References of "Monperrus, Martin"
     in
Bookmark and Share    
Full Text
Peer Reviewed
See detailiFixR: bug report driven program repair
Koyuncu, Anil UL; Liu, Kui UL; Bissyande, Tegawendé François D Assise UL et al

in ESEC/FSE 2019 Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (2019, August)

Issue tracking systems are commonly used in modern software development for collecting feedback from users and developers. An ultimate automation target of software maintenance is then the systematization ... [more ▼]

Issue tracking systems are commonly used in modern software development for collecting feedback from users and developers. An ultimate automation target of software maintenance is then the systematization of patch generation for user-reported bugs. Although this ambition is aligned with the momentum of automated program repair, the literature has, so far, mostly focused on generate-and- validate setups where fault localization and patch generation are driven by a well-defined test suite. On the one hand, however, the common (yet strong) assumption on the existence of relevant test cases does not hold in practice for most development settings: many bugs are reported without the available test suite being able to reveal them. On the other hand, for many projects, the number of bug reports generally outstrips the resources available to triage them. Towards increasing the adoption of patch generation tools by practitioners, we investigate a new repair pipeline, iFixR, driven by bug reports: (1) bug reports are fed to an IR-based fault localizer; (2) patches are generated from fix patterns and validated via regression testing; (3) a prioritized list of generated patches is proposed to developers. We evaluate iFixR on the Defects4J dataset, which we enriched (i.e., faults are linked to bug reports) and carefully-reorganized (i.e., the timeline of test-cases is naturally split). iFixR generates genuine/plausible patches for 21/44 Defects4J faults with its IR-based fault localizer. iFixR accurately places a genuine/plausible patch among its top-5 recommendation for 8/13 of these faults (without using future test cases in generation-and-validation). [less ▲]

Detailed reference viewed: 30 (3 UL)
Full Text
Peer Reviewed
See detailImpact of Tool Support in Patch Construction
Koyuncu, Anil UL; Bissyande, Tegawendé François D Assise UL; Kim, Dongsun UL et al

Scientific Conference (2017, July)

In this work, we investigate the practice of patch construction in the Linux kernel development, focusing on the differences between three patching processes: (1) patches crafted entirely manually to fix ... [more ▼]

In this work, we investigate the practice of patch construction in the Linux kernel development, focusing on the differences between three patching processes: (1) patches crafted entirely manually to fix bugs, (2) those that are derived from warnings of bug detection tools, and (3) those that are automatically generated based on fix patterns. With this study, we provide to the research community concrete insights on the practice of patching as well as how the development community is currently embracing research and commercial patching tools to improve productivity in repair. The result of our study shows that tool-supported patches are increasingly adopted by the developer community while manually-written patches are accepted more quickly. Patch application tools enable developers to remain committed to contributing patches to the code base. Our findings also include that, in actual development processes, patches generally implement several change operations spread over the code, even for patches fixing warnings by bug detection tools. Finally, this study has shown that there is an opportunity to directly leverage the output of bug detection tools to readily generate patches that are appropriate for fixing the problem, and that are consistent with manually-written patches. [less ▲]

Detailed reference viewed: 134 (16 UL)
Full Text
Peer Reviewed
See detailStatic Analysis for Extracting Permission Checks of a Large Scale Framework: The Challenges And Solutions for Analyzing Android
Bartel, Alexandre; Klein, Jacques UL; Monperrus, Martin et al

in IEEE Transactions on Software Engineering (TSE) (2014), 40(6), 617-632

A common security architecture is based on the protection of certain resources by permission checks (used e.g., in Android and Blackberry). It has some limitations, for instance, when applications are ... [more ▼]

A common security architecture is based on the protection of certain resources by permission checks (used e.g., in Android and Blackberry). It has some limitations, for instance, when applications are granted more permissions than they actually need, which facilitates all kinds of malicious usage (e.g., through code injection). The analysis of permission-based framework requires a precise mapping between API methods of the framework and the permissions they require. In this paper, we show that naive static analysis fails miserably when applied with off-the-shelf components on the Android framework. We then present an advanced class-hierarchy and field-sensitive set of analyses to extract this mapping. Those static analyses are capable of analyzing the Android framework. They use novel domain specific optimizations dedicated to Android. [less ▲]

Detailed reference viewed: 88 (5 UL)
Full Text
Peer Reviewed
See detailEmpirical Investigation of the Web Browser Attack Surface under Cross-Site Scripting: an Urgent Need for Systematic Security Regression Testing
Abgrall, Erwan UL; Le Traon, Yves UL; Gombault, Sylvain et al

in 7th IEEE International Conference on Software Testing, Verification and Validation (ICST)- Workshop SECTEST (2014)

One of the major threats against web applications is Cross-Site Scripting (XSS). The final target of XSS attacks is the client running a particular web browser. During this last decade, several competing ... [more ▼]

One of the major threats against web applications is Cross-Site Scripting (XSS). The final target of XSS attacks is the client running a particular web browser. During this last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have evolved to support new features. In this paper, we explore whether the evolution of web browsers is done using systematic security regression testing. Beginning with an analysis of their current exposure degree to XSS, we extend the empirical study to a decade of most popular web browser versions. We use XSS attack vectors as unit test cases and we propose a new method supported by a tool to address this XSS vector testing issue. The analysis on a decade releases of most popular web browsers including mobile ones shows an urgent need of XSS regression testing. We advocate the use of a shared security testing benchmark as a good practice and propose a first set of publicly available XSS vectors as a basis to ensure that security is not sacrificed when a new version is delivered. [less ▲]

