502 research outputs found
Observing the Evolution of QUIC Implementations
The QUIC protocol combines features that were initially found inside the TCP,
TLS and HTTP/2 protocols. The IETF is currently finalising a complete
specification of this protocol. More than a dozen of independent
implementations have been developed in parallel with these standardisation
activities.
We propose and implement a QUIC test suite that interacts with public QUIC
servers to verify their conformance with key features of the IETF
specification. Our measurements, gathered over a semester, provide a unique
viewpoint on the evolution of a protocol and of its implementations. They
highlight the arrival of new features and some regressions among the different
implementations.Comment: 6 pages, 8 figure
GitHub Considered Harmful? Analyzing Open-Source Projects for the Automatic Generation of Cryptographic API Call Sequences
GitHub is a popular data repository for code examples. It is being
continuously used to train several AI-based tools to automatically generate
code. However, the effectiveness of such tools in correctly demonstrating the
usage of cryptographic APIs has not been thoroughly assessed. In this paper, we
investigate the extent and severity of misuses, specifically caused by
incorrect cryptographic API call sequences in GitHub. We also analyze the
suitability of GitHub data to train a learning-based model to generate correct
cryptographic API call sequences. For this, we manually extracted and analyzed
the call sequences from GitHub. Using this data, we augmented an existing
learning-based model called DeepAPI to create two security-specific models that
generate cryptographic API call sequences for a given natural language (NL)
description. Our results indicate that it is imperative to not neglect the
misuses in API call sequences while using data sources like GitHub, to train
models that generate code.Comment: Accepted at QRS 202
Negative Results on Mining Crypto-API Usage Rules in Android Apps
Android app developers recurrently use crypto-APIs to provide data security to app users. Unfortunately, misuse of APIs only creates an illusion of security and even exposes apps to systematic attacks. It is thus necessary to provide developers with a statically-enforceable list of specifications of crypto-API usage rules. On the one hand, such rules cannot be manually written as the process does not scale to all available APIs. On the other hand, a classical mining approach based on common usage patterns is not relevant in Android, given that a large share of usages include mistakes. In this work, building on the assumption that âdevelopers update API usage instances to fix misusesâ, we propose to mine a large dataset of updates within about 40 000 real-world app lineages to infer API usage rules. Eventually, our investigations yield negative results on our assumption that API usage updates tend to correct misuses. Actually, it appears that updates that fix misuses may be unintentional: the same misuses patterns are quickly re-introduced by subsequent updates
Dwarna : a blockchain solution for dynamic consent in biobanking
Dynamic consent aims to empower research partners and facilitate active participation in the research process. Used within
the context of biobanking, it gives individuals access to information and control to determine how and where their
biospecimens and data should be used. We present Dwarnaâa web portal for âdynamic consentâ that acts as a hub
connecting the different stakeholders of the Malta Biobank: biobank managers, researchers, research partners, and the
general public. The portal stores research partnersâ consent in a blockchain to create an immutable audit trail of research
partnersâ consent changes. Dwarnaâs structure also presents a solution to the European Unionâs General Data Protection
Regulationâs right to erasureâa right that is seemingly incompatible with the blockchain model. Dwarnaâs transparent
structure increases trustworthiness in the biobanking process by giving research partners more control over which research
studies they participate in, by facilitating the withdrawal of consent and by making it possible to request that the biospecimen
and associated data are destroyed.peer-reviewe
CryptoEval: Evaluating the Risk of Cryptographic Misuses in Android Apps with Data-Flow Analysis
The misunderstanding and incorrect configurations of cryptographic primitives
have exposed severe security vulnerabilities to attackers. Due to the
pervasiveness and diversity of cryptographic misuses, a comprehensive and
accurate understanding of how cryptographic misuses can undermine the security
of an Android app is critical to the subsequent mitigation strategies but also
challenging. Although various approaches have been proposed to detect
cryptographic misuses in Android apps, seldom studies have focused on
estimating the security risks introduced by cryptographic misuses. To address
this problem, we present an extensible framework for deciding the threat level
of cryptographic misuses in Android apps. Firstly, we propose a unified
specification for representing cryptographic misuses to make our framework
extensible and develop adapters to unify the detection results of the
state-of-the-art cryptographic misuse detectors, resulting in an adapter-based
detection toolchain for a more comprehensive list of cryptographic misuses.
Secondly, we employ a misuse-originating data-flow analysis to connect each
cryptographic misuse to a set of data-flow sinks in an app, based on which we
propose a quantitative data-flow-driven metric for assessing the overall risk
of the app introduced by cryptographic misuses. To make the per-app assessment
more useful in the app vetting at the app-store level, we apply unsupervised
learning to predict and classify the top risky threats, to guide more efficient
subsequent mitigations. In the experiments on an instantiated implementation of
the framework, we evaluate the accuracy of our detection and the effect of
data-flow-driven risk assessment of our framework. Our empirical study on over
40,000 apps as well as the analysis of popular apps reveals important security
observations on the real threats of cryptographic misuses in Android apps
- âŠ