Reasoning about Accidental and Malicious Misuse via Formal Methods

PI(s), Co-PI(s), Researchers:

PI: Munindar Singh; Co-PIs: William Enck, Laurie Williams; Researchers: Hui Guo, Samin Yaseer Mahmud, Md Rayhanur Rahman, Vaibhav Garg

HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.

  • Policy

This project seeks to aid security analysts in identifying and protecting against accidental and malicious actions by users or software through automated reasoning on unified representations of user expectations and software implementations to identify misuses sensitive to usage and machine context.

PUBLICATIONS

Haque, Amanul, Garg, Vaibhav, Guo, Hui, Singh, Munindar P. 2022. "Pixie: Preference in Implicit and Explicit Comparisons," Proceedings of the 60th Annual Meeting of the Association for Computational Linguistics (ACL).

KEY HIGHLIGHTS

Each effort should submit one or two specific highlights. Each item should include a paragraph or two along with a citation if available. Write as if for the general reader of IEEE S&P.
The purpose of the highlights is to give our immediate sponsors a body of evidence that the funding they are providing (in the framework of the SoS lablet model) is delivering results that "more than justify" the investment they are making.

  • We completed a tool that evaluates the Android SDKs of payment providers against OWASP's Mobile Application Security Verification Standard (MASVS). Our study of 50 payment SDKs identified pervasive security weaknesses. We contacted the payment providers and submitted a paper to an academic conference for peer review.

  • Our work on identifying preferences in comparative sentences was accepted as a short paper at the Association for Computational Linguistics conference in 2022.

  • We improved our process for selecting keywords that sample reviews reporting online misbehavior. Using the final set of 34 keywords, we could sample 47174 app reviews. Four annotators read 200 of these reviews and labeled each with one of two classes: (i) online misbehavior and (ii) no online misbehavior.

  • We relabeled the data for the iRogue project and revised our ground truth to highly rate rogue potential cases. After training on the revised ground truth, our framework's performance increased to 91.78% recall at an 83.22% F1 score.

  • We have started a new project in which we look at the stories of Intimate Partner Surveillance (IPS) from the abuser's perspective. A previous study gathered a dataset of such stories that are posted on forums discussing infidelity. We recently obtained access to the dataset. We observed that the stories mention a series of ordered events that constitute IPS strategies.

COMMUNITY ENGAGEMENTS

None.

EDUCATIONAL ADVANCES:

We engaged a female undergraduate student on this project.


Other available formats:

Pixie_Preference_in_Implicit_and_Explicit_Comparisons.pdf

Other available formats:

Rahman2022_Article_WhySecretDetectionToolsAreNotE.pdf