|9:00-10:30||Engineering Privacy and the Challenges of Transitioning Science to Practice (Travis Breaux, CMU)||Software Analytics: Achievements and Challenges (Dongmei Zhang, MSR and Tao Xie, NCSU)|
|11:00-12:30||Engineering Secure Software: On The Many Ways You Should Be Breaking Your Product (Andy Meneely, RIT)||String Analysis (Tevfik Bultan, UCSB and Fang Yu, NCUT and Muath Alkhalaf, KSU)|
|14:00-15:30||Symbolic Techniques for Program Debugging and Repair (Abhik Roychoudhury, NUS and Satish Chandra, Samsung)||Engineering Cyberphysical System Software (Luca Mottola, Politecnico di Milano & SICS)|
|16:00-17:30||Social Media & Science 2.0 (Felienne Hermans, TU-Delft)|
9:00-10:30Travis Breaux (Carnegie Mellon University)
Emerging technologies that deliver automation increasingly rely on sharing sensitive personal information, which can introduce new threats to personal privacy. To address these new risks, regulators and privacy advocates have called for "Privacy By Design" to build privacy into systems early in the software-development lifecycle. There are several challenges to this call: first, the established definitions of privacy describe factors outside the traditional system boundary that software developers typically consider; second, in contrast to security, the risk model that underpins privacy is exogenous, contextual and anthropic, which is profoundly different from traditional views of system risk; and third, maximizing privacy in systems will necessarily reduce information utility, which either safely constrains design or dangerously precludes some systems by destabilizing their desired operating principles. In this session, we will discuss these challenges in the context of Walter Vincenti's design instrumentalities with examples drawn from surveillance technology applied in social networking, recommender systems and mobile applications. Proposals for addressing these challenges will be discussed in the context of emerging research in privacy and software engineering.
Bio: Travis Breaux is an Assistant Professor of Computer Science, appointed in the Institute for Software Research of the School of Computer Science at Carnegie Mellon University (CMU). Dr. Breaux's research program searches for new methods and tools for developing correct software specifications and ensuring that software systems conform to those specifications in a transparent, reliable and trustworthy manner. This includes demonstrating compliance with U.S. and international privacy and security laws, policies and standards. Dr. Breaux is the Director of the Requirements Engineering Laboratory at CMU and is the Chair of the USACM Public Policy Committee on Security and Privacy. As an educator, Dr. Breaux founded the engineering privacy course in CMU's Master of Science in Privacy Program.
Dongmei Zhang (Microsoft Research), Tao Xie (University of Illinois at Urbana-Champaign)
A huge wealth of various data exists in the practice of software development. Further rich data are produced by modern software and services in operation, many of which tend to be data-driven and/or data-producing in nature. Hidden in the data is information about the quality of software and services, user experiences, as well as the dynamics of software development. Software analytics is to develop and apply data exploration and analysis technologies, such as pattern recognition, machine learning, and information visualization, on software data in order to empower software practitioners to obtain insightful and actionable information for modern software and services. This 90-minute tutorial presents achievements and challenges of research and practice on principles, techniques, and applications of software analytics, highlighting success stories in industry, research achievements that have transferred to industrial practice, and future directions in software analytics. Attendees will acquire the skills and knowledge needed to perform research or conduct practice in the field of software analytics and to integrate analytics in their own research, practice, or teaching.
Bio: Dongmei Zhang is a Principal Researcher and research manager at the Software Analytics group of Microsoft Research (MSR). Her research interests include data-driven software analysis, machine learning, information visualization and large-scale computing platforms. She founded the Software Analytics group at MSR in 2009. Since then she has led the group in research on software-analytics technologies. Her group collaborates closely with multiple product teams in Microsoft, and has developed and deployed software-analytics tools that have created high business impact.
