9,551 research outputs found
Why Do Developers Get Password Storage Wrong? A Qualitative Usability Study
Passwords are still a mainstay of various security systems, as well as the
cause of many usability issues. For end-users, many of these issues have been
studied extensively, highlighting problems and informing design decisions for
better policies and motivating research into alternatives. However, end-users
are not the only ones who have usability problems with passwords! Developers
who are tasked with writing the code by which passwords are stored must do so
securely. Yet history has shown that this complex task often fails due to human
error with catastrophic results. While an end-user who selects a bad password
can have dire consequences, the consequences of a developer who forgets to hash
and salt a password database can lead to far larger problems. In this paper we
present a first qualitative usability study with 20 computer science students
to discover how developers deal with password storage and to inform research
into aiding developers in the creation of secure password systems
Green Security Plugin for Pervasive Computing using the HADAS toolkit
Energy is a critical resource in pervasive computing devices. However, information about energy consumption is not directly accessible through software development environments,
making it difficult to reuse the knowledge provided by existing energy-consumption experimental studies. To address this limitation, this paper presents a solution to enrich Android
Studio with energy consumption information. We have developed a Green Security Plugin that provides energy-aware information to developers that make use of Android Security
API. This plugin has been developed taking advantage of the functionalities provided by the HADAS toolkit. HADAS is a repository of energy consuming concerns in which researchers
can store the energy measures obtained during their experimental studies and developers can perform a sustainability analysis to make green design/implementation decisions.Universidad de Málaga. Campus de Excelencia Internacional AndalucĂa Tec
A gap analysis of Internet-of-Things platforms
We are experiencing an abundance of Internet-of-Things (IoT) middleware
solutions that provide connectivity for sensors and actuators to the Internet.
To gain a widespread adoption, these middleware solutions, referred to as
platforms, have to meet the expectations of different players in the IoT
ecosystem, including device providers, application developers, and end-users,
among others. In this article, we evaluate a representative sample of these
platforms, both proprietary and open-source, on the basis of their ability to
meet the expectations of different IoT users. The evaluation is thus more
focused on how ready and usable these platforms are for IoT ecosystem players,
rather than on the peculiarities of the underlying technological layers. The
evaluation is carried out as a gap analysis of the current IoT landscape with
respect to (i) the support for heterogeneous sensing and actuating
technologies, (ii) the data ownership and its implications for security and
privacy, (iii) data processing and data sharing capabilities, (iv) the support
offered to application developers, (v) the completeness of an IoT ecosystem,
and (vi) the availability of dedicated IoT marketplaces. The gap analysis aims
to highlight the deficiencies of today's solutions to improve their integration
to tomorrow's ecosystems. In order to strengthen the finding of our analysis,
we conducted a survey among the partners of the Finnish IoT program, counting
over 350 experts, to evaluate the most critical issues for the development of
future IoT platforms. Based on the results of our analysis and our survey, we
conclude this article with a list of recommendations for extending these IoT
platforms in order to fill in the gaps.Comment: 15 pages, 4 figures, 3 tables, Accepted for publication in Computer
Communications, special issue on the Internet of Things: Research challenges
and solution
Open-TEE - An Open Virtual Trusted Execution Environment
Hardware-based Trusted Execution Environments (TEEs) are widely deployed in
mobile devices. Yet their use has been limited primarily to applications
developed by the device vendors. Recent standardization of TEE interfaces by
GlobalPlatform (GP) promises to partially address this problem by enabling
GP-compliant trusted applications to run on TEEs from different vendors.
Nevertheless ordinary developers wishing to develop trusted applications face
significant challenges. Access to hardware TEE interfaces are difficult to
obtain without support from vendors. Tools and software needed to develop and
debug trusted applications may be expensive or non-existent.
In this paper, we describe Open-TEE, a virtual, hardware-independent TEE
implemented in software. Open-TEE conforms to GP specifications. It allows
developers to develop and debug trusted applications with the same tools they
use for developing software in general. Once a trusted application is fully
debugged, it can be compiled for any actual hardware TEE. Through performance
measurements and a user study we demonstrate that Open-TEE is efficient and
easy to use. We have made Open- TEE freely available as open source.Comment: Author's version of article to appear in 14th IEEE International
Conference on Trust, Security and Privacy in Computing and Communications,
TrustCom 2015, Helsinki, Finland, August 20-22, 201
Security Code Smells in Android ICC
Android Inter-Component Communication (ICC) is complex, largely
unconstrained, and hard for developers to understand. As a consequence, ICC is
a common source of security vulnerability in Android apps. To promote secure
programming practices, we have reviewed related research, and identified
avoidable ICC vulnerabilities in Android-run devices and the security code
smells that indicate their presence. We explain the vulnerabilities and their
corresponding smells, and we discuss how they can be eliminated or mitigated
during development. We present a lightweight static analysis tool on top of
Android Lint that analyzes the code under development and provides just-in-time
feedback within the IDE about the presence of such smells in the code.
Moreover, with the help of this tool we study the prevalence of security code
smells in more than 700 open-source apps, and manually inspect around 15% of
the apps to assess the extent to which identifying such smells uncovers ICC
security vulnerabilities.Comment: Accepted on 28 Nov 2018, Empirical Software Engineering Journal
(EMSE), 201
- …