Visible to the public Usable Formal Methods for the Design and Composition of Security and Privacy Policies (CMU/UTSA Collaborative Proposal) - October 2016Conflict Detection Enabled

Submitted by Jamie Presken on Thu, 09/15/2016 - 8:09am

Public Audience
Purpose: To highlight progress. Information is generally at a higher level which is accessible to the interested public.

PI(s): Travis Breaux (CMU), Jianwei Niu (UTSA)
Researchers:

1) HARD PROBLEM(S) ADDRESSED (with short descriptions)

This refers to Hard Problems, released November 2012.

  • Security-Metrics-Driven-Evaluation, Design, Development and Deployment. Our research evaluates how designers select and apply security patterns in response to attack patterns. The evaluation is based on metrics embodied in formal models of attack scenarios that will be used to measure security risk and promote risk reduction strategies based on assurance cases constructed by the analyst.
  • Understanding and Accounting for Human Behavior. Our research applies theory from psychology concerning how designers comprehend and interpret their environment, how they plan and project software-based solutions into the future, with the aim of better understanding how these activities exist in designing more secure systems. These are not typical models of attackers and defenders, but models of developer behavior, including our ability to influence that behavior with tool-based interventions.

2) PUBLICATIONS

  1. H. Hibshi, T.D. Breaux, C. Wagner. "Improving Security Requirements Adequacy: An Interval Type 2 Fuzzy Logic Security Assessment System," To Appear: IEEE Symposium Series on Computational Intelligence (SSCI'16), Athens, Greece, 2016.
  2. H. Hibshi, T. Breaux, M. Riaz, L. Williams. "A Grounded Analysis of Experts' Decision-Making During Security Assessments," Journal of Cybersecurity, Oxford Press, published online 5 October 2016.
  3. J. Bhatia, M. Evans, S. Wadkar, T.D. Breaux. "Automated Extraction of Regulated Information Types using Hyponymy Relations," Accepted To: IEEE Workshop on Artificial Intelligence and Requirements Engineering, 2016.
  4. R. Slavin, X. Wang, M.B. Hosseini, W. Hester, R. Krishnan, J. Bhatia, T.D. Breaux, J. Niu. "Toward a Framework for Detecting Privacy Policy Violation in Android Application Code," To Appear: ACM/IEEE 38th International Software Engineering Conference, Austin, Texas, pp. 25-36, 2016.
  5. Hui Shen, Ram Krishnan, Rocky Slavin, and Jianwei Niu. "Sequence Diagram Aided Privacy Policy Specification", IEEE Transactions on Dependable and Secure Computing, 13(3): 381-393, 2016.
  6. T. MacGahan, C. Johnson, A. L. Rodriguez, M. Appleby, J. Niu, J. von Ronne. "Towards Verified Privacy Policy Compliance of an Actor-based Electronic Medical Record Systems", extended abstract accepted to ACM SIGPLAN workshop AGERE! 2015.
  7. J. Shahen, J. Niu, M. Tripunitara. "Mohawk+T: Efficient Analysis of Administrative Temporal Role-Based Access Control (ATRBAC) Policies," 20th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 15-26, June 2015.
  8. H. Hibshi, T. D. Breaux, S. B. Broomell, "Assessment of Risk Perception in Security Requirements Composition." IEEE 23rd International Requirements Engineering Conference (RE'15), pp. 146-155, 2015.
  9. T. D. Breaux, D. Smullen, H. Hibshi. "Detecting Repurposing and Over-collection in Multi-Party Privacy Requirements Specifications." IEEE 23rd International Requirements Engineering Conference (RE'15), Ottawa, Canada, pp. 166-175, 2015.
  10. Riaz, M., Breaux, T., Williams, L. "How have we evaluated software pattern application? A systematic mapping study of research design practice," Information and Software Technology, 65: 14-38, 2015
  11. H. Hibshi, T. Breaux, M. Riaz, L. Williams. "A Framework to Measure Experts' Decision Making in Security Requirements Analysis," IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, pp. 13-18, 2014.
  12. R. Slavin, J.-M. Lehker, J. Niu, T. Breaux. "Managing Security Requirement Patterns Using Feature Diagram Hierarchies," IEEE 22nd International Requirements Engineering Conference, pp. 193-202, 2014.
  13. Slankas, J., Riaz, M. King, J., Williams, L. "Discovering Security Requirements from Natural Language," IEEE 22nd International Requirements Engineering Conference, 2014.
  14. Rao, H. Hibshi, T. Breaux, J-M. Lehker, J. Niu, "Less is More? Investigating the Role of Examples in Security Studies using Analogical Transfer," 2014 Symposium and Bootcamp on the Science of Security (HotSoS), Article 7.
  15. H. Hibshi, R. Slavin, J. Niu, T. Breaux, "Rethinking Security Requirements in RE Research," University of Texas at San Antonio, Technical Report #CS-TR-2014-001, January, 2014
  16. Breaux, T., Hibshi, H., Rao, A., Lehker, J.-M. "Towards a Framework for Pattern Experimentation: Understanding empirical validity in requirements engineering patterns." IEEE 2nd Workshop on Requirements Engineering Patterns (RePa'12), Chicago, Illinois, Sep. 2012, pp. 41-47.
  17. Slavin, R., Shen, H., Niu, J., "Characterizations and Boundaries of Security Requirements Patterns," IEEE 2nd Workshop on Requirements Engineering Patterns (RePa'12), Chicago, Illinois, Sep. 2012, pp. 48-53.

3) KEY HIGHLIGHTS

Mobile applications frequently access sensitive personal information to meet user or business requirements. Because this information is sensitive, regulators increasingly require mobile app developers to publish privacy policies that describe what information is collected, for what purpose is the information used and with whom it is shared. Furthermore, regulators have fined companies when these policies are inconsistent with the actual data practices of mobile apps. To help app developers check their privacy policies against their apps for consistency, we propose a semi-automated framework that consists of a policy terminology-API map that links policy phrases to API functions that process sensitive information, and information flow analysis to detect misalignments. We present our results from a collection of API to policy phrase mappings followed by a case study of 501 top Android apps that discovered 63 potential privacy policy violations.

R. Slavin, X. Wang, M.B. Hosseini, W. Hester, R. Krishnan, J. Bhatia, T.D. Breaux, J. Niu. "Toward a Framework for Detecting Privacy Policy Violation in Android Application Code," ACM/IEEE 38th International Software Engineering Conference, Austin, Texas, pp. 25-36, 2016.

Groups: