Visible to the public Reasoning about Accidental and Malicious Misuse via Formal MethodsConflict Detection Enabled

Submitted by najmeri on Tue, 06/25/2019 - 10:56pm

PI(s), Co-PI(s), Researchers:

PI: Munindar Singh; Co-PIs: William Enck, Laurie Williams; Researchers: Hui Guo, Samin Yaseer Mahmud

HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.

  • Policy

This project seeks to aid security analysts in identifying and protecting against accidental and malicious actions by users or software through automated reasoning on unified representations of user expectations and software implementation to identify misuses sensitive to usage and machine context.

PUBLICATIONS
Papers written as a result of your research from the current quarter only.

None this quarter.

KEY HIGHLIGHTS
Each effort should submit one or two specific highlights. Each item should include a paragraph or two along with a citation if available. Write as if for the general reader of IEEE S&P.
The purpose of the highlights is to give our immediate sponsors a body of evidence that the funding they are providing (in the framework of the SoS lablet model) is delivering results that "more than justify" the investment they are making.

  • We identified the Payment Card Industry Data Security Standard (PCI-DSS) for payment information (credit card processing) as a basis for studying accidental and malicious misuse in a practical setting. We have studied the PCI-DSS standard and identified six restrictions (prohibition norms) that apply to end-user software. We have codified these restrictions into static program analysis checks and built an initial tool called Cardpliance that identifies PCI-DSS misuse violations in Android applications. We are currently testing Cardpliance and applying it to a set of real applications that are known to ask the user for credit card information.
  • Based on the understanding that security related reports contain valuable information, we have investigated user-reported textual artifacts from different domains. Specifically, we have looked into MAUDE (Manufacturer and User Facility Device Experience), CVE (Common Vulnerabilities and Exposures, MITRE), FAA Accidents and Incidents reports, and user reviews on Apple's App Store. Of these sources, user reviews of mobile apps most clearly express user expectations.

COMMUNITY ENGAGEMENTS

EDUCATIONAL ADVANCES:

Groups: