The Threat in your Pocket: Trends, Challenges, and Solutions in Mobile Application Security

Professor Sam Malek
University of California, USA


Mobile devices are ubiquitous, with billions of smartphones and tablets used worldwide. Fueling the popularity of such devices is the abundance of apps available on a variety of markets (e.g., Google Play). This abundance of apps arises, in large part, due to the platform’s low barrier to entry for amateur and professional developers alike, where a re-usable infrastructure enables relatively quick production of apps. However, this low barrier to entry is associated with an increased risk of apps with defects, particularly in the form of security vulnerabilities. Consequently, developers and designers of such apps are in need of appropriate approaches, tools, and frameworks that aid them in producing secure apps. In this talk, I will first provide an overview of the security vulnerabilities in Android and the attacks that exploit them. I will then describe a few promising approaches that aim to resolve these security threats. Finally, I will conclude the talk with the lessons learned and the avenues for future research.

The Unbearable Fragility of Software Documentation

Professor Martin Robillard
McGill University, Canada


Software documentation is possibly one of the most fragile of human constructions: Changing a single line in the documented software can invalidate its documentation. Yet we do need software documentation, sometimes crucially. In this talk I will discuss what makes software documentation so fragile, and how we could get rid of this fragility by rethinking the role that documentation plays in the life-cycle of a software system.

Speaker’s Bio

Martin Robillard is a Professor of Computer Science at McGill University. His current research focuses on problems related to software evolution, architecture and design, and software reuse. He served as the Program Co-Chair for the 20th ACM SIGSOFT International Symposium on the Foundations of Software Engineering (FSE 2012) and the 39th ACM/IEEE International Conference on Software Engineering (ICSE 2017). He received his Ph.D. and M.Sc. in Computer Science from the University of British Columbia and a B.Eng. from École Polytechnique de Montréal.

Automated Program Repair

Professor Abhik Roychoudhury
National University of Singapore


Software systems are prone to vulnerabilities which can be exploited. One of the key difficulties in building trustworthy software systems is the lack of specifications, or intended behavior, or a description of how the software system is supposed to behave. In our work, we have developed semantic analysis techniques to extract or discover specifications from an erroneous or vulnerable program. Such a specification discovery process helps in automatically generating repairs, thereby moving closer to the goal of self-healing software systems. As more and more of our daily functionalities become software controlled, and with the impending arrival of technology like personalized drones, the need for self-healing software has never been greater. There exist exciting possibilities for combining semantics-based repair approaches with search-based repair, and this is under investigation in our research team. We envision that automated repair capabilities should be integrated into programming environments in the future. We will also discuss the possibility of using automated repair for grading and teaching of introductory programming to various learner groups.

Speaker’s Bio

Abhik Roychoudhury is a Professor of Computer Science at National University of Singapore. His research focuses on software testing and analysis, software security and trustworthy software construction. His research group has built scalable techniques for testing, debugging and repair of programs using systematic semantic analysis. He has been an ACM Distinguished Speaker (2013-19). He is currently leading a large five-year long targeted research effort funded by National Research Foundation in the domain of trustworthy software. He is the Lead Principal Investigator of the Singapore Cyber-security Consortium, which is a consortium of over 35 companies in the cyber-security space engaging with academia for research and collaboration. He has served as Program Chair of ACM International Symposium on Software Testing and Analysis (ISSTA) 2016 and Editorial Board member of IEEE Transactions on Software Engineering (TSE) from 2014 to 2018. Abhik received his Ph.D. in Computer Science from the State University of New York at Stony Brook in 2000.

Human-centric Software Engineering

Professor John Grundy
Monash University, Australia


Humans are a key part of software development, including customers, designers, coders, testers and end users. In this talk I discuss several examples from our recent work on handling human-centric issues when engineering software systems. This includes personality impact on aspects of software development, specifically testing and pair-programming; understanding interpersonal issues in agile practices; incorporating end user emotions into software requirements engineering; reporting usability defects; providing proactive design critics in software tools to augment human decision making; and finally the use of human-centric, domain-specific visual models for non-technical experts to specify and generate systems, without the need for software engineers at all. I assess the usefulness of these approaches and discuss key future directions.

Speaker’s Bio

Professor John Grundy is the Senior Deputy Dean for the Faculty of Information Technology and a Professor of Software Engineering at Monash University. Professor Grundy holds the BSc(Hons), MSc and PhD degrees, all in Computer Science, from the University of Auckland. Professor Grundy is a Fellow of Automated Software Engineering, Fellow of Engineers Australia, Certified Professional Engineer, Engineering Executive, Member of the ACM and Senior Member of the IEEE. His research is in the area of software engineering, primarily software tools and techniques, software architecture, model-driven software engineering, visual languages, software security engineering, service-based and component-based systems and user interfaces. His work is mostly applied and he does research, R&D and consulting work with a range of companies. These have included, among many others, Unisono, Uniting AgeWell, Mailguard, NICTA, Thales Australia, CA Labs, XSol, Orion Health, Peace Software, and Whitecloud Systems.

Oracle Parfait: The Flavour of Real-World Vulnerability Detection

Cristina Cifuentes
Oracle Labs, Australia


The Parfait static code analysis tool focuses on detecting vulnerabilities that affect C, C++, Java and PL/SQL languages. Its focus has been on four key items expected of a commercial tool that lives in a commercial organisation:

precision of results (i.e., high true positive rate),
scalability (i.e., being able to quickly scan millions of lines of code),
incremental analysis (i.e., run over deltas of the code quickly), and
usability (i.e., ease of integration into standard build processes and reporting).

Parfait is used everyday around the world by thousands of Oracle developers.

In this presentation, we’ll sample a flavour of Parfait. We explore some real-world challenges faced in the creation of a robust vulnerability detection tool, we look into two examples of vulnerabilities that severely affected the Java platform in 2012-13 and most machines in 2017-18, and we conclude by recounting what matters to developers for integration into today’s continuous integration and continuous delivery (CI/CD) pipelines.

Speaker’s Bio

Cristina is the Director of Oracle Labs Australia and an Architect at Oracle. Headquartered in Brisbane, the Lab focuses on Program Analysis as it applies to finding vulnerabilities in software and enhancing the productivity of developers worldwide. Prior to founding Oracle Labs Australia, Cristina was the Principal Investigator of the Parfait bug tracking project at Sun Microsystems, then Oracle. Today, Oracle Parfait has become the de facto tool used by thousands of Oracle developers for bug and vulnerability detection in real-world, commercially sized C/C++/Java applications. Parfait’s success is founded on the pioneering work in advancing static program analysis techniques by Cristina’s team of Researchers and Engineers at Oracle Labs Australia. Cristina’s passion for tackling the big issues in the field of Program Analysis began with her doctoral work in binary decompilation at Queensland University of Technology. In an interview with Richard Morris for Geek of the Week, Cristina talks about Parfait, Walkabout and her career journey in this field. Before she joined Oracle and Sun Microsystems, Cristina held teaching posts at major Australian Universities, co-edited Going Digital, a landmark book on cybersecurity, and served on the executive committees of ACM SIGPLAN and IEEE Reverse Engineering.