5,417 research outputs found
Static Analysis for Extracting Permission Checks of a Large Scale Framework: The Challenges And Solutions for Analyzing Android
A common security architecture is based on the protection of certain
resources by permission checks (used e.g., in Android and Blackberry). It has
some limitations, for instance, when applications are granted more permissions
than they actually need, which facilitates all kinds of malicious usage (e.g.,
through code injection). The analysis of permission-based framework requires a
precise mapping between API methods of the framework and the permissions they
require. In this paper, we show that naive static analysis fails miserably when
applied with off-the-shelf components on the Android framework. We then present
an advanced class-hierarchy and field-sensitive set of analyses to extract this
mapping. Those static analyses are capable of analyzing the Android framework.
They use novel domain specific optimizations dedicated to Android.Comment: IEEE Transactions on Software Engineering (2014). arXiv admin note:
substantial text overlap with arXiv:1206.582
Automatically Securing Permission-Based Software by Reducing the Attack Surface: An Application to Android
A common security architecture, called the permission-based security model
(used e.g. in Android and Blackberry), entails intrinsic risks. For instance,
applications can be granted more permissions than they actually need, what we
call a "permission gap". Malware can leverage the unused permissions for
achieving their malicious goals, for instance using code injection. In this
paper, we present an approach to detecting permission gaps using static
analysis. Our prototype implementation in the context of Android shows that the
static analysis must take into account a significant amount of
platform-specific knowledge. Using our tool on two datasets of Android
applications, we found out that a non negligible part of applications suffers
from permission gaps, i.e. does not use all the permissions they declare
Avaliação clÃnica e laboratorial do derrame pleural tuberculoso.
Trabalho de Conclusão de Curso - Universidade Federal de Santa Catarina, Centro de Ciências da Saúde, Departamento de ClÃnica Médica, Curso de Medicina, Florianópolis, 199
In-Vivo Bytecode Instrumentation for Improving Privacy on Android Smartphones in Uncertain Environments
In this paper we claim that an efficient and readily applicable means to
improve privacy of Android applications is: 1) to perform runtime monitoring by
instrumenting the application bytecode and 2) in-vivo, i.e. directly on the
smartphone. We present a tool chain to do this and present experimental results
showing that this tool chain can run on smartphones in a reasonable amount of
time and with a realistic effort. Our findings also identify challenges to be
addressed before running powerful runtime monitoring and instrumentations
directly on smartphones. We implemented two use-cases leveraging the tool
chain: BetterPermissions, a fine-grained user centric permission policy system
and AdRemover an advertisement remover. Both prototypes improve the privacy of
Android systems thanks to in-vivo bytecode instrumentation.Comment: ISBN: 978-2-87971-111-
Model Driven Mutation Applied to Adaptative Systems Testing
Dynamically Adaptive Systems modify their behav- ior and structure in
response to changes in their surrounding environment and according to an
adaptation logic. Critical sys- tems increasingly incorporate dynamic
adaptation capabilities; examples include disaster relief and space exploration
systems. In this paper, we focus on mutation testing of the adaptation logic.
We propose a fault model for adaptation logics that classifies faults into
environmental completeness and adaptation correct- ness. Since there are
several adaptation logic languages relying on the same underlying concepts, the
fault model is expressed independently from specific adaptation languages.
Taking benefit from model-driven engineering technology, we express these
common concepts in a metamodel and define the operational semantics of mutation
operators at this level. Mutation is applied on model elements and model
transformations are used to propagate these changes to a given adaptation
policy in the chosen formalism. Preliminary results on an adaptive web server
highlight the difficulty of killing mutants for adaptive systems, and thus the
difficulty of generating efficient tests.Comment: IEEE International Conference on Software Testing, Verification and
Validation, Mutation Analysis Workshop (Mutation 2011), Berlin : Allemagne
(2011
MUSTI: Dynamic Prevention of Invalid Object Initialization Attacks
Invalid object initialization vulnerabilities have been identified since the 1990’s by a research group at Princeton University. These vulnerabilities are critical since they can be used to totally compromise the security of a Java virtual machine.Recently, such a vulnerability identified as CVE-2017-3289 has been found again in the bytecode verifier of the JVM and affects more than 40 versions of the JVM. In this paper, we present a runtime solution called MUSTIto detect and prevent attacks leveraging this kind of critical vulnerabilities. We optimize MUSTI to have a runtime overhead below 0.5% and a memory overhead below 0.42%. Compared to state-of-the-art, MUSTI is completely automated and does not require to manually annotate the code
Sensitivity indices for multivariate outputs
International audienceWe define and study a generalization of Sobol sensitivity indices for the case of a vector output.Nous définissons et étudions une généralisation des indices de Sobol pour des sorties vectorielles
Sensitivity analysis for multidimensional and functional outputs
International audienceLet be random objects (the inputs), defined on some probability space and valued in some measurable space . Further, let be the output. Here, is a measurable function from to some Hilbert space ( could be either of finite or infinite dimension). In this work, we give a natural generalization of the Sobol indices (that are classically defined when ), when the output belongs to . These indices have very nice properties. First, they are invariant. under isometry and scaling. Further they can be, as in dimension , easily estimated by using the so-called Pick and Freeze method. We investigate the asymptotic behaviour of such estimation scheme
- …