Visible to the public Biblio

Filters: Keyword is supply chain risk assessment  [Clear All Filters]
2022-09-09
Hong, TingYi, Kolios, Athanasios.  2020.  A Framework for Risk Management of Large-Scale Organisation Supply Chains. 2020 International Conference on Decision Aid Sciences and Application (DASA). :948—953.
This paper establishes a novel approach to supply chain risk management (SCRM), through establishing a risk assessment framework addressing the importance of SCRM and supply chain visibility (SCV). Through a quantitative assessment and empirical evidence, the paper also discusses the specific risks within the manufacturing industry. Based on survey data collected and a case study from Asia, the paper finds that supplier delays and poor product quality can be considered as prevailing risks relevant to the manufacturing industry. However, as supply chain risks are inter-related, one must increase supply chain visibility to fully consider risk causes that ultimately lead to the risk effects. The framework established can be applied to different industries with the view to inform organisations on prevailing risks and prompt motivate improvement in supply chain visibility, thereby, modify risk management strategies. Through suggesting possible risk sources, organisations can adopt proactive risk mitigation strategies so as to more efficiently manage their exposure.
Kirillova, Elena A., Shavaev, Azamat A., Wenqi, Xi, Huiting, Guo, Suyu, Wang.  2020.  Information Security of Logistics Services. 2020 International Conference Quality Management, Transport and Information Security, Information Technologies (IT&QM&IS). :103—106.

Information security of logistics services. Information security of logistics services is understood as a complex activity aimed at using information and means of its processing in order to increase the level of protection and normal functioning of the object's information environment. At the same time the main recommendations for ensuring information security of logistics processes include: logistics support of processes for ensuring the security of information flows of the enterprise; assessment of the quality and reliability of elements, reliability and efficiency of obtaining information about the state of logistics processes. However, it is possible to assess the level of information security within the organization's controlled part of the supply chain through levels and indicators. In this case, there are four levels and elements of information security of supply chains.

Kieras, Timothy, Farooq, Muhammad Junaid, Zhu, Quanyan.  2020.  Modeling and Assessment of IoT Supply Chain Security Risks: The Role of Structural and Parametric Uncertainties. 2020 IEEE Security and Privacy Workshops (SPW). :163—170.

Supply chain security threats pose new challenges to security risk modeling techniques for complex ICT systems such as the IoT. With established techniques drawn from attack trees and reliability analysis providing needed points of reference, graph-based analysis can provide a framework for considering the role of suppliers in such systems. We present such a framework here while highlighting the need for a component-centered model. Given resource limitations when applying this model to existing systems, we study various classes of uncertainties in model development, including structural uncertainties and uncertainties in the magnitude of estimated event probabilities. Using case studies, we find that structural uncertainties constitute a greater challenge to model utility and as such should receive particular attention. Best practices in the face of these uncertainties are proposed.

2022-08-26
VanYe, Christopher M., Li, Beatrice E., Koch, Andrew T., Luu, Mai N., Adekunle, Rahman O., Moghadasi, Negin, Collier, Zachary A., Polmateer, Thomas L., Barnes, David, Slutzky, David et al..  2021.  Trust and Security of Embedded Smart Devices in Advanced Logistics Systems. 2021 Systems and Information Engineering Design Symposium (SIEDS). :1—6.

This paper addresses security and risk management of hardware and embedded systems across several applications. There are three companies involved in the research. First is an energy technology company that aims to leverage electric- vehicle batteries through vehicle to grid (V2G) services in order to provide energy storage for electric grids. Second is a defense contracting company that provides acquisition support for the DOD's conventional prompt global strike program (CPGS). These systems need protections in their production and supply chains, as well as throughout their system life cycles. Third is a company that deals with trust and security in advanced logistics systems generally. The rise of interconnected devices has led to growth in systems security issues such as privacy, authentication, and secure storage of data. A risk analysis via scenario-based preferences is aided by a literature review and industry experts. The analysis is divided into various sections of Criteria, Initiatives, C-I Assessment, Emergent Conditions (EC), Criteria-Scenario (C-S) relevance and EC Grouping. System success criteria, research initiatives, and risks to the system are compiled. In the C-I Assessment, a rating is assigned to signify the degree to which criteria are addressed by initiatives, including research and development, government programs, industry resources, security countermeasures, education and training, etc. To understand risks of emergent conditions, a list of Potential Scenarios is developed across innovations, environments, missions, populations and workforce behaviors, obsolescence, adversaries, etc. The C-S Relevance rates how the scenarios affect the relevance of the success criteria, including cost, schedule, security, return on investment, and cascading effects. The Emergent Condition Grouping (ECG) collates the emergent conditions with the scenarios. The generated results focus on ranking Initiatives based on their ability to negate the effects of Emergent Conditions, as well as producing a disruption score to compare a Potential Scenario's impacts to the ranking of Initiatives. The results presented in this paper are applicable to the testing and evaluation of security and risk for a variety of embedded smart devices and should be of interest to developers, owners, and operators of critical infrastructure systems.

2020-01-27
Yang, Kun, Forte, Domenic, Tehranipoor, Mark M..  2017.  CDTA: A Comprehensive Solution for Counterfeit Detection, Traceability, and Authentication in the IoT Supply Chain. ACM Transactions on Design Automation of Electronic Systems (TODAES). 22:42:1-42:31.

The Internet of Things (IoT) is transforming the way we live and work by increasing the connectedness of people and things on a scale that was once unimaginable. However, the vulnerabilities in the IoT supply chain have raised serious concerns about the security and trustworthiness of IoT devices and components within them. Testing for device provenance, detection of counterfeit integrated circuits (ICs) and systems, and traceability of IoT devices are challenging issues to address. In this article, we develop a novel radio-frequency identification (RFID)-based system suitable for counterfeit detection, traceability, and authentication in the IoT supply chain called CDTA. CDTA is composed of different types of on-chip sensors and in-system structures that collect necessary information to detect multiple counterfeit IC types (recycled, cloned, etc.), track and trace IoT devices, and verify the overall system authenticity. Central to CDTA is an RFID tag employed as storage and a channel to read the information from different types of chips on the printed circuit board (PCB) in both power-on and power-off scenarios. CDTA sensor data can also be sent to the remote server for authentication via an encrypted Ethernet channel when the IoT device is deployed in the field. A novel board ID generator is implemented by combining outputs of physical unclonable functions (PUFs) embedded in the RFID tag and different chips on the PCB. A light-weight RFID protocol is proposed to enable mutual authentication between RFID readers and tags. We also implement a secure interchip communication on the PCB. Simulations and experimental results using Spartan 3E FPGAs demonstrate the effectiveness of this system. The efficiency of the radio-frequency (RF) communication has also been verified via a PCB prototype with a printed slot antenna.

Xuefeng, He, Chi, Zhang, Yuewu, Jing, Xingzheng, Ai.  2019.  Risk Evaluation of Agricultural Product Supply Chain Based on BP Neural Network. 2019 16th International Conference on Service Systems and Service Management (ICSSSM). :1–8.

The potential risk of agricultural product supply chain is huge because of the complex attributes specific to it. Actually the safety incidents of edible agricultural product emerge frequently in recent years, which expose the fragility of the agricultural product supply chain. In this paper the possible risk factors in agricultural product supply chain is analyzed in detail, the agricultural product supply chain risk evaluation index system and evaluation model are established, and an empirical analysis is made using BP neural network method. The results show that the risk ranking of the simulated evaluation is consistent with the target value ranking, and the risk assessment model has a good generalization and extension ability, and the model has a good reference value for preventing agricultural product supply chain risk.

Xue, Hong, Wang, Jingxuan, Zhang, Miao, Wu, Yue.  2019.  Emergency Severity Assessment Method for Cluster Supply Chain Based on Cloud Fuzzy Clustering Algorithm. 2019 Chinese Control Conference (CCC). :7108–7114.

