FuSE 2013
Future of Software Engineering symposium

Abstract: What can software engineering learn from gaming? What can gaming learn from software engineering? Can the hard problems of software engineering be converted into games that can be crowdsourced and solved by ordinary players? What are the broader implications for the research community?

I don't have the answers to these questions. However, this talk presents one perspective. I aim to inspire researchers to apply new ideas and techniques to a variety of tasks in software engineering, gaming, and beyond.

Bio: Michael D. Ernst is an Associate Professor in the Computer Science & Engineering department at the University of Washington.

Ernst's research aims to make software more reliable, more secure, and easier (and more fun!) to produce. His primary technical interests are in software engineering and related areas, including programming languages, type theory, security, program analysis, bug prediction, testing, and verification. Ernst's research combines strong theoretical foundations with realistic experimentation, with an eye to changing the way that software developers work.

Dr. Ernst was previously a tenured professor at MIT, and before that a researcher at Microsoft Research.

More information is available at his homepage.

Abstract: Cyber systems must inspire trust and confidence, comply with applicable security and other policies, predictably protect the integrity of data and resources as well as the privacy of data owners, and perform reliably and safely. For this predictability, scientific principles must underlie the design, analysis and operation of these systems because adversaries present ever-changing threats. Solving today's security problems with targeted "engineering" solutions will not help us outsmart the adversaries. The determination to attack hard security problems through the advancement of science drives an emphasis on being explicit regarding the scoping of problems, on hypothesis formation, on data gathering, and on analysis of that data. In this talk, we will explore how software engineering research, in general, has become more empirical, scientific, and substantiated through sound, scientific research methods, and what needs to happen for a similar advancement in the science of software security.

Bio: Laurie Williams is a Professor of Computer Science at North Carolina State University (NCSU). Laurie has taught software engineering, software testing, software reliability, and software security at NCSU since 2000. Laurie's software security research includes security metrics, authentication/logging, access control, software security engineering, and security testing. Laurie is a co-director of the NCSU Science of Security Lablet funded by the US National Security Agency. She is the Senior Research Director of the Institute of Next Generation Systems (ITnG). Laurie was named an ACM Distinguished Scientist in 2011. Laurie has a PhD in Computer Science from the University of Utah, an MBA from Duke University, and a BS in Industrial Engineering from Lehigh University. Laurie worked at IBM for nine years before returning to academia.

Abstract: Programming languages, like their "natural" counterparts, are rich, powerful and expressive. But while skilled writers like Zadie Smith, Aravind Adiga, and Salman Rushdie delight us with their elegant, creative deployment of the power and beauty of English, most of what us regular mortals say and write everyday is Very Repetitive and Highly Predictable.

This predictability, as most of us have learned by now, is at the heart of the modern statistical revolution in speech recognition, natural language translation, question-answering, etc. We will argue that in fact, despite the power and expressiveness of programming languages, most <<Software>> in fact is <<also>> quite repetitive and predictable, and can be fruitfully modeled using the same types of statistical models used in natural language processing. We present some practical applications of this rather unexpected finding, and present a research vision arguing that this phenomenon is potentially rich in both scientific questions, and engineering promise.

This is an international effort is currently funded by the U.S NSF and the UK EPSRC. Active collaborators include Zhendong Su at UC Davis, Roni Rosenfeld and William Cohen of CMU, Earl Barr and Mark Harmon of University College, London, Mark Gabel of UT Dallas, and Charles Sutton of the University of Edinburgh. There's lots to do, and we welcome more collaborators.

Bio: Prem Devanbu is Professor of Computer Science at UC Davis. His research interest is mainly in exploiting Good Data to help Software Engineers live better, longer, happier, more meaningful lives.

Abstract: Have you ever been at a gathering and someone asks you what you do for a living? Often, explaining that you do software engineering research ends the discussion pretty quickly. Other times, I have had people engage and suggest that it will all be passe in a few years when computers program computers. In this talk, I'll provide one person's perspective on why humans are critical for building great software and how we need to do a much better job as a software engineering community in taking advantage of the incredible resource on the other side of the screens.

Abstract: Society is becoming increasingly dependent upon human-intensive systems, namely systems that involve complex interaction and cooperation among software applications, hardware devices, and human participants. In such systems, humans typically participate as experts, often making important decisions based upon the information provided by the software and hardware components. This specialization of roles requires new and innovative approaches to modeling, analyzing, and executing such systems. This talk will describe some of those concerns, including modeling approaches that support human-desired flexibility and complex exception management, analysis approaches that focus on the fallibility of human participants, and execution support to help reduce human errors.

Abstract: The growing demand for ever more complex and sophisticated applications outpaces our understanding of how to build, modify, or configure them to meet the basic behavioral goals of reliability, performance, and security. We envision a new approach to engineering software systems wherein we treat an application as a large family of automatically generated variants. These variants derive from such things as mutations to the code base, alternative configuration settings, and changes to thread scheduling policies. The variants are then deployed for live use and executed in parallel in such a way that the cumulative effect of their behavior probabilistically exhibits higher reliability, performance, and security than either the original application or any individual variant. We refer to our approach as "multiplicity computing", owing to the large and potentially diverse family of variants, each competing with the other to see which one best achieves the behavioral goals.

This talk reviews some of the challenges in multiplicity computing, including: (1) finding sources of variation and formulating techniques to automatically generate variants from those sources; (2) designing a run-time infrastructure for managing and coordinating the simultaneous execution of multiple variants; (3) providing an execution platform that manages the resources required for this execution; (4) developing a framework for conducting rigorous live experiments with variants; and (5) deriving general-purpose architectural principles and design methods to support the technique.

Abstract: A new analysis paradigm, blended program analysis combines a dynamic representation of program calling structure with a static analysis applied to a region of that calling structure. Traditionally, compilers have used static analysis to enable semantics-preserving program transformations. Blended analysis supports tool-building to aid software developers improve the security of their applications and enhance program understanding.

We have built a framework for blended analysis of JavaScript codes from popular websites from alexa.com. We will show results of a blended taint analysis to demonstrate how it deals with the dynamic features of JavaScript, including eval and variadic functions. Our results show that blended taint analysis discovered 13 unique violations in 6 of the 12 websites analyzed. In contrast, each 'strawman' static analysis identified less than ½ of these violations. Moreover, new results show the effectiveness of a second blended analysis in a reference analysis of JavaScript website codes, enabling developers to more accurately trace object usage.

*This research was performed with my PhD student Shiyi Wei and has been funded by the IBM Open Collaboration Research program and NSF-CCF 0811518.

Abstract: Semantics-based software assurance has been a focus for both practitioners and researchers for at least a half century. For much of that period, the ambitions of both sides were frustrated by challenges related to scaling, composition, and usability. More recent experience has demonstrated that these challenges are not insurmountable, and that advanced techniques for modeling, analysis, and traceability — when supported by capable tools, process realism, and clear thinking regarding adoption incentives — can make a significant difference. Indeed, recent technical and practical developments have brought researchers and practitioners closer together, and the pace of advancement does appear to be increasing. In this talk, I discuss some ideas related to incremental evidence-based approaches. These approaches focus on integrating the production of assurance-related evidence with the production of software-related artifacts such as models, code, test cases, etc. These approaches complement and augment current assessment methods which tend to emphasize process compliance.