GIAN 2016 – Managing Complexity, Security, and Safety of Large Software
Abstract: Software malfunctions can have catastrophic consequences and enormous costs. The error-prone and laborious manual practices of developing and maintaining large software must change to cope with ever increasing complexity of software, and the enormous safety and security challenges it poses. Formal verification is not a practical alternative for large software; it is riddled with problems […]
ASE 2016 – Learn to Build Automated Software Analysis Tools with Graph Paradigm and Interactive Visual Framework
Abstract: Software analysis has become complex enough to be intimidating to new students and professionals. It can be difficult to know where to start with over three decades of staggering research in data and control flow analyses and a plethora of analysis frameworks to choose from, ranging in maturity, support, and usability. While textbooks, surveys […]
DEFCON 24 – Developing Managed Code Rootkits for the Java Runtime Environment
Abstract: Managed Code Rootkits (MCRs) are terrifying post-exploitation attacks that open the doors for cementing and expanding a foothold in a target network. While the concept isn’t new, practical tools for developing MCRs don’t currently exist. Erez Metula released ReFrameworker in 2010 with the ability to inject attack modules into the C# runtime, paving the […]
SERIP 2016 – Software Engineering Research Lab to Airplanes, Orion and Beyond: One professor’s journey shaped by industry-university collaboration
Abstract: This paper is a short story of my adventures of the past 20 years trying to integrate academic research with software engineering problems in industry. I share the challenges I encountered on the way, my failures and successes, evolution of my research, and its adoption in industry. Though I faced many hardships, I feel […]
ICSE 2016 – Let’s Verify Linux: Accelerated Learning of Analytical Reasoning through Automation and Collaboration
Abstract: We describe our experiences in the classroom using the internet to collaboratively verify a significant safety and security property across the entire Linux kernel. With 66,609 instances to check across three versions of Linux, the naive approach of simply dividing up the code and assigning it to students does not scale, and does little […]
ICPC 2016 – Human-Machine Resolution of Invisible Control Flow
Abstract: Invisible Control Flow (ICF) results from dynamic binding and asynchronous processing. For modern software replete with ICF, the ability to analyze and resolve ICF is crucial for verifying software. A fully automated analysis to resolve ICF suffers from imprecision and high computational complexity. As a practical alternative, we present a novel solution of interactive […]
ICSE 2016 – Rethinking Verification: Accuracy, Efficiency and Scalability through Human-Machine Collaboration
Abstract: With growing dependence on software in embedded and cyber-physical systems where vulnerabilities and malware can lead to disasters, efficient and accurate verification has become a crucial need for safety and cybersecurity. Formal verification of large software has remained an elusive target, riddled with problems of low accuracy and high computational complexity. The need for […]
ICISS 2015 – FlowMiner: Automatic Summarization of Library Data-Flow for Malware Analysis
Abstract: FlowMiner is a tool for automatically mining expressive, fine-grained data-flow summaries from Java library bytecode. FlowMiner captures enough information to enable context, type, field, object and flow-sensitive partial program analysis of applications using the library. FlowMiner’s summaries are compact- flow details of a library that are non-critical for future partial program analysis of applications are elided into simple […]
ICISS 2015 – Program Analysis and Reasoning for Hard to Detect Software Vulnerabilities
Abstract: Software is everywhere and so are software vulnerabilities, affecting individuals, companies and nations. Deliberately planted software vulnerabilities (“malware”) have ravaged nuclear reactors and unintended software vulnerabilities (“bugs”) have recently caused all American Airlines planes to be grounded for hours. Software vulnerabilities elude regression testing because their occurrence often depends on intricate sequences of low-probability […]
ISSRE 2015 – Hard Problems at the Intersection of Cybersecurity and Software Reliability
Abstract: This tutorial is aimed at the audience interested in knowing how software reliability and cybersecurity converge in terms of intrinsic hard problems, and how that knowledge can be useful for advancing the research and practice in both fields. This tutorial is based on our research in three Defense Advanced Research Projects Agency (DARPA) projects […]