Access Type

Open Access Thesis

Date of Award

January 2015

Degree Type

Degree Name

Computer Science

First Advisor

Marwan Abi-Antoun


The cost of security vulnerabilities of a software system is high. As a result, many techniques have been developed to find the vulnerabilities at development time. Of particular interest are static analysis techniques that can consider all possible executions of a system. But static analysis can suffer from a large number of false positives.

A recently developed approach, Scoria, is a semi-automated static analysis that requires security architects to annotate the code, typecheck the annotations, extract a hierarchical object graph and write constraints in order to find security vulnerabilities in a system.

This thesis evaluates Scoria on three systems (sizes 6 KLOC, 6 KLOC and 25 KLOC) from different application domains (Android and Web) and confirms that Scoria can find security vulnerabilities in those systems without an excessive number of false positives.