Soundness-guided security analysis for android applications. This project aims to develop a soundness-guided programme analysis to mitigate security threats caused by reflection and dynamic class loading in Android apps, without compromising precision and scalability. Both dynamic code update techniques are widely used in benign and malware apps, but state-of-the-art malware analysis tools ignore or mishandle them, missing security threats and vulnerabilities. The resulting open-source security ....Soundness-guided security analysis for android applications. This project aims to develop a soundness-guided programme analysis to mitigate security threats caused by reflection and dynamic class loading in Android apps, without compromising precision and scalability. Both dynamic code update techniques are widely used in benign and malware apps, but state-of-the-art malware analysis tools ignore or mishandle them, missing security threats and vulnerabilities. The resulting open-source security analysis tool will allow software industries and enterprises (from national security, finance, banking to healthcare, retail, telecommunications) to test their mobile software effectively for code defects or security threats early at software development time at significantly reduced cost.Read moreRead less
Securing systems against code-reuse attacks with modular pointer analysis. This project aims to build secure defences against code-reuse attacks in large-scale C++ applications with millions of lines of code, by enforcing control flow integrity with modular pointer analysis. The state-of-the-art mitigation techniques that are deployed in mainstream computer operating systems can all be bypassed by advanced code-reuse attacks, resulting in security exploits in all major web browsers. The outcomes ....Securing systems against code-reuse attacks with modular pointer analysis. This project aims to build secure defences against code-reuse attacks in large-scale C++ applications with millions of lines of code, by enforcing control flow integrity with modular pointer analysis. The state-of-the-art mitigation techniques that are deployed in mainstream computer operating systems can all be bypassed by advanced code-reuse attacks, resulting in security exploits in all major web browsers. The outcomes of this project will be an exploit mitigation technology and an open-source tool that can significantly raise the bar against advanced code-reuse attacks, thereby providing a foundation for eliminating such security threats.Read moreRead less
Sparse Demand-Driven Analysis to Improve Software Reliability and Security. Current static analysis tools can eliminate many bugs missed by traditional testing but they are still imprecise or inefficient. This project aims to develop precise pointer analyses that enable -finding clients to detect bugs efficiently in large-scale programs in C/C++ and Java, where pointers are used pervasively. The novelty lies in performing these analyses sparsely (allowing data-flow information to move directly f ....Sparse Demand-Driven Analysis to Improve Software Reliability and Security. Current static analysis tools can eliminate many bugs missed by traditional testing but they are still imprecise or inefficient. This project aims to develop precise pointer analyses that enable -finding clients to detect bugs efficiently in large-scale programs in C/C++ and Java, where pointers are used pervasively. The novelty lies in performing these analyses sparsely (allowing data-flow information to move directly from variable definitions to their potential uses) based on Context-Free-Language-reachability (enabling client queries to be answered on-demand). The outcomes aim to significantly improve the reliability and security of industrial-sized software.Read moreRead less
Detecting Asynchronous Event-Driven Order Violations in Android Apps. This project aims to develop an event-interleaving analysis for detecting asynchronous event-driven order violations in Android apps. This project therefore expects to deliver a program analysis foundation that can provide stronger security guarantees than the state of the art against advanced exploits that abuse such asynchronous vulnerabilities. The intended outcomes of this project are a new program analysis technology and ....Detecting Asynchronous Event-Driven Order Violations in Android Apps. This project aims to develop an event-interleaving analysis for detecting asynchronous event-driven order violations in Android apps. This project therefore expects to deliver a program analysis foundation that can provide stronger security guarantees than the state of the art against advanced exploits that abuse such asynchronous vulnerabilities. The intended outcomes of this project are a new program analysis technology and an industrial-strength open-source framework that can significantly raise the bar on mobile software quality and security for Android, the dominant smartphone platform accounting a current market share at 87.0% with 2.9 million apps at Google Play in December 2019.Read moreRead less
Finding concurrency bugs in multithreaded software. This project aims to develop sound and practical techniques for detecting and eliminating concurrency bugs for object-oriented languages like Java, enabled by a new model for concurrent effects. The expected outcome is a novel technology that will significantly improve the safety, productivity and efficiency of large-scale concurrent programming.
