Search

Your search keyword '"Ruef, Andrew"' showing total 84 results
Start Over Author "Ruef, Andrew"
84 results on '"Ruef, Andrew"'

1. Build It, Break It, Fix It: Contesting Secure Development

Author

Parker, James, Hicks, Michael, Ruef, Andrew, Mazurek, Michelle L., Levin, Dave, Votipka, Daniel, Mardziel, Piotr, and Fulton, Kelsey R.

Subjects
Computer Science - Cryptography and Security
Abstract

Typical security contests focus on breaking or mitigating the impact of buggy systems. We present the Build-it, Break-it, Fix-it (BIBIFI) contest, which aims to assess the ability to securely build software, not just break it. In BIBIFI, teams build specified software with the goal of maximizing correctness, performance, and security. The latter is tested when teams attempt to break other teams' submissions. Winners are chosen from among the best builders and the best breakers. BIBIFI was designed to be open-ended; teams can use any language, tool, process, etc. that they like. As such, contest outcomes shed light on factors that correlate with successfully building secure software and breaking insecure software. We ran three contests involving a total of 156 teams and three different programming problems. Quantitative analysis from these contests found that the most efficient build-it submissions used C/C++, but submissions coded in a statically-type safe language were 11 times less likely to have a security flaw than C/C++ submissions. Break-it teams that were also successful build-it teams were significantly better at finding security bugs., Comment: 35pgs. Extension of arXiv:1606.01881 which was a conference paper previously published in CCS 2016. This is a journal version submitted to TOPS

Published
2019

2. A Counterexample-guided Approach to Finding Numerical Invariants

Author

Nguyen, ThanhVu, Antopoulos, Timos, Ruef, Andrew, and Hicks, Michael

Subjects
Computer Science - Software Engineering
Abstract

Numerical invariants, e.g., relationships among numerical variables in a program, represent a useful class of properties to analyze programs. General polynomial invariants represent more complex numerical relations, but they are often required in many scientific and engineering applications. We present NumInv, a tool that implements a counterexample-guided invariant generation (CEGIR) technique to automatically discover numerical invariants, which are polynomial equality and inequality relations among numerical variables. This CEGIR technique infers candidate invariants from program traces and then checks them against the program source code using the KLEE test-input generation tool. If the invariants are incorrect KLEE returns counterexample traces, which help the dynamic inference obtain better results. Existing CEGIR approaches often require sound invariants, however NumInv sacrifices soundness and produces results that KLEE cannot refute within certain time bounds. This design and the use of KLEE as a verifier allow NumInv to discover useful and important numerical invariants for many challenging programs. Preliminary results show that NumInv generates required invariants for understanding and verifying correctness of programs involving complex arithmetic. We also show that NumInv discovers polynomial invariants that capture precise complexity bounds of programs used to benchmark existing static complexity analysis techniques. Finally, we show that NumInv performs competitively comparing to state of the art numerical invariant analysis tools.

Published
2019

3. Evaluating Fuzz Testing

Author

Klees, George, Ruef, Andrew, Cooper, Benji, Wei, Shiyi, and Hicks, Michael

Subjects
Computer Science - Cryptography and Security
Abstract

Fuzz testing has enjoyed great success at discovering security critical bugs in real software. Recently, researchers have devoted significant effort to devising new fuzzing techniques, strategies, and algorithms. Such new ideas are primarily evaluated experimentally so an important question is: What experimental setup is needed to produce trustworthy results? We surveyed the recent research literature and assessed the experimental evaluations carried out by 32 fuzzing papers. We found problems in every evaluation we considered. We then performed our own extensive experimental evaluation using an existing fuzzer. Our results showed that the general problems we found in existing experimental evaluations can indeed translate to actual wrong or misleading assessments. We conclude with some guidelines that we hope will help improve experimental evaluations of fuzz testing algorithms, making reported results more robust.

