Java Vulnerability Detection


  • The aim of the JVD project is find security vulnerabilities in the Java Platform (i.e., the Java Development Kit).

    How it works

    The process begins when we define security vulnerabilities that are typically derived from the Java Secure Coding Guidelines. We use static program-analysis techniques to detect such vulnerabilities.

    The project has two main tasks:

    To enable the Java product group to start detecting vulnerabilities quickly. For this work, Parfait is enhanced with various analyses.

    To identify some fundamental limitations of the Java security model. The JVD project will develop analyses to detect the extent of these limitations. It will also develop solutions to overcome them. Ultimately, these analyses will be integrated with Parfait.

    Our main challenges

    A precise definition: Because there is no well-established definition of a security vulnerability, we developed an initial classification scheme based on access control. This scheme must be extended to fix problems with information flow.

    Highly accurate analyses: To reduce the percentage of false negatives, we need a suitable abstraction for the heap (also called points-to analysis). Currently, we use an object-based context-sensitive analysis that is both flow insensitive and field sensitive.

    Highly precise analyses: We need to reduce the percentage of false reports. Because the heap abstraction used is not sufficiently refined for certain aspects of security, it generates many incorrect warnings.

    Scalable analyses: We have to analyse large codebases with reasonable resources (time and memory consumption) so that Parfait can be integrated into the users' development processes.

    Our plan is to develop a complete understanding of access-control issues in Java, and develop language features that prevent information leakage.

    To find out more, contact Paddy Krishnan.




  • Dec 2012 - Sep 2015 Andrew Santosa


  • April 2013- Dec 2015: Assoc. Prof. Bernhard Scholz, University of Sydney
  • Jul 2014: Professor Thomas Fahringer, Innsbruck University


  • Aug 2015 - Jan 2016: Stepan Sindelar, Charles University, Prague
  • Jun 2015 - Dec 2015: Behnaz Hassanshahi, National University of Singapore
  • Sep 2014 - Jun 2015: Sora Bae, Korea Advanced Institute of Science and Technology
  • Feb 2014 - May 2014: Nicholas Daniels, Queensland University of Technology
  • Jul 2013 - May 2014: James Venning, The University of Queensland
  • Jul 2013 - Jan 2014: Dominic Ferreira, Queensland University of Technology


  • Jan 2015 - Jun 2015: Jerome Loh, The University of Queensland
  • Jan 2014 - Dec 2015: Nicholas Hollingum, The University of Sydney
  • Feb 2014 - Dec 2014: Brandon Warwick, The University of Queensland
  • Nov 2013 - Jun 2014: Sarp Kaya, Queensland University of Technology
  • Nov 2013 - Jun 2014: Edward Evans, Queensland University of Technology
  • Jul 2013 - Jan 2014: Carl Hattenfels, The University of Queensland