Zachary B. Ratliff, D. Richard Kuhn, Daniel J. Ragsdale
2019 IEEE 19th International Conference on Software Quality, Reliability and Security (QRS). Published 2019-07-01. DOI: 10.1109/QRS.2019.00032 (https://doi.org/10.1109/QRS.2019.00032)
Detecting Vulnerabilities in Android Applications using Event Sequences
Sequence covering arrays have demonstrated their usefulness for finding software bugs that propagate via some sequence of events. However, the distribution of t-way event sequence failures has never been reported, and as a result, the practicality of using these methods is not fully known. In this paper, our analysis of the distribution of t-way interactions between events in event sequence bugs provides insight into the practicality and usefulness of this combinatorial testing method. From a developer's perspective, these methods can contribute to finding this particular class of bugs early in the software development process, saving the developers time and money without sacrificing effectiveness. However, an attacker may also leverage these techniques to discover previously undetected vulnerabilities as a means to exploit the system. This work involved analyzing hundreds of vulnerability reports, performing event sequence testing on two different closed source Android applications, as well as developing a combinatorial coverage measurement tool.