Blog Archives

ESEC/FSE 2019 – DISCOVER: Detecting Algorithmic Complexity Vulnerabilities

Abstract: Algorithmic Complexity Vulnerabilities (ACV) are a class of vulnerabilities that enable Denial of Service Attacks. ACVs stem from asymmetric consumption of resources due to complex loop termination logic, recursion, and/or resource intensive library APIs. Completely automated detection of ACVs is intractable and it calls for tools that assist human analysts. We present DISCOVER, a […]

Categories: Papers

ICSE 2019 – Mockingbird: A Framework for Enabling Targeted Dynamic Analysis of Java Programs

Abstract: The paper presents the Mockingbird framework that combines static and dynamic analyses to yield an efficient and scalable approach to analyze large Java software. The framework is an innovative integration of existing static and dynamic analysis tools and a newly developed component called the Object Mocker that enables the integration. The static analyzers are […]

Categories: Papers

MILCOM 2018 – Systematic Exploration of Critical Software for Catastrophic Cyber-Physical Malware

Abstract: With the advent of highly sophisticated cyber-physical malware (CPM), a cyber-attack can cripple critical services virtually paralyze the nation. In differentiating CPM from traditional malware, the difference really comes from the open-ended possibilities for malware triggers resulting from the wide spectrum of sensor inputs, and the almost limitless application-specific possibilities for designing malicious payloads. […]

Categories: Tutorials

Invited Talk @ UBC – An 18th-century Mathematician, a $336 Million Patent, and Software Experimentation

Abstract: What does software experimentation have to do with an 18th-century Swiss mathematician? Come hear the story that starts with Leonhard Euler, progresses to a software patent worth hundreds of millions, and ends with new ideas for experiment-driven software engineering. The construction of software usually involves many people and programs that need to be maintained […]

Categories: Talks

Science of Computer Programming – Projected Control Graph for Computing Relevant Program Behaviors

Abstract: Many software engineering tasks require analysis and verification of all behaviors relevant to the task. For example, all relevant behaviors must be analyzed to verify a safety or security property. An efficient algorithm must compute the relevant behaviors directly without computing all the behaviors. This is crucial in practice because it is computationally intractable […]

Categories: Papers

SecDSM – Recent Trends in Program Analysis for Bug Hunting and Exploitation

Abstract: Software is pervasive, and for better or worse, it now controls most of daily lives. Developing and maintaining secure software is of the upmost importance, but it seems that despite our best efforts we just haven’t gotten it right yet. More importantly we should ask ourselves why haven’t we solved this problem yet? This […]

Categories: Talks

USCC 2018 – Program Analysis for Cybersecurity II

Abstract: From bug hunting to exploit development to securing software systems, program analysis is a common thread that ties together multiple fields of software security. This training is targeted at individuals with little or no program analysis experience. Instead of simply learning how to break things, this training focuses on the challenges involved in securing […]

Categories: Tutorials

DySDoc3 – DynaDoc: Automated On-Demand Context-Specific Documentation

Abstract: This 2018 DOCGEN Challenge paper describes DynaDoc, an automated documentation system for on-demand context-specific documentation. A key novelty is the use of graph database technology with an eXtensible Common Software Graph Schema (XCSG). Using XCSG-based query language, DynaDoc can mine efficiently and accurately a variety of program artifacts and graph abstractions from millions of […]

Categories: Papers

ISEA II – Cyber Security Awareness and Cyber Security Challenge Competition

Abstract: Day 1: Binary Exploitation Day 2: Web Security Day 3: Program Analysis Day 2: Bug Hunting Day 5: Cybersecurity Competition Venue: ISEA II Bilateral / International Cooperation, MNIT, Jaipur, India, July 2018. Authors: Benjamin Holland Materials: https://github.com/benjholla/PACSeminar2018

Categories: Short Courses

ICSE 2018 – Demystifying Cyber-Physical Malware

Abstract:  The traditional notion of malware is too narrow, and the prevalent characterizations (virus, worm, trojan horse, spyware etc.) are neither precise nor comprehensive enough to characterize cyber-physical malware (CPM). Detecting sophisticated CPM is like searching for a needle in the haystack without knowing what the needle looks like. This technical briefing congregates interdisciplinary knowledge […]

Categories: Papers