Write a Blog >>
ICSE 2022
Sun 8 - Fri 27 May 2022
Tue 10 May 2022 03:15 - 03:20 at ICSE room 3-odd hours - Software Security 1 Chair(s): Liliana Pasquale
Wed 11 May 2022 22:05 - 22:10 at ICSE room 2-even hours - Software Security 6 Chair(s): Travis Breaux

Android platform introduces the runtime permission model in version 6.0. The new model greatly improves data privacy and user experience, but brings new challenges for app developers. First, it allows users to freely revoke granted permissions. Hence, developers cannot assume that permissions granted to an app would keep being granted. Instead, they should make their app carefully check the permission status before invoking dangerous APIs. Second, the permission specification keeps evolving, bringing new types of compatibility issues to the ecosystem. To understand the impact of the challenges, we conducted an empirical study on 13,352 popular Google Play apps. We found that 86.0% apps used dangerous APIs asynchronously after permission management and 61.2% apps used evolving dangerous APIs. If an app does not handle permission revoking properly or deal with the platform differences, unexpected runtime issues may happen and even cause app crashes. We call such Android Runtime Permission issues as ARP bugs. Unfortunately, existing runtime permission issue detection tools cannot effectively deal with the ARP bugs induced by asynchronous permission management and permission specification evolution. To fill the gap, we designed a static analyzer, Aper, that performs reaching definition and dominator analysis on Android apps to detect the two types of ARP bugs. To compare Aper with existing tools, we built a benchmark, ARPfix, from 60 real ARP bugs. Our experiment results show that Aper significantly outperforms two academic tools, ARPDroid and RevDroid, and an industrial tool, Lint, on ARPfix, with an average improvement of 46.3% on F1-score. In addition, Aper successfully found 34 ARP bugs in 214 open-source Android apps, most of which can cause app crashes according to our manual validation. We reported these bugs to the app developers. So far, 17 bugs have been confirmed and seven have been fixed.

Tue 10 May

Displayed time zone: Eastern Time (US & Canada) change

03:00 - 04:00
Software Security 1Journal-First Papers / Technical Track at ICSE room 3-odd hours
Chair(s): Liliana Pasquale University College Dublin & Lero
03:00
5m
Talk
Deep Learning based Vulnerability Detection: Are We There Yet?
Journal-First Papers
Saikat Chakraborty Columbia University, Rahul Krishna IBM Research, Yangruibo Ding Columbia University, Baishakhi Ray Columbia University
Link to publication DOI Media Attached
03:05
5m
Talk
ReMoS: Reducing Defect Inheritance in Transfer Learning via Relevant Model Slicing
Technical Track
Ziqi Zhang Peking University, Yuanchun Li Microsoft Research, Jindong Wang Microsoft Research, Bingyan Liu Peking University, Ding Li Peking University, Xiangqun Chen Peking University, Yao Guo Peking University, Yunxin Liu Tsinghua University
Pre-print Media Attached
03:10
5m
Talk
Less is More: Supporting Developers in Vulnerability Detection during Code Review
Technical Track
Larissa Braz University of Zurich, Christian Aeberhard University of Zurich, Gül Calikli University of Glasgow, Alberto Bacchelli University of Zurich
Link to publication DOI Pre-print Media Attached File Attached
03:15
5m
Talk
Aper: Evolution-Aware Runtime Permission Misuse Detection for Android Apps
Technical Track
Sinan Wang Southern University of Science and Technology, Yibo Wang Northeastern University, Xian Zhan The Hong Kong Polytechnic University, Ying Wang Northeastern University, China, Yepang Liu Southern University of Science and Technology, Xiapu Luo Hong Kong Polytechnic University, Shing-Chi Cheung Hong Kong University of Science and Technology
DOI Pre-print Media Attached

Wed 11 May

Displayed time zone: Eastern Time (US & Canada) change

22:00 - 23:00
Software Security 6Technical Track / Journal-First Papers at ICSE room 2-even hours
Chair(s): Travis Breaux Carnegie Mellon University
22:00
5m
Talk
Lags in the release, adoption, and propagation of npm vulnerability fixes
Journal-First Papers
Bodin Chinthanet Nara Institute of Science and Technology, Raula Gaikovina Kula Nara Institute of Science and Technology, Shane McIntosh University of Waterloo, Takashi Ishio Nara Institute of Science and Technology, Akinori Ihara Wakayama University, Kenichi Matsumoto Nara Institute of Science and Technology
Link to publication DOI Pre-print Media Attached
22:05
5m
Talk
Aper: Evolution-Aware Runtime Permission Misuse Detection for Android Apps
Technical Track
Sinan Wang Southern University of Science and Technology, Yibo Wang Northeastern University, Xian Zhan The Hong Kong Polytechnic University, Ying Wang Northeastern University, China, Yepang Liu Southern University of Science and Technology, Xiapu Luo Hong Kong Polytechnic University, Shing-Chi Cheung Hong Kong University of Science and Technology
DOI Pre-print Media Attached
22:10
5m
Talk
A Grounded Theory Based Approach to Characterize Software Attack Surfaces
Technical Track
sara moshtari Rochester Institute of Technology, Ahmet Okutan Rochester Institute of Technology, Mehdi Mirakhorli Rochester Institute of Technology
Pre-print Media Attached
22:15
5m
Talk
The Extent of Orphan Vulnerabilities from Code Reuse in Open Source SoftwareNominated for Distinguished Paper
Technical Track
David Reid University of Tennessee, Mahmoud Jahanshahi Research Assistant, University of Tennessee Knoxville, Audris Mockus The University of Tennessee
DOI Pre-print Media Attached
22:20
5m
Talk
MVD: Memory-related Vulnerability Detection Based on Flow-Sensitive Graph Neural Networks
Technical Track
Sicong Cao Yangzhou University, Xiaobing Sun Yangzhou University, Lili Bo Yangzhou University, Rongxin Wu Xiamen University, Bin Li Yangzhou University, Chuanqi Tao Nanjing University of Aeronautics and Astronautics
DOI Pre-print Media Attached
22:25
5m
Talk
VulCNN: An Image-inspired Scalable Vulnerability Detection System
Technical Track
Yueming Wu Huazhong University of Science and Technology, Deqing Zou Huazhong University of Science and Technology, Shihan Dou Huazhong University of Science and Technology, Wei Yang University of Texas at Dallas, Duo Xu Huazhong University of Science and Technology, Hai Jin Huazhong University of Science and Technology
DOI Pre-print Media Attached
Hide past events

Information for Participants
Tue 10 May 2022 03:00 - 04:00 at ICSE room 3-odd hours - Software Security 1 Chair(s): Liliana Pasquale
Info for room ICSE room 3-odd hours:

Click here to go to the room on Midspace

Wed 11 May 2022 22:00 - 23:00 at ICSE room 2-even hours - Software Security 6 Chair(s): Travis Breaux
Info for room ICSE room 2-even hours:

Click here to go to the room on Midspace