Visible to the public Biblio

Filters: Keyword is code analysis  [Clear All Filters]
2022-07-28
Obert, James, Loffredo, Tim.  2021.  Efficient Binary Static Code Data Flow Analysis Using Unsupervised Learning. 2021 4th International Conference on Artificial Intelligence for Industries (AI4I). :89—90.
The ever increasing need to ensure that code is reliably, efficiently and safely constructed has fueled the evolution of popular static binary code analysis tools. In identifying potential coding flaws in binaries, tools such as IDA Pro are used to disassemble the binaries into an opcode/assembly language format in support of manual static code analysis. Because of the highly manual and resource intensive nature involved with analyzing large binaries, the probability of overlooking potential coding irregularities and inefficiencies is quite high. In this paper, a light-weight, unsupervised data flow methodology is described which uses highly-correlated data flow graph (CDFGs) to identify coding irregularities such that analysis time and required computing resources are minimized. Such analysis accuracy and efficiency gains are achieved by using a combination of graph analysis and unsupervised machine learning techniques which allows an analyst to focus on the most statistically significant flow patterns while performing binary static code analysis.
2021-09-30
Boespflug, Etienne, Ene, Cristian, Mounier, Laurent, Potet, Marie-Laure.  2020.  Countermeasures Optimization in Multiple Fault-Injection Context. 2020 Workshop on Fault Detection and Tolerance in Cryptography (FDTC). :26–34.
Fault attacks consist in changing the program behavior by injecting faults at run-time, either at hardware or at software level. Their goal is to change the correct progress of the algorithm and hence, either to allow gaining some privilege access or to allow retrieving some secret information based on an analysis of the deviation of the corrupted behavior with respect to the original one. Countermeasures have been proposed to protect embedded systems by adding spatial, temporal or information redundancy at hardware or software level. First we define Countermeasures Check Point (CCP) and CCPs-based countermeasures as an important subclass of countermeasures. Then we propose a methodology to generate an optimal protection scheme for CCPs-based countermeasure. Finally we evaluate our work on a benchmark of code examples with respect to several Control Flow Integrity (CFI) oriented existing protection schemes.
2021-01-20
Hazhirpasand, M., Ghafari, M., Nierstrasz, O..  2020.  CryptoExplorer: An Interactive Web Platform Supporting Secure Use of Cryptography APIs. 2020 IEEE 27th International Conference on Software Analysis, Evolution and Reengineering (SANER). :632—636.

Research has shown that cryptographic APIs are hard to use. Consequently, developers resort to using code examples available in online information sources that are often not secure. We have developed a web platform, named CryptoExplorer, stocked with numerous real-world secure and insecure examples that developers can explore to learn how to use cryptographic APIs properly. This platform currently provides 3 263 secure uses, and 5 897 insecure uses of Java Cryptography Architecture mined from 2 324 Java projects on GitHub. A preliminary study shows that CryptoExplorer provides developers with secure crypto API use examples instantly, developers can save time compared to searching on the internet for such examples, and they learn to avoid using certain algorithms in APIs by studying misused API examples. We have a pipeline to regularly mine more projects, and, on request, we offer our dataset to researchers.

2019-09-26
Jackson, K. A., Bennett, B. T..  2018.  Locating SQL Injection Vulnerabilities in Java Byte Code Using Natural Language Techniques. SoutheastCon 2018. :1-5.

With so much our daily lives relying on digital devices like personal computers and cell phones, there is a growing demand for code that not only functions properly, but is secure and keeps user data safe. However, ensuring this is not such an easy task, and many developers do not have the required skills or resources to ensure their code is secure. Many code analysis tools have been written to find vulnerabilities in newly developed code, but this technology tends to produce many false positives, and is still not able to identify all of the problems. Other methods of finding software vulnerabilities automatically are required. This proof-of-concept study applied natural language processing on Java byte code to locate SQL injection vulnerabilities in a Java program. Preliminary findings show that, due to the high number of terms in the dataset, using singular decision trees will not produce a suitable model for locating SQL injection vulnerabilities, while random forest structures proved more promising. Still, further work is needed to determine the best classification tool.

2019-02-22
Yamamoto, Ryota, Yoshida, Norihiro, Takada, Hiroaki.  2018.  Towards Static Recovery of Micro State Transitions from Legacy Embedded Code. Proceedings of the 1st ACM SIGSOFT International Workshop on Automated Specification Inference. :1-4.

During the development of an embedded system, state transition models are frequently used for modeling at several abstraction levels. Unfortunately, specification documents including such model are often lost or not up to date during maintenance/reuse. Based on our experience in industrial collaboration, we present Micro State Transition Table (MSTT) to help developers understanding embedded code based on a fine-grained state transition model. We also discuss the challenges of static recovery of an MSTT.

2018-06-07
Chistyakov, Alexander, Pripadchev, Artem, Radchenko, Irina.  2017.  On Development of a Framework for Massive Source Code Analysis Using Static Code Analyzers. Proceedings of the 13th Central & Eastern European Software Engineering Conference in Russia. :20:1–20:3.
Authors describe architecture and implementation of an automated source code analyzing system which uses pluggable static code analyzers. The paper presents a module for gathering and analyzing the source code massively in a detailed manner. Authors also compare existing static code analyzers for Python programming language. A common format of storing results of code analysis for subsequent processing is introduced. Also, authors discuss methods of statistical processing and visualizing of raw analysis data.
2018-05-24
Hummel, Oliver, Burger, Stefan.  2017.  Analyzing Source Code for Automated Design Pattern Recommendation. Proceedings of the 3rd ACM SIGSOFT International Workshop on Software Analytics. :8–14.

Mastery of the subtleties of object-oriented programming lan- guages is undoubtedly challenging to achieve. Design patterns have been proposed some decades ago in order to support soft- ware designers and developers in overcoming recurring challeng- es in the design of object-oriented software systems. However, given that dozens if not hundreds of patterns have emerged so far, it can be assumed that their mastery has become a serious chal- lenge in its own right. In this paper, we describe a proof of con- cept implementation of a recommendation system that aims to detect opportunities for the Strategy design pattern that developers have missed so far. For this purpose, we have formalized natural language pattern guidelines from the literature and quantified them for static code analysis with data mined from a significant collection of open source systems. Moreover, we present the re- sults from analyzing 25 different open source systems with this prototype as it discovered more than 200 candidates for imple- menting the Strategy pattern and the encouraging results of a pre- liminary evaluation with experienced developers. Finally, we sketch how we are currently extending this work to other patterns.

2018-02-27
Nembhard, F., Carvalho, M., Eskridge, T..  2017.  A Hybrid Approach to Improving Program Security. 2017 IEEE Symposium Series on Computational Intelligence (SSCI). :1–8.

The security of computer programs and systems is a very critical issue. With the number of attacks launched on computer networks and software, businesses and IT professionals are taking steps to ensure that their information systems are as secure as possible. However, many programmers do not think about adding security to their programs until their projects are near completion. This is a major mistake because a system is as secure as its weakest link. If security is viewed as an afterthought, it is highly likely that the resulting system will have a large number of vulnerabilities, which could be exploited by attackers. One of the reasons programmers overlook adding security to their code is because it is viewed as a complicated or time-consuming process. This paper presents a tool that will help programmers think more about security and add security tactics to their code with ease. We created a model that learns from existing open source projects and documentation using machine learning and text mining techniques. Our tool contains a module that runs in the background to analyze code as the programmer types and offers suggestions of where security could be included. In addition, our tool fetches existing open source implementations of cryptographic algorithms and sample code from repositories to aid programmers in adding security easily to their projects.