ISSTA 2019
Mon 15 - Fri 19 July 2019 Beijing, China
Thu 18 Jul 2019 15:07 - 15:30 at Grand Ballroom - Testing and Machine Learning Chair(s): Hongyu Zhang

More and more companies use static analysis to perform regular code reviews that detect security vulnerabilities in their code, configuring the analyses to find various types of bugs and vulnerabilities such as the SANS top 25 or the OWASP top 10. For such analyses to be as precise as possible, they must be adapted to the code base they scan. The particular challenge we address in this paper is to provide analyses with the correct security-relevant methods (Srm): sources, sinks, etc. We present SWAN, a fully automated machine-learning approach to detect sources, sinks, validators, and authentication methods for Java programs. SWAN further classifies the Srm into specific vulnerability classes of the SANS top 25. To further adapt the lists detected by SWAN to the code base and to improve its precision, we also introduce SWANAssist, an extension to SWAN that allows analysis users to refine the classifications. On twelve popular Java frameworks, SWAN achieves an average precision of 0.826, which is better than or comparable to existing approaches. Our experiments show that SWANAssist requires relatively low effort from the developer to significantly improve its precision.

Talk Slides: 20190718_SWAN.pdf (1.60 MiB)

Thu 18 Jul
Times are displayed in time zone: Beijing, Chongqing, Hong Kong, Urumqi

14:00 - 15:30: Testing and Machine Learning (Technical Papers) at Grand Ballroom
Chair(s): Hongyu Zhang (The University of Newcastle)
14:00 - 14:22
DeepHunter: A Coverage-Guided Fuzz Testing Framework for Deep Neural Networks
Technical Papers
Xiaofei Xie (Nanyang Technological University), Lei Ma (Kyushu University), Felix Juefei-Xu (Carnegie Mellon University), Minhui Xue, Hongxu Chen (Nanyang Technological University), Yang Liu (Nanyang Technological University, Singapore), Jianjun Zhao (Kyushu University), Bo Li (UIUC), Jianxiong Yin (NVIDIA AI Tech Centre), Simon See (NVIDIA AI Tech Centre)
14:22 - 14:45
Search-based Test and Improvement of Machine-Learning-Based Anomaly Detection Systems (Artifacts Reusable, Artifacts Functional)
Technical Papers
Maxime Cordy (SnT, University of Luxembourg), Steve Muller (unaffiliated), Mike Papadakis (University of Luxembourg), Yves Le Traon (University of Luxembourg)
14:45 - 15:07
DeepFL: Integrating Multiple Fault Diagnosis Dimensions for Deep Fault Localization (Artifacts Reusable, Artifacts Functional, Distinguished Paper Award)
Technical Papers
Xia Li (University of Texas at Dallas, USA), Wei Li (Southern University of Science and Technology), Yuqun Zhang (Southern University of Science and Technology), Lingming Zhang
15:07 - 15:30
Codebase-Adaptive Detection of Security-Relevant Methods (Artifacts Functional)
Technical Papers
Goran Piskachev (Fraunhofer IEM), Lisa Nguyen Quang Do (Paderborn University), Eric Bodden (Heinz Nixdorf Institut, Paderborn University and Fraunhofer IEM)