Language-Based Security Reading Group

The weekly reading group meeting of the security subgroup of the Software Technology Group at TU Darmstadt. Research areas include both analytical and constructive approaches to software security on a language level.

Topics include:

  • Vulnerability Detection using Static Analysis
  • Risk Assessment of Software Libraries
  • Security Guarantees in Type Systems
  • In-lined Reference Monitors
  • Automatic Identification of Access-control and Information-flow Violations
  • Designing and implementing new programming languages that incorporate security features


We are open to fellow researchers, students and other enthusiasts. Please subscribe to our mailing list.

Next meetings

July 5th, 2016 Copy and Paste Redeemed
by Krishna Narasimhan and Christoph Reichenbach
from ASE 2015
July 12th, 2016 Internal paper reading group
submitted to CCS 2016

Past meetings

June 28th, 2016 To Pin or Not to Pin: Helping App Developers Bullet Proof Their TLS Connections
by Marten Oltrogge, Yasemin Acar, Sergej Dechand, Matthew Smith, and Sascha Fahl
from USENIX 2015
June 21st, 2016 A User-guided Approach To Program Analysis
by Ravi Mangal, Xin Zhang, Aditya V. Nori, and Mayur Naik
from ESEC/FSE 2015
June 7th, 2016 Interprocedural Analysis for Privileged Code Placement and Tainted Variable Detection
by Marco Pistoia, Robert J. Flynn, Larry Koved, and Vugranam C. Sreedhar
from ECOOP 2005
May 31st, 2016 More Sound Static Handling of Java Reflection
by Yannis Smaragdakis, George Balatsouras, George Kastrinis, and Martin Bravenboer
from Proceedings of the 13th Asian Symposium, APLAS 2015, Pohang, South Korea, November 30 - December 2, 2015
May 17th, 2016 Security Applications of Formal Language Theory
by Len Sassaman, Meredith L. Patterson, Sergey Bratus, and Michael E. Locasto
from IEEE Systems Journal (Volume 7, Issue 3), 2013
February 23rd, 2016 Verifiable Functional Purity in Java
by Matthew Finifter, Adrian Mettler, Naveen Sastry, and David Wagner
from CCS 2008
February 16th, 2016 Analyzing the State of Static Analysis: A Large-Scale Evaluation in Open Source Software
by Moritz Beller, Radjino Bholanath, Shane McIntosh, and Andy Zaidman
from SANER 2016
February 9th, 2016 Purity and Side Effect Analysis for Java Programs
by Alexandru D. Sălcianu and Martin C. Rinard
from VMCAI 2005
February 3rd, 2016 Combining type-analysis with points-to analysis for analyzing Java library source-code
by Nicholas Allen, Padmanabhan Krishnan, and Bernhard Scholz
from SOAP 2015
January 26th, 2016 vfGuard: Strict Protection for Virtual Function Calls in COTS C++ Binaries
by Aravind Prakash, Xunchao Hu, and Heng Yin
from NDSS 2015
January 19th, 2016 Control-Flow Bending: On the Effectiveness of Control-Flow Integrity
by Nicolas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R. Gross
from USENIX Security Symposium 2015
December 15th, 2015 Undecidability of context-sensitive data-dependence analysis
by Thomas Reps
in TOPLAS Volume 22 Issue 1 (Jan 2000)
December 8th, 2015 Evaluating the Flexibility of the Java Sandbox
by Zack Coker, Michael Maass, Tianyuan Ding, Claire Le Goues, and Joshua Sunshine
from ACSAC 2015
December 1st, 2015 A survey of static analysis methods for identifying security vulnerabilities in software systems
by M. Pistoia, S. Chandra, S. J. Fink, and E. Yahav
in IBM Systems Journal Vol 46, No 2, 2007
November 17th, 2015 Dimensions of Precision in Reference Analysis of Object-oriented Programming Languages
by Barbara G. Ryder
CC 2013
November 10th, 2015 Access Control to Reflection with Object Ownership
by Camille Teruel, Stéphane Ducasse, Damien Cassou, and Marcus Denker
DLS 2015
November 3rd, 2015 Detecting Repackaged Smartphone Applications in Third-Party Android Marketplaces
by Wu Zhou, Yajin Zhou, Xuxian Jiang, and Peng Ning
October 27th, 2015

