SwePub

Result list for search "WFRF:(Le Traon Yves)"

  • Results 1-6 of 6
1.
  • Bonnaventure, William, et al. (author)
  • Confuzzion : a Java Virtual Machine Fuzzer for Type Confusion Vulnerabilities
  • 2021
  • In: 2021 IEEE 21st International Conference on Software Quality, Reliability and Security (QRS). - : IEEE. - 9781665458139 - 9781665458146 ; , pp. 586-597
  • Conference paper (peer-reviewed). Abstract:
    • Current Java Virtual Machine (JVM) fuzzers aim at generating syntactically valid Java programs, without targeting any particular use of the standard Java library. While effective, such fuzzers fail to discover specific kinds of bugs or vulnerabilities, such as type confusion, that are related to the standard API usage. To deal with this issue, we introduce a mutation-based feedback-guided black-box JVM fuzzer, called CONFUZZION. CONFUZZION, as the name suggests, targets security-relevant object-oriented flaws with a particular focus on type confusion vulnerabilities. We show that in less than 4 hours, on commodity hardware and without any predefined initialization seed, CONFUZZION automatically generates Java programs that reveal JVM vulnerabilities, i.e., the Common Vulnerabilities and Exposures CVE-2017-3272. We also show that state-of-the-art fuzzers or even traditional automatic testing techniques are not capable of detecting such faults, even after 48 hours of execution in the same environment. To the best of our knowledge, CONFUZZION is the first fuzzer able to detect JVM type confusion vulnerabilities.
2.
  • Elahi, Haroon, et al. (author)
  • A qualitative study of app acquisition and management
  • 2024
  • In: IEEE Transactions on Computational Social Systems. - : IEEE. - 2329-924X. ; 11:2, pp. 1907-1925
  • Journal article (peer-reviewed). Abstract:
    • Smartphone users rely on Apps for their daily lives but simultaneously struggle to protect their privacy and device security from potentially harmful and malicious Apps. However, scientific literature lacks in-depth studies mapping user struggles, factors undermining their efforts, and implications. We cover this gap by engaging 24 smartphone users in 44 interview sessions. We observe them performing different App acquisition and management tasks, seek explanations, and analyze collected data to make the following contributions. First, we develop a theoretical App acquisition and management model describing different phenomena involved in App acquisition and management in Android smartphones. Causal conditions of these phenomena and contexts, and intervening conditions influencing user strategies are discovered grounded in the data acquired through the interview sessions. It shows the challenges they face, the strategies they develop and use to deal with the faced challenges, and their consequences. Second, we systematically discover and relate different App acquisition and management concepts in 34 subcategories related to user struggles. None of the existing studies discovers, explains, and relates actual user behaviors involving this many factors in one place. Third, this research discovers six problems unaddressed by the literature: the usage of untrusted App repositories, mandatory and forced installations, the installation process changes, the Settings App complexities, the void contracts problem, and the psychological consequences of failure to protect privacy in Android phones. Finally, we provide general guidelines for users, App stores, developers, and regulators to assist them in enhancing privacy and security protection in the Android ecosystem.
3.
  • Koyuncu, Anil, et al. (author)
  • FixMiner : Mining relevant fix patterns for automated program repair
  • 2020
  • In: Empirical Software Engineering. - : Springer. - 1382-3256 .- 1573-7616. ; 25:3, pp. 1980-2024
  • Journal article (peer-reviewed). Abstract:
    • Patching is a common activity in software development. It is generally performed on a source code base to address bugs or add new functionalities. In this context, given the recurrence of bugs across projects, the associated similar patches can be leveraged to extract generic fix actions. While the literature includes various approaches leveraging similarity among patches to guide program repair, these approaches often do not yield fix patterns that are tractable and reusable as actionable input to APR systems. In this paper, we propose a systematic and automated approach to mining relevant and actionable fix patterns based on an iterative clustering strategy applied to atomic changes within patches. The goal of FixMiner is thus to infer separate and reusable fix patterns that can be leveraged in other patch generation systems. Our technique, FixMiner, leverages Rich Edit Script which is a specialized tree structure of the edit scripts that captures the AST-level context of the code changes. FixMiner uses different tree representations of Rich Edit Scripts for each round of clustering to identify similar changes. These are abstract syntax trees, edit actions trees, and code context trees. We have evaluated FixMiner on thousands of software patches collected from open source projects. Preliminary results show that we are able to mine accurate patterns, efficiently exploiting change information in Rich Edit Scripts. We further integrated the mined patterns to an automated program repair prototype, PAR(FixMiner), with which we are able to correctly fix 26 bugs of the Defects4J benchmark. Beyond this quantitative performance, we show that the mined fix patterns are sufficiently relevant to produce patches with a high probability of correctness: 81% of PAR(FixMiner)'s generated plausible patches are correct.
