Oracle Parfait: The Flavour of Real-World Vulnerability Detection


Paddy Krishnan
Oracle Labs, Australia

Abstract

The Parfait static code analysis tool focuses on detecting vulnerabilities that affect the C, C++, Java and PL/SQL languages. Parfait is used every day around the world by thousands of Oracle developers. Its focus has been on four key items expected of a commercial tool that lives in a commercial organisation:

– precision of results (i.e., high true positive rate),
– scalability (i.e., being able to quickly scan millions of lines of code),
– incremental analysis (i.e., run over deltas of the code quickly), and
– usability (i.e., ease of integration into standard build processes and reporting).

In this presentation, we will sample a flavour of Parfait. We explore some real-world challenges faced in the creation of a robust vulnerability detection tool, we look into two examples of vulnerabilities that severely affected the Java platform in 2012-13 and most machines in 2017-18, and we conclude by recounting what matters to developers for integration into today’s continuous integration and continuous delivery (CI/CD) pipelines.

Speaker’s Bio

Paddy Krishnan is a senior researcher at Oracle Labs in Brisbane. The Lab focuses on the use of Program Analysis to detect security vulnerabilities in software and enhancing the productivity of developers. Paddy has worked on detecting vulnerabilities in the JDK and Java-based web applications. He is also interested in automatic test generation and the use of machine-learning in program analysis. Prior to joining Oracle Labs, he was an academic for over 20 years with industrial research experience at Siemens Research, Germany and Tata Research (TRDDC), India. He is a Senior Member of both the ACM and the IEEE.

Machine Learning – The Same, but Different


Dr. Tony Lindsay
Director, STELaRLab, Lockheed Martin Australia

Abstract

Machine Learning algorithms have made impressive progress, especially over the last five years. They have captured the imagination of the media, and the public. This talk will provide an outline of the machine learning phenomenon, discuss some of the challenges associated with software maintenance of such data-driven algorithms, and present some of the approaches that might enable the next generation of intelligent systems.

Speaker’s Bio

Tony Lindsay is Director of the Science, Technology, Engineering Leadership and Research Laboratory (STELaRLab) for Lockheed Martin Corporation. STELaRLab is Lockheed Martin’s first international multidisciplinary Research and Development (R&D) Laboratory.
Prior to his role at Lockheed, Tony was with the Defence Science and Technology Group for twenty-eight years. His last position was Chief of the National Security and Intelligence, Surveillance and Reconnaissance Division. In that role he was responsible for R&D programs supporting Australian Defence Organisation (ADO) ISR Projects including major surveillance acquisitions and intelligence programs.
He has held the diplomatic post of Counsellor, Defence Science, at the Australian Embassy in Washington DC, and was Research Leader for Airborne Electronic Warfare (EW) R&D for the Royal Australian Air Force’s survivability programs. In 2006 Tony received the ADO’s highest award for R&D, the Defence Minister’s Award for Defence Science, for his leadership in enhancing the survivability of Australian Defence Force aircraft.
Tony began his career in EW, where his research included wide bandwidth photonic-based radio frequency (RF) signal processing, ultrafast sampling of RF signals, and development of advanced technology demonstrators for electronic support and electronic attack systems.
He graduated from James Cook University of North Queensland with a BSc double major in Physics and Mathematics, followed by a BSc (Hons) in Physics and a PhD in atomic physics.
He is a Fellow of the Australian Academy of Technology and Engineering, a Senior Member of the Institute of Electrical and Electronic Engineers, and a Member of the Association of Old Crows.


Human-centric Software Engineering


Professor John Grundy
Monash University, Australia

Abstract

Humans are a key part of software development, including customers, designers, coders, testers and end users. In this talk I discuss several examples from our recent work on handling human-centric issues when engineering software systems. This includes personality impact on aspects of software development, specifically testing and pair-programming; understanding interpersonal issues in agile practices; incorporating end user emotions into software requirements engineering; reporting usability defects; providing proactive design critics in software tools to augment human decision making; and finally the use of human-centric, domain-specific visual models for non-technical experts to specify and generate systems, without the need for software engineers at all. I assess the usefulness of these approaches and discuss key future directions.

Speaker’s Bio

Professor John Grundy is the Senior Deputy Dean for the Faculty of Information Technology and a Professor of Software Engineering at Monash University. Professor Grundy holds the BSc(Hons), MSc and PhD degrees, all in Computer Science, from the University of Auckland. Professor Grundy is a Fellow of Automated Software Engineering, Fellow of Engineers Australia, Certified Professional Engineer, Engineering Executive, Member of the ACM and Senior Member of the IEEE. His research is in the area of software engineering, primarily software tools and techniques, software architecture, model-driven software engineering, visual languages, software security engineering, service-based and component-based systems and user interfaces. His work is mostly applied and he does research, R&D and consulting work with a range of companies. These have included, among many others, Unisono, Uniting AgeWell, Mailguard, NICTA, Thales Australia, CA Labs, XSol, Orion Health, Peace Software, and Whitecloud Systems.

