ICSE 2018 – COMB: Computing Relevant Program Behaviors
Abstract: The paper presents COMB, a tool to improve accuracy and efficiency of software engineering tasks that hinge on computing all relevant program behaviors. Computing all behaviors and selecting the relevant ones is computationally intractable. COMB uses Projected Control Graph (PCG) abstraction to derive the relevant behaviors directly and efficiently. The PCG is important as […]
ICISS 2017 – Human-on-the-loop Automation for Detecting Software Side-Channel Vulnerabilities
Abstract: Software side-channel vulnerabilities (SSCVs) allow an attacker to gather secrets by observing the differential in the time or space required for executing the program for different inputs. Detecting SSCVs is like searching for a needle in the haystack, not knowing what the needle looks like. Detecting SSCVs requires automation that supports systematic exploration to […]
APSEC 2017 – Intelligence Amplifying Loop Characterizations for Detecting Algorithmic Complexity Vulnerabilities
Abstract: Algorithmic complexity vulnerabilities (ACVs) can be exploited to cause denial-of-service. Detecting ACVs is hard because of the numerous kinds of loop complexities that cause ACVs. This renders automatic detection intractable for ACVs. State-of-the-art loop analyses aim to obtain precise loop iteration bounds automatically; they can do so for relatively simple loops. This research focuses […]
2017 Winter Simulation Conference – Modeling Lessons from Verifying Large Software Systems for Safety and Security
Abstract: Verifying software in mission-critical Cyber-Physical Systems (CPS) is an important but daunting task with challenges of accuracy and scalability. This paper discusses lessons learned from verifying properties of the Linux kernel. These lessons have raised questions about traditional verification approaches, and have led us to a model-based approach for software verification. These models are […]
VizSec 2017 – Interactive Visualization Toolbox to Detect Sophisticated Android Malware
Abstract: Detecting zero-day sophisticated malware is like searching for a needle in the haystack, not knowing what the needle looks like. This paper describes Android Malicious Flow Visualization Toolbox that empowers a human analyst to detect such malware. Detecting sophisticated malware requires systematic exploration of the code to identify potentially malignant code, conceiving plausible malware […]
MathWorks 2017 Research Summit – Demystifying Cybersecurity for CPS Community
Abstract: It is challenging for the cyber-physical systems (CPS) community to understand the essentials of cybersecurity. “Security Patch” or the “Kill Switch for WannaCry” jargon is at best oversimplified and superficial to convey essential cybersecurity knowledge. Cybersecurity problems are often rooted in the complex CPS software. For the CPS community, the challenge is to understand […]
NIT Patna – Learn to Understand, Analyze, and Verify Large Software
Abstract: Massive software systems are being built the way Egyptians were building pyramids, with the sheer force of human labor. Agile development, programming languages, component libraries, and integrated development environments, help but they have not brought down the cost of developing and maintaining software. Software projects continue to run over projected budgets and schedule. The […]
2017 ACSS Conference Keynote Talk – Euler, the 336 Million Dollar Software Patent: Reflecting on How to Solve Hard Software Problems
Abstract: The size and complexity of software, the labor cost of programming, and the dire consequences of software malfunction have made it a nightmare to maintain software-intensive cyber-physical systems. Agile development, programming languages, component libraries etc. help but they do not suffice to ensure correctness and cost-effective maintenance of complex software. The central question is: […]
ICST 2017 – Transferring state-of-the-art immutability analyses: An experimentation toolbox and accuracy benchmark
Abstract: Immutability analysis is important to software testing, verification and validation (V&V) because it can be used to identify independently testable functions without side-effects. Existing tools for immutability analysis are largely academic prototypes that have not been rigorously tested for accuracy or have not been maintained and are unable to analyze programs written in later […]
APSEC 2016 – Projected Control Graph for Accurate and Efficient Analysis of Safety and Security Vulnerabilities
Abstract: The goal of path-sensitive analysis (PSA) is to achieve accuracy by accounting precisely for the execution behavior along each path of a control flow graph (CFG). A practical adoption of PSA is hampered by two roadblocks: (a) the exponential growth of the number of CFG paths, and (b) the exponential complexity of a path […]