VUB | SOFT
You are here: Home \ Partners \ VUB | SOFT

I. Description of  VUB/SOFT

The Software Languages Lab of the Vrije Universiteit Brussel (VUB/SOFT) originates from the 2009 merger of the Programming Technology Lab with the Systems and Software Engineering Lab, each founded in 1987.

The Software Languages Lab is currently headed by Prof. Dr. Theo D’Hondt, Prof. Dr. Viviane Jonckers, Prof. Dr. Wolfgang De Meuter, Prof. Dr. Elisa Gonzalez Boix, and Prof. Dr. Coen De Roover. Broadly speaking, the lab is active in the design, implementation and application of better languages to support the software engineering life cycle. This includes programming languages, formal languages, meta languages, modeling languages, etc.

The Software Languages Lab covers all themes in the corresponding research spectrum, including:

  • design of languages (e.g., support for advanced modularity, distribution, etc.)
  • efficient implementation of languages (e.g., virtual machines, parallel execution, etc.)
  • application domains of languages (e.g., cloud-based and mobile software, meta-level programming, etc.)
  • tool support for languages (e.g., bug detection tools, refactoring tools, etc.)
  • formal study of languages (e.g., type systems, static analysis, etc.)

Over the years, VUB/SOFT has grown to an internationally acclaimed research group with expertise in programming language design and software engineering. Testament to this expertise is its track record of successful fundamental (FWO), strategic basic (IWT-SBO and Innoviris) and European research funding. Over 40 PhDs and a multitude of high-end publications at international conferences and in international journals have resulted. The team itself has organized multiple conferences such as AOSD and ECOOP in the past. It has also active collaborations with other universities and research labs; within Belgium and in France, Germany, Switzerland, the United Kingdom, the United States, and several Latin-American countries.

II. Key persons in the project

Prof. Dr. Elisa Gonzalez Boix is a full-time professor at the Software Languages Lab (SOFT) of the VUB. She has expertise in the design and application of meta-level interfaces for distributed programming languages and software tools like debuggers and dynamic program analysis tooling. She has published over 40 peer-reviewed papers in top conferences and internationally renowned journals, and regularly serves on PC of top conferences such as OOPSLA 2017, DLS 2016, 2017 and COORDINATION 2019. She has also chaired events like Onward! 2018 Papers conference co-located at SPLASH 2018, and co-organized several international workshops including the Meta-Programming Techniques and Reflection series of workshops since its first edition at SPLASH 2016.

Prof. Dr. Coen De Roover is a full-time professor at the Software Languages Lab (SOFT) of the VUB. The central theme of his research is the design of static program analyses, and their application to problems in software quality such as vulnerability detection. He has published over 70 peer-reviewed articles in the domain, and is actively involved in several collaborative research projects of a fundamental, strategic, or applied nature. He frequently serves on the program committee for international conferences such as MSR, ICSME, SANER, VISSOFT and SCAM. He also founded and regularly co-organizes the “Programming Technology for the Future Web” (ProWeb) workshop series, and is a member of the steering committee of the “Seminar Series on Advanced Techniques & Tools for Software Evolution” (SATToSE).

Dr. Jens Nicolay is a part-time professor at the Software Languages Lab of the VUB, and before that a software consultant for over 10 years. His main expertise is static analysis of functional and object-oriented languages. Jens coordinated the programming perspective of the SeCloud project. In 2015 his research paper on detecting function purity in JavaScript programs won best research paper award at the Source Code Analysis and Manipulation conference. He is the titular of the “Higher-Order Programming” and “Cloud Computing and Big Data” courses taught in the Master programme of computer science at VUB.
Angel Luis Scull Pupo is a Phd student at the Software Languages Lab of the VUB. He is working on web application security by means of dynamic analysis. He also studies how to use the JavaScript reflective features to enforce security properties. He is also working on static analysis, mainly to provide means of verifying security policies ahead of time using abstract interpretation. He is assistant of the “Cloud Computing and Big Data” course taught in the Master programme of computer science at VUB.

