Interactively Verifying Absence of Explicit Information Flows in Android Apps
Size: px
Start display at page:

Download "Interactively Verifying Absence of Explicit Information Flows in Android Apps"

Transcription

1 Interactively Verifying Absence of Explicit Information Flows in Android Apps Osbert Bastani, Saswat Anand, and Alex Aiken Stanford University OOPSLA 2015

2 Problem Google Play Store > 1 million apps on the store Lots of malware submitted Information leaks SMS Fraud Ransomware 2

3 Information Flow Analysis Finding Android malware using source to sink flows Information leak: location flows to Internet SMS Fraud: phone # used in SMS send Ransomware: network packets encrypt files 3

4 Standard Audits Nostatic information flow Too many false positives Light-weight static analysis Dynamic code loading Calls to undocumented APIs Dynamic analysis Information flows

5 Standard Audits Android App Light Static + Dynamic Analysis FNs Google Play

6 Dead Code Dead code can cause false positive information flows Global property (e.g., method with no caller) Examples Leaks in 3 rd party libraries Conservative assumptions about potential callbacks 6

7 Key Issue Hard to understand someone else s code No source code! Obfuscation Can we shift work to developer? 7

8 Developer Queries Program static analysis dead code points-to information flow sound, imprecise results 8

9 Developer Queries Program static analysis dead code points-to information flow sound, imprecise results potential dead code 9

10 Developer Queries Program static analysis dead code points-to information flow sound, imprecise results yes/no potential dead code 10

11 Developer Queries Program static analysis dead code points-to information flow sound, precise results yes/no potential dead code 11

12 Problem Developer may be adversarial Solution: Enforce response 12

13 Developer Queries Program static analysis dead code points-to information flow sound, imprecise results potential dead code 13

14 Developer Queries Program static analysis dead code points-to information flow sound, imprecise results yes potential dead code 14

15 Developer Queries Program static analysis dead code points-to information flow sound, precise results yes potential dead code 15

16 Developer Queries Program static analysis dead code points-to information flow sound, precise results delete confirmed dead code Program yes potential dead code 16

17 Developer Queries Program static analysis dead code points-to information flow sound, precise results potential dead code 17

18 Developer Queries Program static analysis dead code points-to information flow sound, precise results no potential dead code 18

19 Developer Queries Program static analysis dead code points-to information flow sound, precise results test case + no potential dead code 19

20 Developer Queries Program static analysis dead code points-to information flow no queries filter false positives sound, precise results test case + no potential dead code 20

21 Developer Queries: Cuts Cut Code that is (potentially) dead Removing the code breaks (potential) information flows Valid cut: Developer confirms that the cut is dead 21

22 Developer Queries: Cuts Android Framework getlatitude() sendhttp( ) App 22

23 Developer Queries: Cuts Android Framework getlatitude() sendhttp( ) App Potential Dead Code 23

24 Developer Queries: Cuts Android Framework getlatitude() sendhttp( ) not a cut App Potential Dead Code 24

25 Developer Queries: Cuts Android Framework getlatitude() sendhttp( ) cut App Potential Dead Code 25

26 Developer Queries: Cuts Android Framework getlatitude() sendhttp( ) min cut App Potential Dead Code 26

27 Developer Queries: Cuts Android Framework getlatitude() sendhttp( ) Invalid! min cut App Potential Dead Code 27

28 Developer Queries: Cuts Android Framework getlatitude() sendhttp( ) App Potential Dead Code 28

29 Developer Queries: Cuts Android Framework getlatitude() sendhttp( ) min cut App Potential Dead Code 29

30 Developer Queries: Cuts Android Framework getlatitude() sendhttp( ) Valid! min cut App Potential Dead Code 30

31 Developer Queries: Cuts Android Framework getlatitude() sendhttp( ) App Potential Dead Code 31

32 Developer Queries Developer query List of statements in cut Developer response Test case that executes reachable statements in the cut Why tests? Verifiable Developers routinely write tests Can seed with dynamic analysis Aid auditor 32

33 Interactive Verification Step 1: Sound static analysis Step 2: Find cut and query developer Step 3: Update potential dead code and repeat Step 4: Delete valid cut 33

34 Our Audits Android App Light Static + Dynamic Analysis + Cuts no cut Google Play

35 Finding Valid Cuts 35

36 Finding Valid Cuts 1. String lat = getlatitude(); 2. Runnable runmalice = 3. new Runnable() { 4. void run() { sendhttp(lat); } 5. }; 6. Runnable runbenign = 7. new Runnable() { 8. void run() {} 9. }; 10. runbenign.run(); 36

37 Finding Valid Cuts 1. String lat = getlatitude(); 2. Runnable runmalice = 3. new Runnable() { 4. void run() { sendhttp(lat); } 5. }; 6. Runnable runbenign = 7. new Runnable() { 8. void run() {} 9. }; 10. runbenign.run(); LOCATION SrcRef RefSink getlatitude.return sendhttp.arg INTERNET 37

38 Finding Valid Cuts 1. String lat = getlatitude(); 2. Runnable runmalice = 3. new Runnable() { 4. void run() { sendhttp(lat); } 5. }; 6. Runnable runbenign = 7. new Runnable() { 8. void run() {} 9. }; 10. runbenign.run(); LOCATION SrcRef Assign RefSink getlatitude.return lat sendhttp.arg INTERNET 38

39 Finding Valid Cuts 1. String lat = getlatitude(); 2. Runnable runmalice = 3. new Runnable() { 4. void run() { sendhttp(lat); } 5. }; 6. Runnable runbenign = 7. new Runnable() { 8. void run() {} 9. }; 10. runbenign.run(); LOCATION SrcRef Assign Assign RefSink getlatitude.return lat sendhttp.arg INTERNET 39

40 Finding Valid Cuts 1. String lat = getlatitude(); 2. Runnable runmalice = 3. new Runnable() { 4. void run() { sendhttp(lat); } 5. }; 6. Runnable runbenign = 7. new Runnable() { 8. void run() {} 9. }; 10. runbenign.run(); LOCATION SrcRef Assign Assign RefSink getlatitude.return lat sendhttp.arg INTERNET SrcSink 40

