136 research outputs found

    Security considerations in the open source software ecosystem

    Open source software plays an important role in the software supply chain, allowing stakeholders to utilize open source components as building blocks in their software, tooling, and infrastructure. But relying on the open source ecosystem introduces unique challenges, both in terms of security and trust, as well as in terms of supply chain reliability. In this dissertation, I investigate approaches, considerations, and encountered challenges of stakeholders in the context of security, privacy, and trustworthiness of the open source software supply chain. Overall, my research aims to empower and support software experts with the knowledge and resources necessary to achieve a more secure and trustworthy open source software ecosystem. In the first part of this dissertation, I describe a research study investigating the security and trust practices in open source projects by interviewing 27 owners, maintainers, and contributors from a diverse set of projects to explore their behind-the-scenes processes, guidance and policies, incident handling, and encountered challenges, finding that participants’ projects are highly diverse in terms of their deployed security measures and trust processes, as well as their underlying motivations. More on the consumer side of the open source software supply chain, I investigated the use of open source components in industry projects by interviewing 25 software developers, architects, and engineers to understand their projects’ processes, decisions, and considerations in the context of external open source code, finding that open source components play an important role in many of the industry projects, and that most projects have some form of company policy or best practice for including external code. On the side of end-user focused software, I present a study investigating the use of software obfuscation in Android applications, which is a recommended practice to protect against plagiarism and repackaging. 
The study leveraged a multi-pronged approach including a large-scale measurement, a developer survey, and a programming experiment, finding that only 24.92% of apps are obfuscated by their developer, that developers do not fear theft of their own apps, and that they have difficulties obfuscating their own apps. Lastly, to involve end users themselves, I describe a survey with 200 users of cloud office suites to investigate their security and privacy perceptions and expectations, with findings suggesting that users are generally aware of basic security implications, but lack technical knowledge for envisioning some threat models. The key findings of this dissertation include that open source projects have highly diverse security measures, trust processes, and underlying motivations; that the projects’ security and trust needs are likely best met in ways that consider their individual strengths, limitations, and project stage, especially for smaller projects with limited access to resources; and that open source components play an important role in industry projects, and that those projects often have some form of company policy or best practice for including external code, but developers wish for more resources to better audit included components. This dissertation emphasizes the importance of collaboration and shared responsibility in building and maintaining the open source software ecosystem, with developers, maintainers, end users, researchers, and other stakeholders alike ensuring that the ecosystem remains a secure, trustworthy, and healthy resource for everyone to rely on.

