Systems, methods and computer program products for string analysis with
security labels for vulnerability detection. Exemplary embodiments
include a method in a computer system configured to analyze
security-labeled strings and to detect vulnerabilities, the method
including receiving a program with security labels, translating the
program into a static single assignment form, constructing a control flow
graph having basic blocks as nodes, extracting instructions relating to
string functions and object variables, calculating pre-conditions of
variables for the basic blocks, extracting constraints among the
variables subject to a rule set for translating pre-conditions, solving
the constraints and obtaining a set of strings that the object variables
form as a context-free grammar to obtain a set of security-labeled
strings, checking if the set of security-labeled strings satisfies a rule
of the rule set for translating pre-conditions and identifying locations
in the program where a vulnerability is detected.
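
The steps above can be followed on a small constructed program. This is an added illustration, not code from the source document: string instructions in SSA form become grammar productions whose terminals carry a security label, the constraints are solved as a least fixpoint, and each sink whose derivable strings can contain a tainted terminal is reported by line. The instruction format, the label names and the escape sanitizer are assumptions, and tracking only the set of labels per variable is a simplification of a full labeled context-free grammar.

```python
# Constructed SSA program (assumed format): (line, op, target, operands...)
PROGRAM = [
    (1, "const",  "q0", "SELECT * FROM t WHERE name='"),
    (2, "source", "u0"),                  # untrusted input -> label "tainted"
    (3, "call",   "s0", "escape", "u0"),  # sanitizer output -> label "clean"
    (4, "phi",    "q1", "q0", "q2"),      # loop head: q1 = phi(q0, q2)
    (5, "concat", "q2", "q1", "s0"),
    (6, "concat", "q3", "q1", "u0"),
    (7, "sink",   "q2"),
    (8, "sink",   "q3"),
]
SANITIZERS = {"escape"}  # hypothetical sanitizer name

def build_grammar(program):
    """Map each variable to alternatives; symbols are variables or ('T', label)."""
    g = {}
    for line, op, *args in program:
        if op == "const":
            g[args[0]] = [[("T", "trusted")]]
        elif op == "source":
            g[args[0]] = [[("T", "tainted")]]
        elif op == "call":
            tgt, fn, arg = args
            g[tgt] = [[("T", "clean")]] if fn in SANITIZERS else [[arg]]
        elif op == "phi":          # one alternative per incoming value
            g[args[0]] = [[a] for a in args[1:]]
        elif op == "concat":       # sequence of the two operands
            g[args[0]] = [[args[1], args[2]]]
    return g

def labels(grammar):
    """Least fixpoint: labels that can occur in strings derived from each variable."""
    out = {v: set() for v in grammar}
    changed = True
    while changed:
        changed = False
        for v, alts in grammar.items():
            for sym in (s for alt in alts for s in alt):
                new = {sym[1]} if isinstance(sym, tuple) else out.get(sym, set())
                if not new <= out[v]:
                    out[v] |= new
                    changed = True
    return out

def find_vulnerabilities(program, forbidden="tainted"):
    lab = labels(build_grammar(program))
    return [(line, args[0]) for line, op, *args in program
            if op == "sink" and forbidden in lab[args[0]]]
```

The fixpoint is needed because the phi at line 4 makes the productions for q1 and q2 mutually recursive, as a loop in the control flow graph would.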