Software Security @ Illinois Automated Software Engineering Group

Mobile Security and Privacy

  • Wei Yang, Xusheng Xiao, Benjamin Andow, Sihan Li, Tao Xie, and William Enck. AppContext: Differentiating Malicious and Benign Mobile App Behavior Under Contexts. In Proceedings of the 37th International Conference on Software Engineering (ICSE 2015), Florence, Italy, May 2015. [PDF][BibTeX]
  • Wei Yang, Xusheng Xiao, Rahul Pandita, William Enck and Tao Xie. Improving Mobile Application Security via Bridging User Expectations and Application Behaviors. In Proceedings of Symposium and Bootcamp on the Science of Security (HotSoS 2014), Poster, Raleigh, NC, April 2014. [PDF][BibTeX]
  • Rahul Pandita, Xusheng Xiao, Wei Yang, William Enck, and Tao Xie. WHYPER: Towards Automating Risk Assessment of Mobile Applications. In Proceedings of the 22nd USENIX Security Symposium (USENIX Security 2013), Washington DC, August 2013. [PDF][BibTeX]
  • Xusheng Xiao, Nikolai Tillmann, Manuel Fahndrich, Jonathan de Halleux, Michal Moskal. User-Aware Privacy Control via Extended Static-Information-Flow Analysis. In Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering 2012 (ASE 2012), Essen, Germany, September 2012. [PDF][BibTeX]

Text Analytics for Security and Privacy

  • John Slankas, Xusheng Xiao, Laurie Williams, and Tao Xie. Relation Extraction for Inferring Access Control Rules from Natural Language Artifacts. In Proceedings of 30th Annual Computer Security Applications Conference (ACSAC 2014), New Orleans, Louisiana, December 2014. [PDF][BibTeX]
  • Rahul Pandita, Xusheng Xiao, Wei Yang, William Enck, and Tao Xie. WHYPER: Towards Automating Risk Assessment of Mobile Applications. In Proceedings of the 22nd USENIX Security Symposium (USENIX Security 2013), Washington DC, August 2013. [PDF][BibTeX]
  • Xusheng Xiao, Amit Paradkar, Suresh Thummalapenta, and Tao Xie. Automated Extraction of Security Policies from Natural-Language Software Documents. In Proceedings of the 20th ACM SIGSOFT Symposium on the Foundations of Software Engineering (FSE 2012), Research Triangle Park, NC, November 2012. [PDF][BibTeX]
  • Michael Gegick, Pete Rotella, and Tao Xie. Identifying Security Bug Reports via Text Mining: An Industrial Case Study. In Proceedings of the 7th Working Conference on Mining Software Repositories (MSR 2010), Cape Town, South Africa, pp. 11-20, May 2010. [PDF][BibTeX]

Attack-Script Analysis

  • Ruowen Wang, Peng Ning, Tao Xie, and Quan Chen. MetaSymploit: Day-One Defense Against Script-based Attacks with Security-Enhanced Symbolic Analysis. In Proceedings of the 22nd USENIX Security Symposium (USENIX Security 2013), Washington DC, August 2013. [PDF][BibTeX]

Code-Vulnerability Detection and Fixing

  • Yingnong Dang, Dongmei Zhang, Song Ge, Chengyun Chu, Yingjun Qiu, and Tao Xie. XIAO: Tuning Code Clones at Hands of Engineers in Practice. In Proceedings of 28th Annual Computer Security Applications Conference (ACSAC 2012), Orlando, Florida, December 2012. [PDF][BibTeX]
  • Nuo Li, Tao Xie, Maozhong Jin, and Chao Liu. Perturbation-based User-Input-Validation Testing of Web Applications. Journal of Systems and Software. Volume 83, Issue 11, pages 2263-2274, November 2010. [BibTeX]
  • Kunal Taneja, Nuo Li, Madhuri Marri, Tao Xie, and Nikolai Tillmann. MiTV: Multiple-Implementation Testing of User-Input Validators for Web Applications. In Proceedings of the 25th IEEE/ACM International Conference on Automated Software Engineering (ASE 2010), Short Paper, Antwerp, Belgium, pages 131-134, September 2010. [PDF][BibTeX]
  • Stephen Thomas, Laurie Williams, and Tao Xie. On Automated Prepared Statement Generation to Remove SQL Injection Vulnerabilities. Information and Software Technology, Volume 51, Issue 3, pages 589-598, March 2009. [PDF][BibTeX]
  • Yonghee Shin, Laurie Williams, and Tao Xie. SQLUnitGen: SQL Injection Testing Using Static and Dynamic Analysis. In Supplemental Proceedings of the 17th IEEE International Conference on Software Reliability Engineering (ISSRE 2006), Student Program, Raleigh, NC, November 2006. [PDF][BibTeX]
  • A longer version appeared as an NCSU CSC Technical Report

Testing, Verification, and Debugging of Security Policies (Access Control Policies and Firewall Policies)

  • More Publications are here.
  • Overview:
    • JeeHyun Hwang, Evan Martin, Tao Xie, and Vincent C. Hu. Policy-Based Testing. Encyclopedia of Software Engineering, 1:1, 673-683, 01 November 2010. [PDF][BibTeX]
    • JeeHyun Hwang, Tao Xie, Vincent Hu, and Mine Altunay. ACPT: A Tool for Modeling and Verifying Access Control Policies. In Proceedings of the IEEE International Symposium on Policies for Distributed Systems and Networks (POLICY 2010), System Demo, George Mason University, USA, pages 40-43, July 2010. [PDF][BibTeX]
  • Alex X. Liu, Fei Chen, JeeHyun Hwang, and Tao Xie. XEngine: A Fast and Scalable XACML Policy Evaluation Engine. In Proceedings of the International Conference on Measurement and Modeling of Computer Systems (SIGMETRICS 2008), Annapolis, Maryland, pp. 265-276, June 2008. [PDF][BibTeX]
  • Evan Martin, JeeHyun Hwang, Tao Xie, and Vincent Hu. Assessing Quality of Policy Properties in Verification of Access Control Policies. In Proceedings of 24th Annual Computer Security Applications Conference (ACSAC 2008), Anaheim, California, pp. 163-172, December 2008. [PDF][BibTeX]
  • Evan Martin and Tao Xie. A Fault Model and Mutation Testing of Access Control Policies. In Proceedings of the 16th International Conference on World Wide Web (WWW 2007), Security, Privacy, Reliability, and Ethics Track, Banff, Alberta, Canada, pp. 667-676, May 2007. [PDF][Slides][BibTeX]
  • Evan Martin and Tao Xie. Inferring Access-Control Policy Properties via Machine Learning. In Proceedings of the 7th IEEE Workshop on Policies for Distributed Systems and Networks (POLICY 2006), London, Ontario Canada, pp. 235-238, June 2006. [PDF][BibTeX]
  • Fei Chen, Alex X. Liu, JeeHyun Hwang, and Tao Xie. First Step Towards Automatic Correction of Firewall Policy Faults. ACM Transactions on Autonomous and Adaptive Systems (TAAS), 2012. [PDF][BibTeX]
  • JeeHyun Hwang, Tao Xie, Fei Chen, and Alex X. Liu. Systematic Structural Testing of Firewall Policies. IEEE Transactions on Network and Service Management. Volume 9, Issue 1, pages 1-11, 2012. [PDF][BibTeX]
  • Alex X. Liu, Fei Chen, JeeHyun Hwang, and Tao Xie. Designing Fast and Scalable XACML Policy Evaluation Engines. IEEE Transactions on Computers. Volume 60, Issue 12, pages 1802-1817, December 2011. [PDF][BibTeX]