Towards a Hybrid Approach to Protect Against Memory Safety Vulnerabilities

2021 ◽  
Author(s):  
Ahmed Bhayat ◽  
Lucas Cordeiro ◽  
Giles Reger ◽  
Fedor Shmarov ◽  
Konstantin Korovin ◽  
...  

Memory corruption bugs continue to plague low-level systems software generally written in unsafe programming languages. In order to detect and protect against such exploits, many pre- and post-deployment techniques exist. In this position paper, we propose and motivate the need for a hybrid approach for the protection against memory safety vulnerabilities, combining techniques that can identify the presence (and absence) of vulnerabilities pre-deployment with those that can detect and mitigate such vulnerabilities post-deployment. Our hybrid approach involves three layers: hardware runtime protection provided by capability hardware, software runtime protection provided by compiler instrumentation, and static analysis provided by bounded model checking and symbolic execution. The key aspect of the proposed hybrid approach is that the protection offered is greater than the sum of its parts -- the expense of post-deployment runtime checks is reduced via information obtained during pre-deployment analysis. During pre-deployment analysis, static checking can be guided by runtime information.


2010 ◽  
Vol 39 ◽  
pp. 436-440
Author(s):  
Zhi Ming Qu

In recent years, much research has been devoted to the refinement of IPv6; on the other hand, few have investigated the confusing unification of interrupts and Internet QoS. This position paper demonstrates the emulation of interrupts. In order to overcome this quagmire, a novel system is presented for the intuitive unification of expert systems and massive multiplayer online role-playing games. It is concluded that erasure coding can be verified to be heterogeneous, interposable, and event-driven, which is proved to be applicable.


Author(s):  
Kaled M. Alshmrany ◽  
Rafael S. Menezes ◽  
Mikhail R. Gadelha ◽  
Lucas C. Cordeiro

We describe and evaluate a novel white-box fuzzer for C programs named , which combines fuzzing and symbolic execution, and applies Bounded Model Checking (BMC) to find security vulnerabilities in C programs. explores and analyzes C programs (1) to find execution paths that lead to property violations and (2) to incrementally inject labels to guide the fuzzer and the BMC engine to produce test-cases for code coverage. successfully participates in Test-Comp'21 and achieves first place in the category and second place in the category.


2021 ◽  
Author(s):  
Christof Ferreira Torres ◽  
Antonio Ken Iannillo ◽  
Arthur Gervais ◽  
Radu State

Smart contracts are Turing-complete programs that are executed across a blockchain. Unlike traditional programs, once deployed, they cannot be modified. As smart contracts carry more value, they become more of an exciting target for attackers. Over the last years, they suffered from exploits costing millions of dollars due to simple programming mistakes. As a result, a variety of tools for detecting bugs have been proposed. Most of these tools rely on symbolic execution, which may yield false positives due to over-approximation. Recently, many fuzzers have been proposed to detect bugs in smart contracts. However, these tend to be more effective in finding shallow bugs and less effective in finding bugs that lie deep in the execution, therefore achieving low code coverage and many false negatives. An alternative that has proven to achieve good results in traditional programs is hybrid fuzzing, a combination of symbolic execution and fuzzing. In this work, we study hybrid fuzzing on smart contracts and present ConFuzzius, the first hybrid fuzzer for smart contracts. ConFuzzius uses evolutionary fuzzing to exercise shallow parts of a smart contract and constraint solving to generate inputs that satisfy complex conditions that prevent evolutionary fuzzing from exploring deeper parts. Moreover, ConFuzzius leverages dynamic data dependency analysis to efficiently generate sequences of transactions that are more likely to result in contract states in which bugs may be hidden. We evaluate the effectiveness of ConFuzzius by comparing it with state-of-the-art symbolic execution tools and fuzzers for smart contracts. Our evaluation on a curated dataset of 128 contracts and a dataset of 21K real-world contracts shows that our hybrid approach detects more bugs than state-of-the-art tools (up to 23%) and that it outperforms existing tools in terms of code coverage (up to 69%). We also demonstrate that data dependency analysis can boost bug detection up to 18%.


2018 ◽  
Vol 4 (1) ◽  
pp. 14
Author(s):  
M. Miftakul Amin

Information system development requires interoperability in heterogeneous environments, in terms of operating systems, software, programming languages, and databases, so that systems can communicate and exchange data or information. RESTful web services can be used as one technology to realise interoperability. A case study of a library application was used in this research. The application was built with the Slim Framework PHP on the server side and Visual Basic on the client side. Communication between client and server uses the HTTP methods GET, POST, PUT, and DELETE. Testing was carried out with the Postman software to observe the performance of the developed web service. The results of this research show that the client application can access the web service provided on the server side, as a form of interoperability.


2012 ◽  
Vol 246-247 ◽  
pp. 390-393
Author(s):  
Yu Hui Shen ◽  
Han Zhou Hao

Mathematicians agree that homogeneous archetypes are an interesting new topic in the field of programming languages, and researchers concur. In our research, we verify the evaluation of model checking. In this position paper we describe an encrypted tool for refining lambda calculus (VENDS), which we use to prove that the Internet can be made empathic, game-theoretic, and metamorphic.


2021 ◽  
Author(s):  
Stephen Frank Nelson

Freshly created objects are a blank slate: their mutable state and their constant properties must be initialised before they can be used. Programming languages like Java typically support object initialisation by providing constructor methods. This thesis examines the actual initialisation of objects in real-world programs to determine whether constructor methods support the initialisation that programmers actually perform. Determining which object initialisation techniques are most popular and how they can be identified will allow language designers to better understand the needs of programmers, and give insights that VM designers could use to optimise the performance of language implementations, reduce memory consumption, and improve garbage collection behaviour. Traditional profiling typically either focuses on timing, or uses sampling or heap snapshots to approximate whole program analysis. Classifying the behaviour of objects throughout their lifetime requires analysis of all program behaviour without approximation. This thesis presents two novel whole-program object profilers: one using purely class modification (#prof), and a hybrid approach utilising class modification and JVM support (rprof). #prof modifies programs using aspect-oriented programming tools to generate and aggregate data and examines objects that enter different collections to determine whether correlation exists between initialisation behaviour and the use of equality operators and collections. rprof confirms the results of an existing static analysis study of field initialisation using runtime analysis, and provides a novel study of object initialisation behaviour patterns.