III. Contributions to the project

VUB/SOFT contributed to WP2, which concerns the investigation of programming technology that can be applied at a sustainable effort to safeguard application-specific security concerns. VUB/SOFT. More specifically, VUB/SOFT created a language for specifying application-specific security policies and developed techniques and tools for statically (before running the program) and dynamically (while running the program) analyzing web and cloud applications to detect whether these security policies are violated or not.

1. Policy Specification language and dynamic enforcement

VUB/SOFT created Guardia, a JavaScript library for the specification and runtime enforcement of application-specific security policies. Both access control and information flow control policies are expressible in Guardia through the use of a DSL embedded in JavaScript. Security policies are composable, and we have created a library of reusable security policies found in related publications on security for web applications. Guardia enforces its security policies through a combination of object wrapping and code instrumentation. Object wrapping wraps sensitive objects, and the wrapper acts as a gatekeeper to check whether certain access (reading or writing of values, or invoking certain operations) is permitted. Code instrumentation enables the tracking of values by tagging them with labels, which can then be used to verify that sensitive information (e.g., a password) does not end up in unwanted places such as the log file of an application.

  • D2.1.1 describes the interface for implementing and composing security policies in Guardia, and presents an overview of security policies found in related work expressed in Guardia. A paper is available that introduces Guardia as a DSL (Domain-Specific Language) in JavaScript.
  • D2.1.2 describes how Guardia policies are enforced in a running web application, and presents an evaluation of Guardia on production web sites. We published a paper explaining the underlying wrapping mechanism using JavaScript proxies, together with a demonstrator on this work. We also published a paper on a monitoring mechanism for detecting unwanted information flows in web applications. Information flow control is also covered in this demonstrator.

2. Static verification of security policies

VUB/SOFT developed JIPDA, a static analyzer for JavaScript web and cloud applications. The goal of static program analysis for security is to determine security-relevant program properties that hold for all possible program executions without actually executing the program. JIPDA takes an application (JavaScript or HTML source code) as input and models the runtime behavior of that application as a graph in which each node represents a program “step”. This graph can then be queried for specific application properties of interest. In addition to a program, JIPDA can also take an interaction model as input to be able to reason about any interactions of the analyzed web or cloud application with other (often external third-party) services.  Because static analysis of any non-trivial program requires a lot of computation and therefore time, we investigated a modular (function-per-function) variant of a flow analysis that, with similar precision, captures the same program information as our whole-program analysis but faster.

  • D2.2.1 describes the foundations of the whole-program static analysis for JavaScript. A demonstrator illustrates the underlying ideas and concepts. This paper presents a side-effect analysis based on the same analysis technique. Another publication introduces JS-QL, a framework based on JIPDA for detecting user-specified security vulnerabilities in JavaScript applications. Finally, we also published a paper on a modular variant of flow analyses such as JIPDA to significantly improve their performance.
  • D2.2.3 presents the extensions to the JavaScript static analysis to make it suitable for use in a cloud setting. The implementation of the analyzer is also available. We also published a paper on static analysis for event-driven programs that serves as the foundation for a tool that warns about potential leaks of sensitive information.

3. A hybrid (static/dynamic) approach for optimizing policy enforcement

VUB/SOFT combined its static verification and dynamic enforcement approach to obtain a hybrid solution that attempts to prune as many dynamic policy enforcement checks as possible in a running application to avoid the associated performance overhead. First, a JavaScript web application containing Guardia security policy specifications is statically analyzed to determine which policies are certainly not violated by the application. Only the checks for policies that could not be deemed as verified by static analysis need to be inserted in the application.

  • D2.2.6 describes a dynamic check-pruner based on Guardia and JIPDA that eliminates redundant runtime checks in web applications, and also provides an implementation.

Institute: Vrije Universiteit Brussel

Research Unit: SOFT

Projects: SPICESSeCloud