Ownership Object Graphs with Dataflow Edges

During architectural risk analysis, security experts look for architectural flaws based on a documented runtime structure, which for object-oriented systems can be approximated by an object graph. Architectural risk analysis involves thinking about worst-case scenarios, and thus requires a sound object graph, which shows all possible objects and dataflow communication between them. Extracting a sound object graph that conveys architectural abstraction is challenging. One solution is to apply a hierarchy to the object graph to convey both high-level understanding and detail. Achieving soundness requires a static analysis, but architectural hierarchy is not available in general purpose programming languages. To achieve hierarchy, we annotate the program with ownership types and use abstract interpretation to extract a global, sound, hierarchical object graph that has dataflow communication edges showing the flow of objects due to field reads, field writes, and method invocations. We formalize the static analysis, prove its soundness, then show that the extracted edges are similar to those drawn by a security expert.