12,474 research outputs found
Adaptive just-in-time code diversification
We present a method to regenerate diversified code dynamically in a Java bytecode JIT compiler, and to update the diversification frequently during the execution of the program. This way, we can significantly reduce the time frame in which attackers can let a program leak useful address space information and subsequently use the leaked information in memory exploits. A proof of concept implementation is evaluated, showing that even though code is recompiled frequently, we can achieved smaller overheads than the previous state of the art, which generated diversity only once during the whole execution of a program
Source File Set Search for Clone-and-Own Reuse Analysis
Clone-and-own approach is a natural way of source code reuse for software
developers. To assess how known bugs and security vulnerabilities of a cloned
component affect an application, developers and security analysts need to
identify an original version of the component and understand how the cloned
component is different from the original one. Although developers may record
the original version information in a version control system and/or directory
names, such information is often either unavailable or incomplete. In this
research, we propose a code search method that takes as input a set of source
files and extracts all the components including similar files from a software
ecosystem (i.e., a collection of existing versions of software packages). Our
method employs an efficient file similarity computation using b-bit minwise
hashing technique. We use an aggregated file similarity for ranking components.
To evaluate the effectiveness of this tool, we analyzed 75 cloned components in
Firefox and Android source code. The tool took about two hours to report the
original components from 10 million files in Debian GNU/Linux packages. Recall
of the top-five components in the extracted lists is 0.907, while recall of a
baseline using SHA-1 file hash is 0.773, according to the ground truth recorded
in the source code repositories.Comment: 14th International Conference on Mining Software Repositorie
ImageJ2: ImageJ for the next generation of scientific image data
ImageJ is an image analysis program extensively used in the biological
sciences and beyond. Due to its ease of use, recordable macro language, and
extensible plug-in architecture, ImageJ enjoys contributions from
non-programmers, amateur programmers, and professional developers alike.
Enabling such a diversity of contributors has resulted in a large community
that spans the biological and physical sciences. However, a rapidly growing
user base, diverging plugin suites, and technical limitations have revealed a
clear need for a concerted software engineering effort to support emerging
imaging paradigms, to ensure the software's ability to handle the requirements
of modern science. Due to these new and emerging challenges in scientific
imaging, ImageJ is at a critical development crossroads.
We present ImageJ2, a total redesign of ImageJ offering a host of new
functionality. It separates concerns, fully decoupling the data model from the
user interface. It emphasizes integration with external applications to
maximize interoperability. Its robust new plugin framework allows everything
from image formats, to scripting languages, to visualization to be extended by
the community. The redesigned data model supports arbitrarily large,
N-dimensional datasets, which are increasingly common in modern image
acquisition. Despite the scope of these changes, backwards compatibility is
maintained such that this new functionality can be seamlessly integrated with
the classic ImageJ interface, allowing users and developers to migrate to these
new methods at their own pace. ImageJ2 provides a framework engineered for
flexibility, intended to support these requirements as well as accommodate
future needs
RAFDA: A Policy-Aware Middleware Supporting the Flexible Separation of Application Logic from Distribution
Middleware technologies often limit the way in which object classes may be
used in distributed applications due to the fixed distribution policies that
they impose. These policies permeate applications developed using existing
middleware systems and force an unnatural encoding of application level
semantics. For example, the application programmer has no direct control over
inter-address-space parameter passing semantics. Semantics are fixed by the
distribution topology of the application, which is dictated early in the design
cycle. This creates applications that are brittle with respect to changes in
distribution. This paper explores technology that provides control over the
extent to which inter-address-space communication is exposed to programmers, in
order to aid the creation, maintenance and evolution of distributed
applications. The described system permits arbitrary objects in an application
to be dynamically exposed for remote access, allowing applications to be
written without concern for distribution. Programmers can conceal or expose the
distributed nature of applications as required, permitting object placement and
distribution boundaries to be decided late in the design cycle and even
dynamically. Inter-address-space parameter passing semantics may also be
decided independently of object implementation and at varying times in the
design cycle, again possibly as late as run-time. Furthermore, transmission
policy may be defined on a per-class, per-method or per-parameter basis,
maximizing plasticity. This flexibility is of utility in the development of new
distributed applications, and the creation of management and monitoring
infrastructures for existing applications.Comment: Submitted to EuroSys 200
A Survey of Symbolic Execution Techniques
Many security and software testing applications require checking whether
certain properties of a program hold for any possible usage scenario. For
instance, a tool for identifying software vulnerabilities may need to rule out
the existence of any backdoor to bypass a program's authentication. One
approach would be to test the program using different, possibly random inputs.
As the backdoor may only be hit for very specific program workloads, automated
exploration of the space of possible inputs is of the essence. Symbolic
execution provides an elegant solution to the problem, by systematically
exploring many possible execution paths at the same time without necessarily
requiring concrete inputs. Rather than taking on fully specified input values,
the technique abstractly represents them as symbols, resorting to constraint
solvers to construct actual instances that would cause property violations.
Symbolic execution has been incubated in dozens of tools developed over the
last four decades, leading to major practical breakthroughs in a number of
prominent software reliability applications. The goal of this survey is to
provide an overview of the main ideas, challenges, and solutions developed in
the area, distilling them for a broad audience.
The present survey has been accepted for publication at ACM Computing
Surveys. If you are considering citing this survey, we would appreciate if you
could use the following BibTeX entry: http://goo.gl/Hf5FvcComment: This is the authors pre-print copy. If you are considering citing
this survey, we would appreciate if you could use the following BibTeX entry:
http://goo.gl/Hf5Fv
Weaving Rules into [email protected] for Embedded Smart Systems
Smart systems are characterised by their ability to analyse measured data in
live and to react to changes according to expert rules. Therefore, such systems
exploit appropriate data models together with actions, triggered by
domain-related conditions. The challenge at hand is that smart systems usually
need to process thousands of updates to detect which rules need to be
triggered, often even on restricted hardware like a Raspberry Pi. Despite
various approaches have been investigated to efficiently check conditions on
data models, they either assume to fit into main memory or rely on high latency
persistence storage systems that severely damage the reactivity of smart
systems. To tackle this challenge, we propose a novel composition process,
which weaves executable rules into a data model with lazy loading abilities. We
quantitatively show, on a smart building case study, that our approach can
handle, at low latency, big sets of rules on top of large-scale data models on
restricted hardware.Comment: pre-print version, published in the proceedings of MOMO-17 Worksho
- âŠ