
Overseas Trip Report (Format)

Project number (1):
Executing unit (2): College of Commerce
Traveller: 郁方
Dates of travel: 6 January 2014 (ROC year 103) to 13 January 2014, 8 days in total
Destination (3): Big Island, U.S.
Funding (4): Aim for the Top University Project and the National Science Council

Summary of report (200 to 300 words)

This report summarizes my feedback from attending the 47th Hawaii International Conference on System Sciences, 2014 (HICSS-47), hosted by the IEEE Computer Society and the University of Hawaii. HICSS is recognized as one of the top three conferences in information systems, and is also well recognized in computer science as one of the longest continuously running scientific conferences. The conference has ten research tracks, around one thousand attendees, and 535 accepted papers. This year, I had two papers accepted in the Software Technology track. Both were nominated for the best paper award, and one won the award (10 awards out of 535 papers). Several important themes of this year's research include new architectures for green energy, e-governance, and the application and security of cloud computing and big data.

Main text (5)

Objective

The objective of this trip is to give oral presentations of my recent work on web application security and cloud computing security. Web and cloud applications have become a crucial part of commerce, entertainment and social interaction, and they are rapidly replacing desktop applications. In the near future, they are expected to play critical roles in national infrastructures such as healthcare, national security, and the power grid. However, there is a large stumbling block to the ever-increasing reliance on web applications in almost every aspect of society: they are notorious for security vulnerabilities. The global accessibility of web applications makes this a very serious problem: malicious users anywhere in the world can exploit a vulnerable web application and cause serious damage. One important observation is that many severe web application vulnerabilities are caused by improper string manipulation. Programs that propagate and use malicious user input without sanitization, or with improper sanitization, are vulnerable to these well-known attacks.

Notes:

(1) If a unit has more than one trip case, the project number takes the form of the unit project number assigned by the Top University Project office plus "-XX" (a two-digit trip case serial number assigned by the unit). If there is only one case, the Top University Project unit number alone suffices (not to be filled in by the traveller).

(2) The executing unit is the unit corresponding to the Top University Project unit number (not to be filled in by the traveller).

(3) For the destination, give the university, institution or conference name in the country visited.

(4) Trip expense means the amount actually reimbursed, in dollars.

(5) There is no page limit, but the report must include "Objective", "Process", and "Reflections and Suggestions".

Process

In our first work, we present Patcher, a new online service that lets web application developers detect, patch and view vulnerabilities related to string manipulation in their web applications. In particular, the service incorporates novel string analysis techniques that not only check whether a web application is vulnerable to the types of attacks discussed above, but also generate the corresponding patches that ensure the application is free from malicious exploits of the identified vulnerabilities. Patcher is open to public users. Users can upload their code to check for potential vulnerabilities, and can insert the automatically generated patches to prevent malicious exploits of their programs. When deploying new web services, it is essential to build confidence in their security mechanisms. To the best of our knowledge, this is the first public online service that secures web applications using formal verification techniques.

This is joint work with my master's student.

The work was nominated for the best paper in the Enlightened Cyber Security mini-track, and also won the best paper award in the Software Technology track.

We had many discussions after the talk, covering issues such as how we patch vulnerabilities, how we guarantee correctness, and how to access the Patcher service. Two senior researchers even tried the service by uploading their own PHP applications, showing great interest in our work.
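The string-manipulation problem described under Objective, and the check-then-patch workflow that Patcher offers, illustrated with an added example that is not Patcher's own code or analysis (Patcher targets PHP and uses formal string analysis; this Python sketch uses a constructed regular-expression attack pattern and hand-written sanitizers). The sink, the payloads and the attack pattern are all constructed for the example:

```python
import html
import re

# Constructed attack pattern for a reflected-XSS sink: a <script> tag reaching
# the HTML output. Real string analyzers use richer patterns; this one is a
# simplification for the example.
ATTACK_PATTERN = re.compile(r"<\s*script\b", re.IGNORECASE)


def sanitize_weak(user_input: str) -> str:
    """Improper sanitization: removes "<script>" in a single left-to-right pass.
    Nesting the token defeats it, because the removal *creates* the forbidden
    string and the pass never looks at it again."""
    return user_input.replace("<script>", "")


def sanitize_weak_fixpoint(user_input: str) -> str:
    """Same blacklist, applied until nothing changes. Closes the nesting bypass,
    but is still a blacklist: "<SCRIPT>", "<script >" or event handlers pass."""
    prev, s = None, user_input
    while s != prev:
        prev, s = s, s.replace("<script>", "")
    return s


def sanitize_patch(user_input: str) -> str:
    """The kind of patch a string-analysis tool inserts at the sink: escape every
    HTML metacharacter so no tag can be formed from user data at all."""
    return html.escape(user_input, quote=True)


def render_greeting(name: str, sanitizer) -> str:
    """A trivial sink (constructed): user-controlled data concatenated into HTML."""
    return "<p>Hello, " + sanitizer(name) + "</p>"


def is_exploitable(sanitizer, payload: str) -> bool:
    """The "is this sink vulnerable?" question: does the attack pattern still
    match the output after the sanitizer has run on the input?"""
    return ATTACK_PATTERN.search(render_greeting(payload, sanitizer)) is not None


# Constructed payloads, one per weakness being probed.
PAYLOADS = [
    "<script>alert(1)</script>",          # naive payload
    "<scr<script>ipt>alert(1)</script>",  # nesting: single-pass removal rebuilds the tag
    "<SCRIPT>alert(1)</SCRIPT>",          # case variation: exact-match blacklist misses it
]


def evaluate(sanitizer) -> dict:
    """Map each payload to whether it still exploits the sink under `sanitizer`."""
    return {p: is_exploitable(sanitizer, p) for p in PAYLOADS}


if __name__ == "__main__":
    for s in (sanitize_weak, sanitize_weak_fixpoint, sanitize_patch):
        print(s.__name__, evaluate(s))
```

The single-pass blacklist stops the naive payload but lets the nested one through; the fixpoint variant closes that hole but still misses case variation. The escaping patch removes the metacharacters that any such pattern needs, which is why a tool that reasons about the whole set of strings reaching the sink can prove the patched sink safe instead of testing it against a list of payloads.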

Photo: The best paper award.

Our second work is on cloud computing security, which is also one of the main themes of this year's HICSS. As mentioned above, cloud computing has become one of the most dominant computation platforms. While system vendors and public users benefit from sharing resources in the cloud environment, security breaches, which can cause worse damage in a cloud ecosystem than on personal computers, could be one of the major obstacles on this evolutionary road. One successful exploit of a cloud host may lead to the compromise of all of its guest VMs. It is therefore essential to have effective and systematic mechanisms to enhance the security of cloud computing platforms. In this work, we propose VIS, a virtualization introspection system for KVM-based cloud platforms. The system can monitor both static and dynamic VM status, and replay and classify various attacks to determine which VMs are attacking the hypervisor and which VMs are attacking other VMs. Additionally, VIS can detect compromised VMs and perform termination and online migration.

We received some feedback on the limitations of VIS. In particular, VIS is limited to protection based on established rules; that is, to be useful it needs to collect more attack patterns. Additionally, the rules are derived by heuristics, have false positives and false negatives, and require more sophisticated analysis, such as system call sequences.
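The rule-based limitation raised in the feedback, shown with an added example that is not VIS code: a one-shot rule and two window-based rules run over a constructed hypervisor-side event trace. The event kinds, thresholds and VM names are assumptions made for the example, not VIS's actual rules or KVM output.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float      # seconds, as a hypervisor-side monitor would timestamp it
    vm: str        # guest that caused the event
    kind: str      # "hypercall_invalid" or "net_syn" (constructed event kinds)
    dst: str = ""  # for net_syn: target guest
    port: int = 0  # for net_syn: destination port


# Constructed trace (not real KVM output). vm-dev issues one invalid hypercall
# from a buggy driver; vm-evil hammers the hypervisor and then port-scans vm-db;
# vm-web makes one ordinary database connection.
EVENTS = (
    [Event(1.0, "vm-dev", "hypercall_invalid")]
    + [Event(10.0 + i * 0.01, "vm-evil", "hypercall_invalid") for i in range(20)]
    + [Event(12.0 + i * 0.05, "vm-evil", "net_syn", dst="vm-db", port=1000 + i) for i in range(16)]
    + [Event(13.0, "vm-web", "net_syn", dst="vm-db", port=3306)]
)


def rule_single_event(events):
    """One-shot rule: any invalid hypercall means the VM attacks the hypervisor.
    Cheap, but a single stray fault from a benign guest trips it."""
    verdicts = defaultdict(set)
    for e in events:
        if e.kind == "hypercall_invalid":
            verdicts[e.vm].add("attacks-hypervisor")
    return dict(verdicts)


def rule_burst(events, n=5, window=1.0):
    """Sequence-aware rule: n invalid hypercalls from one VM within `window`
    seconds. Isolated faults are ignored."""
    verdicts = defaultdict(set)
    recent = defaultdict(list)  # vm -> timestamps inside the sliding window
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind != "hypercall_invalid":
            continue
        times = recent[e.vm]
        times.append(e.ts)
        while times and e.ts - times[0] > window:
            times.pop(0)
        if len(times) >= n:
            verdicts[e.vm].add("attacks-hypervisor")
    return dict(verdicts)


def rule_scan(events, ports=10, window=2.0):
    """Guest-to-guest rule: SYNs to at least `ports` distinct ports of one other
    guest within `window` seconds is treated as a port scan of that guest."""
    verdicts = defaultdict(set)
    recent = defaultdict(list)  # (src, dst) -> [(ts, port)] inside the window
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind != "net_syn":
            continue
        hist = recent[(e.vm, e.dst)]
        hist.append((e.ts, e.port))
        while hist and e.ts - hist[0][0] > window:
            hist.pop(0)
        if len({p for _, p in hist}) >= ports:
            verdicts[e.vm].add("attacks-vm:" + e.dst)
    return dict(verdicts)


def classify(events):
    """Combine the window-based rules; returns {vm: set(labels)} for flagged guests."""
    merged = defaultdict(set)
    for rule in (rule_burst, rule_scan):
        for vm, labels in rule(events).items():
            merged[vm] |= labels
    return dict(merged)


if __name__ == "__main__":
    print("single-event:", rule_single_event(EVENTS))
    print("windowed:    ", classify(EVENTS))
```

rule_single_event flags vm-dev for one stray invalid hypercall, the kind of false positive the feedback warns about; the windowed rules flag only vm-evil, once for the hypercall burst and once for the scan of vm-db. The thresholds are still heuristics: an attacker who spreads events beyond the window is the corresponding false negative, which is why the feedback asks for richer analysis such as system call sequences rather than counts.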

Below are some photos of the events. According to the registration record, the officer mentioned that this year's HICSS had more than nine hundred attendees. The reception was a cozy night next to the lagoon of the Hilton. We had the chance to discuss our research with Dr. Panadero from Politecnica, Madrid. We also met Prof. Raymond Choo from the University of South Australia, who works on security forensics. He has several ongoing projects jointly with the Department of Justice in Taiwan. Prof. Yue-Zhe Chuang from National Taiwan University and Prof. Chi-Chao Cha from National Taiwan University of Science and Technology are interested in proposing a joint research project connecting Taiwan and Australia.

The keynote lecture was given by Prof. Chertoff, who addressed the issue of enterprise cyber security. He pointed out that "security should be viewed as a business enabler." As a researcher working on security, I will be very happy to see this trend come true in the future, with business managers paying much more attention to security management and techniques than they used to.

The conference ended with the awards ceremony on Thursday afternoon. I was excited to have two papers nominated for the best paper, though at that time I had no idea that a newbie would have a chance to win the final best paper award. Checking the award history, the previous award winner from Taiwan was Prof. Chi-Ping Wei and his students at HICSS 33, fourteen years ago. Regarding the best paper award, there are ten tracks in total at HICSS. Each track has its own field specialty and recognizes one best paper award. That is to say, fewer than 2% of accepted papers (10 out of 535) can win a best paper award. This year, Prof. Hsin-Hui Lin and his student from National Sun Yat-sen University won the best paper in the Electronic Marketing track, and my student and I won the best paper in the Software Technology track. It is a nice record and memory for faculty from Taiwan. I am proud to be part of it.

Reflections and Suggestions

With around a thousand attendees from around the world, HICSS provides a great chance to promote one's research to international scholars. Though this was my first time attending HICSS, I was told long ago that HICSS is an important conference in the field of information systems. As a junior faculty member in an MIS department with a computer science background, I find that the Software Technology track at HICSS fits my research field nicely. Furthermore, the friendly atmosphere, the constructive feedback, and the fact that the committees and reviewers in the information systems field appreciate our work will surely encourage our ongoing study.

As for suggestions on research, my feeling is that cloud computing has become the dominant platform, and that its security and applications for analyzing big data will remain critical research issues worth investigating for a while.

Related documents