DOCSLIB.ORG

"Automated Security Analysis of Web Application Technologies"

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Saarland University Faculty of Mathematics and Computer Science Department of Computer Science Automated Security Analysis of Web Application Technologies Malte Horst Arthur Skoruppa Dissertation zur Erlangung des Grades des Doktors der Ingenieurwissenschaften der Fakultät für Mathematik und Informatik der Universität des Saarlandes Saarbrücken, 2017 ii Tag des Kolloquiums: 14. Dezember 2017 Dekan: Prof. Dr. Frank-Olaf Schreyer Prüfungsausschuss Vorsitzender: Prof. Dr. Christian Rossow Berichterstattende: Prof. Dr. Michael Backes Prof. Dr. Andreas Zeller Akademischer Mitarbeiter: Dr. Robert Künnemann iii Zusammenfassung Das Web hat sich zu einem komplexen Netz aus hochinteraktiven Seiten und Anwendungen entwickelt, welches wir täglich zu kommerziellen und sozialen Zwecken einsetzen. Dementsprechend ist die Sicherheit von Webanwendungen von höchster Relevanz. Das automatisierte Auffinden von Sicherheitslücken ist ein anspruchsvolles, aber wichtiges Forschungsgebiet mit dem Ziel, Entwickler zu unterstützen und das Web sicherer zu machen. In dieser Arbeit nutzen wir statische Analysemethoden, um automatisiert Lücken in JavaScript- und PHP-Programmen zu entdecken. JavaScript ist clientseitig die wichtigste Sprache des Webs, während PHP auf der Serverseite am weitesten verbreitet ist. Im ersten Teil nutzen wir eine Reihe von Programmtransformationen und Informationsflussanalyse, um den JavaScript Helios Wahl-Client zu untersuchen. Helios ist ein modernes Wahlsystem, welches auf konzeptueller Ebene eingehend analysiert wurde und dessen Implementierung als sehr sicher gilt. Wir enthüllen zwei schwere und bis dato unentdeckte Sicherheitslücken. Im zweiten Teil präsentieren wir ein Framework, das es Entwicklern er- möglicht, PHP Code auf frei modellierbare Schwachstellen zu untersuchen. Zu diesem Zweck konstruieren wir sogenannte Code-Property-Graphen und im- portieren diese anschließend in eine Graphdatenbank. Schwachstellen können nun als geeignete Datenbankanfragen formuliert werden. Wir zeigen, wie wir herkömmliche Schwachstellen modellieren können und evaluieren unser Frame- work in einer groß angelegten Studie, in der wir hunderte Sicherheitslücken identifizieren. v Abstract The Web today is a complex universe of pages and applications teeming with interactive content that we use for commercial and social purposes. Accordingly, the security of Web applications has become a concern of utmost importance. Devising automated methods to help developers to spot security flaws and thereby make the Web safer is a challenging but vital area of research. In this thesis, we leverage static analysis methods to automatically discover vulnerabilities in programs written in JavaScript or PHP. While JavaScript is the number one language fueling the client-side logic of virtually every Web application, PHP is the most widespread language on the server side. In the first part, we use a series of program transformations and information flow analysis to examine the JavaScript Helios voting client. Helios is a state- of-the-art voting system that has been exhaustively analyzed by the security community on a conceptual level and whose implementation is claimed to be highly secure. We expose two severe and so far undiscovered vulnerabilities. In the second part, we present a framework allowing developers to analyze PHP code for vulnerabilities that can be freely modeled. To do so, we build so- called code property graphs for PHP and import them into a graph database. Vulnerabilities can then be modeled as appropriate database queries. We show how to model common vulnerabilities and evaluate our framework in a large-scale study, spotting hundreds of vulnerabilities. vii Acknowledgments First of all, I wish to express my deep gratitude to my advisor Michael Backes. He has created this amazing working place and given me the opportunity to work in the midst of this warm and welcoming group, which has been continu- ously flourishing over the past years. Despite the growth of the group, Michael never lost sight of any of his students and always tried to bring out the best of each and everyone of us. It was a pleasure learning from him, on a scientific level and beyond. Thank you Michael. I would also like to thank