Metamorphic testing has been advocated as a possible approach to testing of systems that have no useful test oracles; but it has not often been applied in practice. Here we report some of the results of applying metamorphic testing to real-world e-commerce product search engines.
{"title":"Applying Metamorphic Testing to e-Commerce Product Search Engines","authors":"S. Nagai, Tatsuhiro Tsuchiya","doi":"10.1109/PRDC.2018.00030","DOIUrl":"https://doi.org/10.1109/PRDC.2018.00030","url":null,"abstract":"Metamorphic testing has been advocated as a possible approach to testing of systems that have no useful test oracles; but it has not often been applied in practice. Here we report some of the results of applying metamorphic testing to real-world e-commerce product search engines.","PeriodicalId":409301,"journal":{"name":"2018 IEEE 23rd Pacific Rim International Symposium on Dependable Computing (PRDC)","volume":"34 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125913501","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Threats posed by side-channel and covert-channel attacks exploiting the CPU cache to compromise the confidentiality of a system raise serious security concerns. This applies especially to systems offering shared hardware or resources to their customers. As eradicating this threat is practically impeded due to performance implications or financial cost of the current mitigation approaches, a detection mechanism might enhance the security of such systems. In the course of this work, we propose an approach towards side-channel attacks detection, considering the specificity of cache-based SCAs and their implementations.
{"title":"On the Detection of Side-Channel Attacks","authors":"Tsvetoslava Vateva-Gurova, N. Suri","doi":"10.1109/PRDC.2018.00031","DOIUrl":"https://doi.org/10.1109/PRDC.2018.00031","url":null,"abstract":"Threats posed by side-channel and covert-channel attacks exploiting the CPU cache to compromise the confidentiality of a system raise serious security concerns. This applies especially to systems offering shared hardware or resources to their customers. As eradicating this threat is practically impeded due to performance implications or financial cost of the current mitigation approaches, a detection mechanism might enhance the security of such systems. In the course of this work, we propose an approach towards side-channel attacks detection, considering the specificity of cache-based SCAs and their implementations.","PeriodicalId":409301,"journal":{"name":"2018 IEEE 23rd Pacific Rim International Symposium on Dependable Computing (PRDC)","volume":"119 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121401092","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Oliver Schwahn, Nicolas Coppik, Stefan Winter, N. Suri
Software Fault Injection (SFI) is a widely used technique to experimentally assess the dependability of software systems. To provide a comprehensive view on the dependability of a software under test, SFI typically requires large numbers of experiments, which leads to long test latencies. In order to reduce the overall test duration for SFI, we propose FASTFI, which (1) avoids redundant executions of common path prefixes for faults in the same injection location, (2) avoids test executions for faults that do not get activated, and (3) utilizes parallel processors by executing SFI tests concurrently. FASTFI takes patch files that specify source code mutations as an input, conducts an automated source code analysis to identify the function they target, and then automatically parallelizes the execution of all mutants that target the same function. Our evaluation of FASTFI on four PARSEC benchmarks shows a SFI test latency reduction of up to a factor of 26.
{"title":"FastFI: Accelerating Software Fault Injections","authors":"Oliver Schwahn, Nicolas Coppik, Stefan Winter, N. Suri","doi":"10.1109/PRDC.2018.00035","DOIUrl":"https://doi.org/10.1109/PRDC.2018.00035","url":null,"abstract":"Software Fault Injection (SFI) is a widely used technique to experimentally assess the dependability of software systems. To provide a comprehensive view on the dependability of a software under test, SFI typically requires large numbers of experiments, which leads to long test latencies. In order to reduce the overall test duration for SFI, we propose FASTFI, which (1) avoids redundant executions of common path prefixes for faults in the same injection location, (2) avoids test executions for faults that do not get activated, and (3) utilizes parallel processors by executing SFI tests concurrently. FASTFI takes patch files that specify source code mutations as an input, conducts an automated source code analysis to identify the function they target, and then automatically parallelizes the execution of all mutants that target the same function. Our evaluation of FASTFI on four PARSEC benchmarks shows a SFI test latency reduction of up to a factor of 26.","PeriodicalId":409301,"journal":{"name":"2018 IEEE 23rd Pacific Rim International Symposium on Dependable Computing (PRDC)","volume":"65 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126265795","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Shun-Chieh Chang, Yeali S. Sun, Wu-Long Chuang, Meng Chang Chen, Bo Sun, Takeshi Takahashi
Malware developers often use various obfuscation techniques to generate polymorphic and metamorphic versions of malicious programs. As a result, variants of a malware family generally exhibit resembling behavior, and most importantly, they possess certain common essential codes so to achieve the same designed purpose. Meantime, keeping up with new variants and generating signatures for each individual in a timely fashion has been costly and inefficient for anti-virus software companies. It motivates us the idea of no more dancing with variants. In this paper, we aim to find a malware family's main characteristic operations or activities directly related to its intent. We propose a novel automatic dynamic Android profiling system and malware family runtime behavior signature generation method called Runtime API sequence Motif Mining Algorithm (RasMMA) based on the analysis of the sensitive and permission-related execution traces of the threads and processes of a set of variant APKs of a malware family. We show the effectiveness of using the generated family signature to detect new variants using real-world dataset. Moreover, current anti-malware tools usually treat detection models as a black box for classification and offer little explanations on how malwares behave and how they proceed step by step to infiltrate targeted system and achieve the goal. We take malware family DroidKungFu as a case study to illustrate that the generated family signature indeed captures key malicious activities of the family.
