STAMP is a static analysis tool for Android apps that was developed at Stanford and is now licensed by Quixey Inc. It uses models of the Android platform to summarize relevant app behavior and enable scalable, cost-effective identification of malware and vulnerabilities. STAMP analyzes Dalvik bytecode to construct an inter-procedural control flow graph and check for data flows between modeled sources and sinks using a context-free grammar. It has models for over 1300 methods across 176 Android classes.
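The source-to-sink check at the heart of such an analysis can be pictured as a reachability query over a data-flow graph. The graph shape, method names, and source/sink lists below are illustrative assumptions for a minimal sketch, not STAMP's actual models or API:

```python
from collections import deque

def flows_exist(flow_graph, sources, sinks):
    """Return the set of (source, sink) pairs connected in the data-flow graph."""
    found = set()
    for src in sources:
        seen, queue = {src}, deque([src])
        while queue:  # breadth-first search from each modeled source
            node = queue.popleft()
            if node in sinks:
                found.add((src, node))
            for succ in flow_graph.get(node, ()):
                if succ not in seen:
                    seen.add(succ)
                    queue.append(succ)
    return found

# Toy flow graph: the device ID flows through a helper into a network send,
# while the location value only reaches a log statement.
graph = {
    "TelephonyManager.getDeviceId": ["Util.format"],
    "Util.format": ["HttpClient.execute"],
    "Location.getLatitude": ["Log.d"],
}
leaks = flows_exist(graph,
                    sources={"TelephonyManager.getDeviceId", "Location.getLatitude"},
                    sinks={"HttpClient.execute"})
```

A real analysis builds this graph from bytecode and platform models; the reachability step itself stays this simple.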
Mining Fix Patterns for FindBugs Violations - Dongsun Kim
Several static analysis tools, such as Splint or FindBugs, have been proposed to the software development community to help detect security vulnerabilities or bad programming practices. However, the adoption of these tools is hindered by their high false positive rates. If the false positive rate is too high, developers may become desensitized to violation reports from these tools, causing concrete and severe bugs to be overlooked. Fortunately, some violations are actually addressed and resolved by developers. We claim that violations that are recurrently fixed are likely to be true positives, and that an automated approach can learn to repair similar unseen violations. However, there is a lack of both a systematic way to investigate the distributions of existing and fixed violations in the wild, which could provide insights into prioritizing violations for developers, and an effective way to mine code and fix patterns that could help developers easily understand why violations arise and how to fix them.
In this paper, we first collect and track a large number of fixed and unfixed violations across revisions of software. The empirical analyses reveal that there are discrepancies in the distributions of violations that are detected and those that are fixed, in terms of occurrences, spread and categories, which can provide insights into prioritizing violations. To automatically identify patterns in violations and their fixes, we propose an approach that utilizes convolutional neural networks to learn features and clustering to regroup similar instances. We then evaluate the usefulness of the identified fix patterns by applying them to unfixed violations. The results show that developers accept and merge a majority (69/116) of fixes generated from the inferred fix patterns. It is also noteworthy that the yielded patterns are applicable to four real bugs in Defects4J, a major benchmark for software testing and automated repair.
Learning to Spot and Refactor Inconsistent Method Names - Dongsun Kim
To ensure code readability and facilitate software maintenance, program methods must be named properly. In particular, method names must be consistent with the corresponding method implementations. Debugging method names remains an important topic in the literature, where various approaches analyze commonalities among method names in a large dataset to detect inconsistent method names and suggest better ones. We note that the state-of-the-art does not analyze the implemented code itself to assess consistency. We thus propose a novel automated approach to debugging method names based on the analysis of consistency between method names and method code. The approach leverages deep feature representation techniques adapted to the nature of each artifact. Experimental results on over 2.1 million Java methods show that we can achieve up to 15 percentage points improvement over the state-of-the-art, establishing a record performance of 67.9% F1-measure in identifying inconsistent method names. We further demonstrate that our approach yields up to 25% accuracy in suggesting full names, while the state-of-the-art lags far behind at 1.1% accuracy. Finally, we report on our success in fixing 66 inconsistent method names in a live study on projects in the wild.
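One signal such an approach can exploit is the lexical overlap between a method's name tokens and the identifiers used in its body. The toy scoring below is a hand-made sketch of that idea only; the paper's approach instead learns deep feature representations from millions of methods:

```python
import re

def name_tokens(identifier):
    """Split a camelCase identifier into lower-case tokens."""
    return [t.lower() for t in re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])", identifier)]

def consistency_score(method_name, body_identifiers):
    """Jaccard overlap between name tokens and tokens appearing in the body."""
    name = set(name_tokens(method_name))
    body = set()
    for ident in body_identifiers:
        body.update(name_tokens(ident))
    return len(name & body) / len(name | body) if name | body else 0.0

# A "getUserName" method that only manipulates age fields looks inconsistent.
good = consistency_score("getUserName", ["user", "name", "return"])
bad = consistency_score("getUserName", ["age", "birthDate"])
```

Low overlap alone is of course a weak heuristic, which is exactly why learned representations outperform it.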
TBar: Revisiting Template-based Automated Program Repair - Dongsun Kim
We revisit the performance of template-based APR to build comprehensive knowledge about the effectiveness of fix patterns, and to highlight the importance of complementary steps such as fault localization or donor code retrieval. To that end, we first investigate the literature to collect, summarize and label recurrently-used fix patterns. Based on the investigation, we build TBar, a straightforward APR tool that systematically attempts to apply these fix patterns to program bugs. We thoroughly evaluate TBar on the Defects4J benchmark. In particular, we assess the actual qualitative and quantitative diversity of fix patterns, as well as their effectiveness in yielding plausible or correct patches. Eventually, we find that, assuming a perfect fault localization, TBar correctly/plausibly fixes 74/101 bugs. Replicating a standard and practical pipeline of APR assessment, we demonstrate that TBar correctly fixes 43 bugs from Defects4J, an unprecedented performance in the literature (including all approaches, i.e., template-based, stochastic mutation-based or synthesis-based APR).
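A fix pattern in this style is essentially a small, reusable AST rewrite. As a minimal illustration (in Python rather than TBar's Java setting), here is one hypothetical pattern that normalizes None comparisons:

```python
import ast

class NoneComparisonFix(ast.NodeTransformer):
    """Fix pattern: rewrite '== None' / '!= None' into 'is None' / 'is not None'."""
    def visit_Compare(self, node):
        self.generic_visit(node)
        for i, (op, comp) in enumerate(zip(node.ops, node.comparators)):
            if isinstance(comp, ast.Constant) and comp.value is None:
                if isinstance(op, ast.Eq):
                    node.ops[i] = ast.Is()
                elif isinstance(op, ast.NotEq):
                    node.ops[i] = ast.IsNot()
        return node

def apply_pattern(source):
    """Parse, apply the pattern everywhere it matches, and re-emit source."""
    tree = ast.parse(source)
    return ast.unparse(NoneComparisonFix().visit(tree))

fixed = apply_pattern("if x == None:\n    y = 1")
```

An APR tool in this family systematically tries a catalog of such rewrites at suspicious locations and keeps the patches that make the test suite pass.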
This presentation offers a first, in-breadth survey and comparison of current aspect mining tools and techniques. It focuses mainly on automated techniques that mine a program’s static or dynamic structure for candidate aspects. We present an initial comparative framework for distinguishing aspect mining techniques, and assess known techniques against this framework. The results of this assessment may serve as a roadmap for potential users of aspect mining techniques, helping them select an appropriate technique. They also help aspect mining researchers identify remaining open research questions, possible avenues for future research, and interesting combinations of existing techniques.
Effective Fault-Localization Techniques for Concurrent Software - Sangmin Park
The document describes techniques for fault localization in concurrent software. It presents three techniques: FALCON, which localizes single-variable faults; UNICORN, which extends FALCON to localize multi-variable faults; and GRIFFIN, which provides fault explanations by identifying memory access patterns, calling contexts, and suspicious methods. These techniques are implemented in debugging tools Tracer, Unicorn and Griffin. An empirical user study is conducted to evaluate whether the tools help developers understand and fix concurrency bugs.
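Ranking program entities by suspiciousness typically relies on how often each entity appears in failing versus passing runs. The sketch below uses the well-known Ochiai metric on hypothetical memory-access patterns; it is not necessarily the exact formula FALCON uses:

```python
import math

def ochiai(failed_cov, passed_cov, total_failed):
    """Ochiai suspiciousness: failed(e) / sqrt(total_failed * (failed(e) + passed(e)))."""
    if failed_cov == 0:
        return 0.0
    return failed_cov / math.sqrt(total_failed * (failed_cov + passed_cov))

def rank_patterns(observations, total_failed):
    """observations: pattern -> (occurrences in failing runs, occurrences in passing runs)."""
    scored = {p: ochiai(f, s, total_failed) for p, (f, s) in observations.items()}
    return sorted(scored, key=scored.get, reverse=True)

obs = {
    "W->R on counter": (5, 0),   # appears only in failing runs: highly suspicious
    "R->R on buffer":  (5, 5),   # appears everywhere: weak signal
    "W->W on flag":    (0, 8),   # only in passing runs: not suspicious
}
ranking = rank_patterns(obs, total_failed=5)
```

The pattern seen exclusively in failing executions rises to the top of the ranked list.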
Griffin: Grouping Suspicious Memory-Access Patterns to Improve Understanding... - Sangmin Park
Griffin is a technique that aims to improve the understanding of concurrency bugs by grouping suspicious memory access patterns from failing tests. It first performs fault localization to generate ranked lists of memory access patterns, then clusters related tests together based on similarity of patterns. Finally, it reconstructs bugs by clustering patterns based on call stack similarity and identifying suspicious methods and a bug graph.
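The call-stack clustering step can be approximated with a simple similarity measure. The prefix-based similarity, the threshold, and the toy stacks below are illustrative choices, not Griffin's actual algorithm:

```python
def stack_similarity(a, b):
    """Similarity of two call stacks: length of the shared calling-context
    prefix divided by the longer stack's length."""
    common = 0
    for x, y in zip(a, b):
        if x != y:
            break
        common += 1
    return common / max(len(a), len(b))

def cluster_stacks(stacks, threshold=0.5):
    """Greedy single-pass clustering: join a stack to the first cluster whose
    representative is similar enough, else open a new cluster."""
    clusters = []
    for stack in stacks:
        for cluster in clusters:
            if stack_similarity(stack, cluster[0]) >= threshold:
                cluster.append(stack)
                break
        else:
            clusters.append([stack])
    return clusters

stacks = [
    ("main", "Worker.run", "Queue.put"),
    ("main", "Worker.run", "Queue.take"),   # shares the Worker.run context
    ("main", "Logger.flush"),               # unrelated calling context
]
groups = cluster_stacks(stacks)
```

Grouping by calling context is what lets the reconstruction step present one bug per cluster instead of a flat list of accesses.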
The document discusses various static and dynamic techniques for aspect mining, which is the process of identifying crosscutting concerns in existing source code. Static techniques discussed include fan-in analysis, clustering methods, clone detection, natural language processing analysis, and formal concept analysis. Dynamic techniques discussed include analyzing execution patterns in traces from program executions and applying formal concept analysis to execution traces. The goal of aspect mining is to facilitate migrating existing code to an aspect-oriented paradigm by identifying crosscutting concerns.
System Testing of Timing Requirements based on Use Cases and Timed Automata - Lionel Briand
The document describes a technique called TAUC that combines use case specifications and timed automata to automatically generate test cases for validating timing requirements of safety-critical systems. TAUC models the system functionality and environment as timed automata, identifies test inputs from use case scenarios to trigger state transitions, and employs a coverage-based and metaheuristic search approach to generate a test suite that stresses timing constraints. An evaluation on a case study shows TAUC achieves a 91% fault detection rate, significantly outperforming random and manual testing.
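A timed automaton pairs state transitions with clock guards, and a generated test is only useful if its timed trace is feasible. The toy automaton below (the states, guards, and the 5-second timeout are invented for illustration) shows the guard check any such generator must respect:

```python
# Guards map (state, event) to a predicate over the clock value (seconds
# since the last clock reset); transitions say where to go and whether to reset.
GUARDS = {
    ("idle", "start"): lambda c: True,
    ("running", "timeout"): lambda c: c >= 5.0,  # timing requirement: 5s deadline
    ("running", "stop"): lambda c: c < 5.0,
}
TRANSITIONS = {
    ("idle", "start"): ("running", True),    # True: reset the clock
    ("running", "timeout"): ("error", False),
    ("running", "stop"): ("idle", False),
}

def run(trace):
    """Execute a timed trace [(event, absolute_time), ...]; return the final
    state, or None if some guard is violated (i.e., the trace is infeasible)."""
    state, clock_start = "idle", 0.0
    for event, t in trace:
        key = (state, event)
        if key not in TRANSITIONS or not GUARDS[key](t - clock_start):
            return None
        state, reset = TRANSITIONS[key]
        if reset:
            clock_start = t
    return state

ok = run([("start", 0.0), ("stop", 3.0)])   # stop before the 5s deadline: feasible
bad = run([("start", 0.0), ("stop", 7.0)])  # violates the guard c < 5
```

A search-based generator then explores input timings like these, steering toward traces that stress the timing constraints.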
What did functional programming ever do for us (software engineers)? An overview of advantages of functional programming, with code examples in Scala. See recorded presentation at https://youtu.be/glDudJ3fqLk
Validation of Derived Features and Well-Formedness Constraints in DSLs - Daniel Varro
We propose an automated mapping of EMF metamodels enriched with derived features and well-formedness constraints captured as graph queries in EMF-IncQuery into an effectively propositional fragment of first-order logic which can be efficiently analyzed by the Z3 SMT-solver.
(Presented at the IEEE/ACM MODELS 2013 conference)
Search-driven String Constraint Solving for Vulnerability Detection - Lionel Briand
The document presents a search-driven approach to solving string constraints for vulnerability detection. State-of-the-art solvers like Z3-str2 have limitations in supporting complex string operations. The proposed approach decomposes constraints and leverages an automata-based solver to reduce the search space, before using a search-based solver to find satisfying assignments. An evaluation on 43 programs shows the approach significantly improves vulnerability detection effectiveness over baseline solvers, with affordable time costs. The automata-based solver plays a key role in the effectiveness of the search-based procedure.
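The search-based part can be pictured as fitness-guided mutation of a candidate string until it satisfies the constraint under test. The toy constraint (the payload must contain "<script"), the fitness function, and the hill climber below are deliberately simplified assumptions; the actual approach decomposes much richer constraints and uses an automata-based solver to prune the search space first:

```python
def violates(s):
    """Toy constraint from a vulnerability check: payload contains '<script'."""
    return "<script" in s

def fitness(s, needle="<script"):
    """Length of the longest prefix of the needle found in s; guides the search."""
    best = 0
    for i in range(len(s)):
        k = 0
        while k < len(needle) and i + k < len(s) and s[i + k] == needle[k]:
            k += 1
        best = max(best, k)
    return best

def search(seed, alphabet="<script>abc", max_steps=200):
    """Deterministic hill climbing: mutate one character at a time, keep
    any mutation that strictly improves fitness, stop when the constraint holds."""
    current = list(seed)
    for _ in range(max_steps):
        if violates("".join(current)):
            return "".join(current)
        improved = False
        for pos in range(len(current)):
            for ch in alphabet:
                cand = current[:]
                cand[pos] = ch
                if fitness("".join(cand)) > fitness("".join(current)):
                    current, improved = cand, True
                    break
            if improved:
                break
        if not improved:
            break
    return "".join(current) if violates("".join(current)) else None

attack = search("aaaaaaaa")
```

Without the fitness gradient the search would wander blindly, which is why reducing the search space beforehand matters so much in practice.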
The document summarizes a dissertation defense about adaptive bug prediction by analyzing project history. It discusses the motivation for leveraging project history and software configuration management data for bug prediction. It also describes creating a corpus by identifying bug-fix changes and bug-introducing changes from commits. The dissertation proposes using a "bug cache" to predict likely locations of future bugs based on past bug occurrences.
HDR Defence - Software Abstractions for Parallel Architectures - Joel Falcou
Performing large, intensive or non-trivial computations on array-like data structures is one of the most common tasks in scientific computing, video game development and other fields. This is borne out by the large number of tools, languages and libraries for performing such tasks. If we restrict ourselves to C++ based solutions, more than a dozen such libraries exist, from BLAS/LAPACK C++ bindings to the template metaprogramming based Blitz++ or Eigen.
While all of these libraries provide good performance or good abstraction, none of them seems to fit the needs of so many different user types. Moreover, as parallel system complexity grows, maintaining all those components quickly becomes unwieldy. This thesis explores various software design techniques - like Generative Programming, Metaprogramming and Generic Programming - and their application to the implementation of various parallel computing libraries in such a way that abstraction and expressiveness are maximized while efficiency overhead is minimized.
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited - Achim D. Brucker
We briefly present the theorem proving environment HOL-OCL. The HOL-OCL system is an interactive proof environment for object-oriented (i.e., UML/OCL) specifications that is built on top of Isabelle/HOL. We introduce the overall system architecture and, in more detail, our extensible encoding of object-oriented data models into HOL.
While our extensible encoding is inspired by the extensible record package of Isabelle/HOL, its implementation is not directly based on it. In this talk, we discuss how our approach differs from the existing one and how it serves as a basis for implementing Isabelle-based tools for object-oriented models.
Effective Test Suites for Mixed Discrete-Continuous Stateflow Controllers - Lionel Briand
The document describes algorithms for generating effective test suites for mixed discrete-continuous controllers modeled in Stateflow. It introduces the challenges of testing cyber-physical systems with both discrete and continuous behaviors. It then presents six test generation algorithms, including ones based on input diversity, state/transition coverage, and output diversity/stability/continuity. An evaluation of these algorithms on three industrial case studies examines their fault detection abilities, how they compare to each other, and how test suite size impacts results. The best performing algorithms focused on maximizing differences between output signals.
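Output diversity can be operationalized as maximizing distances between output signals. Below is a greedy sketch of that selection step, with invented signal data; the paper's algorithms and distance definitions are more elaborate:

```python
import math

def signal_distance(a, b):
    """Euclidean distance between two equally sampled output signals."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def select_diverse(outputs, k):
    """Greedily pick k tests, each time adding the candidate that maximizes
    its minimum output distance to the tests already chosen."""
    names = list(outputs)
    chosen = [names[0]]
    while len(chosen) < k:
        best = max((n for n in names if n not in chosen),
                   key=lambda n: min(signal_distance(outputs[n], outputs[c])
                                     for c in chosen))
        chosen.append(best)
    return chosen

outputs = {
    "t1": [0.0, 0.0, 0.0],
    "t2": [0.1, 0.0, 0.1],   # output nearly identical to t1: adds little
    "t3": [5.0, 5.0, 5.0],   # very different output signal
}
suite = select_diverse(outputs, k=2)
```

Preferring t3 over t2 here mirrors the evaluation's finding that maximizing differences between output signals detects the most faults.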
Test Case Prioritization for Acceptance Testing of Cyber Physical Systems - Lionel Briand
1) The document describes a multi-objective search-based approach for minimizing and prioritizing acceptance test cases for cyber physical systems to address challenges like time overhead, uncertainties in execution time, and risks of hardware damage.
2) The approach models acceptance tests, minimizes test cases by removing redundant operations, and prioritizes test cases using Monte Carlo simulation to estimate execution times while optimizing for criticality and risk.
3) An empirical evaluation on an industrial case study of in-orbit satellite testing shows the approach generates test suites that cover more test cases and have lower hardware risk within time budgets compared to manually created test suites.
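The interplay of Monte Carlo time estimation and risk-aware prioritization sketched above can be illustrated as follows. The test names, criticality scores, and uniform uncertainty model are invented assumptions, not the paper's case-study data:

```python
import random

def simulate_duration(nominal, uncertainty, runs=2000, seed=42):
    """Monte Carlo estimate of expected execution time, modeling uncertainty
    as a uniform +/- fraction around the nominal duration."""
    rng = random.Random(seed)
    samples = [nominal * (1 + rng.uniform(-uncertainty, uncertainty))
               for _ in range(runs)]
    return sum(samples) / runs

def prioritize(tests, budget):
    """Order by criticality per expected minute, then greedily fill the budget."""
    ranked = sorted(tests, key=lambda t: t["criticality"] / t["expected"],
                    reverse=True)
    chosen, used = [], 0.0
    for t in ranked:
        if used + t["expected"] <= budget:
            chosen.append(t["name"])
            used += t["expected"]
    return chosen

tests = [
    {"name": "thermal_check", "criticality": 9,
     "expected": simulate_duration(10, 0.2)},
    {"name": "antenna_sweep", "criticality": 3,
     "expected": simulate_duration(30, 0.5)},
    {"name": "battery_cycle", "criticality": 8,
     "expected": simulate_duration(15, 0.1)},
]
plan = prioritize(tests, budget=30)
```

The low-criticality, long-running sweep drops out of the 30-minute budget, while the two critical checks fit.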
Incremental Reconfiguration of Product Specific Use Case Models for Evolving ... - Lionel Briand
1. The document discusses an approach for incrementally reconfiguring product-specific use case models when configuration decisions evolve over time.
2. Product-specific models are regenerated by focusing only on the changed decisions and their side effects, preserving unaffected parts and existing trace links.
3. The approach involves matching decision model elements before and after changes, calculating differences, and using these to reconfigure use case diagrams and specifications while generating an impact report.
DRONE: A Tool to Detect and Repair Directive Defects in Java APIs Documentation - Sebastiano Panichella
DRONE is a tool that detects and repairs defects in API documentation by analyzing documentation directives and source code. It uses natural language processing techniques to extract constraints from documentation and builds abstract syntax trees from code to classify parameter usage. DRONE was evaluated on 8 Java libraries and Android APIs, detecting 1291 real defects with a precision over 76%, recall over 84%, and F-measure over 80%. It also provides repair recommendations for the detected defects based on predefined templates.
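The directive-versus-code comparison can be illustrated with a toy extractor. DRONE's actual pipeline uses NLP over directives and AST analysis of the code; the regex-based sketch below, with an invented Javadoc fragment, only shows the shape of the mismatch check:

```python
import re

# Matches "@param <name> ... must not be null" on a single Javadoc line.
DIRECTIVE = re.compile(r"@param\s+(\w+)\s+.*?\bmust not be null\b", re.IGNORECASE)

def extract_nonnull_params(javadoc):
    """Collect parameter names whose documentation says they must not be null."""
    return {m.group(1) for m in DIRECTIVE.finditer(javadoc)}

def undocumented_checks(javadoc, checked_params):
    """Parameters the code null-checks but the documentation never constrains:
    candidates for a directive defect and a templated repair suggestion."""
    return checked_params - extract_nonnull_params(javadoc)

doc = """
 * @param name the user name; must not be null.
 * @param age the user age in years.
"""
missing = undocumented_checks(doc, checked_params={"name", "age"})
```

Here the code rejects a null `age`, but the documentation never says so, which is exactly the class of defect a repair template can fix.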
Making property-based testing easier to read for humans - Laura M. Castro
Agile practices have taught us that both stakeholder involvement and early testing are key to quality software. However, it is usually the case that tools for good communication are not that good for testing, and vice-versa.
This talk presents readSpec, one of the results of the FP7 EU PROWESS project, a tool that attempts to fill this gap.
Testing of Cyber-Physical Systems: Diversity-driven Strategies - Lionel Briand
Lionel Briand discusses strategies for testing cyber-physical systems using diversity-driven approaches. He outlines challenges in verifying controllers and decision-making components in cyber-physical systems due to large input spaces and expensive model execution. Briand proposes maximizing diversity of test cases to improve fault detection. He describes using diversity of input signals, output signals, and failure patterns to generate test cases. Search algorithms are used to find test cases that maximize diversity or reveal specific failure patterns. The strategies are shown to significantly outperform coverage-based and random testing on Simulink models.
Let's turn the tables. Suppose your goal is to deliberately create buggy programs in C and C++ with serious security vulnerabilities that can be "easily" exploited. Then you need to know about things like stack smashing, shellcode, arc injection, return-oriented programming. You also need to know about annoying protection mechanisms such as address space layout randomization, stack canaries, data execution prevention, and more. These slides will teach you the basics of how to deliberately write insecure programs in C and C++.
A PDF version of the slides can be downloaded from my homepage: http://olvemaudal.com/talks
Here is a video recording of me presenting these slides at NDC 2014: http://vimeo.com/channels/ndc2014/97505677
Enjoy!
Static analysis works for mission-critical systems, why not yours? - Rogue Wave Software
Take a deep dive into the world of static code analysis (SCA) by immersing yourself in different analysis techniques, examples of the problems they find, and learning how SCA fits into various types of environments, from the developer desktop to the QA team. The goal is to provide a solid foundation for you to make the best decision for testing technology and process selection, including: types of defects found by SCA; typical myths and barriers to adoption; and how SCA aligns to different testing maturity levels.
The Jax project, from 1998-2003, aimed to shrink Java applications for faster downloading and use on embedded devices. It used static analysis and program transformations, such as method inlining and class merging, to remove unused code. Its call graph construction relied on type-based algorithms such as CHA, RTA, and XTA. Jax was used by IBM teams and integrated into Smartlinker to optimize apps for IBM's WebSphere. It reduced app sizes by 30-50% and improved performance. Lessons learned included that debloating is broadly applicable; future work includes scenario-based modular optimization.
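Once a call graph has been constructed (via CHA, RTA, or XTA), the unused-code removal itself reduces to a reachability computation from the entry points. The toy graph and method names below are invented for illustration:

```python
def reachable(call_graph, entry_points):
    """Methods reachable from the entry points over the call graph."""
    seen, stack = set(), list(entry_points)
    while stack:  # iterative depth-first traversal
        m = stack.pop()
        if m in seen:
            continue
        seen.add(m)
        stack.extend(call_graph.get(m, ()))
    return seen

def dead_methods(call_graph, entry_points):
    """Methods that no execution starting at an entry point can ever call."""
    all_methods = set(call_graph)
    for callees in call_graph.values():
        all_methods.update(callees)
    return all_methods - reachable(call_graph, entry_points)

# Toy app: Debug.dump is never called from main, so debloating can drop it.
graph = {
    "Main.main": ["App.run"],
    "App.run": ["Util.log"],
    "Debug.dump": ["Util.log"],
}
removable = dead_methods(graph, ["Main.main"])
```

The hard part in practice is the precision of the call graph itself, which is why the choice among CHA, RTA, and XTA matters.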
The document discusses Open-DO, an open source initiative for developing safety-critical software. It provides an overview of Open-DO concepts like FLOSS, agile development practices, and high-integrity certification. Updates on Open-DO include new community projects, conferences, and tools to support qualifications. Formal methods like Couverture and Hi-Lite are presented as ways to verify properties and generate verification conditions for proof.
The document discusses a presentation on the benefits of type hints in Python. It provides an outline of the presentation which includes an introduction to type hints, how to use type hints, and the benefits of type hints. Some key benefits mentioned are improved code completion, the ability to catch type errors without running code, and using type hint tools for static type analysis.
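As a minimal illustration of the annotations the presentation covers (the function names here are invented examples), a checker such as mypy can reject a call like `mean("abc")` from the signatures alone, without ever running the code:

```python
def mean(values: list[float]) -> float:
    """The hint documents the contract and lets static tools flag misuse."""
    return sum(values) / len(values)

def greeting(name: str, excited: bool = False) -> str:
    """Hints on parameters and defaults also drive editor code completion."""
    return f"Hello, {name}" + ("!" if excited else ".")

avg = mean([1.0, 2.0, 3.0])
msg = greeting("Ada", excited=True)
```

At runtime the hints are ignored; the benefits come from tooling that reads them.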
The Use of Static Code Analysis When Teaching or Developing Open-Source Software - Andrey Karpov
The document discusses using static code analysis when teaching or developing open-source software. It outlines how static analysis can help instructors check student homework and projects more efficiently, and help students learn about error patterns. When using static analysis for open-source projects, it recommends integrating it into developers' workflows locally and via continuous integration systems. Regular use is key to maximizing its benefits for finding and fixing bugs.
This document discusses code analysis and techniques for predicting runtime errors in source code. It describes existing solutions like detecting uninitialized variables, overflows, divide by zeros, incorrect argument data types. It also discusses detecting out-of-bounds array and pointer references, memory allocation/deallocation errors, and memory leaks. The document outlines the design of a code analyzer that takes C code as input, performs lexical and syntax analysis to generate intermediate code, and then uses the intermediate code to predict possible runtime errors. Further work mentioned includes evaluating the intermediate code to perform data and control flow analysis for error prediction.
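The analyzer described takes C code as input; the sketch below transposes the idea to Python's ast module for brevity. It predicts two of the listed error classes, literal division by zero and possibly uninitialized reads, and deliberately ignores builtins, scoping, and control flow:

```python
import ast

def predict_errors(source):
    """Predict two simple runtime errors without executing the code:
    division by a literal zero, and reads of names the module never assigns."""
    tree = ast.parse(source)
    assigned = set()
    for node in ast.walk(tree):  # first pass: collect every assigned name
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    assigned.add(target.id)
    warnings = []
    for node in ast.walk(tree):  # second pass: flag suspicious expressions
        if (isinstance(node, ast.BinOp) and isinstance(node.op, ast.Div)
                and isinstance(node.right, ast.Constant) and node.right.value == 0):
            warnings.append(f"line {node.lineno}: division by zero")
        if (isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load)
                and node.id not in assigned):
            warnings.append(f"line {node.lineno}: '{node.id}' may be uninitialized")
    return warnings

report = predict_errors("x = 10\ny = x / 0\nz = unknown_var + 1")
```

A full analyzer would refine both checks with the data- and control-flow analysis the document lists as further work.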
Does static analysis need machine learning? - Andrey Karpov
This document discusses whether static analysis needs machine learning. It begins with an introduction to static analysis and outlines existing static analysis solutions like DeepCode, Infer, SapFix, Embold, Source{d}, Clever-Commit, and CodeGuru. It then addresses problems with learning manually or from real large code bases, like outdated code and lack of documentation. Finally, it discusses promising approaches like analyzing code style, collecting additional metrics, and best practices for specific frameworks.
What did functional programming ever do for us (software engineers)? An overview of advantages of functional programming, with code examples in Scala. See recorded presentation at https://youtu.be/glDudJ3fqLk
Validation of Derived Features and Well-Formedness Constraints in DSLsDaniel Varro
We propose an automated mapping of EMF metamodels enriched with derived features and well-formedness constraints captured as graph queries in EMF-IncQuery into an effectively propositional fragment of first-order logic which can be efficiently analyzed by the Z3 SMT-solver.
(Presented at the IEEE/ACM MODELS 2013 conference)
Search-driven String Constraint Solving for Vulnerability DetectionLionel Briand
The document presents a search-driven approach to solving string constraints for vulnerability detection. State-of-the-art solvers like Z3-str2 have limitations in supporting complex string operations. The proposed approach decomposes constraints and leverages an automata-based solver to reduce the search space, before using a search-based solver to find satisfying assignments. An evaluation on 43 programs shows the approach significantly improves vulnerability detection effectiveness over baseline solvers, with affordable time costs. The automata-based solver plays a key role in the effectiveness of the search-based procedure.
The document summarizes a dissertation defense about adaptive bug prediction by analyzing project history. It discusses the motivation for leveraging project history and software configuration management data for bug prediction. It also describes creating a corpus by identifying bug-fix changes and bug-introducing changes from commits. The dissertation proposes using a "bug cache" to predict likely locations of future bugs based on past bug occurrences.
HDR Defence - Software Abstractions for Parallel ArchitecturesJoel Falcou
Performing large, intensive or non-trivial computing on array like data
structures is one of the most common task in scientific computing, video game
development and other fields. This matter of fact is backed up by the large number
of tools, languages and libraries to perform such tasks. If we restrict ourselves to
C++ based solutions, more than a dozen such libraries exists from BLAS/LAPACK
C++ binding to template meta-programming based Blitz++ or Eigen.
If all of these libraries provide good performance or good abstraction, none of
them seems to fit the need of so many different user types. Moreover, as parallel
system complexity grows, the need to maintain all those components quickly
become unwieldy. This thesis explores various software design techniques - like
Generative Programming, MetaProgramming and Generic Programming - and their
application to the implementation of various parallel computing libraries in such a
way that abstraction and expressiveness are maximized while efficiency overhead is
minimized.
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedAchim D. Brucker
We briefly present the theorem proving environment HOL-OCL. The HOL-OCL system is an interactive proof environment for object-oriented (i.e., UML/OCL) specifications that is build on top of Isabelle/HOL. Overall, we introduce the overall system architecture and, in more detail, our extensible encoding of object-oriented data models into HOL.
While our extensible encoding is inspired by the extensible record package of Isabelle/HOL, its implementation is not directly based on it. In this talk, we will discuss how our approach differs from the existing one and discuss how it serves as a basis for implementing allows for implementing Isabelle-based tools for object-oriented models.
Effective Test Suites for ! Mixed Discrete-Continuous Stateflow ControllersLionel Briand
The document describes algorithms for generating effective test suites for mixed discrete-continuous controllers modeled in Stateflow. It introduces the challenges of testing cyber-physical systems with both discrete and continuous behaviors. It then presents six test generation algorithms, including ones based on input diversity, state/transition coverage, and output diversity/stability/continuity. An evaluation of these algorithms on three industrial case studies examines their fault detection abilities, how they compare to each other, and how test suite size impacts results. The best performing algorithms focused on maximizing differences between output signals.
Test Case Prioritization for Acceptance Testing of Cyber Physical Systems - Lionel Briand
1) The document describes a multi-objective search-based approach for minimizing and prioritizing acceptance test cases for cyber physical systems to address challenges like time overhead, uncertainties in execution time, and risks of hardware damage.
2) The approach models acceptance tests, minimizes test cases by removing redundant operations, and prioritizes test cases using Monte Carlo simulation to estimate execution times while optimizing for criticality and risk.
3) An empirical evaluation on an industrial case study of in-orbit satellite testing shows the approach generates test suites that cover more test cases and have lower hardware risk within time budgets compared to manually created test suites.
Incremental Reconfiguration of Product Specific Use Case Models for Evolving ... - Lionel Briand
1. The document discusses an approach for incrementally reconfiguring product-specific use case models when configuration decisions evolve over time.
2. Product-specific models are regenerated by focusing only on the changed decisions and their side effects, preserving unaffected parts and existing trace links.
3. The approach involves matching decision model elements before and after changes, calculating differences, and using these to reconfigure use case diagrams and specifications while generating an impact report.
DRONE: A Tool to Detect and Repair Directive Defects in Java APIs Documentation - Sebastiano Panichella
DRONE is a tool that detects and repairs defects in API documentation by analyzing documentation directives and source code. It uses natural language processing techniques to extract constraints from documentation and builds abstract syntax trees from code to classify parameter usage. DRONE was evaluated on 8 Java libraries and Android APIs, detecting 1291 real defects with a precision over 76%, recall over 84%, and F-measure over 80%. It also provides repair recommendations for the detected defects based on predefined templates.
Making property-based testing easier to read for humans - Laura M. Castro
Agile practices have taught us that both stakeholder involvement and early testing are key to quality software. However, it is usually the case that tools for good communication are not that good for testing, and vice-versa.
In this talk, readSpec (one of the results of the FP7 EU PROWESS project) is presented, a tool that attempts to fill this gap.
Testing of Cyber-Physical Systems: Diversity-driven Strategies - Lionel Briand
Lionel Briand discusses strategies for testing cyber-physical systems using diversity-driven approaches. He outlines challenges in verifying controllers and decision-making components in cyber-physical systems due to large input spaces and expensive model execution. Briand proposes maximizing diversity of test cases to improve fault detection. He describes using diversity of input signals, output signals, and failure patterns to generate test cases. Search algorithms are used to find test cases that maximize diversity or reveal specific failure patterns. The strategies are shown to significantly outperform coverage-based and random testing on Simulink models.
Let's turn the table. Suppose your goal is to deliberately create buggy programs in C and C++ with serious security vulnerabilities that can be "easily" exploited. Then you need to know about things like stack smashing, shellcode, arc injection, return-oriented programming. You also need to know about annoying protection mechanisms such as address space layout randomization, stack canaries, data execution prevention, and more. These slides will teach you the basics of how to deliberately write insecure programs in C and C++.
A PDF version of the slides can be downloaded from my homepage: http://olvemaudal.com/talks
Here is a video recording of me presenting these slides at NDC 2014: http://vimeo.com/channels/ndc2014/97505677
Enjoy!
Static analysis works for mission-critical systems, why not yours? - Rogue Wave Software
Take a deep dive into the world of static code analysis (SCA) by immersing yourself into different analysis techniques, examples of the problems they find, and learning how SCA fits into various types of environments, from the developer desktop to the QA team. The goal is to provide a solid foundation for you to make the best decision for testing technology and process selection, including: Types of defects found by SCA;
Typical myths and barriers to adoption; and How SCA aligns to different testing maturity levels.
The Jax project from 1998-2003 aimed to shrink Java applications for faster downloading and use on embedded devices. It used static analysis and program transformations like method inlining and class merging to remove unused code. Its call graph construction relied on type-based algorithms like CHA, RTA, and XTA. Jax was used by IBM teams and integrated into Smartlinker to optimize apps for IBM's WebSphere. It reduced app sizes by 30-50% and improved performance. Lessons included debloating being broadly applicable and future work in scenario-based modular optimization.
The document discusses Open-DO, an open source initiative for developing safety-critical software. It provides an overview of Open-DO concepts like FLOSS, agile development practices, and high-integrity certification. Updates on Open-DO include new community projects, conferences, and tools to support qualifications. Formal methods like Couverture and Hi-Lite are presented as ways to verify properties and generate verification conditions for proof.
The document discusses a presentation on the benefits of type hints in Python. It provides an outline of the presentation which includes an introduction to type hints, how to use type hints, and the benefits of type hints. Some key benefits mentioned are improved code completion, the ability to catch type errors without running code, and using type hint tools for static type analysis.
The Use of Static Code Analysis When Teaching or Developing Open-Source Software - Andrey Karpov
The document discusses using static code analysis when teaching or developing open-source software. It outlines how static analysis can help instructors check student homework and projects more efficiently, and help students learn about error patterns. When using static analysis for open-source projects, it recommends integrating it into developers' workflows locally and via continuous integration systems. Regular use is key to maximizing its benefits for finding and fixing bugs.
This document discusses code analysis and techniques for predicting runtime errors in source code. It describes existing solutions like detecting uninitialized variables, overflows, divide by zeros, incorrect argument data types. It also discusses detecting out-of-bounds array and pointer references, memory allocation/deallocation errors, and memory leaks. The document outlines the design of a code analyzer that takes C code as input, performs lexical and syntax analysis to generate intermediate code, and then uses the intermediate code to predict possible runtime errors. Further work mentioned includes evaluating the intermediate code to perform data and control flow analysis for error prediction.
Does static analysis need machine learning? - Andrey Karpov
This document discusses whether static analysis needs machine learning. It begins with an introduction to static analysis and outlines existing static analysis solutions like DeepCode, Infer, SapFix, Embold, Source{d}, Clever-Commit, and CodeGuru. It then addresses problems with learning manually or from real large code bases, like outdated code and lack of documentation. Finally, it discusses promising approaches like analyzing code style, collecting additional metrics, and best practices for specific frameworks.
A seminar in advanced Software Engineering concerning using models to guide the development process, and QVT to transfer a model into another model automatically
This document discusses dynamic analysis techniques for understanding the runtime behavior of object-oriented programs. It describes various sources of runtime information, such as program output, resource usage, and internal instrumentation. Common tools for dynamic analysis include loggers, debuggers, and profilers. Reverse engineering techniques can combine static and dynamic views. Feature-based analysis aims to map features to source code by comparing execution traces.
Tricky sample? Hack it easy! Applying dynamic binary instrumentation to ligh... - Maksim Shudrak
Dynamic binary instrumentation (DBI) is a technique for analysing the behaviour of a binary application at runtime through the injection of instrumentation code. This instrumentation code is designed to be transparent towards the instrumented application and it executes as a part of the normal execution flow without significant runtime overhead. Moreover, there are no limitations for the instrumentation code - a user can implement even a complex logic to observe execution flow, memory layout, etc. Certainly, such a flexible and powerful technique can and should be used for malware analysis. However, while there are several open-source tools (PoCs) implemented on top of DBI frameworks, their application for malware analysis is very limited.
In the talk the author will discuss the pros and cons of malicious code instrumentation and his experience of how DBI can be used to perform investigation of sophisticated banking trojans such as Gootkit and EmbusteBot as well as dozens of other malicious samples in practice.
Moreover, the author will release a new tool for transparent and lightweight dynamic malware analysis and will demonstrate, using examples, how this tool can help researchers to easily reveal important behaviour details of sophisticated malicious samples. EmbusteBot (a new banking trojan from Brazil found and reported by the author in 2017) was investigated using only this tool without even starting a debugger or disassembler.
Survey of Program Transformation Technologies - Chunhua Liao
This document provides an overview of program transformation techniques, including string-based transformations using scripting languages, compiler-based transformations through direct modification of intermediate representations, rule-based term rewriting, and semantic patching. It discusses challenges in applying program transformations at scale and the need for reusable transformation infrastructures. Example tools that apply different techniques are described, such as Stratego/XT for term rewriting and Coccinelle for semantic patching of C code.
This document provides an overview of the Model-Driven Engineering (MDE) research activities at the MISO group at the Autonomous University of Madrid. The MISO group conducts research in (meta-)modeling, domain-specific languages, and model transformations. Their work includes multi-level modeling, a-posteriori typing, modeling through social networks, active DSLs, transformation analysis, and techniques for improving the reusability of model transformations.
The document summarizes a presentation given by Theo Jungeblut on the topic of clean code. It discusses why clean code is important for maintainability. It also provides an overview of tools like Resharper, FxCop, StyleCop, GhostDoc and Code Contracts that can help write clean code. Principles of clean code like KISS, DRY, SoC and patterns like dependency injection are explained. The presentation emphasizes that maintainability is key to preventing code from bringing a development organization to its knees.
Model-based Analysis of Large Scale Software Repositories - Markus Scheidgen
1) The document discusses a model-based framework for analyzing large scale software repositories. It involves reverse engineering software from version control systems to create abstract syntax tree models, applying transformations and queries to derive metrics and insights, and using Scala for flexible queries and transformations.
2) Two example analyses are described: calculating design structure matrices and propagation costs, and detecting cross-cutting concerns by analyzing co-changed methods within commits.
3) The goal is to enable scalable, language-independent analysis of ultra-large repositories through model-based techniques instead of analyzing raw code directly. This allows abstracting different languages and repositories with common models and analyses.
"Fast detection of Android malware using machine learning..." - Yandex
The talk covers the application of machine learning algorithms to detecting malicious Android applications. I will describe how a high-performance tool for this task was built at Yandex on top of MatrixNet, and demonstrate the cases in which analytical malware detection methods help block many simple samples of virus code. We will then discuss how such methods can be improved to detect more cunning malware.
Fast detection of Android malware: machine learning approach - Yury Leonychev
This is a my presentation for YaC 2013 about machine learning based system for fast classification of Android applications. Covered themes: how to find malware around thousands of applications in Store.
This document summarizes Praveen Varma's seminar on slicing object-oriented programs. It introduces different types of program slicing including static, dynamic, backward, and forward slicing. It discusses approaches to slicing like control flow graph based and dependence graph based methods. It also covers interprocedural slicing, static and dynamic slicing of object-oriented programs, and applications of program slicing. Limitations of existing work on object-oriented program slicing are presented along with the motivation, objectives, and work done on developing more efficient slicing techniques for object-oriented programs.
This document discusses program slicing techniques for object-oriented programs. It outlines previous approaches to static and dynamic slicing of OOPs and their limitations. The key points are:
1) Early approaches used system dependence graphs but had issues distinguishing between objects and imprecisely modeled polymorphism.
2) Newer work proposes an object-oriented system dependence graph (OSDG) that models objects as trees with members to address earlier limitations.
3) The document also discusses developing efficient algorithms for dynamic slicing of concurrent object-oriented programs.
Revisiting Code Ownership and Its Relationship with Software Quality in the S... - The University of Adelaide
This work was presented at The 38th International Conference on Software Engineering (ICSE2016).
Abstract: Code ownership establishes a chain of responsibility for modules in large software systems. Although prior work uncovers a link between code ownership heuristics and software quality, these heuristics rely solely on the authorship of code changes. In addition to authoring code changes, developers also make important contributions to a module by reviewing code changes. Indeed, recent work shows that reviewers are highly active in modern code review processes, often suggesting alternative solutions or providing updates to the code changes. In this paper, we complement traditional code ownership heuristics using code review activity. Through a case study of six releases of the large Qt and OpenStack systems, we find that: (1) 67%-86% of developers did not author any code changes for a module, but still actively contributed by reviewing 21%-39% of the code changes, (2) code ownership heuristics that are aware of reviewing activity share a relationship with software quality, and (3) the proportion of reviewers without expertise shares a strong, increasing relationship with the likelihood of having post-release defects. Our results suggest that reviewing activity captures an important aspect of code ownership, and should be included in approximations of it in future studies.
Using static code analysis tools and detecting and fixing identified issues is very important in order to improve the quality and security of the code baseline.
CodeChecker (https://github.com/Ericsson/codechecker ) is an open source analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy.
It provides a number of additional features:
- Good visualization of problems in the code
- Overview of results for the whole product
- Filtering
- Cross translational unit analysis and statistical checkers support
- Suppression handling
- And many others...
These features simplify the follow up of results and make it more efficient.
In the video, an overview of features and capabilities of CodeChecker is demonstrated as well as a description and recommendation of how to introduce new tools.
Recording of the demo: https://youtu.be/sQ2Qj0kHoRY published in C++ Dublin User group https://www.youtube.com/channel/UCZ4UNE_1IMUFfAhcdq7CMOg/
Useful links:
open source project: https://github.com/Ericsson/codechecker
http://codechecker-demo.eastus.cloudapp.azure.com/login.html#
demo/demo
https://codechecker.readthedocs.io/en/latest/
http://clang-analyzer.llvm.org/available_checks.html
http://clang.llvm.org/extra/clang-tidy/checks/list.html
Other related videos about the Clang Static Analyzer and CodeChecker that go a bit more deeply into how the Clang Static Analyzer works:
Clang Static Analysis - Meeting C++ 2016 Gabor Horvath
https://www.youtube.com/watch?v=UcxF6CVueDM
CppCon 2016: Gabor Horvath “Make Friends with the Clang Static Analysis Tools"
https://www.youtube.com/watch?v=AQF6hjLKsnM
4. Update Cycle of Apps
> 100K downloads: 10 days
1K - 100K downloads: 17 days
https://www.nowsecure.com/blog/2015/06/09/understanding-android-s-application-update-cycles/
5. Program Analysis Tools for Cost-effective and Timely Identification of Malware and Vulnerable Apps
6. STAMP
• A tool for static analysis of Android apps.
• Developed as part of a DARPA project at Stanford.
• Licensed by Quixey Inc.
• Can be licensed for commercial use: http://techfinder.stanford.edu/technology_detail.php?ID=30312
• I was responsible for the end-to-end design and implementation of its core components.
16. API Model
No source-to-sink flow is detected if the List class has no model.

String deviceId = getDeviceId();
List list = new LinkedList();
list.add(deviceId);
String s = (String) list.get(0);
sendToInternet(s);
17. API Model
• Models flow of values across the app-framework boundary
• Based on the abstract semantics of the analysis

java.util.LinkedList.java:

private Object elem;
public void add(Object elem){
  this.elem = elem;
}
public Object get(int i){
  return this.elem;
}
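To make the idea concrete, here is a runnable plain-Java stand-in for the model above (my sketch, not STAMP's actual model code): the entire list collapses to one abstract element, which over-approximates real list behavior but preserves taint flow from add to get.

```java
public class ListModelSketch {
    // Simplified stand-in for STAMP's LinkedList model: the whole list
    // collapses to a single abstract element, so anything added may be
    // returned by any get(), regardless of the index.
    static class ModeledList {
        private Object elem;
        public void add(Object elem) { this.elem = elem; }
        public Object get(int i) { return this.elem; }
    }

    public static void main(String[] args) {
        ModeledList list = new ModeledList();
        list.add("TAINTED:deviceId");   // tainted value flows into the model
        Object out = list.get(0);       // ...and back out
        System.out.println(out);
    }
}
```

With such a model in place, the source-to-sink flow in the snippet on slide 16 becomes visible to the analysis.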
18. Callback Model
Flow is not detected if onClick is not reachable.
button.setOnClickListener(
new OnClickListener(){
public void onClick(){
String deviceId = getDeviceId();
sendToInternet(deviceId);
}
});
19. Callback Model
public void callCallbacks()
{
onKeyDown(…);
onTouchDown(…);
….
}
Model for View class (above); example app code:
View v = new View(…);
20. Callback Model
public void callCallbacks()
{
onKeyDown(…);
onTouchDown(…);
….
}
View v = new View(…);
v.callCallbacks();
Model for View class (above); example app code.
21. Callgraph Construction in Java
class A {
  void foo(){ }
}
class B extends A {
  void foo(){ }
}

A x = new B();
x.foo(); // B:foo is called
A y = new A();
y.foo(); // A:foo is called
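The dispatch facts asserted on the slide can be checked with a runnable transcription (the print statements are my addition):

```java
public class DispatchSketch {
    static class A { void foo() { System.out.println("A:foo is called"); } }
    static class B extends A { void foo() { System.out.println("B:foo is called"); } }

    public static void main(String[] args) {
        A x = new B();
        x.foo();   // dynamic type B wins: prints "B:foo is called"
        A y = new A();
        y.foo();   // prints "A:foo is called"
    }
}
```

This is exactly why call graph construction must account for subtypes: the static type of `x` is A, but the call target is B.foo.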
22. Phantom Objects Model
• p does not point to any object
• So, no outgoing call edge from p.foo()
T p = aMethodWithoutModel();
p.foo();
23. Phantom Objects Model
• Returns a special abstract object
• Default model for methods that don't have any model
• Required to build a sound call graph
T aMethodWithoutModel()
{
return new AnySubTypeOfT();
}
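The default model on this slide can be mirrored in runnable plain Java; the interface `T` and the printout are my additions for illustration:

```java
public class PhantomObjectSketch {
    interface T { void foo(); }

    // Placeholder standing in for "any subtype of T" (name from the slide).
    static class AnySubTypeOfT implements T {
        public void foo() { System.out.println("AnySubTypeOfT.foo"); }
    }

    // Default model for an unmodeled method returning T: instead of leaving
    // p pointing at no object (and p.foo() with no call edge), return a
    // special abstract object so the call graph stays sound.
    static T aMethodWithoutModel() { return new AnySubTypeOfT(); }

    public static void main(String[] args) {
        T p = aMethodWithoutModel();
        p.foo();   // now has a call target
    }
}
```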
24. Talk Outline
• Models in STAMP
• Analysis Overview
• Implementation and Experiments
• Semantic Signatures for Malware Detection
25. Example
m = source();
n = foo(m);
sink(n);

Is there a flow from source to sink? Yes.

// Model of method source:
@Flow(from="$SRC", to="@return")
A source(){
  x = new A();
  return x;
}

// Model of method foo:
@Flow(from="u", to="@return")
B foo(A u){
  y = new B();
  return y;
}

// Model of method sink:
@Flow(from="z", to="!SINK")
void sink(B z){
}
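One plausible way such @Flow annotations could be declared and enumerated in plain Java is sketched below; the annotation definition, its retention policy, and the reflection loop are my assumptions for illustration, not STAMP's actual implementation:

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;

public class FlowAnnotationSketch {
    // Hypothetical stand-in for STAMP's @Flow model annotation.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface Flow {
        String from();
        String to();
    }

    @Flow(from = "$SRC", to = "@return")
    static String source() { return "secret"; }

    @Flow(from = "z", to = "!SINK")
    static void sink(String z) { }

    public static void main(String[] args) {
        // A model loader could enumerate annotated methods like this:
        for (Method m : FlowAnnotationSketch.class.getDeclaredMethods()) {
            Flow f = m.getAnnotation(Flow.class);
            if (f != null) {
                System.out.println(m.getName() + ": " + f.from() + " -> " + f.to());
            }
        }
    }
}
```

Declaring models as annotations keeps them next to ordinary method signatures, which is what makes them easy to write and maintain.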
32. Putting Graphs Together
[Flow graph: the models of source, foo, and sink are stitched together with the app statements; nodes $SRC, x, m, u, y, n, z, and !SINK are connected by src, new, assign, xfer, and sink edges.]
33. Checking CFL Membership
[Same combined flow graph as the previous slide, with the source-to-sink path highlighted.]

S$SRC -> !SINK: src assign new new assign assign assign xfer assign new new assign assign assign sink
34. Checking CFL Membership
There is a flow from $SRC to !SINK iff S$SRC -> !SINK is in the context-free language C.

S$SRC -> !SINK: src assign new new assign assign assign xfer assign new new assign assign assign sink
36. Why Context-free Language?
Context-free language enforces field-sensitivity.
// Flow exists:
m.f = source();
x = m.f;
sink(x);

// Flow does not exist:
m.f = source();
x = m.g;
sink(x);
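Executed as plain Java, the two cases behave exactly as claimed; modeling taint as a string value is my convention for illustration:

```java
public class FieldSensitivitySketch {
    static class M { String f; String g; }

    static String source() { return "TAINTED"; }
    static void sink(String x) { System.out.println("sink received: " + x); }

    public static void main(String[] args) {
        M m = new M();

        // Flow exists: read the same field that was written.
        m.f = source();
        sink(m.f);

        // No flow: read a different field.
        m.f = source();
        sink(m.g);   // g was never assigned, so null reaches the sink
    }
}
```

A field-insensitive analysis would conflate f and g and report both calls as tainted; matching field reads to field writes in the grammar rules out the second one.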
37. Need for Context Sensitivity
[Graph: a single, context-insensitive summary of foo merges both call sites, so $SRC reaches !SINK through both n and m.]

a = source();
n = foo(a);
m = foo(b);
sink(m);

Object foo(Object p){
  return p;
}
38. Need for Context Sensitivity
[Graph: cloning foo's parameter/return nodes per call site separates the two calls, so only n is tainted and sink(m) is clean.]

a = source();
n = foo(a);
m = foo(b);
sink(m);

Object foo(Object p){
  return p;
}
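The difference the two slides illustrate can be sketched as a tiny taint computation in plain Java (my illustration of the idea, not an excerpt from STAMP):

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class ContextSensitivitySketch {
    public static void main(String[] args) {
        // Call sites of foo(p){ return p; } from the slide:
        //   n = foo(a);  with a tainted (a = source())
        //   m = foo(b);  with b untainted
        Map<String, Boolean> taintedArg = new LinkedHashMap<>();
        taintedArg.put("n", true);   // argument a is tainted
        taintedArg.put("m", false);  // argument b is not

        // Context-insensitive: one shared summary for foo, so every return
        // is tainted as soon as ANY argument at ANY call site is tainted.
        boolean anyTainted = taintedArg.containsValue(true);
        for (String ret : taintedArg.keySet()) {
            System.out.println("insensitive: " + ret + " tainted = " + anyTainted);
        }

        // Context-sensitive (cloning): foo's summary is cloned per call
        // site, so each return depends only on its own argument.
        for (Map.Entry<String, Boolean> e : taintedArg.entrySet()) {
            System.out.println("sensitive: " + e.getKey() + " tainted = " + e.getValue());
        }
    }
}
```

The context-insensitive pass reports m as tainted (a false positive); the cloned version does not, which is the precision the next slide's cloning-based approach buys.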
39. Context Sensitivity in STAMP
• Cloning-based approach: clone the subgraph for a method for each of its contexts
• Contexts are either a k-length sequence of callsites or abstract objects (i.e., object-sensitive)
• Abstract objects are cloned per context (i.e., support heap cloning)
40. Context Sensitivity in STAMP
• The size of the resulting relations (e.g., graphs) is huge (e.g., billions of edges for k = 2)
• Relations are compactly stored as Binary Decision Diagrams (BDDs)
• Analysis rules are written in Datalog
41. Talk Outline
• Models in STAMP
• Analysis Overview
• Implementation and Experiments
• Semantic Signatures for Malware Detection
42. STAMP Implementation
• Analyzes Dalvik bytecode (uses Soot's Dexpler front end)
• Currently has models for ~1300 methods in 176 Android classes
• ~13K lines of Java on top of open-source tools like Soot and apktool
45. Symantec Experiment
• 84 apps collected from the wild
• Goal: report source-sink flows
  o sources: Phone number, Contacts, Call log, SMS messages, Location
  o sinks: Internet, SMS
• 124 actual flows identified using proprietary tools
46. False Positive/Negatives of STAMP
False positive rate: 16%. False negative rate: 14%.
Green - flows reported by STAMP
Red - actual flows that the apps have
49. Scalability Experiment
• About 90% of apps are of size 10M or less.
• For 90 of the 94 apps that are of size 10M or less and that are in the set of 100 randomly picked apps, STAMP takes at most 10 minutes.
50. Lessons Learned
Manually identifying which models are missing and need to be added is very hard.
Enabled STAMP to recommend:
• methods that potentially require models
• potential transfer annotations
• potential callback methods
51. Identifying Missing Transfer Models
Method m potentially requires a model if:
• m is a method in the Android framework
• m does not have a model yet
• one or more parameters of m are tainted
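The three conditions above amount to a single conjunction; a trivial plain-Java sketch (the names are mine, the slide only lists the conditions):

```java
public class MissingModelHeuristic {
    // A method potentially requires a model iff it is a framework method,
    // has no model yet, and receives at least one tainted parameter.
    static boolean potentiallyNeedsModel(boolean inAndroidFramework,
                                         boolean hasModel,
                                         boolean anyParamTainted) {
        return inAndroidFramework && !hasModel && anyParamTainted;
    }

    public static void main(String[] args) {
        // An unmodeled framework method receiving a tainted device id:
        System.out.println(potentiallyNeedsModel(true, false, true));
        // The same method once a model has been written:
        System.out.println(potentiallyNeedsModel(true, true, true));
    }
}
```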
52. Identifying Missing Callback Models
Method m is a potential callback if:
• m is a method in the app code
• m is currently unreachable
• m overrides a method in the Android framework
53. Lessons Learned
Sometimes a simple tweak to the app can eliminate a lot of imprecision.

Runnable r = new Runnable(){ … };
r.run();

Runnable r = new Runnable(){ … };
myactivity.runOnUiThread(r);
55. Talk Outline
• Models in STAMP
• Analysis Overview
• Implementation and Experiments
• Semantic Signatures for Malware Detection
56. Commercial AV Tools on Obfuscated Malware Samples
• 17 known malware apps, each from a different family
• Three types of syntactic transformations:
1. Change the names of components, classes, methods, and fields.
2. Redirect all invocations to methods of android.* classes through proxy methods.
3. Encode string constants.
57. Commercial AV Tools on Obfuscated Malware
Comparison between Apposcopy and other AV tools on obfuscated malware
58. GoldDream Malware Signature
1. App registers a receiver for system events such as SMS messages or outgoing phone calls.
2. When these events trigger, the code in the receiver starts a background service.
3. The service sends private user information, such as the phone's unique IMEI number and subscriber ID, to a remote server.
63. Mostly-benign Apps
• 11,215 apps from Google Play
• Apposcopy identified 16 apps as malware
• Compared against VirusTotal (which provides aggregated reports from ~50 AV tools)
• 13 apps are confirmed malicious
• Remaining 3 are classified as Adware by
VirusTotal tools
64. Acknowledgement
Prof. Alex Aiken
Prof. John Mitchell
Prof. Mayur Naik
Prof. Isil Dillig
Prof. Tom Dillig
Dr. Jason Franklin
Osbert Bastani
Manolis Papadakis
Lazaro Clapp
Patrick Mutchler
Yu Feng
Ravi Mangal
66. Minimize Manual Effort
1. Only a small number of methods require explicit models.
2. Models are easy to write, debug, and maintain.
3. STAMP points out methods that might be missing models.
4. Many models can be automatically inferred.
67. Model Inference
[Same combined flow graph and derivation string as in the CFL-membership slides, revisited here in the context of automatic model inference.]
• Osbert Bastani’s work
75. Other Analysis Configuration
• Context sensitivity:
  • Callsite- or object-sensitivity?
  • Use the same type of context sensitivity for all callsites?
  • What value of k in context sensitivity?
  • The same k for every call site?
  • Use heap cloning for all allocation sites (including phantom objects)?
76. Other Analysis Configuration
• Which type of analysis: exhaustive, demand-driven, client-driven, etc.?
• Resolve reflection?
• Handle exceptional control and data flow?
• How to handle special types of entities:
  • Variables of String and StringBuffer types
  • String and class constants
  • …