
2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS): latest publications

Continuous Usability Requirements Evaluation based on Runtime User Behavior Mining
Tong Li, Tianai Zhang
Usability requirements have been widely recognized as an essential quality requirement for systems that interact with people. However, evaluating the satisfaction of usability requirements usually involves user interactions, which is intrusive and time-consuming. In this paper, we propose a novel framework for systematically and automatically evaluating the satisfaction of usability requirements at runtime. Specifically, a behavior-centric conceptual model is proposed to comprehensively characterize user behaviors. An analysis process is then proposed based on the conceptual model, which systematically refines high-level usability requirements into observable and measurable user behaviors in order to automatically evaluate their satisfaction. Moreover, we investigate and mine patterns of user behaviors, which further explain the results of the satisfaction analysis. We systematically design and conduct a case study to evaluate our proposed framework, the results of which show that our approach is able to identify most usability issues and precisely assess the satisfaction of participants’ usability requirements. Importantly, our approach enables continuous usability requirements evaluation without interfering with users, pragmatically contributing to trade-off analysis among quality requirements at runtime.
DOI: https://doi.org/10.1109/QRS57517.2022.00107 (published 2022-12-01)
Citations: 1
Pain Pickle: Bypassing Python Restricted Unpickler for Automatic Exploit Generation
Nan-Jung Huang, Chih-Jen Huang, Shih-Kun Huang
Pickle is a built-in library in Python that can serialize and deserialize Python objects and data structures. However, the process of pickle deserialization has been confirmed as a hazardous operation. Marco Slaviero uncovered its dangerous vulnerability and proposed exploitation methods at BlackHat 2011. As a result, corresponding defense methods have also been generated. Restricting Globals was proposed in the official Python documentation as a defensive approach. We find that defense implementations are incorrect in some cases. Therefore, we conducted a large-scale analysis of 7543 open-source Python projects with more than 100 stars to find that 36 projects have implemented defense strategies. Among them, nine projects were not correctly implemented. Furthermore, we investigated the root causes of their failures for automatic exploit generation from these projects.
DOI: https://doi.org/10.1109/QRS57517.2022.00111 (published 2022-12-01)
Citations: 0
An Anomaly-Based Approach for Detecting Modularity Violations on Method Placement
Kazuki Yoda, Tomoki Nakamaru, Soramichi Akiyama, S. Chiba
This paper presents a technique for detecting an anomaly in method placements in Java packages. This anomaly detection helps code reviewers discover a method belonging to an inappropriate package in modularity when developers commit changes in their software development projects. Moving such a method to an appropriate package will contribute to the maintenance of good modularity in their projects. This is particularly beneficial in the later stage of development, where modularity is often violated by adding new features not anticipated in the initial plan. Our technique is based on few-shot classification in machine learning. This paper empirically reveals that our neural network model can detect an anomaly in method placements and a significant portion of the anomalies is considered as inappropriate method placements in modularity. Our model can discover even a method placement that violates a project-specific coding rule that its developers would choose for some reason of maintainability or readability. Our technique is useful for maintaining the consistency in such a project-specific rule.
DOI: https://doi.org/10.1109/QRS57517.2022.00038 (published 2022-12-01)
Citations: 0
Model Checking the Safety of Raft Leader Election Algorithm
Qihao Bao, Bixin Li, Tianyuan Hu, Dongyu Cao
With the wide application of the Raft consensus algorithm in blockchain systems, its safety has attracted more and more attention. However, although some researchers have formally verified the safety of the Raft consensus algorithm in most scenarios, there are still some safety problems with the Raft consensus algorithm in some special scenarios, which cause problems now and then. For example, as a core part of the Raft consensus algorithm, the Raft leader election algorithm usually faces some safety problems in the following scenarios: if the network communication between some nodes is abnormal, the leader node could be unstable or even cannot be elected, or the log entry cannot be updated, etc. In this paper, we thoroughly model check the safety of the Raft leader election algorithm using Spin. We use the Promela language to model the Raft leader election algorithm and use Linear-time Temporal Logic (LTL) formulae to characterize three safety properties including stability, liveness, and uniqueness. The verification results show that the Raft leader election algorithm does not hold stability and liveness when some nodes are faulty and node log entries are inconsistent. For these safety problems, we give suggestions for improving safety by analyzing counterexamples.
