Tutorials

Monday, October 15th, 9:00AM - 12:30PM (10:30AM-11:00AM Coffee break), Tutorial 1: Past, Present and Future of Software Reliability Assurance

Speakers: Rashid Mijumbi (Nokia, Ireland), Kazu Okumoto, Abhaya Asthana and Jacques Meekel

Abstract

The communications industry is evolving towards a convergence of ICT and Telecommunications in which most communications software will run on generic servers in the cloud. This trend is making it a requirement for software vendors to ensure continuous product integration and delivery. In order to guarantee the required levels of software reliability within such agile processes, software reliability growth modelling (SRGM) tools must also evolve. Specifically, the very short development cycles in DevOps projects make traditional exponential or s-shaped curve models inefficient in accurately predicting defects, and call for a revolution in software quality assurance. This tutorial addresses the need for software reliability growth modelling to evolve from traditional exponential or s-shaped data fitting to ‘curve shifting’. The tutorial will begin by discussing the past of SRGM – a past dominated by complex curve fitting only achieved by statistics experts. Then, it will introduce recent trends in SRGM where the entire process of data collection, pre-processing, curve fitting and visualization is automated to create SRGM-as-a-service without the need for specialized experts. Finally, the tutorial will introduce the future of SRGM in which curve fitting can be augmented by curve shifting during the early stages of software development so as to enhance accuracy. Moreover, throughout the tutorial, specific use cases from a real DevOps project will be used to motivate the need for evolution. Participants will also benefit from a live demo as well as hands-on experience with a recently developed and deployed cloud-based, automated SRGM tool which embodies all features of the discussion.


Monday, October 15th, 2:00PM - 5:30PM (3:30PM-4:00PM Coffee break), Tutorial 2: Anomaly Detection in Networks

Speaker: Veena Mendiratta (Nokia Bell Labs, USA)

Abstract

The application of analytics methods to data collected from communication networks provides valuable information about the network state, and supports detecting and predicting anomalous behavior in the network. Large volumes of operation data, including textual and log files, are collected from communication networks, and the inherent value of this data is recognized by academics, practitioners and network operators, who need easy-to-use and robust methods to detect and analyze anomalies based on the network data. The anomalies are indicators of vulnerabilities in the network. From an operations perspective, it is important to detect the anomalies and correct the problem (based on knowing the root cause) in a timely manner. The goal of this tutorial is to deliver a balanced mix of theory and hands-on practice. The first part of the tutorial will focus on introducing analytics methods for network anomaly detection. Next, a real-world case study is presented applying non-parametric machine learning techniques and PCA-based methods to detect anomalies in wireless networks. Once an anomaly is detected, message patterns are analyzed for root cause analysis by comparing the message patterns of the anomaly data to those of the normal data to determine where the problems are occurring. Neural-network-based Kohonen Self Organizing Maps (SOMs) and visual analytics are also used for exploring the anomalous behavior. Data from a 4G network will be used for the analyses. The case study is significant, as communications traffic on wireless networks generates large volumes of log metadata with hundreds of fields, including error codes, on a continuous basis across the various servers involved in a communication session. The last third of the tutorial will provide a hands-on session where attendees will be guided in the analysis of real log data using the techniques described above, in particular, the use of Kohonen SOMs. The hands-on session will focus on exploratory data analysis and modeling approaches using the provided (real) datasets. The hands-on session will be conducted using the R software environment, the RStudio user interface for R, and various R packages.


Thursday, October 18th, 9:00AM - 12:30PM (10:30AM-11:00AM Coffee break), Tutorial 3: Towards Development of Secure Mobile Software

Speakers: Hossain Shahriar (Kennesaw State University, USA) and Md Arabin Islam Talukder (Kennesaw State University, USA)

Abstract

An increasing number of mobile software applications are being developed to meet various needs of end users, including SMS messaging, social networking, and game playing. Android is currently the leading smartphone operating system in the world and currently holds more than 70% of the global smartphone market share. Unfortunately, many Android applications have been reported to suffer from security and reliability issues. More than 50% of mobile devices have unpatched vulnerabilities, leaving them open to malware and attacks. Malware on a smartphone can make a phone partially or fully unusable, cause unwanted billing, or steal contact information stored in a phonebook. Further, benign applications may contain vulnerabilities due to a lack of developer knowledge, and malware applications can exploit the known vulnerabilities by providing malicious inputs. Android applications may also suffer from resource leakage. In particular, memory leaks can occur when users navigate applications on devices through screen rotation and pressing of built-in buttons, leading to application crashes. This tutorial is intended to provide an overview of Android applications, malware engineering, classification of malware, and mitigation approaches. In particular, it will demonstrate examples of static analysis and dynamic analysis techniques. It will also explore some recent labware developed as part of the NSF Secure Mobile Software Development project, intended to promote secure mobile software development among practitioners. Finally, it will discuss content provider leakage and memory leak vulnerabilities, and mitigation approaches.