{"title":"ANTSdroid: Using RasMMA Algorithm to Generate Malware Behavior Characteristics of Android Malware Family","authors":"Shun-Chieh Chang, Yeali S. Sun, Wu-Long Chuang, Meng Chang Chen, Bo Sun, Takeshi Takahashi","doi":"10.1109/PRDC.2018.00047","DOIUrl":"https://doi.org/10.1109/PRDC.2018.00047","url":null,"abstract":"Malware developers often use various obfuscation techniques to generate polymorphic and metamorphic versions of malicious programs. As a result, variants of a malware family generally exhibit resembling behavior, and most importantly, they possess certain common essential codes so to achieve the same designed purpose. Meantime, keeping up with new variants and generating signatures for each individual in a timely fashion has been costly and inefficient for anti-virus software companies. It motivates us the idea of no more dancing with variants. In this paper, we aim to find a malware family's main characteristic operations or activities directly related to its intent. We propose a novel automatic dynamic Android profiling system and malware family runtime behavior signature generation method called Runtime API sequence Motif Mining Algorithm (RasMMA) based on the analysis of the sensitive and permission-related execution traces of the threads and processes of a set of variant APKs of a malware family. We show the effectiveness of using the generated family signature to detect new variants using real-world dataset. Moreover, current anti-malware tools usually treat detection models as a black box for classification and offer little explanations on how malwares behave and how they proceed step by step to infiltrate targeted system and achieve the goal. We take malware family DroidKungFu as a case study to illustrate that the generated family signature indeed captures key malicious activities of the family.","PeriodicalId":409301,"journal":{"name":"2018 IEEE 23rd Pacific Rim International Symposium on Dependable Computing (PRDC)","volume":"18 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132117411","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
This paper proposes a method to protect block chains, which is transaction records in virtual currency such as Bitcoin, from majority voting attacks. In the proposed method, it is difficult to acquire consecutive blocks by increasing the difficulty level of the search problem for the node that acquired the block.
{"title":"An Attack-Tolerant Agreement Algorithm for Block Chain","authors":"M. Kitakami, Kazuki Matsuoka","doi":"10.1109/PRDC.2018.00041","DOIUrl":"https://doi.org/10.1109/PRDC.2018.00041","url":null,"abstract":"This paper proposes a method to protect block chains, which is transaction records in virtual currency such as Bitcoin, from majority voting attacks. In the proposed method, it is difficult to acquire consecutive blocks by increasing the difficulty level of the search problem for the node that acquired the block.","PeriodicalId":409301,"journal":{"name":"2018 IEEE 23rd Pacific Rim International Symposium on Dependable Computing (PRDC)","volume":"14 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129404996","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
The prevalent use of mobile applications in enterprise computing requires more stringent yet flexible enforcement of security policies on the mobile devices. Existing enforcement mechanisms such as mobile device management system focus on the management of device features and cannot cover the diverse security policies of enterprise applications precisely. We address the challenge by proposing a novel security policy enforcement system based on Plugin framework. The system provides fine-grained security policy enforcement at each library call site in an application. With root privilege (targeting company-owned devices), fine-grained enforcement can be applied to any application. Without root privilege (targeting BYOD devices), fine-grained enforcement can be applied to the applications installed via the enforcement system.