41 Finding Valid Cuts 1. String lat = getlatitude(); 2. Runnable runmalice = 3. new Runnable() { 4. void run() { sendhttp(lat); } 5. }; 6. Runnable runbenign = 7. new Runnable() { 8. void run() {} 9. }; 10. runbenign.run(); LOCATION SrcRef Assign Assign RefSink getlatitude.return lat sendhttp.arg INTERNET SrcSink 41

42 Finding Valid Cuts 1. String lat = getlatitude(); 2. Runnable runmalice = 3. new Runnable() { 4. void run() { sendhttp(lat); } 5. }; 6. Runnable runbenign = 7. new Runnable() { 8. void run() {} 9. }; 10. runbenign.run(); LOCATION SrcRef Assign Assign RefSink getlatitude.return lat sendhttp.arg INTERNET SrcSink 42

43 Finding Valid Cuts 1. String lat = getlatitude(); 2. Runnable runmalice = 3. new Runnable() { 4. void run() { sendhttp(lat); } 5. }; 6. Runnable runbenign = 7. new Runnable() { 8. void run() {} 9. }; 10. runbenign.run(); potentially dead LOCATION SrcRef Assign Assign RefSink getlatitude.return lat sendhttp.arg INTERNET SrcSink 43

44 Finding Valid Cuts 1. String lat = getlatitude(); 2. Runnable runmalice = 3. new Runnable() { 4. void run() { sendhttp(lat); } 5. }; 6. Runnable runbenign = 7. new Runnable() { 8. void run() {} 9. }; 10. runbenign.run(); potentially dead LOCATION getlatitude.return 1 lat 1 sendhttp.arg SrcRef Assign Assign RefSink INTERNET SrcSink 44

45 Finding Valid Cuts 1. String lat = getlatitude(); 2. Runnable runmalice = 3. new Runnable() { 4. void run() { sendhttp(lat); } 5. }; 6. Runnable runbenign = 7. new Runnable() { 8. void run() {} 9. }; 10. runbenign.run(); LOCATION getlatitude.return 1 lat 1 sendhttp.arg SrcRef Assign Assign RefSink INTERNET SrcSink 45

46 Finding Valid Cuts 1. String lat = getlatitude(); 2. Runnable runmalice = 3. new Runnable() { 4. void run() { sendhttp(lat); } 5. }; 6. Runnable runbenign = 7. new Runnable() { 8. void run() {} 9. }; 10. runbenign.run(); Invalid! LOCATION getlatitude.return 1 lat 1 sendhttp.arg SrcRef Assign Assign RefSink INTERNET SrcSink 46

47 Finding Valid Cuts 1. String lat = getlatitude(); 2. Runnable runmalice = 3. new Runnable() { 4. void run() { sendhttp(lat); } 5. }; 6. Runnable runbenign = 7. new Runnable() { 8. void run() {} 9. }; 10. runbenign.run(); LOCATION getlatitude.return 1 lat 1 sendhttp.arg SrcRef Assign Assign RefSink INTERNET SrcSink 47

48 Finding Valid Cuts 1. String lat = getlatitude(); 2. Runnable runmalice = 3. new Runnable() { 4. void run() { sendhttp(lat); } 5. }; 6. Runnable runbenign = 7. new Runnable() { 8. void run() {} 9. }; 10. runbenign.run(); LOCATION getlatitude.return lat 1 sendhttp.arg SrcRef Assign Assign RefSink INTERNET SrcSink 48

49 Finding Valid Cuts 1. String lat = getlatitude(); 2. Runnable runmalice = 3. new Runnable() { 4. void run() { sendhttp(lat); } 5. }; 6. Runnable runbenign = 7. new Runnable() { 8. void run() {} 9. }; 10. runbenign.run(); LOCATION getlatitude.return lat 1 sendhttp.arg SrcRef Assign Assign RefSink INTERNET SrcSink 49

50 Finding Valid Cuts 1. String lat = getlatitude(); 2. Runnable runmalice = 3. new Runnable() { 4. void run() { sendhttp(lat); } 5. }; 6. Runnable runbenign = 7. new Runnable() { 8. void run() {} 9. }; 10. runbenign.run(); Valid! LOCATION getlatitude.return lat 1 sendhttp.arg SrcRef Assign Assign RefSink INTERNET SrcSink 50

51 Finding Valid Cuts 1. String lat = getlatitude(); 2. Runnable runmalice = 3. new Runnable() { 4. void run() { throw new Error(); sendhttp(lat); } 5. }; 6. Runnable runbenign = 7. new Runnable() { 8. void run() {} 9. }; 10. runbenign.run(); 51

52 Multiple Cuts 52

53 Multiple Cuts What if a developer mistakenly answers yes? Might delete important code! 53

54 Multiple Cuts What if a developer mistakenly answers yes? Might delete important code! Solution: Multiple independent cuts Developer only needs to be right once! 54

55 Multiple Cuts 1. String lat = getlatitude(); 2. Runnable runmalice = 3. new Runnable() { 4. void run() { sendhttp(lat); } 5. }; 6. Runnable runbenign = 7. new Runnable() { 8. void run() {} 9. }; 10. runbenign.run(); LOCATION getlatitude.return 1 lat 1 sendhttp.arg SrcRef Assign Assign RefSink INTERNET SrcSink 55

56 Multiple Cuts 1. String lat = getlatitude(); 2. Runnable runmalice = 3. new Runnable() { 4. void run() { sendhttp(lat); } 5. }; 6. Runnable runbenign = 7. new Runnable() { 8. void run() {} 9. }; 10. runbenign.run(); LOCATION getlatitude.return 1 lat 1 sendhttp.arg SrcRef Assign Assign RefSink INTERNET SrcSink 56

57 Multiple Cuts 1. String lat = getlatitude(); 2. Runnable runmalice = 3. new Runnable() { 4. void run() { sendhttp(lat); } 5. }; 6. Runnable runbenign = 7. new Runnable() { 8. void run() {} 9. }; 10. runbenign.run(); LOCATION getlatitude.return lat 1 sendhttp.arg SrcRef Assign Assign RefSink INTERNET SrcSink 57

58 Multiple Cuts 1. String lat = getlatitude(); 2. Runnable runmalice = 3. new Runnable() { 4. void run() { sendhttp(lat); } 5. }; 6. Runnable runbenign = 7. new Runnable() { 8. void run() {} 9. }; 10. runbenign.run(); LOCATION getlatitude.return lat 1 sendhttp.arg SrcRef Assign Assign RefSink INTERNET SrcSink 58

