe we can exchange some information offline or find a way to collaborate.

Bernhard

Am 13.12.2012 um 11:46 schrieb Marc-Andre Laverdiere-Papineau <marc-andre.laverdiere-papineau at polymtl.ca>:

> Hello,
> 
> Thanks for sharing. Since my PhD research is all about analyzing JEE 
> webapps, I take a lot of interest when people tell me what challenges 
> they are facing. And what solutions they found.
> 
> I found the same lot of challenges when I was preparing my to-do list. 
> My thinking is along the same lines as yours, actually.
> 
> So you are using program transformations to convert the program to a 
> saner form. I started coding that and I'm barely scratching the surface. 
> Its a couple months of work just to get started... so that brings me to 
> the logical question:
> 
> Have you released that code yet?  :D
> 
> 
> Marc-André Laverdière-Papineau
> Doctorant - PhD Candidate
> 
> On 12-12-13 04:09 PM, Bernhard Berger wrote:
>> Hi,
>> 
>> I've analyzed JEE applications (Java 5 and Java 1.4) and some Android applications -which have similar problems- in the past and currently writing down the results to publish them. For enterprise systems there are different hurdles to take. If you have a Web-Frontend you have to deal with Java Servlets and their special life cycle. There you have to take JSP into account, too (some sort of precompiling is necessary since they may contain normal Java code). In the next step you have to connect the front end with the business logic (aka session beans), having their own life cycles. Depending on the JEE version this is quite challenging (for older versions there is no dependency between the implementation and the interface). Furthermore, you have to look for the additional container magic, such as dependency injection, pooling, security mechanisms, interceptors and so forth.
>> During my recent work I created some kind of app-specific container abstraction to allow soot (and other frameworks) to analyze the code and to measure the effects to the call graph and analyses results. In contrast to Marc-Andrés suggestion it is done in a preprocessing step, containing different static analysis to extract all necessary facts, to generate a modified version of the app containing the container model.
>> 
>> Regards,
>> 
>> Bernhard

More information about the Soot-list mailing list