Speakers

Title: Memory Safety and the Case for Modular VM Development

Abstract: The development of Lisp and the first garbage collection algorithms go back to the late 1950's and John MacCarthy's quest to develop AI.  Programming languages and memory management are at the very foundation of large companies like Google, and underpin the AI revolution. Performant, safe languages are therefore a high priority. Memory-safe languages are not thus merely a popular choice. For many software developers, the alternative is economically untenable given the stakes associated with successful attacks and the cost of mitigating critical exploits in an unsafe language through testing, verification and defensive programming.   Unfortunately, while memory management has become more important, it remains a major source of overhead for even the most highly optimized runtimes. In this talk I’ll take a broad look at memory performance and the engineering of high performance garbage collectors. I’ll discuss why a modular approach to memory management will be important to the future of programming language implementation.

Bio: Steve Blackburn is a research scientist at Google DeepMind and a Professor at the ANU. His research interests include programming language implementation, computer architecture, software engineering and performance analysis. Steve leads the MMTk and DaCapo projects. He is a passionate educator and a Fellow of the ACM.

Title: Low-code and Model-Driven Software Engineering

Abstract: Model-driven engineering is a software engineering aiming at using models of software in order to produce, document, verify, and/or optimize the artifacts of a software development process. In this talk, we will present the foundations, methods, and tools aiming at reducing the amount of code that must be written by software developers, by leveraging the principles of model-driven engineering. We will also discuss the strength and weaknesses of these approaches, using practical examples to illustrate them.

Bio: Étienne Borde is a Senior Lecturer within the department of Computer Science and Software Engineering at the University of Canterbury, New Zealand, since April 2023. Etienne received his PhD from Telecom Paris – Institut Poltechnique de Paris (Paris, France). Prior to joining the University of Canterbury, Etienne has been a “Maître de Conférences” (Lecturer/Senior Lecturer) at Telecom Paris – Institut Polytechnique de Paris (Paris, France), an invited researcher at the Software Engineering Institute (Pittsburgh, USA) and an invited professor at the Nanyang Technological Institute (Singapore). Etienne’s research focuses on the development of methods and tools for software engineering in (real-time) critical application, such as applications from the transportation domain. Model-driven engineering, real-time scheduling, model-checking, and discrete optimization are the types of techniques Etienne has studied, combined, or contributed to in his research work.

Title: The Limitations of Software Composition Analysis  

Abstract: Modern software is largely composed from existing components, a practice facilitated by automated build tools and software repositories.  From the security point of view, this has created new challenges as vulnerabilities are inherited from those components. The use of vulnerable and outdated components is now in the OWASP Top-10 list. 

Software Composition Analysis (SCA) aims to address this challenge by reasoning about the propagation of known vulnerabilities through dependencies between software packages.   Numerous analyses are readily available – they tend to scale well and are well-integrated into the tools and workflows used by developers (GitHub, various IDEs, docker, etc). 

Like most non-trivial program analyses, SCA must balance precision, recall and complexity (scalability). I will talk about some of those issues in general, and then more specifically about our work to improve the recall of SCA. This work has led to updates to vulnerability databases (GHSA)  for several vulnerabilities, including the infamous CVE-2021-44228 (aka log4shell). 

I will also briefly discuss ongoing work and research opportunities in the field of software supply chain security. 

Bio: Jens Dietrich is an Associate Professor in the School of Engineering and Computer Science at Victoria University of Wellington in Wellington, New Zealand. He has a Master in Mathematics and a PhD in Computer Science from the University of Leipzig. After graduating in 1996, Jens has worked in consulting in Germany, Namibia, Switzerland and the UK, before returning to academia in 2003, first at Massey University and since 2018 at Victoria University. His research interests are in the areas of software componentry, evolution, testing, static analysis and vulnerability detection.

