DOCSLIB.ORG

Software Runtime Analytics for Developers: Extending Developers’ Mental Models by Runtime Dimensions

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Software Runtime Analytics for Developers: Extending Developers’ Mental Models by Runtime Dimensions Zurich Open Repository and Archive University of Zurich Main Library Strickhofstrasse 39 CH-8057 Zurich www.zora.uzh.ch Year: 2018 Software runtime analytics for developers: extending developers’ mental models by runtime dimensions Cito, Jürgen Posted at the Zurich Open Repository and Archive, University of Zurich ZORA URL: https://doi.org/10.5167/uzh-152966 Dissertation Published Version Originally published at: Cito, Jürgen. Software runtime analytics for developers: extending developers’ mental models by runtime dimensions. 2018, University of Zurich, Faculty of Economics. Department of Informatics Software Runtime Analytics for Developers Extending Developers’ Mental Models by Runtime Dimensions Dissertation submitted to the Faculty of Business, Economics and Informatics of the University of Zurich to obtain the degree of Doktor / Doktorin der Wissenschaften, Dr. sc. (corresponds to Doctor of Science, PhD) presented by Jürgen Cito from Vienna, Austria approved in February 2018 at the request of Prof. Dr. Harald C. Gall, University of Zurich, Switzerland Dr. Philipp Leitner, Chalmers University of Technology, Sweden Prof. Dr. Nenad Medvidovic, University of Southern California, USA The Faculty of Business, Economics and Informatics of the University of Zurich hereby authorizes the printing of this dissertation, without indicating an opinion of the views expressed in the work. Zurich, February 14th, 2018 Chairwoman of the Doctoral Board: Prof. Dr. Sven Seuken Abstract Software systems have become instrumental in almost every aspect of modern society. The reliability and performance of these systems plays a crucial role in the every day lives of their users. The performance of a software system is governed by its program code, executed in an environment. To ensure reliability and performance, developers need to understand both code and its execution effects in the context of this environment. Reasoning about source code of programs is a complex cognitive process in which developers construct mental models that are informed by their knowledge of control- and data-flow. Reasoning about runtime aspects of code (e.g., performance) requires consulting external information sources, such as profilers, to construct a more complete image. For software deployed in scalable cloud infrastructures, developers gain insight into operational aspects of code by inspecting distributed runtime data (logs, traces, metrics) to reason about the peculiarities of production environments. Runtime data is currently presented in dashboards that display metrics in time series graphs and enable search capabilities for properties of the data. In a mixed-method empirical study with software developers who deploy in cloud infrastructures, we found that this particular presentation of data is an obstacle to gain actionable insights for software maintenance and debugging tasks. Developers end up relying on their beliefs and intuition about the system to introduce potential fixes, rather than making informed decisions based on data. We propose an approach called Software Runtime Analytics for Developers that integrates operational aspects from production into the daily workflow of software developers, thereby extending their existing mental models of programs by runtime dimensions, and enables ii data-driven decision making for developers. Specifically, we design a framework that is an abstract representation of potential solution spaces that can guide implementations of this approach. We instantiate two concrete solutions out of the abstract framework and implement prototypes that serve as proof-of-concepts. PerformanceHat is an Eclipse IDE plugin that models runtime performance data and matches it to specific, performance-related elements of source code in the IDE (methods, loops, and collections). Given the information on the source code level, we leverage fast inference models that provide live feedback of performance properties of newly written and modified code to prevent performance problems from reaching production. Context-based Analytics is a web application in Python that supports problem diagnosis by establishing explicit links between runtime data and program code fragments. The