An Empirical Study on Bounded Model Checking
•
0 likes•61 views
Software has bugs and it seems to be unavoidable. To find them we often use code reviews and software testing. However, test an application and find no bugs does not mean the application is correct. Model checking is an automatic technique that can guarantee the absence of bugs (i.e. the correctness of a system) given a formal specification. This presentation shows the results of an empirical study on Bounded Model Checking in security context to verify its ability in identifying vulnerable code regions where multiple vulnerabilities in the code can affect each other in their detection.
Report
Share
Report
Share
Download to read offline
Recommended
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...
These slides describe the paper of Henning Perl et. al. about a new method of finding potentially dangerous code in code repositories with a significantly lower false-positive rate than comparable systems. They combine code-metric analysis with metadata gathered from code repositories to help code review teams prioritize their work.
[論文紹介] VCC-Finder: Finding Potential Vulnerabilities in Open-Source Projects ...
1. VCC-Finder is a tool that uses machine learning to identify Vulnerability-Contributing Commits (VCCs) in open source projects from version control histories like Git in order to assist code audits.
2. It analyzed 66 open source projects written in C and C++ with over 170,000 commits total, and identified 640 VCCs corresponding to 718 CVEs, with a precision of 99% compared to existing static analysis tools.
3. The tool works by representing commits as bag-of-words models of code changes based on identifiers, then using a linear SVM classifier trained on prior VCCs to label new commits as vulnerability-contributing or not. This
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
Modern advanced malware samples are used to infect countries and they make part of the current cyber war, cyber espionage and financial attacks. Furthermore, critical actors, who write these malicious codes, try to make the static and dynamic analysis really hard by heavily obfuscating and, eventually, virtualizing codes using techniques such as CFG, call stack manipulation, dead code, opaque predicate and so on. Understanding these concepts and how they are used with virtualized packers is an advantage to learn the main anti-reversing techniques.
Therefore, to manage complex scenarios as exposed above, we are able to use frameworks such as METASM, MIASM and several dynamic static emulation techniques to make code simpler. At end, the goal is to reduce the code (most of time by using symbolic analysis), making us able to get a better understanding about the threat. Additionally, the introduction of dynamic tracing (DTrace) on Windows can help us to having a better understanding about programs and their behavior.
This presentation aims to show concepts and a practical approach on how to handle these reverse engineering challenges and techniques
The Last Line Effect
The Last Line Effect. Abstract: Micro-clones are tiny duplicated pieces of code; they typically comprise only a few statements or lines. In this paper, we expose the “last line effect”, the phenomenon that the last line or statement in a micro-clone is much more likely to contain an error than the previous lines or statements. We do this by analyzing 208 open source projects and reporting on 202 faulty micro-clones.
Intrusion Alert Correlation
The document discusses intrusion alert correlation. It defines key terms like correlation, event, alert, and alert correlation. It outlines that the goals of correlation are to address weaknesses in individual intrusion detection systems like alert flooding, lack of context, and false positives/negatives. The main steps of the correlation process include alert collection, normalization, aggregation, verification, and producing high-level alert structures. Specific correlation techniques are also discussed.
Report on hacking blind
We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker. Traditional techniques are usually paired against a particular binary and distribution where the hacker knows the location of useful gadgets for Return Oriented Programming (ROP). Our Blind ROP (BROP) attack instead remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. This is accomplished by leaking a single bit of information based on whether a process crashed or not when given a particular input string. BROP requires a stack vulnerability and a service that restarts after a crash. The attack works against modern 64-bit Linux with address space layout randomization (ASLR), no-execute page protection (NX) and stack canaries.
Finding Diversity In Remote Code Injection Exploits
1. The document analyzes the diversity among remote code injection exploits by collecting exploit samples from network traces, extracting and emulating shellcodes, and clustering the shellcodes based on an exedit distance metric.
2. It finds that exploits can be grouped into families based on the vulnerability targeted. The LSASS and ISystemActivator exploit families show subtle variations among related exploits, while RemoteActivation exploits exhibit more diversity.
3. Analyzing exploit phylogenies reveals code sharing among families and subtle variations within families, providing insights into the emergence of polymorphism in malware payloads.
Variability, Bugs, and Cognition
The document discusses variability, bugs, and cognition. It summarizes findings from analyzing known variability bugs. Key findings include: bugs often appear in unanticipated configurations that were not considered by programmers; many bugs involve features defined across subsystems rather than locally; and managing variability and large numbers of configurations can negatively impact understandability and maintainability. Controlled experiments are proposed to study how variability affects the time and accuracy of bug finding.
Recommended
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...
These slides describe the paper of Henning Perl et. al. about a new method of finding potentially dangerous code in code repositories with a significantly lower false-positive rate than comparable systems. They combine code-metric analysis with metadata gathered from code repositories to help code review teams prioritize their work.
[論文紹介] VCC-Finder: Finding Potential Vulnerabilities in Open-Source Projects ...
1. VCC-Finder is a tool that uses machine learning to identify Vulnerability-Contributing Commits (VCCs) in open source projects from version control histories like Git in order to assist code audits.
2. It analyzed 66 open source projects written in C and C++ with over 170,000 commits total, and identified 640 VCCs corresponding to 718 CVEs, with a precision of 99% compared to existing static analysis tools.
3. The tool works by representing commits as bag-of-words models of code changes based on identifiers, then using a linear SVM classifier trained on prior VCCs to label new commits as vulnerability-contributing or not. This
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
Modern advanced malware samples are used to infect countries and they make part of the current cyber war, cyber espionage and financial attacks. Furthermore, critical actors, who write these malicious codes, try to make the static and dynamic analysis really hard by heavily obfuscating and, eventually, virtualizing codes using techniques such as CFG, call stack manipulation, dead code, opaque predicate and so on. Understanding these concepts and how they are used with virtualized packers is an advantage to learn the main anti-reversing techniques.
Therefore, to manage complex scenarios as exposed above, we are able to use frameworks such as METASM, MIASM and several dynamic static emulation techniques to make code simpler. At end, the goal is to reduce the code (most of time by using symbolic analysis), making us able to get a better understanding about the threat. Additionally, the introduction of dynamic tracing (DTrace) on Windows can help us to having a better understanding about programs and their behavior.
