Node.js has given JavaScript a new resurgence as a server-side language. No longer just for image rollovers and AJAX, JS is now available as a platform for creating lightning-fast, lightweight, networked applications. In this session, we will move beyond Node’s base web servers and Twitter applications, and into module development: those small, reusable components that are the foundation for every business application on every platform. Learn how to create a module within Node.js, how to test your module and validate functionality, and how to get your creation distributed into the wild. With this knowledge, you can make the next great Node package and become famous.
If you don’t test it, how do you know it works? Over the past few years, we have been compelled to write unit and integration tests for our applications--code that validates code--and it is these tests that change a one-off tool into a well-architected, robust, business-ready application. Yet, every new framework requires a new testing framework, so in this session, we will discuss testing frameworks for node.js. You will walk away with a solid understanding of how to write tests against your node.js applications and modules, leading to confidence that your work is business-ready.
Zach Pinter - Caching and Synchronization with Flex - 360|Conferences
In this talk, I'll show how to combine weak references, hashes, binding and item renderers to produce an elegant solution to the problem of keeping objects synchronized and reducing calls to the server.
Outline:
* The WeakReference class
  o Allows cached objects to be garbage collected
  o Briefly explain difference between hard references and soft references
* The EntityWrapper class
  o Gives item renderers an object that they can immediately bind to while potentially waiting for the server to respond
* The EntityCache
  o Central location for all VO objects currently referenced by the application
  o Used to coordinate updates to client-side data
    + Recursively scan an incoming object for VO objects that can be used to fill/update the cache
    + Looks at all properties, properties of properties, etc.
  o When querying for a specific object by its id, first check the cache
    + A cache hit returns the object
    + A cache miss queues a call to the server
    + All cache misses in a given frame are grouped together to reduce server load
  o Deals with duplicate objects
    + If an entity is already represented by an object in the cache, update the existing object's properties and discard the new object
    + Use the cache to make sure there's only ever one authoritative object instance
      # Everything binds to the authoritative instance
      # When that instance gets updated, so does the rest of the application
* Taking advantage of the behavior of item renderers inside lists
  o Only the visible rows are fetched, which makes the app more responsive
  o (Optional) Talk about server-side datagrid sorting to make sure the client doesn't have to have all the data fetched locally
Building complex async applications is really hard. Whether you use callbacks, Promises, or EventEmitters, Error objects should have a place in your utility belt. They are indispensable when it comes to managing workflows in a highly asynchronous environment.
This talk covers patterns for using JavaScript Error (with a capital E) objects to build resilient applications, and introduces some modules that can be used to build errors with an elegant history of stack traces even through multiple asynchronous operations. Try/catch, callbacks, and other error handling mechanisms will be examined, revealing some potential deficiencies in the JavaScript language for dealing with errors.
Video: https://www.youtube.com/watch?v=PyCHbi_EqPs
Approximating Change Sets at Philips Healthcare: A Case Study - Rahul Premraj
Talk presented on March 4, 2011 at the 15th European Conference on Software Maintenance and Reengineering in Oldenburg, Germany.
Abstract: A single development task such as solving a bug or implementing a new feature often involves changing a number of entities, known together as a change set. Change sets can be approximated from the version control system. They are then used by the architects and developers to take important decisions, so change sets need to be approximated carefully. It is common to assume that two entities checked in less than a small time interval from each other, and having the same meta-data associated with them, belong to the same transaction. Transactions may be good approximations of change sets if developers commit change sets in one go and if the required meta-data is available. This is however not the case in the industrial environment (Philips Healthcare) we study. Our paper presents a case study in which we investigated how change sets can be approximated in an environment with a complex workflow and limited meta-data in the version repositories. We found that, depending on the commit practices used, suitable time intervals between check-in timestamps of files have to be determined and leveraged to reliably approximate change sets.
Mining the Modern Code Review Repositories: A Dataset of People, Process and ... - Norihiro Yoshida
Slides for the data paper "Mining the Modern Code Review Repositories: A Dataset of People, Process and Product" in the proceedings of the 13th International Conference on Mining Software Repositories (MSR 2016), Austin, TX, May 2016.
[How We Use Data] Using data to improve online services - Jinyoung Kim, data scientist, Microsoft - Dylan Ko
Second presentation from the startup data seminar "How We Use Data" (우리가 데이터를 쓰는 법), hosted by Younghyuk Ko, CEO of Gonnector (고넥터).
Seminar: How We Use Data (우리가 데이터를 쓰는 법)
Date: Tuesday, April 12, 2016, 10:00 to 18:00
Venue: Maru180 (마루180), B1 Think Hall
Title: Using data to improve online services
Speaker: Jinyoung Kim, data scientist, Microsoft
Mining public datasets using open source tools: Zeppelin, Spark and Juju - seoul_engineer
There are plenty of public datasets available, and their number is growing. A few recent and most useful tools of the BigData ecosystem are showcased: Apache Zeppelin (incubating), Apache Spark and Juju.
TAROT2013 Testing School - Leonardo Mariani presentation - Henry Muccini
TAROT 2013 9th International Summer School on Training And Research On Testing, Volterra, Italy, 9-13 July, 2013
These slides summarize Leonardo Mariani's presentation about "Automated Failure Analysis in Absence of Specification"
Neal Ford: Emergent Design And Evolutionary Architecture - Thoughtworks
ThoughtWorks Luminary and Conference Presenter Extraordinaire Neal Ford will be presenting:
Emergent Design & Evolutionary Architecture
Most of the software world has realised that Big Design Up Front (BDUF) doesn’t work well in software. But lots of developers struggle with this notion when it applies to architecture and design: surely you can’t just start coding, right? You need some level of understanding before you can start work.
This seminar will explore the current thinking about Emergent Design and Evolutionary Architecture, including:
• Proactive approaches with test driven development
• Reactive approaches including both refactoring and composed methods
• Strategies and techniques for allowing design to emerge from projects as they proceed, keeping your code in sync with the problem domain
• Real world examples of these techniques in action
Neal Ford, Software Architect and Meme Wrangler, ThoughtWorks
Neal is an acclaimed international speaker and expert on designing and building large-scale enterprise applications. Neal has spoken at over 100 conferences worldwide, delivering more than 600 talks. Neal is also the designer and developer of applications, instructional materials, magazine articles, courseware and video/DVD presentations, and author and/or editor of 6 books spanning a variety of technologies, including the most recent, The Productive Programmer.
Hidden pearls for High-Performance Persistence - Sven Ruppert
Small use cases with a significant amount of data for internal company usage: most developers have had one of these in their career already. However, no Ops team, no Kubernetes, no cluster is available as part of the solution.
In this talk, I will show a few tech stacks that help to deal with persistent data without the classic horizontal-scaling tech monsters like Kubernetes, Hadoop and many more.
Sit down, relax and enjoy the journey through a bunch of lightning-fast persistence alternatives for pure Java devs.
Test First, Refresh Second: Test-Driven Development in Grails - Tim Berglund
Grails provides solid support for unit testing of parts of your application that are usually very difficult to test. Learn how to enable test-first development practices using the Grails framework.
Advanced Topics in Continuous Deployment - Mike Brittain
Like what you've read? We're frequently hiring for a variety of engineering roles at Etsy. If you're interested, drop me a line or send me your resume: mike@etsy.com.
http://www.etsy.com/careers
Continuous Deployment: The Dirty Details - Mike Brittain
Presented at ALM Summit 3 in Redmond, WA. January 2013.
Like what you've read? We're frequently hiring for a variety of engineering roles at Etsy. If you're interested, drop me a line or send me your resume: mike@etsy.com.
http://www.etsy.com/careers
Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart Docker, Inc.
Riot builds a lot of software. At the start of 2015 we were looking at 3000 build jobs over a hundred different applications and dozens of teams. We were handling nearly 750 jobs per hour and our build infrastructure needed to grow rapidly to meet demand. We needed to give teams total control of the “stack” used to build their applications, and we needed a solution that enabled agile delivery to our players. On top of that, we needed a scalable system that would allow a team of four engineers to support over 250.
After a few explorations, we built an integrated Docker solution using Jenkins that accepts Docker images submitted as build environments by engineers around the company. Our “containerized” farm now creates over 10,000 containers a week and handles nearly 1000 jobs at a rate of about 100 jobs an hour.
In this occasionally technical talk, we’ll explore the decisions that led Riot to consider Docker, the evolutionary stages of our build infrastructure, and how we combined open source and in-house software to achieve our goals at scale. You’ll come away with some best practices, plenty of lessons learned, and insight into some of the more unique aspects of our system (like automated testing of submitted build environments, or testing node.js apps in containers with Chromium and xvfb).
GeeCON 2017 - TestContainers. Integration testing without the hassle - Anton Arhipov
TestContainers is a Java library that supports JUnit tests, providing lightweight, throwaway instances of common databases, Selenium web browsers, or anything else that can run in a Docker container.
The Ember.js Framework - Everything You Need To Know - All Things Open
All Things Open 2014 - Day 2
Thursday, October 23rd, 2014
Yehuda Katz
Founder of Tilde
Front Dev 1
The Ember.js Framework - Everything You Need To Know
J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required" - Daniel Bryant
It’s easy to get seduced by being able to quickly deploy and scale applications by using containers. However, when things inevitably go wrong, how do you debug your application? This session covers various pro bug hunting tips and tricks. It shows live demos of tools such as the Docker stats API, Docker exec (and top, vmstat, and netstat), and how to use the ELK stack for centralized logging. It also dives into other more sophisticated tools that operate at the application and (micro)service layer, such as Twitter’s Zipkin tracing app, Spring Boot’s Actuator, and DropWizard’s Metrics library. Keep those container-based nightmares away by ensuring that when the worst does happen, you have the tools, info, and experience to debug containerized applications.
Presented at JavaOne 2015 with Steve Poole
Genomic Computation at Scale with Serverless, StackStorm and Docker Swarm - Dmitri Zimine
Presented at SuperComputing SC17 on Nov 14, 2017 by Dmitri Zimine.
This talk is a story of bio-tech meeting DevOps to produce genomic computations, economically, and at scale.
Genomic computation is growing in demand as it comes to the mainstream practices of bio-technology, agriculture, and personal medicine. It also explodes the demand for compute resources. In fact, with inexpensive next-gen sequencing, some labs sequence over 1,000,000 billion bases per year. Genetic data banks are growing over 10x annually. How to compute the genomic data at massive scale, and do it in a cost-efficient way?
In the presentation, we describe and demonstrate a serverless solution built with Docker, Docker Swarm, StackStorm and other tools from the DevOps toolchain on AWS. The solution offers a new take on creating and computing bio-informatic pipelines that can run at high scale and at optimal cost.
http://sc17.supercomputing.org/presentation/?id=exforum106&sess=sess150
Find out how to configure and package clustered Payara Micro with load balancing, automatic scaling and dedicated storage for building cloud-native microservices. Then with the help of cloud scripting and triggering, automate CI/CD for the deployed application and emulate the load to check the scaling and performance results.
Similar to Mining Software Archives to Support Software Development (20)
A preview of the MSR 2013 conference, May 18-19, 2013, in San Francisco, CA. REGISTER NOW! Early registration discounts until April 14. http://msrconf.org
Empirical Software Engineering at Microsoft Research - Thomas Zimmermann
An invited talk that I gave in Tokyo. Very special thanks to Shuji Morisaki who was my translator during the session. Many thanks to Chris Bird, Nachi Nagappan, Rahul Premraj, and Sascha Just who provided slides for this talk.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf - 91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
The new frontiers of AI in RPA with UiPath Autopilot™ - UiPathCommunity
In this free online event, organized by the Italian UiPath Community, you can explore the new features of Autopilot, the tool that integrates artificial intelligence into the development and use of automations.
📕 We will look together at some examples of using Autopilot in various tools of the UiPath Suite:
Autopilot for Studio Web
Autopilot for Studio
Autopilot for Apps
Clipboard AI
GenAI applied to Document Understanding
Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... - Ramesh Iyer
In today's fast-changing business world, companies that do not adapt and embrace new ideas often struggle to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and a willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
UiPath Test Automation using UiPath Test Suite series, part 3 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Elevating Tactical DDD Patterns Through Object Calisthenics - Dorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... - UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf - Paige Cruz
Monitoring and observability aren’t traditionally found in software curriculums, and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is part of our current company’s observability stack.
While the dev and ops silo continues to crumble, many organizations still relegate monitoring & observability to the purview of ops, infra and SRE teams. This is a mistake: achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party, and will share these foundational concepts to build on:
A tale of scale & speed: How the US Navy is enabling software delivery from l... - sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
12. eROSE
Related Changes
(ICSE 2004, TSE 2005)
Tom Zimmermann • Saarland University
Peter Weißgerber • University of Trier
Stephan Diehl • University of Trier
Andreas Zeller • Saarland University
18. eROSE: Guiding Developers
Developers who changed this function also changed... (Version Archive)
Customers who bought this item also bought... (Purchase History)
42. Evaluation
EROSE predicts 33% of all changed entities (files: 44%).
In 70% of all transactions, EROSE’s topmost three suggestions contain a changed entity (files: 72%).
Projects shown: GIMP, PostgreSQL, KOffice, jEdit
43. Evaluation
EROSE predicts 33% of all changed entities (files: 44%).
In 70% of all transactions, EROSE’s topmost three suggestions contain a changed entity (files: 72%).
EROSE learns quickly (within 30 days).
Projects shown: GIMP, PostgreSQL, KOffice, jEdit
44. eROSE
Related Changes
(ICSE 2004, TSE 2005)
guides developers
non-program elements
(documentation)
learns quickly
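As an added example (not eROSE's own code), the "also changed..." idea of slide 18 and the top-three evaluation of slide 42 in Python: single-antecedent rules are mined from constructed sample transactions, and the evaluation asks, for each transaction, whether the top-k suggestions for one of its entities name another entity of the same transaction. The file names, thresholds and the choice of query entity are assumptions.

```python
"""Association rules over version-archive transactions, eROSE-style
(added example, not the eROSE implementation)."""
from collections import defaultdict
from itertools import combinations

# Constructed sample history: each transaction is the set of entities that
# were checked in together (hypothetical file names).
TRANSACTIONS = [
    {"fKeys.c", "Keys.h", "parser.c"},
    {"fKeys.c", "Keys.h", "doc/keys.txt"},
    {"fKeys.c", "Keys.h"},
    {"parser.c", "lexer.c"},
    {"parser.c", "lexer.c", "doc/parser.txt"},
    {"gui.c"},
]


def mine_rules(transactions, min_support=2, min_confidence=0.5):
    """Return rules a -> b as {a: [(b, support, confidence), ...]}.
    support    = transactions containing both a and b
    confidence = support / transactions containing a
    Rules are ordered by confidence, then support, then name."""
    single = defaultdict(int)
    pair = defaultdict(int)
    for t in transactions:
        for e in t:
            single[e] += 1
        for a, b in combinations(sorted(t), 2):
            pair[(a, b)] += 1
            pair[(b, a)] += 1
    rules = defaultdict(list)
    for (a, b), sup in pair.items():
        conf = sup / single[a]
        if sup >= min_support and conf >= min_confidence:
            rules[a].append((b, sup, conf))
    for a in rules:
        rules[a].sort(key=lambda r: (-r[2], -r[1], r[0]))
    return dict(rules)


def suggest(rules, changed, k=3):
    """'Developers who changed X also changed...': given the entities already
    changed in the current transaction, return the top-k suggestions."""
    scores = {}
    for a in changed:
        for b, sup, conf in rules.get(a, []):
            if b in changed:
                continue
            if b not in scores or (conf, sup) > scores[b]:
                scores[b] = (conf, sup)
    ranked = sorted(scores, key=lambda b: (-scores[b][0], -scores[b][1], b))
    return ranked[:k]


def evaluate(training, test, k=3):
    """Slide-42-style numbers. For each test transaction the (alphabetically)
    first entity plays the role of the entity the developer changed first;
    the rest are what eROSE should predict. Returns (share of transactions
    whose top-k suggestions contain a changed entity, share of the remaining
    entities that were predicted)."""
    rules = mine_rules(training)
    hits = predicted = to_predict = 0
    for t in test:
        query = min(t)
        expected = t - {query}
        to_predict += len(expected)
        correct = [s for s in suggest(rules, {query}, k) if s in expected]
        predicted += len(correct)
        if correct:
            hits += 1
    hit_rate = hits / len(test) if test else 0.0
    recall = predicted / to_predict if to_predict else 0.0
    return hit_rate, recall


if __name__ == "__main__":
    rules = mine_rules(TRANSACTIONS)
    print("changed fKeys.c and parser.c ->", suggest(rules, {"fKeys.c", "parser.c"}))
    print("top-3 hit rate, recall:", evaluate(TRANSACTIONS, TRANSACTIONS))
```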
45. BugCache
Predicting Defects
(ASE 2006, ICSE 2007)
Sung Kim • MIT
Tom Zimmermann • Saarland University
Jim Whitehead • Univ. of California SC
Andreas Zeller • Saarland University
46. The Problem
How should we allocate our resources for quality assurance?
47. One Solution
List with elements that (will) have defects
List is adaptive, i.e., it changes over time
48. One Solution
List with elements that (will) have defects
Cache
List is adaptive, i.e., it changes over time
49. The BugCache Model
What is loaded in the cache? Cache size: 2
Hypothesis: Temporal locality between defects
54. The BugCache Model
What is loaded in the cache? Cache size: 2
Miss
Hypothesis: Temporal locality between defects
68. Loading Elements
Temporal locality – as shown before
Spatial locality – load “nearby” elements (i.e., co-changed before)
Changed-entity locality – load changed elements
New-entity locality – load new elements
Initial pre-fetch – start with a loaded cache
74. BugCache
Predicting Defects
(ASE 2006, ICSE 2007)
temporal locality
adaptive
hit rates of 71%~95%
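An added simulation (not the authors' code) of the BugCache model on a constructed commit history: a fixed-size LRU cache is checked on every bug fix and then loaded by the temporal, spatial, changed-entity, new-entity and pre-fetch rules of slide 68, and the hit rate is the share of fixed entities that were already in the cache. The entity names, cache sizes and the co-change bookkeeping used for spatial locality are assumptions.

```python
"""BugCache simulation (added example, not the BugCache implementation)."""
from collections import OrderedDict, defaultdict

# Constructed history: (changed entities, fixed entities, new entities) per
# commit. A commit with a non-empty fixed set is a bug fix.
HISTORY = [
    ({"a.c", "b.c"}, set(), {"a.c", "b.c"}),
    ({"c.c"}, set(), {"c.c"}),
    ({"a.c"}, {"a.c"}, set()),
    ({"a.c", "b.c"}, {"a.c"}, set()),
    ({"d.c"}, set(), {"d.c"}),
    ({"b.c"}, {"b.c"}, set()),
    ({"c.c"}, {"c.c"}, set()),
    ({"a.c"}, {"a.c"}, set()),
]


class BugCache:
    def __init__(self, size, prefetch=()):
        self.size = size
        self.cache = OrderedDict()          # least recently loaded first
        self.cochanged = defaultdict(set)    # entity -> entities changed with it earlier
        self.hits = self.misses = 0
        for e in prefetch:                   # initial pre-fetch: start with a loaded cache
            self.load(e)

    def load(self, entity):
        """Insert or refresh an entity; evict the least recently loaded one on overflow."""
        if entity in self.cache:
            self.cache.move_to_end(entity)
        else:
            if len(self.cache) >= self.size:
                self.cache.popitem(last=False)
            self.cache[entity] = True

    def commit(self, changed, fixed, new):
        # 1. Prediction check: a fixed entity that is already cached is a hit.
        for e in sorted(fixed):
            if e in self.cache:
                self.hits += 1
            else:
                self.misses += 1
        # 2. Loading rules (sorted for a deterministic eviction order).
        for e in sorted(fixed):              # temporal locality: the defective entity itself
            self.load(e)
        for e in sorted(fixed):              # spatial locality: entities co-changed with it before
            for c in sorted(self.cochanged[e]):
                self.load(c)
        for e in sorted(changed):            # changed-entity locality
            self.load(e)
        for e in sorted(new):                # new-entity locality
            self.load(e)
        # 3. Remember co-changes for later spatial loading.
        for e in changed:
            self.cochanged[e] |= changed - {e}

    def hit_rate(self):
        total = self.hits + self.misses
        return self.hits / total if total else 0.0


def simulate(history, size, prefetch=()):
    """Replay the history through a cache of the given size; return (hits, misses, hit rate)."""
    bc = BugCache(size, prefetch)
    for changed, fixed, new in history:
        bc.commit(changed, fixed, new)
    return bc.hits, bc.misses, bc.hit_rate()


if __name__ == "__main__":
    for size in (2, 3):
        hits, misses, rate = simulate(HISTORY, size)
        print(f"cache size {size}: {hits} hits, {misses} misses, hit rate {rate:.2f}")
```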
75. Vulture
Predicting
Security Vulnerabilities
(Work in Progress)
Stephan Neuhaus • Saarland University
Tom Zimmermann • Saarland University
Andreas Zeller • Saarland University
81. Vulnerabilities
Security Advisory 2005-12
Title: Livefeed bookmarks can steal cookies
Impact: High
Products: Firefox
Description: Earlier versions of Firefox allowed javascript: and data: URLs as Livefeed bookmarks. When they updated the URL would be run in the context of the current page and could be used to steal cookies or data displayed on the page. If the user were on a page with elevated privileges (for example, about:config) when the Livefeed was updated, the feed URL could potentially run arbitrary code on the user's machine.
0 Vulnerabilities
83. Vulnerabilities
Security Advisory 2005-13
Title: Window Injection Spoofing
Severity: Low
Products: Firefox, Mozilla Suite
Description: A website can inject content into a popup opened by another site if the target name of the popup window is known. An attacker who knows you are going to visit that other site could spoof the contents of the popup.
0 Vulnerabilities
84. Vulnerabilities
[Several security advisories are overlaid on this slide and their text was extracted interleaved. Recoverable: Security Advisories 2005-15, 2005-41, 2005-16, 2006-76 and 2005-14; titles among them: heap overflow possible in UTF8 to Unicode conversion; spoofing download and security dialogs with overlapping windows; privilege escalation via DOM property overrides; XSS using outer window's Function object; SSL "secure site" indicator spoofing. Severities range from Low to Critical; products: Firefox, Thunderbird, Mozilla Suite. The descriptions mention the reporter moz_bug_r_a4 and bug 355161.]
0 Vulnerabilities
111. Research Questions
• How well do imports predict vulnerabilities?
• Can imports be used for
− classification (vulnerable or not) and for
− regression (number of vulnerabilities)?
112. Input Data
Component            Vulnerability-related bug reports
nsCOMArray           0
nsIDocument.h        1
nspr_md.h            0
nsDOMClassInfo       10
EmbedGTKTools        0
MozillaControl.cpp   0
nsDOMClassInfo has had 10 vulnerability-related bug reports
113. Input Data
Rows are components; the first number is the count of vulnerability-related bug reports, and each following column is a 0/1 flag saying whether the component imports a given header (the rotated header names did not survive extraction).
nsCOMArray           0   1 0 0 0 1 0 0
nsIDocument.h        1   0 0 1 0 0 1 0
nspr_md.h            0   0 1 1 0 0 1 0
nsDOMClassInfo       10  0 0 1 0 1 0 0
EmbedGTKTools        0   0 0 0 0 1 0 0
MozillaControl.cpp   0   0 1 0 1 0 0 0
nsDOMClassInfo has had 10 vulnerability-related bug reports
nsDOMClassInfo imports “nsIXPConnect.h”
114. Distribution
[Two histograms: "Distribution of MFSAs" (x-axis: Number of MFSAs) and "Distribution of Bug Reports" (x-axis: Number of Bug Reports), both with y-axis Number of Components; only axis ticks survived extraction.]
115. Experiments
• 40 random splits: 6,968 rows in training set, 3,484 rows in validation set
• Classification: train SVM, compute recall and precision
• Regression: train SVM, compute rank correlation on top 1%
• SVM: linear kernel with default parameters, R implementation (up to 10GB of main memory)
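An added example (not the Vulture tool) of the input data and the classification experiment of slides 112 to 115: the component-by-import matrix is built from #include lines of constructed components, a per-import risk score stands in for the slides' SVM (a plain substitution, not the authors' method), and precision and recall are averaged over random training/validation splits. All headers and components are constructed; only nsDOMClassInfo's 10 reports and nsIDocument.h's 1 come from the slides.

```python
"""Vulture-style import features and classification (added example)."""
import random
import re

INCLUDE_RE = re.compile(r'^\s*#\s*include\s*[<"]([^>"]+)[>"]', re.MULTILINE)

# Constructed components: name -> (source text, vulnerability-related bug reports).
COMPONENTS = {
    "nsDOMClassInfo":     ('#include "nsIXPConnect.h"\n#include "nsIDocument.h"\n', 10),
    "nsIDocument.h":      ('#include "nsISupports.h"\n#include "nsIXPConnect.h"\n', 1),
    "nsCOMArray":         ('#include "nsISupports.h"\n', 0),
    "nspr_md.h":          ('#include <prtypes.h>\n', 0),
    "EmbedGTKTools":      ('#include <gtk/gtk.h>\n#include "nsISupports.h"\n', 0),
    "MozillaControl.cpp": ('#include <windows.h>\n#include "nsISupports.h"\n', 0),
    "nsScriptLoader":     ('#include "nsIXPConnect.h"\n#include "nsIScriptContext.h"\n', 3),
    "nsGfxUtils":         ('#include <prtypes.h>\n#include <gtk/gtk.h>\n', 0),
    "nsTextFrame":        ('#include "nsIDocument.h"\n#include "nsISupports.h"\n', 0),
}


def import_matrix(components):
    """Slide 113: rows are components, columns the headers seen anywhere,
    entry 1 if the component includes that header."""
    imports = {name: set(INCLUDE_RE.findall(src)) for name, (src, _) in components.items()}
    columns = sorted(set().union(*imports.values()))
    rows = {name: [1 if c in imports[name] else 0 for c in columns] for name in components}
    return columns, rows


def train(columns, rows, counts, names):
    """Per-import risk: share of training components importing the header
    that are vulnerable (count > 0). Stand-in for the SVM on slide 115."""
    risk = []
    for j, _ in enumerate(columns):
        users = [n for n in names if rows[n][j]]
        vulnerable = [n for n in users if counts[n] > 0]
        risk.append(len(vulnerable) / len(users) if users else 0.0)
    return risk


def predict(risk, row, threshold=0.5):
    """Classify as vulnerable if the riskiest import exceeds the threshold."""
    used = [risk[j] for j, v in enumerate(row) if v]
    return max(used, default=0.0) > threshold


def precision_recall(columns, rows, counts, train_names, test_names):
    """Train on one split, classify the validation components, return (precision, recall)."""
    risk = train(columns, rows, counts, train_names)
    tp = fp = fn = 0
    for n in test_names:
        pred, actual = predict(risk, rows[n]), counts[n] > 0
        if pred and actual:
            tp += 1
        elif pred:
            fp += 1
        elif actual:
            fn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def random_split_eval(components, splits=40, train_fraction=2 / 3, seed=0):
    """Average precision/recall over random splits, as on slide 115
    (the slides use 6,968 training and 3,484 validation rows)."""
    columns, rows = import_matrix(components)
    counts = {n: c for n, (_, c) in components.items()}
    names = sorted(components)
    k = max(1, int(len(names) * train_fraction))
    rng = random.Random(seed)
    results = []
    for _ in range(splits):
        shuffled = names[:]
        rng.shuffle(shuffled)
        results.append(precision_recall(columns, rows, counts, shuffled[:k], shuffled[k:]))
    return (sum(p for p, _ in results) / splits, sum(r for _, r in results) / splits)


if __name__ == "__main__":
    cols, rws = import_matrix(COMPONENTS)
    print("columns:", cols)
    print("nsDOMClassInfo row:", rws["nsDOMClassInfo"])
    print("avg precision, recall over 40 splits:", random_split_eval(COMPONENTS))
```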