{"title":"Enforcing Enterprise Mobile Application Security Policy with Plugin Framework","authors":"Pang-Yang Chu, Wei-Huan Lu, Jun-Wei Lin, Yu-Sung Wu","doi":"10.1109/PRDC.2018.00048","DOIUrl":"https://doi.org/10.1109/PRDC.2018.00048","url":null,"abstract":"The prevalent use of mobile applications in enterprise computing requires more stringent yet flexible enforcement of security policies on the mobile devices. Existing enforcement mechanisms such as mobile device management system focus on the management of device features and cannot cover the diverse security policies of enterprise applications precisely. We address the challenge by proposing a novel security policy enforcement system based on Plugin framework. The system provides fine-grained security policy enforcement at each library call site in an application. With root privilege (targeting company-owned devices), fine-grained enforcement can be applied to any application. Without root privilege (targeting BYOD devices), fine-grained enforcement can be applied to the applications installed via the enforcement system.","PeriodicalId":409301,"journal":{"name":"2018 IEEE 23rd Pacific Rim International Symposium on Dependable Computing (PRDC)","volume":"45 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130242640","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Bo-Chen Tai, Szu-Chuang Li, Yennun Huang, N. Suri, Pang-Chieh Wang
It is important to facilitate data sharing between data owners and data analysts as data owners do not always have the ability to process and analyze data. For example, governments around the world are starting to release collected data to the public to leverage data analysis competence of the crowd. However, some privacy leakage incidents have made the public to rediscover the importance of privacy protection, leading to new privacy regulations. In existing researches dimensionality reduction has played an important role in private data release mechanisms to improve utility but its influence on privacy protection has never been examined. In this study, we perform a series of experiments and found that dimensionality reduction could provide similar privacy protection effects as K-anonymity mechanisms, and it could work as a preprocessor of K-anonymity process to it to reduce the generalization and suppression needed.
{"title":"Exploring the Relationship Between Dimensionality Reduction and Private Data Release","authors":"Bo-Chen Tai, Szu-Chuang Li, Yennun Huang, N. Suri, Pang-Chieh Wang","doi":"10.1109/PRDC.2018.00013","DOIUrl":"https://doi.org/10.1109/PRDC.2018.00013","url":null,"abstract":"It is important to facilitate data sharing between data owners and data analysts as data owners do not always have the ability to process and analyze data. For example, governments around the world are starting to release collected data to the public to leverage data analysis competence of the crowd. However, some privacy leakage incidents have made the public to rediscover the importance of privacy protection, leading to new privacy regulations. In existing researches dimensionality reduction has played an important role in private data release mechanisms to improve utility but its influence on privacy protection has never been examined. In this study, we perform a series of experiments and found that dimensionality reduction could provide similar privacy protection effects as K-anonymity mechanisms, and it could work as a preprocessor of K-anonymity process to it to reduce the generalization and suppression needed.","PeriodicalId":409301,"journal":{"name":"2018 IEEE 23rd Pacific Rim International Symposium on Dependable Computing (PRDC)","volume":"24 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131734041","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Software-defined networking (SDN) eases the management of large-scale network by providing centralized and programmable control of a network. The centralization inevitably creates a single point of failure and requires the use of redundant controllers. However, due to the need for replicating the SDN application states, existing solutions tend to assume that the controllers are of the same type. This imposes an undesirable trade-off between cost and availability as each active controller would require a dedicated standby controller of the same type. We propose semantic failover to address the issue, which allows generic failover across any types of controllers. Semantic failover models the SDN application states from the control plane messages and restores the application states by invoking the northbound API on the standby controller. It is thereby not dependent on specific types of controllers. The prototype system was tested on real-world SDN controllers, and the evaluation results have demonstrated the potentials of semantic failover for both homogenous and heterogeneous controller pairs.
