Security

In the field of information security, the group concentrates on source-code-related artifacts and on natural language texts in order to address security-related problems.

As the JavaScript language is highly dynamic and dynamically typed, precise security analysis can realistically only be achieved by combining static and dynamic program analysis techniques. As a basic data structure for security analysis, we are designing a hybrid call graph that is assembled from static analysis and from dynamic execution traces produced by running the programs' unit tests. We plan to create a unified call graph data structure of enhanced precision based on these two analyses.
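The following is an added illustration of the idea described above, not the group's own tool or code. It assumes a small constructed sample program whose functions call each other through a `program` object, a deliberately simple text-scanning "static" pass (standing in for a real AST-based analysis), and in-place instrumentation that records caller/callee pairs while the sample's unit tests run. The two edge sets are then merged and each edge is labelled by its provenance, which is what makes an edge such as an indirect call (dynamic-only) or an unexercised error path (static-only) visible to a later vulnerability-detection pass.

```javascript
// Added example: a minimal hybrid call graph for JavaScript, assembled from a
// static source scan plus dynamic traces captured while unit tests run.
// The program, its tests, the scanner and the tracer are all constructed here.

// Factory so each analysis run gets a fresh, un-instrumented program object.
function makeProgram() {
  const program = {
    sanitize(s) { return String(s).replace(/[<>]/g, ''); },
    render(s) { return '<p>' + s + '</p>'; },
    reportError(e) { return 'error: ' + e.message; },
    handleRequest(input, opts) {
      try {
        const clean = opts.raw ? input : program.sanitize(input);
        return program.render(clean);
      } catch (e) {
        return program.reportError(e); // only reached when something throws
      }
    },
    // Indirect call through a parameter: invisible to the simple static scan.
    dispatch(handler, input) { return handler(input, {}); },
  };
  return program;
}

// Static pass: scan each function's own source text for `program.<name>(` calls.
// A real analysis would walk an AST; the regex stands in for that here.
function staticEdges(prog) {
  const edges = new Set();
  const callRe = /\bprogram\.([A-Za-z_$][\w$]*)\s*\(/g;
  for (const [name, fn] of Object.entries(prog)) {
    for (const m of fn.toString().matchAll(callRe)) {
      if (m[1] in prog) edges.add(`${name}->${m[1]}`);
    }
  }
  return edges;
}

// Dynamic pass: replace every function in place with a wrapper that records
// the (caller -> callee) edge using an explicit call stack.
function instrument(prog) {
  const edges = new Set();
  const stack = [];
  for (const [name, fn] of Object.entries(prog)) {
    prog[name] = function (...args) {
      const caller = stack[stack.length - 1];
      if (caller !== undefined) edges.add(`${caller}->${name}`);
      stack.push(name);
      try { return fn.apply(this, args); } finally { stack.pop(); }
    };
  }
  return edges;
}

// Constructed "unit tests" for the sample program; they drive the dynamic trace.
// Note that no test makes handleRequest throw, so the error path is never run.
function runUnitTests(prog) {
  const results = [
    prog.handleRequest('<b>hi</b>', {}) === '<p>bhi/b</p>',
    prog.dispatch(prog.handleRequest, 'x') === '<p>x</p>',
  ];
  return results.every(Boolean);
}

// Merge: union of both edge sets, each labelled with where it was observed.
function buildHybridCallGraph(factory) {
  const prog = factory();
  const stat = staticEdges(prog);   // must run before instrumentation
  const dyn = instrument(prog);
  runUnitTests(prog);
  const graph = {};
  for (const e of new Set([...stat, ...dyn])) {
    graph[e] = stat.has(e) ? (dyn.has(e) ? 'both' : 'static-only') : 'dynamic-only';
  }
  return graph;
}

console.log(buildHybridCallGraph(makeProgram));
```

The resulting graph contains `handleRequest->sanitize` and `handleRequest->render` as `both`, `handleRequest->reportError` as `static-only` (present in the code, never exercised by the tests) and `dispatch->handleRequest` as `dynamic-only` (an indirect call the text scan cannot see). A detection algorithm built on this graph can treat the two single-source edge kinds differently, e.g. weighting dynamic-only edges as confirmed reachable and static-only edges as candidates for additional test coverage.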

Using this hybrid, precise call graph, we are implementing various vulnerability detection algorithms that will be able to capture typical security vulnerabilities (e.g. those listed in the OWASP Top 10). The detection algorithms will be based on various statistical and machine learning methods. We also plan to provide additional intelligent algorithms for filtering results to minimize false-positive hits.

People

László Vidács (contact), Péter Hegedűs, Gergő Balogh, László Tóth

Projects

Vulnerability analysis of JavaScript programs
Predicting vulnerable components using machine learning models.

Automated tagging of security requirements
Security requirements form an important part of the non-functional requirements. Extracting and tagging security-related requirements is a crucial task in requirements engineering. Often these requirements are given as part of another expectation expressed in natural language. The aim of the project is to develop a tool for tagging security-related sentences, thereby supporting the identification of security-related issues in the early phases of development.

Static and dynamic analysis of JavaScript programs
Analysis and comparison of static and dynamic call graphs and call chains.

Bug database for JavaScript
Bug dataset with manually selected and cleaned JavaScript bugs in server side open source projects.

Selected publications