Getting to Know You…
Towards a Capability Model for Java
Ben Hermann, Michael Reif,
Michael Eichberg, and Mira Mezini
ESEC/FSE 2015, Bergamo, Italy
Building Systems
We don’t build systems from scratch.
Operating System
Compiler
Virtual Machine
Libraries
Frameworks
We need an ecosystem of reuse.
Libraries are Black Boxes
Inspiration
Transferring this to Java
Capabilities
CLASSLOADING
CLIPBOARD
DEBUG
FS
GUI
NATIVE
NET
PRINT
REFLECTION
SECURITY
SOUND
SYSTEM
UNSAFE
INPUT
Reaching Capabilities from Java
Figure showing the layers involved: Library, Java Class Library (JCL), JCL native part, library native part, OS.
Our Approach in a Nutshell
Tag native methods of the JCL
Build call graph
Propagate capability tags
Build footprint
Identifying Capabilities
Bootstrapping the Analysis
Reviewed native implementation
Review documentation
Consider package and method names
List of tagged JCL native method stubs
Provided in the paper artifact
Identifying Capabilities
Capability # of Methods
CLASSLOADING 24
CLIPBOARD 9
DEBUG 5
FS 377
GUI 449
INPUT 10
NATIVE 419
NET 274
PRINT 54
REFLECTION 78
SECURITY 14
SOUND 36
SYSTEM 126
UNSAFE 85
Some methods are annotated with more than one capability
Building the Call Graph
Using OPAL
Includes the JCL, the library and possibly a usage context
Modified VTA
No whole-program approach
Determine more precise field types and method return types
Goal: Most precise type information, yet efficient and scalable
Propagating Capabilities
Figure: capability sets ({FS}, {NET}, {CL}, {GUI}) attached to native methods are propagated along call edges through the JCL into the library, where they accumulate into sets such as {CL,GUI} and {FS, CL, GUI, NET}.
Propagating Capabilities
    void someMethod(Object o) {
        o.toString();
    }
… (1.304 total)
Effects of filters: 2.068.946 call edges reduced to 368.231
Same story for certain interface and abstract types
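To make the four steps concrete, here is an added example (not the authors' OPAL implementation or the paper artifact) that tags a few constructed native stubs, propagates the tags over a constructed call graph and computes a library footprint; it also applies the fan-out filter described above to a virtual call site that resolves to very many targets, and lists the library methods that act as intermediaries for a capability. All method names, the graph and the MAX_FANOUT cutoff are constructed assumptions.

```python
from collections import defaultdict, deque

# Step 1: capability tags on JCL native method stubs (constructed sample).
NATIVE_TAGS = {
    "java/io/FileInputStream.open0": {"FS"},
    "java/net/PlainSocketImpl.socketConnect": {"NET"},
    "java/lang/Class.forName0": {"CL"},
}

# Step 2: call graph, caller -> callees (constructed, not the paper's data).
CALL_GRAPH = {
    "java/io/FileInputStream.<init>": {"java/io/FileInputStream.open0"},
    "java/net/Socket.connect": {"java/net/PlainSocketImpl.socketConnect"},
    "java/lang/Class.forName": {"java/lang/Class.forName0"},
    "lib/Config.load": {"java/io/FileInputStream.<init>", "lib/Util.log"},
    "lib/Plugin.load": {"java/lang/Class.forName"},
    "lib/Client.fetch": {"java/net/Socket.connect"},
    "lib/Util.log": {"java/lang/Object.toString"},
    "lib/Api.run": {"lib/Config.load", "lib/Plugin.load"},
    "other/Impl.toString": {"java/io/FileInputStream.<init>"},
}

# A virtual call site whose receiver type VTA could not narrow resolves to every
# override (the slide counts 1.304 toString() implementations); names are constructed.
VIRTUAL_TARGETS = {
    "java/lang/Object.toString":
        ["other/Impl.toString"] + [f"other/Impl{i}.toString" for i in range(1303)],
}
MAX_FANOUT = 50  # constructed cutoff for the edge filter


def resolve_edges(filter_fanout=True):
    """Expand virtual call sites into concrete edges; with the filter on,
    sites with more than MAX_FANOUT targets are dropped as too imprecise."""
    edges = defaultdict(set)
    for caller, callees in CALL_GRAPH.items():
        for callee in callees:
            targets = VIRTUAL_TARGETS.get(callee, [callee])
            if filter_fanout and len(targets) > MAX_FANOUT:
                continue
            edges[caller].update(targets)
    return edges


def propagate(filter_fanout=True):
    """Step 3: push tags from native stubs to all transitive callers
    (worklist fixed point over the reversed call graph)."""
    callers = defaultdict(set)
    for caller, callees in resolve_edges(filter_fanout).items():
        for callee in callees:
            callers[callee].add(caller)
    caps = defaultdict(set)
    work = deque(NATIVE_TAGS)
    for method, tags in NATIVE_TAGS.items():
        caps[method] |= tags
    while work:
        method = work.popleft()
        for caller in callers[method]:
            if not caps[method] <= caps[caller]:
                caps[caller] |= caps[method]
                work.append(caller)
    return dict(caps)


def footprint(prefix, filter_fanout=True):
    """Step 4: a library's footprint is the union over its methods' tags."""
    caps = propagate(filter_fanout)
    return set().union(*(t for m, t in caps.items() if m.startswith(prefix)))


def intermediaries(prefix, capability, filter_fanout=True):
    """Library methods that expose a capability to their callers, e.g. the
    Class.forName() intermediaries the slides flag as confused-deputy risks."""
    caps = propagate(filter_fanout)
    return sorted(m for m, t in caps.items()
                  if m.startswith(prefix) and capability in t)
```

With the filter off, the single tagged toString() override leaks FS into lib/Util.log through the 1.304-target edge; with it on, that edge is dropped and lib/Util.log stays capability-free.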
Evaluation Setup
Developer expectation
API Documentation
Expected library footprint
Our analysis
Observed library footprint
Qualitas Corpus subset (70 projects)
Results
Table: capability footprints of the evaluated projects (figure not recoverable from the extraction)
Full result set provided in the paper artifact
Results
14.1% Excess
86.8% Agreement
3.9% Miss
Why is this useful?
Table: capability footprint of an example library (figure not recoverable from the extraction)
Found 2 methods that act as intermediaries for Class.forName()
Depending on your context this may open your software for Confused Deputy attacks.
Where to go from here?
Get developer expectations from developers
Infer capabilities directly from the native implementation
Slice libraries down to the used subset
a.k.a. Future Work
Thanks and please try it out
http://www.thewhitespace.de/projects/peaks/capmodel.html
protip: no need to write this down, it is linked in the program
@benhermann
Follow me on Twitter
You can:
Use all our data
Use our source code
Reproduce our experiments