Title: Demystifying the Evolution of IoT Malware

Abstract: Malware, short for malicious software, is arguably one of the most significant threats to computer systems. In recent years, malware attacks against Internet of Things (IoT) networks have become increasingly prevalent due to the vulnerabilities inherent in IoT devices, such as weak passwords, outdated software and firmware, and lack of end-to-end encryption. A network of compromised IoT devices that have been infected with malware, often known as an IoT botnet, can be manipulated to carry out various cyberattacks, such as distributed denial-of-service (DDoS) attacks. This talk will introduce the concept of botnet attacks and their propagation cycle and discuss the evolution of tactics and techniques employed in malware targeting IoT devices. 

Bio: Mengmeng Ge is a Senior Lecturer of Cyber Security at University of Canterbury. She completed her PhD degree at University of Canterbury in 2018. Since 2019, she joined Deakin University and worked as a Lecturer in Cyber and Networking for 2 years. She then joined RMIT University in 2021 and worked as a Lecturer in Cybersecurity for over a year. Her research mainly focuses on model-based cybersecurity analysis, security modelling for the Internet of Things, deep learning-based intrusion detection, and emerging proactive defences (e.g., moving target defence, cyber deception). She also has considerable industry experience in security risk management, vulnerability assessment, and security analytics. 

Title: How to Talk to Strange Programs and Find Bugs

Abstract: For effective testing of programs with complex structured inputs, the input specification or the input grammar is practically mandatory.  Given an input grammar, we can use it to produce inputs that reach program internals and induce interesting behaviours. We can also use such grammars for quickly generating inputs, for characterizing program behaviours, for repair of inputs, as well as for quick input validation. However, many programs that require complex structured inputs come with a precise input grammar. Even when such a grammar is available, the grammar could be incomplete, obsolete, or incorrect. Hence, one of the long-standing questions in software engineering is the inference of such grammars. That is, given a parser, how do we /invert/ such parsers, and get the input specification back? This talk will focus on how to extract such grammars from parsers themselves, and what can we do with such grammars.

Bio: Rahul Gopinath is a lecturer at the University of Sydney, where he works in the broad fields of Software Engineering and Cybersecurity. He was previously a postdoctoral scholar at CISPA Helmholtz Center for Information Security in Germany. His focus is on inferring program input specifications and behavioral oracles under whitebox and blackbox conditions, which can then be leveraged for fuzzing.

Title: Personalized Guidelines for Design, Implementation, and Evaluation of Anti-phishing Interventions

Abstract: Current anti-phishing interventions, which typically involve one-size-fits-all solutions, suffer from limitations such as inadequate usability and poor implementation. Human-centric challenges in anti-phishing technologies remain little understood. Research shows a deficiency in the comprehension of end-user preferences, mental states, and cognitive requirements by developers and practitioners involved in the design, implementation, and evaluation of anti-phishing interventions. This research addresses the current lack of resources and guidelines for the design, implementation and evaluation of anti-phishing interventions, by presenting personalised guidelines to the developers and practitioners. Through an analysis of 53 academic studies and 16 items of grey literature studies, we systematically identified the challenges and recommendations within the anti-phishing interventions, across different practitioner groups and intervention types. Results: We identified 22 dominant factors at the individual, technical, and organisational levels, that affected the effectiveness of anti-phishing interventions and, accordingly, reported 41 guidelines based on the suggestions and recommendations provided in the studies to improve the outcome of anti-phishing interventions. Our dominant factors can help developers and practitioners enhance their understanding of human-centric, technical and organisational issues in anti-phishing interventions. Our customised guidelines can empower developers and practitioners to counteract phishing attacks.

Bio: Sherif Haggag is the Director of Teaching Ops, PG course advisor and A Professor in the School of Computer Science at the University of Adelaide. He has worked at various universities, such as Deakin University, where he achieved his PhD. His research areas of interest include Human-Centred Software Engineering, Cybersecurity, Understanding Human-Centric issues and designing apps with adaptive user interfaces, Human factors and social engineering in Cybersecurity and the persistence of the Privacy Paradox and cybersecurity behaviour. Dr Sherif strongly believes that software engineering is designed to solve human problems and support humans in different aspects, such as health, education, transport, manufacturing, etc. However, current software engineering techniques do not pay attention to other humans/end users who use the same system.

Title: Understanding Agile Software Development – Insights from Empirical Analysis of the Swiss Agile Studies

Abstract: Agile Development has become the de-facto standard in software development nowadays. It was in many ways so successful that it is now even expanding to domains outside of IT. However, companies and organisations are still struggling with it’s proper application and the transformation to it. This is very often because the impact on workstyle and culture are not clear; many improvement are coming late; or because the correct practices are not at all, or not correctly, applied. In my talk, I will present insights that we gained through our empirical studies in Switzerland about satisfaction, leadership, practices and improvements and the influence of experience when working in an agile way.

Bio: Martin Kropp is a Professor of Software Engineering in the Institute of Mobile and Distributed Systems at the University of Applied Sciences and Arts Northwestern Switzerland.  His main interests ar everything that helps to make software development more efficient, including build automation, testing, refactoring and software development methodologies. His current research interest is in agile methodologies and tools supporting agile teams in their daily work and their collaboration. He is a co-founder and organizer of the Swiss Agile Research Network and co-author of the bi-annual Swiss Agile Study. 

Title: Making memory unsafety hard: Rust's unsafe keyword as a case study in software robustness

Abstract: This talk discusses the concept of memory safety and some of the approaches that the software engineering community has established to address it. The Rust programming language is unique in its class, systems programming languages, for being able to provide memory safety without runtime overhead. The compiler tags all values with a logical lifetime for which references can be proven to be valid. However, many programs require access to the outside world. References provided by the operating system via syscalls or via other libraries via linking are two examples. For those cases, Rust offers the unsafe keyword. The bulk of the talk will be a discussion of some preliminary findings from research investigating the use of unsafe throughout the open source ecosystem, a corpus of over 120k packages.

Bio: Tim McNamara is one of the world's leading Rust educators and runs a consultancy in the language called accelerant.dev. Previously the global head of Rust language education at AWS, he is the lead content creator for the official Rust training program offered by the Rust Foundation, author of the world-renowned textbook Rust in Action, and host of a popular YouTube channel offering tutorials in the language. He has held positions within the New Zealand eScience Infrastructure (NeSI), Canonical, AWS, and a number of data science consultancies. He holds a Masters in Public Policy from Victoria University of Wellington.

Title: The Pivotal Role of Software Engineering and DevOps in Responsible AI

Abstract: Responsible AI stands as a beacon in the research landscape, tasked with mitigating risks ranging from existential controversies to ethical transgressions in AI applications. The path to realizing Responsible AI is fraught with challenges, despite the existence of extensive ethical frameworks and advancements in algorithmic accountability. Concurrently, Software Engineering (SE) is undergoing a profound transformation, spurred by AI advancements, and is struggling to maintain system quality and coherence amid the complexities of AI models and auto-generated code. This paradigm shift has given rise to new challenges and opportunities for engineering AI systems responsibly. This talk will dissect SE's contributions to efforts in pioneering Responsible AI through SE and DevOps research. We will scrutinize industry challenges, such as compartmentalized risk management and the misalignment between ethical principles and algorithmic functions, along with the emergence of unforeseen behaviors. We posit that SE and DevOps are crucial in guiding Responsible AI, necessitating a fundamental reorientation—from building systems with specified functions to harnessing and orchestrating emergent capabilities within AI systems.

Bio: Liming Zhu is a Research Director at CSIRO’s Data61 and a conjoint full professor at the University of New South Wales (UNSW). He is the chairperson of Standards Australia’s blockchain committee and contributes to the AI trustworthiness committee. He is a member of the OECD.AI expert group on AI Risks and Accountability, as well as a member of the Responsible AI at Scale think tank at Australia’s National AI Centre. His research program innovates in the areas of AI/ML systems, responsible/ethical AI, software engineering, blockchain, regulation technology, quantum software, privacy and cybersecurity. He has published over 300 papers on software architecture, blockchain, governance and responsible AI. He delivered the keynote “Software Engineering as the Linchpin of Responsible AI” at the International Conference on Software Engineering (ICSE) 2023. His two upcoming books “Responsible AI: Best Practices for Creating Trustworthy AI Systems” and  “Engineering AI Systems: DevOps and Architecture Approaches”, will be published by Addison Wesley in 2024.