resulting graph allows developers to navigate the solution space and relate problems at runtime to their origin in source code. We evaluated PerformanceHat in a controlled experiment with 20 professional software developers, in which they worked on software maintenance tasks using our approach and a representative baseline (Kibana). We found that using our approach, developers are significantly faster in (1) detecting the performance issue, and (2) finding the root-cause of the issue. We also let both groups work on non-performance relevant tasks and found no significant differences in task time. We conclude that our approach helps detect, prevent, and debug performance problems faster, while at the same time not adding a disproportionate distraction for maintenance tasks not related to performance. For Context-based Analytics we conducted a case study within IBM to evaluate to what extent our approach can be used to diagnose runtime issues in real-life applications. We designed a study that compares the problem diagnosis process for two issues taken from the issue tracker of an application in IBM Bluemix and found that our approach reduced the effort of diagnosing these issues. In particular, it decreased the number of required analysis steps by 48% and the number of needed inspected traces by 40% on average as compared to a standard diagnosis approach within the application team (Kibana). Zusammenfassung Softwaresysteme haben eine tragende Rolle in fast jedem Aspekt der modernen Gesellschaft. Die Zuverlässigkeit und Performance dieser Systeme spielt eine entscheidende Rolle im täglichen Leben ihrer Benutzer. Die Performance eines Softwaresystems ist abhängig von seinem Programmcode, der in einer Umge- bung ausgeführt wird (beispielsweise in der Cloud). Um Zuverlässigkeit und Performance zu gewährleisten, müssen Entwickler sowohl Code als auch dessen Auswirkungen in der Umgebung verstehen. Das Verstehen des Quellcodes von Programmen ist ein komplexer kognitiver Prozess, bei dem Entwickler mentale Modelle konstruieren, die durch ihr Wissen über Kontroll- und Datenflüsse ges- teuert wird. Um Laufzeitaspekte von Code (z.B. Performance) zu verstehen müssen externe Informationsquellen, beispielsweise Profiler, in Betracht gezogen werden. Bei Software, die in skalierbaren Cloud-Infrastrukturen deployed wird, können Entwickler nur dann Laufzeitaspekte des Codes in Erfahrung bringen indem sie verteilte Laufzeitdaten (Logs, Traces, Metriken) untersuchen, um die Besonderheiten von komplexen Produktionsumgebungen zu verstehen. Laufzeit- daten werden in heutigen Systemen in Dashboards angezeigt, die Messwerte des Systems als Visualisierung von Zeitreihen anzeigen und Suchfunktionen für Eigenschaften der Daten ermöglichen. In einer empirischen Studie mit Soft- ware Entwicklern, die ihre Applikationen in Cloud-Infrastrukturen deployen, haben wir festgestellt, dass diese spezielle Darstellung von Daten ein Hindernis für verwertbare Erkenntnisse für Softwarewartungs- und Debugging-Aufgaben darstellt. Entwickler verlassen sich letztendlich auf ihre Intuition über das Sys- tem um mögliche Korrekturen einzuführen, anstatt fundierte Entscheidungen iv auf Basis von Daten zu treffen. Wir schlagen einen Ansatz namens Software Runtime Analytics for Developers vor, der Laufzeit Aspekte aus der Produktion in den täglichen Workflow von Softwareentwicklern integriert, und damit die vorhandenen mentalen Modelle um Laufzeitdimensionen erweitert und damit datengestützte Entscheidungsfindung für Entwickler ermöglicht. Insbesondere entwerfen wir ein Framework, der eine abstrakte Darstellung möglicher Lö- sungsräume repräsentiert, der die Implementierungen dieses Ansatzes leiten können. Wir instanziieren zwei konkrete Lösungen aus dem abstrakten Framework und implementieren Prototypen, die als Proof-of-Concepts dienen. PerformanceHat ist ein Eclipse-IDE-Plug-in, das Laufzeitdaten modelliert und mit bestimmten Elementen des Quellcodes in der IDE (Methoden, Schleifen, und Collections) abgleicht. Auf Basis der Informationen auf Ebene des Quellcodes verwenden wir schnelle Inferenzmodelle, die eine Live-Rückmeldung der Performance Eigen- schaften von neu geschriebenem und geändertem Code bieten, um zu verhindern, dass Performance Probleme in Produktion deployed werden. Context-based Ana- lytics ist eine Webanwendung in Python, die die Problemdiagnose unterstützt, indem explizite Verknüpfungen zwischen Laufzeitdaten und Programmcode Frag- menten hergestellt werden. Der resultierende Graph ermöglicht es Entwicklern, im Lösungsraum zu navigieren und Probleme zur Laufzeit mit ihrem Ursprung im Quellcode in Beziehung zu setzen. Wir haben PerformanceHat in einem kontrollierten Experiment mit 20 professionellen Entwicklern evaluiert, in dem sie mit unserem Ansatz und einer repräsentativen Baseline (Kibana) an Soft- warewartungsaufgaben gearbeitet haben. Wir haben festgestellt, dass Entwickler mit unserem Ansatz wesentlich schneller (1) das Performance Problem erken- nen und (2) die Ursache des Problems finden. Wir ließen beide Gruppen an nicht-performance relevanten Aufgaben arbeiten und fanden keine signifikanten Unterschiede in der Zeit in denen die Aufgaben erledigt wurden. Wir kommen zu dem Schluss, dass unser Ansatz hilft Performance Probleme schneller zu erkennen, zu verhindern und zu beheben, während gleichzeitig Wartungsaufgaben,
Load more

Recommended publications
  • IBM Developer for Z/OS Enterprise Edition
    Solution Brief IBM Developer for z/OS Enterprise Edition A comprehensive, robust toolset for developing z/OS applications using DevOps software delivery practices Companies must be agile to respond to market demands. The digital transformation is a continuous process, embracing hybrid cloud and the Application Program Interface (API) economy. To capitalize on opportunities, businesses must modernize existing applications and build new cloud native applications without disrupting services. This transformation is led by software delivery teams employing DevOps practices that include continuous integration and continuous delivery to a shared pipeline. For z/OS Developers, this transformation starts with modern tools that empower them to deliver more, faster, with better quality and agility. IBM Developer for z/OS Enterprise Edition is a modern, robust solution that offers the program analysis, edit, user build, debug, and test capabilities z/OS developers need, plus easy integration with the shared pipeline. The challenge IBM z/OS application development and software delivery teams have unique challenges with applications, tools, and skills. Adoption of agile practices Application modernization “DevOps and agile • Mainframe applications • Applications require development on the platform require frequent updates access to digital services have jumped from the early adopter stage in 2016 to • Development teams must with controlled APIs becoming common among adopt DevOps practices to • The journey to cloud mainframe businesses”1 improve their
    [Show full text]
  • Information Needs for Software Development Analytics
    Information Needs for Software Development Analytics Raymond P.L. Buse Thomas Zimmermann The University of Virginia, USA Microsoft Research [email protected] [email protected] Abstract—Software development is a data rich activity with decision making will likely only become more difficult. many sophisticated metrics. Yet engineers often lack the tools Analytics describes application of analysis, data, and sys- and techniques necessary to leverage these potentially powerful tematic reasoning to make decisions. Analytics is especially information resources toward decision making. In this paper, we present the data and analysis needs of professional software useful for helping users move from only answering questions engineers, which we identified among 110 developers and of information like “What happened?” to also answering managers in a survey. We asked about their decision making questions of insight like “How did it happen and why?” process, their needs for artifacts and indicators, and scenarios Instead of just considering data or metrics directly, one can in which they would use analytics. gather more complete insights by layering different kinds of The survey responses lead us to propose several guidelines for analytics tools in software development including: Engi- analyses that allow for summarizing, filtering, modeling, and neers do not necessarily have much expertise in data analysis; experimenting; typically with the help of automated tools. thus tools should be easy to use, fast, and produce concise The key to applying analytics to a new domain is under- output. Engineers have diverse analysis needs and consider most standing the link between available data and the information indicators to be important; thus tools should at the same time needed to make good decisions, as well as the analyses support many different types of artifacts and many indicators.