all my former and current colleagues for creating the enjoyable and inspiring working atmosphere inherent to this group, which I feel very fortunate to have had the chance to be a part of. Particular thanks go to Matthias Berg who introduced me to the group. Had it not been for the work with Matthias during my studies, I would probably not stand here. Certainly, Bettina Balthasar also deserves a special thank you for her long- lasting dedication and for taking care of all the bits and pieces vital to the proper workings of the group, always in her delightfully cheerful manner. During my time as a PhD student, I have had the chance to work with brilliant people and I would like to thank all of my co-authors for our fruitful collaborations. In particular, I thank David Pfaff, Ben Stock, and Fabian Yamaguchi for numerous captivating discussions during my research that have been of tremendous help for the successful elaboration of our papers. Additionally, I would like to thank Andreas Zeller, Christian Rossow, and Robert Künnemann for agreeing to be part of my thesis committee. Andreas, as my second referee; Christian, as the committee chair; and Robert, in his words, as my protocol droid. Thank you all! I also wish to extend my gratitude to my friends for their refreshing company and for helping to take my mind off work. Last, but not least, I deeply thank my wonderful family, who has stood behind me throughout all these years with their unconditional love and faith in me. Your support is invaluable. Thank you for everything. Contents 1 Introduction1 2 Web Application Vulnerabilities5 2.1 General Overview.........................6 2.2 Vulnerabilities Threatening the Server.............8 2.2.1 SQL Injections......................9 2.2.2 Command Injections................... 10 2.2.3 Code Injections...................... 12 2.2.4 Arbitrary File Accesses.................. 13 2.3 Vulnerabilities Threatening the Client.............. 15 2.3.1 Cross-Site Scripting (XSS)................ 16 2.3.2 Session Fixation...................... 18 2.3.3 Sensitive Data Exposure................. 20 2.4 Characteristics of Vulnerable Code............... 22 3 Program Representations 25 3.1 Syntactical Representations................... 27 3.1.1 Parse Trees........................ 27 3.1.2 Abstract Syntax Trees.................. 29 3.2 Modeling Control Flow...................... 33 3.2.1 Control Flow Graphs................... 33 3.2.2 Dominator and Post-dominator Trees.......... 36 3.3 Statement Dependencies for Intraprocedural Analysis..... 39 3.3.1 Control Dependencies................... 39 3.3.2 Data Dependencies.................... 40 3.3.3 Program Dependence Graphs.............. 42 3.4 Call Graphs for Interprocedural Analysis............ 43 3.5 Discussion............................. 44 4 Information Flow Analysis of JavaScript 47 4.1 Challenges in the Analysis of the JavaScript Helios Client... 51 4.1.1 Reification of security properties............. 51 4.1.2 JavaScript is highly dynamic............... 52 4.1.3 HTML DOM and browser API............. 52 4.1.4 Included libraries..................... 53 4.1.5 Problem summary.................... 54 4.2 The Helios Voting System.................... 54 x Contents 4.2.1 A short review of the Helios protocol.......... 55 4.2.2 The Helios voting booth................. 56 4.3 Implementation-level Analysis.................. 59 4.3.1 Code transformations................... 60 4.3.2 A unified model for HTML and JavaScript components 65 4.3.3 Intermediate representation............... 67 4.3.4 System dependence graphs................ 68 4.3.5 Slicing........................... 69 4.3.6 Confidentiality and integrity analysis using information flow............................ 70 4.4 Vulnerabilities........................... 72 4.4.1 Arbitrary script execution................ 73 4.4.2 Leaking the vote..................... 76 4.5 Discussion and Takeaways.................... 77 4.6 Related Work........................... 79 4.6.1 Conceptual Attacks on Helios.............. 79 4.6.2 Practical Attacks on Helios............... 81 4.6.3 Static Analysis of JavaScript............... 81 4.7 Summary............................. 83 5 A Framework for Static PHP Code Analysis 85 5.1 Code Property Graphs...................... 89 5.2 Methodology........................... 92 5.2.1 Conceptual Overview................... 