Aiming at the composite uncertainty characteristics and high-dimensional data stream characteristics of the evaluation index with both ambiguity and randomness, this paper proposes a emergency severity assessment method for cluster supply chain based on cloud fuzzy clustering algorithm. The summary cloud model generation algorithm is created. And the multi-data fusion method is applied to the cloud model processing of the evaluation indexes for high-dimensional data stream with ambiguity and randomness. The synopsis data of the emergency severity assessment indexes are extracted. Based on time attenuation model and sliding window model, the data stream fuzzy clustering algorithm for emergency severity assessment is established. The evaluation results are rationally optimized according to the generalized Euclidean distances of the cluster centers and cluster microcluster weights, and the severity grade of cluster supply chain emergency is dynamically evaluated. The experimental results show that the proposed algorithm improves the clustering accuracy and reduces the operation time, as well as can provide more accurate theoretical support for the early warning decision of cluster supply chain emergency.

Sinclair, Dara, Shahriar, Hossain, Zhang, Chi.  2019.  Security Requirement Prototyping with Hyperledger Composer for Drug Supply Chain: A Blockchain Application. Proceedings of the 3rd International Conference on Cryptography, Security and Privacy. :158–163.

Blockchain may have a potential to prove its value for the new US FDA regulatory requirements defined in the Drug Supply Chain Security Act (DSCSA) as innovative solutions are needed to support the highly complex pharmaceutical industry supply chain as it seeks to comply. In this paper, we examine how blockchain can be applied to meet with the security compliance requirement for the pharmaceutical supply chain. We explore the online playground of Hyperledger Composer, a set of tools for building blockchain business networks, to model the data and access control rules for the drug supply chain. Our experiment shows that this solution can provide a prototyping opportunity for compliance checking with certain limitations.

Shamsi, Kaveh, Li, Meng, Plaks, Kenneth, Fazzari, Saverio, Pan, David Z., Jin, Yier.  2019.  IP Protection and Supply Chain Security through Logic Obfuscation: A Systematic Overview. ACM Transactions on Design Automation of Electronic Systems (TODAES). 24:65:1-65:36.

The globalization of the semiconductor supply chain introduces ever-increasing security and privacy risks. Two major concerns are IP theft through reverse engineering and malicious modification of the design. The latter concern in part relies on successful reverse engineering of the design as well. IC camouflaging and logic locking are two of the techniques under research that can thwart reverse engineering by end-users or foundries. However, developing low overhead locking/camouflaging schemes that can resist the ever-evolving state-of-the-art attacks has been a challenge for several years. This article provides a comprehensive review of the state of the art with respect to locking/camouflaging techniques. We start by defining a systematic threat model for these techniques and discuss how various real-world scenarios relate to each threat model. We then discuss the evolution of generic algorithmic attacks under each threat model eventually leading to the strongest existing attacks. The article then systematizes defences and along the way discusses attacks that are more specific to certain kinds of locking/camouflaging. The article then concludes by discussing open problems and future directions.

Sekine, Junko, Campos-Náñnez, Enrique, Harrald, John R., Abeledo, Hernán.  2006.  A Simulation-Based Approach to Trade-off Analysis of Port Security. Proceedings of the 38th Conference on Winter Simulation. :521–528.

Motivated by the September 11 attacks, we are addressing the problem of policy analysis of supply-chain security. Considering the potential economic and operational impacts of inspection together with the inherent difficulty of assigning a reasonable cost to an inspection failure call for a policy analysis methodology in which stakeholders can understand the trade-offs between the diverse and potentially conflicting objectives. To obtain this information, we used a simulation-based methodology to characterize the set of Pareto optimal solutions with respect to the multiple objectives represented in the decision problem. Our methodology relies on simulation and the response surface method (RSM) to model the relationships between inspection policies and relevant stakeholder objectives in order to construct a set of Pareto optimal solutions. The approach is illustrated with an application to a real-world supply chain.

