The document discusses trustworthy systems and trusted AI. It provides background on the Singapore Cybersecurity Consortium and its vision of trustworthy systems. It then summarizes ongoing work, including capabilities for security testing, formal verification of systems, and research on defending against Spectre attacks and fuzz testing. It also discusses model training and robustness, fuzzing for deep neural networks, and research on self-healing systems through specification inference and genetic programming.
Singapore International Cyberweek 2020
1. Trustworthy Systems to Trusted AI
Prof. Abhik Roychoudhury
Provost’s Chair Professor
National University of Singapore
Cybersecurity R&D Workshop 2020
2. Outline
• Background: Singapore Cyber-security Consortium
• Vision of Trustworthy Systems
• Ongoing work on Trustworthy Systems and Trusted AI
3. About: Singapore Cybersecurity Consortium (SGCSC)
Est. 1 September 2016
A nation-wide platform for engagement between industry, academia, and government towards greater awareness, adoption, and translation of cybersecurity technologies
• Encourage problem-inspired research
• Upgrade capabilities through technology adoption
• Grow an innovation ecosystem
Industry, Academia, Agencies
4. Structure
Agencies: Singapore public agencies. Open participation.
Industry: Industry members. Singapore-registered companies with interest or expertise in cybersecurity are eligible to apply for membership.
Academia: Institutes of Higher Learning and Research Institutes. Open participation.
5. Industry Members (as of 15 Sep 2020)
Membership tiers: Platinum, Gold, Silver
6. Ecosystem
National Cybersecurity R&D (NCR) Programme
https://www.nrf.gov.sg/programmes/national-cybersecurity-r-d-programme
• National Satellites of Excellence
• Local and International Research Grants
• National Cybersecurity R&D Laboratory & iTrust Labs
• Singapore Cybersecurity Consortium
• Cybersecurity Postgraduate Scholarship
SGCSC, a component of the NCR programme, helps members gain awareness and exposure to various resources and support for cybersecurity R&D available under the programme.
7. Activities
Annual WILD & CRAZY IDEAS DAY: Research ideas; Problem statements
Annual CYBERSECURITY CAMP: Workshop on trending topics; Industry applications; Hands-on learning
MEMBER RATE
Quarterly TECHNOLOGY TALKS: Latest technologies and trends; Project showcases
EXPOSURE OPPORTUNITIES
SPECIAL INTEREST GROUPS: Knowledge and idea exchange; R&D partnership exploration
MEMBER ONLY
Annual SEED GRANT CALL: Funding for joint R&D (Industry-Academia pair); Approx. $100 – 150K; 1- to 1.5-year projects
MEMBER ONLY
CYBERSECURITY TRACK: Pre- / early start-up mentorship; Business + Technical discussions
Training and tech update
Discussions to alleviate pain points in existing work
Dream up new projects – Translation-oriented research
Maturity slope
8. Seed Grant 2020 Award
• Deep Learning-based Side Channel Attacks on SoC Architecture for Hardware Assurance
This project enables comprehensive and inexpensive security evaluation for IoT devices.
• EarAuth: Designing Usable Security for the Next Billion Users (NBUs): A Novel Multi-Factor Authentication Solution using Smart Earables
This project aims to develop an authentication framework using smart wearables around the ear, to enable password-less logins for swift usability.
CONGRATULATIONS!!
9. Outline
• Background: Singapore Cyber-security Consortium
• Vision of Trustworthy Systems
• Ongoing work on Trustworthy Systems & Trusted AI
10. Trustworthy software
Creativity + Precision
- Solving differential equations for an examination
- Painting a landscape of the lush greenery or a landscape.
Compare these activities with crafting software systems
11. Engendering Trust
Formal Verification
• Formally verified Software Stack
• Verified Operating Systems: seL4 project
• Verified file systems: BesFS, work at NUS
Trust from COTS
12. Chronological Evolution of Capabilities
Point Projects: MINDEF, MoE… [2009-12, 2011-14, 2013-15]
Targeted Capability: NCR 1 TSUNAMi (2015–20)
National Satellite of Excellence (2019- )
13. Our Capability Stack
Timeline: 2009, 2015, 2018, 2019, 2020
Regression analysis (MoE)
Symbolic analysis (DIRP, DSO)
Modeling and Verification (FSTD)
Scalable MC (NTU)
Security Testing and Analysis (TSUNAMi, NRF NCR)
Formal Verification of Systems (Securify, NRF NCR)
[Core] Certified Trustworthy Systems – Call 1
[App] Secure Smart Nation – Call 2
[App] Challenge from Call 2
National Satellite of Excellence
15. Education: module at NUS
Areas: System Security, Software Security, Network Security, Web Security
Topics: Malware & Rootkit Analysis; Internet; File System; Account & Protection; Kernel & Process; Function Call; System Call; Program & Service; Buffer Overflow; Fuzzing; Binary Analysis; Password Cracking; Scanning; Sniffing; Spoofing & Session Hijacking; Denial of Service; Firewall & NAT; Web attacks: SQL injection, CSRF, XSS
Tools: strace; gdb; SPIKE; BitBlaze/QEMU; ls, cd, mv, ps, vi, …; john; ping, traceroute, nmap; WireShark; netwox; nc; VM simulation; iptables; TamperData, Paros Proxy
16. National Satellite of Excellence
The NSoE-TSS aims to enhance Singapore's national capabilities in trustworthy smart system infrastructures.
We seek to build on our combined strengths in software security, and smart systems to build consolidated technologies, related to software assurance for smart systems.
The certification can take on a range of flavours including functionality certification, checking against crashes and vulnerabilities, measuring and certifying resilience against malicious inputs and environments, as well as checking and certifying for absence of information leakage via extra-functional mechanisms such as side channels.
https://www.comp.nus.edu.sg/~nsoe-tss/index.htm
17. Mission
Technology
• Deep tech. capabilities for software sys. certification
• Functional and non-functional properties
Innovation
• Show-case innovative uses of certified software sys. for secure smart nation
• Deployment scenarios
Policy
• Enhance and aid regulatory processes for critical software systems
• Feedback to public agencies
18. Outline
• Background: Singapore Cyber-security Consortium
• Vision of Trustworthy Systems
• Ongoing work on Trustworthy Systems & Trusted AI: Capabilities
• Spectre Attacks
• Fuzz Testing
• Fuzzing for DNNs
• Self-Healing Systems
19. Defense against Spectre attacks
Figure (oo7 workflow), labels shown: Source code; Compile; Binary; BAP; Taint analysis; Taint Sources list; Spectre Detector; Report (<TB, RS, LS>, <TB, RS>, <TB>, …); Objdump; Disassembly code (.asm); Assembly code (.s); Code Matcher; Code repair; Repaired assembly code (.s); Assemble & link; New Binary
• Spectre attacks exploit vulnerabilities in a program to steal sensitive data through speculative execution.
• oo7 is a static analysis framework that can mitigate Spectre attacks by detecting potentially vulnerable code snippets in program binaries and protecting them against the attack.
Figure panels: Spectre variant 1; The detection condition of Spectre variant 1; oo7
20. Fuzzing
Figure (fuzzing overview), labels shown: Model-Based Blackbox Fuzzing; Input model; Peach, Spike, …; Seed Input; Mutated Inputs ("Pass all checks", "Satisfy some checks", "Satisfy some checks"); Mutators; Test suite; Mutated files; Input Queue (Enqueue, Dequeue); Program; Input
21. AFLFast
• Design power schedules that regulate the “energy” so that path exploration gravitates towards low-frequency paths
• Integrated into AFL Fuzzer, used in DARPA CGC.
• Intuition is simple: deprioritize the common paths. Works directly on binaries.
if (condition1)
    return    // frequented by inputs
else if (condition2)
    exit      // frequented by many inputs
else ….
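The power-schedule idea above, as an added example that is not from the slides or from AFLFast's own code: a toy greybox loop compares a constant schedule with a cut-off exponential one (no energy for a seed whose path is hit more often than the mean, otherwise energy doubles per turn up to a cap), modelled on the COE schedule described in the AFLFast paper. The target `path_of`, the mutator, the round-robin queue and the constants `ALPHA` and `CAP` are assumptions made for this example.

```python
import random

MAGIC = b"FUZZ"        # constructed target: four nested byte checks
ALPHABET = b"FUZA"     # small mutation alphabet so the toy converges quickly
ALPHA, CAP = 8, 16     # base energy and energy cap (values chosen for this demo)

def path_of(data):
    """Path id = number of leading checks passed; path 0 is the common early exit."""
    depth = 0
    for got, want in zip(data, MAGIC):
        if got != want:
            break
        depth += 1
    return depth

def constant_energy(s, f, total, npaths):
    return ALPHA       # baseline: same number of mutants for every seed, every turn

def coe_energy(s, f, total, npaths):
    """Cut-off exponential: s = turns this seed was fuzzed, f = inputs on its path."""
    if f * npaths > total:          # f above the mean path frequency: skip seed
        return 0
    return min(ALPHA * 2 ** s, CAP)

def execs_to_target(schedule, rng, budget=100_000):
    """Toy greybox loop; returns executions used before the deepest path is hit."""
    queue = [[bytearray(b"AAAA"), 0]]     # entries: [seed bytes, s]
    freq = {0: 1}                         # f: number of inputs seen on each path
    execs = idx = 0
    while execs < budget:
        seed = queue[idx]
        energy = schedule(seed[1], freq[path_of(seed[0])], sum(freq.values()), len(freq))
        seed[1] += 1 if energy else 0
        for _ in range(energy):
            child = bytearray(seed[0])
            child[rng.randrange(len(child))] = rng.choice(ALPHABET)
            path = path_of(child)
            execs += 1
            if path == len(MAGIC):
                return execs
            if path not in freq:
                queue.append([child, 0])  # new path discovered: keep input as seed
            freq[path] = freq.get(path, 0) + 1
        idx = (idx + 1) % len(queue)
    return execs

def mean_execs(schedule, trials=1000, seed=2020):
    rng = random.Random(seed)             # fixed seed: repeatable comparison
    return sum(execs_to_target(schedule, rng) for _ in range(trials)) / trials
```

Calling `mean_execs(constant_energy)` and `mean_execs(coe_energy)` gives the average number of executions each schedule needs to reach the deepest path of the toy target.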
• Directed Fuzzing as an optimization problem (No constraint so
• Program analysis moved to instrumentation time to retain efficiency of greybox fuzzing.
• Distance to targets efficiently computed at runtime.
• Find global minimum using search meta-heuristic – Simulated An
• Results: outperforms KATCH and BugRedux. 17 CVEs assign
• Application: patch testing, crash reproduction, information flow
22. Deployment
Independent evaluation found crashes 19x faster on DARPA Cyber Grand Challenge (CGC) binaries
Integrated into main-line of AFL fuzzer within a year of publication (CCS16), which is used on a daily basis by corporations for finding vulnerabilities
23. Model Training and Model Robustness
Figure: plots over the axes "rotate" (-30 to 30) and "translate" (-3 to 3)
• Neural networks can be fooled with simple spatial transformations (rotation, translation)
Figure labels: "rotate by"; "labels are different"
Figure labels: Adversarial learning; Program synthesis; Complete features; Complete specifications; Test case generation; Data augmentation
• Model training can be regarded as AI-based program synthesis. Given a set of specs (training data), it generates a program (model) satisfying all the specs.
24. Fuzz-based Data Augmentation to Improve Robustness
Figure labels: Training data-set (Seeds); Seed pool; Mutator; Mutated inputs; Selector; model; Interesting inputs
• Generate representative perturbations using genetic algorithm to augment training data
• The goal is to maximize the diversity of samples in the distribution
• Result in terms of robust accuracy [*]
Dataset    Standard Acc   Random Augment   Sensei
GTSRB      1.9%           73.3%            88.2%
CIFAR-10   1.8%           73.3%            81.5%
[*] Exploring the Landscape of Spatial Robustness. L. Engstrom, B. Tran, D. Tsipras, L. Schmidt, and A. Madry. ICML '19
25. Intelligent software!
In the absence of formal specifications, analyze the buggy program and its artifacts to glean a specification about what could have gone wrong!
Figure labels: Buggy Program; Tests; Specification Inference (application: self-healing)
26. (very Non-exhaustive) History of AI
Symbolic AI
• 1958 LISP
• 1965 Resolution theorem proving
• 1970 Prolog
• 1982-92 Fifth Generation Comp Sys
• 1995 - … Advances in SAT, SMT solving
• 2005 - … Symbolic Execution
Biologically inspired AI
• 1959 Perceptron
• 1970 - … Genetic Algorithm
• 1980 -… Neural Networks
• 1992 Genetic Programming
• 1997 Deep Blue
• 2012 AlexNet work on CNN
31. The future for autonomous systems?
Can autonomous software test and repair itself autonomously to cater for corner cases? Can autonomous software repair itself subject to changes in environment?