92 5.2.2 Graph Traversals..................... 96 5.2.3 Modeling Vulnerabilities................. 98 5.3 Implementation.......................... 105 5.4 Evaluation............................. 106 5.4.1 Dataset.......................... 106 5.4.2 Findings.......................... 108 5.5 Discussion and Limitations.................... 114 5.6 Related Work........................... 116 5.6.1 Discovery of Vulnerabilities in PHP Code........ 116 5.6.2 Flaw Detection Using Query Languages and Graphs.. 118 5.7 Summary............................. 119 6 Conclusion 121 A Refactoring JavaScript Libraries for the Helios Voting Booth125 A.1 Canonical Refactorings...................... 125 A.2 Modeling jQuery Ajax Functions................ 127 Contents xi A.2.1 $.get............................ 127 A.2.2 $.getJSON......................... 128 A.2.3 $.post........................... 129 A.3 Query Object Plugin....................... 130 A.4 Modeling the
Load more

Recommended publications
  • Open Source Php Mysql Application Builder
    Open Source Php Mysql Application Builder Sometimes maxi Myles reappoints her misdemeanant promissorily, but hard-fisted Neale stop-overs cryptography or Tiboldacierated contends expansively. issuably. Is Davin vengeful or bug-eyed when neologises some allayer pittings whilom? Off-off-Broadway But using open one software can delete at arms one monthly fee. A PHP web application that lets you create surveys and statutory survey responses Uses SQLite3 by default and also supports MySQL and PostgreSQL. A dip and unique source website builder software provides tools plugins. Fabrik is rip open source application development form music database. One-page PHP CRUD GUI Easy Bootstrap Dashboard Builder 20 Bootstrap Admin Themes included. Form Builder is an extraordinary form-creating software. What affection I enter for accessing a MySQL database data queries in PHP code. CRUD Admin Generator Generate a backend from a MySql. Comparing the 5 Best PHP Form Builders And 4 Free Scripts. Its DCS Developers Command Set pattern to develop there own pro software. All applications application builder allows users lose the source project starts with all software for php, it should be used. OsCommerce Online Merchant is likewise open-source online shop. Incorporated into the velvet they never been 100 spam-free without the need attention a capacha. Joomla Custom Website Application Builder What is Fabrik. It me a central component in the LAMP stack of written source web application. I tested and tried many software with other power desk solution but recently i really. Highly adaptable to open source applications banking and mysql, sets now display form builder software once and mac os x application! See each and.
    [Show full text]
  • Behat Table of Contents
    behat #behat Table of Contents About 1 Chapter 1: Getting started with behat 2 Remarks 2 Examples 2 Functional testing as user stories 2 Beginning with Behat 2 Extending Behat with Mink 4 Testing JavaScript with Mink and Selenium 6 Setting up test data 7 Capturing emails 8 Installation or Setup 9 Credits 12 About You can share this PDF with anyone you feel could benefit from it, downloaded the latest version from: behat It is an unofficial and free behat ebook created for educational purposes. All the content is extracted from Stack Overflow Documentation, which is written by many hardworking individuals at Stack Overflow. It is neither affiliated with Stack Overflow nor official behat. The content is released under Creative Commons BY-SA, and the list of contributors to each chapter are provided in the credits section at the end of this book. Images may be copyright of their respective owners unless otherwise specified. All trademarks and registered trademarks are the property of their respective company owners. Use the content presented in this book at your own risk; it is not guaranteed to be correct nor accurate, please send your feedback and corrections to [email protected] https://riptutorial.com/ 1 Chapter 1: Getting started with behat Remarks This section provides an overview of what behat is, and why a developer might want to use it. It should also mention any large subjects within behat, and link out to the related topics. Since the Documentation for behat is new, you may need to create initial versions of those related topics.