Tuesday, October 16th, 2:00PM - 5:30PM (3:30PM-4:00PM Coffee break), Tutorial 4: Towards Reliable Things: Formal Verification of IoT Software with Frama-C

Speakers: Allan Blanchard (Inria Lille – Nord Europe, France), Nikolai Kosmatov (CEA, France), Frederic Loulergue (Northern Arizona University, USA)

Abstract

Among distributed systems, connected devices and services, also referred to as the Internet of Things (IoT), have proliferated very quickly in the past years. There are now billions of interconnected devices, and this number is growing. It is anticipated that by 2021, about 46 billion devices will be in use. Some of these devices are in service in safety- and security-critical domains, and even in domains that are not necessarily critical, privacy issues may arise with devices collecting and transmitting a lot of personal information. Formal methods have been used successfully for years in highly critical domains; now they can help to bring security into the IoT field. In practice it is common to rely on a combination of formal methods to achieve an appropriate degree of guarantee: static analyses to guarantee the absence of runtime errors, deductive verification of functional correctness, and dynamic verification for parts that cannot be proved using deductive verification. This tutorial is focused on Frama-C, which is a source code analysis platform that aims at conducting verification of industrial-size programs written in ISO C99 source code. Frama-C fully supports this approach of combining formal methods by providing its users with a collection of plug-ins that perform static and dynamic analysis for safety- and security-critical software. Moreover, collaborative verification across cooperating plug-ins is enabled by their integration on top of a shared kernel and their compliance with a common specification language, ACSL. Recently Frama-C has been applied to the verification of software in the context of the Internet of Things.


Wednesday, October 17th, 2:00PM - 5:30PM (3:30PM-4:00PM Coffee break), Tutorial 5: Exploiting Operational Profile Data for Continuous Dependability Assessment in DevOps

Speakers: Alberto Avritzer (Esulabsolutions, Inc., USA) and André van Hoorn (University of Stuttgart, Germany)

Abstract

DevOps is an emerging software engineering paradigm that aims for fast feedback cycles between software changes in development and bringing these changes into production. Apart from cultural and organizational changes, DevOps employs a high degree of automation, cloud technologies, and tailored architectural styles such as microservices. The increased development speed and complexity impose various challenges on dependability assessment. However, this context also provides great opportunities, such as enabling access to extensive operational data obtained from continuous monitoring in production, which is a core DevOps principle. The goal of this tutorial is to provide an overview of challenges and approaches for dependability assessment in the context of DevOps and microservices. Specifically, the tutorial presents dependability assessment approaches that employ operational data obtained from production-level application performance management (APM) tools, giving access to operational workload profiles, architectural information, failure models, and security intrusions. These data are used to automatically create and configure dependability assessments based on models, load tests, and resilience benchmarks. The focus of this tutorial is on approaches that employ production usage, because these approaches provide more accurate recommendations for microservice architecture dependability assessment than approaches that do not consider production usage. The tutorial presents an overview of (1) the state-of-the-art approaches for obtaining operational data from production systems using APM tools, (2) the challenges of dependability for DevOps and microservices, and (3) selected approaches based on operational data to assess dependability. The dependability focus of this tutorial is on scalability, resilience, survivability, and security. In particular, we present a demo of the automated approach for the evaluation of a domain-based scalability and security metric assessment that is based on the microservice architecture's ability to satisfy the performance requirement under load and/or intrusions. The approach is illustrated by presenting experimental results using a benchmark microservice architecture.


Wednesday, October 17th, 2:00PM - 5:30PM (3:30PM-4:00PM Coffee break), Tutorial 6: From Software Security Assessment to Security Benchmark

Speakers: Nuno Antunes (University of Coimbra, Portugal) and Marco Vieira (University of Coimbra, Portugal)

Abstract

Measuring security and comparing systems according to their security is the illusory possibility that every system administrator or architect would like to have. Benchmarking is a “solved” problem in many domains, with performance benchmarks being widely adopted by industry and research, and even dependability benchmarks already having a well-established set of approaches within the research community. The same is not true for security benchmarking. On the other hand, there is a wide body of techniques and tools that allow for the assessment of system security, including modeling, analysis and testing techniques, each of them applicable in its specific domain, and with specific advantages or disadvantages that make them more or less fit for the multiple scenarios. However, comparing systems based on the output of these techniques is not so useful, as they are designed to find problems, which are to be corrected. After these problems are corrected, what is left for us to compare? This tutorial discusses the problem of security benchmarking from both theoretical and practical perspectives and examines why it is so much more difficult to benchmark security than other quality attributes of the system. New approaches that can provide information to help select the best alternatives in terms of security will be discussed, as well as many interesting open research challenges aimed at achieving security benchmarks. The tutorial will address both current research topics and engineering practice. Case studies will be presented, and future research opportunities will be identified and discussed.