CHAPTER 6 CONCLUSION

6.2 Ongoing Work

One of our ongoing projects is to open the web service to the public. We are currently scaling up the backend so that it can analyze more complicated web applications. The analyzer will be deployed on a cloud server for load balancing and to raise the service level. By analyzing complicated web applications we can collect more data and improve the representation of front-end applications. We also plan to extract more analysis data from back-end servers; with more data we can show users more aspects of the relations between the files of the target applications. The service could be further enhanced by integrating more visualization tools, such as a dashboard with bar charts, so that users can choose their preferred view. Finally, we plan to enhance the graphical visualization with Unity. One direction is to integrate 3D visualization to present complicated flow graphs with their conditions and to display more information in the visualization tool; the layout algorithm will also be improved to represent more complicated dependency graphs. The current version of our system represents a single bee comb, but there is still much room to improve the visualization. We will try to represent multiple bee combs in the 3D environment so that users can switch the viewing angle to examine different web applications. More abstraction levels will also be representable in the visualization, giving users more perspectives from which to examine the vulnerabilities. To meet users' demands and improve our tool, we need to collect feedback from users in different positions in the enterprise. Our goal is to integrate several techniques and transform them into a user-oriented solution that people can use to solve hard problems.
