Variant Analysis with QL

  • Pavel Avgustinov
  • Kevin Backhouse
  • Man Yue Mo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10951)


As new security problems and innovative attacks continue to be discovered, program analysis remains a burgeoning area of research. QL builds on previous attempts to enable declarative program analysis through Datalog, but solves some of the traditional challenges: its object-oriented nature enables the creation of extensive libraries, and the query optimizer minimizes the performance cost of the abstraction layers introduced in this way. QL enables agile security analysis, allowing security response teams to find all variants of a newly discovered vulnerability. Their work can then be leveraged to provide automated ongoing checking, thus ensuring that the same mistake never makes it into the code base again. This paper demonstrates declarative variant analysis by example.





Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Pavel Avgustinov, Semmle Ltd., Oxford, UK
  • Kevin Backhouse, Semmle Ltd., Oxford, UK
  • Man Yue Mo, Semmle Ltd., Oxford, UK