59 Multiple Cuts 1. String lat = getlatitude(); 2. Runnable runmalice = 3. new Runnable() { 4. void run() { sendhttp(lat); } 5. }; 6. Runnable runbenign = 7. new Runnable() { 8. void run() {} 9. }; 10. runbenign.run(); Valid! LOCATION getlatitude.return lat 1 sendhttp.arg SrcRef Assign Assign RefSink INTERNET SrcSink 59

60 Multiple Cuts Program correct if any cut is valid Terminate only if every cut is reached 60

61 Experiments Ran tool on corpus of 78 Android apps Experiment 1: Recorded cut sizes Experiment 2: Interactively verified cuts

62 Cut sizes # Statements <5 kloc (16 Apps) 5-50 kloc (26 Apps) >50 kloc (36 Apps) All (78 Apps) Cut 1 Cut 2 62

63 Cut sizes # Statements <5 kloc (16 Apps) 5-50 kloc (26 Apps) >50 kloc (36 Apps) All (78 Apps) Cut 1 Cut 2 63

64 Cut sizes # Statements <5 kloc (16 Apps) 5-50 kloc (26 Apps) >50 kloc (36 Apps) All (78 Apps) Cut 1 Cut 2 64

65 Interactive Verification # Unverified Apps Remaining Cut 1 Cut 2 Cut 1 Cut 2 65

66 Interactive Verification # Unverified Apps Remaining Cut 1 Cut 2 Cut 1 Cut 2 Input 66

67 Interactive Verification # Unverified Apps Remaining Cut 1 Cut 2 Cut 1 Cut 2 Input Gen. cuts 67

68 Interactive Verification # Unverified Apps Remaining Input Gen. cuts Cut 1 Cut 2 Cut 1 Cut 2 Query developer (Iteration 1) 68

69 Interactive Verification # Unverified Apps Remaining Cut 1 Cut 2 Cut 1 Cut 2 Input Gen. cuts Query developer (Iteration 1) Gen. cuts 69

70 Interactive Verification # Unverified Apps Remaining Cut 1 Cut 2 Cut 1 Cut 2 Input Gen. cuts Query developer (Iteration 1) Gen. cuts Query developer (Iteration 2) 70

71 Interactive Verification # Unverified Apps Remaining Cut 1 Cut 2 Cut 1 Cut 2 Input Gen. cuts Query developer (Iteration 1) Gen. cuts Query developer (Iteration 2) Output 71

72 Summary Remove dead code with adversarial developer Step 1: Sound static analysis Step 2: Find cut and query developer Step 3: Update knowledge and repeat Step 4: Delete valid cut Experiments Discharged 11 out of 12 false positives Only 2 iterations needed 72

73 Conclusions Manual labor in automatic static analysis Filter false positives A little interaction goes a long way Discharged 11 out of 12 false positives due to dead code 73

74 Future Work Other sources of false positives Reflective method calls Implicit flows More complex security policies 74

75 References S. Arzt, et al. FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In PLDI, Y. Feng, S. Anand, I. Dillig, A. Aiken. Apposcopy: semantics based detection of Android malware through static analysis. In FSE, M. D. Ernst et al. Collaborative verification of information flow for a high-assurance app store. In CCS, I. Dillig, T. Dillig, A. Aiken. Automated error diagnosis using abductive inference. In PLDI, H. Zhu, T. Dillig, I. Dillig. Automated inference of library specifications for source-sink property verification. In APLAS, 2013.

76 Thanks!

Similar documents

BEYOND DEDUCTIVE INFERENCE IN PROGRAM ANALYSIS

BEYOND DEDUCTIVE INFERENCE IN PROGRAM ANALYSIS BEYOND DEDUCTIVE INFERENCE IN PROGRAM ANALYSIS A DISSERTATION SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE AND THE COMMITTEE ON GRADUATE STUDIES OF STANFORD UNIVERSITY IN PARTIAL FULFILLMENT OF THE

More information

Collaborative Verification of Information Flow for a High-Assurance App Store

Collaborative Verification of Information Flow for a High-Assurance App Store Collaborative Verification of Information Flow for a High-Assurance App Store Michael D. Ernst, René Just, Suzanne Millstein, Werner Dietl*, Stuart Pernsteiner, Franziska Roesner, Karl Koscher, Paulo Barros,

More information

Ripple: Reflection Analysis for Android Apps in Incomplete Information Environments

Ripple: Reflection Analysis for Android Apps in Incomplete Information Environments Ripple: Reflection Analysis for Android Apps in Incomplete Information Environments Yifei Zhang, Tian Tan, Yue Li and Jingling Xue Programming Languages and Compilers Group University of New South Wales

More information

The Checker Framework: pluggable static analysis for Java

The Checker Framework: pluggable static analysis for Java The Checker Framework: pluggable static analysis for Java http://checkerframework.org/ Werner Dietl University of Waterloo https://ece.uwaterloo.ca/~wdietl/ Joint work with Michael D. Ernst and many others.

More information

AFRL-RI-RS-TR

AFRL-RI-RS-TR AFRL-RI-RS-TR-2017-032 STATIC ANALYSIS OF MOBILE PROGRAMS STANFORD UNIVERSITY FEBRUARY 2017 FINAL TECHNICAL REPORT APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED STINFO COPY AIR FORCE RESEARCH LABORATORY

More information

Building a Next- Generation App Store. Jason Franklin Ph.D. Research Associate Stanford University

Building a Next- Generation App Store. Jason Franklin Ph.D. Research Associate Stanford University Building a Next- Generation App Store Jason Franklin Ph.D. jfrankli@cs.stanford.edu Research Associate Stanford University App Store: Promise Safe, Trusted, Centralized??! :)??! App Stores: Reality "Permissions

More information

Information-Flow Analysis of Android Applications in DroidSafe

Information-Flow Analysis of Android Applications in DroidSafe Information-Flow Analysis of Android Applications in DroidSafe Michael I. Gordon, Deokhwan Kim, Jeff Perkins, and Martin Rinard MIT CSAIL Limei Gilham Kestrel Institute Nguyen Nguyen Global InfoTek, Inc.

More information

Simplifying Loop Invariant Generation Using Splitter Predicates. Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University

Simplifying Loop Invariant Generation Using Splitter Predicates. Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Simplifying Loop Invariant Generation Using Splitter Predicates Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Loops and Loop Invariants Loop Head x = 0; while( x

More information

Program Analysis for Security

Program Analysis for Security CS 155 Spring 2016 Program Analysis for Security John Mitchell Acknowledgments: Lecture slides are from the Computer Security course thought by Dan Boneh at Stanford University. When slides are obtained

More information

Safety Checks and Semantic Understanding via Program Analysis Techniques

Safety Checks and Semantic Understanding via Program Analysis Techniques Safety Checks and Semantic Understanding via Program Analysis Techniques Nurit Dor Joint Work: EranYahav, Inbal Ronen, Sara Porat Goal Find properties of a program Anti-patterns that indicate potential

More information

Formal Security Analysis of Android Apps

Formal Security Analysis of Android Apps Formal Security Analysis of Android Apps Matteo Maffei S&P Security and Privacy Group Exploits extremely slow patching process Exploits OS vulnerabilities Breaks sandbox separation logic by notifications

More information

a bayesian approach to privacy enforcement in smartphones

a bayesian approach to privacy enforcement in smartphones USENIX Security, 2014 a bayesian approach to privacy enforcement in smartphones Omer Tripp!! IBM Research, NY!! Julia Rubin!! IBM Research, Haifa 1 motivation * http://hackread.com/android-malware-steals-credit-card-information/

More information

Detecting Advanced Android Malware by Data Flow Analysis Engine. Xu Hao & pll

Detecting Advanced Android Malware by Data Flow Analysis Engine. Xu Hao & pll Detecting Advanced Android Malware by Data Flow Analysis Engine Xu Hao & pll 2013.09 Content Background adfaer - Android Data Flow Analyzer Janus - Detect Reflection Experiment Future Work Android Security

More information

Programs that write themselves: Program synthesis for the masses. Yu Feng UT Austin

Programs that write themselves: Program synthesis for the masses. Yu Feng UT Austin Programs that write themselves: Program synthesis for the masses Yu Feng UT Austin New platforms impose demand for programming 2 New platforms impose demand for programming 2 New platforms impose demand

More information

Finding Clues For Your Secrets: Semantics-Driven, Learning-Based Privacy Discovery in Mobile Apps

Finding Clues For Your Secrets: Semantics-Driven, Learning-Based Privacy Discovery in Mobile Apps Finding Clues For Your Secrets: Semantics-Driven, Learning-Based Privacy Discovery in Mobile Apps Yuhong Nan, Zhemin Yang, Yuan Zhang, Donglai Zhu and Min Yang Fudan University Xiaofeng Wang Indiana University

More information

Module: Future of Secure Programming

Module: Future of Secure Programming Module: Future of Secure Programming Professor Trent Jaeger Penn State University Systems and Internet Infrastructure Security Laboratory (SIIS) 1 Programmer s Little Survey Problem What does program for

More information

Wanted: Students to participate in a user study

Wanted: Students to participate in a user study Wanted: Students to participate in a user study Requirements: Know how to use the Eclipse IDE Knowledge in Java development Knowledge of static analysis is not required, but it is a plus Time: 2-3 hours

More information

CSCE 548 Building Secure Software Software Analysis Basics

CSCE 548 Building Secure Software Software Analysis Basics CSCE 548 Building Secure Software Software Analysis Basics Professor Lisa Luo Spring 2018 Previous Class Ø Android Background Ø Two Android Security Problems: 1. Android App Repackaging o Very easy to

More information

Looking Forward: Challenges in Mobile Security. John Mitchell Stanford University

Looking Forward: Challenges in Mobile Security. John Mitchell Stanford University Looking Forward: Challenges in Mobile Security John Mitchell Stanford University Outline Mobile platform security SessionJuggler Using phone as authentication token SelectiveAuth Protecting resources on

More information

Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps

Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps FENGGUO WEI, University of South Florida SANKARDAS ROY, Bowling Green State University

More information

Module: Future of Secure Programming

Module: Future of Secure Programming Module: Future of Secure Programming Professor Trent Jaeger Penn State University Systems and Internet Infrastructure Security Laboratory (SIIS) 1 Programmer s Little Survey Problem What does program for

More information

Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps

Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps 1 Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps FENGGUO WEI, University of South Florida SANKARDAS ROY, Bowling Green State University

More information

Using DidFail to Analyze Flow of Sensitive Information in Sets of Android Apps

Using DidFail to Analyze Flow of Sensitive Information in Sets of Android Apps Using DidFail to Analyze Flow of Sensitive Information in Sets of Android Apps Will Klieber*, Lori Flynn*, Amar Bhosale, Limin Jia, and Lujo Bauer *presenting June 2015 Copyright 2015 Carnegie Mellon University

More information

Finding Errors in Multithreaded GUI Applications

Finding Errors in Multithreaded GUI Applications Finding Errors in Multithreaded GUI Applications Sai Zhang University of Washington Joint work with: Hao Lu, Michael D. Ernst GUIs are everywhere in modern software 2 Multithreading in GUI applications

More information

Secure Programming Lecture 15: Information Leakage

Secure Programming Lecture 15: Information Leakage Secure Programming Lecture 15: Information Leakage David Aspinall 21st March 2017 Outline Overview Language Based Security Taint tracking Information flow security by type-checking Summary Recap We have

More information

Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions

Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Lazaro Clapp, Saswat Anand, Alex Aiken Stanford University, USA Abstract We present a technique to mine explicit information

More information

Certificate reputation. Dorottya Papp

Certificate reputation. Dorottya Papp Certificate reputation Dorottya Papp Motivation Verification on a digital certificate does not reveal important factors Is it a fake certificate? (Hash collision) Was it mistakenly issued? (Comodo scandal)

More information

Gaps in Static Analysis Tool Capabilities. Providing World-Class Services for World-Class Competitiveness

Gaps in Static Analysis Tool Capabilities. Providing World-Class Services for World-Class Competitiveness Gaps in Static Analysis Tool Capabilities 1 Overview Gaps in Static Analysis tools as identified during the evaluation of five (5) commercially available static analysis tools Collaborative effort between

More information

X-Rays, not Passport Checks Information Flow Control Using JOANA

X-Rays, not Passport Checks Information Flow Control Using JOANA X-Rays, not Passport Checks Information Flow Control Using JOANA Gregor Snelting Presentation at SAP, 14.5.2014 KIT Universita t des Landes Baden-Wu rttemberg und nationales Großforschungszentrum in der

More information

Final report: Non-Interactive Zero Knowledge Protocol for Verifiable Computing

Final report: Non-Interactive Zero Knowledge Protocol for Verifiable Computing Final report: Non-Interactive Zero Knowledge Protocol for Verifiable Computing Part A abstract description of the project: In this project we implemented a zero knowledge protocol for verifiable computing.