Detailed reference viewed: 90 (1 UL)
Full Text
Peer Reviewed
See detailAutomatically Securing Permission-Based Software by Reducing the Attack Surface: An Application to Android
Bartel, Alexandre UL; Klein, Jacques UL; Monperrus, Martin et al

in IEEE/ACM International Conference on Automated Software Engineering (2012)

In the permission-based security model (used e.g. in An- droid and Blackberry), applications can be granted more permissions than they actually need, what we call a permission gap?. Malware can leverage ... [more ▼]

In the permission-based security model (used e.g. in An- droid and Blackberry), applications can be granted more permissions than they actually need, what we call a permission gap?. Malware can leverage the unused permissions for achieving their malicious goals, for instance using code injection. In this paper, we present an approach to detecting permission gaps using static analysis. Using our tool on a dataset of Android applications, we found out that a non negligible part of applications suffers from permission gaps, i.e. does not use all the permissions they declare. [less ▲]

Detailed reference viewed: 126 (5 UL)
Full Text
Peer Reviewed
See detailDexpler: Converting Android Dalvik Bytecode to Jimple for Static Analysis with Soot
Bartel, Alexandre UL; Klein, Jacques UL; Monperrus, Martin et al

in ACM SIGPLAN International Workshop on the State Of the Art in Java Program Analysis (SOAP 2012) (2012)

This paper introduces Dexpler, a software package which converts Dalvik bytecode to Jimple. Dexpler is built on top of Dedexer and Soot. As Jimple is Soot’s main internal rep- resentation of code, the ... [more ▼]

This paper introduces Dexpler, a software package which converts Dalvik bytecode to Jimple. Dexpler is built on top of Dedexer and Soot. As Jimple is Soot’s main internal rep- resentation of code, the Dalvik bytecode can be manipu- lated with any Jimple based tool, for instance for performing point-to or flow analysis. [less ▲]

Detailed reference viewed: 163 (11 UL)
Full Text
See detailImproving Privacy on Android Smartphones Through In-Vivo Bytecode Instrumentation
Bartel, Alexandre UL; Klein, Jacques UL; Monperrus, Martin et al

Report (2012)

In this paper we claim that a widely applicable and efficient means to fight against malicious mobile Android applications is: 1) to perform runtime monitoring 2) by instrumenting the application bytecode ... [more ▼]

In this paper we claim that a widely applicable and efficient means to fight against malicious mobile Android applications is: 1) to perform runtime monitoring 2) by instrumenting the application bytecode and 3) in-vivo, i.e. directly on the smartphone. We present a tool chain to do this and present experimental results showing that this tool chain can run on smartphones in a reasonable amount of time and with a realistic effort. Our findings also identify challenges to be addressed before running powerful runtime monitoring and instrumentations directly on smartphones. We implemented two use-cases leveraging the tool chain: FineGPolicy, a fine-grained user centric permission policy system and AdRemover an advertisement remover. Both prototypes improve the privacy of Android systems thanks to in-vivo bytecode instrumentation. [less ▲]

Detailed reference viewed: 240 (26 UL)
Full Text
See detailIn-Vivo Bytecode Instrumentation for Improving Privacy on Android Smartphones in Uncertain Environments
Bartel, Alexandre; Klein, Jacques UL; Monperrus, Martin et al

E-print/Working paper (2012)

In this paper we claim that an efficient and readily applicable means to improve privacy of Android applications is: 1) to perform runtime monitoring by instrumenting the application bytecode and 2) in ... [more ▼]

In this paper we claim that an efficient and readily applicable means to improve privacy of Android applications is: 1) to perform runtime monitoring by instrumenting the application bytecode and 2) in-vivo, i.e. directly on the smartphone. We present a tool chain to do this and present experimental results showing that this tool chain can run on smartphones in a reasonable amount of time and with a realistic effort. Our findings also identify challenges to be addressed before running powerful runtime monitoring and instrumentations directly on smartphones. We implemented two use-cases leveraging the tool chain: BetterPermissions, a fine-grained user centric permission policy system and AdRemover an advertisement remover. Both prototypes improve the privacy of Android systems thanks to in-vivo bytecode instrumentation. [less ▲]

Detailed reference viewed: 76 (18 UL)
Full Text
See detailAutomatically Securing Permission-Based Software by Reducing the Attack Surface: An Application to Android
Bartel, Alexandre UL; Klein, Jacques UL; Monperrus, Martin et al

in Automatically Securing Permission-Based Software by Reducing the Attack Surface: An Application to Android (Tech Report) (2011)

Android based devices are becoming widespread. As a result and since those devices contain personal and confidential data, the security model of the android software stack has been analyzed extensively ... [more ▼]

Android based devices are becoming widespread. As a result and since those devices contain personal and confidential data, the security model of the android software stack has been analyzed extensively. One key feature of the security model is that applications must declare a list of permissions they are using to access resources. Using static analysis, we first extracted a table from the Android API which maps methods to permissions. Then, we use this mapping within a tool we developed to check that applications effectively need all the permissions they declare. Using our tool on a set of android applications, we found out that a non negligible part of the applications do not use all the permissions they declare. Consequently, the attack surface of such applications can be reduced by removing the non-needed permissions. [less ▲]

Detailed reference viewed: 161 (5 UL)