
Systematic Mutation-Based Evaluation of the Soundness of Security-Focused Android Static Analysis Techniques

Amit Seal Ami, Kaushal Kafle, Kevin Moran, Adwait Nadkarni, Denys Poshyvanyk
2021 ACM Transactions on Privacy and Security  
This article describes the Mutation-Based Soundness Evaluation (μSE) framework, which systematically evaluates Android static analysis tools to discover, document, and fix flaws, by leveraging the well-founded  ...  However, existing tools, and specifically, static analysis tools, trade soundness of the analysis for precision and performance and are hence soundy.  ...  ACKNOWLEDGMENTS We thank the developers of the evaluated tools for making their tools available to the community, and for being open to suggestions.  ... 
doi:10.1145/3439802 fatcat:jij564rmn5akhdpqdk5pzdempi

Discovering Flaws in Security-Focused Static Analysis Tools for Android using Systematic Mutation [article]

Richard Bonett, Kaushal Kafle, Kevin Moran, Adwait Nadkarni, Denys Poshyvanyk
2018 arXiv   pre-print
This paper proposes the Mutation-based soundness evaluation (μSE) framework, which systematically evaluates Android static analysis tools to discover, document, and fix flaws, by leveraging the well-founded  ...  However, existing tools, and specifically, static analysis tools, trade soundness of the analysis for precision and performance, and are hence soundy.  ...  We thank the FlowDroid developers, as well as the developers of the other tools we evaluate in this paper, for making their tools available to the community, providing us with the necessary information  ... 
arXiv:1806.09761v2 fatcat:2qfojo6c7veavmrgwliulbui5i

Why Crypto-detectors Fail: A Systematic Evaluation of Cryptographic Misuse Detection Techniques [article]

Amit Seal Ami, Nathan Cooper, Kaushal Kafle, Kevin Moran, Denys Poshyvanyk, Adwait Nadkarni
2021 arXiv   pre-print
This paper presents the MASC framework, which enables a systematic and data-driven evaluation of crypto-detectors using mutation testing.  ...  We develop 12 generalizable usage-based mutation operators and three mutation scopes that can expressively instantiate thousands of compilable variants of the misuse cases for thoroughly evaluating crypto-detectors  ...  ACKNOWLEDGMENT We thank the developers of the evaluated tools for making their tools available to the community, and for being open to discussion, suggestions, and improvements.  ... 
arXiv:2107.07065v4 fatcat:dae4vcxftjhftpiafpuur7vr4a

Mystique

Guozhu Meng, Yinxing Xue, Chandramohan Mahinthan, Annamalai Narayanan, Yang Liu, Jie Zhang, Tieming Chen
2016 Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security - ASIA CCS '16  
Thus, it is desired to conduct a systematic investigation and evaluation of anti-malware solutions and tools based on different attacks and evasion techniques.  ...  With the help of MYSTIQUE, we conduct experiments to 1) understand Android malware and the associated attack features as well as evasion techniques; 2) evaluate and compare the 57 off-the-shelf anti-malware  ...  This work is also sponsored by the National Science Foundation of China (No. 61572349, 61272106) .  ... 
doi:10.1145/2897845.2897856 dblp:conf/ccs/MengXCN0ZC16 fatcat:ssubdviipffe3k5lc7ue2evzu4

Automated Testing of Android Apps: A Systematic Literature Review

Pingfan Kong, Li Li, Jun Gao, Kui Liu, Tegawende F. Bissyande, Jacques Klein
2018 IEEE Transactions on Reliability  
In this paper, we aim at providing a clear overview of the state-of-the-art works around the topic of Android app testing, in an attempt to highlight the main trends, pinpoint the main methodologies applied  ...  Given the widespread adoption of Android and the specificities of its development model, the literature has proposed various testing approaches for ensuring that not only functional requirements but also  ...  Compared to the distribution of the number of evaluated apps summarized in an SLR of static analysis of Android apps [22], where the median and maximum numbers are respectively 374 and 318,515, far  ... 
doi:10.1109/tr.2018.2865733 fatcat:rshkb3a3ajev5gce3crha5netm

A Mutation Framework for Evaluating Security Analysis tools in IoT Applications [article]

Manar H. Alalfi, Sajeda Parveen, Bara Nazzal
2021 arXiv   pre-print
First, we propose a set of mutational operators tailored to evaluate three types of sensitivity analysis, flow, path and context sensitivity.  ...  Hence, this paper presents an automated framework to evaluate taint-flow analysis tools in the domain of IoT applications.  ...  [41] presented the Mutation-based soundness evaluation (µSE) framework, which systematically evaluates Android static analysis tools to discover, document, and fix flaws and that by leveraging the well-founded  ... 
arXiv:2110.05562v1 fatcat:g7epw34mvjb25dasqhzbk4chve

Exploring Software Security Test Generation Techniques: Challenges and Opportunities

Mamdouh Alenezi, Mohammed Akour, Hamid Abdul Basit
2021 International Journal of Education and Information Technologies  
Moreover, this paper aims to depict the sound of security in the current state of the art of test case generation.  ...  The process of ensuring the security of software includes the introduction of processes in the Software Development Life Cycle where one of them is testing after the software is developed.  ...  [62] try to combine dynamic and static analysis in order to find security weaknesses in Java based applications.  ... 
doi:10.46300/9109.2021.15.11 fatcat:jfrdf2fi4zdo7mv7jbz5hot3aa