More information

Lessons Learned in Static Analysis Tool Evaluation. Providing World-Class Services for World-Class Competitiveness

Lessons Learned in Static Analysis Tool Evaluation. Providing World-Class Services for World-Class Competitiveness Lessons Learned in Static Analysis Tool Evaluation 1 Overview Lessons learned in the evaluation of five (5) commercially available static analysis tools Topics Licensing Performance Measurement Limitations

More information

Verifying the Safety of Security-Critical Applications

Verifying the Safety of Security-Critical Applications Verifying the Safety of Security-Critical Applications Thomas Dillig Stanford University Thomas Dillig 1 of 31 Why Program Verification? Reliability and security of software is a huge problem. Thomas Dillig

More information

ReDroid: Prioritizing Data Flows and Sinks for App Security Transformation

ReDroid: Prioritizing Data Flows and Sinks for App Security Transformation FEAST 2017 ReDroid: Prioritizing Data Flows and Sinks for App Security Transformation Ke Tian*, Gang Tan^, Daphne Yao*, Barbara Ryder* *Department of Computer Science Virginia Tech ^Department of CSE Penn

More information

CMSC436: Fall 2013 Week 4 Lab

CMSC436: Fall 2013 Week 4 Lab CMSC436: Fall 2013 Week 4 Lab Objectives: Familiarize yourself with Android Permission and with the Fragment class. Create simple applications using different Permissions and Fragments. Once you ve completed

More information

Designing Robust Classes

Designing Robust Classes Designing Robust Classes Learning Goals You must be able to:! specify a robust data abstraction! implement a robust class! design robust software! use Java exceptions Specifications and Implementations

More information

Static Analysis for Android: GUIs, Callbacks, and Beyond

Static Analysis for Android: GUIs, Callbacks, and Beyond Static Analysis for Android: GUIs, Callbacks, and Beyond Atanas (Nasko) Rountev Joint work with Dacong Yan Shengqian Yang Haowei Wu Yan Wang Hailong Zhang Ohio State University PRESTO: Program Analyses

More information

Bottom-up Context-Sensitive Pointer Analysis for Java

Bottom-up Context-Sensitive Pointer Analysis for Java Bottom-up Context-Sensitive Pointer Analysis for Java Yu Feng, Xinyu Wang, Isil Dillig and Thomas Dillig UT Austin 1 What is this talk about? Pointer analysis Given a program variable v, what are the heap

More information

Tackling Lack of Software Specifications A Sustained, Sustainability and Productivity Crisis

Tackling Lack of Software Specifications A Sustained, Sustainability and Productivity Crisis Tackling Lack of Software Specifications A Sustained, Sustainability and Productivity Crisis Hridesh Rajan Collaboration with Hoan A. Nguyen, Tien Nguyen, Gary Leavens, Samantha Khairunnesa, John Singleton,

More information

Obfuscation-Resilient Privacy Leak Detection for Mobile Apps Through Differential Analysis

Obfuscation-Resilient Privacy Leak Detection for Mobile Apps Through Differential Analysis Obfuscation-Resilient Privacy Leak Detection for Mobile Apps Through Differential Analysis Andrea Continella, Yanick Fratantonio, Martina Lindorfer, Alessandro Puccetti, Ali Zand, Christopher Kruegel,

More information

Collusive Data Leak and More: Large-scale Threat Analysis of Inter-app Communications. Amiangshu Bosu, Fang Liu, Danfeng (Daphne) Yao, & Gang Wang

Collusive Data Leak and More: Large-scale Threat Analysis of Inter-app Communications. Amiangshu Bosu, Fang Liu, Danfeng (Daphne) Yao, & Gang Wang Collusive Data Leak and More: Large-scale Threat Analysis of Inter-app Communications Amiangshu Bosu, Fang Liu, Danfeng (Daphne) Yao, & Gang Wang http://mashable.com/2013/10/30/department-of-defense-app-store/#ijubpfyljaq4

More information

Finding Architectural Flaws in Android Apps Is Easy

Finding Architectural Flaws in Android Apps Is Easy Finding Architectural Flaws in Android Apps Is Easy By Radu Vanciu and Marwan Abi-Antoun Department of Computer Science Wayne State University Detroit, Michigan, USA This work was supported in part by

More information

Static Analysis in C/C++ code with Polyspace

Static Analysis in C/C++ code with Polyspace 1 Static Analysis in C/C++ code with Polyspace Yongchool Ryu Application Engineer gary.ryu@mathworks.com 2016 The MathWorks, Inc. 2 Agenda Efficient way to find problems in Software Category of Static

More information

Unit 6 - Software Design and Development LESSON 8 QUALITY ASSURANCE

Unit 6 - Software Design and Development LESSON 8 QUALITY ASSURANCE Unit 6 - Software Design and Development LESSON 8 QUALITY ASSURANCE Previously Key features of programming languages Software Development Lifecycle Design models Some software structures functions, procedures,

More information

A Gentle Introduction to Program Analysis

A Gentle Introduction to Program Analysis A Gentle Introduction to Program Analysis Işıl Dillig University of Texas, Austin January 21, 2014 Programming Languages Mentoring Workshop 1 / 24 What is Program Analysis? Very broad topic, but generally

More information

A Characterization of State Spill in Modern OSes

A Characterization of State Spill in Modern OSes A Characterization of State Spill in Modern OSes Kevin Boos Emilio Del Vecchio Lin Zhong ECE Department, Rice University EuroSys 2017 How do we deal with complexity? 2 Modularization 1234 complex system

More information

Verification & Validation of Open Source

Verification & Validation of Open Source Verification & Validation of Open Source 2011 WORKSHOP ON SPACECRAFT FLIGHT SOFTWARE Gordon Uchenick Coverity, Inc Open Source is Ubiquitous Most commercial and proprietary software systems have some open

