839 research outputs found

    Towards a unified software attack model to assess software protections

    Attackers can tamper with programs to break usage conditions. Different software protection techniques have been proposed to limit the possibility of tampering. Some of them just limit the possibility to understand the (binary) code, others react more actively when a change attempt is detected. However, the validation of the software protection techniques has always been conducted without taking into consideration a unified process adopted by attackers to tamper with programs. In this paper we present an extension of the mini-cycle of change, initially proposed to model the process of changing programs for maintenance, to describe the process faced by an attacker to defeat software protections. This paper also shows how this new model should support a developer when considering what are the most appropriate protections to deplo

    Substitution and complementarity patterns between traditional transport means and car sharing: a person and trip level analysis

    Car sharing is a new transport mode which combines characteristics of private and collective traditional transport means. Understanding the relationship of this mode with existing ones is very important for policy makers to create an efficient transport system and to properly address public resources. This paper aims to analyze the interaction of car sharing with the existing offer of competing modes, using data from a specific travel survey administered in the city of Turin, where both free-floating and one-way station based car sharing services are offered. All transport modes operating in the study area were considered. Bivariate models were estimated to study the propensity to have a car sharing subscription and the substitution patterns between different travel means for a representative random sample of trips taken by the Turin population. Results show that the current car sharing system is perceived as efficient and useful; car sharing members are young males, living in high-income and low-size household with, in particular, a high number of workers and low number of available cars; moreover, the presence of private parking near home has a strong negative impact. There is evidence that car sharing can substitute car driving trips, while the evidence that the same can happen with biking and walking trips is not supported by models but only marginally seen from descriptive statistics. There is also some complementarity between car sharing and public transport and a strong complementarity between car sharing and bike sharing, so that policy makers should jointly promote those modes

    Evaluating car-sharing switching rates from traditional transport means through logit models and Random Forest classifiers

    Positive impacts of car-sharing, such as reductions in car ownership, congestion, vehicle-miles-traveled and greenhouse gas emissions, have been extensively analyzed. However, these benefits are not fully effective if car-sharing subtracts travel demand from existing sustainable modes. This paper evaluates substitution rates of car-sharing against private cars and public transport using a Random Forest classifier and Binomial Logit model. The models were calibrated and validated using a stated-preference travel survey and applied to a revealed-preference survey, both administered to a representative sample of the population living in Turin (Italy). Results of the two models show that the predictive power of both models is comparable, albeit the Logit model tends to estimate predictions with a higher reliability and the Random Forest model produces higher positive switches towards car-sharing. However, results from both models suggest that the substitution rate of private cars is, on average, almost five times that of public transport

    Increased Risk Taking in Relation to Chronic Stress in Adults

    Chronic stress is a public health problem that affects a significant part of the population. While the physiological damage it causes is under ongoing scrutiny, its behavioral effects have been overlooked. This is one of the first studies to examine the relation between chronic stress and decision-making, using a standard lottery paradigm. We measured learning-independent risk taking in the gain domain through binary choices between financially incentivized lotteries. We then measured self-reported chronic stress with the Trier Inventory for the Assessment of Chronic Stress (TICS). We additionally collected hair samples in a subsample of volunteers, in order to quantify chronic cortisol exposure. We discovered a significant, positive correlation between self-reported chronic stress and risk taking that is stronger for women than for men. This confirms part of the findings in acute stress research that show a connection between higher stress and increased risk taking. However, unlike the biologically-based results from acute stress research, we did not identify a significant relation between hair cortisol and behavior. In line with previous literature, we found a clear gender difference in risk taking and self-reports: women generally take less risk and report slightly higher stress levels than men. We conclude that perceived chronic stress can impact behavior in risky situations

    Deep Reinforcement Learning for Black-box Testing of Android Apps

    The state space of Android apps is huge, and its thorough exploration during testing remains a significant challenge. The best exploration strategy is highly dependent on the features of the app under test. Reinforcement Learning (RL) is a machine learning technique that learns the optimal strategy to solve a task by trial and error, guided by positive or negative reward, rather than explicit supervision. Deep RL is a recent extension of RL that takes advantage of the learning capabilities of neural networks. Such capabilities make Deep RL suitable for complex exploration spaces such as that of Android apps. However, state-of-the-art, publicly available tools only support basic, Tabular RL. We have developed ARES, a Deep RL approach for black-box testing of Android apps. Experimental results show that it achieves higher coverage and fault revelation than the baselines, including state-of-the-art tools, such as TimeMachine and Q-Testing. We also investigated the reasons behind such performance qualitatively, and we have identified the key features of Android apps that make Deep RL particularly effective on them to be the presence of chained and blocking activities. Moreover, we have developed FATE to fine-tune the hyperparameters of Deep RL algorithms on simulated apps, since it is computationally expensive to carry it out on real apps

    Empirical assessment of the effort needed to attack programs protected with client/server code splitting

    Context. Code hardening is meant to fight malicious tampering with sensitive code executed on client hosts. Code splitting is a hardening technique that moves selected chunks of code from client to server. Although widely adopted, the effective benefits of code splitting are not fully understood and thoroughly assessed. Objective. The objective of this work is to compare non-protected code vs. code splitting protected code, considering two levels of the chunk size parameter, in order to assess the effectiveness of the protection - in terms of both attack time and success rate - and to understand the attack strategy and process used to overcome the protection. Method. We conducted an experiment with master students performing attack tasks on a small application hardened with different levels of protection. Students carried out their task working at the source code level. Results. We observed a statistically significant effect of code splitting on the attack success rate that, on the average, was reduced from 89% with unprotected clear code to 52% with the most effective protection. The protection variant that moved some small-sized code chunks turned out to be more effective than the alternative moving fewer but larger chunks. Different strategies were identified yielding different success rates. Moreover, we discovered that successful attacks exhibited different processes w.r.t. failed ones. Conclusions. We found empirical evidence of the effect of code splitting, assessed the relative magnitude, and evaluated the influence of the chunk size parameter. Moreover, we extracted the process used to overcome such obfuscation technique