Security analysis of permission re-delegation vulnerabilities in Android apps

Biniam Fisseha Demissie, Mariano Ceccato, Lwin Khin Shar
2020 Empirical Software Engineering  
If that is the case, it generates test cases to detect the vulnerabilities. We evaluated the vulnerability detection capability of our approach based on 1,258 official apps and 20 mutated apps.  ...  We also compared our approach with two static analysis-based approaches — Covert and IccTA — based on 595 open source apps.  ...  Acknowledgements The content of this paper is part of the PhD thesis of the first author Biniam Fisseha Demissie.  ... 
doi:10.1007/s10664-020-09879-8 fatcat:ephbimiylndmrmz7xqtavnvy4i

Mutation Testing Advances: An Analysis and Survey [chapter]

Mike Papadakis, Marinos Kintis, Jie Zhang, Yue Jia, Yves Le Traon, Mark Harman
2018 Advances in Computers  
Mutation is typically used as a way to evaluate the adequacy of test suites, to guide the generation of test cases and to support experimentation.  ...  Mutation testing realises the idea of using artificial defects to support testing activities.  ...  [28] (in 2014), a systematic mapping of mutation-based test generation by Souza et al.  ... 
doi:10.1016/bs.adcom.2018.03.015 fatcat:5xmuznmnd5ea7larfbdlvmvyeq

An Automated Approach for Privacy Leakage Identification in IoT Apps [article]

Bara' Nazzal, Manar H. Alalfi
2022 arXiv   pre-print
This paper presents a fully automated static analysis approach and a tool, Taint-Things, for the identification of tainted flows in SmartThings IoT apps.  ...  Our approach reports potential vulnerable tainted flows in the form of a concise security slice, where the relevant parts of the code are given with the lines affecting the sensitive information, which could  ...  [25] to evaluate taint analysis tools for IoT applications using a mutation-based framework. The analysis evaluated Taint-Things with another two tools, SaINT and FlowsMiner.  ... 
arXiv:2202.02895v1 fatcat:r7nh2wk4xrcgzi3l4okssiiopi

Self-protection of Android systems from inter-component communication attacks

Mahmoud Hammad, Joshua Garcia, Sam Malek
2018 Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering - ASE 2018  
While the above techniques rely on static program analysis to detect security risks and prevent them at runtime, another set of approaches leverages dynamic analysis techniques to detect and prevent security  ...  SEALANT is a technique that combines static analysis with dynamic monitoring to detect security vulnerabilities in Android apps and prevent ICC attacks.  ...  Specifically, our selected features leverage categorized Android API usage, reflection-based features, and features from native binaries of apps.  ... 
doi:10.1145/3238147.3238207 dblp:conf/kbse/HammadGM18 fatcat:qht4e54ehjfltlht6wjuwzsata

A Survey of Security Vulnerability Analysis, Discovery, Detection, and Mitigation on IoT Devices

Miao Yu, Jianwei Zhuge, Ming Cao, Zhiwei Shi, Lin Jiang
2020 Future Internet  
Finally, we forecast and discuss the research directions on vulnerability analysis techniques of IoT devices.  ...  With it, security vulnerabilities of IoT devices are emerging endlessly. The proliferation of security vulnerabilities will bring severe risks to users' privacy and property.  ...  Through the above investigations, we find that the current study focuses on IoT security issues and lacks analysis techniques.  ... 
doi:10.3390/fi12020027 fatcat:rbg5eyfvj5h7lezzzyiyhjrpci

Kobold: Evaluating Decentralized Access Control for Remote NSXPC Methods on iOS

Luke Deshotels, Costin Carabas, Jordan Beichler, Razvan Deaconescu, William Enck
2020 2020 IEEE Symposium on Security and Privacy (SP)  
In this paper, we present the Kobold framework to study NSXPC-based system services using a combination of static and dynamic analysis.  ...  Apple uses several access control mechanisms to prevent third party applications from directly accessing security sensitive resources, including sandboxing and file access control.  ...  Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the funding agencies.  ... 
doi:10.1109/sp40000.2020.00023 dblp:conf/sp/DeshotelsCBDE20 fatcat:d5ktavl3cnhxlfwavvrcs5xury

A Survey of Context Simulation for Testing Mobile Context-Aware Applications

Chu Luo, Jorge Goncalves, Eduardo Velloso, Vassilis Kostakos
2020 ACM Computing Surveys  
This article aims to give a comprehensive overview of the state-of-the-art context simulation methods for testing mobile context-aware applications.  ...  Accordingly, researchers have proposed diverse context simulation techniques to enable low-cost and effective tests, instead of conducting costly and time-consuming real-world experiments.  ...  Eduardo Velloso is the recipient of an Australian Research Council Discovery Early Career Award (Project Number: DE180100315).  ... 
doi:10.1145/3372788 fatcat:mpkgpye24jetbkep7hh2bkjf7y

Mining Android crash fixes in the absence of issue- and change-tracking systems

Pingfan Kong, Li Li, Jun Gao, Tegawendé F. Bissyandé, Jacques Klein
2019 Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis - ISSTA 2019  
This often arises from the misuse of Android framework APIs, making it harder to debug since official Android documentation does not discuss thoroughly potential exceptions. Recently, the program repair  ...  Finally, we release ReCBench, a benchmark consisting of 200 crashed apks and the crash replication scripts, which the community can explore for evaluating generated crash-inducing bug patches.  ...  For example, researchers have used static taint analysis to discover privacy leaks in Android apps [4] and leveraged model checking techniques to verify Android apps in terms of their security properties  ... 
doi:10.1145/3293882.3330572 dblp:conf/issta/KongLGBK19 fatcat:5mhibuftsfdxrhb6d6u3pyztme