References of "Tan, Hee Beng Kuan"
     in
Bookmark and Share    
Full Text
Peer Reviewed
See detailMining Patterns of Unsatisfiable Constraints to Detect Infeasible Paths
DING, SUN; TAN, HEE BENG KUAN; Shar, Lwin Khin UL

in Automation of Software Test (AST 2015) (2015, May)

Detection of infeasible paths is required in many areas including test coverage analysis, test case generation, security vulnerability analysis, etc. Existing approaches typically use static analysis ... [more ▼]

Detection of infeasible paths is required in many areas including test coverage analysis, test case generation, security vulnerability analysis, etc. Existing approaches typically use static analysis coupled with symbolic evaluation, heuristics, or path-pattern analysis. This paper is related to these approaches but with a different objective. It is to analyze code of real systems to build patterns of unsatisfiable constraints in infeasible paths. The resulting patterns can be used to detect infeasible paths without the use of constraint solver and evaluation of function calls involved, thus improving scalability. The patterns can be built gradually. Evaluation of the proposed approach shows promising results. [less ▲]

Detailed reference viewed: 78 (5 UL)
Full Text
Peer Reviewed
See detailWeb Application Vulnerability Prediction using Hybrid Program Analysis and Machine Learning
Shar, Lwin Khin UL; Briand, Lionel UL; Tan, Hee Beng Kuan

in IEEE Transactions on Dependable and Secure Computing (2015), 12(6), 688-707

Due to limited time and resources, web software engineers need support in identifying vulnerable code. A practical approach to predicting vulnerable code would enable them to prioritize security auditing ... [more ▼]

Due to limited time and resources, web software engineers need support in identifying vulnerable code. A practical approach to predicting vulnerable code would enable them to prioritize security auditing efforts. In this paper, we propose using a set of hybrid (static+dynamic) code attributes that characterize input validation and input sanitization code patterns and are expected to be significant indicators of web application vulnerabilities. Because static and dynamic program analyses complement each other, both techniques are used to extract the proposed attributes in an accurate and scalable way. Current vulnerability prediction techniques rely on the availability of data labeled with vulnerability information for training. For many real world applications, past vulnerability data is often not available or at least not complete. Hence, to address both situations where labeled past data is fully available or not, we apply both supervised and semi-supervised learning when building vulnerability predictors based on hybrid code attributes. Given that semi-supervised learning is entirely unexplored in this domain, we describe how to use this learning scheme effectively for vulnerability prediction. We performed empirical case studies on seven open source projects where we built and evaluated supervised and semi-supervised models. When cross validated with fully available labeled data, the supervised models achieve an average of 77% recall and 5% probability of false alarm for predicting SQL injection, cross site scripting, remote code execution and file inclusion vulnerabilities. With a low amount of labeled data, when compared to the supervised model, the semi- supervised model showed an average improvement of 24% higher recall and 3% lower probability of false alarm, thus suggesting semi-supervised learning may be a preferable solution for many real world applications where vulnerability data is missing. [less ▲]

Detailed reference viewed: 422 (29 UL)
Full Text
Peer Reviewed
See detailEmpirical Comparison of Intermediate Representations for Android Applications
Arnatovich, Yauhen Leanidavich; Tan, Hee Beng Kuan; Shar, Lwin Khin UL

in 26th International Conference on Software Engineering and Knowledge Engineering (2014, July 03)

In Android-based mobile computing, since the original Java source code is irretrievable from Dalvik bytecode, intermediate representations (IRs) were developed to represent Dalvik bytecode in readable ... [more ▼]

In Android-based mobile computing, since the original Java source code is irretrievable from Dalvik bytecode, intermediate representations (IRs) were developed to represent Dalvik bytecode in readable form. To date, SMALI, JASMIN, and JIMPLE are all used as Android application IRs by mobile developers, testers and researchers. Here, we compare these three IRs via randomized event-based testing (Monkey testing) to determine that which most accurately preserves the original program behaviors in terms of the number of successfully injected events. As such program behaviors are critical to mobile security, the choice of IR is crucial during software security testing. In our experiment, we developed an event-based comparative scheme, and conducted a comprehensive empirical study. Statistical comparison of the three IRs’ program behaviors shows that SMALI behaves closest to the original applications and hence is the most suitable for software security testing as the most accurate alternative to the original Java source code (which is usually not publicly available). [less ▲]

Detailed reference viewed: 84 (14 UL)
Peer Reviewed
See detailPredicting SQL injection and cross site scripting vulnerabilities through mining input sanitization patterns
Shar, Lwin Khin UL; Tan, Hee Beng Kuan

in Information and Software Technology (2013)

