Due to the vast testing space, the increasing demand for effective and�efficient testing of deep neural networks (DNNs) has led to the development of�various DNN test case prioritization techniques. However, the fact that DNNs�can deliver high-confidence predictions for incorrectly predicted examples,�known as the over-confidence problem, causes these methods to fail to reveal�high-confidence errors. To address this limitation, in this work, we propose�FAST, a method that boosts existing prioritization methods through guided�FeAture SelecTion. FAST is based on the insight that certain features may�introduce noise that affects the model's output confidence, thereby�contributing to high-confidence errors. It quantifies the importance of each�feature for the model's correct predictions, and then dynamically prunes the�information from the noisy features during inference to derive a new�probability vector for the uncertainty estimation. With the help of FAST, the�high-confidence errors and correctly classified examples become more�distinguishable, resulting in higher APFD (Average Percentage of Fault�Detection) values for test prioritization, and higher generalization ability�for model enhancement. We conduct extensive experiments to evaluate FAST across�a diverse set of model structures on multiple benchmark datasets to validate�the effectiveness, efficiency, and scalability of FAST compared to the�state-of-the-art prioritization techniques.
由于测试空间广阔,对深度神经网络(DNN)进行有效和高效测试的需求与日俱增,因此开发了各种 DNN 测试用例优先级排序技术。然而,由于 DNN 可以为预测错误的示例提供高置信度预测,即所谓的过置信度问题,导致这些方法无法揭示高置信度错误。为了解决这一局限性,我们在这项工作中提出了 FAST 方法,该方法通过引导图像选择来提升现有的优先级排序方法。FAST 基于这样一种认识:某些特征可能会带来噪声,影响模型输出的置信度,从而导致高置信度错误。它量化了每个特征对模型正确预测的重要性,然后在推理过程中动态修剪噪声特征信息,为不确定性估计导出新的概率向量。在 FAST 的帮助下,高置信度错误和正确分类的示例变得更加难以区分,从而为测试优先级的确定带来更高的 APFD(平均故障检测百分比)值,并为模型的增强带来更高的泛化能力。我们进行了广泛的实验,在多个基准数据集上对 FAST 的各种模型结构进行了评估,从而验证了 FAST 与最先进的优先级排序技术相比的有效性、效率和可扩展性。
{"title":"FAST: Boosting Uncertainty-based Test Prioritization Methods for Neural Networks via Feature Selection","authors":"Jialuo Chen, Jingyi Wang, Xiyue Zhang, Youcheng Sun, Marta Kwiatkowska, Jiming Chen, Peng Cheng","doi":"arxiv-2409.09130","DOIUrl":"https://doi.org/arxiv-2409.09130","url":null,"abstract":"Due to the vast testing space, the increasing demand for effective and\u0000efficient testing of deep neural networks (DNNs) has led to the development of\u0000various DNN test case prioritization techniques. However, the fact that DNNs\u0000can deliver high-confidence predictions for incorrectly predicted examples,\u0000known as the over-confidence problem, causes these methods to fail to reveal\u0000high-confidence errors. To address this limitation, in this work, we propose\u0000FAST, a method that boosts existing prioritization methods through guided\u0000FeAture SelecTion. FAST is based on the insight that certain features may\u0000introduce noise that affects the model's output confidence, thereby\u0000contributing to high-confidence errors. It quantifies the importance of each\u0000feature for the model's correct predictions, and then dynamically prunes the\u0000information from the noisy features during inference to derive a new\u0000probability vector for the uncertainty estimation. With the help of FAST, the\u0000high-confidence errors and correctly classified examples become more\u0000distinguishable, resulting in higher APFD (Average Percentage of Fault\u0000Detection) values for test prioritization, and higher generalization ability\u0000for model enhancement. We conduct extensive experiments to evaluate FAST across\u0000a diverse set of model structures on multiple benchmark datasets to validate\u0000the effectiveness, efficiency, and scalability of FAST compared to the\u0000state-of-the-art prioritization techniques.","PeriodicalId":501278,"journal":{"name":"arXiv - CS - Software Engineering","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2024-09-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142261403","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Altaf Allah Abbassi, Houssem Ben Braiek, Foutse Khomh, Thomas Reid
The industry increasingly relies on deep learning (DL) technology for�manufacturing inspections, which are challenging to automate with rule-based�machine vision algorithms. DL-powered inspection systems derive defect patterns�from labeled images, combining human-like agility with the consistency of a�computerized system. However, finite labeled datasets often fail to encompass�all natural variations necessitating Continuous Training (CT) to regularly�adjust their models with recent data. Effective CT requires fresh labeled�samples from the original distribution; otherwise, selfgenerated labels can�lead to silent performance degradation. To mitigate this risk, we develop a�robust CT-based maintenance approach that updates DL models using reliable data�selections through a two-stage filtering process. The initial stage filters out�low-confidence predictions, as the model inherently discredits them. The second�stage uses variational auto-encoders and histograms to generate image�embeddings that capture latent and pixel characteristics, then rejects the�inputs of substantially shifted embeddings as drifted data with erroneous�overconfidence. Then, a fine-tuning of the original DL model is executed on the�filtered inputs while validating on a mixture of recent production and original�datasets. This strategy mitigates catastrophic forgetting and ensures the model�adapts effectively to new operational conditions. Evaluations on industrial�inspection systems for popsicle stick prints and glass bottles using critical�real-world datasets showed less than 9% of erroneous self-labeled data are�retained after filtering and used for fine-tuning, improving model performance�on production data by up to 14% without compromising its results on original�validation data.