    [Show full text]
  • Software Analytics for Incident Management of Online Services: An
    Software Analytics for Incident Management of Online Services: An Experience Report Jian-Guang Lou, Qingwei Lin, Rui Ding, Tao Xie Qiang Fu, Dongmei Zhang University of Illinois at Urbana-Champaign Microsoft Research Asia, Beijing, P. R. China Urbana, IL, USA {jlou, qlin, juding, qifu, dongmeiz}@microsoft.com [email protected] Abstract—As online services become more and more popular, incident management needs to be efficient and effective in incident management has become a critical task that aims to order to ensure high availability and reliability of the services. minimize the service downtime and to ensure high quality of the A typical procedure of incident management in practice provided services. In practice, incident management is conducted (e.g., at Microsoft and other service-provider companies) goes through analyzing a huge amount of monitoring data collected at as follow. When the service monitoring system detects a ser- runtime of a service. Such data-driven incident management faces several significant challenges such as the large data scale, vice violation, the system automatically sends out an alert and complex problem space, and incomplete knowledge. To address makes a phone call to a set of On-Call Engineers (OCEs) to these challenges, we carried out two-year software-analytics trigger the investigation on the incident in order to restore the research where we designed a set of novel data-driven techniques service as soon as possible. Given an incident, OCEs need to and developed an industrial system called the Service Analysis understand what the problem is and how to resolve it. In ideal Studio (SAS) targeting real scenarios in a large-scale online cases, OCEs can identify the root cause of the incident and fix service of Microsoft.
    [Show full text]
  • Patterns for Implementing Software Analytics in Development Teams
    Patterns for Implementing Software Analytics in Development Teams JOELMA CHOMA, National Institute for Space Research - INPE EDUARDO MARTINS GUERRA, National Institute for Space Research - INPE TIAGO SILVA DA SILVA, Federal University of São Paulo - UNIFESP The software development activities typically produce a large amount of data. Using a data-driven approach to decision making – such as Software Analytics – the software practitioners can achieve higher development process productivity and improve many aspects of the software quality based on the insightful and actionable information. This paper presents a set of patterns describing steps to encourage the integration of the analytics activities by development teams in order to support them to make better decisions, promoting the continuous improvement of software and its development process. Before any procedure to extract data for software analytics, the team needs to define, first of all, their questions about what will need to be measured, assess and monitored throughout the development process. Once defined the key issues which will be tracked, the team may select the most appropriate means for extracting data from software artifacts that will be useful in decision-making. The tasks to set up the development environment for software analytics should be added to the project planning along with the regular tasks. The software analytics activities should be distributed throughout the project in order to add information about the system in small portions. By defining reachable goals from the software analytics findings, the team turns insights from software analytics into actions to improve incrementally the software characteristics and/or its development process. Categories and Subject Descriptors: D.2.8 [Software and its engineering]: Software creation and management—Metrics General Terms: Software Analytics Additional Key Words and Phrases: Software Analytics, Decision Making, Agile Software Development, Patterns, Software Measurement, Development Teams.
    [Show full text]
  • Opportunities and Open Problems for Static and Dynamic Program Analysis Mark Harman∗, Peter O’Hearn∗ ∗Facebook London and University College London, UK
    1 From Start-ups to Scale-ups: Opportunities and Open Problems for Static and Dynamic Program Analysis Mark Harman∗, Peter O’Hearn∗ ∗Facebook London and University College London, UK Abstract—This paper1 describes some of the challenges and research questions that target the most productive intersection opportunities when deploying static and dynamic analysis at we have yet witnessed: that between exciting, intellectually scale, drawing on the authors’ experience with the Infer and challenging science, and real-world deployment impact. Sapienz Technologies at Facebook, each of which started life as a research-led start-up that was subsequently deployed at scale, Many industrialists have perhaps tended to regard it unlikely impacting billions of people worldwide. that much academic work will prove relevant to their most The paper identifies open problems that have yet to receive pressing industrial concerns. On the other hand, it is not significant attention from the scientific community, yet which uncommon for academic and scientific researchers to believe have potential for profound real world impact, formulating these that most of the problems faced by industrialists are either as research questions that, we believe, are ripe for exploration and that would make excellent topics for research projects. boring, tedious or scientifically uninteresting. This sociological phenomenon has led to a great deal of miscommunication between the academic and industrial sectors. I. INTRODUCTION We hope that we can make a small contribution by focusing on the intersection of challenging and interesting scientific How do we transition research on static and dynamic problems with pressing industrial deployment needs. Our aim analysis techniques from the testing and verification research is to move the debate beyond relatively unhelpful observations communities to industrial practice? Many have asked this we have typically encountered in, for example, conference question, and others related to it.
    [Show full text]
  • Building Useful Program Analysis Tools Using an Extensible Java Compiler
    Building Useful Program Analysis Tools Using an Extensible Java Compiler Edward Aftandilian, Raluca Sauciuc Siddharth Priya, Sundaresan Krishnan Google, Inc. Google, Inc. Mountain View, CA, USA Hyderabad, India feaftan, [email protected] fsiddharth, [email protected] Abstract—Large software companies need customized tools a specific task, but they fail for several reasons. First, ad- to manage their source code. These tools are often built in hoc program analysis tools are often brittle and break on an ad-hoc fashion, using brittle technologies such as regular uncommon-but-valid code patterns. Second, simple ad-hoc expressions and home-grown parsers. Changes in the language cause the tools to break. More importantly, these ad-hoc tools tools don’t provide sufficient information to perform many often do not support uncommon-but-valid code code patterns. non-trivial analyses, including refactorings. Type and symbol We report our experiences building source-code analysis information is especially useful, but amounts to writing a tools at Google on top of a third-party, open-source, extensible type-checker. Finally, more sophisticated program analysis compiler. We describe three tools in use on our Java codebase. tools are expensive to create and maintain, especially as the The first, Strict Java Dependencies, enforces our dependency target language evolves. policy in order to reduce JAR file sizes and testing load. The second, error-prone, adds new error checks to the compilation In this paper, we present our experience building special- process and automates repair of those errors at a whole- purpose tools on top of the the piece of software in our codebase scale.
    [Show full text]
  • The Art, Science, and Engineering of Fuzzing: a Survey
    1 The Art, Science, and Engineering of Fuzzing: A Survey Valentin J.M. Manes,` HyungSeok Han, Choongwoo Han, Sang Kil Cha, Manuel Egele, Edward J. Schwartz, and Maverick Woo Abstract—Among the many software vulnerability discovery techniques available today, fuzzing has remained highly popular due to its conceptual simplicity, its low barrier to deployment, and its vast amount of empirical evidence in discovering real-world software vulnerabilities. At a high level, fuzzing refers to a process of repeatedly running a program with generated inputs that may be syntactically or semantically malformed. While researchers and practitioners alike have invested a large and diverse effort towards improving fuzzing in recent years, this surge of work has also made it difficult to gain a comprehensive and coherent view of fuzzing. To help preserve and bring coherence to the vast literature of fuzzing, this paper presents a unified, general-purpose model of fuzzing together with a taxonomy of the current fuzzing literature. We methodically explore the design decisions at every stage of our model fuzzer by surveying the related literature and innovations in the art, science, and engineering that make modern-day fuzzers effective. Index Terms—software security, automated software testing, fuzzing. ✦ 1 INTRODUCTION Figure 1 on p. 5) and an increasing number of fuzzing Ever since its introduction in the early 1990s [152], fuzzing studies appear at major security conferences (e.g. [225], has remained one of the most widely-deployed techniques [52], [37], [176], [83], [239]). In addition, the blogosphere is to discover software security vulnerabilities. At a high level, filled with many success stories of fuzzing, some of which fuzzing refers to a process of repeatedly running a program also contain what we consider to be gems that warrant a with generated inputs that may be syntactically or seman- permanent place in the literature.