Salamai, Abdullah, Hussain, Omar, Saberi, Morteza.  2019.  Decision Support System for Risk Assessment Using Fuzzy Inference in Supply Chain Big Data. 2019 International Conference on High Performance Big Data and Intelligent Systems (HPBD IS). :248–253.

Currently, organisations find it difficult to design a Decision Support System (DSS) that can predict various operational risks, such as financial and quality issues, with operational risks responsible for significant economic losses and damage to an organisation's reputation in the market. This paper proposes a new DSS for risk assessment, called the Fuzzy Inference DSS (FIDSS) mechanism, which uses fuzzy inference methods based on an organisation's big data collection. It includes the Emerging Association Patterns (EAP) technique that identifies the important features of each risk event. Then, the Mamdani fuzzy inference technique and several membership functions are evaluated using the firm's data sources. The FIDSS mechanism can enhance an organisation's decision-making processes by quantifying the severity of a risk as low, medium or high. When it automatically predicts a medium or high level, it assists organisations in taking further actions that reduce this severity level.

Nakamura, Emilio, Ribeiro, Sérgio.  2019.  Risk-Based Attributed Access Control Modelling in a Health Platform: Results from Project CityZen. 2019 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC). :391–398.

This paper presents an access control modelling that integrates risk assessment elements in the attribute-based model to organize the identification, authentication and authorization rules. Access control is complex in integrated systems, which have different actors accessing different information in multiple levels. In addition, systems are composed by different components, much of them from different developers. This requires a complete supply chain trust to protect the many existent actors, their privacy and the entire ecosystem. The incorporation of the risk assessment element introduces additional variables like the current environment of the subjects and objects, time of the day and other variables to help produce more efficient and effective decisions in terms of granting access to specific objects. The risk-based attributed access control modelling was applied in a health platform, Project CityZen.

Akinrolabu, Olusola, New, Steve, Martin, Andrew.  2019.  Assessing the Security Risks of Multicloud SaaS Applications: A Real-World Case Study. 2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/ 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom). :81–88.

Cloud computing is widely believed to be the future of computing. It has grown from being a promising idea to one of the fastest research and development paradigms of the computing industry. However, security and privacy concerns represent a significant hindrance to the widespread adoption of cloud computing services. Likewise, the attributes of the cloud such as multi-tenancy, dynamic supply chain, limited visibility of security controls and system complexity, have exacerbated the challenge of assessing cloud risks. In this paper, we conduct a real-world case study to validate the use of a supply chaininclusive risk assessment model in assessing the risks of a multicloud SaaS application. Using the components of the Cloud Supply Chain Cyber Risk Assessment (CSCCRA) model, we show how the model enables cloud service providers (CSPs) to identify critical suppliers, map their supply chain, identify weak security spots within the chain, and analyse the risk of the SaaS application, while also presenting the value of the risk in monetary terms. A key novelty of the CSCCRA model is that it caters for the complexities involved in the delivery of SaaS applications and adapts to the dynamic nature of the cloud, enabling CSPs to conduct risk assessments at a higher frequency, in response to a change in the supply chain.

2020-01-21
Hou, Ye, Such, Jose, Rashid, Awais.  2019.  Understanding Security Requirements for Industrial Control System Supply Chains. 2019 IEEE/ACM 5th International Workshop on Software Engineering for Smart Cyber-Physical Systems (SEsCPS). :50–53.

We address the need for security requirements to take into account risks arising from complex supply chains underpinning cyber-physical infrastructures such as industrial control systems (ICS). We present SEISMiC (SEcurity Industrial control SysteM supply Chains), a framework that takes into account the whole spectrum of security risks - from technical aspects through to human and organizational issues - across an ICS supply chain. We demonstrate the effectiveness of SEISMiC through a supply chain risk assessment of Natanz, Iran's nuclear facility that was the subject of the Stuxnet attack.

