942 research outputs found
Towards Smart Hybrid Fuzzing for Smart Contracts
Smart contracts are Turing-complete programs that are executed across a
blockchain network. Unlike traditional programs, once deployed they cannot be
modified. As smart contracts become more popular and carry more value, they
become more of an interesting target for attackers. In recent years, smart
contracts suffered major exploits, costing millions of dollars, due to
programming errors. As a result, a variety of tools for detecting bugs has been
proposed. However, majority of these tools often yield many false positives due
to over-approximation or poor code coverage due to complex path constraints.
Fuzzing or fuzz testing is a popular and effective software testing technique.
However, traditional fuzzers tend to be more effective towards finding shallow
bugs and less effective in finding bugs that lie deeper in the execution. In
this work, we present CONFUZZIUS, a hybrid fuzzer that combines evolutionary
fuzzing with constraint solving in order to execute more code and find more
bugs in smart contracts. Evolutionary fuzzing is used to exercise shallow parts
of a smart contract, while constraint solving is used to generate inputs which
satisfy complex conditions that prevent the evolutionary fuzzing from exploring
deeper paths. Moreover, we use data dependency analysis to efficiently generate
sequences of transactions, that create specific contract states in which bugs
may be hidden. We evaluate the effectiveness of our fuzzing strategy, by
comparing CONFUZZIUS with state-of-the-art symbolic execution tools and
fuzzers. Our evaluation shows that our hybrid fuzzing approach produces
significantly better results than state-of-the-art symbolic execution tools and
fuzzers
The Transitivity of Trust Problem in the Interaction of Android Applications
Mobile phones have developed into complex platforms with large numbers of
installed applications and a wide range of sensitive data. Application security
policies limit the permissions of each installed application. As applications
may interact, restricting single applications may create a false sense of
security for the end users while data may still leave the mobile phone through
other applications. Instead, the information flow needs to be policed for the
composite system of applications in a transparent and usable manner. In this
paper, we propose to employ static analysis based on the software architecture
and focused data flow analysis to scalably detect information flows between
components. Specifically, we aim to reveal transitivity of trust problems in
multi-component mobile platforms. We demonstrate the feasibility of our
approach with Android applications, although the generalization of the analysis
to similar composition-based architectures, such as Service-oriented
Architecture, can also be explored in the future
The Effectiveness of Low-Level Structure-based Approach Toward Source Code Plagiarism Level Taxonomy
Low-level approach is a novel way to detect source code plagiarism. Such
approach is proven to be effective when compared to baseline approach (i.e., an
approach which relies on source code token subsequence matching) in controlled
environment. We evaluate the effectiveness of state of the art in low-level
approach based on Faidhi \& Robinson's plagiarism level taxonomy; real
plagiarism cases are employed as dataset in this work. Our evaluation shows
that state of the art in low-level approach is effective to handle most
plagiarism attacks. Further, it also outperforms its predecessor and baseline
approach in most plagiarism levels.Comment: The 6th International Conference on Information and Communication
Technolog
Recommended from our members
Android Security: A Survey of Issues, Malware Penetration, and Defenses
Smartphones have become pervasive due to the availability of office applications, Internet, games, vehicle guidance using location-based services apart from conventional services such as voice calls, SMSes, and multimedia services. Android devices have gained huge market share due to the open architecture of Android and the popularity of its application programming interface (APIs) in the developer community. Increased popularity of the Android devices and associated monetary benefits attracted the malware developers, resulting in big rise of the Android malware apps between 2010 and 2014. Academic researchers and commercial antimalware companies have realized that the conventional signature-based and static analysis methods are vulnerable. In particular, the prevalent stealth techniques, such as encryption, code transformation, and environment-aware approaches, are capable of generating variants of known malware. This has led to the use of behavior-, anomaly-, and dynamic-analysis-based methods. Since a single approach may be ineffective against the advanced techniques, multiple complementary approaches can be used in tandem for effective malware detection. The existing reviews extensively cover the smartphone OS security. However, we believe that the security of Android, with particular focus on malware growth, study of antianalysis techniques, and existing detection methodologies, needs an extensive coverage. In this survey, we discuss the Android security enforcement mechanisms, threats to the existing security enforcements and related issues, malware growth timeline between 2010 and 2014, and stealth techniques employed by the malware authors, in addition to the existing detection methods. This review gives an insight into the strengths and shortcomings of the known research methodologies and provides a platform, to the researchers and practitioners, toward proposing the next-generation Android security, analysis, and malware detection techniques
- …