[Review] Detecting Missed Security Operations Through Differential Checking of Object-based Similar Paths

Problem: Missing a security operation, such as a bound check.

Traditional method: cross-checking, which locates potential bugs by collecting a large number of similar code snippets and comparing their patterns.

The paper proposes a new approach to locating bugs that does not need a large number of cases. Instead, only two code snippets are required. Specifically, object-based similar-path pairs are constructed.

[Review] HEALER: Relation Learning Guided Kernel Fuzzing

The paper proposes a new technique called relation learning to help infer the relations between system calls when fuzzing the kernel.

Relation learning is achieved by constructing a relation graph, which is a two-dimensional graph with each cell representing the dependencies between two system calls.

The relation graph is built through static and dynamic learning. Static learning will infer the dependencies by analyzing the parameters and the return value of each system call. Dynamic learning will determine the dependencies by analyzing the generated minimized system call sequences.

[Review] Python Crypto Misuses in the Wild

The paper conducts a study of Python crypto API misuses. It implements a tool called LICMA to detect crypto API misuses in Python.

Several conclusions:

  1. 52.26% of the Python projects using crypto APIs contain at least one potential misuse.
  2. Only 14.81% of the projects directly contain a misuse of a crypto API. The rest are introduced through third-party code.
  3. Most Python applications are more secure than C or Java ones, and the distribution across the concrete types of misuse differs a lot.

[Review] Prompt Programming for Large Language Models: Beyond the Few-Shot Paradigm

The paper discusses prompt engineering, focusing mainly on GPT-3. It compiles some prompt engineering approaches.

Background:

The recent rise of massive self-supervised language models such as GPT-3 has raised interest in prompt engineering. For such models, 0-shot prompts may significantly outperform few-shot prompts, so the importance of prompt engineering is again being promoted.

Some facts:

  • 0-shot may outperform few-shot: instead of treating examples as a categorical guide, it is inferred that their semantic meaning is relevant to the task.
  • GPT-3 resembles not a single human author but a superposition of authors.