DOI: https://doi.org/10.1109/QRS57517.2022.00048 (published 2022-12-01)
Citations: 0
Telemetry-Based Software Failure Prediction by Concept-Space Model Creation
Bahareh Afshinpour, Roland Groz, Massih-Reza Amini
Telemetry data (e.g., CPU and memory usage) is an essential source of information for a software system that projects the system’s health. Anomalies in telemetry data warn system administrators about an imminent failure or deterioration of service quality. However, input events to the system (such as service requests) are the cause of abnormal system behaviour and, thus, of anomalous telemetry data. By observing input events, one might predict anomalies even before they appear in telemetry data, thus giving the system administrator even earlier warning before the failure. Finding a correlation between input events and anomalies in telemetry data is challenging in many cases. This paper proposes a machine learning approach to learn the causality correlation between input event sequences and telemetry data. To this aim, a Natural Language Processing (NLP) approach is employed to create a concept space model to distinguish between normal and abnormal test sequences. Based on a vectorized representation of each input sequence, the concept space indicates whether the sequence will cause a system failure. Since the meaning of fault is not established in system-status, telemetry-based fault detection, the suggested technique first detects periods of time when a software system status encounters aberrant situations (Bug-Zones). An extensive study on a real-world database acquired by a telecommunication operator and on open-source microservice software demonstrates that our approach achieves 71% and 90% accuracy as a Bug-Zones predictor.
DOI: https://doi.org/10.1109/QRS57517.2022.00030 (published 2022-12-01)
Citations: 0
A Framework for Scanning Privacy Information based on Static Analysis
Yuan Zhao, Gaolei Yi, Fan Liu, Zhan-wei Hui, Jianhua Zhao
Modern software brings many conveniences to users through big data, but it also risks privacy leakage. In recent years, privacy leaks have been frequent, and various countries have introduced privacy protection bills to protect users' privacy security and avoid misuse of their private data. Researchers have conducted many studies to protect user privacy, including privacy policy compliance checks and mobile application permission checks. However, little existing work considers the verification of matching software code behavior and privacy policy. In this paper, we propose a set of privacy scanning methods to solve the mentioned issues with static code analysis. We first classify privacy text and extract privacy information. Then we perform static analysis on the code to obtain variable privacy information and privacy propagation paths by combining an abstract syntax tree and the call graph. We also match the results to the text analysis results. The experiments demonstrate that our method outperforms other classification methods in privacy text judgment, with an accuracy rate of 90% in detecting privacy information in the code. Meanwhile, the short running time ensures that no extra overhead is imposed on the user.
DOI: https://doi.org/10.1109/QRS57517.2022.00116 (published 2022-12-01)
Citations: 0
Stateful Depletion and Scheduling of Containers on Cloud Nodes for Efficient Resource Usage
A. Amiri, Uwe Zdun, Konstantinos Plakidas
Container scheduling is a fundamental part of today’s service and cloud-based applications. Schedulers operate at different levels depending on how much control the system developers have. On the one hand, container orchestration managers such as Google Kubernetes manage the scheduling of containers to different nodes. On the other hand, serverless managers, such as Google Autopilot, take care of the underlying infrastructure automatically, and developers do not need to manage the nodes. However, when it comes to container depletion, i.e., removing the cloud resources assigned to an idle container, current scheduling technologies have limitations. In this paper, we propose our approach to efficiently managing cloud resource usage when containers are idle. For this purpose, we deplete idle containers statefully, i.e., we propose a novel manager that monitors idle containers, saves their state, and efficiently depletes them. This manager reconstructs a depleted container using the saved state when reconstruction is needed. In our approach, we suggest an Infrastructure as Code component to automate the creation of new nodes if a depleted container cannot be scheduled on the same node, e.g., because it is overloaded. We provide an analytical model for the stateful depletion of containers and their rescheduling and empirically evaluate the accuracy of our model. For this purpose, we ran an experiment on a private cloud infrastructure and Google Cloud Platform. Our model has a low error rate of 4.28% averaged over public and private clouds.
