10:45 - 11:05
"Too Quiet in the Library: A Study of Native Third-Party Libraries in Android"
Joshua Garcia, Assistant Professor, Department of Informatics, UC Irvine
Abstract:
Android applications (“apps”) make avid use of third-party native libraries to increase performance and to reuse already implemented functionality. Native code can be directly executed from apps through the Java Native Interface or the Android Native Development Kit. Android developers drop precompiled native libraries into their projects, enabling their use. Unfortunately, developers are often not aware that these libraries (or their dependencies) must be updated. This results in the continuous use of outdated native libraries with unpatched security vulnerabilities years after patches are available.
To assess the severity of the use of outdated and vulnerable libraries in the Android ecosystem, we study the prevalence of native libraries in the top apps of the Google Play market over time, correlating the time when native libraries are updated with the availability of security patches. A core difficulty we have to solve for this research is the identification of libraries and versions. Developers often rename or modify libraries, but we require precise information about each binary. Our binary similarity metric bin2sim uses diverse features extracted from the libraries to identify and map the required information. Leveraging bin2sim, we create an approach called LibRARIAN (LibRAry veRsion IdentificAtioN) that can accurately identify native libraries and their versions as found in Android apps with a 98.76% true-positive rate, no false positives, and a 1.23% false-negative rate.
In our study using LibRARIAN, we find that many libraries are outdated and that security patches are applied with long delays, if at all. We discovered that native libraries in apps are updated, on average, 3 times slower than the release rate of new versions of those libraries. For vulnerabilities, we found 80 apps with 1,781 vulnerable versions with known CVEs between Sept. 2013 and April 2019, with 61 of those apps still remaining vulnerable until the end point of our study. We find that app developers took, on average, 507.21±70.97 days to apply security patches, while library developers release a security patch after 19.04 ± 14.35 days—a 27 times slower rate of update.
Bio:
Joshua Garcia is an Assistant Professor in the Informatics Department of the Donald Bren School of Information and Computer Sciences (ICS) at the University of California, Irvine (UCI). His research interests are in software engineering with a focus on mobile security, testing, and analysis; software architecture; and software maintenance and re-engineering. Garcia leverages static and dynamic program analysis, machine learning, and artificial intelligence to address problems in the area of mobile applications and decay of software architecture. His research tools and datasets have been used by dozens of researchers, agencies, and companies around the world—including universities in Argentina, Australia, Brazil, Canada, China, Europe, and the United States, and by companies and government agencies such as Boeing, Bosch, Google, IBM, Microsoft, Northrop Grumman, the FBI, the Department of Homeland Security, and NASA.
11:05 - 11:25
"How Reliable is the Crowdsourced Knowledge of Security Implementation?"
Na Meng, Assistant Professor, Department of Computer Science, Virginia Tech
Abstract:
Stack Overflow (SO) is the most popular online Q&A site for developers to share their expertise in solving programming issues. However, researchers recently observed that SO contains exploitable security vulnerabilities in the suggested code of popular answers, which found their way into security-sensitive high-profile applications that millions of users install every day. This observation inspires us to explore the following questions: How much can we trust the security implementation suggestions on SO? If suggested answers are vulnerable, can developers rely on the community’s dynamics to infer the vulnerability and identify a secure counterpart?
To answer these highly important questions, we conducted a comprehensive study on security-related SO posts by contrasting secure and insecure advice with the community-given content evaluation. Our findings show that based on the distribution of secure and insecure code on SO, users being laymen in security rely on additional advice and guidance. However, the community-given feedback does not allow differentiating secure from insecure choices. The reputation mechanism fails in indicating trustworthy users with respect to security questions, ultimately leaving other users wandering around alone in a software security minefield.
Bio:
Dr. Na Meng is an assistant professor in the Department of Computer Science at Virginia Tech, U.S. (since 2015). She received her PhD in Computer Science at The University of Texas at Austin, U.S. (2014). Her research interests include Software Engineering and Programming Languages. She focuses on conducting empirical studies on software bugs and fixes, and investigating new approaches to help developers comprehend programs and changes, to detect and fix bugs, and to modify code automatically. Nowadays, Dr. Meng also explores fixing security bugs automatically. Dr. Meng received the NSF CAREER Award in 2019.
11:25 - 11:45
"Human Aspects of Software Engineering"
David Redmiles, Associate Professor, Department of Informatics, UC Irvine
Abstract:
UC Irvine and, in particular, the Institute for Software Research have a long history of considering the human aspects of software engineering. Research has ranged from studying individuals' interaction with software to the effects of technology on organizations and society at large. This talk provides some orientation toward researching human aspects and an overview of some recent research projects from my research group. Projects include studies of the Internet of Things (IoT), effects of gender in software development platforms such as GitHub, software education, and interventions to improve teamwork.
Bio:
Dr. David Redmiles is a Professor in the Department of Informatics at the University of California, Irvine (UCI) in the Donald Bren School of Information and Computer Sciences (ICS). He is the author of nearly 200 publications integrating the areas of software engineering, human-computer interaction, and computer-supported cooperative work. He has graduated 11 PhD students and served on the dissertation committees of over 30 other PhD students. His current research focuses on distributed and collaborative software engineering, especially the aspects of awareness and trust among collaborators. He is a member of the Association for Computing Machinery (ACM) and the Institute of Electrical and Electronics Engineers (IEEE) Computer Society. He was designated an ACM Distinguished Scientist in 2011. He earned his PhD degree in 1992 at the University of Colorado, Boulder. He holds a BS (1980) in Mathematics and Computer Science and a MS (1982) in Computer Science from the American University in Washington, D.C.