On the 8th of March at 16h00, Gonçalo Carvalho and José Pereira will each give a short presentation, to promote discussion on two relevant ongoing or disruptive topics. Afterwards, there will be a social gathering where everyone can talk freely about whatever subjects they like.
Location: G4.1
Gonçalo Carvalho – “From the ER+ conceptual model to its logical model”
Bio
Gonçalo Carvalho has a background in Geography and after a change of field is currently doing his Ph.D. research in Data models for multi-layer systems. His major research interests are in the areas of databases, distributed systems, edge computing, cyber-physical systems, and green computing.
Abstract
Distributed databases and data transformation mechanisms are remarkably relevant for Business Intelligence and Data Analytics. The Entity-Relationship (ER) model is fundamental for modeling complex enterprise systems, but it has shortcomings. ER+ tackled the representation of multiple database locations and conceptually expressed data transportation and data transformation operations, such as aggregate and line functions, which are standard in data analytics. The new ER+ concepts need a logical representation, which we will introduce in this talk.
José Pereira – “On the Use of Deep Graph CNN to Detect Vulnerable C Functions and Function Prioritization Techniques”
Bio
José D’Abruzzo Pereira is a Ph.D. student in Informatics Engineering at the University of Coimbra (UC) and a member of the Software and System Engineering (SSE) group at CISUC. His research interests include security and vulnerability detection, static code analysis, software project management, software quality, and self-adaptive systems. He received an MSc in Information Technology and Software Engineering from the University of Coimbra and Carnegie Mellon University and a BSc in Computer Science from the State University of Campinas – Brazil (Unicamp). He is also acting as a professor in the Specialization in Software Engineering at the State University of Campinas – Brazil (Unicamp) and as an Invited Assistant Professor at the University of Coimbra.
Abstract
Software vulnerabilities are a problem in most software systems. If left unchecked, they can be exploited by malicious third parties to compromise the system, which can have hazardous consequences. Over the years, several techniques have been proposed to tackle the problem of automatically detecting vulnerabilities. However, despite these efforts, they usually issue many false alarms, which creates a large overhead for the development team that has to analyze them. In this work, we study the viability of using a static technique (developed initially to classify classes of malware) to detect vulnerable C functions. This technique uses the Control Flow Graph (CFG) of each function, features related to the structure of the graph, and the code sequence. Unlike the malware classification problem, we also extract memory management-related features. A Deep Graph Convolutional Neural Network (DGCNN) processes all of the features. For this, we use vulnerable and non-vulnerable functions from the open-source Linux kernel project. Results show that a high recall can be obtained with this approach, at the cost of low precision. Currently, a new prioritization mechanism is under development, which uses Quality Models (QMs) to rank the functions. In addition, a classification by security experts will help validate the prioritization mechanism.
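To make the feature-extraction and prioritization idea in the abstract concrete, the following Python sketch is an added example written for this page; it is not the authors' tool and does not use a DGCNN. It extracts, from the text of a C function, a structural proxy for the CFG (cyclomatic complexity, which equals E - N + 2 of the function's CFG for structured code), the token sequence, and a set of memory management-related counts (allocation, free and copy calls, fixed-size stack buffers, allocations never checked against NULL). A hand-weighted score then stands in for the ranking step; the feature definitions, the weights, the threshold and the three sample functions are all constructed for the example. It also shows the recall/precision trade-off the abstract mentions: at a low threshold every vulnerable function is flagged, but a harmless one is flagged too.

```python
"""Illustrative feature extraction and ranking for C functions.

Everything here (feature set, weights, sample functions) is constructed for
this example and is not the approach or data described in the talk.
"""
import re
from typing import Dict, List, Tuple

# Assumed feature vocabulary: allocation, free and overflow-prone copy routines.
ALLOC_CALLS = {"malloc", "calloc", "realloc", "kmalloc", "kzalloc", "vmalloc"}
FREE_CALLS = {"free", "kfree", "vfree"}
COPY_CALLS = {"strcpy", "strcat", "sprintf", "gets", "memcpy"}
DECISION_TOKENS = {"if", "for", "while", "case", "&&", "||", "?"}
KEYWORDS = {"if", "for", "while", "switch", "return", "sizeof", "do", "else"}

TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|&&|\|\||[^\s\w]")
FIXED_BUF_RE = re.compile(r"\bchar\s+\w+\s*\[\s*\d+\s*\]")
ALLOC_ASSIGN_RE = re.compile(
    r"(\w+)\s*=\s*(?:\([^)]*\)\s*)?(?:" + "|".join(sorted(ALLOC_CALLS)) + r")\s*\(")


def strip_comments(src: str) -> str:
    src = re.sub(r"/\*.*?\*/", " ", src, flags=re.S)
    return re.sub(r"//[^\n]*", " ", src)


def tokenize_c(src: str) -> List[str]:
    """Crude C tokenizer: identifiers, integers, && and ||, single punctuation."""
    return TOKEN_RE.findall(strip_comments(src))


def call_names(tokens: List[str]) -> List[str]:
    """Identifiers directly followed by '(' that are not C keywords."""
    return [t for i, t in enumerate(tokens[:-1])
            if tokens[i + 1] == "(" and re.match(r"[A-Za-z_]", t) and t not in KEYWORDS]


def unchecked_allocations(src: str) -> int:
    """Allocations whose result is never tested against NULL in the function."""
    src = strip_comments(src)
    count = 0
    for var in ALLOC_ASSIGN_RE.findall(src):
        v = re.escape(var)
        checked = re.search(
            rf"!\s*{v}\b|\b{v}\s*(?:==|!=)\s*NULL|NULL\s*(?:==|!=)\s*{v}\b|if\s*\(\s*{v}\s*\)",
            src)
        if not checked:
            count += 1
    return count


def extract_features(src: str) -> Dict[str, int]:
    tokens = tokenize_c(src)
    calls = call_names(tokens)
    decisions = sum(1 for t in tokens if t in DECISION_TOKENS)
    return {
        "n_tokens": len(tokens),
        "cyclomatic": decisions + 1,  # E - N + 2 of the CFG for structured code
        "alloc_calls": sum(1 for c in calls if c in ALLOC_CALLS),
        "free_calls": sum(1 for c in calls if c in FREE_CALLS),
        "copy_calls": sum(1 for c in calls if c in COPY_CALLS),
        "fixed_buffers": len(FIXED_BUF_RE.findall(strip_comments(src))),
        "unchecked_allocs": unchecked_allocations(src),
    }


def risk_score(f: Dict[str, int]) -> int:
    """Hand-weighted stand-in for the ranking step; the weights are arbitrary."""
    return (3 * f["unchecked_allocs"] + 2 * f["fixed_buffers"]
            + f["copy_calls"] + max(f["alloc_calls"] - f["free_calls"], 0))


def rank_functions(funcs: Dict[str, str]) -> List[Tuple[str, int]]:
    scored = [(name, risk_score(extract_features(src))) for name, src in funcs.items()]
    return sorted(scored, key=lambda x: -x[1])


def flag_functions(funcs: Dict[str, str], threshold: int) -> List[str]:
    return [name for name, s in rank_functions(funcs) if s >= threshold]


def precision_recall(flagged: List[str], truly_vulnerable: List[str]) -> Tuple[float, float]:
    p, a = set(flagged), set(truly_vulnerable)
    tp = len(p & a)
    return (tp / len(p) if p else 0.0, tp / len(a) if a else 0.0)


# Constructed sample functions (not taken from any real code base).
SAMPLE_FUNCTIONS = {
    "copy_name": """
static int copy_name(const char *name)
{
    char buf[16];
    char *tmp = (char *)malloc(64);
    strcpy(buf, name);      /* no bounds check */
    memcpy(tmp, buf, 64);   /* tmp never checked, never freed */
    return 0;
}
""",
    "copy_name_safe": """
static int copy_name_safe(const char *name, size_t len)
{
    char *tmp;
    if (len > 64)
        return -EINVAL;
    tmp = kmalloc(len, GFP_KERNEL);
    if (!tmp)
        return -ENOMEM;
    memcpy(tmp, name, len);
    kfree(tmp);
    return 0;
}
""",
    "log_event": """
static void log_event(const char *msg)
{
    char line[128];
    if (strlen(msg) >= sizeof(line))
        return;
    strcpy(line, msg);
    printk("%s\\n", line);
}
""",
}

if __name__ == "__main__":
    for name, score in rank_functions(SAMPLE_FUNCTIONS):
        print(f"{score:2d}  {name}  {extract_features(SAMPLE_FUNCTIONS[name])}")
    flagged = flag_functions(SAMPLE_FUNCTIONS, threshold=3)
    print("flagged:", flagged, "precision/recall:", precision_recall(flagged, ["copy_name"]))
```

With a threshold of 3 both `copy_name` and `log_event` are flagged (recall 1.0, precision 0.5), which is the shape of result the abstract reports; the ranking still puts the genuinely vulnerable function first, which is what a prioritization step is meant to buy the analyst.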