    Proceedings of SAT Competition 2020 : Solver and Benchmark Descriptions

    Non peer reviewed

    Web interaction environments : characterising Web accessibility at the large

    Doctoral thesis, Informatics (Informatics Engineering), Universidade de Lisboa, Faculdade de Ciências, 2012. Accessibility quality on the Web is essential for providing a good Web experience to people with disabilities. The existence of virtual ramps helps these users grasp and interact with Web content, on a par with the experience of those who are unimpaired. However, more often than not, Web pages impose accessibility barriers, usually centred on the unavailability of content tailored to specific perceptual abilities (e.g., textual descriptions of images, which enable grasping information with assistive technologies), as well as of proper HTML structural elements that match the semantics of a Web page. When evaluating the accessibility quality of Web pages, the resulting analysis is often focused on a small sample set (e.g., a single Web page or a selection of pages from a Web site). While this kind of analysis gets the gist of accessibility quality, it misses the big picture of the overall accessibility quality of the Web. This thesis addresses the challenge of observing accessibility phenomena on the Web, through the experimental evaluation of large collections of Web pages. This resulted in new findings about the accessibility quality of the Web, such as its correlation with HTML element count, and the erroneous perception of accessibility quality by developers. Small-scale experiments have also been verified at large scale, such as the correlation between the usage of HTML templates and accessibility quality.
Based on the challenges raised by the experimental evaluation, this thesis proposes a novel approach for large scale Web accessibility evaluation based on Linked Data, as well as the establishment of metrics to assess the truthfulness and coverage of automated evaluation methods.
Accessibility quality is a crucial factor for people with disabilities to have a good experience interacting with the Web. The existence of virtual ramps helps these people understand and interact with Web content, on a par with what the common user already experiences. However, most Web pages still contain accessibility barriers. These barriers usually centre on the unavailability of content perceivable by different kinds of abilities (e.g., textual descriptions of images), as well as on the incorrect use of HTML elements with respect to the semantics of a Web page. Nowadays, the evaluation of the accessibility quality of Web pages is still carried out at small scale (e.g., a single Web page or, at best, a set of pages representative of a Web site). Although this kind of evaluation leads to an understanding of some phenomena of the state of accessibility on the Web, its impact at large scale is still unknown. This thesis discusses the main challenges in observing the accessibility of the Web, based on a set of experimental evaluations of large collections of Web pages.
From these studies, the following contributions and results stand out: the drastic difference in the interpretation of the warnings resulting from Web accessibility evaluations: one of the main results of the large-scale experimental evaluation highlights the difference in the interpretation of the warnings from applying WCAG techniques, where the optimistic interpretation (i.e., the view of most Web page creators) is far removed from the conservative interpretation (where warnings are interpreted as errors); the correlation between the accessibility quality of a Web page and its complexity: this same large-scale study revealed a correlation between the complexity of a Web page (in terms of the number of HTML elements it contains) and accessibility quality. The lower the complexity of a Web page, the more certain it is that the page has high accessibility quality; the benefit of using templates and content management systems in improving the accessibility of Web pages: in both experimental accessibility studies a correlation was detected between the accessibility quality of Web pages and the use of templates and content management systems. This property was verified both at small scale (on a collection of Wikipedia Web pages) and at large scale; the failure to comply with the most elementary and best-known accessibility rules: these experimental studies also made it possible to verify that, despite all the evangelisation and education on Web accessibility issues, most accessibility rules are incessantly broken by most Web pages. This problem occurs, in particular, with the best-known accessibility compliance rules, such as the availability of alternative text for multimedia content.
Based on these experiments and results, this thesis presents a new model for studying accessibility on the Web, based on the cycle of large-scale Web studies. This model resulted in the following contributions: a model for the distributed evaluation of Web accessibility, based on technological and topological properties: a Web accessibility evaluation model was designed that allows evaluation systems to be built on the basis of technological and topological properties. This model enables, among other features, the study of the coverage of accessibility platforms and evaluators, as well as of their application at large scale; an extension to the EARL and Linked Data languages and models, together with a set of definitions for extracting information from them: this Web accessibility evaluation model was also supported by its realisation in existing languages and models for the study of accessibility (EARL) and of the Web at large scale (Linked Data), thus allowing its validation; a definition of the limits of Web accessibility evaluation: finally, this accessibility evaluation model also made it possible to outline a methodology for the meta-evaluation of accessibility, within which the properties of existing accessibility evaluators can be framed.
All these contributions also resulted in a set of scientific publications, of which the following stand out: Rui Lopes and Luís Carriço, A Web Science Perspective of Web Accessibility, in submission for the ACM Transactions on Accessible Computing (TACCESS), ACM, 2011; Rui Lopes and Luís Carriço, Macroscopic Characterisations of Web Accessibility, New Review of Hypermedia and Multimedia – Special Issue on Web Accessibility. Taylor & Francis, 2010; Rui Lopes, Karel Van Isacker and Luís Carriço, Redefining Assumptions: Accessibility and Its Stakeholders, The 12th International Conference on Computers Helping People with Special Needs (ICCHP), Vienna, Austria, 14-16 July 2010; Rui Lopes, Daniel Gomes and Luís Carriço, Web Not For All: A Large Scale Study of Web Accessibility, W4A: 7th ACM International Cross-Disciplinary Conference on Web Accessibility, Raleigh, North Carolina, USA, 26-27 April 2010; Rui Lopes, Konstantinos Votis, Luís Carriço, Dimitrios Tzovaras, and Spiridon Likothanassis, The Semantics of Personalised Web Accessibility Assessment, 25th Annual ACM Symposium on Applied Computing (SAC), Sierre, Switzerland, 22-26 March, 2010; Konstantinos Votis, Rui Lopes, Dimitrios Tzovaras, Luís Carriço and Spiridon Likothanassis, A Semantic Accessibility Assessment Environment for Design and Development for the Web, HCI International 2009 (HCII 2009), San Diego, California, USA, 19-24 July 2009; Rui Lopes and Luís Carriço, On the Gap Between Automated and In-Vivo Evaluations of Web Accessibility, HCI International 2009 (HCII 2009), San Diego, California, USA, 19-24 July 2009; Rui Lopes, Konstantinos Votis, Luís Carriço, Spiridon Likothanassis and Dimitrios Tzovaras, Towards the Universal Semantic Assessment of Accessibility, 24th Annual ACM Symposium on Applied Computing (SAC), Waikiki Beach, Honolulu, Hawaii, USA, 8-12 March 2009; Rui Lopes and Luís Carriço, Querying Web Accessibility Knowledge from Web Graphs, Handbook of Research on Social Dimensions of Semantic Technologies, IGI Global, 2009; Rui Lopes, Konstantinos Votis, Luís Carriço, Spiridon Likothanassis and Dimitrios Tzovaras, A Service Oriented Ontological Framework for the Semantic Validation of Web Accessibility, Handbook of Research on Social Dimensions of Semantic Technologies, IGI Global, 2009; Rui Lopes and Luís Carriço, On the Credibility of Wikipedia: an Accessibility Perspective, Second Workshop on Information Credibility on the Web (WICOW 2008), Napa Valley, California, USA, 2008; Rui Lopes, Luís Carriço, A Model for Universal Usability on the Web, WSW 2008: Web Science Workshop, Beijing, China, 22 April 2008; Rui Lopes, Luís Carriço, The Impact of Accessibility Assessment in Macro Scale Universal Usability Studies of the Web, W4A: 5th ACM International Cross-Disciplinary Conference on Web Accessibility, Beijing, China, 21-22 April 2008. Best paper award; Rui Lopes, Luís Carriço, Modelling Web Accessibility for Rich Document Production, Journal on Access Services 6 (1-2), Routledge, Taylor & Francis Group, 2009; Rui Lopes, Luís Carriço, Leveraging Rich Accessible Documents on the Web, W4A: 4th ACM International Cross-Disciplinary Conference on Web Accessibility, Banff, Canada, 7-8 May 2007.
Fundação para a Ciência e a Tecnologia (FCT, SFRH/BD/29150/2006