This presentation aims to show concepts and a practical approach on how to handle these reverse engineering challenges and techniques
The Last Line Effect
The Last Line Effect. Abstract: Micro-clones are tiny duplicated pieces of code; they typically comprise only a few statements or lines. In this paper, we expose the “last line effect”, the phenomenon that the last line or statement in a micro-clone is much more likely to contain an error than the previous lines or statements. We do this by analyzing 208 open source projects and reporting on 202 faulty micro-clones.
Intrusion Alert Correlation
The document discusses intrusion alert correlation. It defines key terms like correlation, event, alert, and alert correlation. It outlines that the goals of correlation are to address weaknesses in individual intrusion detection systems like alert flooding, lack of context, and false positives/negatives. The main steps of the correlation process include alert collection, normalization, aggregation, verification, and producing high-level alert structures. Specific correlation techniques are also discussed.
Report on hacking blind
We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker. Traditional techniques are usually paired against a particular binary and distribution where the hacker knows the location of useful gadgets for Return Oriented Programming (ROP). Our Blind ROP (BROP) attack instead remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. This is accomplished by leaking a single bit of information based on whether a process crashed or not when given a particular input string. BROP requires a stack vulnerability and a service that restarts after a crash. The attack works against modern 64-bit Linux with address space layout randomization (ASLR), no-execute page protection (NX) and stack canaries.
Finding Diversity In Remote Code Injection Exploits
1. The document analyzes the diversity among remote code injection exploits by collecting exploit samples from network traces, extracting and emulating shellcodes, and clustering the shellcodes based on an exedit distance metric.
2. It finds that exploits can be grouped into families based on the vulnerability targeted. The LSASS and ISystemActivator exploit families show subtle variations among related exploits, while RemoteActivation exploits exhibit more diversity.
3. Analyzing exploit phylogenies reveals code sharing among families and subtle variations within families, providing insights into the emergence of polymorphism in malware payloads.
Variability, Bugs, and Cognition
The document discusses variability, bugs, and cognition. It summarizes findings from analyzing known variability bugs. Key findings include: bugs often appear in unanticipated configurations that were not considered by programmers; many bugs involve features defined across subsystems rather than locally; and managing variability and large numbers of configurations can negatively impact understandability and maintainability. Controlled experiments are proposed to study how variability affects the time and accuracy of bug finding.
A tale of experiments on bug prediction
Report on two experiment using change and source code metrics to predict bug-prone source files and methods.
iFixR: Bug Report Driven Program Repair
Issue tracking systems are commonly used in modern software development for collecting feedback from users and developers. An ultimate automation target of software maintenance is then the systematization of patch generation for user-reported bugs. Although this ambition is aligned with the momentum of automated program repair, the literature has, so far, mostly focused on generate-and- validate setups where fault localization and patch generation are driven by a well-defined test suite. On the one hand, however, the common (yet strong) assumption on the existence of relevant test cases does not hold in practice for most development settings: many bugs are reported without the available test suite being able to reveal them. On the other hand, for many projects, the number of bug reports generally outstrips the resources available to triage them. Towards increasing the adoption of patch generation tools by practitioners, we investigate a new repair pipeline, iFixR, driven by bug reports: (1) bug reports are fed to an IR-based fault localizer; (2) patches are generated from fix patterns and validated via regression testing; (3) a prioritized list of generated patches is proposed to developers. We evaluate iFixR on the Defects4J dataset, which we enriched (i.e., faults are linked to bug reports) and carefully-reorganized (i.e., the timeline of test-cases is naturally split). iFixR generates genuine/plausible patches for 21/44 Defects4J faults with its IR-based fault localizer. iFixR accurately places a genuine/plausible patch among its top-5 recommendation for 8/13 of these faults (without using future test cases in generation-and-validation).
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...
This document discusses deliberately un-dependable applications (DUDA) that are aimed at facilitating fault attacks on cryptographic devices. It proposes that dependability metrics like failure rates can be influenced by workload characteristics such as computational load, memory usage, and application code properties. A DUDA could exploit these relationships to effectively increase the probability of faults occurring without directly inducing faults. This could impact security policies by reducing the lifetimes recommended for cryptographic keys if faults become more likely to expose secret key material. It may also influence security standards if fault probabilities are higher than what testing currently assumes.
Linux binary analysis and exploitation
Demonstrates remote code execution in the presence of modern OS security features. Stresses the importance of secure programming. Explains the binary reverse engineering process.
Cryptography IEEE 2015 Projects
List of Cryptography IEEE 2015 Projects. It Contains the IEEE Projects in the Domain Cryptography for the year 2015
Magic behind the numbers - software metrics in practice
We use static code analysis tools more often these days that create great reports and funky graphs. But do we understand what it all mean?
Software metrics tends to be magic numbers for a lot of people, but they don't really have to be. Let me introduce you to a few basic and
most popular software metric and tools and explain you what they mean and how you can use them to produce better software.
Cryptography IEEE 2015 Projects
List of Cryptography IEEE 2015 Projects. It Contains the IEEE Projects in the Domain Cryptography for the year 2015
Bench4BL: Reproducibility Study on the Performance of IR-Based Bug Localization
Jaekwon Lee, Dongsun Kim, Tegawendé F. Bissyandé, Woosung Jung and Yves Le Traon, “Bench4BL: Reproducibility Study on the Performance of IR-Based Bug Localization”, in Proceedings of the 27th International Symposium on Software Testing and Analysis (ISSTA 2018), Amsterdam, Netherlands, July 16 – 21, 2018.
ACSAC2016: Code Obfuscation Against Symbolic Execution Attacks
Slides from the 2016 Annual Computer Security Applications Conference (ACSAC), about the paper entitled "Code Obfuscation Against Symbolic Execution Attacks"
Buffer overflow attacks
This document discusses buffer overflow attacks. It begins with an introduction that defines a buffer overflow and examples like the Morris worm. It then explains how buffer overflows work by corrupting the stack and overwriting return addresses. Methods for implementing buffer overflows using Metasploit and injecting shellcode are provided. Countermeasures like stack canaries and bounds checking are described. The document concludes that while defenses have improved, legacy systems remain vulnerable and buffer overflows remain a problem.
Test versus security @ IEEE Concept
This document discusses security risks related to testing integrated circuits. It describes how scan-based side-channel attacks can exploit design-for-testability infrastructure to reveal confidential information by observing scan chains. The document also covers different types of attackers, common attack procedures, and known attacks against cryptographic primitives. Finally, it discusses how test interfaces like JTAG can be misused to facilitate scan-based attacks or upload malicious firmware.
