Android intent. https://stackoverflow.com/questions/6578051/what-is-an-intent-in-android. (Accessed on 01/22/2018).
Android intent (android developer guide). https://developer.android.com/guide/components/intents-filters.html. (Accessed on 01/22/2018).
Atlas queries documentation. http://www.ensoftcorp.com/atlas_docs/javadoc/2.x/index.html?com/ensoftcorp/atlas/core/query/Q.html. (Accessed on 01/22/2018).
Atlas wiki. http://ensoftatlas.com/wiki/Main_Page. (Accessed on 01/22/2018).
Automated program analysis for cybersecurity (apac). http://www.defenseinnovationmarketplace.mil/resources/DARPA%202011%208%203%20APAC%20Industry%20Day.pdf. (Accessed on 01/22/2018).
Bap – a binary analysis platform. https://www.grammatech.com/products/codesonar. (Accessed on 04/02/2018).
Bitblaze. http://bitblaze.cs.berkeley.edu. (Accessed on 04/02/2018).
Blueborne cyber threat impacts amazon echo and google home. https://www.armis.com/blueborne-cyber-threat-impacts-amazon-echo-google-home/. (Accessed on 01/22/2018).
Codesonar. https://www.grammatech.com/products/codesonar. (Accessed on 04/02/2018).
Coverity static analysis, static application security testing. https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html?utm_source=google&utm_medium=paid%20search&utm_term=coverity&utm_campaign=G_S_Coverity_Exact&cmp=ps-SIG-G_S_Coverity_Exact&gclid=EAIaIQobChMIhe3pqvXr2AIVV7bACh1fEgaQEAAYASAAEgL8K_D_BwE. (Accessed on 01/22/2018).
Cve – common vulnerabilities and exposures (cve). https://cve.mitre.org/. (Accessed on 01/22/2018).
Cvss v3.0 specification document. https://www.first.org/cvss/specification-document. (Accessed on 01/22/2018).
Ddos attack that disrupted internet was largest of its kind in history, experts say — technology — the guardian. https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet. (Accessed on 01/22/2018).
Department of defense – directive number 3020.40. http://policy.defense.gov/Portals/11/Documents/hdasa/newsletters/302040p.pdf. (Accessed on 01/22/2018).
Ensoft corp. http://www.ensoftcorp.com. (Accessed on 01/22/2018).
Extensible common software graph. http://ensoftatlas.com/wiki/Extensible_Common_Software_Graph. (Accessed on 01/22/2018).
Fermat conjecture. https://en.wikipedia.org/wiki/Fermat%27s_Last_Theorem. (Accessed on 01/22/2018).
Grackle. https://grackle.galois.com. (Accessed on 04/02/2018).
Hp fortify. http://www.ndm.net/sast/hp-fortify. (Accessed on 01/22/2018).
Klee llvm execution engine. http://klee.github.io/. (Accessed on 04/02/2018).
Modbus. http://www.modbus.org. (Accessed on 01/22/2018).
Modbus penetration testing framework. https://github.com/enddo/smod. (Accessed on 01/22/2018).
Morris worm – wikipedia. https://en.wikipedia.org/wiki/Morris_worm. (Accessed on 01/22/2018).
National vulnerability database. https://nvd.nist.gov/. (Accessed on 01/22/2018).
Open ssl developer confesses to causing heartbleed bug — daily mail online. http://www.dailymail.co.uk/sciencetech/article-2602277/Heartbleed-accident-Developer-confesses-coding-error-admits-effect-clearly-severe.html#ixzz546wC2cbw. (Accessed on 01/22/2018).
Sandvines packetlogic devoices used to deploy government spyware in turkey and redirect egyptian users to affiiliate ads. https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/. (Accessed on 04/02/2018).
Slam. https://www.microsoft.com/en-us/research/project/slam/. (Accessed on 04/02/2018).
Soot. https://github.com/Sable/soot. (Accessed on 04/02/2018).
Space/time analysis for cybersecurity (stac). https://www.darpa.mil/program/space-time-analysis-for-cybersecurity. (Accessed on 01/22/2018).
Splint (programming tool) – wikipedia. https://en.wikipedia.org/wiki/Splint_(programming_tool). (Accessed on 01/22/2018).
Stuxnet – wikipedia. https://en.wikipedia.org/wiki/Stuxnet. (Accessed on 01/22/2018).
Sy110: Phases of a cyber attack / cyber recon. https://www.usna.edu/CyberDept/sy110/lec/cyberRecon/lec.html. (Accessed on 01/22/2018).
Telecommunications equipment – wikipedia. https://en.wikipedia.org/wiki/Telecommunications_equipment. (Accessed on 01/22/2018).