2018-12-03
Molka-Danielsen, J., Engelseth, P., Olešnaníková, V., Šarafín, P., Žalman, R..  2017.  Big Data Analytics for Air Quality Monitoring at a Logistics Shipping Base via Autonomous Wireless Sensor Network Technologies. 2017 5th International Conference on Enterprise Systems (ES). :38–45.
The indoor air quality in industrial workplace buildings, e.g. air temperature, humidity and levels of carbon dioxide (CO2), play a critical role in the perceived levels of workers' comfort and in reported medical health. CO2 can act as an oxygen displacer, and in confined spaces humans can have, for example, reactions of dizziness, increased heart rate and blood pressure, headaches, and in more serious cases loss of consciousness. Specialized organizations can be brought in to monitor the work environment for limited periods. However, new low cost wireless sensor network (WSN) technologies offer potential for more continuous and autonomous assessment of industrial workplace air quality. Central to effective decision making is the data analytics approach and visualization of what is potentially, big data (BD) in monitoring the air quality in industrial workplaces. This paper presents a case study that monitors air quality that is collected with WSN technologies. We discuss the potential BD problems. The case trials are from two workshops that are part of a large on-shore logistics base a regional shipping industry in Norway. This small case study demonstrates a monitoring and visualization approach for facilitating BD in decision making for health and safety in the shipping industry. We also identify other potential applications of WSN technologies and visualization of BD in the workplace environments; for example, for monitoring of other substances for worker safety in high risk industries and for quality of goods in supply chain management.
Larsson, A., Ibrahim, O., Olsson, L., Laere, J. van.  2017.  Agent based simulation of a payment system for resilience assessments. 2017 IEEE International Conference on Industrial Engineering and Engineering Management (IEEM). :314–318.

We provide an agent based simulation model of the Swedish payment system. The simulation model is to be used to analyze the consequences of loss of functionality, or disruptions of the payment system for the food and fuel supply chains as well as the bank sector. We propose a gaming simulation approach, using a computer based role playing game, to explore the collaborative responses from the key actors, in order to evoke and facilitate collective resilience.

Matta, R. de, Miller, T..  2018.  A Strategic Manufacturing Capacity and Supply Chain Network Design Contingency Planning Approach. 2018 IEEE Technology and Engineering Management Conference (TEMSCON). :1–6.

We develop a contingency planning methodology for how a firm would build a global supply chain network with reserve manufacturing capacity which can be strategically deployed by the firm in the event actual demand exceeds forecast. The contingency planning approach is comprised of: (1) a strategic network design model for finding the profit maximizing plant locations, manufacturing capacity and inventory investments, and production level and product distribution; and (2) a scenario planning and risk assessment scheme to analyze the costs and benefits of alternative levels of manufacturing capacity and inventory investments. We develop an efficient heuristic procedure to solve the model. We show numerically how a firm would use our approach to explore and weigh the potential upside benefits and downside risks of alternative strategies.

Shearon, C. E..  2018.  IPC-1782 standard for traceability of critical items based on risk. 2018 Pan Pacific Microelectronics Symposium (Pan Pacific). :1–3.

