Reasoning about Accidental and Malicious Misuse via Formal Methods

PI(s), Co-PI(s), Researchers:

PI: Munindar Singh; Co-PIs: William Enck, Laurie Williams; Researchers: Hui Guo, Samin Yaseer Mahmud, Md Rayhanur Rahman, Vaibhav Garg

HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.

• Policy

This project seeks to aid security analysts in identifying and protecting against accidental and malicious actions by users or software through automated reasoning on unified representations of user expectations and software implementations to identify misuses sensitive to usage and machine context.

PUBLICATIONS

• Samin Yaseer Mahmud, Akhil Acharya, Benjamin Andow, William Enck, Bradley Reaves. 2020. Cardpliance: PCI DSS Compliance of Android Applications. Proceedings of the USENIX Security Symposium.

• Hui Guo, Munindar P. Singh. 2020. Caspar: Extracting and Synthesizing User Stories of Problems from App Reviews. Proceedings of the 42nd International Conference on Software Engineering.

• Md Rayhanur Rahman, William Enck, and Laurie Williams. 2020. Do Configuration Management Tools Make Systems More Secure? An Empirical Research Plan (Poster Abstract). Proceedings of the 7th Symposium on the Science of Security (HotSoS).

KEY HIGHLIGHTS
Each effort should submit one or two specific highlights. Each item should include a paragraph or two along with a citation if available. Write as if for the general reader of IEEE S&P.
The purpose of the highlights is to give our immediate sponsors a body of evidence that the funding they are providing (in the framework of the SoS lablet model) is delivering results that "more than justify" the investment they are making.

• We conducted a preliminary investigation in which we identified app reviews that were relevant to spying (binary classification). We found that relevant app reviews differ greatly in terms of the severity of the problem leading us to investigate how we can automatically determine the severity of the app's spying capability described in an app review.

• Our research plan on the effectiveness of configuration management tools for system security was accepted as an extended abstract at HotSoS 2020.

• We are working on a systematic literature review on mining cyber threat intelligence from unstructured cyber threat reports. We have identified relevant research articles.

COMMUNITY ENGAGEMENTS

• Munindar Singh gave a talk on Engineering Ethical Multiagent Systems at the University of Wollongong, Australia, in which he discussed concerns of policy and privacy.

EDUCATIONAL ADVANCES: