121 research outputs found

    Do Android Taint Analysis Tools Keep Their Promises?

    In recent years, researchers have developed a number of tools to conduct taint analysis of Android applications. While all the respective papers aim at providing a thorough empirical evaluation, comparability is hindered by varying or unclear evaluation targets. Sometimes, the apps used for evaluation are not precisely described. In other cases, authors use an established benchmark but cover it only partially. In yet other cases, the evaluations differ in terms of the data leaks searched for, or lack a ground truth to compare against. All those limitations make it impossible to truly compare the tools based on those published evaluations. We thus present ReproDroid, a framework allowing the accurate comparison of Android taint analysis tools. ReproDroid supports researchers in inferring the ground truth for data leaks in apps, in automatically applying tools to benchmarks, and in evaluating the obtained results. We use ReproDroid to comparatively evaluate on equal grounds the six prominent taint analysis tools Amandroid, DIALDroid, DidFail, DroidSafe, FlowDroid and IccTA. The results are largely positive although four tools violate some promises concerning features and accuracy. Finally, we contribute to the area of unbiased benchmarking with a new and improved version of the open test suite DroidBench.

    Latent Class Linear Mixed Models: a general approach implemented via SAS macro with a tutorial for clinical researchers

    Linear mixed models provide a flexible, intuitive method for analyzing repeated-measures data when the population being studied can be thought of as either a single population or as a set of known subpopulations. However, in many cases, the underlying subpopulations are not known. Furthermore, the factors that determine the subpopulations can be extremely complex or unmeasurable. In such cases, a different approach is required in order to more accurately analyze the data. The Latent Class Linear Mixed Model (LCLMM) combines the features of the linear mixed model (LMM) with an additional component, which partitions the population into subpopulations or latent classes. This model has usually been specified with relatively simple, restrictive assumptions. In this dissertation, the methods related to the LCLMM are extended to provide a more general model specification. Fixed-effects may be specified as a combination of class-specific effects and across-class effects. Variances may be specified as being class-specific or equal across classes, a general correlation structure for the random effects is permitted, and multiple residual error variances may be fit. The bound proposed by Hathaway [1985] on the variances to ensure consistency is examined in the context of mixtures of linear mixed models. Class membership probabilities may be specified in one of two ways: via a logistic regression model or using our proposed method in which class membership is estimated based on the relative fit of the underlying linear mixed models. These methods are implemented in a new SAS® macro which offers several options for estimation. In addition to an EM algorithm, gradient-based methods, including quasi-Newton, as well as Hessian-based methods, such as Newton-Raphson, are available to the user. Parameter standard errors are estimated, and predictions of the random effects are derived and calculated. Practical issues, including choosing the number of latent classes and estimation method, are discussed and guidelines are provided based on simulation studies. The stability and advantage of the proposed methods are also examined via simulation study. Finally, our methods are applied to several simple simulated datasets as well as to three real-world applications to illustrate their usefulness for practical applications.

    ACMiner: Extraction and Analysis of Authorization Checks in Android's Middleware

    Billions of users rely on the security of the Android platform to protect phones, tablets, and many different types of consumer electronics. While Android's permission model is well studied, the enforcement of the protection policy has received relatively little attention. Much of this enforcement is spread across system services, taking the form of hard-coded checks within their implementations. In this paper, we propose Authorization Check Miner (ACMiner), a framework for evaluating the correctness of Android's access control enforcement through consistency analysis of authorization checks. ACMiner combines program and text analysis techniques to generate a rich set of authorization checks, mines the corresponding protection policy for each service entry point, and uses association rule mining at a service granularity to identify inconsistencies that may correspond to vulnerabilities. We used ACMiner to study the AOSP version of Android 7.1.1 to identify 28 vulnerabilities relating to missing authorization checks. In doing so, we demonstrate ACMiner's ability to help domain experts process thousands of authorization checks scattered across millions of lines of code.

    VFCFinder: Seamlessly Pairing Security Advisories and Patches

    Security advisories are the primary channel of communication for discovered vulnerabilities in open-source software, but they often lack crucial information. Specifically, 63% of vulnerability database reports are missing their patch links, also referred to as vulnerability fixing commits (VFCs). This paper introduces VFCFinder, a tool that generates the top-five ranked set of VFCs for a given security advisory using Natural Language Programming Language (NL-PL) models. VFCFinder yields a 96.6% recall for finding the correct VFC within the Top-5 commits, and an 80.0% recall for the Top-1 ranked commit. VFCFinder generalizes to nine different programming languages and outperforms state-of-the-art approaches by 36 percentage points in terms of Top-1 recall. As a practical contribution, we used VFCFinder to backfill over 300 missing VFCs in the GitHub Security Advisory (GHSA) database. All of the VFCs were accepted and merged into the GHSA database. In addition to demonstrating a practical pairing of security advisories to VFCs, our general open-source implementation will allow vulnerability database maintainers to drastically improve data quality, supporting efforts to secure the software supply chain.

    Ouachita hosts “Between the Shadow and the Light: An Exhibit Out of South Africa” international traveling art exhibit through Feb. 23

    Ouachita Baptist University’s Sutton School of Social Sciences is hosting the final U.S. stop of the international traveling exhibit, “Between the Shadow and the Light: An Exhibit Out of South Africa,” on Ouachita’s campus. It is the largest exhibit to show on Ouachita’s campus to date, spanning Mabee Fine Arts Center’s Hammons Gallery as well as Moses-Provine Hall’s Rosemary Gossett Adams Galleries. The exhibit will be on display through Feb. 23 and is free and open to the public.

    S3C2 Summit 2023-06: Government Secure Supply Chain Summit

    Recent years have shown increased cyber attacks targeting less secure elements in the software supply chain and causing fatal damage to businesses and organizations. Past well-known examples of software supply chain attacks are the SolarWinds or log4j incidents that have affected thousands of customers and businesses. The US government and industry are equally interested in enhancing software supply chain security. On June 7, 2023, researchers from the NSF-supported Secure Software Supply Chain Center (S3C2) conducted a Secure Software Supply Chain Summit with a diverse set of 17 practitioners from 13 government agencies. The goal of the Summit was two-fold: (1) to share our observations from our previous two summits with industry, and (2) to enable sharing between individuals at the government agencies regarding practical experiences and challenges with software supply chain security. For each discussion topic, we presented our observations and take-aways from the industry summits to spur conversation. We specifically focused on the Executive Order 14028, software bill of materials (SBOMs), choosing new dependencies, provenance and self-attestation, and large language models. The open discussions enabled mutual sharing and shed light on common challenges that government agencies see as impacting government and industry practitioners when securing their software supply chain. In this paper, we provide a summary of the Summit.
    Comment: arXiv admin note: text overlap with arXiv:2307.16557, arXiv:2307.1564