2017 IEEE Cybersecurity Development (SecDev)

24-26 Sept. 2017

  • [Front cover]

    Publication Year: 2017, Page(s): c1
  • [Title page i]

    Publication Year: 2017, Page(s): i
  • [Title page iii]

    Publication Year: 2017, Page(s): iii
  • [Copyright notice]

    Publication Year: 2017, Page(s): iv
  • Table of contents

    Publication Year: 2017, Page(s): v - vii
  • Message from the General Chair

    Publication Year: 2017, Page(s): viii
  • Message from the Program Chair

    Publication Year: 2017, Page(s): ix
  • Message from the Tutorial Chair

    Publication Year: 2017, Page(s): x
  • Conference Committees

    Publication Year: 2017, Page(s): xi - xii
  • Panel: Building a Business around Secure Development

    Publication Year: 2017, Page(s): xiii - xiv
  • Keynotes

    Publication Year: 2017, Page(s): xv - xvii

    Provides an abstract for each of the keynote presentations and a brief professional biography of each presenter. The complete presentations were not made available for publication as part of the conference proceedings.
  • SecDev 2017 Posters

    Publication Year: 2017, Page(s): xviii
  • Hands-On Tutorial: Auditing Static Analysis Alerts Using a Lexicon & Rules

    Publication Year: 2017, Page(s): 1 - 2

    This hands-on tutorial teaches participants how to audit static analysis alerts, using an auditing lexicon and rules. There is no widely-accepted lexicon or standard set of rules for auditing static analysis alerts in the software engineering community. Auditing rules and a lexicon should guide different auditors to make the same determination for an alert. Standard terms and processes are necessa...
  • Automated Assessment Tools and the Software Assurance Marketplace (SWAMP)

    Publication Year: 2017, Page(s): 3

    Software assurance tools - tools that scan the source or binary code of a program to find weaknesses - are the first line of defense in assessing the security of a software project. These tools can catch flaws in a program that can affect both the correctness and safety of the code. This tutorial is relevant to anyone wanting to understand how those tools work, and learn how to use these automated...
  • Input Handling Done Right: Building Hardened Parsers Using Language-Theoretic Security

    Publication Year: 2017, Page(s): 4 - 5

    Input-handling vulnerabilities have been a constant source of security problems for decades. Many famous recent bugs are in fact input-handling bugs. We argue that the techniques for writing parsers in its present form are insufficient, and hence we propose a new pattern. In this tutorial, we will show participants a new design pattern for designing and implementing parsers using this new method. ...
  • Java Deserialization Vulnerabilities and Mitigations

    Publication Year: 2017, Page(s): 6 - 7

    This tutorial provides developers with practical guidance for securely implementing Java Serialization. Java deserialization is a clear and present danger as it is widely used both directly by applications and indirectly by Java subsystems such as RMI (Remote Method Invocation), JMX (Java Management Extension), JMS (Java Messaging System). Deserialization of untrusted streams can result in remote co...
  • Angr - The Next Generation of Binary Analysis

    Publication Year: 2017, Page(s): 8 - 9

    Software is becoming increasingly more complex, and vulnerabilities more subtle. Better approaches are required to effectively analyze modern binaries, efficiently identify deeply buried defects, and intelligently assist human analysts with specific software reversing tasks. Tons of good techniques and approaches regarding binary analysis have recently emerged from both academia and industry, many ...
  • A Machine Learning Approach to SDL

    Publication Year: 2017, Page(s): 10 - 15

    Security Risk Assessments (SRA) play a key role in the Security Development Lifecycle (SDL). At an early stage of the project, the SRA helps allocate security resources and identifies SDL requirements and activities. In this paper, we present key findings from a machine learning approach toward the SRA that seeks to learn from a database of previous product security risk assessments and associated...
  • Improving Attention to Security in Software Design with Analytics and Cognitive Techniques

    Publication Year: 2017, Page(s): 16 - 21

    There is a widening chasm between the ease of creating software and the difficulty of "building security in". This paper reviews the approach, the findings and recent experiments from a seven-year effort to enable consistency across a large, diverse development organization and software portfolio via policies, guidance, automated tools and services. Experience shows that developing secure ...
  • Developers Need Support, Too: A Survey of Security Advice for Software Developers

    Publication Year: 2017, Page(s): 22 - 26

    Increasingly developers are becoming aware of the importance of software security, as frequent high-profile security incidents emphasize the need for secure code. Faced with this new problem, most developers will use their normal approach: web search. But are the resulting web resources useful and effective at promoting security in practice? Recent research has identified security problems arising...
  • A Software Solution for Hardware Vulnerabilities

    Publication Year: 2017, Page(s): 27 - 33

    Modern processors are becoming increasingly complex with features that improve performance and add new functionality. However, such improvements are a double-edged sword: they improve performance and functionality but also introduce security-critical bugs into the processor that attackers can leverage to bypass a system's security policies. Existing solutions require hardware extensions and often ...
  • ASLR: How Robust Is the Randomness?

    Publication Year: 2017, Page(s): 34 - 41

    This paper examines the security provided by different implementations of Address Space Layout Randomization (ASLR). ASLR is a security mechanism that increases control-flow integrity by making it more difficult for an attacker to properly execute a buffer-overflow attack, even in systems with vulnerable software. The strength of ASLR lies in the randomness of the offsets it produces in memory lay...
  • Layering Security at Global Control Points to Secure Unmodified Software

    Publication Year: 2017, Page(s): 42 - 49

    Developing secure software is inherently difficult, and is further hampered by a rush to market, the lack of cybersecurity-trained architects and developers, and the difficulty of identifying flaws and deploying mitigations. To address these problems, we advocate for an alternative paradigm: layering security onto applications from global control points, such as the browser, operating system...
  • Empirical Studies on the Security and Usability Impact of Immutability

    Publication Year: 2017, Page(s): 50 - 53

    Although it is well-known that API design has a large and long-term impact on security, the literature contains few substantial guidelines for practitioners on how to design APIs that improve security. Even fewer of those guidelines have been evaluated empirically. Security professionals have proposed that software engineers choose immutable APIs and architectures to enhance security. Unfortunatel...
  • Securing Dataverse with an Adapted Command Design Pattern

    Publication Year: 2017, Page(s): 54 - 60

    In order to bake security into application design, we introduce an adaptation to the Command pattern: command instances are tagged with the permissions required to perform them for each object they manipulate. Prior to executing a command instance issued by a given user, an execution engine validates the user has the required permissions over the objects the command is about to operate on. Stating...