    [Show full text]
  • Marketing Cloud Published: August 12, 2021
    Marketing Cloud Published: August 12, 2021 The following are notices required by licensors related to distributed components (mobile applications, desktop applications, or other offline components) applicable to the services branded as ExactTarget or Salesforce Marketing Cloud, but excluding those services currently branded as “Radian6,” “Buddy Media,” “Social.com,” “Social Studio,”“iGoDigital,” “Predictive Intelligence,” “Predictive Email,” “Predictive Web,” “Web & Mobile Analytics,” “Web Personalization,” or successor branding, (the “ET Services”), which are provided by salesforce.com, inc. or its affiliate ExactTarget, Inc. (“salesforce.com”): @formatjs/intl-pluralrules Copyright (c) 2019 FormatJS Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    [Show full text]
  • Security Issues and Framework of Electronic Medical Record: a Review
    Bulletin of Electrical Engineering and Informatics Vol. 9, No. 2, April 2020, pp. 565~572 ISSN: 2302-9285, DOI: 10.11591/eei.v9i2.2064 565 Security issues and framework of electronic medical record: A review Jibril Adamu, Raseeda Hamzah, Marshima Mohd Rosli Faculty of Computer and Mathematical Sciences, Universiti Teknologi MARA, Malaysia Article Info ABSTRACT Article history: The electronic medical record has been more widely accepted due to its unarguable benefits when compared to a paper-based system. As electronic Received Oct 30, 2019 medical record becomes more popular, this raises many security threats Revised Dec 28, 2019 against the systems. Common security vulnerabilities, such as weak Accepted Feb 11, 2020 authentication, cross-site scripting, SQL injection, and cross-site request forgery had been identified in the electronic medical record systems. To achieve the goals of using EMR, attaining security and privacy Keywords: is extremely important. This study aims to propose a web framework with inbuilt security features that will prevent the common security vulnerabilities CodeIgniter security in the electronic medical record. The security features of the three most CSRF popular and powerful PHP frameworks Laravel, CodeIgniter, and Symfony EMR security issues were reviewed and compared. Based on the results, Laravel is equipped with Laravel security the security features that electronic medical record currently required. SQL injection This paper provides descriptions of the proposed conceptual framework that Symfony security can be adapted to implement secure EMR systems. Top vulnerabilities This is an open access article under the CC BY-SA license. XSS Corresponding Author: Jibril Adamu, Faculty of Computer and Mathematical Sciences, Universiti Teknologi MARA, 40450 Shah Alam, Selangor, Malaysia.
    [Show full text]
  • Bakalářská Práce
    TECHNICKÁ UNIVERZITA V LIBERCI Fakulta mechatroniky, informatiky a mezioborových studií BAKALÁŘSKÁ PRÁCE Liberec 2013 Jaroslav Jakoubě Příloha A TECHNICKÁ UNIVERZITA V LIBERCI Fakulta mechatroniky, informatiky a mezioborových studií Studijní program: B2646 – Informační technologie Studijní obor: 1802R007 – Informační technologie Srovnání databázových knihoven v PHP Benchmark of database libraries for PHP Bakalářská práce Autor: Jaroslav Jakoubě Vedoucí práce: Mgr. Jiří Vraný, Ph.D. V Liberci 15. 5. 2013 Prohlášení Byl(a) jsem seznámen(a) s tím, že na mou bakalářskou práci se plně vztahuje zákon č. 121/2000 Sb., o právu autorském, zejména § 60 – školní dílo. Beru na vědomí, že Technická univerzita v Liberci (TUL) nezasahuje do mých autorských práv užitím mé bakalářské práce pro vnitřní potřebu TUL. Užiji-li bakalářskou práci nebo poskytnu-li licenci k jejímu využití, jsem si vědom povinnosti informovat o této skutečnosti TUL; v tomto případě má TUL právo ode mne požadovat úhradu nákladů, které vynaložila na vytvoření díla, až do jejich skutečné výše. Bakalářskou práci jsem vypracoval(a) samostatně s použitím uvedené literatury a na základě konzultací s vedoucím bakalářské práce a konzultantem. Datum Podpis 3 Abstrakt Česká verze: Tato bakalářská práce se zabývá srovnávacím testem webových aplikací psaných v programovacím skriptovacím jazyce PHP, které využívají různé knihovny pro komunikaci s databází. Hlavní důraz při hodnocení výsledků byl kladen na rychlost odezvy při zasílání jednotlivých požadavků. V rámci řešení byly zjišťovány dostupné metodiky určené na porovnávání těchto projektů. Byl také proveden průzkum zjišťující, které frameworky jsou nejvíce používané. Klíčová slova: Testování, PHP, webové aplikace, framework, knihovny English version: This bachelor’s thesis is focused on benchmarking of the PHP frameworks and their database libraries used for creating web applications.
