Visible to the public Biblio

Filters: Author is Xusheng Xiao, NEC Laboratories America  [Clear All Filters]
2016-07-13
Sihan Li, University of Illinois at Urbana-Champaign, Xusheng Xiao, NEC Laboratories America, Blake Bassett, University of Illinois at Urbana-Champaign, Tao Xie, University of Illinois at Urbana-Champaign, Nikolai Tillmann, Microsoft Research.  2016.  Measuring Code Behavioral Similarity for Programming and Software Engineering Education. 38th International Conference on Software Engineering.

In recent years, online programming and software engineering education via information technology has gained a lot of popularity. Typically, popular courses often have hundreds or thousands of students but only a few course sta members. Tool automation is needed to maintain the quality of education. In this paper, we envision that the capability of quantifying behavioral similarity between programs is helpful for teaching and learning programming and software engineering, and propose three metrics that approximate the computation of behavioral similarity. Speci cally, we leverage random testing and dynamic symbolic execution (DSE) to generate test inputs, and run programs on these test inputs to compute metric values of the behavioral similarity. We evaluate our metrics on three real-world data sets from the Pex4Fun platform (which so far has accumulated more than 1.7 million game-play interactions). The results show that our metrics provide highly accurate approximation to the behavioral similarity. We also demonstrate a number of practical applications of our metrics including hint generation, progress indication, and automatic grading.

 

2015-11-17
Xusheng Xiao, NEC Laboratories America, Nikolai Tillmann, Microsoft Research, Manuel Fahndrich, Microsoft Research, Jonathan de Halleux, Microsoft Research, Michal Moskal, Microsoft Research, Tao Xie, University of Illinois at Urbana-Champaign.  2015.  User-Aware Privacy Control via Extended Static-Information-Flow Analysis. Automated Software Engineering Journal. 22(3)

Applications in mobile marketplaces may leak private user information without notification. Existing mobile platforms provide little information on how applications use private user data, making it difficult for experts to validate appli- cations and for users to grant applications access to their private data. We propose a user-aware-privacy-control approach, which reveals how private information is used inside applications. We compute static information flows and classify them as safe/un- safe based on a tamper analysis that tracks whether private data is obscured before escaping through output channels. This flow information enables platforms to provide default settings that expose private data for only safe flows, thereby preserving privacy and minimizing decisions required from users. We build our approach into TouchDe- velop, an application-creation environment that allows users to write scripts on mobile devices and install scripts published by other users. We evaluate our approach by studying 546 scripts published by 194 users, and the results show that our approach effectively reduces the need to make access-granting choices to only 10.1 % (54) of all scripts. We also conduct a user survey that involves 50 TouchDevelop users to assess the effectiveness and usability of our approach. The results show that 90 % of the users consider our approach useful in protecting their privacy, and 54 % prefer our approach over other privacy-control approaches.

Wei Yang, University of Illinois at Urbana-Champaign, Xusheng Xiao, NEC Laboratories America, Benjamin Andow, North Carolina State University, Sihan Li, University of Illinois at Urbana-Champaign, Tao Xie, University of Illinois at Urbana-Champaign, William Enck, North Carolina State University.  2015.  AppContext: Differentiating Malicious and Benign Mobile App Behavior Under Context. 37th International Conference on Software Engineering (ICSE 2015).

Mobile malware attempts to evade detection during app analysis by mimicking security-sensitive behaviors of benign apps that provide similar functionality (e.g., sending SMS mes- sages), and suppressing their payload to reduce the chance of being observed (e.g., executing only its payload at night). Since current approaches focus their analyses on the types of security- sensitive resources being accessed (e.g., network), these evasive techniques in malware make differentiating between malicious and benign app behaviors a difficult task during app analysis. We propose that the malicious and benign behaviors within apps can be differentiated based on the contexts that trigger security- sensitive behaviors, i.e., the events and conditions that cause the security-sensitive behaviors to occur. In this work, we introduce AppContext, an approach of static program analysis that extracts the contexts of security-sensitive behaviors to assist app analysis in differentiating between malicious and benign behaviors. We implement a prototype of AppContext and evaluate AppContext on 202 malicious apps from various malware datasets, and 633 benign apps from the Google Play Store. AppContext correctly identifies 192 malicious apps with 87.7% precision and 95% recall. Our evaluation results suggest that the maliciousness of a security-sensitive behavior is more closely related to the intention of the behavior (reflected via contexts) than the type of the security-sensitive resources that the behavior accesses.