Blog Archives

MILCOM 2018 – Systematic Exploration of Critical Software for Catastrophic Cyber-Physical Malware

Abstract: With the advent of highly sophisticated cyber-physical malware (CPM), a cyber-attack can cripple critical services virtually paralyze the nation. In differentiating CPM from traditional malware, the difference really comes from the open-ended possibilities for malware triggers resulting from the wide spectrum of sensor inputs, and the almost limitless application-specific possibilities for designing malicious payloads. […]

Categories: Tutorials, Upcoming

DySDoc3 – DynaDoc: Automated On-Demand Context-Specific Documentation

Abstract: This 2018 DOCGEN Challenge paper describes DynaDoc, an automated documentation system for on-demand context-specific documentation. A key novelty is the use of graph database technology with an eXtensible Common Software Graph Schema (XCSG). Using XCSG-based query language, DynaDoc can mine efficiently and accurately a variety of program artifacts and graph abstractions from millions of […]

Categories: Papers, Upcoming

Science of Computer Programming – Projected Control Graph for Computing Relevant Program Behaviors

Abstract: Many software engineering tasks require analysis and verification of all behaviors relevant to the task. For example, all relevant behaviors must be analyzed to verify a safety or security property. An efficient algorithm must compute the relevant behaviors directly without computing all the behaviors. This is crucial in practice because it is computationally intractable […]

Categories: Papers, Upcoming

Springer Verlag Publishers – Catastrophic Cyber-Physical Malware

Abstract: With the advent of highly sophisticated cyber-physical malware (CPM) such as Industroyer, a cyberattack could be as destructive as the terrorist attack on 9/11, it would virtually paralyze the nation. We discuss as the major risks the vulnerability of: telecommunication infrastructure, industrial control systems (ICS), and mission-critical software. In differentiating CPM from traditional malware, […]

Categories: Book Chapters

ICSE 2018 – COMB: Computing Relevant Program Behaviors

Abstract: The paper presents COMB, a tool to improve accuracy and efficiency of software engineering tasks that hinge on computing all relevant program behaviors. Computing all behaviors and selecting the relevant ones is computationally intractable. COMB uses Projected Control Graph (PCG) abstraction to derive the relevant behaviors directly and efficiently. The PCG is important as […]

Categories: Papers

ICISS 2017 – Human-on-the-loop Automation for Detecting Software Side-Channel Vulnerabilities

Abstract: Software side-channel vulnerabilities (SSCVs) allow an attacker to gather secrets by observing the differential in the time or space required for executing the program for different inputs. Detecting SSCVs is like searching for a needle in the haystack, not knowing what the needle looks like. Detecting SSCVs requires automation that supports systematic exploration to […]

Categories: Papers

APSEC 2017 – Intelligence Amplifying Loop Characterizations for Detecting Algorithmic Complexity Vulnerabilities

Abstract: Algorithmic complexity vulnerabilities (ACVs) can be exploited to cause denial-of-service. Detecting ACVs is hard because of the numerous kinds of loop complexities that cause ACVs. This renders automatic detection intractable for ACVs. State-of-the-art loop analyses aim to obtain precise loop iteration bounds automatically; they can do so for relatively simple loops. This research focuses […]

Categories: Papers

2017 Winter Simulation Conference – Modeling Lessons from Verifying Large Software Systems for Safety and Security

Abstract: Verifying software in mission-critical Cyber-Physical Systems (CPS) is an important but daunting task with challenges of accuracy and scalability. This paper discusses lessons learned from verifying properties of the Linux kernel. These lessons have raised questions about traditional verification approaches, and have led us to a model-based approach for software verification. These models are […]

Categories: Papers

VizSec 2017 – Interactive Visualization Toolbox to Detect Sophisticated Android Malware

Abstract: Detecting zero-day sophisticated malware is like searching for a needle in the haystack, not knowing what the needle looks like. This paper describes Android Malicious Flow Visualization Toolbox that empowers a human analyst to detect such malware. Detecting sophisticated malware requires systematic exploration of the code to identify potentially malignant code, conceiving plausible malware […]

Categories: Papers

MathWorks 2017 Research Summit – Demystifying Cybersecurity for CPS Community

Abstract: It is challenging for the cyber-physical systems (CPS) community to understand the essentials of cybersecurity. “Security Patch” or the “Kill Switch for WannaCry” jargon is at best oversimplified and superficial to convey essential cybersecurity knowledge. Cybersecurity problems are often rooted in the complex CPS software. For the CPS community, the challenge is to understand […]

Categories: Talks