{"title":"Trimming the Risk: Towards Reliable Continuous Training for Deep Learning Inspection Systems","authors":"Altaf Allah Abbassi, Houssem Ben Braiek, Foutse Khomh, Thomas Reid","doi":"arxiv-2409.09108","DOIUrl":"https://doi.org/arxiv-2409.09108","url":null,"abstract":"The industry increasingly relies on deep learning (DL) technology for\u0000manufacturing inspections, which are challenging to automate with rule-based\u0000machine vision algorithms. DL-powered inspection systems derive defect patterns\u0000from labeled images, combining human-like agility with the consistency of a\u0000computerized system. However, finite labeled datasets often fail to encompass\u0000all natural variations necessitating Continuous Training (CT) to regularly\u0000adjust their models with recent data. Effective CT requires fresh labeled\u0000samples from the original distribution; otherwise, selfgenerated labels can\u0000lead to silent performance degradation. To mitigate this risk, we develop a\u0000robust CT-based maintenance approach that updates DL models using reliable data\u0000selections through a two-stage filtering process. The initial stage filters out\u0000low-confidence predictions, as the model inherently discredits them. The second\u0000stage uses variational auto-encoders and histograms to generate image\u0000embeddings that capture latent and pixel characteristics, then rejects the\u0000inputs of substantially shifted embeddings as drifted data with erroneous\u0000overconfidence. Then, a fine-tuning of the original DL model is executed on the\u0000filtered inputs while validating on a mixture of recent production and original\u0000datasets. This strategy mitigates catastrophic forgetting and ensures the model\u0000adapts effectively to new operational conditions. Evaluations on industrial\u0000inspection systems for popsicle stick prints and glass bottles using critical\u0000real-world datasets showed less than 9% of erroneous self-labeled data are\u0000retained after filtering and used for fine-tuning, improving model performance\u0000on production data by up to 14% without compromising its results on original\u0000validation data.","PeriodicalId":501278,"journal":{"name":"arXiv - CS - Software Engineering","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2024-09-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142261406","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
As Autonomous driving systems (ADS) have transformed our daily life, safety�of ADS is of growing significance. While various testing approaches have�emerged to enhance the ADS reliability, a crucial gap remains in understanding�the accidents causes. Such post-accident analysis is paramount and beneficial�for enhancing ADS safety and reliability. Existing cyber-physical system (CPS)�root cause analysis techniques are mainly designed for drones and cannot handle�the unique challenges introduced by more complex physical environments and deep�learning models deployed in ADS. In this paper, we address the gap by offering�a formal definition of ADS root cause analysis problem and introducing ROCAS, a�novel ADS root cause analysis framework featuring cyber-physical co-mutation.�Our technique uniquely leverages both physical and cyber mutation that can�precisely identify the accident-trigger entity and pinpoint the�misconfiguration of the target ADS responsible for an accident. We further�design a differential analysis to identify the responsible module to reduce�search space for the misconfiguration. We study 12 categories of ADS accidents�and demonstrate the effectiveness and efficiency of ROCAS in narrowing down�search space and pinpointing the misconfiguration. We also show detailed case�studies on how the identified misconfiguration helps understand rationale�behind accidents.