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT Kharagpur
A glimpse into the top security researches in the top global academia - Prof. Indranil Sengupta, IIT Kharagpur
FIREWALL
A firewall is a choke point that controls and monitors interconnects between networks with differing trust levels. It imposes restrictions on network services to only allow authorized traffic and can implement alarms for abnormal behavior. Firewalls are classified based on the protocol level they control, including packet filtering, circuit gateways, and application gateways. Packet filtering firewalls filter network packets based on their header values.
Aizatulin slides-4-3
The document describes a goal of developing a tool for automated security analysis of cryptographic protocol implementations written in C. It aims to take source code as input, perform a sound and scalable analysis, and output either known security flaws or a proof of security. Symbolic execution is proposed as a method to simplify programs and extract their meaning, mapping low-level C code to a formal language model that can be analyzed by existing tools like ProVerif. Current status is that symbolic execution has been implemented for fixed bitstring lengths and linear control flow. Further work is needed to support variable lengths, arbitrary control flow, and full format abstraction before integrating with a protocol verifier.
Re usable continuous-time analog sva assertions
This paper shows how SystemVerilog Assertions (SVA) modules can be bound to analog IP blocks, shall they be at behavioral or transistor-level, enabling the assertions to become a true IP deliverable that can be reused at SoC level. It also highlights how DPIs can fix analog assertions specificities, such as getting rid of hierarchical paths, especially when probing currents. This paper also demonstrates how to flawlessly switch models between digital (wreal) and analog models without breaking the assertions. Finally, it demonstrates how one can generate an adaptive clock to continuously assert analog properties whose stability over time is critical, such as current or voltage references or supplies.
Verification of Security for Untrusted Third Party IP Cores
This document proposes a technique to formally verify third-party IP cores for hardware Trojans that leak sensitive information. It begins with background on the threat of untrusted third parties inserting Trojans, and limitations of existing detection techniques. The proposed technique uses bounded model checking to check if the IP core violates the property "does not leak any sensitive information". If a violation is found, the model checker generates an input sequence that triggers the Trojan. The document motivates the technique with an example AES Trojan, and refines the property checked to make it computationally feasible for large key sizes. Formalizing Trojan detection as a property checking problem allows exhaustive verification of IP cores for information-leaking Trojans.
SGXMonitor Presentation - ACSAC 2022
- SgxMonitor is a provenance analysis tool for SGX enclaves that provides attack-resistant tracing without introducing new attack surfaces.
- It models SGX enclaves as finite state machines including global states, extracted using symbolic execution and static analysis.
- Evaluation shows it identifies attacks in tested malware with no false positives, and incurs limited overhead in benchmarks.
Dependability Benchmarking by Injecting Software Bugs
Benchmarks are an established practice for performance evaluation in the computer industry since decades. Examples of successful benchmarking initiatives are the TPC (Transaction Processing Performance Council) and the SPEC (Standard Performance Evaluation Corporation). More recently, the research community developed the notion of dependability benchmarking, which evaluates the quality of service (throughput, availability, etc.) of competing products in the presence of faults, by using fault injection. The idea of dependability benchmarking has been applied in several domains including transaction processing, telecom, automotive, etc.
Given that software faults (bugs) are a major cause of failures, it becomes important to assess dependability against these faults. However, emulating software faults in a controlled fault injection experiment is a difficult problem, since bugs originate from human error. This presentation discusses about the open challenges and the recent advances in the field of emulating software bugs in a representative way.
RMAC – A LIGHTWEIGHT AUTHENTICATION PROTOCOL FOR HIGHLY CONSTRAINED IOT DEVICES
Nowadays, highly constrained IoT devices have earned an important place in our everyday lives. These devices mainly comprise RFID (Radio-Frequency Identification) or WSN (Wireless Sensor Networks) components. Their adoption is growing in areas where data security or privacy or both must be guaranteed. Therefore, it is necessary to develop appropriate security solutions for these systems. Many papers have proposed solutions for encryption or authentication. But it turns out that sometimes the proposal has security flaw or is ill-suited for the constrained IoT devices (which has very limited processing and storage capacities).In this paper, we introduce a new authentication protocol inspired by Mirror-Mac (MM) which is a generic construction of authentication protocol proposed by Mol et al. Our proposal named RMAC is well suited for highly constrained IoT devices since its implementation uses simple and lightweight algorithms. We also prove that RMAC is at least as secure as the MM protocol and thus secure against man-in-the-middle attacks.
20100309 03 - Vulnerability analysis (McCabe)
Vulnerability analysis involves discovering parts of a program's input that can be exploited by malicious users to drive the program into an insecure state. Potential vulnerabilities exist in locations with known weaknesses that are dependent on or influenced by user input and can be reached during program execution. Vulnerability analysis aims to identify exploitable vulnerabilities by examining the paths in a program's control flow graph that connect points where untrusted data can enter and vulnerable functions can be reached.
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
This document discusses building a transparent sandbox for malware analysis using virtual machines (VMs). It describes how malware can detect security utilities running in the same VM environment. The document proposes monitoring malware behavior from outside the VM using virtual machine introspection techniques on emulation-based and virtualization-based VMs. It also discusses using behavior comparison across multiple VM systems to detect malware that checks for virtual machine environments.
Advanced System Security and Digital Forensics
The document describes experiments related to system security and digital forensics.
The first experiment involves using static code analysis tools like RATS and Flawfinder to analyze code samples for vulnerabilities. The second experiment describes installing and using the vulnerability scanner Nessus to scan systems for known vulnerabilities.
The third experiment explores using the website copier HTTrack to download a website from the internet to a local directory while preserving the directory structure and links. The fourth experiment demonstrates configuring router security using passwords and access lists on Cisco Packet Tracer to filter traffic between VLANs and networks.