Wala. http://wala.sourceforge.net/wiki/index.php/Main_Page. (Accessed on 04/02/2018).
Wannacry ransomware attack. https://arstechnica.com/information-technology/2017/05/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide/. (Accessed on 01/22/2018).
Final report on the august 14, 2003 blackout in the united states and canada: Causes and recommendations. https://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/BlackoutFinal-Web.pdf, April 2004. (Accessed on 01/22/2018).
2009 cyberspace policy review — homeland security. https://www.dhs.gov/sites/default/files/publications/Cyberspace_Policy_Review_final_0.pdf, 2009. (Accessed on 01/22/2018).
Defense contractors northrop grumman, l-3 communications hit by cyber-attack. https://www.cioinsight.com/c/a/Latest-News/Defense-Contractors-Northrop-Grummond-L3-Communications-Hit-by-CyberAttack-106322, June 2011. (Accessed on 01/22/2018).
National cyber security divisions control systems security program (cssp). https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/DHS_Common_Cybersecurity_Vulnerabilities_ICS_2010.pdf, May 2011. (Accessed on 01/22/2018).
Investigative report on the u.s. national security issues posed by chinese telecommunications companies huawei and zte. https://intelligence.house.gov/sites/intelligence.house.gov/files/documents/huawei-zte%20investigative%20report%20(final).pdf, October 2012. (Accessed on 01/22/2018).
Darpa-baa-13-11: Vetting commodity it software and firmware (vet), updated. https://govtribe.com/project/darpa-baa-13-11-vetting-commodity-it-software-and-firmware-vet, Februrary 2013. (Accessed on 01/22/2018).
Industroyer: Biggest threat to industrial control systems since stuxnet. https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/, June 2017. (Accessed on 01/22/2018).
National initiative for cybersecurity education (nice) cybersecurity workforce framework. https://csrc.nist.gov/csrc/media/publications/sp/800-181/archive/2016-11-02/documents/sp800_181_draft.pdf, August 2017. (Accessed on 01/22/2018).
Threat modeling cheat sheet – owasp. https://www.owasp.org/index.php/Threat_Modeling_Cheat_Sheet, December 2017. (Accessed on 01/22/2018).
RTCA (Firm). SC 167. Software considerations in Airborne Systems and equipment certification. RTCA, Incorporated, 1992.
Alfred V Aho, Ravi Sethi, and Jeffrey D Ullman. Compilers: principles, techniques, and tools, volume 2. Addison-wesley Reading, 2007.
Jafar M. Al-Kofahi, Suresh Kothari, and Christian Kästner. Four languages and lots of macros: Analyzing autotools build systems. In Proceedings of the 16th ACM SIGPLAN International Conference on Generative Programming: Concepts and Experiences, GPCE 2017, pages 176–186. ACM, 2017.
Keith Alexander. Keynote – 2011 cyber & space symposium. https://www.youtube.com/watch?v=jaaU5nGDh68, November 2011. (Accessed on 01/22/2018).
Payas Awadhutkar, Ganesh Ram Santhanam, Benjamin Holland, and Suresh Kothari. Intelligence amplifying loop characterizations for detecting algorithmic complexity vulnerabilities. In The 24th Asia-Pacific Software Engineering Conference (APSEC 2017), 2017.
Roberto Baldoni, Emilio Coppa, Daniele Cono D’Elia, Camil Demetrescu, and Irene Finocchi. A survey of symbolic execution techniques. CoRR, abs/1610.00502, 2016.
Dirk Beyer. Status report on software verification. In TACAS, volume 8413, pages 373–388, 2014.
Dirk Beyer, Thomas A Henzinger, Ranjit Jhala, and Rupak Majumdar. The software model checker blast. International Journal on Software Tools for Technology Transfer, 9(5–6):505–525, 2007.
Dirk Beyer and Alexander K. Petrenko. Linux driver verification. In Tiziana Margaria and Bernhard Steffen, editors, Leveraging Applications of Formal Methods, Verification and Validation. Applications and Case Studies, pages 1–6, Berlin, Heidelberg, 2012. Springer Berlin Heidelberg.
Wayne Boyer and Miles McQueen. Ideal based cyber security technical metrics for control systems. In International Workshop on Critical Information Infrastructures Security, pages 246–260. Springer, 2007.
Frederick P. Brooks, Jr. The computer scientist as toolsmith ii. Commun. ACM, 39(3):61–68, March 1996.
David Brumley, Cody Hartwig, Zhenkai Liang, James Newsome, Dawn Song, and Heng Yin. Automatically identifying trigger-based behavior in malware. Botnet Detection, pages 65–88, 2008.
David Brumley, Ivan Jager, Thanassis Avgerinos, and Edward J Schwartz. Bap: A binary analysis platform. In International Conference on Computer Aided Verification, pages 463–469. Springer, 2011.
Eric Byres and Justin Lowe. The myths and facts behind cyber security risks for industrial control systems. In Proceedings of the VDE Kongress, volume 116, pages 213–218, 2004.
C. Canal and A. Idani. Software Engineering and Formal Methods: SEFM 2014 Collocated Workshops: HOFM, SAFOME, OpenCert, MoKMaSD, WS-FMDS, Grenoble, France, September 1–2, 2014, Revised Selected Papers. Lecture Notes in Computer Science. Springer International Publishing, 2015.
Anton Cherepanov. Win32/industroyer a new threat for industrial control systems. https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf, June 2017. (Accessed on 01/22/2018).
Alonzo Church. A note on the entscheidungsproblem. The journal of symbolic logic, 1(1):40–41, 1936.
Edmund M. Clarke, E Allen Emerson, and A Prasad Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems (TOPLAS), 8(2):244–263, 1986.
Edmund M Clarke, William Klieber, Miloš Nováček, and Paolo Zuliani. Model checking and the state explosion problem. In Tools for Practical Software Verification, pages 1–30. Springer, 2012.
Darren Cofer. Model checking: cleared for take off. Model Checking Software, pages 76–87, 2010.
Zachary A Collier, Mahesh Panwar, Alexander A Ganin, Alexander Kott, and Igor Linkov. Security metrics in industrial control systems. In Cyber-security of SCADA and Other Industrial Control Systems, pages 167–185. Springer, 2016.
Douglas Comer. Operating system design: the Xinu approach, Linksys version. CRC Press, 2011.
Lucian Constantin. Flame authors order infected computers to remove all traces of the malware – cio. https://www.cio.com.au/article/427005/flame_authors_order_infected_computers_remove_all_traces_malware/, June 2012. (Accessed on 01/22/2018).
Scott Crosby. Denial of service through regular expressions. Usenix Security work in progress report, 2003.
John D’Arcy and Gwen Greene. Security culture and the employment relationship as drivers of employees security compliance. Information Management & Computer Security, 22(5):474–489, 2014.
Richard A De Millo, Richard J Lipton, and Alan J Perlis. Social processes and proofs of theorems and programs. Communications of the ACM, 22(5):271–280, 1979.
Tom Deering, Suresh Kothari, Jeremias Sauceda, and Jon Mathews. Atlas: a new way to explore software, build analysis tools. In Companion Proceedings of the 36th International Conference on Software Engineering, pages 588–591. ACM, 2014.
Tom Deering, Ganesh Ram Santhanam, and Suresh Kothari. Flowminer: Automatic summarization of library data-flow for malware analysis. In International Conference on Information Systems Security, pages 171–191. Springer, 2015.
RA DeMillo, RJ Lipton, and AJ PerHls. Social processes and proofs of programs and theorems. In Proc. Fourth ACM Symposium on Principles of Program-ming Languages, pages 206–214, 1979.
Jens Dietrich, Kamil Jezek, Shawn Rasheed, Amjed Tahir, and Alex Potanin. Evil pickles: Dos attacks based on object-graph engineering (artifact). In DARTS-Dagstuhl Artifacts Series, volume 3. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik, 2017.
Isil Dillig, Thomas Dillig, and Alex Aiken. Sound, complete and scalable path-sensitive analysis. In ACM SIGPLAN Notices, volume 43, pages 270–280. ACM, 2008.
Paul Ducklin. Anatomy of a goto fail apples ssl bug explained, plus an unofficial patch for os x! naked security. https://nakedsecurity.sophos.com/2014/02/24/anatomy-of-a-goto-fail-apples-ssl-bug-explained-plus-an-unofficial-patch/, February 2014. (Accessed on 01/22/2018).
Nick Feamster and Hari Balakrishnan. Detecting bgp configuration faults with static analysis. In Proceedings of the 2Nd Conference on Symposium on Networked Systems Design & Implementation – Volume 2, NSDI’05, pages 43–56. USENIX Association, 2005.
Kathleen Fisher. High assurance cyber military systems (hacms). http://www.cyber.umd.edu/sites/default/files/documents/symposium/fisher-HACMS-MD.pdf, May 2013. (Accessed on 01/22/2018).
National Institute for Standards and Technology (NIST). Nist guide to industrial control systems security. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf, May 2015. (Accessed on 01/22/2018).
Malay Ganai and Aarti Gupta. SAT-based scalable formal verification solutions. Springer, 2007.
Michael R Garey and David S Johnson. Computers and intractability. a guide to the theory of np-completeness. a series of books in the mathematical sciences, 1979.
Allen Goldberg, Tie-Cheng Wang, and David Zimmerman. Applications of feasible path analysis to program testing. In Proceedings of the 1994 ACM SIGSOFT international symposium on Software testing and analysis, pages 80–94. ACM, 1994.
Andy Greenberg. Hackers remotely kill a jeep on the highwaywith me in it — wired. https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/, July 2015. (Accessed on 01/22/2018).
Benjamin Holland, Payas Awadhutkar, Suresh Kothari, Ahmed Tamrawi, and Jon Mathews. Comb: Computing relevant program behaviors. In International Conference on Software Engineering Demonstration track, page To appear., 2018.
Benjamin Holland, Tom Deering, Suresh Kothari, Jon Mathews, and Nikhil Ranade. Security toolbox for detecting novel and sophisticated android malware. In Proceedings of the 37th International Conference on Software Engineering-Volume 2, pages 733–736. IEEE Press, 2015.
Benjamin Holland, Ganesh Ram Santhanam, Payas Awadhutkar, and Suresh Kothari. Statically-informed dynamic analysis tools to detect algorithmic complexity vulnerabilities. In Source Code Analysis and Manipulation (SCAM), 2016 IEEE 16th International Working Conference on, pages 79–84. IEEE, 2016.
Michael Howard and David LeBlanc. Writing secure code. Pearson Education, 2003.
IBM. Security attacks on industrial control systems – managed security services research report. https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03046USEN. (Accessed on 01/22/2018).
Kamal Jabbour and Sarah Muccio. The science of mission assurance. Journal of Strategic Security, 4(2):61, 2011.
Michael B Kelley. Stuxnet was far more dangerous than previous thought – business insider. http://www.businessinsider.com/stuxnet-was-far-more-dangerous-than-previous-thought-2013-11, November 2013. (Accessed on 01/22/2018).
James C King. Symbolic execution and program testing. Communications of the ACM, 19(7):385–394, 1976.
S. Kothari, P. Awadhutkar, and A. Tamrawi. Insights for practicing engineers from a formal verification study of the linux kernel. In 2016 IEEE International Symposium on Software Reliability Engineering Workshops, pages 264–270, Oct 2016.
S. Kothari, A. Deepak, A. Tamrawi, B. Holland, and S. Krishnan. A human-in-the-loop approach for resolving complex software anomalies. In 2014 IEEE International Conference on Systems, Man, and Cybernetics (SMC), pages 1971–1978, Oct 2014.
Suresh Kothari, Payas Awadhutkar, Ahmed Tamrawi, and Jon Mathews. Modeling lessons from verifying large software systems for safety and security. In 2017 Winter Simulation Conference (WSC), pages 1431–1442, 2017.
Vadim Kotov and Fabio Massacci. Anatomy of exploit kits. Engineering Secure Software and Systems, 7781:181–196, 2013.
Mahesh Lal. Neo4j Graph Data Modeling. Packt Publishing Ltd, 2015.
Sihyung Lee. Reducing Complexity of Large-scale Network Configuration Management. PhD thesis, Pittsburgh, PA, USA, 2010. AAI3415822.
J. L. LIONS. Ariane 5 failure – full report. http://sunnyday.mit.edu/accidents/Ariane5accidentreport.html, July 1996. (Accessed on 01/22/2018).
Alan K Mackworth. Constraint satisfaction problems. Encyclopedia of AI, 285:293, 1992.
P MELL. A complete guide to the common vulnerability scoring system version 2.0.
Arash Nourian and Stuart Madnick. A systems theoretic approach to the security threats in cyber physical systems applied to stuxnet. IEEE Transactions on Dependable and Secure Computing, 2015.
Ebenezer A Oladimeji, Sam Supakkul, and Lawrence Chung. Security threat modeling and analysis: A goal-oriented approach. In Proc. of the 10th IASTED International Conference on Software Engineering and Applications (SEA 2006), pages 13–15, 2006.
Leon E. Panetta. Defense.gov transcript: Remarks by secretary panetta on cybersecurity to the business executives for national security, new york city. http://archive.defense.gov/transcripts/transcript.aspx?transcriptid=5136, October 2012. (Accessed on 01/22/2018).
Fabio Pasqualetti, Florian Dörfler, and Francesco Bullo. Attack detection and identification in cyber-physical systems. IEEE Transactions on Automatic Control, 58(11):2715–2729, 2013.
Alin C Popescu, Brian J Premore, and Todd Underwood. Anatomy of a leak: As9121. Renesys Corp.,
Kevin Poulsen. Slammer worm crashed ohio nuke plant network. https://www.securityfocus.com/news/6767, August 2003. (Accessed on 01/22/2018).
Jean-Pierre Queille and Joseph Sifakis. Specification and verification of concurrent systems in cesar. In International Symposium on programming, pages 337–351. Springer, 1982.
Jean-Pierre Queille and Joseph Sifakis. Fairness and related properties in transition systems a temporal logic to deal with fairness. Acta Informatica, 19(3):195–220, 1983.
Brian Randell. The origins of computer programming. IEEE Annals of the History of Computing, 16(4):6–14, 1994.
Henry Gordon Rice. Classes of recursively enumerable sets and their decision problems. Transactions of the American Mathematical Society, 74(2):358–366, 1953.
DAVID E. SANGER. Obama ordered wave of cyberattacks against iran – the new york times. http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=1&_r=1&hp, June 2012. (Accessed on 01/22/2018).
Ganesh Ram Santhanam, Benjamin Holland, Suresh Kothari, and Jon Mathews. Interactive visualization toolbox to detect sophisticated android malware. In Visualization for Cyber Security (VizSec), 2017 IEEE Symposium on, pages 1–8. IEEE, 2017.
Ganesh Ram Santhanam, Benjamin Holland, Suresh Kothari, and Nikhil Ranade. Human-on-the-loop automation for detecting software side-channel vulnerabilities. In International Conference on Information Systems Security, pages 209–230. Springer, 2017.
Bruce Schneier. Heartbleed – schneier on security. https://www.schneier.com/blog/archives/2014/04/heartbleed.html, April 2014. (Accessed on 01/22/2018).
Tony Smith. Hacker jailed for revenge sewage attacks. http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/, October 2001. (Accessed on 01/22/2018).
Panos Stratis. Formal verification in large-scaled software: Worth to ponder. https://blog.inf.ed.ac.uk/sapm/2014/02/20/formal-verification-in-large-scaled-software-worth-to-ponder/, 2014. (Accessed on 01/25/2018).
Frank Swiderski and Window Snyder. Threat Modeling (Microsoft Professional), volume 7. Microsoft Press, 2004.
Ahmed Tamrawi and Suresh Kothari. Projected control graph for accurate and efficient analysis of safety and security vulnerabilities. In Software Engineering Conference (APSEC), 2016 23rd Asia-Pacific, pages 113–120. IEEE, 2016.
Ahmed Tamrawi and Suresh Kothari. Projected control graph for computing relevant program behaviors. Journal of Science of Computer Programming, To appear.
Alan M. Turing. The use of dots as brackets in church’s system. The Journal of Symbolic Logic, 7(4):146–156, 1942.
Mark Weiser. Program slicing. In Proceedings of the 5th international conference on Software engineering, pages 439–449. IEEE Press, 1981.
D. E. Whitehead, K. Owens, D. Gammel, and J. Smith. Ukraine cyber-induced power outage: Analysis and practical mitigation strategies. In 2017 70th Annual Conference for Protective Relay Engineers (CPRE), pages 1–8, April 2017.
Peter T Wood. Query languages for graph databases. ACM SIGMOD Record, 41(1):50–60, 2012.
Jim Woodcock, Peter Gorm Larsen, Juan Bicarregui, and John Fitzgerald. Formal methods: Practice and experience. ACM Computing Surveys (CSUR), 41(4):19, 2009.
Avishai Wool. A quantitative study of firewall configuration errors. Computer, 37(6):62–67, 2004.
Victoria Woollaston. Open ssl developer confesses to causing heartbleed bug — daily mail online. http://www.dailymail.co.uk/sciencetech/article-2602277/Heartbleed-accident-Developer-confesses-coding-error-admits-effect-clearly-severe.html#ixzz546xyGkwC, April 2014. (Accessed on 01/22/2018).
Yichen Xie and Alex Aiken. Saturn: A scalable framework for error detection using boolean satisfiability. ACM Transactions on Programming Languages and Systems (TOPLAS), 29(3):16, 2007.
Ilja S Zakharov, Mikhail U Mandrykin, Vadim S Mutilin, EM Novikov, Alexander K Petrenko, and Alexey V Khoroshilov. Configurable toolset for static verification of operating systems kernel modules. Programming and Computer Software, 41(1):49–64, 2015.
Jian Zhang and Xiaoxu Wang. A constraint solver and its application to path feasibility analysis. International Journal of Software Engineering and Knowledge Engineering, 11(02):139–156, 2001.