Published
2018

4. Evaluating Design Tradeoffs in Numeric Static Analysis for Java

Author

Wei, Shiyi, Mardziel, Piotr, Ruef, Andrew, Foster, Jeffrey S., and Hicks, Michael

Subjects
Computer Science - Programming Languages
Abstract

Numeric static analysis for Java has a broad range of potentially useful applications, including array bounds checking and resource usage estimation. However, designing a scalable numeric static analysis for real-world Java programs presents a multitude of design choices, each of which may interact with others. For example, an analysis could handle method calls via either a top-down or bottom-up interprocedural analysis. Moreover, this choice could interact with how we choose to represent aliasing in the heap and/or whether we use a relational numeric domain, e.g., convex polyhedra. In this paper, we present a family of abstract interpretation-based numeric static analyses for Java and systematically evaluate the impact of 162 analysis configurations on the DaCapo benchmark suite. Our experiment considered the precision and performance of the analyses for discharging array bounds checks. We found that top-down analysis is generally a better choice than bottom-up analysis, and that using access paths to describe heap objects is better than using summary objects corresponding to points-to analysis locations. Moreover, these two choices are the most significant, while choices about the numeric domain, representation of abstract objects, and context-sensitivity make much less difference to the precision/performance tradeoff.

Published
2018
Full Text
View/download PDF

5. Summoning Demons: The Pursuit of Exploitable Bugs in Machine Learning

Author

Stevens, Rock, Suciu, Octavian, Ruef, Andrew, Hong, Sanghyun, Hicks, Michael, and Dumitraş, Tudor

Subjects
Computer Science - Cryptography and Security, Computer Science - Learning
Abstract

Governments and businesses increasingly rely on data analytics and machine learning (ML) for improving their competitive edge in areas such as consumer satisfaction, threat intelligence, decision making, and product efficiency. However, by cleverly corrupting a subset of data used as input to a target's ML algorithms, an adversary can perturb outcomes and compromise the effectiveness of ML technology. While prior work in the field of adversarial machine learning has studied the impact of input manipulation on correct ML algorithms, we consider the exploitation of bugs in ML implementations. In this paper, we characterize the attack surface of ML programs, and we show that malicious inputs exploiting implementation bugs enable strictly more powerful attacks than the classic adversarial machine learning techniques. We propose a semi-automated technique, called steered fuzzing, for exploring this attack surface and for discovering exploitable bugs in machine learning programs, in order to demonstrate the magnitude of this threat. As a result of our work, we responsibly disclosed five vulnerabilities, established three new CVE-IDs, and illuminated a common insecure practice across many machine learning systems. Finally, we outline several research directions for further understanding and mitigating this threat.

Published
2017

6. Argumentation Models for Cyber Attribution

Author

Nunes, Eric, Shakarian, Paulo, Simari, Gerardo I., and Ruef, Andrew

Subjects
Computer Science - Artificial Intelligence
Abstract

A major challenge in cyber-threat analysis is combining information from different sources to find the person or the group responsible for the cyber-attack. It is one of the most important technical and policy challenges in cyber-security. The lack of ground truth for an individual responsible for an attack has limited previous studies. In this paper, we take a first step towards overcoming this limitation by building a dataset from the capture-the-flag event held at DEFCON, and propose an argumentation model based on a formal reasoning framework called DeLP (Defeasible Logic Programming) designed to aid an analyst in attributing a cyber-attack. We build models from latent variables to reduce the search space of culprits (attackers), and show that this reduction significantly improves the performance of classification-based approaches from 37% to 62% in identifying the attacker., Comment: 8 pages paper to be presented at International Symposium on Foundations of Open Source Intelligence and Security Informatics (FOSINT-SI) 2016 In conjunction with ASONAM 2016 San Francisco, CA, USA, August 19-20, 2016

Published
2016

7. Build It, Break It, Fix It: Contesting Secure Development

Author

Ruef, Andrew, Hicks, Michael, Parker, James, Levin, Dave, Mazurek, Michelle L., and Mardziel, Piotr

Subjects
Computer Science - Cryptography and Security, Computer Science - Software Engineering
Abstract