More Related Content
What's hot
A tale of experiments on bug prediction
Report on two experiment using change and source code metrics to predict bug-prone source files and methods.
iFixR: Bug Report Driven Program Repair
Issue tracking systems are commonly used in modern software development for collecting feedback from users and developers. An ultimate automation target of software maintenance is then the systematization of patch generation for user-reported bugs. Although this ambition is aligned with the momentum of automated program repair, the literature has, so far, mostly focused on generate-and- validate setups where fault localization and patch generation are driven by a well-defined test suite. On the one hand, however, the common (yet strong) assumption on the existence of relevant test cases does not hold in practice for most development settings: many bugs are reported without the available test suite being able to reveal them. On the other hand, for many projects, the number of bug reports generally outstrips the resources available to triage them. Towards increasing the adoption of patch generation tools by practitioners, we investigate a new repair pipeline, iFixR, driven by bug reports: (1) bug reports are fed to an IR-based fault localizer; (2) patches are generated from fix patterns and validated via regression testing; (3) a prioritized list of generated patches is proposed to developers. We evaluate iFixR on the Defects4J dataset, which we enriched (i.e., faults are linked to bug reports) and carefully-reorganized (i.e., the timeline of test-cases is naturally split). iFixR generates genuine/plausible patches for 21/44 Defects4J faults with its IR-based fault localizer. iFixR accurately places a genuine/plausible patch among its top-5 recommendation for 8/13 of these faults (without using future test cases in generation-and-validation).
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...
This document discusses deliberately un-dependable applications (DUDA) that are aimed at facilitating fault attacks on cryptographic devices. It proposes that dependability metrics like failure rates can be influenced by workload characteristics such as computational load, memory usage, and application code properties. A DUDA could exploit these relationships to effectively increase the probability of faults occurring without directly inducing faults. This could impact security policies by reducing the lifetimes recommended for cryptographic keys if faults become more likely to expose secret key material. It may also influence security standards if fault probabilities are higher than what testing currently assumes.
Linux binary analysis and exploitation
Demonstrates remote code execution in the presence of modern OS security features. Stresses the importance of secure programming. Explains the binary reverse engineering process.
Cryptography IEEE 2015 Projects
List of Cryptography IEEE 2015 Projects. It Contains the IEEE Projects in the Domain Cryptography for the year 2015
Magic behind the numbers - software metrics in practice
We use static code analysis tools more often these days that create great reports and funky graphs. But do we understand what it all mean?
Software metrics tends to be magic numbers for a lot of people, but they don't really have to be. Let me introduce you to a few basic and
most popular software metric and tools and explain you what they mean and how you can use them to produce better software.
Cryptography IEEE 2015 Projects
List of Cryptography IEEE 2015 Projects. It Contains the IEEE Projects in the Domain Cryptography for the year 2015
Bench4BL: Reproducibility Study on the Performance of IR-Based Bug Localization
Jaekwon Lee, Dongsun Kim, Tegawendé F. Bissyandé, Woosung Jung and Yves Le Traon, “Bench4BL: Reproducibility Study on the Performance of IR-Based Bug Localization”, in Proceedings of the 27th International Symposium on Software Testing and Analysis (ISSTA 2018), Amsterdam, Netherlands, July 16 – 21, 2018.
ACSAC2016: Code Obfuscation Against Symbolic Execution Attacks
Slides from the 2016 Annual Computer Security Applications Conference (ACSAC), about the paper entitled "Code Obfuscation Against Symbolic Execution Attacks"
What's hot (9)
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...
Magic behind the numbers - software metrics in practice
Magic behind the numbers - software metrics in practice
Bench4BL: Reproducibility Study on the Performance of IR-Based Bug Localization
Bench4BL: Reproducibility Study on the Performance of IR-Based Bug Localization
ACSAC2016: Code Obfuscation Against Symbolic Execution Attacks
ACSAC2016: Code Obfuscation Against Symbolic Execution Attacks
Similar to An Empirical Study on Bounded Model Checking
Buffer overflow attacks
This document discusses buffer overflow attacks. It begins with an introduction that defines a buffer overflow and examples like the Morris worm. It then explains how buffer overflows work by corrupting the stack and overwriting return addresses. Methods for implementing buffer overflows using Metasploit and injecting shellcode are provided. Countermeasures like stack canaries and bounds checking are described. The document concludes that while defenses have improved, legacy systems remain vulnerable and buffer overflows remain a problem.
Test versus security @ IEEE Concept
This document discusses security risks related to testing integrated circuits. It describes how scan-based side-channel attacks can exploit design-for-testability infrastructure to reveal confidential information by observing scan chains. The document also covers different types of attackers, common attack procedures, and known attacks against cryptographic primitives. Finally, it discusses how test interfaces like JTAG can be misused to facilitate scan-based attacks or upload malicious firmware.
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT Kharagpur
A glimpse into the top security researches in the top global academia - Prof. Indranil Sengupta, IIT Kharagpur
FIREWALL
A firewall is a choke point that controls and monitors interconnects between networks with differing trust levels. It imposes restrictions on network services to only allow authorized traffic and can implement alarms for abnormal behavior. Firewalls are classified based on the protocol level they control, including packet filtering, circuit gateways, and application gateways. Packet filtering firewalls filter network packets based on their header values.
Aizatulin slides-4-3
The document describes a goal of developing a tool for automated security analysis of cryptographic protocol implementations written in C. It aims to take source code as input, perform a sound and scalable analysis, and output either known security flaws or a proof of security. Symbolic execution is proposed as a method to simplify programs and extract their meaning, mapping low-level C code to a formal language model that can be analyzed by existing tools like ProVerif. Current status is that symbolic execution has been implemented for fixed bitstring lengths and linear control flow. Further work is needed to support variable lengths, arbitrary control flow, and full format abstraction before integrating with a protocol verifier.
Re usable continuous-time analog sva assertions
This paper shows how SystemVerilog Assertions (SVA) modules can be bound to analog IP blocks, shall they be at behavioral or transistor-level, enabling the assertions to become a true IP deliverable that can be reused at SoC level. It also highlights how DPIs can fix analog assertions specificities, such as getting rid of hierarchical paths, especially when probing currents. This paper also demonstrates how to flawlessly switch models between digital (wreal) and analog models without breaking the assertions. Finally, it demonstrates how one can generate an adaptive clock to continuously assert analog properties whose stability over time is critical, such as current or voltage references or supplies.
Verification of Security for Untrusted Third Party IP Cores
This document proposes a technique to formally verify third-party IP cores for hardware Trojans that leak sensitive information. It begins with background on the threat of untrusted third parties inserting Trojans, and limitations of existing detection techniques. The proposed technique uses bounded model checking to check if the IP core violates the property "does not leak any sensitive information". If a violation is found, the model checker generates an input sequence that triggers the Trojan. The document motivates the technique with an example AES Trojan, and refines the property checked to make it computationally feasible for large key sizes. Formalizing Trojan detection as a property checking problem allows exhaustive verification of IP cores for information-leaking Trojans.