Traceability has grown from being a specialized need for certain safety critical segments of the industry, to now being a recognized value-add tool for the industry as a whole that can be utilized for manual to automated processes End to End throughout the supply chain. The perception of traceability data collection persists as being a burden that provides value only when the most rare and disastrous of events take place. Disparate standards have evolved in the industry, mainly dictated by large OEM companies in the market create confusion, as a multitude of requirements and definitions proliferate. The intent of the IPC-1782 project is to bring the whole principle of traceability up to date and enable business to move faster, increase revenue, increase productivity, and decrease costs as a result of increased trust. Traceability, as defined in this standard will represent the most effective quality tool available, becoming an intrinsic part of best practice operations, with the encouragement of automated data collection from existing manufacturing systems which works well with Industry 4.0, integrating quality, reliability, product safety, predictive (routine, preventative, and corrective) maintenance, throughput, manufacturing, engineering and supply-chain data, reducing cost of ownership as well as ensuring timeliness and accuracy all the way from a finished product back through to the initial materials and granular attributes about the processes along the way. The goal of this standard is to create a single expandable and extendable data structure that can be adopted for all levels of traceability and enable easily exchanged information, as appropriate, across many industries. The scope includes support for the most demanding instances for detail and integrity such as those required by critical safety systems, all the way through to situations where only basic traceability, such as for simple consumer products, are required. A key driver for the adoption of the standard is the ability to find a relevant and achievable level of traceability that exactly meets the requirement following risk assessment of the business. The wealth of data accessible from traceability for analysis (e.g.; Big Data, etc.) can easily and quickly yield information that can raise expectations of very significant quality and performance improvements, as well as providing the necessary protection against the costs of issues in the market and providing very timely information to regulatory bodies along with consumers/customers as appropriate. This information can also be used to quickly raise yields, drive product innovation that resonates with consumers, and help drive development tests & design requirements that are meaningful to the Marketplace. Leveraging IPC 1782 to create the best value of Component Traceability for your business.

Ma, Y..  2018.  Constructing Supply Chains in Open Source Software. 2018 IEEE/ACM 40th International Conference on Software Engineering: Companion (ICSE-Companion). :458–459.

The supply chain is an extremely successful way to cope with the risk posed by distributed decision making in product sourcing and distribution. While open source software has similarly distributed decision making and involves code and information flows similar to those in ordinary supply chains, the actual networks necessary to quantify and communicate risks in software supply chains have not been constructed on large scale. This work proposes to close this gap by measuring dependency, code reuse, and knowledge flow networks in open source software. We have done preliminary work by developing suitable tools and methods that rely on public version control data to measure and comparing these networks for R language and emberjs packages. We propose ways to calculate the three networks for the entirety of public software, evaluate their accuracy, and to provide public infrastructure to build risk assessment and mitigation tools for various individual and organizational participants in open sources software. We hope that this infrastructure will contribute to more predictable experience with OSS and lead to its even wider adoption.

Palmer, D., Fazzari, S., Wartenberg, S..  2017.  A virtual laboratory approach for risk assessment of aerospace electronics trust techniques. 2017 IEEE Aerospace Conference. :1–8.

This paper describes a novel aerospace electronic component risk assessment methodology and supporting virtual laboratory structure designed to augment existing supply chain management practices and aid in Microelectronics Trust Assurance. This toolkit and methodology applies structure to the unclear and evolving risk assessment problem, allowing quantification of key risks affecting both advanced and obsolete systems that rely on semiconductor technologies. The impacts of logistics & supply chain risk, technology & counterfeit risk, and faulty component risk on trusted and non-trusted procurement options are quantified. The benefits of component testing on part reliability are assessed and incorporated into counterfeit mitigation calculations. This toolkit and methodology seek to assist acquisition staff by providing actionable decision data regarding the increasing threat of counterfeit components by assessing the risks faced by systems, identifying mitigation strategies to reduce this risk, and resolving these risks through the optimal test and procurement path based on the component criticality risk tolerance of the program.

Schlüter, F., Hetterscheid, E..  2017.  A Simulation Based Evaluation Approach for Supply Chain Risk Management Digitalization Scenarios. 2017 International Conference on Industrial Engineering, Management Science and Application (ICIMSA). :1–5.

Supply Chain wide proactive risk management based on real-time risk related information transparency is required to increase the security of modern, volatile supply chains. At this time, none or only limited empirical/objective information about digitalization benefits for supply chain risk management is available. A method is needed, which draws conclusion on the estimation of costs and benefits of digitalization initiatives. The paper presents a flexible simulation based approach for assessing digitalization scenarios prior to realization. The assessment approach is integrated into a framework and its applicability will be shown in a case study of a German steel producer, evaluating digitalization effects on the Mean Lead time-at-risk.

Khayyam, Y. E., Herrou, B..  2017.  Risk assessment of the supply chain: Approach based on analytic hierarchy process and group decision-making. 2017 International Colloquium on Logistics and Supply Chain Management (LOGISTIQUA). :135–141.