Typical security contests focus on breaking or mitigating the impact of buggy systems. We present the Build-it Break-it Fix-it BIBIFI contest which aims to assess the ability to securely build software not just break it. In BIBIFI teams build specified software with the goal of maximizing correctness performance and security. The latter is tested when teams attempt to break other teams submissions. Winners are chosen from among the best builders and the best breakers. BIBIFI was designed to be open-ended - teams can use any language tool process etc. that they like. As such contest outcomes shed light on factors that correlate with successfully building secure software and breaking insecure software. During we ran three contests involving a total of teams and two different programming problems. Quantitative analysis from these contests found that the most efficient build-it submissions used CC but submissions coded in a statically-typed language were less likely to have a security flaw build-it teams with diverse programming-language knowledge also produced more secure code. Shorter programs correlated with better scores. Break-it teams that were also build-it teams were significantly better at finding security bugs.

Published
2016
Full Text
View/download PDF

8. Cyber-Deception and Attribution in Capture-the-Flag Exercises

Author

Nunes, Eric, Kulkarni, Nimish, Shakarian, Paulo, Ruef, Andrew, and Little, Jay

Subjects
Computer Science - Cryptography and Security
Abstract

Attributing the culprit of a cyber-attack is widely considered one of the major technical and policy challenges of cyber-security. The lack of ground truth for an individual responsible for a given attack has limited previous studies. Here, we overcome this limitation by leveraging DEFCON capture-the-flag (CTF) exercise data where the actual ground-truth is known. In this work, we use various classification techniques to identify the culprit in a cyberattack and find that deceptive activities account for the majority of misclassified samples. We also explore several heuristics to alleviate some of the misclassification caused by deception., Comment: 4 pages Short name accepted to FOSINT-SI 2015

Published
2015

9. Cyber Attacks and Public Embarrassment: A Survey of Some Notable Hacks

Author

Shakarian, Jana, Shakarian, Paulo, and Ruef, Andrew

Subjects
Computer Science - Computers and Society, Computer Science - Cryptography and Security
Abstract

We hear it all too often in the media: an organization is attacked, its data, often containing personally identifying information, is made public, and a hacking group emerges to claim credit. In this excerpt, we discuss how such groups operate and describe the details of a few major cyber-attacks of this sort in the wider context of how they occurred. We feel that understanding how such groups have operated in the past will give organizations ideas of how to defend against them in the future.

Published
2015

10. Enhanced Data Collection for Cyber Attribution

Author

Nunes, Eric, Shakarian, Paulo, Simari, Gerardo I., Ruef, Andrew, Zdonik, Stan, Series editor, Shekhar, Shashi, Series editor, Wu, Xindong, Series editor, Jain, Lakhmi C., Series editor, Padua, David, Series editor, Shen, Xuemin Sherman, Series editor, Furht, Borko, Series editor, Subrahmanian, V.S., Series editor, Hebert, Martial, Series editor, Ikeuchi, Katsushi, Series editor, Siciliano, Bruno, Series editor, Jajodia, Sushil, Series editor, Lee, Newton, Series editor, Nunes, Eric, Shakarian, Paulo, Simari, Gerardo I., and Ruef, Andrew

Published
2018
Full Text
View/download PDF

11. Belief Revision in DeLP3E

Author

Nunes, Eric, Shakarian, Paulo, Simari, Gerardo I., Ruef, Andrew, Zdonik, Stan, Series editor, Shekhar, Shashi, Series editor, Wu, Xindong, Series editor, Jain, Lakhmi C., Series editor, Padua, David, Series editor, Shen, Xuemin Sherman, Series editor, Furht, Borko, Series editor, Subrahmanian, V.S., Series editor, Hebert, Martial, Series editor, Ikeuchi, Katsushi, Series editor, Siciliano, Bruno, Series editor, Jajodia, Sushil, Series editor, Lee, Newton, Series editor, Nunes, Eric, Shakarian, Paulo, Simari, Gerardo I., and Ruef, Andrew