SGXMonitor Presentation - ACSAC 2022
- SgxMonitor is a provenance analysis tool for SGX enclaves that provides attack-resistant tracing without introducing new attack surfaces.
- It models SGX enclaves as finite state machines including global states, extracted using symbolic execution and static analysis.
- Evaluation shows it identifies attacks in tested malware with no false positives, and incurs limited overhead in benchmarks.
Dependability Benchmarking by Injecting Software Bugs
Benchmarks are an established practice for performance evaluation in the computer industry since decades. Examples of successful benchmarking initiatives are the TPC (Transaction Processing Performance Council) and the SPEC (Standard Performance Evaluation Corporation). More recently, the research community developed the notion of dependability benchmarking, which evaluates the quality of service (throughput, availability, etc.) of competing products in the presence of faults, by using fault injection. The idea of dependability benchmarking has been applied in several domains including transaction processing, telecom, automotive, etc.
Given that software faults (bugs) are a major cause of failures, it becomes important to assess dependability against these faults. However, emulating software faults in a controlled fault injection experiment is a difficult problem, since bugs originate from human error. This presentation discusses about the open challenges and the recent advances in the field of emulating software bugs in a representative way.
RMAC – A LIGHTWEIGHT AUTHENTICATION PROTOCOL FOR HIGHLY CONSTRAINED IOT DEVICES
Nowadays, highly constrained IoT devices have earned an important place in our everyday lives. These devices mainly comprise RFID (Radio-Frequency Identification) or WSN (Wireless Sensor Networks) components. Their adoption is growing in areas where data security or privacy or both must be guaranteed. Therefore, it is necessary to develop appropriate security solutions for these systems. Many papers have proposed solutions for encryption or authentication. But it turns out that sometimes the proposal has security flaw or is ill-suited for the constrained IoT devices (which has very limited processing and storage capacities).In this paper, we introduce a new authentication protocol inspired by Mirror-Mac (MM) which is a generic construction of authentication protocol proposed by Mol et al. Our proposal named RMAC is well suited for highly constrained IoT devices since its implementation uses simple and lightweight algorithms. We also prove that RMAC is at least as secure as the MM protocol and thus secure against man-in-the-middle attacks.
20100309 03 - Vulnerability analysis (McCabe)
Vulnerability analysis involves discovering parts of a program's input that can be exploited by malicious users to drive the program into an insecure state. Potential vulnerabilities exist in locations with known weaknesses that are dependent on or influenced by user input and can be reached during program execution. Vulnerability analysis aims to identify exploitable vulnerabilities by examining the paths in a program's control flow graph that connect points where untrusted data can enter and vulnerable functions can be reached.
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
This document discusses building a transparent sandbox for malware analysis using virtual machines (VMs). It describes how malware can detect security utilities running in the same VM environment. The document proposes monitoring malware behavior from outside the VM using virtual machine introspection techniques on emulation-based and virtualization-based VMs. It also discusses using behavior comparison across multiple VM systems to detect malware that checks for virtual machine environments.
Advanced System Security and Digital Forensics
The document describes experiments related to system security and digital forensics.
The first experiment involves using static code analysis tools like RATS and Flawfinder to analyze code samples for vulnerabilities. The second experiment describes installing and using the vulnerability scanner Nessus to scan systems for known vulnerabilities.
The third experiment explores using the website copier HTTrack to download a website from the internet to a local directory while preserving the directory structure and links. The fourth experiment demonstrates configuring router security using passwords and access lists on Cisco Packet Tracer to filter traffic between VLANs and networks.
Classic Formal Methods Model Checking
This document provides an introduction to classic model checking. It discusses that classic model checking refers to set of non-execution based algorithmic approaches for checking properties expressed as linear temporal logic, computational tree logic, or finite state automata against a finite state model. It outlines some of the key concepts of classic model checking including modeling the system as a finite state machine or Kripke structure, specifying properties in temporal logic, and using algorithms to automatically verify the system exhaustively. The document also discusses some of the challenges of classic model checking including state explosion, difficulty in modeling complex systems, and interpreting error traces.
SmartphoneHacking_Android_Exploitation
Security from both sides of the fence – a discussion of techniques, such as fuzzing, to reduce the likelihood of an attacker
discovering exploits on smartphones and PCs;
plus a demonstration of approaches hackers may use to weaponize and exploit vulnerabilities.
20080501 software verification_sharygina_lecture01
This document discusses model checking as a technique for assuring software quality. It provides an overview of model checking, including its development in the 1980s, advantages over other verification methods, and the state explosion problem. It also discusses challenges in applying model checking to software verification, such as handling data structures, pointers, and concurrency, and describes the SATABS tool which uses abstraction and refinement to address these challenges.
Surreptitiously weakening cryptographic systems
This document discusses surreptitiously weakening cryptographic systems through sabotage. It provides an overview of this domain using historical examples to develop a taxonomy for comparing different approaches to sabotage. The taxonomy characterizes weaknesses along dimensions like secrecy, utility, and scope. Understanding avenues for and defenses against deliberate cryptographic weakening is important given allegations that governments have subverted cryptographic standards.
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
A Zero-day (0-day) vulnerability is a computer-software vulnerability introduced during the development process and not yet discovered by the developers. Zero-day vulnerabilities can be exploited by hackers, thus affecting the company's reputation. Developers should seek to minimize the number of defects leading to such vulnerabilities. PVS-Studio, a static code analyzer for C, C++, C#, and Java code, is one of the tools capable of detecting security issues.
Fast and Precise Symbolic Analysis of Concurrency Bugs in Device Drivers
This document summarizes a new tool called Whoop that statically analyzes device drivers for concurrency bugs like data races. Whoop uses symbolic pairwise lockset analysis to check if pairs of driver entry points could potentially race on shared memory locations. It then leverages any guarantees of race-freedom to accelerate the precise bug-finding tool Corral. The authors applied Whoop to 16 Linux drivers, finding some potential races. They showed Whoop significantly accelerated Corral by up to 20 times through sound partial-order reduction.
Kroening et al, v2c a verilog to c translator
The document describes v2c, a tool that translates Verilog to C. v2c accepts synthesizable Verilog as input and generates equivalent C code called a "software netlist". The translation is based on Verilog's synthesis semantics and preserves cycle accuracy and bit precision. The generated C code can then be used for hardware property verification, co-verification, simulation, and equivalence checking by leveraging software verification techniques.
