Blog Archives

NIT Patna – Learn to Understand, Analyze, and Verify Large Software

Abstract: Massive software systems are being built the way Egyptians were building pyramids, with the sheer force of human labor. Agile development, programming languages, component libraries, and integrated development environments help, but they have not brought down the cost of developing and maintaining software. Software projects continue to run over projected budgets and schedule. The […]

Categories: Short Courses

2017 ACSS Conference Keynote Talk – Euler, the 336 Million Dollar Software Patent: Reflecting on How to Solve Hard Software Problems

Abstract: The size and complexity of software, the labor cost of programming, and the dire consequences of software malfunction have made it a nightmare to maintain software-intensive cyber-physical systems. Agile development, programming languages, component libraries etc. help but they do not suffice to ensure correctness and cost-effective maintenance of complex software. The central question is: […]

Categories: Talks

ICST 2017 – Transferring state-of-the-art immutability analyses: An experimentation toolbox and accuracy benchmark

Abstract: Immutability analysis is important to software testing, verification and validation (V&V) because it can be used to identify independently testable functions without side-effects. Existing tools for immutability analysis are largely academic prototypes that have not been rigorously tested for accuracy or have not been maintained and are unable to analyze programs written in later […]

Categories: Papers

APSEC 2016 – Projected Control Graph for Accurate and Efficient Analysis of Safety and Security Vulnerabilities

Abstract: The goal of path-sensitive analysis (PSA) is to achieve accuracy by accounting precisely for the execution behavior along each path of a control flow graph (CFG). A practical adoption of PSA is hampered by two roadblocks: (a) the exponential growth of the number of CFG paths, and (b) the exponential complexity of a path […]

Categories: Papers

MILCOM 2016 – Discovering Information Leakage Using Visual Program Models

Abstract: This tutorial is about new genera of information leakage vulnerabilities, far more difficult to detect than the vulnerabilities that have previously dominated the software security landscape. We will survey attacks that have exploited information leakage vulnerabilities to steal sensitive information. We will show how to discover information leakage vulnerabilities using techniques and tools for […]

Categories: Tutorials

ISU Cybersecurity Seminar Series – Exploring the space in between bugs and malware

Abstract: We live in an age of software problems with catastrophic consequences. An extra goto in Apple’s SSL implementation compromised certificate checks for the better part of a year. An erroneous integer conversion in the Ariane 5 launch destroyed the European Space Agency rocket and its cargo valued at 500 million dollars. Often the problem […]

Categories: Talks

ISSRE 2016 – Mission-Critical Software Assurance Engineering Beyond Testing, Bug Finders, Metrics, Reliability Analysis, and Formal Verification

Abstract: Today, mission-critical software assurance engineering must encompass both safety and cyber-security. Critical missions, whether in defense, government, banking, or healthcare, depend on ensuring that a system meets safety requirements and that it does not fail under cyber attack. Mobile, cloud and Internet of Things (IoT) have made software assurance integral to our everyday lives, whether […]

Categories: Tutorials

FVPE 2016 – Insights for Practicing Engineers from a Formal Verification Study of the Linux Kernel

Abstract: Formal verification of large software has been an elusive target, riddled with the problem of scalability. Even if the obstacle of scale may be cleared, major challenges remain to adopt formal verification in practice. This paper presents an empirical study using a top-rated formal verification tool for Linux, and draws insights from the study […]

Categories: Papers

IASTATE/ECPE 2016 – Euler, the 336 Million Dollar Software Patent, and Reflecting on How to Solve Hard Software Problems

Abstract: The size and complexity of software, the labor cost of programming, and the dire consequences of software malfunctioning have made it a nightmare to maintain software-intensive cyber-physical systems. Agile development, programming languages, component libraries etc. help but they do not suffice to ensure correctness and cost-effective maintenance of complex software. The central question is: […]

Categories: Talks

SCAM 2016 – Statically-informed Dynamic Analysis Tools to Detect Algorithmic Complexity Vulnerabilities

Abstract: Algorithmic Complexity (AC) vulnerabilities can be exploited to cause a denial of service attack. Specifically, an adversary can design an input to trigger excessive (space/time) resource consumption. It is not possible to build a fully automated tool to detect AC vulnerabilities. Since it is an open-ended problem, a human-in-the-loop exploration is required to find […]

Categories: Papers