
Applying static and dynamic program analysis techniques to finding and preventing critical bugs and security vulnerabilities in today's complex applications.


"Software Design Rules", a recent talk given by Prof. Monica Lam, gives a high-level summary of the SUIF group's work on finding program errors at Stanford University.



• Programming languages and tools for program analysis
• Static and dynamic analysis techniques for bug detection
• Static and dynamic analysis techniques for finding security vulnerabilities in programs
• Pointer analysis, its practical applications and precision
• Role of soundness and precision in static analysis tools
• Failure and vulnerability recovery in complex systems, especially Web services
• Using alternative sources such as revision histories for program understanding
• Applying AI, data mining, and statistical learning techniques to the discovery of correct and erroneous program behavior

Visit the Griffin Project page for more information on my Web application security work.


My research bio and a CV are available.




01/02/07: Attended and presented at a Dagstuhl seminar on runtime verification.
12/16/06: At long last, my Ph.D. dissertation is officially submitted and posted here for your viewing pleasure (2-sided version available).
11/06/06: I started in my new capacity as a researcher at Microsoft Research in Redmond, Washington. I hope to have a new page up shortly.
09/23/06: SecuriFly TR has been posted. It describes our runtime system for Web vulnerability prevention and recovery.
08/22/06: LAPSE becomes an OWASP project.
08/09/06: LAPSE, a lightweight security auditing tool for Java, has been released.
06/05/06: I successfully defended on June 5th! (slides)
05/22/06: Several security advisories issued: 1, 2, 3. I hope to submit more soon.
05/21/06: A list of academic papers pertaining to Web application security is now live.
05/05/06: Stanford SecuriBench Micro version 1.08 released.
04/18/06: Datalog Editing Mode for Eclipse version 1.6 released.
03/09/06: "Mining Additions of Method Calls in ArgoUML", which I co-authored, was accepted to the MSR Challenge 2006.
02/23/06: I was the winner of a recent Web application security contest (see announcement).
02/07/06: Datalog Editing Mode for Eclipse added.
01/03/06: CV added.
12/21/05: Our research in application security has been featured here.
11/16/05: Jeremiah Grossman gave a talk on new topics in Web application security at Stanford.
10/31/05: The Griffin security project gets a new page.
08/01/05: SecuriBench has been released.
07/05/05: Checklipse, a tool that checks error patterns in Eclipse plugin code, has been released.
09/28/04: Viscount, an Eclipse plugin that collects essential code stats and exports them to LaTeX (...)


  1. Improving Software Security with Precise Static and Runtime Analysis. Benjamin Livshits, Doctoral dissertation
    Stanford University, Stanford, California, December, 2006.

  2. Mining Additions of Method Calls in ArgoUML. Thomas Zimmermann, Silvia Breu, Christian Lindig, and Benjamin Livshits.
    International Workshop on Mining Software Repositories Challenge, Shanghai, China, May, 2006.

  3. Reflection Analysis for Java. Benjamin Livshits, John Whaley and Monica S. Lam
    Presented at the Third Asian Symposium on Programming Languages and Systems, Tsukuba, Japan, November, 2005.

  4. Finding Application Errors and Security Flaws Using PQL: a Program Query Language. Michael Martin, Benjamin Livshits, and Monica S. Lam
    Presented at the 20th Annual ACM Conference on Object-Oriented Programming, Systems, Languages, and Applications, San Diego, California, October 2005.

  5. DynaMine: Finding Common Error Patterns by Mining Software Revision Histories. Benjamin Livshits and Thomas Zimmermann
    Presented at the ACM SIGSOFT Symposium on the Foundations of Software Engineering (FSE 2005), Lisbon, Portugal, September 2005.

  6. Defining a Set of Common Benchmarks for Web Application Security. Benjamin Livshits
    Position paper on Stanford SecuriBench for the Workshop on Defining the State of the Art in Software Security Tools, Baltimore, August 2005.

  7. Finding Security Vulnerabilities in Java Applications with Static Analysis. Benjamin Livshits and Monica S. Lam
    In Proceedings of the Usenix Security Symposium, Baltimore, Maryland, August 2005.

  8. Locating Matching Method Calls by Mining Revision History Data. Benjamin Livshits and Thomas Zimmermann
    In Proceedings of the Workshop on the Evaluation of Software Defect Detection Tools, Chicago, Illinois, June 2005.

  9. Context-Sensitive Program Analysis as Database Queries. Monica S. Lam, John Whaley, Benjamin Livshits, Michael Martin, Dzintars Avots, Michael Carbin, Christopher Unkel.
    In Proceedings of Principles of Database Systems (PODS), Baltimore, Maryland, June 2005.

  10. Improving Software Security with a C Pointer Analysis. Dzintars Avots, Michael Dalton, Benjamin Livshits, Monica S. Lam.
    In Proceedings of the 27th International Conference on Software Engineering (ICSE), May 2005.

  11. Turning Eclipse Against Itself: Finding Bugs in Eclipse Code Using Lightweight Static Analysis. Benjamin Livshits
    In Eclipsecon '05 Research Exchange, March 2005.
    I maintain a page devoted to Checklipse, the tool described in the paper.

  12. Finding Security Errors in Java Applications Using Lightweight Static Analysis. Benjamin Livshits.
    In Annual Computer Security Applications Conference, Work-in-Progress Report, November 2004.