    [Show full text]
  • Návrh a Implementace Rozšíření Do Systému Phabricator
    Masarykova univerzita Fakulta informatiky Návrh a implementace rozšíření do systému Phabricator Diplomová práce Lukáš Jagoš Brno, podzim 2019 Masarykova univerzita Fakulta informatiky Návrh a implementace rozšíření do systému Phabricator Diplomová práce Lukáš Jagoš Brno, podzim 2019 Na tomto místě se v tištěné práci nachází oficiální podepsané zadání práce a prohlášení autora školního díla. Prohlášení Prohlašuji, že tato diplomová práce je mým původním autorským dílem, které jsem vypracoval samostatně. Všechny zdroje, prameny a literaturu, které jsem při vypracování používal nebo z nich čerpal, v práci řádně cituji s uvedením úplného odkazu na příslušný zdroj. Lukáš Jagoš Vedoucí práce: Martin Komenda i Poděkování Srdečně chci na tomto místě poděkovat vedoucímu mé diplomové práce RNDr. Martinu Komendovi, Ph.D. za cenné náměty a odborné vedení. Dále chci poděkovat Mgr. Matěji Karolyi za všestrannou po- moc při implementaci praktické části práce a Ing. Mgr. Janu Krejčímu za zpřístupnění testovacího serveru a technickou podporu. iii Shrnutí Diplomová práce se zabývá nástroji pro projektové řízení. V teore- tické části jsou vymezeny pojmy projekt a projektové řízení. Poté jsou představeny vybrané softwarové nástroje pro projektové řízení a je provedeno jejich srovnání. Pozornost je zaměřena na systém Phabrica- tor, který je v práci detailně popsán. V praktické části je navrženo rozšíření Phabricatoru na základě analýzy potřeb a sběru požadavků. Výsledkem je rozšířující modul po- skytující přehledné informace o úkolech z pohledu času a náročnosti, čímž zefektivní jejich plánování a proces týmové spolupráce. iv Klíčová slova projektové řízení, Phabricator, PHP, reportovací modul, SCRUM v Obsah 1 Projektové řízení 3 1.1 Projekt a projektové řízení ..................3 1.2 SW nástroje pro projektové řízení ...............4 1.3 Přehled nástrojů z oblasti řízení projektů ...........6 1.3.1 Phabricator .
    [Show full text]
  • Clickjacking
    Security Now! Transcript of Episode #168 Page 1 of 18 Transcript of Episode #168 ClickJacking Description: Steve and Leo discuss yet another challenge to surfing safely in the web world: Known as "ClickJacking," or more formally as "UI Redressing," this class of newly popular threats tricks web users into performing web-based actions they don't intend by leading them to believe they are doing something else entirely. High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-168.mp3 Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-168-lq.mp3 INTRO: Netcasts you love, from people you trust. This is TWiT. Leo Laporte: Bandwidth for Security Now! is provided by AOL Radio at AOL.com/podcasting. This is Security Now! with Steve Gibson, Episode 168 for October 30, 2008: Clickjacking. It's time for Security Now!, the show where we cover everything you'd ever want to know about security. And we do it with a guy who is the king, really, as far as I'm concerned, the man who discovered spyware, named spyware, wrote some of the most used security utilities out there, including ShieldsUP!, Mr. Steve Gibson of GRC.com. Hi, Steve. Steve Gibson: Yes, in fact sometimes we're discussing things that you'd rather wish weren't the case. I mean... Leo: Well, lately it's been kind of bleak because it's like, there's bad stuff, and there doesn't really seem like there's any cure. Steve: Yes, that's true.
    [Show full text]
  • Vabavaralise Isemajutatava Pilvsalvestustarkvara Juurutamine Taltech It Kolledži Näitel
    TALLINNA TEHNIKAÜLIKOOL Infotehnoloogia teaduskond Daniel Proode 178972IAAB VABAVARALISE ISEMAJUTATAVA PILVSALVESTUSTARKVARA JUURUTAMINE TALTECH IT KOLLEDŽI NÄITEL Bakalaureusetöö Juhendaja: Edmund Laugasson, MSc Tallinn 2020 Autorideklaratsioon Kinnitan, et olen kirjutanud oma bakalaureusetöö iseseisvalt ning seda ei ole kellegi teise poolt varem kaitsmisele esitatud. Kõik töö koostamisel kasutatud teiste autorite tööd, olulised seisukohad, kirjandusallikatest ja mujalt pärinevad andmed on töös korrektselt viidatud. Autor: Daniel Proode 18.05.2020 2 Annotatsioon Bakalaureusetöös uuritakse nelja erinevat isemajutatavat pilvsalvestustarkvara ning võrreldakse nende omadusi. Töö raames uuritakse üksnes antud tarkvarade tasuta versioone. Lisaks annab töö ülevaate isemajutatavate pilvsalvestustarkvarade olemusest ja hetkel TalTech IT Kolledžis kasutusel olevast pilvsalvestuslahendusest. Ühe uurimismeetodina on töös kasutusel küsitlus, mille käigus selguvad IT Kolledži üliõpilaste ning õppejõudude nõuded ja ootused uuele pilvsalvestuslahendusele. Töö analüüsiosas kirjeldatakse tarkvarade Nextcloud, ownCloud, Pydio ning Seafile omadusi ja võrreldakse neid tabelis. Samuti selgitatakse välja IT Kolledžile sobivaim pilvsalvestustarkvara, lähtudes küsitluses selgunud kooli üliõpilaste ning õppejõudude nõudmistest ja soovidest. Sobivaim tarkvara juurutatakse prototüübina virtuaalmasinale, mis asub IT Kolledži võrgus olevas serveris. Prototüüp ühendatakse Uni-ID ja IT Kolledžis kasutusel oleva pilvsalvestusteenusega. Küsitluses osalenud üliõpilastel
    [Show full text]
  • Advanced Systems Security: Symbolic Execution
    Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:! Symbolic Execution Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1 Problem • Programs have flaws ‣ Can we find (and fix) them before adversaries can reach and exploit them? • Then, they become “vulnerabilities” Systems and Internet Infrastructure Security (SIIS) Laboratory Page 2 Vulnerabilities • A program vulnerability consists of three elements: ‣ A flaw ‣ Accessible to an adversary ‣ Adversary has the capability to exploit the flaw • Which one should we focus on to find and fix vulnerabilities? ‣ Different methods are used for each Systems and Internet Infrastructure Security (SIIS) Laboratory Page 3 Is It a Flaw? • Problem: Are these flaws? ‣ Failing to check the bounds on a buffer write? ‣ printf(char *n); ‣ strcpy(char *ptr, char *user_data); ‣ gets(char *ptr) • From man page: “Never use gets().” ‣ sprintf(char *s, const char *template, ...) • From gnu.org: “Warning: The sprintf function can be dangerous because it can potentially output more characters than can fit in the allocation size of the string s.” • Should you fix all of these? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 4 Is It a Flaw? • Problem: Are these flaws? ‣ open( filename, O_CREAT );
    [Show full text]
  • Design Patterns in PHP and Laravel — Kelt Dockins Design Patterns in PHP and Laravel
    Design Patterns in PHP and Laravel — Kelt Dockins Design Patterns in PHP and Laravel Kelt Dockins [email protected] Design Patterns in PHP and Laravel Kelt Dockins Dolph, Arkansas USA ISBN-13 (pbk): 978-1-4842-2450-2 ISBN-13 (electronic): 978-1-4842-2451-9 DOI 10.1007/978-1-4842-2451-9 Library of Congress Control Number: 2016961807 Copyright © 2017 by Kelt Dockins This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights. While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made.
    [Show full text]
  • Opportunities and Open Problems for Static and Dynamic Program Analysis Mark Harman∗, Peter O’Hearn∗ ∗Facebook London and University College London, UK
    1 From Start-ups to Scale-ups: Opportunities and Open Problems for Static and Dynamic Program Analysis Mark Harman∗, Peter O’Hearn∗ ∗Facebook London and University College London, UK Abstract—This paper1 describes some of the challenges and research questions that target the most productive intersection opportunities when deploying static and dynamic analysis at we have yet witnessed: that between exciting, intellectually scale, drawing on the authors’ experience with the Infer and challenging science, and real-world deployment impact. Sapienz Technologies at Facebook, each of which started life as a research-led start-up that was subsequently deployed at scale, Many industrialists have perhaps tended to regard it unlikely impacting billions of people worldwide. that much academic work will prove relevant to their most The paper identifies open problems that have yet to receive pressing industrial concerns. On the other hand, it is not significant attention from the scientific community, yet which uncommon for academic and scientific researchers to believe have potential for profound real world impact, formulating these that most of the problems faced by industrialists are either as research questions that, we believe, are ripe for exploration and that would make excellent topics for research projects. boring, tedious or scientifically uninteresting. This sociological phenomenon has led to a great deal of miscommunication between the academic and industrial sectors. I. INTRODUCTION We hope that we can make a small contribution by focusing on the intersection of challenging and interesting scientific How do we transition research on static and dynamic problems with pressing industrial deployment needs. Our aim analysis techniques from the testing and verification research is to move the debate beyond relatively unhelpful observations communities to industrial practice? Many have asked this we have typically encountered in, for example, conference question, and others related to it.
    [Show full text]
  • Book-Of-Abstracts-Ordered-14.Pdf
    Cloud Services for Synchronisation and Sharing (CS3) Book of Abstracts 28 - 30 January 2019 Roma, Italy https://doi.org/10.5281/zenodo.2545482 Cover page photo by DAVID ILIFF. License: CC-BY-SA 3.0 Editor: Belinda Chan (CERN) Publication date: 2019-01-24 Introduction This is the "Book of Abstracts" of the 5th CS3 (Cloud Services for Synchronisation and Sharing) conference (28-30 January 2019, Rome). The 5th edition of this conference marks an important milestone and there are some reflections that we would like to share with you. Five years ago, the CS3 community simply did not exist. Cloud storage technologies were a convenient extension of traditional storage technologies. Universities, National Research and Education Networks, and Research Centres were all exploring this area by adopting solutions proposed by a few innovative emerging companies, many of them from Europe. Cloud storage was immediately a success: all the installations have grown by leaps and bounds as the number of active users and number of files per user increased. More importantly though, cloud storage has become a vital part of our day-by-day activities. This success triggered the need for reflection on scalability, data durability and overall sustainability – all of these areas are still progressing, as illustrated by the abstracts collected at this conference. At the time of the first conference, the actual potential was probably not entirely clear but the conference became the forum to exchange experiences and ideas, and to advance together in this new and exciting domain. Five years hence, and the understanding of cloud storage technology, its maturity and the extension of its usage is continuously increasing.
    [Show full text]