Tiramisu

OVERVIEW

  • In this project we explore techniques beyond those in the Program Analysis domain to find bugs and vulnerabilities, as well as ways of preventing such bugs and vulnerabilities from occurring in the first place, through Secure Languages.

    Tiramisu – Secure languages

    Today’s languages do not support our developers in writing code that is secure against the most common types of vulnerabilities, such as buffer errors, injection attacks, and information leaks. We are exploring secure language concepts and secure abstractions that can be applied in future languages to prevent these vulnerabilities.

    Key challenge

    The secure language concepts we are exploring need to extend across the boundaries between the different languages used in cloud applications, as well as into the databases used by such applications.

    How we meet that challenge

    Why not introduce secure language concepts into a multi-lingual, database-backed, memory-safe runtime, while at the same time improving compiler information flow tracking? We are starting to work on an enhanced compiler and runtime to support security abstractions under these runtime conditions, while keeping track of interoperability across the multiple languages.

    Tiramisu – Fuzzing techniques

    Recently, lightweight fuzzers that do not use any program analysis have been shown to be effective in finding vulnerabilities in programs written in languages such as C/C++. However, these techniques are not tailored for JavaScript programs, which are highly event driven and expect well-structured and complex inputs.

    Why do we need to fuzz JS applications?

    Static analysis of JavaScript programs is known to have limitations when scalability is a concern. Dynamic analysis techniques are more suitable for this language. However, the coverage of dynamic analysis is dependent on the inputs provided to execute the program.

    We are exploring various fuzzing techniques to generate inputs for JavaScript programs to find security vulnerabilities. In particular, we are interested in program analysis techniques that improve random fuzzers to have better coverage while maintaining their scalability.

    To find out more, contact Cristina Cifuentes.

RESEARCH ASSISTANTS

  • May - Dec 2017: Xingzhong Du, The University of Queensland
  • Sep 2017 - Jan 2018: Aaron Craig, Victoria University of Wellington, NZ

VISITING STAFF

  • Dec 2016 - Feb 2017: Chris Gage, Summer Intern, Queensland University of Technology
  • Feb - Nov 2016: Timothy Chappell, Visiting Postdoc, Queensland University of Technology