{"title":"ROCAS: Root Cause Analysis of Autonomous Driving Accidents via Cyber-Physical Co-mutation","authors":"Shiwei Feng, Yapeng Ye, Qingkai Shi, Zhiyuan Cheng, Xiangzhe Xu, Siyuan Cheng, Hongjun Choi, Xiangyu Zhang","doi":"arxiv-2409.07774","DOIUrl":"https://doi.org/arxiv-2409.07774","url":null,"abstract":"As Autonomous driving systems (ADS) have transformed our daily life, safety\u0000of ADS is of growing significance. While various testing approaches have\u0000emerged to enhance the ADS reliability, a crucial gap remains in understanding\u0000the accidents causes. Such post-accident analysis is paramount and beneficial\u0000for enhancing ADS safety and reliability. Existing cyber-physical system (CPS)\u0000root cause analysis techniques are mainly designed for drones and cannot handle\u0000the unique challenges introduced by more complex physical environments and deep\u0000learning models deployed in ADS. In this paper, we address the gap by offering\u0000a formal definition of ADS root cause analysis problem and introducing ROCAS, a\u0000novel ADS root cause analysis framework featuring cyber-physical co-mutation.\u0000Our technique uniquely leverages both physical and cyber mutation that can\u0000precisely identify the accident-trigger entity and pinpoint the\u0000misconfiguration of the target ADS responsible for an accident. We further\u0000design a differential analysis to identify the responsible module to reduce\u0000search space for the misconfiguration. We study 12 categories of ADS accidents\u0000and demonstrate the effectiveness and efficiency of ROCAS in narrowing down\u0000search space and pinpointing the misconfiguration. We also show detailed case\u0000studies on how the identified misconfiguration helps understand rationale\u0000behind accidents.","PeriodicalId":501278,"journal":{"name":"arXiv - CS - Software Engineering","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2024-09-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142222817","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
In open-source software (OSS), software vulnerabilities have significantly�increased. Although researchers have investigated the perspectives of�vulnerability reporters and OSS contributor security practices, understanding�the perspectives of OSS maintainers on vulnerability management and platform�security features is currently understudied. In this paper, we investigate the�perspectives of OSS maintainers who maintain projects listed in the GitHub�Advisory Database. We explore this area by conducting two studies: identifying�aspects through a listing survey ($n_1=80$) and gathering insights from�semi-structured interviews ($n_2=22$). Of the 37 identified aspects, we find�that supply chain mistrust and lack of automation for vulnerability management�are the most challenging, and barriers to adopting platform security features�include a lack of awareness and the perception that they are not necessary.�Surprisingly, we find that despite being previously vulnerable, some�maintainers still allow public vulnerability reporting, or ignore reports�altogether. Based on our findings, we discuss implications for OSS platforms�and how the research community can better support OSS vulnerability management�efforts.
{"title":"A Mixed-Methods Study of Open-Source Software Maintainers On Vulnerability Management and Platform Security Features","authors":"Jessy Ayala, Yu-Jye Tung, Joshua Garcia","doi":"arxiv-2409.07669","DOIUrl":"https://doi.org/arxiv-2409.07669","url":null,"abstract":"In open-source software (OSS), software vulnerabilities have significantly\u0000increased. Although researchers have investigated the perspectives of\u0000vulnerability reporters and OSS contributor security practices, understanding\u0000the perspectives of OSS maintainers on vulnerability management and platform\u0000security features is currently understudied. In this paper, we investigate the\u0000perspectives of OSS maintainers who maintain projects listed in the GitHub\u0000Advisory Database. We explore this area by conducting two studies: identifying\u0000aspects through a listing survey ($n_1=80$) and gathering insights from\u0000semi-structured interviews ($n_2=22$). Of the 37 identified aspects, we find\u0000that supply chain mistrust and lack of automation for vulnerability management\u0000are the most challenging, and barriers to adopting platform security features\u0000include a lack of awareness and the perception that they are not necessary.\u0000Surprisingly, we find that despite being previously vulnerable, some\u0000maintainers still allow public vulnerability reporting, or ignore reports\u0000altogether. Based on our findings, we discuss implications for OSS platforms\u0000and how the research community can better support OSS vulnerability management\u0000efforts.","PeriodicalId":501278,"journal":{"name":"arXiv - CS - Software Engineering","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2024-09-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142222819","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
