CS 7936 — Computer Security & Privacy Seminar, Summer 2017


Wednesdays, 12:00–1:00 PM, 3485/3490 MEB (Flux / NE Conference Room)

Navigation Links: Schedule | Overview | Credit | Reading and Presenting

Past offerings: Fall 2016 | Spring 2016 | Fall 2015 | Spring 2015

Date Presenter Topic
7/26
Design and Evaluation of a Data-Driven Password Meter (Ur et al)
More info Abstract:
Despite their ubiquity, many password meters provide inaccurate
strength estimates. Furthermore, they do not explain to users what is
wrong with their password or how to improve it. We describe the
development and evaluation of a data-driven password meter that
provides accurate strength measurement and actionable, detailed
feedback to users. This meter combines neural networks and numerous
carefully combined heuristics to score passwords and generate
data-driven text feedback about the user's password. We describe the
meter's iterative development and final design. We detail the security
and usability impact of the meter's design dimensions, examined
through a 4,509-participant online study. Under the more common
password-composition policy we tested, we found that the data-driven
meter with detailed feedback led users to create more secure, and no
less memorable, passwords than a meter with only a bar as a strength
indicator.
7/19
You Get Where You're Looking for: The Impact of Information Sources on Code Security (Acar et al)
More info Abstract:
Vulnerabilities in Android code -- including but not limited to
insecure data storage, unprotected inter-component communication,
broken TLS implementations, and violations of least privilege -- have
enabled real-world privacy leaks and motivated research cataloguing
their prevalence and impact. Researchers have speculated that
appification promotes security problems, as it increasingly allows
inexperienced laymen to develop complex and sensitive apps.
Anecdotally, Internet resources such as Stack Overflow are blamed for
promoting insecure solutions that are naively copy-pasted by
inexperienced developers. In this paper, we for the first time
systematically analyzed how the use of information resources impacts
code security. We first surveyed 295 app developers who have published
in the Google Play market concerning how they use resources to solve
security-related problems. Based on the survey results, we conducted a
lab study with 54 Android developers (students and professionals), in
which participants wrote security-and privacy-relevant code under time
constraints. The participants were assigned to one of four conditions:
free choice of resources, Stack Overflow only, official Android
documentation only, or books only. Those participants who were allowed
to use only Stack Overflow produced significantly less secure code
than those using, the official Android documentation or books, while
participants using the official Android documentation produced
significantly less functional code than those using Stack Overflow. To
assess the quality of Stack Overflow as a resource, we surveyed the
139 threads our participants accessed during the study, finding that
only 25% of them were helpful in solving the assigned tasks and only
17% of them contained secure code snippets. In order to obtain ground
truth concerning the prevalence of the secure and insecure code our
participants wrote in the lab study, we statically analyzed a random
sample of 200,000 apps from Google Play, finding that 93.6% of the
apps used at least one of the API calls our participants used during
our study. We also found that many of the security errors made by our
participants also appear in the wild, possibly also originating in the
use of Stack Overflow to solve programming problems. Taken together,
our results confirm that API documentation is secure but hard to use,
while informal documentation such as Stack Overflow is more accessible
but often leads to insecurity. Given time constraints and economic
pressures, we can expect that Android developers will continue to
choose those resources that are easiest to use, therefore, our results
firmly establish the need for secure-but-usable documentation.
7/12
No seminar
More info
7/5
No seminar
More info
6/28
No seminar
More info
6/21
No seminar
More info
6/14
Comparing the Usability of Cryptographic APIs (Acar et al)
More info Abstract:
Potentially dangerous cryptography errors are well-documented in many
applications. Conventional wisdom suggests that many of these errors
are caused by cryptographic Application Programming Interfaces (APIs)
that are too complicated, have insecure defaults, or are poorly
documented. To address this problem, researchers have created several
cryptographic libraries that they claim are more usable; however, none
of these libraries have been empirically evaluated for their ability
to promote more secure development. This paper is the first to examine
both how and why the design and resulting usability of different
cryptographic libraries affects the security of code written with
them, with the goal of understanding how to build effective future
