Open Access. Powered by Scholars. Published by Universities.®

Information Security Commons

2016

Software Engineering

Articles 1 - 17 of 17

Full-Text Articles in Information Security

Context-Sensitive Auto-Sanitization For Php, Jared M. Smith, Richard J. Connor, David P. Cunningham, Kyle G. Bashour, Walter T. Work Dec 2016

Chancellor’s Honors Program Projects

No abstract provided.


Teaching Android Security Through Examples: A Publicly Available Database Of Vulnerable Apps, Daniel E. Krutz, Samuel A. Malachowsky Dec 2016

Articles

Security is hard, and teaching security can be even harder. Here we describe a public educational activity to assist in the instruction of both students and developers in creating secure Android apps. Our set of activities includes example vulnerable applications, information about each vulnerability, steps on how to repair the vulnerabilities, and information about how to confirm that the vulnerability has been properly repaired. Our primary goal is to make these activities available to other instructors for use in their classrooms ranging from the K-12 to university settings. A secondary goal of this project is to foster interest in security …


Security Testing With Misuse Case Modeling, Samer Yousef Khamaiseh Dec 2016

Boise State University Theses and Dissertations

Having a comprehensive model of security requirements is a crucial step towards developing a reliable software system. An effective model of security requirements which describes the possible scenarios that may affect the security aspects of the system under development can be an effective approach for subsequent use in generating security test cases.

Misuse case was first proposed by Sindre and Opdahl as an approach to extract the security requirements of the system under development [1]. A misuse case is a use case representing scenarios that might be followed by a system adversary in order to compromise the system; that is …


Semeo: A Semantic Equivalence Analysis Framework For Obfuscated Android Applications, Zhen Hu Dec 2016

Department of Computer Science and Engineering: Dissertations, Theses, and Student Research

Software repackaging is a common approach for creating malware. In this approach, malware authors inject malicious payloads into legitimate applications; then, to render security analysis more difficult, they obfuscate most or all of the code. This forces analysts to spend a large amount of effort filtering out benign obfuscated methods in order to locate potentially malicious methods for further analysis. If an effective mechanism for filtering out benign obfuscated methods were available, the number of methods that must be analyzed could be reduced, allowing analysts to be more productive. In this thesis, we introduce SEMEO, a highly effective and …


Automated Verification Of Timed Security Protocols With Clock Drift, Li Li, Jun Sun Nov 2016

Research Collection School Of Computing and Information Systems

Time is frequently used in security protocols to provide better security. For instance, critical credentials often have limited lifetime which improves the security against brute-force attacks. However, it is challenging to correctly use time in protocol design, due to the existence of clock drift in practice. In this work, we develop a systematic method to formally specify as well as automatically verify timed security protocols with clock drift. We first extend the previously proposed timed applied π-calculus as a formal specification language for timed protocols with clock drift. Then, we define its formal semantics based on timed logic rules, …


Code Metrics For Predicting Risk Levels Of Android Applications, Akond A. Rahman Oct 2016

KSU Proceedings on Cybersecurity Education, Research and Practice

Android applications pose security and privacy risks for end-users. Early prediction of risk levels that are associated with Android applications can help Android developers in releasing less risky applications to end-users. Researchers have shown how code metrics can be used as early predictors of failure prone software components. Whether or not code metrics can be used to predict risk levels of Android applications requires systematic exploration. The goal of this paper is to aid Android application developers in assessing the risk associated with developed Android applications by identifying code metrics that can be used as predictors to predict two levels …


Mabic: Mobile Application Builder For Interactive Communication, Huy Manh Nguyen Oct 2016

Masters Theses & Specialist Projects

Nowadays, the web services and mobile technology advance to a whole new level. These technologies make the modern communication faster and more convenient than the traditional way. People can also easily share data, picture, image and video instantly. It also saves time and money. For example: sending an email or text message is cheaper and faster than a letter. Interactive communication allows the instant exchange of feedback and enables two-way communication between people and people, or people and computer. It increases the engagement of sender and receiver in communication.

Although many systems such as REDCap and Taverna are built for …


Integrated Software Fingerprinting Via Neural-Network-Based Control Flow Obfuscation, Haoyu Ma, Ruiqi Li, Xiaoxu Yu, Chunfu Jia, Debin Gao Oct 2016

Research Collection School Of Computing and Information Systems

Dynamic software fingerprinting has been an important tool in fighting against software theft and pirating by embedding unique fingerprints into software copies. However, existing work uses methods from dynamic software watermarking as direct solutions in which secret marks are inside rather independent code modules attached to the software. This results in an intrinsic weakness against targeted collusive attacks since differences among software copies correspond directly to the fingerprint-related components. In this paper, we suggest a novel mode of dynamic fingerprinting called integrated fingerprinting, of which the goal is to ensure all fingerprinted software copies possess identical behaviors at semantic level. …


Indoor Localization Via Multi-Modal Sensing On Smartphones, Han Xu, Zheng Yang, Zimu Zhou, Longfei Shangguan, Ke Yi, Yunhao Liu Sep 2016

Research Collection School Of Computing and Information Systems

Indoor localization is of great importance to a wide range of applications in shopping malls, office buildings and public places. The maturity of computer vision (CV) techniques and the ubiquity of smartphone cameras hold promise for offering sub-meter accuracy localization services. However, pure CV-based solutions usually involve hundreds of photos and pre-calibration to construct image database, a labor-intensive overhead for practical deployment. We present ClickLoc, an accurate, easy-to-deploy, sensor-enriched, image-based indoor localization system. With core techniques rooted in semantic information extraction and optimization-based sensor data fusion, ClickLoc is able to bootstrap with few images. Leveraging sensor-enriched photos, ClickLoc also enables user localization with a single photo of the …


