27 research outputs found

    Program synthesis and vulnerability injection using a Grammar VAE

    The ability to automatically detect and repair vulnerabilities in code before deployment has become the subject of increasing attention. Some approaches to this problem rely on machine learning techniques; however, the lack of datasets (code samples labeled as containing a vulnerability or not) presents a barrier to performance. We design and implement a deep neural network based on the recently developed Grammar Variational Autoencoder (VAE) architecture to generate an arbitrary number of unique C functions labeled in the aforementioned manner. We make several improvements on the original Grammar VAE: we guarantee that every vector in the neural network’s latent space decodes to a syntactically valid C function; we extend the Grammar VAE into a context-sensitive environment; and we implement a semantic repair algorithm that transforms syntactically valid C functions into fully semantically valid C functions that compile and execute. Users can control the semantic qualities of output functions with our constraint system. Our constraints allow users to modify the return type, change control flow structures, inject vulnerabilities into generated code, and more. We demonstrate the advantages of our model over other program synthesis models targeting similar applications. We also explore alternative applications for our model, including code plagiarism detection and compiler fuzzing, testing, and optimization

    Impacts and Risk of Generative AI Technology on Cyber Defense

    Generative Artificial Intelligence (GenAI) has emerged as a powerful technology capable of autonomously producing highly realistic content in various domains, such as text, images, audio, and videos. With its potential for positive applications in creative arts, content generation, virtual assistants, and data synthesis, GenAI has garnered significant attention and adoption. However, the increasing adoption of GenAI raises concerns about its potential misuse for crafting convincing phishing emails, generating disinformation through deepfake videos, and spreading misinformation via authentic-looking social media posts, posing a new set of challenges and risks in the realm of cybersecurity. To combat the threats posed by GenAI, we propose leveraging the Cyber Kill Chain (CKC) to understand the lifecycle of cyberattacks, as a foundational model for cyber defense. This paper aims to provide a comprehensive analysis of the risk areas introduced by the offensive use of GenAI techniques in each phase of the CKC framework. We also analyze the strategies employed by threat actors and examine their utilization throughout different phases of the CKC, highlighting the implications for cyber defense. Additionally, we propose GenAI-enabled defense strategies that are both attack-aware and adaptive. These strategies encompass various techniques such as detection, deception, and adversarial training, among others, aiming to effectively mitigate the risks posed by GenAI-induced cyber threats

    Deep Neural Networks and Data for Automated Driving

    This open access book brings together the latest developments from industry and research on automated driving and artificial intelligence. Environment perception for highly automated driving heavily employs deep neural networks, facing many challenges. How much data do we need for training and testing? How to use synthetic data to save labeling costs for training? How do we increase robustness and decrease memory usage? For inevitably poor conditions: How do we know that the network is uncertain about its decisions? Can we understand a bit more about what actually happens inside neural networks? This leads to a very practical problem particularly for DNNs employed in automated driving: What are useful validation techniques and how about safety? This book unites the views from both academia and industry, where computer vision and machine learning meet environment perception for highly automated driving. Naturally, aspects of data, robustness, uncertainty quantification, and, last but not least, safety are at the core of it. This book is unique: In its first part, an extended survey of all the relevant aspects is provided. The second part contains the detailed technical elaboration of the various questions mentioned above

    Security Risk Management for the Internet of Things

    In recent years, the rising complexity of Internet of Things (IoT) systems has increased their potential vulnerabilities and introduced new cybersecurity challenges. In this context, state of the art methods and technologies for security risk assessment have prominent limitations when it comes to large scale, cyber-physical and interconnected IoT systems. Risk assessments for modern IoT systems must be frequent, dynamic and driven by knowledge about both cyber and physical assets. Furthermore, they should be more proactive, more automated, and able to leverage information shared across IoT value chains. This book introduces a set of novel risk assessment techniques and their role in the IoT Security risk management process. Specifically, it presents architectures and platforms for end-to-end security, including their implementation based on the edge/fog computing paradigm. It also highlights machine learning techniques that boost the automation and proactiveness of IoT security risk assessments. Furthermore, blockchain solutions for open and transparent sharing of IoT security information across the supply chain are introduced. Frameworks for privacy awareness, along with technical measures that enable privacy risk assessment and boost GDPR compliance are also presented. Likewise, the book illustrates novel solutions for security certification of IoT systems, along with techniques for IoT security interoperability. In the coming years, IoT security will be a challenging, yet very exciting journey for IoT stakeholders, including security experts, consultants, security research organizations and IoT solution providers. The book provides knowledge and insights about where we stand on this journey. It also attempts to develop a vision for the future and to help readers start their IoT Security efforts on the right foot

