Title: A Stochastic Petri net Model of Continuous Integration and Continuous Delivery
Pub Date: 2022-10-01 DOI: 10.1109/ISSREW55968.2022.00050
Sushovan Bhadra
Journal: 2022 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)
Modern software development organizations rely on continuous integration and continuous delivery (CI/CD), since it allows developers to continuously integrate their code in a single shared repository and automates the delivery process of the product to the user. While modern software practices improve the performance of the software life cycle, they also increase the complexity of this process. Past studies make improvements to the performance of the CI/CD pipeline. However, there are fewer formal models to quantitatively guide process and product quality improvement or characterize how automated and human activities compose and interact asynchronously. Therefore, this paper develops a Petri net model to analyze a CI/CD pipeline to improve process performance in terms of the probability of successfully delivering new or updated functionality by a specified deadline. The utility of the model is demonstrated through a sensitivity analysis to identify stages of the pipeline where improvements would most significantly improve the probability of timely product delivery.
Title: Autonomic ZTA-based Network Management Engine (AZNME)
Pub Date: 2022-10-01 DOI: 10.1109/ISSREW55968.2022.00034
Cihan Tunc, James Durflinger, C. Mahmoudi, Valerio Formicola
Journal: 2022 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)
The advancements in computer and networking technologies created closely connected cyberspaces. Nevertheless, this also invalidated many traditional and isolated/local network solutions and introduced higher cybersecurity risk. As a solution, NIST's Zero-Trust Architecture (ZTA), with its “never trust, always verify” principle, has been widely accepted; yet its implementation, enforcement, and compliance-check mechanisms are still immature, as the solutions are generally applied manually. In this paper, we present an autonomic-computing-based management engine for networking of a cyberspace, which we refer to as the Autonomic ZTA-based Network Management Engine (AZNME). It monitors an asset's network connections, checks whether these connections fulfill ZTA requirements, evaluates trust continuously, and takes mitigation actions as needed. As a proof of concept, we implemented the AZNME focusing on active connections (e.g., IPs and ports) to enforce policies and create firewall rules based on trust evaluation.
Title: Investigating Novel Approaches to Defend Software Supply Chain Attacks
Pub Date: 2022-10-01 DOI: 10.1109/ISSREW55968.2022.00081
Md Jobair Hossain Faruk, Masrura Tasnim, H. Shahriar, Maria Valero, A. Rahman, Fan Wu
Journal: 2022 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)
Software supply chain attacks occur when the process of producing software is compromised, resulting in vulnerabilities that target downstream customers. While the number of successful exploits is limited, the impact of these attacks is significant. Despite increased awareness and research into software supply chain attacks, there is limited information available on mitigating or architecting for these risks, and existing information is focused on singular and independent elements of the supply chain. In this paper, we extensively review software supply chain security using software development tools and infrastructure. We investigate the path that attackers find least resistant, followed by adapting and finding the next best way to complete an attack. We also provide a thorough discussion on how common software supply chain attacks can be prevented, preventing malicious hackers from gaining access to an organization's development tools and infrastructure, including the development environment. We considered various SSC attacks on stolen code-sign certificates by malicious attackers and prevented unnoticed malware from passing by security scanners. We are aiming to extend our research to contribute to preventing software supply chain attacks by proposing novel techniques and frameworks.
Title: Investigating Bugs in AI-Infused Systems: Analysis and Proposed Taxonomy
Pub Date: 2022-10-01 DOI: 10.1109/ISSREW55968.2022.00094
M. Kassab, J. Defranco, P. Laplante
Journal: 2022 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)
Testing for critical AI systems is non-trivial as these systems are prone to a new breed of sophisticated software defects. The admissibility of these systems and their fundamental social acceptance is tightly coupled with assuring whether the potential hazards to humans, animals, and property posed by the prospect defects can be minimized and limited to an acceptable level. In this work, we address the problem of assurance for critical AI systems by, firstly, analyzing the nature of defects that occur in AI-infused systems in general and how to combat these within a testing strategy and, secondly, developing a focused taxonomy of prospect defects in critical AI systems. This taxonomy enables the development of the non-critical proxy (i.e., stand-in) equivalent by reproducing defects with similar characteristics.
Title: An unsupervised approach to discover filtering rules from diagnostic logs
Pub Date: 2022-10-01 DOI: 10.1109/ISSREW55968.2022.00030
M. Cinque, Raffaele Della Corte, Giorgio Farina, Stefano Rosiello
Journal: 2022 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)
Diagnostic logs represent the main source of information about the system runtime. However, the presence of faults typically leads to multiple errors propagating within system components, which requires analysts to dig into cascading messages for root cause analysis. This is exacerbated in complex systems, such as railway systems, composed of several devices generating a high amount of logs. Filtering allows dealing with large data volumes, leading practitioners to focus on interesting events, i.e., events that should be further investigated by analysts. This paper proposes an unsupervised approach to discover filtering rules from diagnostic logs. The approach automatically infers potential event correlations, representing them as fault-trees enriched with scores. Trees define filtering rules highlighting the interesting events, while scores allow prioritizing their analysis. The approach has been applied in a preliminary railway case study, which encompasses more than 710k events generated by on-board train equipment during operation.
Title: Detecting and Defending CSRF at API-Level
Pub Date: 2022-10-01 DOI: 10.1109/ISSREW55968.2022.00043
Shun Wang, Chao Ni, Jianbo Wang, Changhai Nie
Journal: 2022 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)
Cross-Site Request Forgery (CSRF) vulnerabilities are severe web vulnerabilities because of their characteristics of extreme concealment and heavy harmfulness. However, they have received marginal attention from both academia and industry, and the detection and protection of CSRF vulnerabilities are still performed predominantly manually. This paper proposes CSRFSolver for API-level CSRF detection and protection with two components: CSRF detector and CSRF defender. The former helps to identify and locate CSRF points where they need CSRF protection, and the latter provides CSRF protection by generating and verifying CSRFToken. We evaluate the effectiveness and efficiency of CSRFSolver on Cisco Webex public URL APIs with the state-of-the-art method. The results indicate that CSRFSolver can effectively and efficiently protect the system from CSRF attacks and has no side effects on systems' functionality. Meanwhile, the practical usefulness of CSRFSolver has also been verified through four years of deployment in Cisco Webex.