libraries. We conducted a controlled experiment in which 256 Python
developers recruited from GitHub attempt common tasks involving
symmetric and asymmetric cryptography using one of five different
APIs. We examine their resulting code for functional correctness and
security, and compare their results to their self-reported sentiment
about their assigned library. Our results suggest that while APIs
designed for simplicity can provide security benefits—reducing the
decision space, as expected, prevents choice of insecure
parameters—simplicity is not enough. Poor documentation, missing code
examples, and a lack of auxiliary features such as secure key storage,
caused even participants assigned to simplified libraries to struggle
with both basic functional correctness and security. Surprisingly, the
availability of comprehensive documentation and easy-to-use code
examples seems to compensate for more complicated APIs in terms of
functionally correct results and participant reactions; however, this
did not extend to security results. We find it particularly concerning
that for about 20% of functionally correct tasks, across libraries,
participants believed their code was secure when it was not. Our
results suggest that while new cryptographic libraries that want to
promote effective security should offer a simple, convenient
interface, this is not enough: they should also, and perhaps more
importantly, ensure support for a broad range of common tasks and
provide accessible documentation with secure, easy-to-use code
examples.
6/7
Stack Overflow Considered Harmful? --- The Impact of Copy&Paste on Android Application Security (Fischer et al)
More info Abstract:
Online programming discussion platforms such as Stack Overflow serve
as a rich source of information for software developers. Available
information include vibrant discussions and oftentimes ready-to-use
code snippets. Previous research identified Stack Overflow as one of
the most important information sources developers rely on. Anecdotes
report that software developers copy and paste code snippets from
those information sources for convenience reasons. Such behavior
results in a constant flow of community-provided code snippets into
production software. To date, the impact of this behaviour on code
security is unknown. We answer this highly important question by
quantifying the proliferation of security-related code snippets from
Stack Overflow in Android applications available on Google Play.
Access to the rich source of information available on Stack Overflow
including ready-to-use code snippets provides huge benefits for
software developers. However, when it comes to code security there are
some caveats to bear in mind: Due to the complex nature of code
security, it is very difficult to provide ready-to-use and secure
solutions for every problem. Hence, integrating a security-related
code snippet from Stack Overflow into production software requires
caution and expertise. Unsurprisingly, we observed insecure code
snippets being copied into Android applications millions of users
install from Google Play every day. To quantitatively evaluate the
extent of this observation, we scanned Stack Overflow for code
snippets and evaluated their security score using a stochastic
gradient descent classifier. In order to identify code reuse in
Android applications, we applied state-of-the-art static analysis. Our
results are alarming: 15.4% of the 1.3 million Android applications we
analyzed, contained security-related code snippets from Stack
Overflow. Out of these 97.9% contain at least one insecure code
snippet.

Overview

The Fall 2016 offering of CS 7936 will focus on reading and discussing papers that are useful related work for the presenter's security and privacy research.

Class announcements are sent out on security-privacy@cs.utah.edu. You can subscribe at http://mailman.cs.utah.edu/mailman/listinfo/security-privacy.

Credit

Students may enroll for one (1) credit. Although the University lists the course as “variable credit,” the two- and three-credit options are not currently available.

Students enrolled in the seminar are expected to read the papers prior to the seminar. Additionally, students are expected to sign up to lead the discussion on one or more seminar meeting. Leading the disucssion means:

  1. Choosing the paper and sending it to tdenning@cs.utah.edu by 6PM Sunday before the seminar meeting;
  2. Preparing a 7-10 minute summary of the paper and its pertinent points;
  3. Familiarizing yourself enough with the paper to be able to answer questions that may come up;
  4. Preparing potential discussion points if the discussion needs prompting.

Reading and Presenting

It can be useful to look up the video of the presentation (if it was at USENIX, the video was recorded and is available online) and/or the slides (which may be available on the presenting author's page).

The following questions (some of which are pulled from Writing for Computer Science) can be useful to keep in mind when reading a paper (although not all questions will apply to all papers):