DOI: https://doi.org/10.1109/QRS57517.2022.00056 (published 2022-12-01)
Citations: 0
Evaluating Performance and Security of a Hybrid Moving Target Defense in SDN Environments
Minjune Kim, Jinny Cho, Hyuk-Soon Lim, T. Moore, Frederica Free-Nelson, R. Ko, Dan Dongseong Kim
As cyberattacks are rising, Moving Target Defense (MTD) can be a countermeasure to proactively protect a networked system against cyber-attacks. Despite the fact that MTD systems demonstrate security effectiveness against the reconnaissance phase of the Cyber Kill Chain (CKC), a time-based MTD has a limitation when it comes to protecting a system against the next phases of the CKC. In this work, we propose a novel hybrid MTD technique, its implementation and evaluation. Our hybrid MTD system is designed on a real SDN testbed and it uses an intrusion detection system (IDS) to provide an additional MTD triggering condition. This in itself presents an extra layer of system protection. Our hybrid MTD technique can enhance security in the response to multi-phased cyber-attacks. The use of reactive MTD triggering from intrusion detection alerts shows that it is effective to thwart the further phase of detected cyber-attacks. We also investigate the performance degradation due to more frequent MTD triggers. This work contributes to (1) proposing an ML-based rule classification model for predicting identified attacks, which helps a decision-making process for security enhancement; (2) developing a hybrid-based MTD integrated with a Network Intrusion Detection System (NIDS) with the consideration of performance and security; and (3) assessment of the performance degradation and security effectiveness against potential real attacks (i.e., scanning, dictionary, and SQL injection attacks) in a physical testbed.
DOI: https://doi.org/10.1109/QRS57517.2022.00037 (published 2022-12-01)
Citations: 0
A Taxonomy of Software Flaws Leading to Buffer Overflows
R. Khoury
The buffer overflow attack has been dubbed ‘the vulnerability of the century’, because of the frequency and impact of this class of vulnerability. The wide variety of situations where this vulnerability can arise makes it particularly difficult to assess its occurrence or prevent it. In this paper, we present a novel taxonomy of programming errors which can lead to buffer overflows. This taxonomy easily translates into preconditions that ensure the code’s safe execution. We also illustrate each taxonomic class with a real-life example. Finally, from these examples, we draw a series of principles that developers can immediately incorporate in their programming habits in order to improve the security of their code.
Citations: 0
Improved Methods of Pointer Mixture Network for Code Completion
Cheng Wei, Zhiqiu Huang, Yaoshen Yu
Code completion is an efficient software development technique in modern integrated development environments (IDEs), which can predict the most likely code token(s) based on the context of the code to be completed, so as to improve the work efficiency of developers. The Pointer Mixture Network proposed in recent years has achieved good results in code completion; the contribution of this paper is to improve the Pointer Mixture Network’s method. We used one-hot encoding in the data preprocessing phase, which makes the distance between the tokens of calculation more reasonable, and also has an effect on the expansion characteristics of the code. Besides, we add label smoothing to avoid the overfitting of neural language networks and improve the generalization ability of the model. In neural language networks, we apply the three-layer LSTM, so that the hidden layers of LSTM can fully learn the context information. In terms of the optimizer, we choose NAdam, whose performance is better than the Adam used in the Pointer Mixture Network, which greatly accelerates the training speed of the model. Experiments show that our work exceeds the results obtained by the Pointer Mixture Network in code completion tasks in the Python and JavaScript programming languages.
Citations: 0
Journal
2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS)
Copyright © 2023 Book学术 All rights reserved.