Research

February 22nd, 2010

My thesis project SecureSync:

  • I am working on a security-related project. My ambitious and ultimate goal is to detect and fix vulnerabilities in different modules of a system or across different systems. I know it’s a very hard problem. The problem, however, can be made solvable by some relaxation. It was submitted to NIER, ICSE 2010 and used for my master’s dissertation. The initial result is very encouraging and I am excited.
  • 02/01/2010: I proposed two types of vulnerabilities to detect in my thesis:
    • Type 1: The vulnerability happens at one specific API/library that is used in the same way in different versions of one system or across different systems. This API/lib can be changed in interface to adapt to specific requirements in different systems.
    • Type 2: We focus on vulnerabilities happening in the way (usage) APIs/libraries are used, where some systems use the same (wrong/buggy) usage of APIs/libs to do the same task in different scenarios. This type of vulnerability is harder to detect because these systems share very little similar code (to invoke the vulnerable APIs/libs), scattered across completely different code in different modules. It is important to design a new representation of source code which captures the usage of APIs/libs and extracts it.
  • 02/04/2010: I have come up with a new graph representation for my security model. The idea of this design focuses on the type of vulnerability that reuses APIs in different contexts. The representation is informative enough and strict enough to extract only the relevant information related to APIs supposed to be used in incorrect ways. Essentially, I designed a graph representation which captures information such as the order of function calls, the branching points and branching conditions.
  • 02/09/2010: I have finished coding to build the new graph representation for source code called SSGraph and to extract the subgraphs/subsets of functions (called SSSign) that capture the wrong usage of APIs/libs. As the next step I will automatically look into other systems, represent their source code as SSGraph and find potential candidates in which the SSSign appears.
  • 02/10/2010: My paper for the ICSE 2010 NIER track has been accepted!!!

Dear Nam, Tung, Hoan, Xinying, Anh and Tien,
We are pleased to inform you that your paper,
“Detecting Recurring and Similar Software Vulnerabilities”(Paper-ID: xxx)
has been accepted for presentation in the ICSE New Ideas and Emergent
Results program and for publication in the conference companion proceedings.
The competition was strong: only 19 of the 76 submissions were accepted,
giving an acceptance rate of 25.0%.

  • 02/14/2010: I have finished coding the second round. There are some interesting features like:
    • Automatically represent the source code as SSGraph and extract “the core” pattern shared by the sample code of the vulnerability.
    • Automatically search in other systems (via Google Code Search or in a database) for potentially similar vulnerabilities.
    • Calculate the distance between the candidate and the buggy and patched samples to determine whether it is a vulnerability or not.
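The entries above describe a pipeline: represent code as a graph of API calls and branch conditions, take the part of that graph that distinguishes a buggy sample from its patch as the signature, find the same API usage inside unrelated code in other systems, and decide by distance to the buggy and patched samples. The following Python is an added toy version of that pipeline written for this page; it is not SecureSync’s code and none of its names come from the project. It assumes a simplified usage graph (nodes are API call names and branch conditions with variable names abstracted to `_`; edges join consecutive nodes in control-flow order), takes the signature as the edge difference between the two samples, and uses Jaccard distance on edge sets in place of the post’s distance measure. The buggy, patched and candidate snippets are constructed for the example.

```python
"""Toy SecureSync-style pipeline (added example, not the project's code).
Assumes: linear control-flow order over API calls and abstracted branch
conditions; signature = edges that differ between buggy and patched samples;
Jaccard distance on sliced edge sets as the candidate-vs-sample distance."""
import ast


class _AbstractNames(ast.NodeTransformer):
    """Replace variable names in a branch condition with '_' so the same check
    written over differently named variables gets the same node label."""

    def visit_Call(self, node):
        node.args = [self.visit(a) for a in node.args]  # keep the callee name
        return node

    def visit_Name(self, node):
        return ast.copy_location(ast.Name(id="_", ctx=node.ctx), node)


def api_usage_sequence(src):
    """Ordered node labels for the first function in src:
    'call:<callee>' for each call, 'branch:<abstracted test>' for each if."""
    func = next(n for n in ast.parse(src).body if isinstance(n, ast.FunctionDef))
    seq = []

    def walk(stmts):
        for stmt in stmts:
            if isinstance(stmt, ast.If):
                seq.append("branch:" + ast.unparse(_AbstractNames().visit(stmt.test)))
                walk(stmt.body)
                walk(stmt.orelse)
            else:
                for node in ast.walk(stmt):
                    if isinstance(node, ast.Call):
                        seq.append("call:" + ast.unparse(node.func))

    walk(func.body)
    return seq


def usage_graph(seq, relevant=None):
    """Edges between consecutive nodes. With `relevant`, nodes outside that set
    are sliced away first, so unrelated code around the API usage in a
    candidate does not affect the comparison."""
    if relevant is not None:
        seq = [n for n in seq if n in relevant]
    return set(zip(seq, seq[1:]))


def signature(buggy_src, patched_src):
    """Graphs of both samples plus the edges only the buggy ('core') or only
    the patched ('fix') version contains."""
    buggy = usage_graph(api_usage_sequence(buggy_src))
    patched = usage_graph(api_usage_sequence(patched_src))
    nodes = {n for edge in buggy | patched for n in edge}
    return {"buggy": buggy, "patched": patched, "nodes": nodes,
            "core": buggy - patched, "fix": patched - buggy}


def jaccard_distance(a, b):
    return 0.0 if not (a | b) else 1.0 - len(a & b) / len(a | b)


def classify(candidate_src, sig):
    """Slice the candidate to the signature's nodes and report which sample it
    is closer to; closer to the buggy sample means it looks vulnerable."""
    cand = usage_graph(api_usage_sequence(candidate_src), sig["nodes"])
    d_buggy = jaccard_distance(cand, sig["buggy"])
    d_patched = jaccard_distance(cand, sig["patched"])
    return {"d_buggy": d_buggy, "d_patched": d_patched,
            "vulnerable": d_buggy < d_patched}


# Constructed samples: copy() into a buffer of size n without checking the
# source length (buggy) versus with the check (patched).
BUGGY = """
def handler(src, n):
    buf = alloc(n)
    copy(buf, src)
    return buf
"""
PATCHED = """
def handler(src, n):
    buf = alloc(n)
    if length(src) < n:
        copy(buf, src)
    return buf
"""
# Constructed candidates from another "system": the same API pair buried in
# unrelated calls (vulnerable), and a variant that carries the check (safe).
CANDIDATE_VULN = """
def serve(req):
    log("start")
    n = header_len(req)
    buf = alloc(n)
    trace(buf)
    copy(buf, payload(req))
    return buf
"""
CANDIDATE_SAFE = """
def serve(req):
    n = header_len(req)
    data = payload(req)
    buf = alloc(n)
    if length(data) < n:
        copy(buf, data)
    return buf
"""

if __name__ == "__main__":
    sig = signature(BUGGY, PATCHED)
    print("core (buggy-only) edges:", sig["core"])
    for name, src in (("vuln", CANDIDATE_VULN), ("safe", CANDIDATE_SAFE)):
        print(name, classify(src, sig))
```

Slicing the candidate to the signature’s node labels is what lets the vulnerable candidate match despite the logging and header-parsing calls around it; abstracting variable names in the branch label is what lets the safe candidate’s `length(data) < n` line up with the patch’s `length(src) < n`. A real implementation would need data-flow information as well, since this toy only checks call order.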

Happy Valentine’s Day ♥♥♥

  • 02/22/2010: I had some trouble with coding and debugging the package for detecting type 1. I need to create the oracle and data input again. This time, with some semi-automated tools I wrote, the data-making process is pretty fast. The previous data were not extracted correctly from the bug database. Therefore, the result of detecting type 1 (which I expect to be pretty high) is not satisfactory. I plan to finish type 1 quickly so that I can focus more on type 2, which is the key contribution. There is, however, a lot of interesting engineering work on type 1 to make it scalable. The whole database of source code alone is 7.2GB. One possible solution I came up with after discussing with Dr. Jeff Foster is using an XDR representation to transform source code into an intermediate format for faster parsing.

News:

Our paper “Recurring Bug Fixes in Object-Oriented Programs” has been accepted at the 32nd International Conference on Software Engineering (ICSE 2010). For more information, please have a look at FixWizard.

Our paper “Operation-based, Fine-grained Version Control Model for Tree-based Representation” has been accepted at the 13th International Conference on Fundamental Approaches to Software Engineering (FASE 2010).

Projects:

  1. FixWizard: Recommend Recurring Changes for Code Relatives
  2. Grouminer: Graph-based Mining of Multiple Object Usage Patterns.
  3. Clever: Clone-aware Configuration Management
  4. Cleman: A Framework for Clone Group Management in Evolving Software
  5. ModelCD: An accurate, complete solution for the detection of clones in models.
  6. Exas: Accurate and Efficient Structural Characteristic Feature Extraction Method for Clone Detection

For more information about my group’s research, please visit http://www.ece.iastate.edu/~nampham/research.html

  1. February 4th, 2010 at 10:30

    Hi Nam,

    Congratulations on the accepted papers at the best conferences in SE! I have just found your home page by accident as I was looking for some related work. Really well done, man! Be confident and go ahead for a very bright future.

    Best wishes,
    Huy Tran

  2. February 4th, 2010 at 10:33

    I will try my best.
    Thank you.