Faced with a turbulent economic, political and social environment, Companies need to build effective risk management systems in their supply chains. Risk management can only be effective when the risks identification and analysis are enough accurate. In this perspective, this paper proposes a risk assessment approach based on the analytic hierarchy process and group decision making. In this study, a new method is introduced that will reduce the impact of incoherent judgments on group decision-making, It is, the “reduced weight function” that decreases the weight associated to a member of the expert panel based on the consistency of its judgments.

2017-10-27
Przybylek, Michal Roman, Wierzbicki, Adam, Michalewicz, Zbigniew.  2016.  Multi-hard Problems in Uncertain Environment. Proceedings of the Genetic and Evolutionary Computation Conference 2016. :381–388.
Real-world problems are usually composed of two or more (potentially NP-Hard) problems that are interdependent on each other. Such problems have been recently identified as "multi-hard problems" and various strategies for solving them have been proposed. One of the most successful of the strategies is based on a decomposition approach, where each of the components of a multi-hard problem is solved separately (by state-of-the-art solver) and then a negotiation protocol between the sub-solutions is applied to mediate a global solution. Multi-hardness is, however, not the only crucial aspect of real-world problems. Many real-world problems operate in a dynamically-changing, uncertain environment. Special approaches such as risk analysis and minimization may be applied in cases when we know the possible variants of constraints and criteria, as well as their probabilities. On the other hand, adaptive algorithms may be used in the case of uncertainty about criteria variants or probabilities. While such approaches are not new, their application to multi-hard problems has not yet been studied systematically. In this paper we extend the benchmark problem for multi-hardness with the aspect of uncertainty. We adapt the decomposition-based approach to this new setting, and compare it against another promising heuristic (Monte-Carlo Tree Search) on a large publicly available dataset. Our comparisons show that the decomposition-based approach outperforms the other heuristic in most cases.
2017-05-17
Mahmud, Gazi.  2016.  Making Invisible Things Visible: Tracking Down Known Vulnerabilities at 3000 Companies (Showcase). Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering. :25–25.

This year, software development teams around the world are consuming BILLIONS of open source and third-party components. The good news: they are accelerating time to market. The bad news: 1 in 17 components they are using include known security vulnerabilities. In this talk, I will describe what Sonatype, the company behind The Central Repository that supports Apache Maven, has learned from analyzing how thousands of applications use open source components. I will also discuss how organizations like Mayo Clinic, Exxon, Capital One, the U.S. FDA and Intuit are utilizing the principles of software supply chain automation to improve application security and how organizations can balance the need for speed with quality and security early in the development cycle.

Azriel, Leonid, Ginosar, Ran, Gueron, Shay, Mendelson, Avi.  2016.  Using Scan Side Channel for Detecting IP Theft. Proceedings of the Hardware and Architectural Support for Security and Privacy 2016. :1:1–1:8.

We present a process for detection of IP theft in VLSI devices that exploits the internal test scan chains. The IP owner learns implementation details in the suspect device to find evidence of the theft, while the top level function is public. The scan chains supply direct access to the internal registers in the device, thus making it possible to learn the logic functions of the internal combinational logic chunks. Our work introduces an innovative way of applying Boolean function analysis techniques for learning digital circuits with the goal of IP theft detection. By using Boolean function learning methods, the learner creates a partial dependency graph of the internal flip-flops. The graph is further partitioned using the SNN graph clustering method, and individual blocks of combinational logic are isolated. These blocks can be matched with known building blocks that compose the original function. This enables reconstruction of the function implementation to the level of pipeline structure. The IP owner can compare the resulting structure with his own implementation to confirm or refute that an IP violation has occurred. We demonstrate the power of the presented approach with a test case of an open source Bitcoin SHA-256 accelerator, containing more than 80,000 registers. With the presented method we discover the microarchitecture of the module, locate all the main components of the SHA-256 algorithm, and learn the module's flow control.