Keynotes
Towards an Enhanced Design Level Security: Integrating Attack Trees with Statecharts
Software security has become more and more critical as we are increasingly depending on the Internet, an untrustworthy computing environment. Software functionality and security are tightly related to each other, vulnerabilities due to design errors, ...
Probabilistic Risk Assessment for Security Requirements: A Preliminary Study
Risk assessment is a critical decision-making process during the Security Certification and Accreditation (C&A) process. However, existing infrastructure-wide C&A processes in the real world are challenged by the ever-increasing complexity of information ...
Component-Based Malicious Software Engineer Intrusion Detection
These days, security-sensitive business application systems are developed and maintained by more than one software engineer, some of whom may be unethical or malicious. Unethical software engineers can insert malicious code into the systems or ...
Execution Constraint Verification of Exception Handling on UML Sequence Diagrams
Exception handling alters the control flow of the program. As such, errors introduced in exception handling code may influence the overall program in undesired ways. To detect such errors early and thereby decrease the programming costs, it is ...
Runtime Verification of Domain-Specific Models of Physical Characteristics in Control Software
Control logic of embedded systems is nowadays largely implemented in software. Such control software implements, among other things, models of physical characteristics, like heat exchange among system components. Due to evolution of system properties and ...
Validation of SDL-Based Architectural Design Models: New Coverage Criteria
As the capability to automatically generate code from different models becomes more sophisticated, it is critical that these models be adequately tested for quality assurance prior to code generation. Although simulation-based black-box testing ...
Using Partial Ordered Numbers to Control Information Flows
Information flow control models can be applied widely. This paper discusses only the models preventing information leakage during program execution. In the prevention, an information flow control model dynamically monitors statements that will cause ...
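The abstract above describes a monitor that labels data with partially ordered security levels and checks each statement that would cause a flow. The following is an added example written for this page, not code from the paper: labels are sets of compartments ordered by subset inclusion (so two labels can be incomparable), each assignment joins the labels of its sources, branches raise a "pc" label to catch implicit flows, and outputs to a sink are blocked unless the data's label is below the sink's clearance. Variable names, compartments and sinks are constructed for illustration.

```python
from typing import Dict, FrozenSet, List

# A label is a set of compartments; l1 may flow to l2 iff l1 is a subset of l2.
# Labels with different compartments are incomparable, which is what makes this
# a partial order rather than a linear "low < high" scale.
Label = FrozenSet[str]
PUBLIC: Label = frozenset()

def join(a: Label, b: Label) -> Label:
    """Least upper bound: data derived from both may flow only where both may."""
    return a | b

def flows_to(src: Label, dst: Label) -> bool:
    """Flow is permitted iff src <= dst in the partial order (subset inclusion)."""
    return src <= dst

class FlowMonitor:
    """Tracks one label per variable plus a pc label for implicit flows through branches."""

    def __init__(self, var_labels: Dict[str, Label]) -> None:
        self.labels: Dict[str, Label] = dict(var_labels)
        self.pc: List[Label] = [PUBLIC]      # stack of branch-context labels
        self.blocked: List[str] = []         # record of flows the monitor refused

    def assign(self, dst: str, *srcs: str) -> Label:
        """dst = f(srcs): dst's label is the join of every source and the current pc."""
        lbl = self.pc[-1]
        for s in srcs:
            lbl = join(lbl, self.labels[s])
        self.labels[dst] = lbl
        return lbl

    def enter_branch(self, cond: str) -> None:
        """Inside 'if cond:' every assignment reveals cond, so raise the pc label."""
        self.pc.append(join(self.pc[-1], self.labels[cond]))

    def exit_branch(self) -> None:
        self.pc.pop()

    def output(self, var: str, sink: Label, sink_name: str) -> bool:
        """Release var to a sink with clearance 'sink'; refuse if the flow is not allowed."""
        lbl = join(self.pc[-1], self.labels[var])
        if flows_to(lbl, sink):
            return True
        self.blocked.append(f"{var}->{sink_name}")
        return False

def run_demo():
    """Constructed program trace; the compartments and sinks are illustrative."""
    m = FlowMonitor({"salary": frozenset({"hr"}),
                     "diagnosis": frozenset({"medical"}),
                     "year": PUBLIC})
    m.assign("report", "salary", "year")                                     # label {hr}
    ok_report = m.output("report", frozenset({"hr"}), "hr_portal")           # allowed
    m.assign("combined", "salary", "diagnosis")                              # label {hr, medical}
    ok_combined_hr = m.output("combined", frozenset({"hr"}), "hr_portal")    # blocked: needs medical too
    ok_combined_audit = m.output("combined", frozenset({"hr", "medical"}), "audit")  # allowed
    m.enter_branch("diagnosis")
    m.assign("flag", "year")          # implicit flow: flag inherits {medical} from the branch
    m.exit_branch()
    ok_flag = m.output("flag", PUBLIC, "public_log")                         # blocked
    return ok_report, ok_combined_hr, ok_combined_audit, ok_flag, m.labels["flag"], m.blocked

if __name__ == "__main__":
    print(run_demo())
```

The implicit-flow case is the one a purely data-dependence monitor misses: `flag` is assigned only a public value, yet the assignment happens under a branch on `diagnosis`, so the monitor must label it `{medical}` or the branch condition leaks one bit per run.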
Security Goals Assurance Based on Software Active Monitoring
Access control is a vital security mechanism in today's operating systems, and the security policies dictating the security-relevant behaviors are lengthy and complex, for example in Security-Enhanced Linux (SELinux). It is extremely difficult to verify ...
Model-Driven Monitoring of Time-Critical Systems Based on Aspect-Oriented Programming
Temporal correctness is one of the most important requirements for time-critical systems. Although time-critical systems are designed to meet their timing constraints, there can still be errors, especially with timing constraints at run time, due to ...
A Feature-Based Modeling Approach for Building Hybrid Access Control Systems
Role-Based Access Control (RBAC) and Mandatory Access Control (MAC) are widely used access control models. They are often used together in domains where both data integrity and information flow are concerned. There is much work on combined use of RBAC ...
A Practical Covert Channel Identification Approach in Source Code Based on Directed Information Flow Graph
Covert channel analysis is an important requirement when building secure information systems, and identification is the most difficult task. Although some approaches have been presented, they are either experimental or constrained to particular systems. ...
Comprehensive Two-Level Analysis of Static and Dynamic RBAC Constraints with UML and OCL
Organizations with stringent security requirements like banks or hospitals frequently adopt role-based access control (RBAC) principles to simplify their internal permission management. Authorization constraints represent a fundamental advanced RBAC ...
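The title above distinguishes static from dynamic RBAC constraints; the classic instance of each is static separation of duty (two roles may never be assigned to the same user) versus dynamic separation of duty (a user may hold both roles but may not activate both in one session). The example below is added for this page and is not the paper's UML/OCL model; it shows where each class of constraint is enforced in a minimal RBAC implementation. Role names, users and the constraint pairs are constructed.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

class RBAC:
    """User-role assignment, sessions, and the two kinds of separation-of-duty constraint."""

    def __init__(self) -> None:
        self.ua: Dict[str, Set[str]] = {}                      # user -> assigned roles
        self.sessions: Dict[str, Tuple[str, Set[str]]] = {}    # session -> (user, activated roles)
        self.ssod: List[FrozenSet[str]] = []   # static: these roles are never assigned together
        self.dsod: List[FrozenSet[str]] = []   # dynamic: these roles are never active in one session

    def assign(self, user: str, role: str) -> bool:
        """Static constraints are checked at assignment time, independent of any session."""
        roles = self.ua.get(user, set()) | {role}
        if any(pair <= roles for pair in self.ssod):
            return False
        self.ua[user] = roles
        return True

    def open_session(self, sid: str, user: str) -> None:
        self.sessions[sid] = (user, set())

    def activate(self, sid: str, role: str) -> bool:
        """Dynamic constraints are checked against the roles already active in this session."""
        user, active = self.sessions[sid]
        if role not in self.ua.get(user, set()):
            return False                              # cannot activate a role you do not hold
        if any(pair <= active | {role} for pair in self.dsod):
            return False
        active.add(role)
        return True

def run_demo():
    """Constructed roles and users; the constraint sets are illustrative."""
    m = RBAC()
    m.ssod.append(frozenset({"cashier", "auditor"}))   # one person never holds both
    m.dsod.append(frozenset({"clerk", "approver"}))    # may hold both, not in one session
    r1 = m.assign("alice", "cashier")    # True
    r2 = m.assign("alice", "auditor")    # False: violates SSoD
    m.assign("bob", "clerk")
    m.assign("bob", "approver")
    m.open_session("s1", "bob")
    r3 = m.activate("s1", "clerk")       # True
    r4 = m.activate("s1", "approver")    # False: violates DSoD within s1
    m.open_session("s2", "bob")
    r5 = m.activate("s2", "approver")    # True: a separate session
    r6 = m.activate("s2", "cashier")     # False: bob was never assigned cashier
    return r1, r2, r3, r4, r5, r6, sorted(m.ua["alice"])

if __name__ == "__main__":
    print(run_demo())
```

The practical difference is where the check lives: a static constraint can be verified offline over the user-role assignment table, while a dynamic one needs the session state at activation time, which is why a two-level analysis treats them separately.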
Deriving Data Dependence from/for UML State Machine Diagrams
Slicing is a well-known reduction technique in many areas such as debugging, maintenance, and testing, and thus, there has been considerable research in the application of slicing techniques to models at the design level. UML state machine diagrams can ...
Automatic Synthesis of Static Fault Trees from System Models
Fault tree analysis (FTA) is a traditional reliability analysis technique. In practice, the manual development of fault trees could be costly and error-prone, especially in the case of fault tolerant systems due to the inherent complexities such as ...
Evaluation of Experiences from Applying the PREDIQT Method in an Industrial Case Study
We have developed a method called PREDIQT for model-based prediction of impacts of architectural design changes on system quality. A recent case study indicated feasibility of the PREDIQT method when applied on a real-life industrial system. This paper ...
On Testing Effectiveness of Metamorphic Relations: A Case Study
One fundamental challenge for software testing is the oracle problem, which means that either there does not exist a mechanism (called an oracle) to verify the test output given any possible program input, or it is very expensive, if not impossible, to ...
Mutation-Based Evaluation of Weighted Test Case Selection for Firewall Testing
As part of network security testing, an administrator needs to know whether the firewall enforces the security policy as expected or not. In this setting, black-box testing and evaluation methodologies can be helpful. In this paper, we employ a simple ...
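The abstract above describes black-box firewall testing evaluated by mutation: the policy is mutated in small ways and a test suite is judged by how many mutants it distinguishes from the original. The following is an added example for this page, not the paper's method or its weighting scheme: a first-match rule list, three mutation operators (flip an action, drop a rule, swap two adjacent rules), a mutation score, and a greedy selection that keeps the test packets killing the most still-alive mutants. The policy, the packets and the selection heuristic are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp", "udp" or "any"
    src: str        # source CIDR
    dport: int      # destination port; 0 means any
    action: str     # "allow" or "deny"

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dport: int

DEFAULT_ACTION = "deny"   # applied when no rule matches (assumed policy default)

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and (rule.dport == 0 or rule.dport == pkt.dport))

def decide(policy: List[Rule], pkt: Packet) -> str:
    """First-match semantics, as in most packet filters."""
    for r in policy:
        if matches(r, pkt):
            return r.action
    return DEFAULT_ACTION

def mutants(policy: List[Rule]) -> List[Tuple[str, int, List[Rule]]]:
    """Single-fault mutants: flipped action, dropped rule, swapped neighbours."""
    out = []
    for i, r in enumerate(policy):
        flipped = Rule(r.proto, r.src, r.dport, "deny" if r.action == "allow" else "allow")
        out.append(("flip", i, policy[:i] + [flipped] + policy[i + 1:]))
        out.append(("drop", i, policy[:i] + policy[i + 1:]))
        if i + 1 < len(policy):
            out.append(("swap", i, policy[:i] + [policy[i + 1], policy[i]] + policy[i + 2:]))
    return out

def killed(policy: List[Rule], mutant: List[Rule], tests: List[Packet]) -> Set[Packet]:
    """Tests on which the mutant's decision differs from the original's."""
    return {t for t in tests if decide(policy, t) != decide(mutant, t)}

def mutation_score(policy: List[Rule], tests: List[Packet]) -> float:
    ms = mutants(policy)
    return sum(1 for _, _, m in ms if killed(policy, m, tests)) / len(ms)

def select_tests(policy: List[Rule], tests: List[Packet], budget: int) -> List[Packet]:
    """Greedy: each step keeps the test that kills the most not-yet-killed mutants."""
    ms = [m for _, _, m in mutants(policy)]
    alive = set(range(len(ms)))
    chosen: List[Packet] = []
    while alive and len(chosen) < budget:
        best, best_kills = None, set()
        for t in tests:
            if t in chosen:
                continue
            kills = {i for i in alive if decide(policy, t) != decide(ms[i], t)}
            if len(kills) > len(best_kills):
                best, best_kills = t, kills
        if best is None:
            break           # remaining mutants are equivalent for this suite
        chosen.append(best)
        alive -= best_kills
    return chosen

# Constructed policy and test packets (not from the paper).
POLICY = [
    Rule("tcp", "10.0.0.0/8", 22, "allow"),
    Rule("tcp", "0.0.0.0/0", 22, "deny"),
    Rule("tcp", "0.0.0.0/0", 443, "allow"),
    Rule("udp", "10.0.0.0/8", 53, "allow"),
]
TESTS = [
    Packet("tcp", "10.1.2.3", 22),    # allow via rule 0
    Packet("tcp", "192.0.2.7", 22),   # deny via rule 1
    Packet("tcp", "192.0.2.7", 443),  # allow via rule 2
    Packet("udp", "10.9.9.9", 53),    # allow via rule 3
    Packet("udp", "192.0.2.7", 53),   # default deny
    Packet("tcp", "10.1.2.3", 80),    # default deny
]

if __name__ == "__main__":
    print(mutation_score(POLICY, TESTS), select_tests(POLICY, TESTS, 3))
```

On this policy the full suite scores 8/11: dropping rule 1 is indistinguishable from the default deny, and swapping two rules that match disjoint traffic changes nothing, so those mutants are equivalent and no test can kill them. A practitioner has to recognise such equivalent mutants before reading a score, or a suite will look weaker than it is.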
RELEASE: Generating Exploits Using Loop-Aware Concolic Execution
Automatically finding vulnerabilities and even generating exploits are desirable for software testing. For the protection of intellectual property and copyright, programs being tested may lack source code and symbol-table information. Concolic ...
Towards a Reliable Spam-Proof Tagging System
Tagging systems are particularly vulnerable to tag spam. Although some previous efforts aim to address this problem with detection-based or demotion-based approaches, tricky attacks launched by attackers who can exploit vulnerabilities of spam-resistant ...
Dynamic Service Replacement to Improve Composite Service Reliability
Service-oriented architecture (SOA) provides the ability to satisfy customers' increasing demand for complex services in business environments via the composition of service components scattered across the Internet. Service composition is a ...
ReLACK: A Reliable VoIP Steganography Approach
VoIP steganography is a form of real-time network steganography that utilizes VoIP protocols and traffic as a covert channel to conceal secret messages. Recently, there has been a noticeable increase in interest in VoIP steganography due to the volume of ...
Index Terms
- Proceedings of the 2011 Fifth International Conference on Secure Software Integration and Reliability Improvement