4.
  • Koyuncu, Anil, et al. (author)
  • iFixR : Bug Report driven Program Repair
  • 2019
  • In: ESEC/FSE'2019. - New York, NY, USA : ASSOC COMPUTING MACHINERY. ; , pp. 314-325
  • Conference paper (peer-reviewed). Abstract:
    • Issue tracking systems are commonly used in modern software development for collecting feedback from users and developers. An ultimate automation target of software maintenance is then the systematization of patch generation for user-reported bugs. Although this ambition is aligned with the momentum of automated program repair, the literature has, so far, mostly focused on generate-and-validate setups where fault localization and patch generation are driven by a well-defined test suite. On the one hand, however, the common (yet strong) assumption on the existence of relevant test cases does not hold in practice for most development settings: many bugs are reported without the available test suite being able to reveal them. On the other hand, for many projects, the number of bug reports generally outstrips the resources available to triage them. Towards increasing the adoption of patch generation tools by practitioners, we investigate a new repair pipeline, iFixR, driven by bug reports: (1) bug reports are fed to an IR-based fault localizer; (2) patches are generated from fix patterns and validated via regression testing; (3) a prioritized list of generated patches is proposed to developers. We evaluate iFixR on the Defects4J dataset, which we enriched (i.e., faults are linked to bug reports) and carefully-reorganized (i.e., the timeline of test-cases is naturally split). iFixR generates genuine/plausible patches for 21/44 Defects4J faults with its IR-based fault localizer. iFixR accurately places a genuine/plausible patch among its top-5 recommendation for 8/13 of these faults (without using future test cases in generation-and-validation).
5.
  • Sayar, Imen, et al. (author)
  • An in-depth study of Java deserialization remote-code execution exploits and vulnerabilities
  • 2023
  • In: ACM Transactions on Software Engineering and Methodology. - : ACM Digital Library. - 1049-331X .- 1557-7392. ; 32:1
  • Journal article (peer-reviewed). Abstract:
    • Nowadays, an increasing number of applications use deserialization. This technique, based on rebuilding the instance of objects from serialized byte streams, can be dangerous since it can open the application to attacks such as remote code execution (RCE) if the data to deserialize is originating from an untrusted source. Deserialization vulnerabilities are so critical that they are in OWASP's list of top 10 security risks for web applications. This is mainly caused by faults in the development process of applications and by flaws in their dependencies, i.e., flaws in the libraries used by these applications. No previous work has studied deserialization attacks in-depth: How are they performed? How are weaknesses introduced and patched? And for how long are vulnerabilities present in the codebase? To yield a deeper understanding of this important kind of vulnerability, we perform two main analyses: one on attack gadgets, i.e., exploitable pieces of code, present in Java libraries, and one on vulnerabilities present in Java applications. For the first analysis, we conduct an exploratory large-scale study by running 256515 experiments in which we vary the versions of libraries for each of the 19 publicly available exploits. Such attacks rely on a combination of gadgets present in one or multiple Java libraries. A gadget is a method which is using objects or fields that can be attacker-controlled. Our goal is to precisely identify library versions containing gadgets and to understand how gadgets have been introduced and how they have been patched. We observe that the modification of one innocent-looking detail in a class - such as making it public - can already introduce a gadget. Furthermore, we noticed that among the studied libraries, 37.5% are not patched, leaving gadgets available for future attacks. For the second analysis, we manually analyze 104 deserialization vulnerabilities CVEs to understand how vulnerabilities are introduced and patched in real-life Java applications. Results indicate that the vulnerabilities are not always completely patched or that a workaround solution is proposed. With a workaround solution, applications are still vulnerable since the code itself is unchanged.
6.
  • Souani, Badr, et al. (author)
  • Android malware detection using BERT
  • 2022
  • In: Applied cryptography and network security workshops. - Cham : Springer Nature. - 9783031168147 ; , pp. 575-591
  • Conference paper (peer-reviewed). Abstract:
    • In this paper, we propose two empirical studies to (1) detect Android malware and (2) classify Android malware into families. We first (1) reproduce the results of MalBERT using BERT models learning with Android application’s manifests obtained from 265k applications (vs. 22k for MalBERT) from the AndroZoo dataset in order to detect malware. The results of the MalBERT paper are excellent and hard to believe as a manifest only roughly represents an application, we therefore try to answer the following questions in this paper. Are the experiments from MalBERT reproducible? How important are Permissions for malware detection? Is it possible to keep or improve the results by reducing the size of the manifests? We then (2) investigate if BERT can be used to classify Android malware into families. The results show that BERT can successfully differentiate malware/goodware with 97% accuracy. Furthermore BERT can classify malware families with 93% accuracy. We also demonstrate that Android permissions are not what allows BERT to successfully classify and even that it does not actually need it.