Similar to An Empirical Study on Bounded Model Checking (20)
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT Kharagpur
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT Kharagpur
Verification of Security for Untrusted Third Party IP Cores
Verification of Security for Untrusted Third Party IP Cores
Dependability Benchmarking by Injecting Software Bugs
Dependability Benchmarking by Injecting Software Bugs
RMAC – A LIGHTWEIGHT AUTHENTICATION PROTOCOL FOR HIGHLY CONSTRAINED IOT DEVICES
RMAC – A LIGHTWEIGHT AUTHENTICATION PROTOCOL FOR HIGHLY CONSTRAINED IOT DEVICES
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
20080501 software verification_sharygina_lecture01
20080501 software verification_sharygina_lecture01
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
Fast and Precise Symbolic Analysis of Concurrency Bugs in Device Drivers
Fast and Precise Symbolic Analysis of Concurrency Bugs in Device Drivers
More from Stefano Dalla Palma
Design for Testability
1. The document discusses designing code for testability. It emphasizes dependency injection and mocking to easily instantiate classes and invoke methods during testing without dependencies.
2. It also discusses avoiding private and static methods when possible since they cannot be overridden or replaced, making the code harder to test. Following good design practices like the SOLID principles leads to more testable code.
3. The document provides examples of refactoring code to make it more testable through dependency injection and interfaces. This allows dependencies to be mocked or stubbed during testing and makes the code easier to extend.
Introduction to Mutation Testing
Mutation testing involves deliberately injecting faults into a program and running test cases to determine if they can detect the faults. It is a technique for evaluating test suite quality. Key aspects include generating mutant programs by making small syntactic changes to the original, running test cases against mutants, and calculating a mutation score based on the percentage of mutants detected. While useful for evaluation, mutation testing has limitations such as requiring significant computing resources and not accounting for equivalent or trivial mutants.
Artificial Neural Networks
Artificial neural networks (ANNs) are a subset of machine learning algorithms inspired by the human brain. ANNs consist of interconnected artificial neurons that can learn complex patterns from data. The document introduces ANNs and perceptrons, the simplest type of ANN for binary classification. It discusses how perceptrons use weighted inputs and an activation function to make predictions. The perceptron learning rule is then explained, showing how weights are updated during training to minimize errors by calculating delta weights through gradient descent. This allows perceptrons to learn logical functions like AND, OR, and NOT from examples.
Decision Tree learning
The document describes a scenario involving four men sentenced to death who must guess the color of their hats to survive. They are lined up without being able to see each other's hats or communicate. Person D does not answer in the first minute, allowing person C to deduce that D saw hats of two different colors in front of him. Therefore, if person B has a white hat, person C must have a black hat, and vice versa. This allows one of them to correctly guess the color of their hat and survive.
Introduction to Machine Learning with examples in R
A deep introduction to supervised and unsupervised Machine Learning with examples in R.
Techniques covered for Regression:
- Linear Regression
- Polynomial Regression
Techniques covered for Classification:
- Simple and Multiple Logistic Regression
- Linear and Quadratic Discriminant Analysis
- K-Nearest Neighbors
Clustering:
- K-Means clustering
- Hierarchical clustering
Introduction to Machine Learning concepts
A brief introduction of the main Machine Learning concepts, including supervised and unsupervised learning, and reinforcement learning
Apache Mahout Architecture Overview
Mahout is an open source machine learning java library from Apache Software Foundation, and therefore platform independent, that provides a fertile framework and collection of patterns and ready-made component for testing and deploying new large-scale algorithms.
With these slides we aims at providing a deeper understanding of its architecture.
UML, ER and Dimensional Modelling
The document discusses several modeling techniques used in software development including the Unified Modeling Language (UML), Entity-Relationship (ER) modeling, and dimensional modeling. It provides an overview of UML diagrams including use case, class, sequence, activity, and other diagrams. It also explains the basic concepts of ER modeling such as entities, attributes, relationships, and cardinalities. Finally, it gives an example of modeling a company database using ER diagrams with entities for departments, projects, employees, and their attributes and relationships.
Detecting controversy in microposts: an approach based on word similarity wit...
Descrizione di ATOMIC, un approccio introduttivo per la rilevazione della controversia nei social media. L'analisi è stata effettuata sulla piattaforma twitter.com.
Prolog in a nutshell
Una veloce introduzione alla sintassi ed ai costrutti di base di Prolog, con esempi di applicazione al linguaggio naturale.
More from Stefano Dalla Palma (10)
Introduction to Machine Learning with examples in R
Introduction to Machine Learning with examples in R
Detecting controversy in microposts: an approach based on word similarity wit...
Detecting controversy in microposts: an approach based on word similarity wit...
Recently uploaded
Using Query Store in Azure PostgreSQL to Understand Query Performance
Microsoft has added an excellent new extension in PostgreSQL on their Azure Platform. This session, presented at Posette 2024, covers what Query Store is and the types of information you can get out of it.
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Wondering how X-Sign gained popularity in a quick time span? This eSign functionality of XfilesPro DocuPrime has many advancements to offer for Salesforce users. Explore them now!
What next after learning python programming basics
What next after learning python programming basics
Measures in SQL (SIGMOD 2024, Santiago, Chile)
SQL has attained widespread adoption, but Business Intelligence tools still use their own higher level languages based upon a multidimensional paradigm. Composable calculations are what is missing from SQL, and we propose a new kind of column, called a measure, that attaches a calculation to a table. Like regular tables, tables with measures are composable and closed when used in queries.
SQL-with-measures has the power, conciseness and reusability of multidimensional languages but retains SQL semantics. Measure invocations can be expanded in place to simple, clear SQL.
To define the evaluation semantics for measures, we introduce context-sensitive expressions (a way to evaluate multidimensional expressions that is consistent with existing SQL semantics), a concept called evaluation context, and several operations for setting and modifying the evaluation context.