An Guo, Yuan Zhou, Haoxiang Tian, Chunrong Fang, Yunjian Sun, Weisong Sun, Xinyu Gao, Anh Tuan Luu, Yang Liu, Zhenyu Chen
Autonomous driving systems (ADSs) have undergone remarkable development and�are increasingly employed in safety-critical applications. However, recently�reported data on fatal accidents involving ADSs suggests that the desired level�of safety has not yet been fully achieved. Consequently, there is a growing�need for more comprehensive and targeted testing approaches to ensure safe�driving. Scenarios from real-world accident reports provide valuable resources�for ADS testing, including critical scenarios and high-quality seeds. However,�existing scenario reconstruction methods from accident reports often exhibit�limited accuracy in information extraction. Moreover, due to the diversity and�complexity of road environments, matching current accident information with the�simulation map data for reconstruction poses significant challenges. In this�paper, we design and implement SoVAR, a tool for automatically generating�road-generalizable scenarios from accident reports. SoVAR utilizes�well-designed prompts with linguistic patterns to guide the large language�model in extracting accident information from textual data. Subsequently, it�formulates and solves accident-related constraints in conjunction with the�extracted accident information to generate accident trajectories. Finally,�SoVAR reconstructs accident scenarios on various map structures and converts�them into test scenarios to evaluate its capability to detect defects in�industrial ADSs. We experiment with SoVAR, using accident reports from the�National Highway Traffic Safety Administration's database to generate test�scenarios for the industrial-grade ADS Apollo. The experimental findings�demonstrate that SoVAR can effectively generate generalized accident scenarios�across different road structures. Furthermore, the results confirm that SoVAR�identified 5 distinct safety violation types that contributed to the crash of�Baidu Apollo.
{"title":"SoVAR: Building Generalizable Scenarios from Accident Reports for Autonomous Driving Testing","authors":"An Guo, Yuan Zhou, Haoxiang Tian, Chunrong Fang, Yunjian Sun, Weisong Sun, Xinyu Gao, Anh Tuan Luu, Yang Liu, Zhenyu Chen","doi":"arxiv-2409.08081","DOIUrl":"https://doi.org/arxiv-2409.08081","url":null,"abstract":"Autonomous driving systems (ADSs) have undergone remarkable development and\u0000are increasingly employed in safety-critical applications. However, recently\u0000reported data on fatal accidents involving ADSs suggests that the desired level\u0000of safety has not yet been fully achieved. Consequently, there is a growing\u0000need for more comprehensive and targeted testing approaches to ensure safe\u0000driving. Scenarios from real-world accident reports provide valuable resources\u0000for ADS testing, including critical scenarios and high-quality seeds. However,\u0000existing scenario reconstruction methods from accident reports often exhibit\u0000limited accuracy in information extraction. Moreover, due to the diversity and\u0000complexity of road environments, matching current accident information with the\u0000simulation map data for reconstruction poses significant challenges. In this\u0000paper, we design and implement SoVAR, a tool for automatically generating\u0000road-generalizable scenarios from accident reports. SoVAR utilizes\u0000well-designed prompts with linguistic patterns to guide the large language\u0000model in extracting accident information from textual data. Subsequently, it\u0000formulates and solves accident-related constraints in conjunction with the\u0000extracted accident information to generate accident trajectories. Finally,\u0000SoVAR reconstructs accident scenarios on various map structures and converts\u0000them into test scenarios to evaluate its capability to detect defects in\u0000industrial ADSs. We experiment with SoVAR, using accident reports from the\u0000National Highway Traffic Safety Administration's database to generate test\u0000scenarios for the industrial-grade ADS Apollo. The experimental findings\u0000demonstrate that SoVAR can effectively generate generalized accident scenarios\u0000across different road structures. Furthermore, the results confirm that SoVAR\u0000identified 5 distinct safety violation types that contributed to the crash of\u0000Baidu Apollo.","PeriodicalId":501278,"journal":{"name":"arXiv - CS - Software Engineering","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2024-09-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142222814","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Despite the immense potential of AI-powered medical devices to revolutionize�healthcare, concerns regarding their safety in life-critical applications�remain. While the European regulatory framework provides a comprehensive�approach to medical device software development, it falls short in addressing�AI-specific considerations. This article proposes a model to bridge this gap by�extending the general idea of AI lifecycle with regulatory activities relevant�to AI-enabled medical systems.
