Tue 10 May 2022 21:25 - 21:30 at ICSE room 2-odd hours - Software Security 4 Chair(s): Hamid Bagheri
Software systems may contain critical program components (e.g.,patented program logic or sensitive data) that, when reverse-engineered by adversaries, can significantly damage the system’s system’s operators or software developers (e.g.,financial loss or operational failures). While protecting critical program components (e.g., code or data) in software systems is of utmost importance, existing approaches, unfortunately, have two major weaknesses: (1) they can be reverse-engineered via various program analysis techniques and (2) when an adversary obtains a legitimate-looking critical program component, he or she can be sure that it is genuine. In this paper, we propose Ambitr, a novel technique that hides critical program components. The core of Ambitr is Ambiguous Translator that can generate the critical program components when the input is a correct secret key. The translator is ambiguous as it can accept any inputs and produces a number of legitimate-looking outputs, making it difficult to know whether an input is correct secret key or not. The executions of the translator when it processes the correct secret key and other inputs are also indistinguishable, making the analysis inconclusive. Our evaluation results show that static, dynamic and symbolic analysis techniques fail to identify the hidden information in Ambitr. We also demonstrate that manual analysis of Ambitris extremely challenging.
Tue 10 MayDisplayed time zone: Eastern Time (US & Canada) change
11:00 - 12:00 | Software Security 7Journal-First Papers / Technical Track at ICSE room 4-odd hours Chair(s): Diomidis Spinellis Athens University of Economics and Business; Delft University of Technology | ||
11:00 5mTalk | The Case for Adaptive Security Interventions Journal-First Papers Irum Rauf The Open University, UK, Marian Petre The Open University, Thein Tun , Tamara Lopez The Open University, Paul Lunn The University of Manchester, UK, Dirk van der Linden Northumbria University, John Towse Department of Psychology, University of Lancaster, UK, Helen Sharp The Open University, Mark Levine Lancaster University, Awais Rashid University of Bristol, UK, Bashar Nuseibeh The Open University (UK) & Lero (Ireland) Link to publication DOI Pre-print Media Attached | ||
11:05 5mTalk | Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite Journal-First Papers Andreas Dann Paderborn University, Henrik Plate SAP Security Research, France, Ben Hermann Technical University Dortmund, Serena Elisa Ponta SAP Security Research, France, Eric Bodden University of Paderborn; Fraunhofer IEM Link to publication DOI Pre-print Media Attached | ||
11:10 5mTalk | The Extent of Orphan Vulnerabilities from Code Reuse in Open Source SoftwareNominated for Distinguished Paper Technical Track David Reid University of Tennessee, Mahmoud Jahanshahi Research Assistant, University of Tennessee Knoxville, Audris Mockus The University of Tennessee DOI Pre-print Media Attached | ||
11:15 5mTalk | Practical Automated Detection of Malicious npm Packages Technical Track Pre-print Media Attached | ||
11:20 5mTalk | Exploiting Input Sanitization for Regex Denial of Service Technical Track DOI Pre-print Media Attached | ||
11:25 5mTalk | Hiding Critical Program Components via Ambiguous Translation Technical Track Chijung Jung University of Virginia, Doowon Kim University of Tennessee, Knoxville, An Chen University of Georgia, Weihang Wang University at Buffalo, SUNY, Yunhui Zheng IBM Research, Kyu Hyung Lee University of Georgia, Yonghwi Kwon University of Virginia Pre-print Media Attached | ||
21:00 - 22:00 | Software Security 4Journal-First Papers / Technical Track at ICSE room 2-odd hours Chair(s): Hamid Bagheri University of Nebraska-Lincoln | ||
21:00 5mTalk | Out of Sight, Out of Mind? How Vulnerable Dependencies Affect Open-Source Projects Journal-First Papers Gede Artha Azriadi Prana Singapore Management University, Abhishek Sharma Veracode, Inc., Lwin Khin Shar Singapore Management University, Darius Foo National University of Singapore, Andrew Santosa Veracode, Inc., Asankhaya Sharma Veracode, Inc., David Lo Singapore Management University Pre-print Media Attached | ||
21:05 5mTalk | Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite Journal-First Papers Andreas Dann Paderborn University, Henrik Plate SAP Security Research, France, Ben Hermann Technical University Dortmund, Serena Elisa Ponta SAP Security Research, France, Eric Bodden University of Paderborn; Fraunhofer IEM Link to publication DOI Pre-print Media Attached | ||
21:10 5mTalk | DeFault: Mutual Information-based Crash Triage for Massive Crashes Technical Track Xing Zhang National University of Defense Technology, Jiongyi Chen National University of Defense Technology, Chao Feng National University of Defense Technology, Ruilin Li National University of Defense Technolog, Wenrui Diao Shandong University, Kehuan Zhang The Chinese University of Hong Kong Pre-print Media Attached | ||
21:15 5mTalk | Practical Automated Detection of Malicious npm Packages Technical Track Pre-print Media Attached | ||
21:20 5mTalk | Exploiting Input Sanitization for Regex Denial of Service Technical Track DOI Pre-print Media Attached | ||
21:25 5mTalk | Hiding Critical Program Components via Ambiguous Translation Technical Track Chijung Jung University of Virginia, Doowon Kim University of Tennessee, Knoxville, An Chen University of Georgia, Weihang Wang University at Buffalo, SUNY, Yunhui Zheng IBM Research, Kyu Hyung Lee University of Georgia, Yonghwi Kwon University of Virginia Pre-print Media Attached | ||