
    Improving Developers' Understanding of Regex Denial of Service Tools through Anti-Patterns and Fix Strategies

    Regular expressions are used for diverse purposes, including input validation and firewalls. Unfortunately, they can also lead to a security vulnerability called ReDoS (Regular Expression Denial of Service), caused by a super-linear worst-case execution time during regex matching. Due to the severity and prevalence of ReDoS, past work proposed automatic tools to detect and fix regexes. Although these tools were evaluated in automatic experiments, their usability has not yet been studied; usability has not been a focus of prior work. Our insight is that the usability of existing tools to detect and fix regexes will improve if we complement them with anti-patterns and fix strategies of vulnerable regexes. We developed novel anti-patterns for vulnerable regexes, and a collection of fix strategies to fix them. We derived our anti-patterns and fix strategies from a novel theory of regex infinite ambiguity, a necessary condition for regexes vulnerable to ReDoS. We proved the soundness and completeness of our theory. We evaluated the effectiveness of our anti-patterns, both in an automatic experiment and when applied manually. Then, we evaluated how much our anti-patterns and fix strategies improve developers’ understanding of the outcome of detection and fixing tools. Our evaluation found that our anti-patterns were effective over a large dataset of regexes (N=209,188): 100% precision and 99% recall, improving on the state of the art's 50% precision and 87% recall. Our anti-patterns were also more effective than the state of the art when applied manually (N=20): 100% of developers applied them effectively vs. 50% for the state of the art. Finally, our anti-patterns and fix strategies increased developers’ understanding when using automatic tools (N=9): from median “Very weakly” to median “Strongly” when detecting vulnerabilities, and from median “Very weakly” to median “Very strongly” when fixing them.

    Public Sector Open Source Software Projects -- How is development organized?

    Background: Open Source Software (OSS) started as an effort of communities of volunteers, but its practices have been adopted far beyond these initial scenarios. For instance, the strategic use of OSS in industry is constantly growing nowadays in different verticals, including energy, automotive, and health. For the public sector, however, the adoption has lagged behind even if benefits particularly salient in the public sector context, such as improved interoperability, transparency, and digital sovereignty, have been pointed out. When Public Sector Organisations (PSOs) seek to engage with OSS, this introduces challenges as they often lack the necessary technical capabilities, while also being bound and influenced by regulations and practices for public procurement. Aim: We aim to shed light on how public sector OSS projects, i.e., projects initiated, developed and governed by public sector organizations, are developed and structured. We conjecture, based on the challenges of PSOs, that the way development is organized in these types of projects to a large extent does not align with the commonly adopted bazaar model (popularized by Eric Raymond), which implies that development is carried out collaboratively in a larger community. Method: We plan to contrast public sector OSS projects with a set of earlier reported case studies of bazaar OSS projects, including Mockus et al.'s reporting of the Apache web server and Mozilla browser OSS projects, along with the replications performed on the FreeBSD, JBossAS, JOnAS, and Apache Geronimo OSS projects. To enable comparable results, we will replicate the methodology used by Mockus et al. on a purposefully sampled subset of public sector OSS projects. The subset will be identified and characterized quantitatively by mining relevant software repositories, and qualitatively investigated through interviews with individuals from involved organizations. Comment: Registered Report accepted at MSR'2

    Physics of the HL-LHC, and perspectives at the HE-LHC: report from working group 4: opportunities in flavour physics at the HL-LHC and HE-LHC

    Motivated by the success of the flavour physics programme carried out over the last decade at the Large Hadron Collider (LHC), we characterize in detail the physics potential of its High-Luminosity and High-Energy upgrades in this domain of physics. We document the extraordinary breadth of the HL/HE-LHC programme enabled by a putative Upgrade II of the dedicated flavour physics experiment LHCb and the evolution of the established flavour physics role of the ATLAS and CMS general purpose experiments. We connect the dedicated flavour physics programme to studies of the top quark, Higgs boson, and direct high-pT searches for new particles and force carriers. We discuss the complementarity of their discovery potential for physics beyond the Standard Model, affirming the necessity to fully exploit the LHC’s flavour physics potential throughout its upgrade eras.

    A Characterization and Partial Automation of the Multi-revision, Fine-grained Analysis of Code History as an Efficient and Accurate Mechanism to Support Software Development

    Multiple studies found that developer questions about the history of code were among the hardest and most time-consuming to answer. In fact, the study of multi-revision, fine-grained code history with current approaches is a laborious, repetitive, and as such, error-prone process. In this dissertation, I posit the thesis that the multi-revision, fine-grained analysis of source-code history can be partially automated in a way that is efficient, that provides support to answer software development questions, and that accurately models source-code evolution. I present a series of techniques, tools and experiments that I developed and performed in order to evaluate this thesis. In the first step towards evaluating my thesis, I observe and conceptualize the process of multi-revision, fine-grained analysis of source-code history, as it is performed with the assistance of current revision-control tools. This conceptualization reveals the limitations in terms of efficiency of such a process. I address the efficiency limitations of the multi-revision, fine-grained analysis of source-code history by creating Automatic History Slicing, a novel technique that enables developers to automatically obtain the subset of the history of a program that corresponds to any set of lines of code. Then, I also provide automatic support for answering developer questions by extending Automatic History Slicing into two other techniques and tools. The first of these techniques is Chronos, which provides support for developers to answer ad-hoc questions about source code history by facilitating the visualization and investigation of the history of any set of lines of code. I also create a technique called WhoseFault, which provides support for developers to answer a prevalent anticipated developer question: who are the most suitable developers to fix a bug? WhoseFault automates all the steps of the multi-revision, fine-grained analysis of code history to provide a recommendation of the most suitable developers to fix a bug. Finally, I improve the accuracy of the multi-revision, fine-grained analysis of source-code history by creating Fuzzy Automatic History Slicing, a technique that allows the modeling and analysis of fine-grained code evolution with a novel fuzzy approach that recognizes the non-discrete nature of code evolution. The findings in this dissertation motivate future research in three directions: the empirical study of code evolution, the usage of code-history analysis for new applications, and the analysis of additional historical artifacts to support software development.

    D.D. Francisci Amostazo ... Alvearensis ... De causis piis in genere, et in specie libri VIII... : tomus secundus...

    3 copies of the same work. Printer's device on the title page: "Papillon f." Text in two columns. Copy BHR/B-049-190 (2) is bound together with "D.D. Francisci Amostazo ... Alvearensis ... De causis piis in genere, et in specie libri VIII... : tomus primus", forming a composite volume. CCPB000139150-X. Shelf marks: BHR/A-010-101 (2); BHR/A-016-057; BHR/B-049-190 (2). Bindings: leather; parchment; leather. 0890406624. FDH/1721-13-57. E-18 T-5 N-426-1-4. Hª Derecho/N-97 (2). Collation: *6, A-Z6, Aa-Ll6, Mm

    An Empirical Study of Activity, Popularity, Size, Testing, and Stability in Continuous Integration

    A good understanding of the practices followed by software development projects can positively impact their success --- particularly for attracting talent and on-boarding new members. In this paper, we perform a cluster analysis to classify software projects that follow continuous integration in terms of their activity, popularity, size, testing, and stability. Based on this analysis, we identify and discuss four different groups of repositories that have distinct characteristics that separate them from the other groups. With this new understanding, we encourage open source projects to acknowledge and advertise their preferences according to these defining characteristics, so that they can recruit developers who share similar values.

    The perception of the social (La percepción de lo social)

    We human beings are social beings. Sociability is built through the shared meaning of everything that happens in the universe, forming a common set of values, beliefs and behaviours. To socialize is to communicate: communication is precisely what makes it possible for human groups to share their ways of being and to pass them on to new members so that they incorporate them into their personal heritage. The content of social beliefs takes the form of social messages that are transmitted constantly and that acquire special relevance during childhood, through a learning process that is the longest of any living being we know. These messages reflect the way of thinking of each society at a given moment. This paper gathers some of the beliefs and opinions of Spanish society during the years 2007 and 2008, classified by age, status and gender, and collected from the social messages transmitted by various mass media.

    Artifact (software + dataset) for "The Impact of Regular Expression Denial of Service (ReDoS) in Practice: an Empirical Study at the Ecosystem Scale"

    # Ecosystem-scale regexp study

    Welcome to the FSE'18 artifact for the ESEC/FSE paper *"The Impact of Regular Expression Denial of Service (ReDoS) in Practice: an Empirical Study at the Ecosystem Scale"*, by J.C. Davis, C.A. Coghlan, F. Servant, and D. Lee, all of Virginia Tech.

    This paper describes a study in which we:
    - extracted regular expressions (regexes, regexps) from npm and pypi modules
    - analyzed the regexes along several dimensions

    Our artifact consists of:
    - Code to analyze a regex for super-linear performance (Table 1), degree of vulnerability (Table 2), semantic meaning (Table 3), and use of anti-patterns (Table 4).
    - Unique regexes collected from npm and pypi modules. We are releasing these regexes raw (without analysis or source module(s)) due to security concerns.

    In addition, we wrote code to statically extract regexes from npm and pypi modules.
    We released this code as part of our `vuln-regex-detector` software, available [here](https://github.com/davisjam/vuln-regex-detector).
    Regex extraction was uninteresting from a scientific perspective so we do not elaborate on it in this artifact.

    In addition to this directory's `README.md`, each sub-tree comes with one or more READMEs describing the software and tests.

    ## Installation

    ### By hand

    To install, execute the script `./configure` on an Ubuntu 16.04 machine with root privileges.
    This will obtain and install the various dependencies (OS packages, ReDoS detectors, npm modules, and pypi modules).
    It will also initialize submodules.
    Because the script installs system packages as root and pulls in third-party npm and pypi modules, run it in a throwaway VM or in the container described below rather than on a workstation you care about.

    The final line of this script is `echo "Configuration complete. I hope everything works!"`.
    If you see this printed to the console, great!
    Otherwise...alas.

    ### Container

    To facilitate replication, we have published a [containerized version](https://hub.docker.com/r/jamiedavis/daviscoghlanservantlee-fse18-regexartifact/) of this project on hub.docker.com.
    The container is based on an Ubuntu 16.04 image so it is fairly large.

    For example, you might run:

    ```
    docker pull jamiedavis/daviscoghlanservantlee-fse18-regexartifact
    docker run -ti jamiedavis/daviscoghlanservantlee-fse18-regexartifact
    # Inside the container:
    vim .env   # set ECOSYSTEM_REGEXP_PROJECT_ROOT=/davis-fse18-artifact/EcosystemREDOS-FSE18
    . .env
    ./full-analysis/analyze-regexp.pl ./full-analysis/test/vuln-email.json
    ```
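Added example for the two ReDoS entries above (the anti-pattern and fix-strategy paper, and the FSE'18 ecosystem artifact). It is not code from either paper or from the artifact. It implements the coarse "nested unbounded quantifier" check as a structural anti-pattern, measures on V8's backtracking engine (Node.js) why such a regex has super-linear worst-case matching time, and places two vulnerable regexes beside rewrites that accept the same strings. The rewrites, the sample inputs and the attack string are this example's own assumptions; the checker is deliberately the imprecise heuristic the first paper improves on, and it also flags the unambiguous rewrite `^(\w+\s)*\w*$`, which the timing column shows is linear.

```javascript
// Added example; not code from either paper or from the FSE'18 artifact.
// The rewrites, samples and attack string below are this example's own.

// True when some group repeated by an unbounded quantifier (*, +, {n,})
// already contains one: the classic "star height > 1" anti-pattern. It is a
// NECESSARY condition for this ReDoS family, not a sufficient one: (\d+\.)*\d+
// is flagged although the literal '.' fixes where every iteration ends.
// Heuristic scanner only; alternation overlap is not modelled.
function hasNestedQuantifier(src) {
  const groups = [];   // one flag per open group: body has an unbounded quantifier?
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (c === '\\') { i += 2; continue; }                    // escaped char: one atom
    if (c === '[') {                                         // character class: one atom
      let j = i + 1;
      if (src[j] === '^') j++;
      if (src[j] === ']') j++;
      while (j < src.length && src[j] !== ']') j += src[j] === '\\' ? 2 : 1;
      i = j + 1;
      continue;
    }
    if (c === '(') {
      groups.push(false);
      i++;
      if (src[i] === '?') {                                  // (?:) (?=) (?!) (?<=) (?<!) (?<name>)
        const named = src[i + 1] === '<' && src[i + 2] !== '=' && src[i + 2] !== '!';
        const gt = src.indexOf('>', i);
        i = named ? (gt === -1 ? src.length : gt + 1) : i + 2;
      }
      continue;
    }
    if (c === ')') {
      const bodyRepeats = groups.pop() === true;
      i++;
      if (bodyRepeats && unboundedQuantifierAt(src, i)) return true;
      continue;                                              // quantifier itself is read next round
    }
    if (c === '*' || c === '+' || c === '?' || c === '{') {
      if (groups.length > 0 && unboundedQuantifierAt(src, i)) groups[groups.length - 1] = true;
      if (c === '{') { const close = src.indexOf('}', i); i = close === -1 ? src.length - 1 : close; }
      i++;
      if (src[i] === '?') i++;                               // lazy modifier, e.g. a+?
      continue;
    }
    i++;
  }
  return false;
}

function unboundedQuantifierAt(src, i) {
  return src[i] === '*' || src[i] === '+' || /^\{\d+,\}/.test(src.slice(i));
}

const nowMs = typeof performance !== 'undefined' ? () => performance.now() : () => Date.now();

// Wall-clock cost of a single match attempt, in milliseconds.
function matchTimeMs(re, input) {
  const t0 = nowMs();
  re.test(input);
  return nowMs() - t0;
}

// Constructed attack input: n letters the inner and outer repetition can split
// in 2^(n-1) ways, then a character that makes the whole match fail, so a
// backtracking engine tries every split before giving up.
function attackInput(n) { return 'a'.repeat(n) + '!'; }

// Do two regexes accept and reject exactly the same sample strings?
function sameVerdicts(a, b, inputs) {
  return inputs.every((s) => a.test(s) === b.test(s));
}

const PAIRS = [
  // vulnerable             equivalent rewrite without the ambiguity
  { vuln: /^(a+)+$/,       fixed: /^a+$/ },
  // In this rewrite every iteration must end in whitespace, which \w+ cannot
  // consume, so iteration boundaries are forced. The coarse check above still
  // flags it: the false-positive rate the anti-pattern work sets out to cut.
  { vuln: /^(\w+\s?)*$/,   fixed: /^(\w+\s)*\w*$/ },
];

// Constructed samples covering the boundary cases of the second pair.
const SAMPLES = ['', 'a', 'ab cd', 'ab cd ', 'a  b', ' ', 'ab\tcd', 'aaaa!'];

// One row per pair: is it flagged, is the rewrite flagged, do both agree on
// SAMPLES, and how long does each take on an n-letter attack input.
function report(n) {
  return PAIRS.map(({ vuln, fixed }) => ({
    regex: vuln.source,
    flagged: hasNestedQuantifier(vuln.source),
    rewriteFlagged: hasNestedQuantifier(fixed.source),
    equivalentOnSamples: sameVerdicts(vuln, fixed, SAMPLES),
    vulnMs: Math.round(matchTimeMs(vuln, attackInput(n))),
    rewriteMs: Math.round(matchTimeMs(fixed, attackInput(n))),
  }));
}

if (typeof require !== 'undefined' && require.main === module) console.table(report(20));
```

Running the file directly prints one row per pair. In the vulnerable column the time roughly doubles for every extra letter in the attack input, since there are 2^(n-1) splits to try, while the rewrite column stays at a few milliseconds or less; keep n below about 25 or the vulnerable regexes run for many seconds. The check is structural only: it says nothing about regexes made ambiguous by overlapping alternation such as `(a|a)+`, and it still flags the second rewrite, which is why either the timing probe or a sound ambiguity analysis like the one the first paper proves is needed alongside it.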

    Nature workshop (Taller de naturaleza)

    The experience, begun in the previous school year, consists of turning a rural estate (lent by the father of a pupil) into a farm and using it for educational purposes as a nature workshop. The stated objectives are: to apply an active methodology that encourages inquiry; to awaken pupils' interest in reality; to put them in contact with nature; to help them experience and know the local environment and the life, customs and work of its people; to enrich the child's life by giving access to new experiences; to enable the child, through inquiry into the environment, to build their own view of the world and consciously develop their own identity; and to foster respect for diversity and pluralism. Work on the farm is organized in permanent workshops (care and raising of animals and plants, observation of time and space, journalism, printing and graphic arts, and processing). Each day the assembly decides the tasks to be carried out: weather observation; data collection; building instruments; classroom studies of animals, of an ecosystem and of the relief; drawing maps; interviews in the village to learn its history; excursions; mineral collecting; identifying the main constellations, etc. The experience is evaluated through the farm diary, the running of the assemblies, the research notebooks and the observation sheets. The assessment notes that problems that arose among the teaching staff and with parents led to a serious confrontation, which has had a negative effect on the development of the experience.
    Madrid (Comunidad Autónoma). Consejería de Educación y Cultura. Madrid. Madrid (Comunidad Autónoma). Subdirección General de Formación del Profesorado. CRIF Las Acacias; General Ricardos 179 - 28025 Madrid; Tel. +34 915250893. ES