Neural-Augmented Static Analysis of Android Communication

We address the problem of discovering communication links between applications in the popular Android mobile operating system, an important problem for security and privacy in Android. Any scalable static analysis in this complex setting is bound to produce an excessive amount of false-positives, rendering it impractical. To improve precision, we propose to augment static analysis with a trained neural-network model that estimates the probability that a communication link truly exists. We describe a neural-network architecture that encodes abstractions of communicating objects in two applications and estimates the probability with which a link indeed exists. At the heart of our architecture are type-directed encoders (TDE), a general framework for elegantly constructing encoders of a compound data type by recursively composing encoders for its constituent types. We evaluate our approach on a large corpus of Android applications, and demonstrate that it achieves very high accuracy. Further, we conduct thorough interpretability studies to understand the internals of the learned neural networks.Comment: Appears in Proceedings of the 2018 ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE

An Exploratory Study of Forces and Frictions affecting Large-Scale Model-Driven Development

In this paper, we investigate model-driven engineering, reporting on an exploratory case-study conducted at a large automotive company. The study consisted of interviews with 20 engineers and managers working in different roles. We found that, in the context of a large organization, contextual forces dominate the cognitive issues of using model-driven technology. The four forces we identified that are likely independent of the particular abstractions chosen as the basis of software development are the need for diffing in software product lines, the needs for problem-specific languages and types, the need for live modeling in exploratory activities, and the need for point-to-point traceability between artifacts. We also identified triggers of accidental complexity, which we refer to as points of friction introduced by languages and tools. Examples of the friction points identified are insufficient support for model diffing, point-to-point traceability, and model changes at runtime.Comment: To appear in proceedings of MODELS 2012, LNCS Springe

A Generic Software Modeling Framework for Building Heterogeneous Distributed and Parallel Software Systems

Heterogeneous distributed and parallel computing environments are highly dependent on hardware and communication protocols. The result is significant difficulty in software reuse, portability across platforms, interoperability, and an increased overall development effort. A new systems engineering approach is needed for parallel processing systems in heterogeneous environments. The generic modeling framework de-emphasizes platform- specific development while exploiting software reuse (and platform-specific capabilities) with a simple, well defined, and easily integrated set of abstractions providing a high level of heterogeneous interoperability

A Case Study on Software Vulnerability Coordination

Context: Coordination is a fundamental tenet of software engineering. Coordination is required also for identifying discovered and disclosed software vulnerabilities with Common Vulnerabilities and Exposures (CVEs). Motivated by recent practical challenges, this paper examines the coordination of CVEs for open source projects through a public mailing list. Objective: The paper observes the historical time delays between the assignment of CVEs on a mailing list and the later appearance of these in the National Vulnerability Database (NVD). Drawing from research on software engineering coordination, software vulnerabilities, and bug tracking, the delays are modeled through three dimensions: social networks and communication practices, tracking infrastructures, and the technical characteristics of the CVEs coordinated. Method: Given a period between 2008 and 2016, a sample of over five thousand CVEs is used to model the delays with nearly fifty explanatory metrics. Regression analysis is used for the modeling. Results: The results show that the CVE coordination delays are affected by different abstractions for noise and prerequisite constraints. These abstractions convey effects from the social network and infrastructure dimensions. Particularly strong effect sizes are observed for annual and monthly control metrics, a control metric for weekends, the degrees of the nodes in the CVE coordination networks, and the number of references given in NVD for the CVEs archived. Smaller but visible effects are present for metrics measuring the entropy of the emails exchanged, traces to bug tracking systems, and other related aspects. The empirical signals are weaker for the technical characteristics. Conclusion: [...

Designing and implementing a tool to transform source code to UML diagrams

Currently, reverse engineering is considered as a significant process to extract the design information and abstractions of a system from the present software. The extracted source codes have been converted into a certain structure to be easily analyzed in the following procedure. For facilitating the software process development, it might be optimum to have tools beingcertain which generate automatically or help UML generating models from the codes as a source. The current study focuses on the reverse engineering process regarding the python and java source codes to the behavior diagrams: the use case and the activity diagrams which might be of high importance in the process of software maintenance. This approach is carried out in the current study in the application referred to as the RCUML tool with the use of the python language which helped in understanding python and java source codes in the software application, and enabling visualization regarding the software behavior