Automated Program Repair


Professor Abhik Roychoudhury
National University of Singapore

Abstract

Software systems are prone to vulnerabilities which can be exploited. One of the key difficulties in building trustworthy software systems is the lack of specifications, or intended behavior, or a description of how the software system is supposed to behave. In our work, we have developed semantic analysis techniques to extract or discover specifications from an erroneous or vulnerable program. Such a specification discovery process helps in automatically generating repairs, thereby moving closer to the goal of self-healing software systems. As more and more of our daily functionalities become software controlled, and with the impending arrival of technology like personalized drones, the need for self-healing software has never been greater. There exist exciting possibilities for combining semantics-based repair approaches with search-based repair, and this is under investigation in our research team. We envision that automated repair capabilities should be integrated into programming environments in the future. We will also discuss the possibility of using automated repair for grading and teaching of introductory programming to various learner groups.

Speaker’s Bio

Abhik Roychoudhury is a Professor of Computer Science at National University of Singapore. His research focuses on software testing and analysis, software security and trustworthy software construction. His research group has built scalable techniques for testing, debugging and repair of programs using systematic semantic analysis. He has been an ACM Distinguished Speaker (2013-19). He is currently leading a large five-year long targeted research effort funded by the National Research Foundation in the domain of trustworthy software. He is the Lead Principal Investigator of the Singapore Cyber-security Consortium, which is a consortium of over 35 companies in the cyber-security space engaging with academia for research and collaboration. He has served as Program Chair of the ACM International Symposium on Software Testing and Analysis (ISSTA) 2016 and Editorial Board member of IEEE Transactions on Software Engineering (TSE) from 2014 to 2018. Abhik received his Ph.D. in Computer Science from the State University of New York at Stony Brook in 2000.

The Unbearable Fragility of Software Documentation


Professor Martin Robillard
McGill University, Canada

Abstract

Software documentation is possibly one of the most fragile of human constructions: Changing a single line in the documented software can invalidate its documentation. Yet we do need software documentation, sometimes crucially. In this talk I will discuss what makes software documentation so fragile, and how we could get rid of this fragility by rethinking the role that documentation plays in the life-cycle of a software system.

Speaker’s Bio

Martin Robillard is a Professor of Computer Science at McGill University. His current research focuses on problems related to software evolution, architecture and design, and software reuse. He served as the Program Co-Chair for the 20th ACM SIGSOFT International Symposium on the Foundations of Software Engineering (FSE 2012) and the 39th ACM/IEEE International Conference on Software Engineering (ICSE 2017). He received his Ph.D. and M.Sc. in Computer Science from the University of British Columbia and a B.Eng. from École Polytechnique de Montréal.

The Threat in your Pocket: Trends, Challenges, and Solutions in Mobile Application Security


Professor Sam Malek
University of California, USA

Abstract

Mobile devices are ubiquitous, with billions of smartphones and tablets used worldwide. Fueling the popularity of such devices is the abundance of apps available on a variety of markets (e.g., Google Play). This abundance of apps arises, in large part, due to the platform’s low barrier to entry for amateur and professional developers alike, where a re-usable infrastructure enables relatively quick production of apps. However, this low barrier to entry is associated with an increased risk of apps with defects, particularly in the form of security vulnerabilities. Consequently, developers and designers of such apps are in need of appropriate approaches, tools, and frameworks that aid them in producing secure apps. In this talk, I will first provide an overview of the security vulnerabilities in Android and the attacks that exploit them. I will then describe a few promising approaches that aim to resolve these security threats. Finally, I will conclude the talk with the lessons learned and the avenues for future research.

Speaker’s Bio

Sam Malek is an Associate Professor in the Informatics Department within the School of Information and Computer Sciences at the University of California, Irvine. He is also Director of the Institute for Software Research and the Software Engineering and Analysis Laboratory. Malek’s general research interests are in the field of software engineering, and to date his focus has spanned the areas of software architecture, autonomic computing, mobile computing, security, and software analysis and testing. The underlying theme of his research has been to devise techniques and tools that aid with the construction, analysis, and maintenance of large-scale software systems. Malek received his Ph.D. and M.S. degrees in Computer Science from the University of Southern California and his B.S. degree in Information and Computer Science from the University of California, Irvine. He has received numerous awards for his research contributions, including the National Science Foundation CAREER award (2013), GMU Emerging Researcher/Scholar/Creator award (2013), and GMU Computer Science Department Outstanding Faculty Research Award (2011). Malek is currently on the editorial board of the ACM Transactions on Software Engineering and Methodology, ACM Transactions on Autonomous and Adaptive Systems, and Springer Journal of Computing. He provides software expert witness consulting through Quandary Peak Research. Malek is a member of the Association for Computing Machinery (ACM), ACM Special Interest Group on Software Engineering (SIGSOFT), and the Institute of Electrical and Electronics Engineers (IEEE).