More information

Scaling CQUAL to millions of lines of code and millions of users p.1

Scaling CQUAL to millions of lines of code and millions of users p.1 Scaling CQUAL to millions of lines of code and millions of users Jeff Foster, Rob Johnson, John Kodumal and David Wagner {jfoster,rtjohnso,jkodumal,daw}@cs.berkeley.edu. UC Berkeley Scaling CQUAL to millions

More information

Analysis/Bug-finding/Verification for Security

Analysis/Bug-finding/Verification for Security Analysis/Bug-finding/Verification for Security VIJAY GANESH University of Waterloo Winter 2013 Analysis/Test/Verify for Security Instrument code for testing Heap memory: Purify Perl tainting (information

More information

Moving Fast with High Reliability: Program Analysis at Uber

Moving Fast with High Reliability: Program Analysis at Uber Moving Fast with High Reliability: Program Analysis at Uber Manu Sridharan Software Reliability Workshop ETH Zurich OCTOBER 14, 2017 Uber Apps Rider Driver Eats ios and Android Uber Apps Rider Driver Eats

More information

Uranine: Real-time Privacy Leakage Monitoring without System Modification for Android

Uranine: Real-time Privacy Leakage Monitoring without System Modification for Android Uranine: Real-time Privacy Leakage Monitoring without System Modification for Android Vaibhav Rastogi 1, Zhengyang Qu 2, Jedidiah McClurg 3, Yinzhi Cao 4, and Yan Chen 2 1 University of Wisconsin and Pennsylvania

More information

On Demystifying the Android Application Framework: Re-Visiting Android Permission Specification Analysis

On Demystifying the Android Application Framework: Re-Visiting Android Permission Specification Analysis On Demystifying the Android Application Framework: Re-Visiting Android Permission Specification Analysis Michael Backes, Sven Bugiel, Erik Derr, Patrick McDaniel, Damien Octeau, and Sebastian Weisgerber

More information

CSCE 813 Internet Security Final Exam Preview

CSCE 813 Internet Security Final Exam Preview CSCE 813 Internet Security Final Exam Preview Professor Lisa Luo Fall 2017 Coverage All contents! Week1 ~ Week 15 The nature of the exam: 12 questions: 3 multiple choices questions 1 true or false question

More information

Understanding and Detecting Wake Lock Misuses for Android Applications

Understanding and Detecting Wake Lock Misuses for Android Applications Understanding and Detecting Wake Lock Misuses for Android Applications Artifact Evaluated by FSE 2016 Yepang Liu, Chang Xu, Shing-Chi Cheung, and Valerio Terragni Code Analysis, Testing and Learning Research

More information

Understanding and Detecting Wake Lock Misuses for Android Applications

Understanding and Detecting Wake Lock Misuses for Android Applications Understanding and Detecting Wake Lock Misuses for Android Applications Artifact Evaluated Yepang Liu, Chang Xu, Shing-Chi Cheung, and Valerio Terragni Code Analysis, Testing and Learning Research Group

More information

SOFTWARE MAINTENANCE AND EVOLUTION --- REFACTORING FOR ASYNC --- CS563 WEEK 3 - THU

SOFTWARE MAINTENANCE AND EVOLUTION --- REFACTORING FOR ASYNC --- CS563 WEEK 3 - THU SOFTWARE MAINTENANCE AND EVOLUTION --- REFACTORING FOR ASYNC --- CS563 WEEK 3 - THU Danny Dig Course Objectives: Project Practice a research or novel-industrial project through all its stages: - formulate

More information

Cemetery Navigation and Information Query System Based on Android and Java Web

Cemetery Navigation and Information Query System Based on Android and Java Web 2017 3rd International Conference on Computational Systems and Communications (ICCSC 2017) Cemetery Navigation and Information Query System Based on Android and Java Web Chao Ding1, a, Yongjie Yang1, b,

More information

Averroes: Letting go of the library!

Averroes: Letting go of the library! Workshop on WALA - PLDI 15 June 13th, 2015 public class HelloWorld { public static void main(string[] args) { System.out.println("Hello, World!"); 2 public class HelloWorld { public static void main(string[]

More information

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Application Security through a Hacker s Eyes James Walden Northern Kentucky University Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways

More information

State of Office 365 Adoption & Risk A Dive into the Data. Jim Reavis, CEO, Cloud Security Alliance Brandon Cook, VP, Marketing, Skyhigh Networks

State of Office 365 Adoption & Risk A Dive into the Data. Jim Reavis, CEO, Cloud Security Alliance Brandon Cook, VP, Marketing, Skyhigh Networks State of Office 365 Adoption & Risk A Dive into the Data Jim Reavis, CEO, Cloud Security Alliance Brandon Cook, VP, Marketing, Skyhigh Networks Q4 2016 Office 365 Usage and Risk Report Brandon Cook, Skyhigh

More information

Towards Verifying Android Apps for the Absence of No-Sleep Energy Bugs

Towards Verifying Android Apps for the Absence of No-Sleep Energy Bugs Towards Verifying Android Apps for the Absence of No-Sleep Energy Bugs Panagiotis Vekris Ranjit Jhala, Sorin Lerner, Yuvraj Agarwal University of California, San Diego 1 2 Software Energy Bugs 3 Software

More information

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui Projects 1 Information flow analysis for mobile applications 2 2 Machine-learning-guide typestate analysis for UAF vulnerabilities 3 3 Preventing

More information

Static Taint Analysis Applied to Detecting Bad Programming Practices in Android

Static Taint Analysis Applied to Detecting Bad Programming Practices in Android Static Taint Analysis Applied to Detecting Bad Programming Practices in Android Gonzalo Winniczuk Universidad de Buenos Aires Departamento de Computación Buenos Aires, Argentina Sergio Yovine CONICET-Universidad

More information

Outline. iterator review iterator implementation the Java foreach statement testing

Outline. iterator review iterator implementation the Java foreach statement testing Outline iterator review iterator implementation the Java foreach statement testing review: Iterator methods a Java iterator only provides two or three operations: E next(), which returns the next element,

More information

AP Computer Science Principles

AP Computer Science Principles 2017 AP Computer Science Principles Sample Student Responses Commentary Inside: RR Performance Task Create RR Guideline RR Commentary Student Samples provided separately College Board, Advanced Placement

More information

Automated Generation of Event-Oriented Exploits in Android Hybrid Apps

Automated Generation of Event-Oriented Exploits in Android Hybrid Apps Automated Generation of Event-Oriented Exploits in Android Hybrid Apps Guangliang Yang, Jeff Huang, and Guofei Gu *Secure Communication and Computer Systems Lab Texas A&M University In Android, the hybrid

More information

Micro Focus Security Fortify Audit Assistant

Micro Focus Security Fortify Audit Assistant White Paper Security Micro Focus Security Fortify Audit Assistant Table of Contents page Introduction... 1 Why Static Application Security Testing?............................................. 1 Confirmation

More information

THE ART OF SECURING 100 PRODUCTS. Nir

THE ART OF SECURING 100 PRODUCTS. Nir THE ART OF SECURING 100 PRODUCTS Nir Valtman @ValtmaNir I work for as the Application Security 1st time speaking publicly, except at Mmmm OH, AND Neither of my previous startups succeeded!