    [Show full text]
  • T-Fuzz: Fuzzing by Program Transformation
    T-Fuzz: Fuzzing by Program Transformation Hui Peng1, Yan Shoshitaishvili2, Mathias Payer1 Purdue University1, Arizona State University2 A PRESENTATION BY MD SHAMIM HUSSAIN AND NAFIS NEEHAL CSCI 6450 - PRINCIPLES OF PROGRAM ANALYSIS 1 Outline • Brief forecast • Background • Key Contributions • T-Fuzz Design • T-Fuzz Limitations • Experimental Results • Concluding Remarks • References CSCI 6450 - PRINCIPLES OF PROGRAM ANALYSIS 2 Fuzzing • Randomly generates input to discover bugs in the target program • Highly effective for discovering vulnerabilities • Standard technique in software development to improve reliability and security • Roughly two types of fuzzers - generational and mutational • Generational fuzzers require strict format for generating input • Mutational fuzzers create input by randomly mutating or by random seeds CSCI 6450 - PRINCIPLES OF PROGRAM ANALYSIS 3 Challenges in Fuzzing • Shallow coverage • “Deep Bugs” are hard to find • Reason – fuzzers get stuck at complex sanity checks Shallow Code Path Fig 1: Fuzzing limitations CSCI 6450 - PRINCIPLES OF PROGRAM ANALYSIS 4 Existing Approaches and Limitations • Existing approaches that focus on input generation ◦ AFL (Feedback based) ◦ Driller (Concolic execution based) ◦ VUzzer (Taint analysis based) ◦ etc. • Limitations ◦ Heavyweight analysis (taint analysis, concolic execution) ◦ Not scalable (concolic execution) ◦ Gets stuck on complex sanity checks (e.g. checksum values) ◦ Slow progress for multiple sanity checks (feedback based) CSCI 6450 - PRINCIPLES OF PROGRAM ANALYSIS
    [Show full text]
  • An Efficient Data-Dependence Profiler for Sequential and Parallel Programs
    An Efficient Data-Dependence Profiler for Sequential and Parallel Programs Zhen Li, Ali Jannesari, and Felix Wolf German Research School for Simulation Sciences, 52062 Aachen, Germany Technische Universitat¨ Darmstadt, 64289 Darmstadt, Germany fz.li, [email protected], [email protected] Abstract—Extracting data dependences from programs data dependences without executing the program. Although serves as the foundation of many program analysis and they are fast and even allow fully automatic parallelization transformation methods, including automatic parallelization, in some cases [13], [14], they lack the ability to track runtime scheduling, and performance tuning. To obtain data dependences, more and more related tools are adopting profil- dynamically allocated memory, pointers, and dynamically ing approaches because they can track dynamically allocated calculated array indices. This usually makes their assessment memory, pointers, and array indices. However, dependence pessimistic, limiting their practical applicability. In contrast, profiling suffers from high runtime and space overhead. To dynamic dependence profiling captures only those depen- lower the overhead, earlier dependence profiling techniques dences that actually occur at runtime. Although dependence exploit features of the specific program analyses they are designed for. As a result, every program analysis tool in need profiling is inherently input sensitive, the results are still of data-dependence information requires its own customized useful in many situations, which is why such profiling profiler. In this paper, we present an efficient and at the forms the basis of many program analysis tools [2], [5], same time generic data-dependence profiler that can be used [6]. Moreover, input sensitivity can be addressed by running as a uniform basis for different dependence-based program the target program with changing inputs and computing the analyses.
    [Show full text]
  • Evaluating and Improving Software Quality Using Text Analysis Techniques - a Mapping Study
    Evaluating and Improving Software Quality Using Text Analysis Techniques - A Mapping Study Faiz Shah, Dietmar Pfahl Institute of Computer Science, University of Tartu J. Liivi 2, Tartu 50490, Estonia {shah, dietmar.pfahl}@ut.ee Abstract: Improvement and evaluation of software quality is a recurring and crucial activ- ity in the software development life-cycle. During software development, soft- ware artifacts such as requirement documents, comments in source code, design documents, and change requests are created containing natural language text. For analyzing natural text, specialized text analysis techniques are available. However, a consolidated body of knowledge about research using text analysis techniques to improve and evaluate software quality still needs to be estab- lished. To contribute to the establishment of such a body of knowledge, we aimed at extracting relevant information from the scientific literature about data sources, research contributions, and the usage of text analysis techniques for the im- provement and evaluation of software quality. We conducted a mapping study by performing the following steps: define re- search questions, prepare search string and find relevant literature, apply screening process, classify, and extract data. Bug classification and bug severity assignment activities within defect manage- ment are frequently improved using the text analysis techniques of classifica- tion and concept extraction. Non-functional requirements elicitation activity of requirements engineering is mostly improved using the technique of concept extraction. The quality characteristic which is frequently evaluated for the prod- uct quality model is operability. The most commonly used data sources are: bug report, requirement documents, and software reviews. The dominant type of re- search contributions are solution proposals and validation research.