Bio: Tao Xie is an Associate Professor in the Department of Computer Science at the University of Illinois at Urbana-Champaign, USA. He has worked as a visiting researcher at Microsoft Research Redmond and Microsoft Research Asia. His research interests are in software engineering, focusing on software testing, program analysis, and software analytics. He leads the Automated Software Engineering Research Group at Illinois, and is a member of the Programming Languages, Formal Methods, and Software Engineering (PL-FM-SE) area at Illinois.
11:00-12:30Andy Meneely (Rochester Institute of Technology)
Security is a tough reality for software engineers today. Software products that are maliciously abused can undermine the many activities of our modern, digital world. The software that we depend upon must be secure, or we are at risk not just as “users”, but as consumers, patients, and citizens. The daily grind for a software engineer is already heavy: understanding customer requirements, collaborating in large teams, learning new technologies, fixing bugs, and delivering new features on time. All of these activities involve a mindset of “building” software, yet security is about “breaking” software. To a customer, software is supposed to transparently improve their lives. To a malicious hacker, software is an opportunity to abuse functionality for malicious gain. As a result, software engineers must maintain both the “builder” mindset as well as the “breaker” mindset throughout the software-development lifecycle.
In this tutorial, we will examine how security can be integrated into each step of the software-development lifecycle. We will also discuss recent trends in Engineering Secure Software, such as evidence-based engineering of secure software and the effects of catastrophic vulnerabilities such as Heartbleed.
Bio: Andy Meneely is an Assistant Professor in the Department of Software Engineering at the Rochester Institute of Technology, and is also an extended faculty member to the Department of Computing Security at RIT. He received his PhD in Computer Science at North Carolina State University in 2011. His research involves formulating metrics to examine the socio-technical structure of software-development teams and examining those impacts on the security of software.
Tevfik Bultan (UC Santa Barbara), Fang Yu (National Chengchi University in Taiwan), Muath Alkhalaf (King Saud University)
Like many other program-analysis problems, it is not possible to solve the string analysis problem precisely (i.e., it is not possible to precisely determine the set of string values that can reach a program point). However, one can compute over- or under-approximations of possible string values. If the approximations are precise enough, they can enable us to demonstrate existence or absence of bugs in string manipulating code. String analysis has been an active research area in the last decade, resulting in a wide variety of string-analysis techniques. In this tutorial, we will discuss automated string-analysis techniques, focusing particularly on automata-based static string analysis. We plan to cover the following topics: computing pre and post-conditions of basic string operations using automata, symbolic representation of automata, forward and backward string analysis using symbolic automata representation, relational string analysis, vulnerability detection using string analysis, differential string analysis, and automated repair using string analysis.
Bio: Tevfik Bultan is a Professor in the Department of Computer Science at the University of California, Santa Barbara (UCSB). His current research interests are in dependability of web software and services, automated verification, string analysis, and data model specification and analysis. Dr. Bultan co-chaired the program committees of the 9th International Symposium on Automated Technology for Verification and Analysis (ATVA 2011), the 20th International Symposium on the Foundations of Software Engineering (FSE 2012), and the 28th IEEE/ACM International Conference on Automated Software Engineering (ASE 2013). He was a keynote speaker at the 19th International Conference on Concurrency Theory (CONCUR 2008), the 6th ACM-IEEE International Conference on Formal Methods and Models for Codesign (MEMOCODE 2008), the 9th International Symposium on Formal Aspects of Component Software (FACS 2012), and the 2013 IFIP Joint International Conference on Formal Techniques for Distributed Systems (33rd FORTE / 15th FMOODS).
Bio: Fang Yu is an Associate Professor in the Department of Management Information Systems at the National Chengchi University in Taiwan. He is the director of the Software Security Laboratory which focuses on areas of security, verification, and program analysis techniques with the aim of improving the correctness and reliability of software systems. Dr. Yu was an invited speaker at the 2014 Big Data Workshop in Hong Kong, in April 2014, and he received the Outstanding Dissertation Award from the Computer Science Department at UC, Santa Barbara, in June 2010 for his dissertation titled: ``Automatic Verification of String Manipulating Programs.''
