230 research outputs found
Security Code Smells in Android ICC
Android Inter-Component Communication (ICC) is complex, largely unconstrained, and hard for developers to understand. As a consequence, ICC is a common source of security vulnerabilities in Android apps. To promote secure programming practices, we have reviewed related research and identified avoidable ICC vulnerabilities in Android-run devices and the security code smells that indicate their presence. We explain the vulnerabilities and their corresponding smells, and we discuss how they can be eliminated or mitigated during development. We present a lightweight static analysis tool built on top of Android Lint that analyzes the code under development and provides just-in-time feedback within the IDE about the presence of such smells in the code. Moreover, with the help of this tool we study the prevalence of security code smells in more than 700 open-source apps, and manually inspect around 15% of the apps to assess the extent to which identifying such smells uncovers ICC security vulnerabilities.
Comment: Accepted on 28 Nov 2018, Empirical Software Engineering Journal (EMSE), 201
Investigation of commuting Hamiltonian in quantum Markov network
Graphical models have various applications in science and engineering, including physics, bioinformatics, and telecommunication. Using graphical models requires complex computations to evaluate marginal functions, so a number of powerful methods exist for this purpose, including mean field approximation and the belief propagation algorithm. Quantum graphical models have recently been developed in the context of quantum information and computation and quantum statistical physics, which is made possible by generalizing classical probability theory to quantum theory. The main goal of this paper is to prepare a preliminary generalization of the Markov network, as a type of graphical model, to the quantum case and to apply it in quantum statistical physics. We have investigated the Markov network and the role of commuting Hamiltonian terms in conditional independence with simple examples from quantum statistical physics.
Comment: 11 pages, 8 figures
Towards Actionable Visualization for Software Developers
Abundant studies have shown that visualization is advantageous for software developers, yet adopting visualization during software development is not a common practice due to the large effort involved in finding an appropriate visualization. Developers require support to facilitate that task. Among 368 papers in SOFTVIS/VISSOFT venues, we identify 86 design study papers about the application of visualization to relieve concerns in software development. We extract from these studies the task, need, audience, data source, representation, medium and tool, and we characterize them according to the subject, process and problem domain. On the one hand, we support software developers in putting visualization into action by mapping existing visualization techniques to particular needs from different perspectives. On the other hand, we highlight the problem domains that are overlooked in the field and need more support.
Crypto Experts Advise What They Adopt
Previous studies have shown that developers regularly seek advice on online forums to resolve their cryptography issues. We investigated whether users who are active in cryptography discussions also use cryptography in practice. We collected the top 1 of responders who have participated in crypto discussions on Stack Overflow, and we manually analyzed their crypto contributions to open source projects on GitHub. We could identify 319 GitHub profiles that belonged to such crypto responders and found that 189 of them used cryptography in their projects. Further investigation revealed that the majority of analyzed users (i.e., 85) use the same programming languages for crypto activity on Stack Overflow and crypto contributions on GitHub. Moreover, 90 of the analyzed users employed the same concept of cryptography in their projects as they advised about on Stack Overflow.
CryptoExplorer: An Interactive Web Platform Supporting Secure Use of Cryptography APIs
Research has shown that cryptographic APIs are hard to use. Consequently, developers resort to using code examples available in online information sources that are often not secure. We have developed a web platform, named CryptoExplorer, stocked with numerous real-world secure and insecure examples that developers can explore to learn how to use cryptographic APIs properly. This platform currently provides 3,263 secure uses and 5,897 insecure uses of the Java Cryptography Architecture mined from 2,324 Java projects on GitHub. A preliminary study shows that CryptoExplorer provides developers with secure crypto API use examples instantly, that developers can save time compared to searching the internet for such examples, and that they learn to avoid using certain algorithms in APIs by studying misused API examples. We have a pipeline to regularly mine more projects, and, on request, we offer our dataset to researchers.
Comment: 27th IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). London, Ontario, Canada, February 18-21, 202