Published
2018
Full Text
View/download PDF

12. Argumentation-Based Cyber Attribution: The DeLP3E Model

Author

Nunes, Eric, Shakarian, Paulo, Simari, Gerardo I., Ruef, Andrew, Zdonik, Stan, Series editor, Shekhar, Shashi, Series editor, Wu, Xindong, Series editor, Jain, Lakhmi C., Series editor, Padua, David, Series editor, Shen, Xuemin Sherman, Series editor, Furht, Borko, Series editor, Subrahmanian, V.S., Series editor, Hebert, Martial, Series editor, Ikeuchi, Katsushi, Series editor, Siciliano, Bruno, Series editor, Jajodia, Sushil, Series editor, Lee, Newton, Series editor, Nunes, Eric, Shakarian, Paulo, Simari, Gerardo I., and Ruef, Andrew

Published
2018
Full Text
View/download PDF

13. Applying Argumentation Models for Cyber Attribution

Author

Nunes, Eric, Shakarian, Paulo, Simari, Gerardo I., Ruef, Andrew, Zdonik, Stan, Series editor, Shekhar, Shashi, Series editor, Wu, Xindong, Series editor, Jain, Lakhmi C., Series editor, Padua, David, Series editor, Shen, Xuemin Sherman, Series editor, Furht, Borko, Series editor, Subrahmanian, V.S., Series editor, Hebert, Martial, Series editor, Ikeuchi, Katsushi, Series editor, Siciliano, Bruno, Series editor, Jajodia, Sushil, Series editor, Lee, Newton, Series editor, Nunes, Eric, Shakarian, Paulo, Simari, Gerardo I., and Ruef, Andrew

Published
2018
Full Text
View/download PDF

14. Baseline Cyber Attribution Models

Author

Nunes, Eric, Shakarian, Paulo, Simari, Gerardo I., Ruef, Andrew, Zdonik, Stan, Series editor, Shekhar, Shashi, Series editor, Wu, Xindong, Series editor, Jain, Lakhmi C., Series editor, Padua, David, Series editor, Shen, Xuemin Sherman, Series editor, Furht, Borko, Series editor, Subrahmanian, V.S., Series editor, Hebert, Martial, Series editor, Ikeuchi, Katsushi, Series editor, Siciliano, Bruno, Series editor, Jajodia, Sushil, Series editor, Lee, Newton, Series editor, Nunes, Eric, Shakarian, Paulo, Simari, Gerardo I., and Ruef, Andrew

Published
2018
Full Text
View/download PDF

15. Achieving Safety Incrementally with Checked C

Author

Ruef, Andrew, Lampropoulos, Leonidas, Sweet, Ian, Tarditi, David, Hicks, Michael, Hutchison, David, Editorial Board Member, Kanade, Takeo, Editorial Board Member, Kittler, Josef, Editorial Board Member, Kleinberg, Jon M., Editorial Board Member, Mattern, Friedemann, Editorial Board Member, Mitchell, John C., Editorial Board Member, Naor, Moni, Editorial Board Member, Pandu Rangan, C., Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Terzopoulos, Demetri, Editorial Board Member, Tygar, Doug, Editorial Board Member, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Nielson, Flemming, editor, and Sands, David, editor

Published
2019
Full Text
View/download PDF

16. Introduction

Author

Nunes, Eric, Shakarian, Paulo, Simari, Gerardo I., Ruef, Andrew, Zdonik, Stan, Series editor, Shekhar, Shashi, Series editor, Wu, Xindong, Series editor, Jain, Lakhmi C., Series editor, Padua, David, Series editor, Shen, Xuemin Sherman, Series editor, Furht, Borko, Series editor, Subrahmanian, V.S., Series editor, Hebert, Martial, Series editor, Ikeuchi, Katsushi, Series editor, Siciliano, Bruno, Series editor, Jajodia, Sushil, Series editor, Lee, Newton, Series editor, Nunes, Eric, Shakarian, Paulo, Simari, Gerardo I., and Ruef, Andrew