Internal paper reading group
submitted to ICSE 2015

October 22nd, 2015 VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assist Code Audits
by Henning Perl, Sergej Dechand, Matthew Smith, Daniel Arp, Fabian Yamaguchi, Konrad Rieck, Sascha Fahl, and Yasemin Acar
CCS 2015
October 13rd, 2015 Precise identification of side-effect-free methods in Java
by Atanas Rountev
ICSM 2004
October 6th, 2015 Predicting Program Properties from "Big Code"
by Veselin Raychev, Martin Vechev, and Andreas Krause
POPL 2015
September 22nd, 2015 Giga-Scale Exhaustive Points-To Analysis for Java in Under a Minute
by Jens Dietrich, Nicolas Hollingum, and Bernhard Scholz
September 15th, 2015 Use at Your Own Risk: The Java Unsafe API in the Wild
by Luis Mastrangelo, Luca Ponzanelli, Andrea Mocci, Michele Lanza, Matthias Hauswirth, and Nathaniel Nystrom
September 8th, 2015 Suggesting Accurate Method and Class Name
by Militadis Allamanis, Earl T. Barr, Christian Bird, and Charles Sutton
FSE 2015
August 4th, 2015 Combining static and dynamic data flow analysis: a hybrid approach for detecting data leaks in java applications
by Mongiovi, Giannone, Fornaia, Pappalardo, and Tramontana
SAC 2015
July 28th, 2015 Escape Analysis for Java
by Jong-Deok Choi, Manish Gupta, Mauricio Serrano, Vugranam C. Sreedhar, and Sam Midkiff
July 7th, 2015 Encapsulating objects with confined types
by Christian Grothoff, Jens Palsberg, and Jan Vitek
June 30th, 2015 Lightweight generics in embedded systems through static analysis
by Olivier Sallenave and Roland Ducournau
LCTES 2012
June 23rd, 2015 Constructing Call Graphs of Scala Programs
by Karim Ali, Marianna Rapoport, Ondřej Lhoták, Julian Dolby, and Frank Tip
ECOOP 2014
June 16th, 2015 Practical Virtual Method Call Resolution for Java
Vijay Sundaresan, Laurie Hendren, Chrislain Razafimahefa, Raja Vallée-Rai, Patrick Lam, Etienne Gagnon and Charles Godin
June 9th, 2015 Scalable propagation-based call graph construction algorithms
by Frank Tip and Jens Palsberg
June 2nd, 2015 Application-Only Call Graph Construction
by Karim Ali and Ondřej Lhoták
ECOOP 2012
May 12th, 2015 Quantitative Interprocedural Analysis
by Krishnendu Chatterjee, Andreas Pavlogiannis, and Yaron Velner
POPL 2015
April 28th, 2015 The Devil is in the Constants: Bypassing Defenses in Browser JIT Engines
by Michalis Athanasakis, Elias Athanasopoulos, Michalis Polychronakis, Georgios Portokalidis, and Sotiris Ioannidis
NDSS 2015
April 21st, 2015 JMD: A Hybrid Approach for Detecting Java Malware
by Adrian Herrera and Ben Cheney
AISC 2015
April 14th, 2015 ZOZZLE: Fast and Precise In-Browser JavaScript Malware Detection
by Charlie Curtsinger, Benjamin Livshits, Benjamin Zorn, Christian Seifert
March 31st, 2015 Demand-driven context-sensitive alias analysis for Java
by Dacong Yan, Guoqing Xu, and Atanas Rountev
ISSTA 2011
March 24th, 2015 Automating Information Flow Analysis of Low Level Code
by Musard Balliu, Mads Dam, and Roberto Guanciale
CCS 2014
February 17th, 2015 Mind your Language(s) - A discussion about languages and security (Long Version)
by Eric Jaeger, Olivier Levillain, and Pierre Chifflier
February 3rd, 2015 Field-sensitive Function Pointer Analysis Using Field Propagation for State Graph Extraction
by Bo Huang, Xiang Ling, and Guoqing Wu
January 27th, 2015 Static Detection of Second-Order Vulnerabilities in Web Applications
by Johannes Dahse and Thorsten Holz
January 13th, 2015 Program analysis for secure big data processing
by Julian James Stephen, Savvas Savvides, Russell Seidel, and Patrick Eugster
December 9th, 2014 ORBS: Language-Independent Program Slicing
by David Binkley, Nicolas Gold, Mark Harman, Syed Islam, Jens Krinke, and Shin Yoo
December 2nd, 2014 ALETHEIA: Improving the Usability of Static Security Analysis
by Omer Tripp, Salvatore Guarnieri, Marco Pistoia, and Alexandr Aravkin
October 28th, 2014 A Static Analysis Framework For Detecting SQL Injection Vulnerabilities
by Xiang Fu, Xin Lu, Boris Peltsverger, Shijun Chen, Kai Qian, and Lixin Tao
October 21st, 2014 Proving Termination and Memory Safety for Programs with Pointer Arithmetic
by Thomas Ströder, Jürgen Giesl, Marc Brockschmidt, Florian Frohn, Carsten Fuhs, Jera Hensel, and Peter Schneider-Kamp
October 14th, 2014 Language-Based Architectural Control
by Jonathan Aldrich, Cyrus Omar, Alex Potanin and Du Li
October 7th, 2014 A conservative algorithm for computing the flow of permissions in Java programs
by Gleb Naumovich
July 29th, 2014 Declarative Policies for Capability Control
by Christos Dimoulas, Scott Moore, Aslan Askarov, and Stephen Chong
July 8th, 2014 Program analysis as constraint solving
by Sumit Gulwani, Saurabh Srivastava, and Ramarathnam Venkatesan
June 24th, 2014 Verifying the Safety of User Pointers Using Static Typing
by Etienne Millon, Emmanuel Chailloux, and Sarah Zennou
May 27th, 2014 ILEA: Inter-Language Analysis across Java and C
by Gang Tan and Greg Morrisett
May 13th, 2014 Java Bytecode Verification: An Overview
by Xavier Leroy
April 29th, 2014 Bringing java's wild native world under control
by Mengtao Sun, Gang Tan, Joseph Siefers, Bin Zeng and Greg Morrisett
April 14th, 2014 Language-based information-flow security
by Andrei Sabelfeld and Andrew C. Myers