This program is tentative and subject to change.
Cloud-based workspace systems, such as Google Workspace and Microsoft OneDrive, have enabled third-party developers to create and upload functionality-rich applications (referred to as \emph{add-ons}). Existing studies have primarily examined user-centric data protection and permission management of this emerging ecosystem, but the underlying \emph{DevOps} mechanisms that regulate add-on development, deployment, and operation remain largely unexplored.
In this work, we conduct the first \emph{developer-centric} investigation of these DevOps mechanisms. We propose a hybrid method that combines a static analysis, which abstracts development and integration (i.e., deployment) (\emph{Dev}) models, with a dynamic analysis, which abstracts add-ons’ runtime operation workflows (\emph{Ops}). It yields insights into the DevOps lifecycle of add-ons, unveiling associated attack surfaces and multiple types of security vulnerabilities, including source code leakage, code tampering and secret key exposure. Our large-scale evaluation of 5,300 Google Workspace add-ons reveals a concerning \emph{status quo} of the ecosystem: 274 add-ons are subject to source code leakage, including widely-used ones with over 100,000 users. Among them, 96 (around one third) expose the secret keys of developers, e.g., PayPal merchant secret keys and secret keys to access the developer’s back-end databases.
Thu 16 Apr. Displayed time zone: Brasilia, Distrito Federal, Brazil.
16:00 - 17:30 | Dependability and Security 7 | Research Track at Oceania X | Chair(s): Kaixuan Li (Nanyang Technological University)

| Time | Format | Title | Track | Authors |
|---|---|---|---|---|
| 16:00 | 15m Talk | WhisperCatcher: Demystifying Unauthorized and Encrypted Private Data Transmission in Android Applications (Award Winner) | Research Track | Zhaoyu Qiu (Xi'an Jiaotong University), Ming Fan (Xi'an Jiaotong University), Bocan Ma (Xi'an Jiaotong University), Yutian Tang (University of Glasgow, United Kingdom), Lei Xue (Sun Yat-Sen University), Haijun Wang (Xi'an Jiaotong University), Ting Liu (Xi'an Jiaotong University) |
| 16:15 | 15m Talk | Exploring and Improving Real-World Vulnerability Data Generation via Prompting Large Language Models | Research Track | Guangbei Yi (Washington State University), Yu Nong (University at Buffalo, SUNY), Minzhang Li (Washington State University), Haipeng Cai (University at Buffalo, SUNY) |
| 16:30 | 15m Talk | TaintP2X: Detecting Taint-Style Prompt-to-Anything Injection Vulnerabilities in LLM-Integrated Applications | Research Track | HeJunjie, Shenao Wang (Huazhong University of Science and Technology), Yanjie Zhao (Huazhong University of Science and Technology), Xinyi Hou (Huazhong University of Science and Technology), Zhao Liu (360 AI Security Lab), Quanchen Zou (360 AI Security Lab), Haoyu Wang (Huazhong University of Science and Technology) |
| 16:45 | 15m Talk | CoBrA: Context-, Branch-sensitive Static Analysis for Detecting Taint-style Vulnerabilities in PHP Web Applications | Research Track | Yichao Xu, Mingqing Kang (Johns Hopkins University), Neil Thimmaiah (University of Illinois Chicago), Rigel Gjomemo (University of Illinois Chicago), V. N. Venkatakrishnan (University of Illinois Chicago), Yinzhi Cao (Johns Hopkins University) |
| 17:00 | 15m Talk | Project-Level Resource Leak Detection through Agent-based Ownership Analysis and Repair Pattern Verification | Research Track | Chengxin Xu (Institute of Information Engineering, Chinese Academy of Sciences), Xiu Zhang (Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China), Xiaorui Gong (Institute of Information Engineering, Chinese Academy of Sciences) |
| 17:15 | 15m Talk | Understanding DevOps Security of Google Workspace Apps | Research Track | Liuhuo Wan (University of Queensland), Chuan Yan (University of Queensland), Zicong Liu (University of Queensland), Haoyu Wang (Huazhong University of Science and Technology), Guangdong Bai (City University of Hong Kong) |