Do Android Taint Analysis Tools Keep Their Promises?
In recent years, researchers have developed a number of tools to conduct taint analysis of Android applications. While all the respective papers aim at providing a thorough empirical evaluation, comparability is hindered by varying or unclear evaluation targets. Sometimes, the apps used for evaluation are not precisely described. In other cases, authors use an established benchmark but cover it only partially. In yet other cases, the evaluations differ in terms of the data leaks searched for, or lack a ground truth to compare against. All those limitations make it impossible to truly compare the tools based on those published evaluations.

We thus present ReproDroid, a framework allowing the accurate comparison of Android taint analysis tools. ReproDroid supports researchers in inferring the ground truth for data leaks in apps, in automatically applying tools to benchmarks, and in evaluating the obtained results. We use ReproDroid to comparatively evaluate on equal grounds the six prominent taint analysis tools Amandroid, DIALDroid, DidFail, DroidSafe, FlowDroid and IccTA. The results are largely positive, although four tools violate some promises concerning features and accuracy. Finally, we contribute to the area of unbiased benchmarking with a new and improved version of the open test suite DroidBench.
Latent Class Linear Mixed Models: a general approach implemented via SAS macro with a tutorial for clinical researchers
Linear mixed models provide a flexible, intuitive method for analyzing repeated-measures data when the population being studied can be thought of as either a single population or as a set of known subpopulations. However, in many cases, the underlying subpopulations are not known. Furthermore, the factors that determine the subpopulations can be extremely complex or unmeasurable. In such cases, a different approach is required in order to more accurately analyze the data. The Latent Class Linear Mixed Model (LCLMM) combines the features of the linear mixed model (LMM) with an additional component, which partitions the population into subpopulations or latent classes. This model has usually been specified with relatively simple, restrictive assumptions. In this dissertation, the methods related to the LCLMM are extended to provide a more general model specification. Fixed effects may be specified as a combination of class-specific effects and across-class effects. Variances may be specified as being class-specific or equal across classes, a general correlation structure for the random effects is permitted, and multiple residual error variances may be fit. The bound proposed by Hathaway [1985] on the variances to ensure consistency is examined in the context of mixtures of linear mixed models. Class membership probabilities may be specified in one of two ways: via a logistic regression model, or using our proposed method in which class membership is estimated based on the relative fit of the underlying linear mixed models. These methods are implemented in a new SAS® macro which offers several options for estimation. In addition to an EM algorithm, gradient-based methods, including quasi-Newton, as well as Hessian-based methods, such as Newton-Raphson, are available to the user. Parameter standard errors are estimated, and predictions of the random effects are derived and calculated.

Practical issues, including choosing the number of latent classes and estimation method, are discussed and guidelines are provided based on simulation studies. The stability and advantage of the proposed methods are also examined via simulation study. Finally, our methods are applied to several simple simulated datasets as well as to three real-world applications to illustrate their usefulness for practical applications.
ACMiner: Extraction and Analysis of Authorization Checks in Android's Middleware
Billions of users rely on the security of the Android platform to protect phones, tablets, and many different types of consumer electronics. While Android's permission model is well studied, the enforcement of the protection policy has received relatively little attention. Much of this enforcement is spread across system services, taking the form of hard-coded checks within their implementations. In this paper, we propose Authorization Check Miner (ACMiner), a framework for evaluating the correctness of Android's access control enforcement through consistency analysis of authorization checks. ACMiner combines program and text analysis techniques to generate a rich set of authorization checks, mines the corresponding protection policy for each service entry point, and uses association rule mining at a service granularity to identify inconsistencies that may correspond to vulnerabilities. We used ACMiner to study the AOSP version of Android 7.1.1 to identify 28 vulnerabilities relating to missing authorization checks. In doing so, we demonstrate ACMiner's ability to help domain experts process thousands of authorization checks scattered across millions of lines of code.
VFCFinder: Seamlessly Pairing Security Advisories and Patches
Security advisories are the primary channel of communication for discovered vulnerabilities in open-source software, but they often lack crucial information. Specifically, 63% of vulnerability database reports are missing their patch links, also referred to as vulnerability fixing commits (VFCs). This paper introduces VFCFinder, a tool that generates the top-five ranked set of VFCs for a given security advisory using Natural Language-Programming Language (NL-PL) models. VFCFinder yields a 96.6% recall for finding the correct VFC within the Top-5 commits, and an 80.0% recall for the Top-1 ranked commit. VFCFinder generalizes to nine different programming languages and outperforms state-of-the-art approaches by 36 percentage points in terms of Top-1 recall. As a practical contribution, we used VFCFinder to backfill over 300 missing VFCs in the GitHub Security Advisory (GHSA) database. All of the VFCs were accepted and merged into the GHSA database. In addition to demonstrating a practical pairing of security advisories to VFCs, our general open-source implementation will allow vulnerability database maintainers to drastically improve data quality, supporting efforts to secure the software supply chain.
Ouachita hosts “Between the Shadow and the Light: An Exhibit Out of South Africa” international traveling art exhibit through Feb. 23
Ouachita Baptist University’s Sutton School of Social Sciences is hosting the final U.S. stop of the international traveling exhibit, “Between the Shadow and the Light: An Exhibit Out of South Africa,” on Ouachita’s campus. It is the largest exhibit to show on Ouachita’s campus to date, spanning Mabee Fine Arts Center’s Hammons Gallery as well as Moses-Provine Hall’s Rosemary Gossett Adams Galleries. The exhibit will be on display through Feb. 23 and is free and open to the public.
S3C2 Summit 2023-06: Government Secure Supply Chain Summit
Recent years have shown increased cyber attacks targeting less secure elements in the software supply chain and causing fatal damage to businesses and organizations. Past well-known examples of software supply chain attacks are the SolarWinds or log4j incidents that have affected thousands of customers and businesses. The US government and industry are equally interested in enhancing software supply chain security. On June 7, 2023, researchers from the NSF-supported Secure Software Supply Chain Center (S3C2) conducted a Secure Software Supply Chain Summit with a diverse set of 17 practitioners from 13 government agencies. The goal of the Summit was two-fold: (1) to share our observations from our previous two summits with industry, and (2) to enable sharing between individuals at the government agencies regarding practical experiences and challenges with software supply chain security. For each discussion topic, we presented our observations and take-aways from the industry summits to spur conversation. We specifically focused on Executive Order 14028, software bills of materials (SBOMs), choosing new dependencies, provenance and self-attestation, and large language models. The open discussions enabled mutual sharing and shed light on common challenges that government agencies see as impacting government and industry practitioners when securing their software supply chain. In this paper, we provide a summary of the Summit.