{"title":"Towards regulatory compliant lifecycle for AI-based medical devices in EU: Industry perspectives","authors":"Tuomas Granlund, Vlad Stirbu, Tommi Mikkonen","doi":"arxiv-2409.08006","DOIUrl":"https://doi.org/arxiv-2409.08006","url":null,"abstract":"Despite the immense potential of AI-powered medical devices to revolutionize\u0000healthcare, concerns regarding their safety in life-critical applications\u0000remain. While the European regulatory framework provides a comprehensive\u0000approach to medical device software development, it falls short in addressing\u0000AI-specific considerations. This article proposes a model to bridge this gap by\u0000extending the general idea of AI lifecycle with regulatory activities relevant\u0000to AI-enabled medical systems.","PeriodicalId":501278,"journal":{"name":"arXiv - CS - Software Engineering","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2024-09-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142222815","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Hoare-style inference rules for program constructs permit the copying of�expressions and tests from program text into logical contexts. It is known that�this requires care even for sequential programs but further issues arise for�concurrent programs because of potential interference to the values of�variables. The "rely-guarantee" approach does tackle the issue of recording�acceptable interference and offers a way to provide safe inference rules. This�paper shows how the algebraic presentation of rely-guarantee ideas can clarify�and formalise the conditions for safely re-using expressions and tests from�program text in logical contexts for reasoning about programs.
{"title":"Handling expression evaluation under interference","authors":"Ian J. Hayes, Cliff B. Jones, Larissa A. Meinicke","doi":"arxiv-2409.07741","DOIUrl":"https://doi.org/arxiv-2409.07741","url":null,"abstract":"Hoare-style inference rules for program constructs permit the copying of\u0000expressions and tests from program text into logical contexts. It is known that\u0000this requires care even for sequential programs but further issues arise for\u0000concurrent programs because of potential interference to the values of\u0000variables. The \"rely-guarantee\" approach does tackle the issue of recording\u0000acceptable interference and offers a way to provide safe inference rules. This\u0000paper shows how the algebraic presentation of rely-guarantee ideas can clarify\u0000and formalise the conditions for safely re-using expressions and tests from\u0000program text in logical contexts for reasoning about programs.","PeriodicalId":501278,"journal":{"name":"arXiv - CS - Software Engineering","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2024-09-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142222866","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Researchers have investigated the bug bounty ecosystem from the lens of�platforms, programs, and bug hunters. Understanding the perspectives of bug�bounty report reviewers, especially those who historically lack a security�background and little to no funding for bug hunters, is currently understudied.�In this paper, we primarily investigate the perspective of open-source software�(OSS) maintainers who have used texttt{huntr}, a bug bounty platform that pays�bounties to bug hunters who find security bugs in GitHub projects and have had�valid vulnerabilities patched as a result. We address this area by conducting�three studies: identifying characteristics through a listing survey ($n_1=51$),�their ranked importance with Likert-scale survey data ($n_2=90$), and�conducting semi-structured interviews to dive deeper into real-world�experiences ($n_3=17$). As a result, we categorize 40 identified�characteristics into benefits, challenges, helpful features, and wanted�features. We find that private disclosure and project visibility are the most�important benefits, while hunters focused on money or CVEs and pressure to�review are the most challenging to overcome. Surprisingly, lack of�communication with bug hunters is the least challenging, and CVE creation�support is the second-least helpful feature for OSS maintainers when reviewing�bug bounty reports. We present recommendations to make the bug bounty review�process more accommodating to open-source maintainers and identify areas for�future work.
{"title":"A Deep Dive Into How Open-Source Project Maintainers Review and Resolve Bug Bounty Reports","authors":"Jessy Ayala, Steven Ngo, Joshua Garcia","doi":"arxiv-2409.07670","DOIUrl":"https://doi.org/arxiv-2409.07670","url":null,"abstract":"Researchers have investigated the bug bounty ecosystem from the lens of\u0000platforms, programs, and bug hunters. Understanding the perspectives of bug\u0000bounty report reviewers, especially those who historically lack a security\u0000background and little to no funding for bug hunters, is currently understudied.\u0000In this paper, we primarily investigate the perspective of open-source software\u0000(OSS) maintainers who have used texttt{huntr}, a bug bounty platform that pays\u0000bounties to bug hunters who find security bugs in GitHub projects and have had\u0000valid vulnerabilities patched as a result. We address this area by conducting\u0000three studies: identifying characteristics through a listing survey ($n_1=51$),\u0000their ranked importance with Likert-scale survey data ($n_2=90$), and\u0000conducting semi-structured interviews to dive deeper into real-world\u0000experiences ($n_3=17$). As a result, we categorize 40 identified\u0000characteristics into benefits, challenges, helpful features, and wanted\u0000features. We find that private disclosure and project visibility are the most\u0000important benefits, while hunters focused on money or CVEs and pressure to\u0000review are the most challenging to overcome. Surprisingly, lack of\u0000communication with bug hunters is the least challenging, and CVE creation\u0000support is the second-least helpful feature for OSS maintainers when reviewing\u0000bug bounty reports. We present recommendations to make the bug bounty review\u0000process more accommodating to open-source maintainers and identify areas for\u0000future work.","PeriodicalId":501278,"journal":{"name":"arXiv - CS - Software Engineering","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2024-09-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142227609","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Timothy Huo, Ana Catarina Araújo, Jake Imanaka, Anthony Peruma, Rick Kazman
The widespread use of smartphones and tablets has made society heavily�reliant on mobile applications (apps) for accessing various resources and�services. These apps often handle sensitive personal, financial, and health�data, making app security a critical concern for developers. While there is�extensive research on software security topics like malware and�vulnerabilities, less is known about the practical security challenges mobile�app developers face and the guidance they seek. rev{In this study, we mine�Stack Overflow for questions on mobile app security, which we analyze using�quantitative and qualitative techniques.} The findings reveal that Stack�Overflow is a major resource for developers seeking help with mobile app�security, especially for Android apps, and identifies seven main categories of�security questions: Secured Communications, Database, App Distribution Service,�Encryption, Permissions, File-Specific, and General Security. Insights from�this research can inform the development of tools, techniques, and resources by�the research and vendor community to better support developers in securing�their mobile apps.
{"title":"Mobile App Security Trends and Topics: An Examination of Questions From Stack Overflow","authors":"Timothy Huo, Ana Catarina Araújo, Jake Imanaka, Anthony Peruma, Rick Kazman","doi":"arxiv-2409.07926","DOIUrl":"https://doi.org/arxiv-2409.07926","url":null,"abstract":"The widespread use of smartphones and tablets has made society heavily\u0000reliant on mobile applications (apps) for accessing various resources and\u0000services. These apps often handle sensitive personal, financial, and health\u0000data, making app security a critical concern for developers. While there is\u0000extensive research on software security topics like malware and\u0000vulnerabilities, less is known about the practical security challenges mobile\u0000app developers face and the guidance they seek. rev{In this study, we mine\u0000Stack Overflow for questions on mobile app security, which we analyze using\u0000quantitative and qualitative techniques.} The findings reveal that Stack\u0000Overflow is a major resource for developers seeking help with mobile app\u0000security, especially for Android apps, and identifies seven main categories of\u0000security questions: Secured Communications, Database, App Distribution Service,\u0000Encryption, Permissions, File-Specific, and General Security. Insights from\u0000this research can inform the development of tools, techniques, and resources by\u0000the research and vendor community to better support developers in securing\u0000their mobile apps.","PeriodicalId":501278,"journal":{"name":"arXiv - CS - Software Engineering","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2024-09-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142222849","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Nowadays, companies are highly exposed to cyber security threats. In many�industrial domains, protective measures are being deployed and actively�supported by standards. However the global process remains largely dependent on�document driven approach or partial modelling which impacts both the efficiency�and effectiveness of the cybersecurity process from the risk analysis step. In�this paper, we report on our experience in applying a model-driven approach on�the initial risk analysis step in connection with a later security testing. Our�work rely on a common metamodel which is used to map, synchronise and ensure�information traceability across different tools. We validate our approach using�different scenarios relying domain modelling, system modelling, risk assessment�and security testing tools.
{"title":"Building a Cybersecurity Risk Metamodel for Improved Method and Tool Integration","authors":"Christophe Ponsard","doi":"arxiv-2409.07906","DOIUrl":"https://doi.org/arxiv-2409.07906","url":null,"abstract":"Nowadays, companies are highly exposed to cyber security threats. In many\u0000industrial domains, protective measures are being deployed and actively\u0000supported by standards. However the global process remains largely dependent on\u0000document driven approach or partial modelling which impacts both the efficiency\u0000and effectiveness of the cybersecurity process from the risk analysis step. In\u0000this paper, we report on our experience in applying a model-driven approach on\u0000the initial risk analysis step in connection with a later security testing. Our\u0000work rely on a common metamodel which is used to map, synchronise and ensure\u0000information traceability across different tools. We validate our approach using\u0000different scenarios relying domain modelling, system modelling, risk assessment\u0000and security testing tools.","PeriodicalId":501278,"journal":{"name":"arXiv - CS - Software Engineering","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2024-09-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142222865","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: