Automated Code Review

Thesis Supervisor: Dr. Anindya Iqbal

Learning-based automatic program repair techniques are showing promise in providing quality fix suggestions for bugs detected in software source code. These tools mostly exploit historical data of buggy and fixed code changes and depend heavily on bug localizers when applied to a new piece of code. With the increasing popularity of code review, dependency on bug localizers can be reduced. Besides, code review-based bug localization is more trustworthy, since reviewers' expertise and experience are reflected in these suggestions. In this research, I am planning to develop a deep learning-based tool to automatically suggest repaired code with the help of bug localization and the reviewer's comment in natural language.

SSL-based Session Hijacking Attacks and Protection Mechanisms

Thesis Supervisor: Dr. Md. Shohrab Hossain

Keywords: Network Security, Session hijacking, SSL stripping, Man-in-the-middle attack, HTTPS

Web communications between the server and the client are used extensively. However, session hijacking has become a critical problem for most client-server communications. Among the different session hijacking attacks, SSL stripping is the most dangerous.

A number of measures have been proposed to prevent SSL stripping-based session hijacking attacks. However, existing surveys did not summarize all the preventive measures in a comprehensive manner; they offer little illustration or categorization. Moreover, HTTPS has been proposed to defend against session hijacking attacks on the Internet. The main problem is that the browser has to somehow know whether HTTPS is enabled for a specific site. The HSTS protocol has been proposed to tell the browser that a site supports HTTPS, but HSTS depends on a Trust-on-First-Use policy. So if an attacker manages to attack at the beginning of the network connection, the attacker can successfully bypass the security of HTTPS.

To address this drawback of HTTPS, DNSSEC has been proposed. DNSSEC is secure in the sense that a domain name and its IP address, along with information about its HTTPS capability, are mapped in a secured fashion. However, DNSSEC with NSEC is vulnerable to the zone walking attack, which makes it possible to fetch all the domain information from the DNS server. The attacker can then use this domain information for malicious purposes, possibly session hijacking. So we need to prevent the zone walking attack. NSEC3 has already been proposed for this purpose, but it has some disadvantages.

In this thesis, we have proposed two new solutions to the zone walking attack. We have performed a simulation of one of the proposed solutions, followed by an in-depth analysis of it with results, graphs and detailed explanations. Overall, this thesis addresses issues in existing network security. Our main goal is to prevent session hijacking attacks by using a secure and efficient network infrastructure.
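The contrast between NSEC and NSEC3 mentioned in the abstract above can be seen by building both denial-of-existence chains for a small zone: NSEC links plaintext owner names, while NSEC3 (RFC 5155) links salted, iterated SHA-1 hashes of them. This is an added illustration, not code or a solution from the thesis; the zone names, salt and iteration count are constructed sample values.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex ("extended hex", RFC 4648), used by NSEC3.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")

# Constructed sample zone and parameters (not from the thesis).
ZONE = ["example.", "a.example.", "ns1.example.", "ns2.example."]
SALT_HEX, ITERATIONS = "aabbccdd", 12

def labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]

def wire_name(name):
    """Lowercased DNS wire format: length-prefixed labels plus the root label."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(name)) + b"\x00"

def nsec3_hash(name, salt_hex=SALT_HEX, iterations=ITERATIONS):
    """RFC 5155 hashed owner name: iterated, salted SHA-1, base32hex encoded."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):  # 'iterations' counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()

def ring(sorted_items):
    """Pair each owner with the next one; the last wraps to the first."""
    n = len(sorted_items)
    return [(sorted_items[i], sorted_items[(i + 1) % n]) for i in range(n)]

def nsec_chain(names):
    """NSEC: owner and next owner are plaintext names in canonical order."""
    # Canonical order compares labels right to left (RFC 4034, section 6.1).
    return ring(sorted(names, key=lambda n: list(reversed(labels(n)))))

def nsec3_chain(names):
    """NSEC3: the same ring, but over hashed owner names."""
    return ring(sorted(nsec3_hash(n) for n in names))

if __name__ == "__main__":
    for owner, nxt in nsec_chain(ZONE):
        print("NSEC ", owner, "->", nxt)
    for owner, nxt in nsec3_chain(ZONE):
        print("NSEC3", owner, "->", nxt)
```

Each NSEC pair names two real records in the zone, which is what a signed negative answer reveals; the NSEC3 pairs carry only 32-character hashes of those names.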