    On the path to AI

    This open access book explores machine learning and its impact on how we make sense of the world. It does so by bringing together two ‘revolutions’ in a surprising analogy: the revolution of machine learning, which has placed computing on the path to artificial intelligence, and the revolution in thinking about the law that was spurred by Oliver Wendell Holmes Jr in the last two decades of the 19th century. Holmes reconceived law as prophecy based on experience, prefiguring the buzzwords of the machine learning age—prediction based on datasets. On the path to AI introduces readers to the key concepts of machine learning, discusses the potential applications and limitations of predictions generated by machines using data, and informs current debates amongst scholars, lawyers and policy makers on how it should be used and regulated wisely. Technologists will also find useful lessons learned from the last 120 years of legal grappling with accountability, explainability, and biased data

    Perspectives On String Phenomenology

    The remarkable recent discovery of the Higgs boson at the CERN Large Hadron Collider completed the Standard Model of particle physics and has paved the way for understanding the physics which may lie beyond it. String/M theory has emerged as a broad framework for describing a plethora of diverse physical systems, which includes condensed matter systems, gravitational systems as well as elementary particle physics interactions. If string/M theory is to be considered as a candidate theory of Nature, it must contain an effectively four-dimensional universe among its solutions that is indistinguishable from our own. In these solutions, the extra dimensions of string/M theory are “compactified” on tiny scales which are often comparable to the Planck length. String phenomenology is the branch of string/M theory that studies such solutions, relates their properties to data, and aims to answer many of the outstanding questions of particle physics beyond the Standard Model. This book contains perspectives on string phenomenology from some of the leading experts in the field. Contributions will range from pedagogical general overviews and perspectives to more technical reviews. We hope that the reader will get a sense of the significant progress that has been made in the field in recent years (e.g. in the topic of moduli stabilization) as well as the topics currently being researched, outstanding problems and some perspectives for the future.

    KEER2022

    Pre-title: KEER2022. Diversities. Resource description: 25 July 202