ENHANCING DIRECTED SEARCH IN BLACK-BOX, GREY-BOX AND WHITE-BOX FUZZ TESTING

Ph.DDOCTOR OF PHILOSOPH

Toward Effective Secure Code Reviews: An Empirical Study of Security-Related Coding Weaknesses

Identifying security issues early is encouraged to reduce the latent negative impacts on software systems. Code review is a widely-used method that allows developers to manually inspect modified code, catching security issues during a software development cycle. However, existing code review studies often focus on known vulnerabilities, neglecting coding weaknesses, which can introduce real-world security issues that are more visible through code review. The practices of code reviews in identifying such coding weaknesses are not yet fully investigated. To better understand this, we conducted an empirical case study in two large open-source projects, OpenSSL and PHP. Based on 135,560 code review comments, we found that reviewers raised security concerns in 35 out of 40 coding weakness categories. Surprisingly, some coding weaknesses related to past vulnerabilities, such as memory errors and resource management, were discussed less often than the vulnerabilities. Developers attempted to address raised security concerns in many cases (39%-41%), but a substantial portion was merely acknowledged (30%-36%), and some went unfixed due to disagreements about solutions (18%-20%). This highlights that coding weaknesses can slip through code review even when identified. Our findings suggest that reviewers can identify various coding weaknesses leading to security issues during code reviews. However, these results also reveal shortcomings in current code review practices, indicating the need for more effective mechanisms or support for increasing awareness of security issue management in code reviews

Detecting Excessive Data Exposures in Web Server Responses with Metamorphic Fuzzing

APIs often transmit far more data to client applications than they need, and in the context of web applications, often do so over public channels. This issue, termed Excessive Data Exposure (EDE), was OWASP's third most significant API vulnerability of 2019. However, there are few automated tools -- either in research or industry -- to effectively find and remediate such issues. This is unsurprising as the problem lacks an explicit test oracle: the vulnerability does not manifest through explicit abnormal behaviours (e.g., program crashes or memory access violations). In this work, we develop a metamorphic relation to tackle that challenge and build the first fuzzing tool -- that we call EDEFuzz -- to systematically detect EDEs. EDEFuzz can significantly reduce false negatives that occur during manual inspection and ad-hoc text-matching techniques, the current most-used approaches. We tested EDEFuzz against the sixty-nine applicable targets from the Alexa Top-200 and found 33,365 potential leaks -- illustrating our tool's broad applicability and scalability. In a more-tightly controlled experiment of eight popular websites in Australia, EDEFuzz achieved a high true positive rate of 98.65% with minimal configuration, illustrating our tool's accuracy and efficiency

Search for High Energy Skimming Neutrinos at a Surface Detector Array

In the present study we propose a new method for detectionof high energy cosmological muon neutrinos by transition radiations at amedium interface. The emerging electro-magnetic radiations induced by earth-skimming heavy charged leptons are able to trigger a few of aligned neighboringlocal water Cherenkov stations at  a surface detector array similar tothe Pierre Auger Observatory. The estimation applied tothe model of Gamma Ray Burst induced  neutrino fluxes and the spherical earth surface shows a competitive rate of muonneutrino events in the energy range below the GZK cut-off

XGV-BERT: Leveraging Contextualized Language Model and Graph Neural Network for Efficient Software Vulnerability Detection

With the advancement of deep learning (DL) in various fields, there are many attempts to reveal software vulnerabilities by data-driven approach. Nonetheless, such existing works lack the effective representation that can retain the non-sequential semantic characteristics and contextual relationship of source code attributes. Hence, in this work, we propose XGV-BERT, a framework that combines the pre-trained CodeBERT model and Graph Neural Network (GCN) to detect software vulnerabilities. By jointly training the CodeBERT and GCN modules within XGV-BERT, the proposed model leverages the advantages of large-scale pre-training, harnessing vast raw data, and transfer learning by learning representations for training data through graph convolution. The research results demonstrate that the XGV-BERT method significantly improves vulnerability detection accuracy compared to two existing methods such as VulDeePecker and SySeVR. For the VulDeePecker dataset, XGV-BERT achieves an impressive F1-score of 97.5%, significantly outperforming VulDeePecker, which achieved an F1-score of 78.3%. Again, with the SySeVR dataset, XGV-BERT achieves an F1-score of 95.5%, surpassing the results of SySeVR with an F1-score of 83.5%

PROBLEMS OF ENGLISH STUDIES STUDENTS ON LEARNING PHONOLOGY AND SUGGESTIONS, CAN THO UNIVERSITY, VIETNAM

The writers were concerned by the phonological challenges encountered by students of the Schools of Foreign Languages, Can Tho University. Foreign language majors are often difficult, and theory is quite tackled, which has caused many serious problems for students. This is no exception for students majoring in English Studies, at Can Tho University in the process of approaching the subject "Introduction to English Phonology". This study was conducted to clarify the phonological challenges that students at Can Tho University are facing, as well as suggest solutions to the problem of phonology learners. Using data from Google Questionnaire Forms, the research conducted an error analysis of 103 English majors who studied the subject. Based on the phonological problems, certain remedial activities were planned for the students, which helped improve their study process phonological problems considerably.   Article visualizations

Malaria in central Vietnam: analysis of risk factors by multivariate analysis and classification tree models

BACKGROUND: In Central Vietnam, forest malaria remains difficult to control due to the complex interactions between human, vector and environmental factors. METHODS: Prior to a community-based intervention to assess the efficacy of long-lasting insecticidal hammocks, a complete census (18,646 individuals) and a baseline cross-sectional survey for determining malaria prevalence and related risk factors were carried out. Multivariate analysis using survey logistic regression was combined to a classification tree model (CART) to better define the relative importance and inter-relations between the different risk factors. RESULTS: The study population was mostly from the Ra-glai ethnic group (88%), with both low education and socio-economic status and engaged mainly in forest activities (58%). The multivariate analysis confirmed forest activity, bed net use, ethnicity, age and education as risk factors for malaria infections, but could not handle multiple interactions. The CART analysis showed that the most important risk factor for malaria was the wealth category, the wealthiest group being much less infected (8.9%) than the lower and medium wealth category (16.6%). In the former, forest activity and bed net use were the most determinant risk factors for malaria, while in the lower and medium wealth category, insecticide treated nets were most important, although the latter were less protective among Ra-glai people. CONCLUSION: The combination of CART and multivariate analysis constitute a novel analytical approach, providing an accurate and dynamic picture of the main risk factors for malaria infection. Results show that the control of forest malaria remains an extremely complex task that has to address poverty-related risk factors such as education, ethnicity and housing conditions

Factors Affecting Successful Quality Assurance Implementation in Vietnamese Higher Education: A Qualitative Study

Quality assurance and accreditation was officially introduced into the higher education system in Vietnam over ten years ago. It is evident that quality assurance has resulted in positive impacts on university management, teaching, learning and research activities. This paper aims to explore factors that aid the successful implementation of higher education quality assurance and accreditation in Vietnam. Through semi-structured interviews with 32 participants, this study identified a number of factors that contributed to quality assurance processes, including awareness of the importance of quality assurance, better institutional manager leadership, support of university lecturers, staff, and students, and the vital responsibility of internal quality assurance staff. These confirm that internal stakeholders play an important role in undertaking quality assurance programmes and activities