Highly Configurable Systems - April 2017
Public Audience
Purpose: To highlight progress. Information is generally at a higher level which is accessible to the interested public.
PI(s): Jurgen Pfeffer
Co-PI(s): Christian Kastner
1) HARD PROBLEM(S) ADDRESSED (with short descriptions)
Scalability and compositionality
We address scalability of assurances for highly configurable systems with exponentially growing configuration spaces and with massive reuse of third-party libraries that evolve independently. A compositional analysis of options will allow the analysis to scale; for this it is important to investigate how options are implemented and how they interact. In addition, modular and timely recertification of changes and variations is essential to make security judgements scale in practice.
2) PUBLICATIONS
- F. Medeiros, M. Ribeiro, R. Gheyi, S. Apel, C. Kastner, B. Ferreira, L. Carvalho, and B. Fonseca. Discipline Matters: Refactoring of Preprocessor Directives in the #ifdef Hell. IEEE Transactions on Software Engineering (TSE), 2017.
- Discusses how to deal with variability implementations that are often written in a form that makes it very difficult to analyze. By refactoring preprocessor directives first, this opens the possibility for using more sophisticated analysis tools that can search for vulnerabilities and bugs across all configurations.
- Gabriel Ferreira. 2017. Software Certification in Practice: How Are Standards Being Applied? Proceedings of the 2017 IEEE/ACM 39th International Conference on Software Engineering Companion (ICSE '17).
- Discusses insights from an interview study with stakeholders in the software certification step (using Common Criteria and other standards), especially limitations of the current certification processes. This second publication is an extended abstract for the student research competition.
3) KEY HIGHLIGHTS
- Completed an interview study with 18 subject matter experts in software certification (Common Criteria security certifications and DO-178C safety certification), identifying the key obstacles of today's software certification and providing a baseline for further discussions that could push, among many other issues, compositional and automated analyses.
- Designed a prototype for dynamically sandboxing packages in the JavaScript/Node.js ecosystem to assure the absence of certain kinds of malicious package updates in npm packages. This addresses the risk that attackers with access to an npm account can easily compromise systems that automatically update dependencies by injecting unnoticed malicious code in minor updates. The work defends against such attacks for the commonly used and often very simple packages on npm.
4) COMMUNITY ENGAGEMENTS - if applicable
N/A
5) EDUCATIONAL ADVANCES - if applicable
N/A