    Deep learning for compilers

    Constructing compilers is hard. Optimising compilers are multi-million dollar projects spanning years of development, yet remain unable to fully exploit the available performance, and are prone to bugs. The rapid transition to heterogeneous parallelism and diverse architectures has raised demand for aggressively-optimising compilers to an all-time high, leaving compiler developers struggling to keep up. What is needed are better tools to simplify compiler construction. This thesis presents new techniques that dramatically lower the cost of compiler construction, while improving robustness and performance. The enabling insight for this research is the leveraging of deep learning to model the correlations between source code and program behaviour, enabling tasks which previously required significant engineering effort to be automated. This is demonstrated in three domains: First, a generative model for compiler benchmarks is developed. The model requires no prior knowledge of programming languages, yet produces output of such quality that professional software developers cannot distinguish generated from hand-written programs. The efficacy of the generator is demonstrated by supplementing the training data of predictive models for compiler optimisations. The generator yields an automatic improvement in heuristic performance, and exposes weaknesses in state-of-the-art approaches which, when corrected, yield further performance improvements. Second, a compiler fuzzer is developed which is far simpler than prior techniques. By learning a generative model rather than engineering a generator from scratch, it is implemented in 100 fewer lines of code than the state-of-the-art, yet is capable of exposing bugs which prior techniques cannot. An extensive testing campaign reveals 67 new bugs in OpenCL compilers, many of which have now been fixed. Finally, this thesis addresses the challenge of feature design. A methodology for learning compiler heuristics is presented that, in contrast to prior approaches, learns directly over the raw textual representation of programs. The approach outperforms state-of-the-art models with hand-engineered features in two challenging optimisation domains, without requiring any expert guidance. Additionally, the methodology enables models trained in one task to be adapted to perform another, permitting the novel transfer of information between optimisation problem domains. The techniques developed in these three contrasting domains demonstrate the exciting potential of deep learning to simplify and improve compiler construction. The outcomes of this thesis enable new lines of research to equip compiler developers to keep up with the rapidly evolving landscape of heterogeneous architectures

    Survival and Power: The Egypt Policy of the Arab Gulf States between 2011 and 2015

    The original title of the dissertation is: "On the Motives for Action of the Core Elites of Saudi Arabia, the United Arab Emirates and Qatar in Their Egypt Policy between 2011 and 2015". Between 2011 and 2015, Saudi Arabia, the United Arab Emirates (UAE) and Qatar supported various governments in Egypt. These included the Egyptian military council (SCAF), President Mohammed Mursi, who belonged to the Muslim Brotherhood, and Abdel Fatah Al-Sisi, who came to power through the 2013 military coup. Applying an actor-centred explanatory approach, the dissertation examines which motives were decisive for these patterns of support. The focus is on the motives of securing rule, geostrategy, and the personal economic interests of the ruling core elites. Empirically, the study begins with an extensive analysis of the financial and material support that the three Gulf states provided to Egypt during this period, which is used as an indicator of these countries' political support. To analyse the motive of securing rule, a structural analysis component then examines transnational opposition structures between Egypt and the three Gulf states, and an actor-centred component finally examines how the core elites of the three Gulf states assessed these structures. For the motive of geostrategy, possible changes in long-term foreign policy orientations and the assessment of such changes by the core elites of the Gulf states are analysed. Since it was established early on that personal economic interests did not play a central role in explaining the identified patterns of support, a detailed analysis of this motive was dispensed with. The application of the comparative method shows that the Egypt policy of Saudi Arabia and the UAE is to be explained primarily by the motive of securing rule. Geostrategy, in particular the cautious changes in Egypt's Iran policy, played a subordinate role for these states. In the case of Qatar, by contrast, an idiosyncratically shaped geostrategy is the decisive explanatory factor. The idiosyncratic factor also played a role in the foreign policy of Saudi Arabia and the UAE, albeit to a lesser extent. The dissertation also contains an extensive collection of profiles of the most important representatives of the core elites and of other important members of the politically relevant elites of Saudi Arabia, the UAE and Qatar. The core elites were identified through an elite and expert survey conducted in the Gulf states. The data basis of the study consists, on the one hand, of numerous interviews conducted with high-ranking elite representatives in Saudi Arabia, the UAE, Qatar, Egypt and Europe. On the other hand, data were obtained from the Arabic-language "Saudi Cables" of the Saudi foreign ministry leaked in 2015, the leaked US embassy cables of the "Public Library of US Diplomacy", and a large number of other English- and Arabic-language sources