Discovery Early Career Researcher Award - Grant ID: DE170101081
Funder
Australian Research Council
Funding Amount
$360,000.00
Summary
Adaptive value-flow analysis to improve code reliability and security. This project aims to develop client-driven adaptive value-flow analysis to detect software bugs in system software written in the C/C++ programme language. Static analysis tools for automated code inspections can benefit software developers, but are imprecise, inefficient and not user-friendly for analysing real-world industrial-sized software. The project will investigate static, dynamic and user-guided value-flow analysis t ....Adaptive value-flow analysis to improve code reliability and security. This project aims to develop client-driven adaptive value-flow analysis to detect software bugs in system software written in the C/C++ programme language. Static analysis tools for automated code inspections can benefit software developers, but are imprecise, inefficient and not user-friendly for analysing real-world industrial-sized software. The project will investigate static, dynamic and user-guided value-flow analysis to efficiently and precisely analyse large-scale programs according to clients’ needs, thereby allowing compilers to generate safe, reliable and secure code. This project is expected to advance value-flow analysis for industrial-sized software, improve software reliability and security, and benefit Australian software systems and industries.Read moreRead less
Automating data placement and movement for explicitly managed memory hierarchies. Efficient management of explicitly managed memory hierarchies is essential, making a difference often by one order of magnitude in performance. Compiler-directed techniques promise to take the burden of memory management from the programmer and enable significant performance potential for a broader community, resulting in higher productivity.
Discovery Early Career Researcher Award - Grant ID: DE220101057
Funder
Australian Research Council
Funding Amount
$424,140.00
Summary
Practical Automated Software Bug Fixing via Syntactic and Semantic Analyses. This proposal aims to advance the practical adoption of automated software bug repair, which has recently been adopted by industry, e.g., Facebook. It will produce novel methods that use mining software repositories, program analysis, and human-guided search to help automated repair to scale and be accurate. Expected outcomes include a publicly available automated bug repair framework. This project will help the softwar ....Practical Automated Software Bug Fixing via Syntactic and Semantic Analyses. This proposal aims to advance the practical adoption of automated software bug repair, which has recently been adopted by industry, e.g., Facebook. It will produce novel methods that use mining software repositories, program analysis, and human-guided search to help automated repair to scale and be accurate. Expected outcomes include a publicly available automated bug repair framework. This project will help the software industry deliver to users high quality software with improved reliability and safety, and increase education quality for students learning to code via automated feedback generation.Read moreRead less
Symbolic synthesis of knowledge-based program implementations. Systems with concurrent streams of activity are ubiquitous in computer hardware and software designs, but are conceptually complex, and fraught with faults and inefficiency. The project aims to address these difficulties by automating aspects of system design, to relieve the designer of the need to reason about complex patterns of information flow.
Provable elimination of information leakage through timing channels. This project aims to develop techniques to solve the issue in information security of unauthorised information flow resulting from competition for shared hardware resources. The project will combine operating systems design, formal hardware models, information-flow reasoning and theorem proving to achieve a goal that is widely considered infeasible. The project is expected to result in a system that prevents leakage of critical ....Provable elimination of information leakage through timing channels. This project aims to develop techniques to solve the issue in information security of unauthorised information flow resulting from competition for shared hardware resources. The project will combine operating systems design, formal hardware models, information-flow reasoning and theorem proving to achieve a goal that is widely considered infeasible. The project is expected to result in a system that prevents leakage of critical information, such as encryption keys, through timing channels. This should prevent sophisticated attacks on public clouds, mobile devices and military-grade cross-domain devices.Read moreRead less