More information

Classes, interfaces, & documentation. Review of basic building blocks

Classes, interfaces, & documentation. Review of basic building blocks Classes, interfaces, & documentation Review of basic building blocks Objects Data structures literally, storage containers for data constitute object knowledge or state Operations an object can perform

More information

Lecture Outline. COOL operational semantics. Operational Semantics of Cool. Motivation. Notation. The rules. Evaluation Rules So Far.

Lecture Outline. COOL operational semantics. Operational Semantics of Cool. Motivation. Notation. The rules. Evaluation Rules So Far. Lecture Outline Operational Semantics of Cool COOL operational semantics Motivation Adapted from Lectures by Profs. Alex Aiken and George Necula (UCB) Notation The rules CS781(Prasad) L24CG 1 CS781(Prasad)

More information

Avanan for G Suite. Technical Overview. Copyright 2017 Avanan. All rights reserved.

Avanan for G Suite. Technical Overview. Copyright 2017 Avanan. All rights reserved. Avanan for G Suite Technical Overview Contents Intro 1 How Avanan Works 2 Email Security for Gmail 3 Data Security for Google Drive 4 Policy Automation 5 Workflows and Notifications 6 Authentication 7

More information

Lecture 6. Abstract Interpretation

Lecture 6. Abstract Interpretation Lecture 6. Abstract Interpretation Wei Le 2014.10 Outline Motivation History What it is: an intuitive understanding An example Steps of abstract interpretation Galois connection Narrowing and Widening

More information

Privacy Preserving Ranked Multi-Keyword Search for Multiple Data Owners in Cloud Computing

Privacy Preserving Ranked Multi-Keyword Search for Multiple Data Owners in Cloud Computing S.NO PROJECT CODE IEEE JAVA PROJECT TITLES DOMAIN 1 NEO1501 A Hybrid Cloud Approach for Secure Authorized Deduplication 2 NEO1502 A Profit Maximization Scheme with Guaranteed Quality of Service in Cloud

More information

2 Lecture Embedded System Security A.-R. Darmstadt, Android Security Extensions

2 Lecture Embedded System Security A.-R. Darmstadt, Android Security Extensions 2 Lecture Embedded System Security A.-R. Sadeghi, @TU Darmstadt, 2011-2014 Android Security Extensions App A Perm. P 1 App B Perm. P 2 Perm. P 3 Kirin [2009] Reference Monitor Prevents the installation

More information

Andromeda: XSS Accurate and Scalable Security Analysis of Web Applications. OWASP* Top Ten Security Vulnerabilities. SQL Injection.

Andromeda: XSS Accurate and Scalable Security Analysis of Web Applications. OWASP* Top Ten Security Vulnerabilities. SQL Injection. Andromeda: XSS Accurate and Scalable Security Analysis of Web Applications Attacker s evil script ... Omer Tripp Marco Pistoia Tel Aviv University & IBM IBM T. J. Watson Research Center

More information

Section 1: Definition of Fraud / Fraud Analysis Coderre Chapters 1 6, 8, & 9

Section 1: Definition of Fraud / Fraud Analysis Coderre Chapters 1 6, 8, & 9 Page 1 of 13 Section 1: Definition of Fraud / Fraud Analysis Coderre Chapters 1 6, 8, & 9 1. True or false, is ALL theft fraud? a. True b. False 2. True or false, are ALL deceptive statements examples

More information

Static Analysis of Embedded C Code

Static Analysis of Embedded C Code Static Analysis of Embedded C Code John Regehr University of Utah Joint work with Nathan Cooprider Relevant features of C code for MCUs Interrupt-driven concurrency Direct hardware access Whole program

More information

Cloning-Based Context-Sensitive Pointer Alias Analysis using BDDs

Cloning-Based Context-Sensitive Pointer Alias Analysis using BDDs More Pointer Analysis Last time Flow-Insensitive Pointer Analysis Inclusion-based analysis (Andersen) Today Class projects Context-Sensitive analysis March 3, 2014 Flow-Insensitive Pointer Analysis 1 John

More information

CSCI 420: Mobile Application Security. Lecture 15. Prof. Adwait Nadkarni

CSCI 420: Mobile Application Security. Lecture 15. Prof. Adwait Nadkarni CSCI 420: Mobile Application Security Lecture 15 Prof. Adwait Nadkarni 1 Running scripts from home apktool instructions: Move both files (apktool.jar & apktool) to /usr/local/bin (root needed) No-root

More information

On the Unsoundness of Static Analysis for Android GUIs

On the Unsoundness of Static Analysis for Android GUIs On the Unsoundness of Static Analysis for Android GUIs Yan Wang Hailong Zhang Atanas Rountev Ohio State University, USA Abstract Android software presents exciting new challenges for the static analysis

More information

FlowFence: Practical Data Protection for Emerging IoT Application Frameworks

FlowFence: Practical Data Protection for Emerging IoT Application Frameworks FlowFence: Practical Data Protection for Emerging IoT Application Frameworks Earlence Fernandes, Justin Paupore, Amir Rahmati, Daniel Simionato, Mauro Conti, Atul Prakash USENIX Security Symposium 11 August

More information

User Manual. Smart Lock. Please read this manual before operating your Smart Lock, and keep it for further reference. 40

User Manual. Smart Lock. Please read this manual before operating your Smart Lock, and keep it for further reference. 40 User Manual Smart Lock Please read this manual before operating your Smart Lock, and keep it for further reference. 40 I. Introduction Thank you for choosing the AKASO Smart Lock. The new Smart Lock uses

More information

Note-Taking Guide. Numbered t. Colored t. Insert i. Insert t. Insert a l. L s. Paint f. Course: Google s Document App Episode: Word Processing Basics

