Blog Archives

ICISS 2017 – Human-on-the-loop Automation for Detecting Software Side-Channel Vulnerabilities

Abstract: Software side-channel vulnerabilities (SSCVs) allow an attacker to gather secrets by observing the differential in the time or space required for executing the program for different inputs. Detecting SSCVs is like searching for a needle in the haystack, not knowing what the needle looks like. Detecting SSCVs requires automation that supports systematic exploration to […]

Categories: Papers, Upcoming

APSEC 2017 – Intelligence Amplifying Loop Characterizations for Detecting Algorithmic Complexity Vulnerabilities

Abstract: Algorithmic complexity vulnerabilities (ACVs) can be exploited to cause denial-of-service. Detecting ACVs is hard because of the numerous kinds of loop complexities that cause ACVs. This renders automatic detection intractable for ACVs. State-of-the-art loop analyses aim to obtain precise loop iteration bounds automatically; they can do so for relatively simple loops. This research focuses […]

Categories: Papers, Upcoming

2017 Winter Simulation Conference – Modeling Lessons from Verifying Large Software Systems for Safety and Security

Abstract: Verifying software in mission-critical Cyber-Physical Systems (CPS) is an important but daunting task with challenges of accuracy and scalability. This paper discusses lessons learned from verifying properties of the Linux kernel. These lessons have raised questions about traditional verification approaches, and have led us to a model-based approach for software verification. These models are […]

Categories: Papers, Upcoming

VizSec 2017 – Interactive Visualization Toolbox to Detect Sophisticated Android Malware

Abstract: Detecting zero-day sophisticated malware is like searching for a needle in the haystack, not knowing what the needle looks like. This paper describes Android Malicious Flow Visualization Toolbox that empowers a human analyst to detect such malware. Detecting sophisticated malware requires systematic exploration of the code to identify potentially malignant code, conceiving plausible malware […]

Categories: Papers, Upcoming

ICST 2017 – Transferring state-of-the-art immutability analyses: An experimentation toolbox and accuracy benchmark

Abstract: Immutability analysis is important to software testing, verification and validation (V&V) because it can be used to identify independently testable functions without side-effects. Existing tools for immutability analysis are largely academic prototypes that have not been rigorously tested for accuracy or have not been maintained and are unable to analyze programs written in later […]

Categories: Papers

APSEC 2016 – Projected Control Graph for Accurate and Efficient Analysis of Safety and Security Vulnerabilities

Abstract: The goal of path-sensitive analysis (PSA) is to achieve accuracy by accounting precisely for the execution behavior along each path of a control flow graph (CFG). A practical adoption of PSA is hampered by two roadblocks: (a) the exponential growth of the number of CFG paths, and (b) the exponential complexity of a path […]

Categories: Papers

FVPE 2016 – Insights for Practicing Engineers from a Formal Verification Study of the Linux Kernel

Abstract: Formal verification of large software has been an illusive target, riddled with the problem of scalability. Even if the obstacle of scale may be cleared, major challenges remain to adopt formal verification in practice. This paper presents an empirical study using a top-rated formal verification tool for Linux, and draws insights from the study […]

Categories: Papers

SCAM 2016 – Statically-informed Dynamic Analysis Tools to Detect Algorithmic Complexity Vulnerabilities

Abstract:  Algorithmic Complexity (AC) vulnerabilities can be exploited to cause a denial of service attack. Specifically, an adversary can design an input to trigger excessive (space/time) resource consumption. It is not possible to build a fully automated tool to detect AC vulnerabilities. Since it is an open-ended problem, a human-in-loop exploration is required to find […]

Categories: Papers

SERIP 2016 – Software Engineering Research Lab to Airplanes, Orion and Beyond: One professor’s journey shaped by industry-university collaboration

Abstract: This paper is a short story of my adventures of the past 20 years trying to integrate academic research with software engineering problems in industry. I share the challenges I encountered on the way, my failures and successes, evolution of my research, and its adoption in industry. Though I faced many hardships, I feel […]

Categories: Papers

ICSE 2016 – Let’s Verify Linux: Accelerated Learning of Analytical Reasoning through Automation and Collaboration

Abstract: We describe our experiences in the classroom using the internet to collaboratively verify a significant safety and security property across the entire Linux kernel. With 66,609 instances to check across three versions of Linux, the naive approach of simply dividing up the code and assigning it to students does not scale, and does little […]

Categories: Papers