Biblio

Risk management is an essential part of software security. Assemblyline is a software security tool developed by the Canadian Centre for Cyber Security (CCCS) for malware detection and analysis. In this paper, we examined the performance of Assemblyline for assessing the risk of executable files. We developed and examined use-cases where Assemblyline is included as part of a security safety net assessing vulnerabilities that would lead to risk. Finally, we considered Assemblyline’s utility in a continuous integration / delivery context using our test results.

IoT devices such as Google Home and Amazon Echo provide great convenience to our lives. Many of these IoT devices collect data including Personal Identifiable Information such as names, phone numbers, and addresses and thus IoT security is important. However, conducting security analysis on IoT devices is challenging due to the variety, the volume of the devices, and the special skills required for hardware and software analysis. In this research, we create and demonstrate a dynamic analysis security testing infrastructure for capturing network traffic from IoT devices. The network traffic is automatically mirrored to a server for live traffic monitoring and offline data analysis. Using the dynamic analysis security testing infrastructure, we conduct extensive security analysis on network traffic from Google Home and Amazon Echo. Our testing results indicate that Google Home enforces tighter security controls than Amazon Echo while both Google and Amazon devices provide the desired security level to protect user data in general. The dynamic analysis security testing infrastructure presented in the paper can be utilized to conduct similar security analysis on any IoT devices.

Like any other software engineering activity, assessing the security of a software system entails prioritizing the resources and minimizing the risks. Techniques ranging from the manual inspection to automated static and dynamic analyses are commonly employed to identify security vulnerabilities prior to the release of the software. However, none of these techniques is perfect, as static analysis is prone to producing lots of false positives and negatives, while dynamic analysis and manual inspection are unwieldy, both in terms of required time and cost. This research aims to improve these techniques by mining relevant information from vulnerabilities found in the app markets. The approach relies on the fact that many modern software systems, in particular mobile software, are developed using rich application development frameworks (ADF), allowing us to raise the level of abstraction for detecting vulnerabilities and thereby making it possible to classify the types of vulnerabilities that are encountered in a given category of application. By coupling this type of information with severity of the vulnerabilities, we are able to improve the efficiency of static and dynamic analyses, and target the manual effort on the riskiest vulnerabilities.

This paper presents software visualization tool that utilizes the modified city metaphor to represent software system and related analysis data in virtual reality environment. To better address all three kinds of software aspects we propose a new layouting algorithm that provides a higher level of detail and position the buildings according to the coupling between classes that they represent. Resulting layout allows us to visualize software metrics and source code modifications at the granularity of methods, visualize method invocations involved in program execution and to support the remodularization analysis. To further reduce the cognitive load and increase efficiency of 3D visualization we allow users to observe and interact with our city in immersive virtual reality environment that also provides a source code browsing feature. We demonstrate the use of our approach on two open-source systems.

Software structure analysis is crucial in software testing. Using complex network theory, we present a series of methods and build a two-layer network model for software analysis, including network metrics calculation and features extraction. Through identifying the critical functions and reused modules, we can reduce nearly 80% workload in software testing on average. Besides, the structure network shows some interesting features that can assist to understand the software more clearly.