Published
2018
Full Text
View/download PDF

17. The Dragon and the Computer: Why Intellectual Property Theft is Compatible with Chinese Cyber-Warfare Doctrine

Author

Shakarian, Paulo, Shakarian, Jana, and Ruef, Andrew

Subjects
Computer Science - Cryptography and Security, Computer Science - Computers and Society
Abstract

Along with the USA and Russia, China is often considered one of the leading cyber-powers in the world. In this excerpt, we explore how Chinese military thought, developed in the 1990s, influenced their cyber-operations in the early 2000s. In particular, we examine the ideas of "Unrestricted Warfare" and "Active Offense" and discuss how they can permit for the theft of intellectual property. We then specifically look at how the case study of Operation Aurora, a cyber-operation directed against many major U.S. technology and defense firms, reflects some of these ideas., Comment: This is an excerpt from the upcoming book Introduction to Cyber-Warfare: A Multidisciplinary Approach published by Syngress (ISBN: 978-0124078147)

Published
2013

18. Volume-Based Merge Heuristics for Disjunctive Numeric Domains

Author

Ruef, Andrew, Hietala, Kesha, Cox, Arlen, Hutchison, David, Series Editor, Kanade, Takeo, Series Editor, Kittler, Josef, Series Editor, Kleinberg, Jon M., Series Editor, Mattern, Friedemann, Series Editor, Mitchell, John C., Series Editor, Naor, Moni, Series Editor, Pandu Rangan, C., Series Editor, Steffen, Bernhard, Series Editor, Terzopoulos, Demetri, Series Editor, Tygar, Doug, Series Editor, Weikum, Gerhard, Series Editor, and Podelski, Andreas, editor

Published
2018
Full Text
View/download PDF

21. Conclusion

Author

Nunes, Eric, Shakarian, Paulo, Simari, Gerardo I., Ruef, Andrew, Zdonik, Stan, Series editor, Shekhar, Shashi, Series editor, Wu, Xindong, Series editor, Jain, Lakhmi C., Series editor, Padua, David, Series editor, Shen, Xuemin Sherman, Series editor, Furht, Borko, Series editor, Subrahmanian, V.S., Series editor, Hebert, Martial, Series editor, Ikeuchi, Katsushi, Series editor, Siciliano, Bruno, Series editor, Jajodia, Sushil, Series editor, Lee, Newton, Series editor, Nunes, Eric, Shakarian, Paulo, Simari, Gerardo I., and Ruef, Andrew

Published
2018
Full Text
View/download PDF

28. Introduction

Author

Nunes, Eric, primary, Shakarian, Paulo, additional, Simari, Gerardo I., additional, and Ruef, Andrew, additional

Published
2018
Full Text
View/download PDF

31. Conclusion

Author

Nunes, Eric, primary, Shakarian, Paulo, additional, Simari, Gerardo I., additional, and Ruef, Andrew, additional

Published
2018
Full Text
View/download PDF

40. Introduction

Author

Shakarian, Paulo, primary, Shakarian, Jana, additional, and Ruef, Andrew, additional

Published
2013
Full Text
View/download PDF

43. Preface

Author

Shakarian, Paulo, primary, Shakarian, Jana, additional, and Ruef, Andrew, additional

Published
2013
Full Text
View/download PDF

45. Cyber Warfare

Author

Shakarian, Paulo, primary, Shakarian, Jana, additional, and Ruef, Andrew, additional

Published
2013
Full Text
View/download PDF

50. Build It, Break It, Fix It

Author

Parker, James, primary, Hicks, Michael, additional, Ruef, Andrew, additional, Mazurek, Michelle L., additional, Levin, Dave, additional, Votipka, Daniel, additional, Mardziel, Piotr, additional, and Fulton, Kelsey R., additional

Published
2020
Full Text
View/download PDF

Catalog

Books, media, physical & digital resources
See catalog results