Bio: Muath Alkhalaf just completed his Ph.D. at the University of California, Santa Barbara, and joined the Computer Science Department of the King Saud University in Saudi Arabia as an Assistant Professor. His research interests are in string analysis, software security and automated program repair. Mr. Alkhalaf's dissertation research has been published in prestigious conferences in software engineering, software analysis and verification areas such as ISSTA 2014, ICST 2014, ISSTA 2012, ICSE 2012, ICSE 2011, TACAS 2010 and ASE 2009.
14:00-15:30Abhik Roychoudhury (National University of Singapore) and Satish Chandra (Samsung Electronics)
In recent years, there have been significant advances in symbolic execution technology, driven by the increasing maturity of SMT and SAT solvers as well as by the availability of cheap compute resources. This technology has had a significant impact in the area of automatically finding bugs in software. In this tutorial, we will review ways in which symbolic execution can be used not just for finding bugs in programs, but also in debugging them! In current practice, once a failure-inducing input has been found, humans have to spend a great deal of effort in determining the root cause of the bug. The reason the task is complicated is that a person has to figure out manually how the execution of the program on the failure-inducing input deviated from the “intended” execution of the program. We will show that symbolic analysis can be used to help the human in this task in a variety of ways. In particular, symbolic execution helps to glean the intended program behavior. We will show that this ability of symbolic execution in extracting program specifications can help in automating program repair as well.
Concretely, the tutorial will provide a background in symbolic execution, and then cover material from a series of recent papers on determination of root cause of errors and their repair using symbolic techniques; some of these papers are listed below. This is an emerging area, and the tutorial will point out several opportunities where additional research is needed to make this technology ready for field usage. This tutorial will attempt to further link up the software-engineering community with the programming-languages and formal-methods communities, in the specific context of software debugging and repair.
Bio: Abhik Roychoudhury is a Professor of Computer Science at the National University of Singapore, where he has been employed since 2001. He received his Ph.D. in Computer Science from the State University of New York at Stony Brook in 2000. His research interests are in software testing and analysis, trustworthy software and embedded software. His work has received various awards and honors - the most recent being his appointment as ACM Distinguished Speaker in 2013. He is a member of the editorial board for IEEE Transactions on Software Engineering.
Bio: Satish Chandra is a Senior Principal Engineer at Samsung Electronics, where he has worked since 2013. Prior to that he was a research staff member at IBM, and before that, a member of technical staff at Bell Labs Research. He received his Ph.D. in Computer Science from the University of Wisconsin at Madison in 1997. His current research interests are in bug finding and verification tools, symbolic analysis, and synthesis of programs. His research has been recognized by an ACM Distinguished Scientist (2011) award.
Luca Mottola (Politecnico di Milano and SICS Swedish ICT)
Cyberphysical systems (CPSs) are networked embedded systems tightly coupled with the physical world, built out of resource-constrained devices equipped with sensors and actuators. Because of the resulting intimate interactions between the \world" and the \machine", developing CPS software brings many SE challenges to an extreme. The sheer number of computing units, the heterogeneity of the systems, the need to integrate into larger computing infrastructures, and the increasing demand for self-adaptive operation require simple solutions to complex problems, able to tame the environment dynamics within limited resources. Existing contributions are, however, scattered across diverse research communities, including software engineering, embedded and real-time distributed systems, sensor networks, and low-power wireless networking.
The tutorial aims at providing a systematic, yet succinct overview of existing efforts in the field of developing CPS software. The tutorial will cover topics such as i) paradigmatic CPS applications and related (non-)functional requirements; ii) real-time low-power wireless sensing and actuation; iii) design and modelling approaches for CPS; iv) automatic program synthesis, programming abstractions, and middleware; and v) validation and verification of CPS software. The material will cover both theoretical aspects and their applications to real-world scenarios. The tutorial is aimed at fresh students looking for interesting problems, researchers wanting to gain deeper insights into CPS software, and practitioners in search of a systematic overview on the topic. In a broader perspective, the tutorial is a step towards creating increased awareness within the SE community about the challenges in this specific field.