Pdroid, Joe Larry Allen Aug 2016

Masters Theses

When an end user attempts to download an app on the Google Play Store they receive two related items that can be used to assess the potential threats of an application, the list of permissions used by the application and the textual description of the application. However, this raises several concerns. First, applications tend to use more permissions than they need and end users are not tech-savvy enough to fully understand the security risks. Therefore, it is challenging to assess the threats of an application fully by only seeing the permissions. On the other hand, most textual descriptions do not …


Proxy Signature With Revocation, Shengmin Xu, Guomin Yang, Yi Mu, Shu Ma Jul 2016

Research Collection School Of Computing and Information Systems

Proxy signature is a useful cryptographic primitive that allows signing right delegation. In a proxy signature scheme, an original signer can delegate his/her signing right to a proxy signer (or a group of proxy signers) who can then sign documents on behalf of the original signer. In this paper, we investigate the problem of proxy signature with revocation. The revocation of delegated signing right is necessary for a proxy signature scheme when the proxy signer’s key is compromised and/or any misuse of the delegated right is noticed. Although a proxy signature scheme usually specifies a delegation time period, it may …


Cdrep: Automatic Repair Of Cryptographic-Misuses In Android Applications, Siqi Ma, David Lo, Teng Li, Robert H. Deng Jun 2016

Research Collection School Of Computing and Information Systems

Cryptography is increasingly being used in mobile applications to provide various security services; from user authentication, data privacy, to secure communications. However, there are plenty of mistakes that developers could accidentally make when using cryptography in their mobile apps and such mistakes can lead to a false sense of security. Recent research efforts indeed show that a significant portion of mobile apps in both Android and iOS platforms misused cryptographic APIs. In this paper, we present CDRep, a tool for automatically repairing cryptographic misuse defects in Android apps. We classify such defects into seven types and manually assemble the corresponding …


Graph-Aided Directed Testing Of Android Applications For Checking Runtime Privacy Behaviours, Joseph Joo Keng Chan, Lingxiao Jiang, Kiat Wee Tan, Rajesh Krishna Balan May 2016

Research Collection School Of Computing and Information Systems

While automated testing of mobile applications is very useful for checking run-time behaviours and specifications, its capability in discovering issues in apps is often limited in practice due to long testing time. A common practice is to randomly and exhaustively explore the whole app test space, which takes a lot of time and resource to achieve good coverage and reach targeted parts of the apps. In this paper, we present MAMBA, a directed testing system for checking privacy in Android apps. MAMBA performs path searches of user events in control-flow graphs of callbacks generated from static analysis of app bytecode. …


Leveraging Automated Privacy Checking For Design Of Mobile Privacy Protection Mechanisms, Joseph Joo Keng Chan, Lingxiao Jiang, Kiat Wee Tan, Rajesh Balan May 2016

Research Collection School Of Computing and Information Systems

While mobile platforms rely on developers to follow good practices in privacy design, developers might not always adhere. In addition, it is often difficult for users to understand the privacy behaviour of their applications without some prolonged usage. To aid in these issues, we describe on-going research to improve privacy protection by utilizing techniques that mine privacy information from application binaries as a grey-box (Automated Privacy Checking). The outputs can then be utilized to improve the users' ability to exercise privacy-motivated discretion. We conducted a user study to observe the effects of presenting information on leak-causing triggers within applications in …


User Interface Design, Moritz Stefaner, Sebastien Ferre, Saverio Perugini, Jonathan Koren, Yi Zhang Apr 2016

Saverio Perugini

As detailed in Chap. 1, system implementations for dynamic taxonomies and faceted search allow a wide range of query possibilities on the data. Only when these are made accessible by appropriate user interfaces can the resulting applications support a variety of search, browsing and analysis tasks. User interface design in this area is confronted with specific challenges. This chapter presents an overview of both established and novel principles and solutions.


An Immersive Telepresence System Using Rgb-D Sensors And Head-Mounted Display, Xinzhong Lu, Ju Shen, Saverio Perugini, Jianjun Yang Jan 2016

Saverio Perugini

We present a tele-immersive system that enables people to interact with each other in a virtual world using body gestures in addition to verbal communication. Beyond the obvious applications, including general online conversations and gaming, we hypothesize that our proposed system would be particularly beneficial to education by offering rich visual contents and interactivity. One distinct feature is the integration of egocentric pose recognition that allows participants to use their gestures to demonstrate and manipulate virtual objects simultaneously. This functionality enables the instructor to effectively and efficiently explain and illustrate complex concepts or sophisticated problems in an intuitive manner. The …


Gone In 200 Milliseconds: The Challenge Of Blocking Malvertising, Catherine Dwyer, Ameet Kanguri Jan 2016

Student and Faculty Research Days

Online advertising is a multi-billion dollar global industry that lets advertisers serve ads to specific customers of interest as they browse the web. Using real time bidding (RTB), as web visitors land on a site, advertising networks are alerted of space available and whatever profile information can be gleaned about the visitor. Ad networks then auction this combination of space and profile through ad exchanges, and the winning bid's ad content is served to the web visitor. The entire process, from a visitor landing on a publisher's page to ads being auctioned, takes 200 milliseconds--the time needed to snap your …