Soufflé is a Datalog-based system for developing static analyses. It is currently being employed for industrial-strength static analysis problems (1) at Oracle Labs, where it is used as a rapid program analysis environment for security properties on the OpenJDK and (2) at Amazon Web Services, where it is used as a backend solver for a cloud security analysis tool.

A major challenge in such use cases is the ability to produce static analyses that are both customisable and scalable. While hand-crafted solutions (e.g., implemented in C++) have been shown to scale to large problem sizes, they lack the ability for users to easily define custom static analyses. Conversely, DSL-based analysers that are highly customisable, typically struggle to perform on a par with hand-crafted analysers.

In this talk I present Soufflé. Soufflé allows users to succinctly describe a static analysis via a highly flexible Datalog-based DSL and yet produce static analysers that exhibits the performance of state-of-the-art hand crafted tools. Soufflé has performed large scale static analyses typically deemed too difficult for Datalog-based solvers, including points-to analysis on the OpenJDK7 (1.4M program variables, 350K objects, 160K methods) in under a minute and security analysis of large Amazon VPC networks (10,000 Instances) in under 15 minutes.

This is joint work with Bernhard Scholz and Herbert Jordan.