ESEC/FSE 2020 Workshops
28th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE 2020)

3rd ACM SIGSOFT International Workshop on Software Security from Design to Deployment (SEAD 2020), November 9, 2020, Virtual, USA

SEAD 2020 – Preliminary Table of Contents

Twitter: https://twitter.com/esecfse

3rd ACM SIGSOFT International Workshop on Software Security from Design to Deployment (SEAD 2020)

Frontmatter

Message from the Chairs
On behalf of the entire workshop committee, it is our great pleasure to welcome you to the Third International Workshop on Software Security from Design to Deployment (SEAD), held on November 9, 2020, and co-located with the ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE) 2020.

Papers

Comparing Formal Models of IoT App Coordination Analysis
Clay Stevens, Mohannad Alhanahnah, Qiben Yan, and Hamid Bagheri
(University of Nebraska-Lincoln, USA; University of Wisconsin-Madison, USA; Michigan State University, USA; University of California at Irvine, USA)
The rising popularity of the Internet-of-Things (IoT) devices has driven their increasing adoption in various settings, such as modern homes. IoT systems integrate such physical devices with third-party apps, which can coordinate in arbitrary ways. However, malicious or undesired coordination can lead to serious vulnerabilities. This paper explores two different ways, i.e., a commonly-used state-based approach and a holistic, rule-based approach, to formally model app coordination and the safety and security thereof in the context of IoT platforms. The less common rule-based approach allows for a smaller, more scalable model. We realize both modeling approaches using bounded model checking with Alloy to automatically identify potential cases where apps exhibit coordination relationships. We evaluate the effectiveness of the modeling approaches by checking a corpus of real-world IoT apps of Samsung SmartThings and IFTTT. The experimental results demonstrate that our rule-based modeling leads to a more scalable analysis.

Using Dynamically Inferred Invariants to Analyze Program Runtime Complexity
ThanhVu Nguyen, Didier Ishimwe, Alexey Malyshev, Timos Antonopoulos, and Quoc-Sang Phan
(University of Nebraska-Lincoln, USA; Yale University, USA; Synopsys, USA)
Being able to detect program runtime complexity can help identify security vulnerabilities such as DoS attacks and side-channel information leakage. In prior work, we use dynamic invariant generation to infer nonlinear numerical relations to represent runtime complexity of imperative programs. In this work, we propose a new dynamic analysis approach for learning recurrence relations to capture complexity bounds for recursive programs. This approach allows us to efficiently infer simple linear recurrence relations that represent nontrivial, potentially nonlinear, complexity bounds. Preliminary results on several popular recursive programs show that we can learn precise recurrence relations capturing worst-case complexity bounds such as O(n log n) and O(c^n).

Towards Automated, Provenance-Driven Security Audit for git-Based Repositories: Applied to Germany's Corona-Warn-App
Tim Sonnekalb, Thomas S. Heinze, Lynn von Kurnatowski, Andreas Schreiber, Jesus M. Gonzalez-Barahona, and Heather Packer
(DLR, Germany; Universidad Rey Juan Carlos, Spain; University of Southampton, UK)
Software repositories contain information about source code, software development processes, and team interactions. We combine provenance of the development process with code security analysis to automatically discover insights. This provides fast feedback on the software's design and security issues, which we evaluate on projects that are developed under time pressure, such as Germany's COVID-19 contact tracing app 'Corona-Warn-App'.

Robustness Analysis for Secure Software Design
Eunsuk Kang
(Carnegie Mellon University, USA)
A common type of security analysis involves checking whether a system is capable of establishing a set of security requirements under a particular threat model. Building an accurate threat model, however, is a challenging task due to the uncertain and evolving nature of a malicious environment in which the system is deployed. In this paper, as a complementary analysis, we propose a systematic approach for evaluating the design of a system with respect to its robustness against an adversarial environment; i.e., the degree of assumptions about attacker capabilities under which the system is capable of maintaining its security requirements. We argue that robustness is an important property that should be considered as part of any secure development process. In this paper, we propose a formal definition of robustness, and describe a technique for automatically evaluating the robustness of a system. We demonstrate potential applications of the robustness concept using an example involving the OAuth authentication protocol.