  13. Tracking Pointers with Path and Context Sensitivity for Bug Detection in C Programs. Benjamin Livshits and Monica S. Lam
    In Proceedings of the 11th ACM SIGSOFT International Symposium on the Foundations of Software Engineering, September 2003.


  1. SecuriFly: Runtime Protection and Recovery from Web Application Vulnerabilities. Benjamin Livshits, Michael Martin, and Monica S. Lam
    A technical report, which describes the runtime system for vulnerability protection first described in the OOPSLA '05 paper.

  2. Reflection Analysis for Java. Benjamin Livshits, John Whaley, and Monica S. Lam
    A technical report, which represents an extended version of the paper above.

  3. Turning Eclipse Against Itself: Improving the Quality of Eclipse Plugins. Benjamin Livshits
    A technical report, which is an extended version of the paper above.

  4. Finding Security Vulnerabilities in Java Applications with Static Analysis. Benjamin Livshits and Monica S. Lam
    A technical report, which represents an extended version of the paper above.



  1. Finding Application Errors and Security Flaws Using PQL: A Program Query Language.
    [PPT] [PDF]
    Michael Martin, Benjamin Livshits, and Monica Lam.
    Presented at the Dagstuhl seminar on Runtime Verification (07011), January 2007.

  2. Reflection Analysis for Java.
    [PPT] [PDF]
    Benjamin Livshits, John Whaley, and Monica S. Lam
    Presented at the Third Asian Symposium on Programming Languages and Systems, Tsukuba, Japan, November, 2005.

  3. Finding Application Errors and Security Flaws Using PQL: a Program Query Language.
    [PPT] [PDF]
    Michael Martin, Benjamin Livshits, and Monica S. Lam
    Presented at the 20th Annual ACM Conference on Object-Oriented Programming, Systems, Languages, and Applications, San Diego, California, October 2005 (slides and presentation by Michael Martin).

  4. DynaMine: Finding Common Error Patterns by Mining Software Revision Histories.
    [PPT] [PDF]
    Benjamin Livshits and Thomas Zimmermann
    Presented at the ACM SIGSOFT Symposium on the Foundations of Software Engineering, Lisbon, Portugal, September 2005 (slides and presentation by Thomas Zimmermann).

  5. Finding Security Vulnerabilities in Java Applications with Static Analysis.
    [PPT] [PDF]
    Benjamin Livshits and Monica Lam.
    In Usenix Security Symposium, Baltimore, Maryland, August 2005.

  6. DynaMine: Finding Common Error Patterns by Mining Software Revision Histories.
    [PPT] [PDF]
    Benjamin Livshits and Thomas Zimmermann.
    In Dagstuhl seminar 05261, June 2005.

  7. Locating Matching Method Calls by Mining Revision History Data.
    [PPT] [PDF]
    Benjamin Livshits and Thomas Zimmermann
    In the Workshop on the Evaluation of Software Defect Detection Tools, Chicago, Illinois, June 2005.

  8. Using Static Analysis to Find Input Validation Errors in Java Programs.
    [PPT] [PDF]
    Benjamin Livshits and Monica S. Lam.
    In Stanford 7th Annual Security Workshop, May 2005.

  9. Turning Eclipse Against Itself: Finding Errors in Eclipse Sources.
    [PPT] [PDF]
    Benjamin Livshits.
    In Eclipsecon '05 Research Exchange, March 2005.

  10. Finding Security Errors in Java Applications Using Lightweight Static Analysis.
    [PPT] [PDF]
    Benjamin Livshits.
    Work-in-Progress Report, Annual Computer Security Applications Conference, November 2004.

  11. Tracking Pointers with Path and Context Sensitivity for Bug Detection in C Programs.
    [PPT] [PDF]
    Benjamin Livshits and Monica S. Lam
    11th ACM SIGSOFT International Symposium on the Foundations of Software Engineering, September 2003.

  12. Finding Security Violations by Using Precise Source-level Analysis.
    [PPT] [PDF]
    Benjamin Livshits and Monica S. Lam
    In Stanford 5th Annual Security Workshop, May 2003.


  1. Static and Runtime Solutions for Web Application Vulnerabilities.
    [PPT] [PDF]
    Benjamin Livshits.
    A Poster Presented at a Trust Event, April 2006.

  2. Using Eclipse to Detect Security Errors in Web Applications.
    [PPT] [PDF]
    Benjamin Livshits.
    A Poster Presented at Eclipsecon '05, March 2005.



  1. Looking for Memory Leaks.
    [PDF]
    Benjamin Livshits
    An article on detecting memory leaks in Java for Oracle Developer Network as part of the Mastering J2EE Application Development Series, 2005.

  2. Unsupervised Web Page Clustering.
    [PDF]
    Paul Ruhlen, Husrev Tolga Ilhan, and Benjamin Livshits.
    Report for a project in natural language processing at Stanford (CS 224N), Spring 2000.

  3. Applications of Cache-conscious Data Layout to Copying Garbage Collection.
    [PDF]
    Benjamin Livshits and David Louie.
    Report for a graduate project in compilers (CS 612) at Cornell University, May 1999.

  4. Mostly copying garbage collector (MCC) for Java.
    [PDF]
    Benjamin Livshits.
    MCC for Java, Undergraduate final project at Cornell, May 1999.


Copyright notice: The copyrights for journal and conference proceedings papers generally belong to the publisher of the journal or proceedings. All papers may be downloaded for personal or research purposes only. These works may not be reposted without the explicit permission of the copyright holders.


Last modified on 01/08/07.