{"title":"Semantic Failover in Software-Defined Networking","authors":"Shu-Wen Hsueh, Tung-Yueh Lin, Weng-Ian Lei, Chi-Leung Patrick Ngai, Yu-Hang Sheng, Yu-Sung Wu","doi":"10.1109/PRDC.2018.00052","DOIUrl":"https://doi.org/10.1109/PRDC.2018.00052","url":null,"abstract":"Software-defined networking (SDN) eases the management of large-scale network by providing centralized and programmable control of a network. The centralization inevitably creates a single point of failure and requires the use of redundant controllers. However, due to the need for replicating the SDN application states, existing solutions tend to assume that the controllers are of the same type. This imposes an undesirable trade-off between cost and availability as each active controller would require a dedicated standby controller of the same type. We propose semantic failover to address the issue, which allows generic failover across any types of controllers. Semantic failover models the SDN application states from the control plane messages and restores the application states by invoking the northbound API on the standby controller. It is thereby not dependent on specific types of controllers. The prototype system was tested on real-world SDN controllers, and the evaluation results have demonstrated the potentials of semantic failover for both homogenous and heterogeneous controller pairs.","PeriodicalId":409301,"journal":{"name":"2018 IEEE 23rd Pacific Rim International Symposium on Dependable Computing (PRDC)","volume":"196 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116148659","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Angelos Oikonomopoulos, Remco Vermeulen, Cristiano Giuffrida, H. Bos
Information on the identity of functions is typically removed when translating source code to executable form. Yet being able to recognize specific functions opens up a number of applications. In this paper, we investigate normalization-based approaches for the purposes of aiding the reverse engineer and as an enabler for the rejuvenation of legacy binaries. We iteratively refine our methods and report on their effectiveness. Our results show that a naive approach can be surprisingly effective in both problem domains. Further, our evaluation looks into more advanced normalization techniques and finds that their practicality varies significantly with the problem domain.
{"title":"On the Effectiveness of Code Normalization for Function Identification","authors":"Angelos Oikonomopoulos, Remco Vermeulen, Cristiano Giuffrida, H. Bos","doi":"10.1109/PRDC.2018.00045","DOIUrl":"https://doi.org/10.1109/PRDC.2018.00045","url":null,"abstract":"Information on the identity of functions is typically removed when translating source code to executable form. Yet being able to recognize specific functions opens up a number of applications. In this paper, we investigate normalization-based approaches for the purposes of aiding the reverse engineer and as an enabler for the rejuvenation of legacy binaries. We iteratively refine our methods and report on their effectiveness. Our results show that a naive approach can be surprisingly effective in both problem domains. Further, our evaluation looks into more advanced normalization techniques and finds that their practicality varies significantly with the problem domain.","PeriodicalId":409301,"journal":{"name":"2018 IEEE 23rd Pacific Rim International Symposium on Dependable Computing (PRDC)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116867500","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Blockchains are used to perform state agreement in a distributed system. However, there is no way to validate off-chain actions, such as physical actions, in the current architecture. This paper proposes a new blockchain architecture which features locally physically-verified transactions. From this new architecture, this paper presents a protocol for securing vehicular ad-hoc networks (VANETs) without the need to constantly communicate with roadside units (RSUs) or other infrastructure components. However, issues such as privacy in VANETs and Blockchains are left to future work. This paper shows the results from simulations of the current system in order to note its weaknesses. In particular, this paper can be used as a benchmark to show that ideas such as Proof-of-Work and full blockchain validation cannot work in a purely peer-to-peer VANET.
{"title":"Cyber-Physical Transactions: A Method for Securing VANETs with Blockchains","authors":"Matthew Wagner, B. McMillin","doi":"10.1109/PRDC.2018.00017","DOIUrl":"https://doi.org/10.1109/PRDC.2018.00017","url":null,"abstract":"Blockchains are used to perform state agreement in a distributed system. However, there is no way to validate off-chain actions, such as physical actions, in the current architecture. This paper proposes a new blockchain architecture which features locally physically-verified transactions. From this new architecture, this paper presents a protocol for securing vehicular ad-hoc networks (VANETs) without the need to constantly communicate with roadside units (RSUs) or other infrastructure components. However, issues such as privacy in VANETs and Blockchains are left to future work. This paper shows the results from simulations of the current system in order to note its weaknesses. In particular, this paper can be used as a benchmark to show that ideas such as Proof-of-Work and full blockchain validation cannot work in a purely peer-to-peer VANET.","PeriodicalId":409301,"journal":{"name":"2018 IEEE 23rd Pacific Rim International Symposium on Dependable Computing (PRDC)","volume":"179 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115460580","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: