Yonghwi Kwon

Geunsik Lim, Yonghwi Kwon, Joonbae Park et al.

The two most significant bottlenecks in code merging are the build process and the unit tests. However, as the number of items to be checked in a code review increases, that code review becomes a bottleneck for code merging as well. Because of the dependency structure between code review services, an error in one service affects the entire service. As a result, whenever a service error occurs, it is crucial to have methods for determining which code review service has ultimately caused the error. With the goal of achieving a non-stop & non-breakable code review service, this paper describes an early error detection method along with a case study of the service.

Meng Wang, Chijung Jung, Ali Ahad et al.

Injection attacks have been a major threat to web applications. Despite the significant effort in thwarting injection attacks, protection against injection attacks remains challenging due to the sophisticated attacks that exploit the existing protection techniques' design and implementation flaws. In this paper, we develop Spinner, a system that provides general protection against input injection attacks, including OS/shell command, SQL, and XXE injection. Instead of focusing on detecting malicious inputs, Spinner constantly randomizes underlying subsystems so that injected inputs (e.g., commands or SQL queries) that are not properly randomized will not be executed, hence prevented. We revisit the design and implementation choices of previous randomization-based techniques and develop a more robust and practical protection against various sophisticated input injection attacks. To handle complex real-world applications, we develop a bidirectional analysis that combines forward and backward static analysis techniques to identify intended commands or SQL queries to ensure the correct execution of the randomized target program. We implement Spinner for the shell command processor and two different database engines (MySQL and SQLite) and in diverse programming languages including C/C++, PHP, JavaScript and Lua. Our evaluation results on 42 real-world applications including 27 vulnerable ones show that it effectively prevents a variety of input injection attacks with low runtime overhead (around 5%).