A talk at SIGMOD, June 9–15, 2024, Santiago, Chile
Authors: Julian Hyde (Google) and John Fremlin (Google)
https://doi.org/10.1145/3626246.3653374
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
原版定制【微信:bwp0011】《(hull学位证书)英国赫尔大学毕业证硕士文凭》【微信:bwp0011】成绩单 、雅思、外壳、留信学历认证永久存档查询,采用学校原版纸张、特殊工艺完全按照原版一比一制作(包括:隐形水印,阴影底纹,钢印LOGO烫金烫银,LOGO烫金烫银复合重叠,文字图案浮雕,激光镭射,紫外荧光,温感,复印防伪)行业标杆!精益求精,诚心合作,真诚制作!多年品质 ,按需精细制作,24小时接单,全套进口原装设备,十五年致力于帮助留学生解决难题,业务范围有加拿大、英国、澳洲、韩国、美国、新加坡,新西兰等学历材料,包您满意。
【业务选择办理准则】
一、工作未确定,回国需先给父母、亲戚朋友看下文凭的情况,办理一份就读学校的毕业证【微信bwp0011】文凭即可
二、回国进私企、外企、自己做生意的情况,这些单位是不查询毕业证真伪的,而且国内没有渠道去查询国外文凭的真假,也不需要提供真实教育部认证。鉴于此,办理一份毕业证【微信bwp0011】即可
三、进国企,银行,事业单位,考公务员等等,这些单位是必需要提供真实教育部认证的,办理教育部认证所需资料众多且烦琐,所有材料您都必须提供原件,我们凭借丰富的经验,快捷的绿色通道帮您快速整合材料,让您少走弯路。
留信网认证的作用:
1:该专业认证可证明留学生真实身份
2:同时对留学生所学专业登记给予评定
3:国家专业人才认证中心颁发入库证书
4:这个认证书并且可以归档倒地方
5:凡事获得留信网入网的信息将会逐步更新到个人身份内,将在公安局网内查询个人身份证信息后,同步读取人才网入库信息
6:个人职称评审加20分
7:个人信誉贷款加10分
8:在国家人才网主办的国家网络招聘大会中纳入资料,供国家高端企业选择人才
【关于价格问题(保证一手价格)】
我们所定的价格是非常合理的,而且我们现在做得单子大多数都是代理和回头客户介绍的所以一般现在有新的单子 我给客户的都是第一手的代理价格,因为我想坦诚对待大家 不想跟大家在价格方面浪费时间
对于老客户或者被老客户介绍过来的朋友,我们都会适当给一些优惠。
All you need to know about Spring Boot and GraalVM
All you need to know about Spring Boot and GraalVM 🐰
14 th Edition of International conference on computer vision
About the event
14th Edition of International conference on computer vision
Computer conferences organized by ScienceFather group. ScienceFather takes the privilege to invite speakers participants students delegates and exhibitors from across the globe to its International Conference on computer conferences to be held in the Various Beautiful cites of the world. computer conferences are a discussion of common Inventions-related issues and additionally trade information share proof thoughts and insight into advanced developments in the science inventions service system. New technology may create many materials and devices with a vast range of applications such as in Science medicine electronics biomaterials energy production and consumer products.
Nomination are Open!! Don't Miss it
Visit: computer.scifat.com
Award Nomination: https://x-i.me/ishnom
Conference Submission: https://x-i.me/anicon
For Enquiry: Computer@scifat.com
WWDC 2024 Keynote Review: For CocoaCoders Austin
Overview of WWDC 2024 Keynote Address.
Covers: Apple Intelligence, iOS18, macOS Sequoia, iPadOS, watchOS, visionOS, and Apple TV+.
Understandable dialogue on Apple TV+
On-device app controlling AI.
Access to ChatGPT with a guest appearance by Chief Data Thief Sam Altman!
App Locking! iPhone Mirroring! And a Calculator!!
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
Presented at NLJUG's J-Spring 2024.
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
UMN硕士毕业证成绩单【微信95270640】购买(明尼苏达大学毕业证成绩单硕士学历)Q微信95270640代办UMN学历认证留信网伪造明尼苏达大学学位证书精仿明尼苏达大学本科/硕士文凭证书补办明尼苏达大学 diplomaoffer,Transcript购买明尼苏达大学毕业证成绩单购买UMN假毕业证学位证书购买伪造明尼苏达大学文凭证书学位证书,专业办理雅思、托福成绩单,学生ID卡,在读证明,海外各大学offer录取通知书,毕业证书,成绩单,文凭等材料:1:1完美还原毕业证、offer录取通知书、学生卡等各种在读或毕业材料的防伪工艺(包括 烫金、烫银、钢印、底纹、凹凸版、水印、防伪光标、热敏防伪、文字图案浮雕,激光镭射,紫外荧光,温感光标)学校原版上有的工艺我们一样不会少,不论是老版本还是最新版本,都能保证最高程度还原,力争完美以求让所有同学都能享受到完美的品质服务。
#毕业证成绩单 #毕业証 #成绩单 #學生卡 #OFFER录取通知书 #雅思#托福等……
国外大学明尼苏达大学明尼苏达大学毕业证offer制作方法(一对一专业服务)
1客户提供办理信息:姓名生日专业学位毕业时间等(如信息不确定可以咨询顾问:我们有专业老师帮你查询);
2开始安排制作毕业证成绩单电子图;
3毕业证成绩单电子版做好以后发送给您确认;
4毕业证成绩单电子版您确认信息无误之后安排制作成品;
5成品做好拍照或者视频给您确认;
6快递给客户(国内顺丰国外DHLUPS等快读邮寄)
— — 制作工艺 【高仿真】— —
凭借多年的制作经验本公司制作明尼苏达大学明尼苏达大学毕业证offer《激光》《水印》《钢印》《烫金》《紫外线》凹凸版uv版等防伪技术一流高精仿度几乎跟学校100%相同!让您绝对满意。
— — -公司理念 【诚信为主】— — —
我們以質量求生存.以服务求发展有雄厚的实力专业的团队咨询顾问为您细心解答可详谈是真是假眼见为实让您真正放心平凡人生,尽我所能助您一臂之力让我們携手圆您梦想!
此贴长年有效【贴心专线/微-信: 95270640】敬请保留此联系方式以备用!如有不在线请给我们留言!我们将在第一时间给您回复!上散发着一抹抹的光晕而这每处自然形成的细节融合在一起浑然天成的美实在令人心生愉悦小道的周边无秩序的生长着几株艳丽的野花红的粉的紫的虽混乱无章却给这幅美景更增添一份性感夹杂着一份纯洁的妖娆毫无违和感实在给人带来一份悠然幸福的心情如果说现在的审美已经断然拒绝了无声的话那么在树林间飞掠而过的小鸟叽叽咋咋的叫声是否就是这最后的点睛之笔悠然走在林间的小路上宁静与清香一丝丝的盛夏气息吸入身体昔日生活里的繁忙多
How to write a program in any programming language
How to write a program in any programming language
Enums On Steroids - let's look at sealed classes !
