52 research outputs found
Ghera: A Repository of Android App Vulnerability Benchmarks
Security of mobile apps affects the security of their users. This has fueled
the development of techniques to automatically detect vulnerabilities in mobile
apps and help developers secure their apps; specifically, in the context of
the Android platform due to the openness and ubiquitousness of the platform. Despite a
slew of research efforts in this space, there is no comprehensive repository of
up-to-date and lean benchmarks that contain most of the known Android app
vulnerabilities and, consequently, can be used to rigorously evaluate both
existing and new vulnerability detection techniques and help developers learn
about Android app vulnerabilities. In this paper, we describe Ghera, an open
source repository of benchmarks that capture 25 known vulnerabilities in
Android apps (as pairs of exploited/benign and exploiting/malicious apps). We
also present desirable characteristics of vulnerability benchmarks and
repositories that we uncovered while creating Ghera.
Comment: 10 pages. Accepted at PROMISE'1
The Devil Behind the Mirror: Tracking the Campaigns of Cryptocurrency Abuses on the Dark Web
The dark web has emerged as the state-of-the-art solution for enhanced
anonymity. Just like a double-edged sword, it also inadvertently becomes the
safety net and breeding ground for illicit activities. Among them,
cryptocurrencies have been prevalently abused to receive illicit income while
evading regulations. Despite the continuing efforts to combat illicit
activities, there is still a lack of an in-depth understanding regarding the
characteristics and dynamics of cryptocurrency abuses on the dark web. In this
work, we conduct a multi-dimensional and systematic study to track
cryptocurrency-related illicit activities and campaigns on the dark web. We
first harvest a dataset of 4,923 cryptocurrency-related onion sites with over
130K pages. Then, we detect and extract the illicit blockchain transactions to
characterize the cryptocurrency abuses, targeting features from
single/clustered addresses and illicit campaigns. Throughout our study, we have
identified 2,564 illicit sites with 1,189 illicit blockchain addresses, which
account for 90.8 BTC in revenue. Based on their inner connections, we further
identify 66 campaigns behind them. Our exploration suggests that illicit
activities on the dark web have strong correlations, which can guide us to
identify new illicit blockchain addresses and onions, and raise alarms at the
early stage of their deployment.
Gluon transverse momentum dependent correlators in polarized high energy processes
We investigate the gluon transverse momentum dependent correlators as Fourier transform of matrix elements of nonlocal operator combinations. At the operator level these correlators include both field strength operators and gauge links bridging the nonlocality. In contrast to the collinear PDFs, the gauge links are no longer unique for transverse momentum dependent PDFs (TMDs) and also Wilson loops lead to nontrivial effects. We look at gluon TMDs for unpolarized, vector and tensor polarized targets. In particular, single Wilson loop operators become important when one considers the small-x limit of gluon TMDs.
PPAndroid-Benchmarker: Benchmarking Privacy Protection Systems on Android Devices
Mobile devices are ubiquitous in today's digital world. While people enjoy the convenience brought by mobile devices, it has been proven that many mobile apps leak personal information without user consent or even awareness. That can occur due to many reasons, such as careless programming errors, intention of developers to collect private information, infection of innocent apps by malware, etc. Thus, the research community has proposed many methods and systems to detect privacy leakage and prevent such detected leakage on mobile devices. While it is obviously essential to evaluate the accuracy and effectiveness of privacy protection systems, we are not aware of any automated system that can benchmark performance of privacy protection systems on Android devices. In this paper, we report PPAndroid-Benchmarker, the first system of this kind, which can fairly benchmark any privacy protection systems dynamically (i.e., in run time) or statically. PPAndroid-Benchmarker has been released as an open-source tool and we believe that it will help the research community, developers and even end users to analyze, improve, and choose privacy protection systems on Android devices. We applied PPAndroid-Benchmarker in dynamic mode to 165 Android apps with some privacy protection features, selected from variant app markets and the research community, and showed effectiveness of the tool. We also illustrate two components of PPAndroid-Benchmarker on the design level, which are Automatic Test Apps Generator for benchmarking static analysis based tools and Reconfigurability Engine that allows any instance of PPAndroid-Benchmarker to be reconfigured including but not limited to adding and removing information sources and sinks. Furthermore, we give some insights about current status of mobile privacy protection and prevention in app markets based upon our analysis.