Detailed reference viewed: 63 (1 UL)
Full Text
Peer Reviewed
See detailDefeating SQL Injection
Shar, Lwin Khin UL; Tan, Hee Beng Kuan

in IEEE Computer (2013), 46(3), 69-77

The best strategy for combating SQL injection, which has emerged as the most widespread website security risk, calls for integrating defensive coding practices with both vulnerability detection and ... [more ▼]

The best strategy for combating SQL injection, which has emerged as the most widespread website security risk, calls for integrating defensive coding practices with both vulnerability detection and runtime attack prevention methods. [less ▲]

Detailed reference viewed: 97 (3 UL)
Full Text
Peer Reviewed
See detailDefending against Cross-Site Scripting Attacks
Shar, Lwin Khin UL; Tan, Hee Beng Kuan

in IEEE Computer (2012), 45(3), 55-62

Researchers have proposed multiple solutions to cross-site scripting, but vulnerabilities continue to exist in many Web applications due to developers’ lack of understanding of the problem and their ... [more ▼]

Researchers have proposed multiple solutions to cross-site scripting, but vulnerabilities continue to exist in many Web applications due to developers’ lack of understanding of the problem and their unfamiliar- ity with current defenses’ strengths and limitations. [less ▲]

Detailed reference viewed: 65 (2 UL)
Full Text
Peer Reviewed
See detailAutomated removal of cross site scripting vulnerabilities in web applications
Shar, Lwin Khin UL; Tan, Hee Beng Kuan

in Information \& Software Technology (2012), 54(5), 467-478

Cross site scripting (XSS) vulnerability is among the top web application vulnerabilities according to recent surveys. This vulnerability occurs when a web application uses inputs received from users in ... [more ▼]

Cross site scripting (XSS) vulnerability is among the top web application vulnerabilities according to recent surveys. This vulnerability occurs when a web application uses inputs received from users in web pages without properly checking them. This allows an attacker to inject malicious scripts in web pages via such inputs such that the scripts perform malicious actions when a client visits the exploited web pages. Such an attack may cause serious security violations such as account hijacking and cookie theft. Current approaches to mitigate this problem mainly focus on effective detection of XSS vulnerabilities in the programs or prevention of real time XSS attacks. As more sophisticated attack vectors are being discovered, vulnerabilities if not removed could be exploited anytime. To address this issue, this paper presents an approach for removing XSS vulnerabilities in web applications. Based on static analysis and pattern matching techniques, our approach identifies potential XSS vulnerabilities in program source code and secures them with appropriate escaping mechanisms which prevent input values from causing any script execution. We developed a tool, saferXSS, to implement the proposed approach. Using the tool, we evaluated the applicability and effectiveness of the proposed approach based on the experiments on five Java-based web applications. Our evaluation has shown that the tool can be applied to real-world web applications and it automatically removed all the real XSS vulnerabilities in the test subjects. [less ▲]

Detailed reference viewed: 98 (2 UL)
Peer Reviewed
See detailAuditing the XSS defence features implemented in web application programs
Shar, Lwin Khin UL; Tan, Hee Beng Kuan

in IET Software (2012), 6(4), 377-390

Detailed reference viewed: 29 (0 UL)
Full Text
Peer Reviewed
See detailSemi-Automated Verification of Defense against SQL Injection in Web Applications
Liu, Kaiping; Tan, Hee Beng Kuan; Shar, Lwin Khin UL

in APSEC (2012)

Recent reports reveal that majority of the attacks to Web applications are input manipulation attacks. Among these attacks, SQL injection attack – malicious input is submitted to manipulate the database ... [more ▼]

Recent reports reveal that majority of the attacks to Web applications are input manipulation attacks. Among these attacks, SQL injection attack – malicious input is submitted to manipulate the database in a way that was unintended by the applications' developers – is one such attack. This paper proposes an approach for assisting to code verification process on the defense against SQL injection. The approach extracts all such defenses implemented in code. With the use of the proposed approach, developers, testers or auditors can then check the defenses extracted from code to verify their adequacy. We have evaluated the feasibility, effectiveness, and usefulness of the proposed approach by a set of open-source systems. Our experiment results showed that the proposed approach is effective in extracting all the possible defenses implemented/adopted by Web applications. We observed that the proposed approach would be useful in identifying the false positive cases resulting from other related approaches and auditing the code in order to fix the actual vulnerable cases. [less ▲]

Detailed reference viewed: 64 (8 UL)