These are slides for my session"Enums On Steroids - let's look at sealed classes !" - delivered among others, on Devoxx UK 2024 conference
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Consistent toolbox talks are critical for maintaining workplace safety, as they provide regular opportunities to address specific hazards and reinforce safe practices.
These brief, focused sessions ensure that safety is a continual conversation rather than a one-time event, which helps keep safety protocols fresh in employees' minds. Studies have shown that shorter, more frequent training sessions are more effective for retention and behavior change compared to longer, infrequent sessions.
Engaging workers regularly, toolbox talks promote a culture of safety, empower employees to voice concerns, and ultimately reduce the likelihood of accidents and injuries on site.
The traditional method of conducting safety talks with paper documents and lengthy meetings is not only time-consuming but also less effective. Manual tracking of attendance and compliance is prone to errors and inconsistencies, leading to gaps in safety communication and potential non-compliance with OSHA regulations. Switching to a digital solution like Safelyio offers significant advantages.
Safelyio automates the delivery and documentation of safety talks, ensuring consistency and accessibility. The microlearning approach breaks down complex safety protocols into manageable, bite-sized pieces, making it easier for employees to absorb and retain information.
This method minimizes disruptions to work schedules, eliminates the hassle of paperwork, and ensures that all safety communications are tracked and recorded accurately. Ultimately, using a digital platform like Safelyio enhances engagement, compliance, and overall safety performance on site. https://safelyio.com/
zOS Mainframe JES2-JES3 JCL-JECL Differences
Document which explains the difference between Jes2 and Jes3
The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...
In today's business landscape, digital integration is ubiquitous, demanding swift innovation as a necessity rather than a luxury. In a fiercely competitive market with heightened customer expectations, the timely launch of flawless digital products is crucial for both acquisition and retention—any delay risks ceding market share to competitors.
Microservice Teams - How the cloud changes the way we work
A lot of technical challenges and complexity come with building a cloud-native and distributed architecture. The way we develop backend software has fundamentally changed in the last ten years. Managing a microservices architecture demands a lot of us to ensure observability and operational resiliency. But did you also change the way you run your development teams?
Sven will talk about Atlassian’s journey from a monolith to a multi-tenanted architecture and how it affected the way the engineering teams work. You will learn how we shifted to service ownership, moved to more autonomous teams (and its challenges), and established platform and enablement teams.
How Can Hiring A Mobile App Development Company Help Your Business Grow?
ToXSL Technologies is an award-winning Mobile App Development Company in Dubai that helps businesses reshape their digital possibilities with custom app services. As a top app development company in Dubai, we offer highly engaging iOS & Android app solutions. https://rb.gy/necdnt
Artificia Intellicence and XPath Extension Functions
The purpose of this presentation is to provide an overview of how you can use AI from XSLT, XQuery, Schematron, or XML Refactoring operations, the potential benefits of using AI, and some of the challenges we face.
Recently uploaded (20)
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
What next after learning python programming basics
What next after learning python programming basics
All you need to know about Spring Boot and GraalVM
All you need to know about Spring Boot and GraalVM
14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
How to write a program in any programming language
How to write a program in any programming language
Enums On Steroids - let's look at sealed classes !
Enums On Steroids - let's look at sealed classes !
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...
The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...
Microservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we work
How Can Hiring A Mobile App Development Company Help Your Business Grow?
How Can Hiring A Mobile App Development Company Help Your Business Grow?
Artificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension Functions
An Empirical Study on Bounded Model Checking
- 1. An Empirical Study on Bounded Model Checking in Security Context Stefano DALLA PALMA Rocco OLIVETO Earl BARR
- 2. Software systems are not so safe and secure as one might think
- 3. Testing can only show the presence of bugs, but it cannot prove their absence “ Edsger Dijkstra ” Bugs in software seem to be unavoidable
- 4. Model Checker yes no (witness path) (counterexample) model specification property (logical formula)
- 5. In Bounded Model Checking the model is treat as a finite state machine with at most k states for some constant k Given a finite state machine M and a property P, either show a counterexample for P with at most k state transitions or argue there is no such example new problem
- 6. CBMC The GOAL of the empirical study was to analyse the PRECISION of BOUNDED MODEL CHECKING to understand its real capabilities in the DETECTION vulnerable code regions OF
- 7. Is the distribution of the safety properties among known vulnerabilities significantly different ? RQ1
- 8. Vulnerability Number of fails Property cwe 121 15 p1 cwe 122 20 p1 cwe 123 8 p1 … … … cwe 121 1 p2 cwe 122 0 p2 cwe 123 3 p2 … … … The failure scores differ between properties
- 9. The properties distribution is significantly different among vulnerability types
- 10. Does the presence of multiple vulnerabilities affect the detection of a given vulnerability ? RQ2
- 11. Vulnerability Name Properties cwe 121 Stack-based buffer overflow bounds-check, pointer-check, pointer-overflow-check cwe 190 Integer overflow signed-overflow-check, unsigned-overflow-check cwe 194 Unexpected sign extension conversion-check cwe 369 Divide by zero div-by-zero-check cwe 401 Memory leak memory-leak-check cwe 476 Null pointer dereference pointer-check
- 12. Pure dataset Injected dataset Belong to the same class of vulnerability Belong to different classes of vulnerability
- 13. The presence of multiple vulnerabilities in the source code affect the detection of correlated vulnerabilities
- 14. Which are optimal values of loop unwinds for which precision and recall are maximized ? RQ3
- 15. int main() { if ( condition ) // first unwind Body; if ( condition ) // second unwind Body; if ( condition ) // third unwind Body; assert ( !condition ); // unwinding assertion } Is it possible to model the computation of the programs up to a particular depth k int main() { while ( condition ) Body; } k = 3
- 16. Small values for loop unwinds are enough to maximize precision and recall Recall Precision Loop unwind Unwind Completedverifications
- 17. Agenda ✓ Replication study on open-source projects ✓ User study
- 18. An Empirical Study on Bounded Model Checking in Security Context Stefano DALLA PALMA Rocco OLIVETO Earl BARR Questions ?