Java Vulnerability Detection


  • The JVD project started in 2013 with the aim of finding security vulnerabilities in the Java Platform (i.e., the Java Development Kit).

    Key findings

    We have created a classification of security vulnerabilities derived from the Java Secure Coding Guidelines. The classification is mainly focused on access-control issues but also considers other topics such as information flow. We use static program-analysis techniques to detect the various security vulnerabilities.

    To enable the Java product group to detect vulnerabilities, the static analysis tool Parfait is enhanced with various Java-security-specific analyses. In order to have a highly scalable, precise and accurate analysis, we use a mixture of object-based, field-sensitive, context-sensitive/context-insensitive, flow-sensitive/flow-insensitive analyses which are designed specifically for libraries. Parfait also supports cross-language analyses to detect a class of JNI-related vulnerabilities.

    Other outcomes include using points-to analysis for libraries in the context of call-graph construction, taint and escape analysis, techniques to make the points-to analysis scalable, and the role of information flow in Java-related vulnerabilities.

    The project also developed and evolved a mechanism for continuous technology transfer. The research aspects of this project were fully transferred to the Parfait team in April 2017. Parfait is integrated into the development processes and is used by numerous developers in the Java product group.


  • Dec 2012 - Sep 2015: Andrew Santosa


  • April 2013 - Dec 2015: Assoc. Prof. Bernhard Scholz, University of Sydney
  • Jul 2014: Professor Thomas Fahringer, Innsbruck University


  • Aug 2015 - Jan 2016: Stepan Sindelar, Charles University, Prague
  • Jun 2015 - Dec 2015: Behnaz Hassanshahi, National University of Singapore
  • Sep 2014 - Jun 2015: Sora Bae, Korea Advanced Institute of Science and Technology
  • Feb 2014 - May 2014: Nicholas Daniels, Queensland University of Technology
  • Jul 2013 - May 2014: James Venning, The University of Queensland
  • Jul 2013 - Jan 2014: Dominic Ferreira, Queensland University of Technology


  • July 2016 - Jun 2017: Rebecca O'Donoghue, The University of Queensland
  • Jan 2015 - Jun 2015: Jerome Loh, The University of Queensland
  • Jan 2014 - Dec 2015: Nicholas Hollingum, The University of Sydney
  • Feb 2014 - Dec 2014: Brandon Warwick, The University of Queensland
  • Nov 2013 - Jun 2014: Sarp Kaya, Queensland University of Technology
  • Nov 2013 - Jun 2014: Edward Evans, Queensland University of Technology
  • Jul 2013 - Jan 2014: Carl Hattenfels, The University of Queensland