Visible to the public Reasoning about Accidental and Malicious Misuse via Formal MethodsConflict Detection Enabled

Submitted by nzahan on Fri, 12/18/2020 - 11:43am

PI(s), Co-PI(s), Researchers:

PI: Munindar Singh; Co-PIs: William Enck, Laurie Williams; Researchers: Hui Guo, Samin Yaseer Mahmud, Md Rayhanur Rahman, Vaibhav Garg

HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.

  • Policy

This project seeks to aid security analysts in identifying and protecting against accidental and malicious actions by users or software through automated reasoning on unified representations of user expectations and software implementations to identify misuses sensitive to usage and machine context.

PUBLICATIONS

None.

KEY HIGHLIGHTS

Each effort should submit one or two specific highlights. Each item should include a paragraph or two along with a citation if available. Write as if for the general reader of IEEE S&P.
The purpose of the highlights is to give our immediate sponsors a body of evidence that the funding they are providing (in the framework of the SoS lablet model) is delivering results that "more than justify" the investment they are making.

  • We proposed a framework for identifying apps that enable unexpected information access (UIA) based on evidence in app reviews. To improve the identification performance, we are investigating embeddings based features for training. Further, we are expanding the training set (containing app reviews) so that the trained model can accurately predict on unforeseen data.

  • We proposed a framework for analyzing story structures as sequential patterns of event types in app reviews. App users write about different user-app interaction stories in app reviews to achieve different purposes, such as reporting bugs and expressing unmet expectations. Our proposed framework enables analysts and developers to search for stories based on their structures. We are currently finalizing the results and the research paper.

  • Healthcare professionals and patients need HIPAA-compliant mobile apps to store, seek, or communicate about private health information. However, not all available apps that serve such purposes are HIPAA compliant, and information about apps' HIPAA compliance is not always available. We collected the app descriptions, privacy policies, and developers' webpages of more than 30,000 medical apps on Apple App Store, and are currently exploring a methodology for choosing trustworthy apps that healthcare professionals and patients can use.

  • We continued our analysis of Payment Service Provider (PSP) application programming interfaces (APIs), identifying a set of relevant criteria from the M-ASVS and mapping them to program analysis tasks.

COMMUNITY ENGAGEMENTS

None.

EDUCATIONAL ADVANCES:

None.

Groups: