Browse Source

Init

master
Nicolas Hafner 3 years ago
commit
ba6d8f8e0c
Signed by: shinmera GPG Key ID: E12B14478BE4C922
8 changed files with 205 additions and 0 deletions
  1. +10
    -0
      .gitignore
  2. BIN
      dag-diff.png
  3. BIN
      overview.pdf
  4. BIN
      overview.png
  5. BIN
      presentation.pdf
  6. +195
    -0
      presentation.tex
  7. BIN
      static-dag.png
  8. BIN
      static-dag2.png

+ 10
- 0
.gitignore View File

@ -0,0 +1,10 @@
_minted-presentation/
auto/
*.aux
*.log
*.nav
*.out
*.snm
*.synctex.gz
*.toc
*.vrb

BIN
dag-diff.png View File

Before After
Width: 1164  |  Height: 644  |  Size: 53 KiB

BIN
overview.pdf View File


BIN
overview.png View File

Before After
Width: 2472  |  Height: 1288  |  Size: 159 KiB

BIN
presentation.pdf View File


+ 195
- 0
presentation.tex View File

@ -0,0 +1,195 @@
\documentclass[14pt,t]{beamer}
\usepackage{fontspec}
\usepackage{color}
\usepackage{minted}
\usepackage{etoolbox}
%% These fonts are non-free.
%% Comment out the lines if you don't have them.
\setmainfont{Equity Text A}
\setsansfont{Concourse T3}
\setmonofont{Triplicate T4}
\definecolor{bgcolor}{RGB}{20,25,28}
\definecolor{codecolor}{RGB}{249,38,114}
\hypersetup{colorlinks,linkcolor=,urlcolor=codecolor}
\setbeamercolor{background canvas}{bg=bgcolor}
\setbeamercolor{normal text}{fg=white}
\setbeamercolor{itemize item}{fg=lightgray}
\setbeamercolor{itemize subitem}{fg=lightgray}
\setbeamercolor{itemize subsubitem}{fg=lightgray}
\setbeamercolor{enumerate item}{fg=lightgray}
\setbeamercolor{enumerate subitem}{fg=lightgray}
\setbeamercolor{enumerate subsubitem}{fg=lightgray}
\setbeamercolor{enumerate item}{fg=lightgray}
\setbeamercolor{page number in head/foot}{fg=lightgray}
\setbeamerfont{page number in head/foot}{size=\large}
\setbeamertemplate{itemize items}[circle]
\setbeamertemplate{navigation symbols}{}
\setbeamertemplate{footline}{
\hfill%
\usebeamercolor[fg]{page number in head/foot}%
\usebeamerfont{page number in head/foot}%
\setbeamertemplate{page number in head/foot}[framenumber]%
\usebeamertemplate*{page number in head/foot}\kern1em\vskip2pt%
}
\usemintedstyle{monokai}
\newminted[javacode]{java}{fontsize=\scriptsize}
\renewcommand{\footnotesize}{\tiny}
\def\code#1{{\color{codecolor}\texttt{#1}}}
\renewcommand{\theFancyVerbLine}{\color{darkgray}\large \oldstylenums{\arabic{FancyVerbLine}}}
\renewcommand{\title}[1]{
{\LARGE #1} \vskip 0.4cm
}
\renewcommand{\subtitle}[1]{
\vskip 0.3cm {\Large #1} \vskip 0.2cm %
}
\begin{document}
\begin{frame}
\begin{center}
\vspace{1cm}
{\LARGE Inferring Crypto API Rules \\ from Code Changes}\\
\vspace{0.5cm}
{ ETH Software Engineering Seminar 2018 }
\end{center}
\end{frame}
\begin{frame}
\title{The Problem}
\begin{itemize}
\item Security APIs are difficult to use
\item The APIs change and evolve
\item Old techniques become vulnerable
\end{itemize}
\end{frame}
\begin{frame}
\title{The Paper's Approach}
\begin{itemize}
\item Observe code changes in many projects
\item Look at changes in Security API uses
\item Derive security advisory rules from changes
\item Apply rules to projects to discover vulnerabilities
\end{itemize}
\end{frame}
\begin{frame}
\title{Technique Overview}
\vspace{1cm}
\makebox[\linewidth][c]{
\includegraphics[width=0.8\pagewidth]{overview.png}
}
\end{frame}
\begin{frame}[fragile]
\title{Static Analysis}
\begin{javacode}
class AESCipher{
Cipher cipher;
String algorithm = "AES";
void setKey(Secret key){
cipher = Cipher.getInstance(algoritm);
cipher.init(Cipher.ENCRYPT_MODE, key);
}
}
\end{javacode}
\pause
\makebox[\linewidth][c]{
\includegraphics[width=0.6\pagewidth]{static-dag.png}
}
\end{frame}
\begin{frame}[fragile]
\title{Static Analysis}
\begin{javacode}
class AESCipher{
Cipher cipher;
String algorithm = "AES/CBC/PKCS5Padding";
void setKey(Secret key, String iv){
byte[] bytes = Hex.decodeHex(iv.toCharArray());
IVParameterSpec ivSpec = new IVParameterSpec(bytes);
cipher = Cipher.getInstance(algoritm);
cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec);
}
}
\end{javacode}
\pause
\makebox[\linewidth][c]{
\includegraphics[width=0.6\pagewidth]{static-dag2.png}
}
\end{frame}
\begin{frame}
\title{Graph Diffs}
\makebox[\linewidth][c]{
\includegraphics[width=0.45\pagewidth]{static-dag.png}
\includegraphics[width=0.45\pagewidth]{static-dag2.png}
}
\pause
\makebox[\linewidth][c]{
\includegraphics[width=0.6\pagewidth]{dag-diff.png}
}
\end{frame}
\begin{frame}
\title{Change Filtering}
\begin{itemize}
\item Remove the diff if there are:
\begin{enumerate}
\item no changes
\item no removals
\item no additionsKN
\end{enumerate}
relevant to our API, or if
\begin{enumerate}\setcounter{enumi}{3}
\item the diff is a duplicate.
\end{enumerate}
\end{itemize}
\end{frame}
\begin{frame}
\title{Change Clustering}
\end{frame}
\begin{frame}
\title{Data Set}
\begin{itemize}
\item 30'000 projects scanned
\item 461 projects selected
\item 11'551 changes collected
\item 6 target API classes analysed
\end{itemize}
\end{frame}
\begin{frame}
\title{Findings}
\begin{itemize}
\item Filters effectively remove irrelevant changes
\item Semantic changes are not affected
\item Seven new security rules derived
\item Vulnerabilities found in 57\% of analysed projects
\end{itemize}
\end{frame}
\begin{frame}
\title{Conclusion}
\begin{itemize}
\item Filtering out semantic changes automatically is a feasible approach
\item In a sample case, 13 security rules were derived
\item Of the analysed projects, 57\% were vulnerable to at least one of the derived rules
\end{itemize}
\end{frame}
\end{document}
%%% Local Variables:
%%% mode: latex
%%% TeX-command-extra-options: "-shell-escape"
%%% TeX-master: t
%%% TeX-engine: luatex
%%% End:

BIN
static-dag.png View File

Before After
Width: 1164  |  Height: 644  |  Size: 24 KiB

BIN
static-dag2.png View File

Before After
Width: 1164  |  Height: 644  |  Size: 54 KiB

Loading…
Cancel
Save