There is a nice blog post by Robert MacIntosh intended for PhD students at:

He describes the light at the end of the research tunnel. There are some steps in the tunnel, forming a scientific framework for researchers to follow:

  • Ontology … to do with our assumptions about how the world is made up and the nature of things
  • Epistemology … to do with our beliefs about how one might discover knowledge about the world
  • Methodology … to do with the tools and techniques of research

The author claims that ontology, epistemology and methodology are the three pillars of the thesis.

An extended framework with the applications for symbolic analysis

We define symbolic analysis as a framework (light in the tunnel) in 10 levels as follows:

  1. Ontology is a set of symbols, as well as concepts, made by the user. Note: concepts are higher-level symbols, not grounded.
  2. Epistemology is a set of transformation rules for symbols, used in order to get knowledge. They describe the semantics of each symbol in the ontology.
  3. Paradigm is here symbolic analysis: how to describe the ontology and epistemology and the theories and methods. Its “competitors” are static and dynamic analyses.
  4. Methodology is a set of theories of how the ontology is transformed, using the epistemology, into information capable of expressing knowledge. There are theories for parsing, for making a symbolic model, for simulating the model etc.
  5. Method is any way to use the methodology in practice. Some methods are control flow analysis, making a call tree etc.
  6. Tool is a specific means to apply the method in practice. A tool can be any tool that applies (here) symbolic execution or symbolic analysis, for example for simulating code.
  7. Activity is a human interaction intended for understanding code. Some activities are finding a bug, browsing code in order to understand some principles etc.
  8. Action is a piece of an activity, for example browsing items, selecting a view or making a hypothesis.
  9. Sub-action is a part of an action. The lowest sub-actions are primitives like reading an item, making a decision etc.
  10. The lowest level is practical data for the method, tool, activity, action and sub-action. In symbolic analysis practical data can be non-symbolic or symbolic. Non-symbolic data in a program can have any type of the type system of the original source code. Symbolic data can have any type defined in the ontology; it is therefore much richer than the non-symbolic notation.

Using levels 1-10, a complete conceptual framework for any programming language and any operating system can be written. There are, however, some limitations on how different kinds of source code features can be reverse engineered. To alleviate these problems and shortcuts, symbolic analysis has a rather expressive format: each relation is expressed as a Prolog predicate, which can implicitly point to its neighbour symbols even though there is no definition of their semantics.
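To make the Prolog remark concrete, here is a small added example (it is not code from the original post or from the author's tools). It models a tiny program as symbols and relations: the ontology (level 1) is a set of facts naming functions, the epistemology (level 2) is a set of rules that derive reachability, and one method (level 5) builds a call tree. The function names main, parse_input, log and libc_strcpy are constructed for the example. The symbol libc_strcpy is referenced by a calls/2 relation but has no definition in the model, which is exactly the "neighbour symbol without semantics" situation described above; the rules still work with it.

```prolog
% Added example, not part of the original post. All program names are constructed.
:- use_module(library(lists)).   % member/2 (autoloaded in SWI-Prolog, explicit for portability)

% --- Ontology (level 1): the symbols of the model, here the defined functions. ---
function(main).
function(parse_input).
function(log).

% --- Relations: each relation is a Prolog predicate over symbols. ---
% calls(Caller, Callee). The callee may be a neighbour symbol that the model
% references but never defines (no function/1 fact and no semantics for it).
calls(main, parse_input).
calls(main, log).
calls(parse_input, libc_strcpy).   % undefined neighbour symbol
calls(parse_input, log).

% --- Epistemology (level 2): transformation rules that derive knowledge. ---
% external(S): S is referenced in the model but not defined by it.
external(S) :- calls(_, S), \+ function(S).

% reaches(A, B): B is reachable from A through the call relation.
% A visited list keeps the rule terminating even if the call graph has cycles.
reaches(A, B) :- reaches(A, B, [A]).
reaches(A, B, _)    :- calls(A, B).
reaches(A, C, Seen) :- calls(A, B), \+ member(B, Seen), reaches(B, C, [B|Seen]).

% --- Method (level 5): build a call tree as a nested term tree(Fun, Subtrees). ---
% A function already on the current path is reported as cycle(Fun) instead of
% being expanded again, so recursive programs do not loop the analysis.
call_tree(F, Tree) :- call_tree(F, [F], Tree).
call_tree(F, Seen, tree(F, Subtrees)) :-
    findall(T,
            ( calls(F, G),
              ( member(G, Seen) -> T = cycle(G)
              ; call_tree(G, [G|Seen], T) ) ),
            Subtrees).

% Sample queries (expected answers shown as comments):
% ?- external(S).
%    S = libc_strcpy.
% ?- reaches(main, libc_strcpy).
%    true.
% ?- call_tree(main, T).
%    T = tree(main, [tree(parse_input, [tree(libc_strcpy, []), tree(log, [])]),
%                    tree(log, [])]).
```

The point of the example is the division of labour: adding a new kind of relation (data flow, type information, a sub-action an analyst performed) means adding facts and rules, not changing the representation, and a symbol that the rest of the model only points to remains usable in every query until someone supplies its definition.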

Levels 7-9 tie the framework to action theory, which is empirical research.

Some links