Blog Archives

ESEC/FSE 2019 – DISCOVER: Detecting Algorithmic Complexity Vulnerabilities

Abstract: Algorithmic Complexity Vulnerabilities (ACVs) are a class of vulnerabilities that enable Denial of Service attacks. ACVs stem from asymmetric consumption of resources due to complex loop termination logic, recursion, and/or resource-intensive library APIs. Completely automated detection of ACVs is intractable, so it calls for tools that assist human analysts. We present DISCOVER, a […]

Categories: Papers

ICSE 2019 – Mockingbird: A Framework for Enabling Targeted Dynamic Analysis of Java Programs

Abstract: The paper presents the Mockingbird framework that combines static and dynamic analyses to yield an efficient and scalable approach to analyze large Java software. The framework is an innovative integration of existing static and dynamic analysis tools and a newly developed component called the Object Mocker that enables the integration. The static analyzers are […]

Categories: Papers

MILCOM 2018 – Systematic Exploration of Critical Software for Catastrophic Cyber-Physical Malware

Abstract: With the advent of highly sophisticated cyber-physical malware (CPM), a cyber-attack can cripple critical services and virtually paralyze the nation. In differentiating CPM from traditional malware, the difference really comes from the open-ended possibilities for malware triggers resulting from the wide spectrum of sensor inputs, and the almost limitless application-specific possibilities for designing malicious payloads. […]

Categories: Tutorials

SecDSM – Recent Trends in Program Analysis for Bug Hunting and Exploitation

Abstract: Software is pervasive, and for better or worse, it now controls most of our daily lives. Developing and maintaining secure software is of the utmost importance, but it seems that despite our best efforts we just haven’t gotten it right yet. More importantly, we should ask ourselves why we haven’t solved this problem yet. This […]

Categories: Talks

USCC 2018 – Program Analysis for Cybersecurity II

Abstract: From bug hunting to exploit development to securing software systems, program analysis is a common thread that ties together multiple fields of software security. This training is targeted at individuals with little or no program analysis experience. Instead of simply learning how to break things, this training focuses on the challenges involved in securing […]

Categories: Tutorials

DySDoc3 – DynaDoc: Automated On-Demand Context-Specific Documentation

Abstract: This 2018 DOCGEN Challenge paper describes DynaDoc, an automated documentation system for on-demand context-specific documentation. A key novelty is the use of graph database technology with an eXtensible Common Software Graph Schema (XCSG). Using XCSG-based query language, DynaDoc can mine efficiently and accurately a variety of program artifacts and graph abstractions from millions of […]

Categories: Papers

ISEA II – Cyber Security Awareness and Cyber Security Challenge Competition

Abstract: Day 1: Binary Exploitation Day 2: Web Security Day 3: Program Analysis Day 2: Bug Hunting Day 5: Cybersecurity Competition Venue: ISEA II Bilateral / International Cooperation, MNIT, Jaipur, India, July 2018. Authors: Benjamin Holland Materials: https://github.com/benjholla/PACSeminar2018

Categories: Short Courses

Springer Verlag Publishers – Catastrophic Cyber-Physical Malware

Abstract: With the advent of highly sophisticated cyber-physical malware (CPM) such as Industroyer, a cyberattack could be as destructive as the terrorist attack on 9/11; it would virtually paralyze the nation. We discuss the vulnerability of telecommunication infrastructure, industrial control systems (ICS), and mission-critical software as the major risks. In differentiating CPM from traditional malware, […]

Categories: Book Chapters

ICSE 2018 – COMB: Computing Relevant Program Behaviors

Abstract: The paper presents COMB, a tool to improve accuracy and efficiency of software engineering tasks that hinge on computing all relevant program behaviors. Computing all behaviors and selecting the relevant ones is computationally intractable. COMB uses Projected Control Graph (PCG) abstraction to derive the relevant behaviors directly and efficiently. The PCG is important as […]

Categories: Papers

ICISS 2017 – Human-on-the-loop Automation for Detecting Software Side-Channel Vulnerabilities

Abstract: Software side-channel vulnerabilities (SSCVs) allow an attacker to gather secrets by observing the differential in the time or space required to execute the program for different inputs. Detecting SSCVs is like searching for a needle in a haystack without knowing what the needle looks like. Detecting SSCVs requires automation that supports systematic exploration to […]

Categories: Papers