Family-Based Vulnerability Discovery for Software Product Lines Using Variability-Aware Code Property Graphs

  • Type: Master's thesis
  • Supervisor: Tim Bächle
  • Person in Charge: Completed
  • Context: Software Product Lines (SPLs) enable the derivation of multiple software products for different environments from a shared, configurable codebase. While this approach improves reuse and flexibility, it also increases the complexity of the underlying system because of the variability it introduces. This added complexity complicates static analysis and can lead to security vulnerabilities remaining undetected. The importance of timely vulnerability detection is highlighted by prominent incidents such as the Heartbleed vulnerability in OpenSSL, which went unnoticed for about two years despite its severe impact. Query-Based Static Application Security Testing (Q-SAST) tools, such as Joern, identify vulnerabilities by searching code property graphs (CPGs) for patterns indicative of security issues. However, existing Q-SAST tools analyze a single product variant at a time, i.e. code in which the preprocessor has already resolved every #ifdef, so a vulnerability that exists only in an unanalyzed configuration is missed. They lack support for family-based analysis of SPLs, where variability is considered explicitly and all variants are covered in one run.


    Goal: Extend the Q-SAST tool Joern to support family-based analysis of SPLs by incorporating variability into the underlying data structures and the analysis process. In particular, design and implement an extension of the code property graph that encodes variability information (for example, a presence condition on each node and edge stating in which configurations it exists), enabling the analysis of all variants simultaneously. Develop a corresponding parsing approach for configurable C code that preserves preprocessor conditionals instead of resolving them, and investigate how existing vulnerability queries can be adapted or lifted to operate on the extended representation, so that a query reports not only whether a pattern matches but under which configurations it matches. Evaluate the feasibility of the proposed approach using a prototype implementation and assess whether it preserves the information required for vulnerability detection across all variants.
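As an added illustration of the idea (this is not code from the thesis or from Joern), the Python sketch below attaches a presence condition to every graph node and runs two "lifted" queries that return, for each match, the set of feature literals under which the match exists. The #ifdef handling, the node shapes (fixed-size char array declarations and calls), the query names and the sample C fragment are all constructed assumptions for the toy; a real implementation would build on Joern's C frontend and CPG schema.

```python
"""Toy variability-aware code property graph (added illustration, not Joern code).

Each node carries a presence condition (pc): a conjunction of feature literals
("A", "!A") that must hold for the node to exist in a variant. A lifted query
answers "in which variants does the pattern match?" rather than "does it match?".
"""
import re
from dataclasses import dataclass, field


@dataclass
class Node:
    id: int
    kind: str                 # "DECL" (fixed-size char array) or "CALL"
    code: str
    pc: frozenset             # presence condition as a set of feature literals
    props: dict = field(default_factory=dict)


def conjoin(pc1, pc2):
    """Conjunction of two presence conditions; None if contradictory (A and !A)."""
    pc = frozenset(pc1 | pc2)
    for lit in pc:
        if (lit[1:] if lit.startswith("!") else "!" + lit) in pc:
            return None
    return pc


def parse(src):
    """Map #ifdef/#ifndef/#else/#endif onto node presence conditions.

    Toy parser: only the statement shapes used by the queries are recognised,
    and conditionals are kept as conditions instead of being resolved.
    """
    nodes, stack = [], []     # stack of (feature, negated) for enclosing #if blocks
    for raw in src.splitlines():
        s = raw.split("/*")[0].strip()
        if m := re.fullmatch(r"#ifdef\s+(\w+)", s):
            stack.append((m[1], False)); continue
        if m := re.fullmatch(r"#ifndef\s+(\w+)", s):
            stack.append((m[1], True)); continue
        if s == "#else":
            f, neg = stack.pop(); stack.append((f, not neg)); continue
        if s == "#endif":
            stack.pop(); continue
        pc = frozenset(("!" if neg else "") + f for f, neg in stack)
        if m := re.fullmatch(r"char\s+(\w+)\[(\d+)\];", s):
            nodes.append(Node(len(nodes), "DECL", s, pc, {"name": m[1], "size": int(m[2])}))
        elif m := re.fullmatch(r"(\w+)\((.*)\);", s):
            args = [a.strip() for a in m[2].split(",")]
            nodes.append(Node(len(nodes), "CALL", s, pc, {"callee": m[1], "args": args}))
    return nodes


def unbounded_copy_into_buffer(nodes):
    """Lifted query: strcpy/strcat/gets whose destination is a fixed-size char array.
    The REF edge from call to declaration exists only where both nodes exist, so the
    finding's pc is the (satisfiable) conjunction of the two presence conditions."""
    decls = [n for n in nodes if n.kind == "DECL"]
    out = []
    for call in nodes:
        if call.kind != "CALL" or call.props["callee"] not in ("strcpy", "strcat", "gets"):
            continue
        for decl in decls:
            if decl.props["name"] == call.props["args"][0]:
                pc = conjoin(call.pc, decl.pc)
                if pc is not None:
                    out.append((call.code, pc))
    return out


FORMAT_ARG = {"printf": 0, "fprintf": 1, "sprintf": 1, "syslog": 1}


def format_string_sink(nodes):
    """Lifted query: printf-family call whose format argument is not a string literal."""
    return [(n.code, n.pc) for n in nodes
            if n.kind == "CALL" and n.props["callee"] in FORMAT_ARG
            and not n.props["args"][FORMAT_ARG[n.props["callee"]]].startswith('"')]


def holds(pc, enabled):
    """Does the presence condition hold in the variant with exactly `enabled` features?"""
    return all((lit[1:] not in enabled) if lit.startswith("!") else (lit in enabled) for lit in pc)


def findings_for_variant(findings, enabled):
    """Project family-based findings onto one concrete configuration."""
    return [code for code, pc in findings if holds(pc, enabled)]


# Constructed configurable C fragment with two features, LEGACY and LOGGING.
SAMPLE = """\
char buf[16];
#ifdef LEGACY
strcpy(buf, input);
#else
strncpy(buf, input, sizeof(buf));
#endif
#ifdef LOGGING
#ifndef LEGACY
printf(input);
#else
printf("%s", input);
#endif
#endif
"""

GRAPH = parse(SAMPLE)
FINDINGS = unbounded_copy_into_buffer(GRAPH) + format_string_sink(GRAPH)

if __name__ == "__main__":
    for code, pc in FINDINGS:
        print(f"{code:36} in variants where {' and '.join(sorted(pc)) or 'always'}")
```

The point of `findings_for_variant` is the comparison it makes possible: analyzing only the default configuration (no features enabled) reports nothing, while the single family-based pass reports the strcpy under LEGACY and the format-string sink under LOGGING and !LEGACY, and every concrete configuration can then be queried from the same result.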


    Requirements: Basic knowledge of static program analysis and software security is helpful but not required. Prior experience with configurable software systems or software product lines is beneficial but not mandatory.