Note-Taking Guide. Numbered t. Colored t. Insert i. Insert t. Insert a l. L s. Paint f. Course: Google s Document App Episode: Word Processing Basics Course: Googles Document App Episode: Word Processing Basics Note-Taking Guide Make sure you are logged into Google Drive. Click on the red box with the word Create in the upper-left corner and select

More information

The Impact of Third-party Code on Android App Security. Erik Derr

The Impact of Third-party Code on Android App Security. Erik Derr The Impact of Third-party Code on Android App Security Erik Derr Third-party Code A Double-edged Sword Eases software development Code re-use Faster development, less costs Increases apps attack surface

More information

ESP Egocentric Social Platform

ESP Egocentric Social Platform ESP Egocentric Social Platform T. J. Purtell, Ian Vo, Monica S. Lam With: Kanak Biscuitwala, Willem Bult, Dan Boneh, Ben Dodson, Steve Fan, and Frank Wang, Global Social Platforms Ideal for Meeting strangers

More information

AppScan Deployment APPLICATION SECURITY SERVICES. Colin Bell. Applications Security Senior Practice Manager

AppScan Deployment APPLICATION SECURITY SERVICES. Colin Bell. Applications Security Senior Practice Manager APPLICATION SECURITY SERVICES AppScan Deployment Colin Bell Applications Security Senior Practice Manager Copyright 2017 HCL Products & Platforms www.hcltech.com The Evolution of Devops 2001 - Continuous

More information

Static Detection of Brittle Parameter Typing

Static Detection of Brittle Parameter Typing Static Detection of Brittle Parameter Typing Michael Pradel, Severin Heiniger, and Thomas R. Gross Department of Computer Science ETH Zurich 1 Motivation void m(a a) {... } Object A.. B C D E F 2 Motivation

More information

Crypto tidbits: misuse, side channels. Slides from Dave Levin 414-spring2016

Crypto tidbits: misuse, side channels. Slides from Dave Levin 414-spring2016 Crypto tidbits: misuse, side channels Slides from Dave Levin 414-spring2016 A paper from 2013 that looked at how Android apps use crypto, as a function of 6 rules that reflect the bare minimum a secure

More information

Finding Vulnerabilities in Web Applications

Finding Vulnerabilities in Web Applications Finding Vulnerabilities in Web Applications Christopher Kruegel, Technical University Vienna Evolving Networks, Evolving Threats The past few years have witnessed a significant increase in the number of

More information

ID: Sample Name: com.cleanmaster.mguard_ apk Cookbook: defaultandroidfilecookbook.jbs Time: 18:32:59 Date: 27/02/2018 Version: 22.0.

ID: Sample Name: com.cleanmaster.mguard_ apk Cookbook: defaultandroidfilecookbook.jbs Time: 18:32:59 Date: 27/02/2018 Version: 22.0. ID: 48100 Sample Name: com.cleanmaster.mguard_2018-02-12.apk Cookbook: defaultandroidfilecookbook.jbs Time: 18:32:59 Date: 27/02/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report

More information

Android Application Development using Kotlin

Android Application Development using Kotlin Android Application Development using Kotlin 1. Introduction to Kotlin a. Kotlin History b. Kotlin Advantages c. How Kotlin Program Work? d. Kotlin software Prerequisites i. Installing Java JDK and JRE

More information

Sarbanes-Oxley Act (SOX)

Sarbanes-Oxley Act (SOX) Sarbanes-Oxley Act (SOX) Introduction The Sarbanes-Oxley (SOX) Act was introduced in 2002 to protect shareholders and the general public from fraudulent accounting activities by bringing greater accountability

More information

Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions

Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions ISSTA * * Artifact Consistent * Complete * Well Documented * Easy to Reuse * Evaluated * AEC * Lazaro Clapp Stanford University,

More information

Software Security: Vulnerability Analysis

Software Security: Vulnerability Analysis Computer Security Course. Software Security: Vulnerability Analysis Program Verification Program Verification How to prove a program free of buffer overflows? Precondition Postcondition Loop invariants

More information

Automated Error Diagnosis Using Abductive Inference

Automated Error Diagnosis Using Abductive Inference Automated Error Diagnosis Using Abductive Inference Isil Dillig Department of Computer Science College of William & Mary idillig@cs.wm.edu Thomas Dillig Department of Computer Science College of William

More information

Symbolic Inference of Partial Specifications to Augment Regression Testing

Symbolic Inference of Partial Specifications to Augment Regression Testing Symbolic Inference of Partial Specifications to Augment Regression Testing Koen Wermer Utrecht University Student number: 3705951 April 21, 2017 1 1 Introduction A large part of the costs (50-80% [17])

More information

Pliny and Fixr Meeting. September 15, 2014

Pliny and Fixr Meeting. September 15, 2014 Pliny and Fixr Meeting September 15, 2014 Fixr: Mining and Understanding Bug Fixes for App-Framework Protocol Defects (TA2) University of Colorado Boulder September 15, 2014 Fixr: Mining and Understanding

More information

Program-Analysis-Supported Identification of Applications in Large Networks

Program-Analysis-Supported Identification of Applications in Large Networks Program-Analysis-Supported Identification of Applications in Large Networks Christopher Kruegel Computer Security Group ARO MURI Meeting Arizona State University, October 28, 2013 Correlation Engine COAs

More information

SARBANES-OXLEY (SOX) ACT

SARBANES-OXLEY (SOX) ACT SARBANES-OXLEY (SOX) ACT Table of Contents Introduction 03 Who is affected by SOX? 05 Why should my organization 05 comply with SOX? What does SOX require for email 06 compliance? How can my organization

More information

The next step in IT security after Snowden

The next step in IT security after Snowden The next step in IT security after Snowden Prof. Dr. (TU NN) Norbert Pohlmann Institute for Internet Security - if(is) Westphalian University of Applied Sciences Gelsenkirchen, Germany www.internet-sicherheit.de

More information

Static and Dynamic Program Analysis: Synergies and Applications

Static and Dynamic Program Analysis: Synergies and Applications Static and Dynamic Program Analysis: Synergies and Applications Mayur Naik Intel Labs, Berkeley CS 243, Stanford University March 9, 2011 Today s Computing Platforms Trends: parallel cloud mobile Traits:

More information
2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback