22,383 research outputs found
ACMiner: Extraction and Analysis of Authorization Checks in Android's Middleware
Billions of users rely on the security of the Android platform to protect
phones, tablets, and many different types of consumer electronics. While
Android's permission model is well studied, the enforcement of the protection
policy has received relatively little attention. Much of this enforcement is
spread across system services, taking the form of hard-coded checks within
their implementations. In this paper, we propose Authorization Check Miner
(ACMiner), a framework for evaluating the correctness of Android's access
control enforcement through consistency analysis of authorization checks.
ACMiner combines program and text analysis techniques to generate a rich set of
authorization checks, mines the corresponding protection policy for each
service entry point, and uses association rule mining at a service granularity
to identify inconsistencies that may correspond to vulnerabilities. We used
ACMiner to study the AOSP version of Android 7.1.1 to identify 28
vulnerabilities relating to missing authorization checks. In doing so, we
demonstrate ACMiner's ability to help domain experts process thousands of
authorization checks scattered across millions of lines of code
An analysis of the requirements traceability problem
In this paper1, we investigate and discuss the underlying nature
of the requirements traceability problem. Our work is based on
empirical studies, involving over 100 practitioners, and an
evaluation of current support. We introduce the distinction
between pre-requirements specification (pre-RS) traceability
and post-requirements specification (post-RS) traceability, to
demonstrate why an all-encompassing solution to the problem is
unlikely, and to provide a framework through which to
understand its multifaceted nature. We report how the majority
of the problems attributed to poor requirements traceability are
due to inadequate pre-RS traceability and show the fundamental
need for improvements here. In the remainder of the paper, we
present an analysis of the main barriers confronting such
improvements in practice, identify relevant areas in which
advances have been (or can be) made, and make
recommendations for research
The simplicity project: easing the burden of using complex and heterogeneous ICT devices and services
As of today, to exploit the variety of different "services", users need to configure each of their devices by using different procedures and need to explicitly select among heterogeneous access technologies and protocols. In addition to that, users are authenticated and charged by different means. The lack of implicit human computer interaction, context-awareness and standardisation places an enormous burden of complexity on the shoulders of the final users. The IST-Simplicity project aims at leveraging such problems by: i) automatically creating and customizing a user communication space; ii) adapting services to user terminal characteristics and to users preferences; iii) orchestrating network capabilities. The aim of this paper is to present the technical framework of the IST-Simplicity project. This paper is a thorough analysis and qualitative evaluation of the different technologies, standards and works presented in the literature related to the Simplicity system to be developed
- âŠ