    [Show full text]
  • Static Program Analysis As a Fuzzing Aid
    Static Program Analysis as a Fuzzing Aid Bhargava Shastry1( ), Markus Leutner1, Tobias Fiebig1, Kashyap Thimmaraju1, Fabian Yamaguchi2, Konrad Rieck2, Stefan Schmid3, Jean-Pierre Seifert1, and Anja Feldmann1 1 TU Berlin, Berlin, Germany [email protected] 2 TU Braunschweig, Braunschweig, Germany 3 Aalborg University, Aalborg, Denmark Abstract. Fuzz testing is an effective and scalable technique to per- form software security assessments. Yet, contemporary fuzzers fall short of thoroughly testing applications with a high degree of control-flow di- versity, such as firewalls and network packet analyzers. In this paper, we demonstrate how static program analysis can guide fuzzing by aug- menting existing program models maintained by the fuzzer. Based on the insight that code patterns reflect the data format of inputs pro- cessed by a program, we automatically construct an input dictionary by statically analyzing program control and data flow. Our analysis is performed before fuzzing commences, and the input dictionary is sup- plied to an off-the-shelf fuzzer to influence input generation. Evaluations show that our technique not only increases test coverage by 10{15% over baseline fuzzers such as afl but also reduces the time required to expose vulnerabilities by up to an order of magnitude. As a case study, we have evaluated our approach on two classes of network applications: nDPI, a deep packet inspection library, and tcpdump, a network packet analyzer. Using our approach, we have uncovered 15 zero-day vulnerabilities in the evaluated software that were not found by stand-alone fuzzers. Our work not only provides a practical method to conduct security evalua- tions more effectively but also demonstrates that the synergy between program analysis and testing can be exploited for a better outcome.
    [Show full text]
  • 5 Key Considerations Towards the Adoption of a Mainframe Inclusive Devops Strategy
    5 Key Considerations Towards the Adoption of a Mainframe Inclusive DevOps Strategy Key considaetrations towards the adoption of a mainframe inclusive devops strategy PLANNING FOR DEVOPS IN MAINFRAME ENVIRONMENTS – KEY CONSIDERATIONS – A mountain of information is available around the implementation and practice of DevOps, collectively encompassing people, processes and technology. This ranges significantly from the implementation of tool chains to discussions around DevOps principles, devoid of technology. While technology itself does not guarantee a successful DevOps implementation, the right tools and solutions can help companies better enable a DevOps culture. Unfortunately, the majority of conversations regarding DevOps center around distributed environments, neglecting the platform that still runs more than 70% of the business and transaction systems in the world; the mainframe. It is estimated that 5 billion lines of new COBOL code are added to live systems every year. Furthermore, 55% of enterprise apps and an estimated 80% of mobile transactions touch the mainframe at some point. Like their distributed brethren, mainframe applications benefit from DevOps practices, boosting speed and lowering risk. Instead of continuing to silo mainframe and distributed development, it behooves practitioners to increase communication and coordination between these environments to help address the pressure of delivering release cycles at an accelerated pace, while improving product and service quality. And some vendors are doing just that. Today, vendors are increasing their focus as it relates to the modernization of the mainframe, to not only better navigate the unavoidable generation shift in mainframe staffing, but to also better bridge mainframe and distributed DevOps cultures. DevOps is a significant topic incorporating community and culture, application and infrastructure development, operations and orchestration, and many more supporting concepts.
    [Show full text]