Bio: Luca Mottola is an assistant professor at Politecnico di Milano (Italy) and a senior researcher at SICS Swedish ICT. Previously, he was a research scholar at the University of Southern California (USA). He completed his Ph.D. at Politecnico di Milano (Italy) in 2008. His research interests include the design, implementation, and validation of networked embedded software. Out of his research, he was listed among Postscapes Internet of Things Top 100 Thinkers" and has received the 2011 Cor Baayen Award for the most promising young researcher in computer science; the 2013 MIT Young Innovator Award given by MIT Technology Review Italia; the 2009 EWSN/CONET European Best Ph.D. Thesis Award; the Best Paper Award at ACM/IEEE IPSN 2011; the Best Paper Award at ACM/IEEE IPSN 2009; and the Best Demo Award at ACM Sensys 2007.
16:00-17:30Felienne Hermans (Delft University of Technology)
The way we do science is changing. While journals and conferences were once the only way to disseminate research results, today we can use blogs, Twitter, and open platforms like ﬁgshare.
But how to incorporate these social media—dubbed Science 2.0—into your scientiﬁc process? Maybe you want to start but don’t know how, or you don’t know where to ﬁnd the time. In this tutorial, we will present hands-on tips to start with social media immediately and use platforms like Twitter, Hackernews, or Reddit for their research. We present useful tools, resources, and practices from current research that will help researchers new to social media get started. Since social media can also easily become overwhelming, we will also discuss strategies for handling information overload and other challenges. While this tutorial is mainly aimed at beginners, it will also include interesting tips and tricks for researchers already using social media.
Bio: Felienne Hermans is an assistant professor at the Software Engineering Research Group at Delft University of Technology, where she researches the application of software engineering methods to spreadsheets. Her presentations on SlideShare were viewed over 60,000 times combined, and her blog post on an Excel Turing machine was covered on BoingBoing and Hackernews.
Clouds and cloud computing is becoming a household term, yet a surprising number of applications are essentially not "cloud-ready". Some are existing large and complex applications engineered to protect their intellectual property (e.g., via CPU lock-in), and some are applications intended to run on a "cloud" but were implemented without an understanding of how clouds work. Issues range from deficiencies in application/software mobility, to security issues, to multi-tenancy issues, to performance issues, to licensing issues, to reliability, and so on. This tutorial presents the concept of clouds, essential cloud services, functionalities, and sub-systems, and it reviews existing cloud architectures. It then discusses principles and techniques that can be used to develop cloud-resident software. We will briefly cover metrics and check-lists that allow software developers to understand what a particular commercial or open-source cloud provides, and what the pitfalls and risks might be with a particular cloud. Special attention will be paid to ways of minimizing mismatch (and the resulting issues) between software intended to run on a cloud and the underlying cloud services and architecture. Attendees will gain an understanding of how to develop cloud-based applications, and which software-engineering processes and tools may be available and suitable, and which should or should not be used, to develop cloud applications.
Bio: Mladen A. Vouk received Ph.D. from the King's College, University of London U.K. He is Department Head and Professor of Computer Science, and Associate Vice Provost for Information Technology at N.C. State University, Raleigh, N.C., U.S.A. He has extensive experience in both commercial software production and academic computing. He is the author or co-author of over 300 publications. His research and development interests include software engineering, scientific computing and analytics, IT-assisted education, and high-performance computing and clouds. He is a member of the IFIP Working Group 2.5 on Numerical Software, and a recipient of the IFIP Silver Core award. He is an IEEE Fellow, and a recipient of the IEEE Distinguished Service and Gold Core Awards.