References of "Le Traon, Yves 50002182"
Highly precise taint analysis for Android applications
Fritz, Christian; Arzt, Steven; Rasthofer, Siegfried et al

Report (2013)

Today’s smart phones are a ubiquitous source of private and confidential data. At the same time, smartphone users are plagued by malicious apps that exploit their given privileges to steal such sensitive data, or to track users without their consent or even the users noticing. Dynamic program analyses fail to discover such malicious activity because apps have learned to recognize the analyses as they execute. In this work we present FlowDroid, a novel and highly precise taint analysis for Android applications. A precise model of Android’s lifecycle allows the analysis to properly handle callbacks, while context, flow, field and object sensitivity allows the analysis to track taints with a degree of precision unheard of from previous Android analyses. We also propose DroidBench, an open test suite for evaluating the effectiveness and accuracy of taint-analysis tools specifically for Android apps. As we show through a set of experiments using SecuriBench Micro, DroidBench and a set of well-known Android test applications, our approach finds a very high fraction of data leaks while keeping the rate of false positives low. On DroidBench, our approach achieves 93% recall and 86% precision, greatly outperforming the commercial tools AppScan Source and Fortify SCA.

Peer Reviewed
Model-Driven Adaptive Delegation
Nguyen, Phu Hong UL; Nain, Grégory UL; Klein, Jacques UL et al

in Masuhara, Hidehiko; Chiba, Sigeru; Ubayashi, Naoyasu (Eds.) Proceedings of the 12th annual international conference companion on Aspect-oriented software development (2013, March)

Model-Driven Security is a specialization of Model-Driven Engineering (MDE) that focuses on making security models productive, i.e., enforceable in the final deployment. Among the variety of models that have been studied in a MDE perspective, one can mention access control models that specify the access rights. So far, these models mainly focus on static definitions of access control policies, without taking into account the more complex, but essential, delegation of rights mechanism. User delegation is a meta-level mechanism for administrating access rights, which allows a user without any specific administrative privileges to delegate his/her access rights to another user. This paper analyses the main hard-points for introducing various delegation semantics in model-driven security and proposes a model-driven framework for 1) specifying access control, delegation and the business logic as separate concerns; 2) dynamically enforcing/weaving access control policies with various delegation features into security-critical systems; and 3) providing a flexibly dynamic adaptation strategy. We demonstrate the feasibility and effectiveness of our proposed solution through the proof-of-concept implementations of different systems.

Peer Reviewed
Access Control Enforcement Testing
El Kateb, Donia; ElRakaiby, Yehia; Mouelhi, Tejeddine et al

in Abstract book of 2013 8TH INTERNATIONAL WORKSHOP ON AUTOMATION OF SOFTWARE TEST (AST) (2013)

A policy-based access control architecture comprises Policy Enforcement Points (PEPs), which are modules that intercept subjects' access requests and enforce the access decision reached by a Policy Decision Point (PDP), the module implementing the access decision logic. In applications, PEPs are generally implemented manually, which can introduce errors in policy enforcement and lead to security vulnerabilities. In this paper, we propose an approach to systematically test and validate the correct enforcement of access control policies in a given target application. More specifically, we rely on a two-fold approach where a static analysis of the target application is first made to identify the sensitive accesses that could be regulated by the policy. The dynamic analysis of the application is then conducted using mutation to verify for every sensitive access whether the policy is correctly enforced. The dynamic analysis of the application also gives the exact location of the PEP to enable fixing enforcement errors detected by the analysis. The approach has been validated using a case study implementing an access control policy.

Peer Reviewed
Effective Inter-Component Communication Mapping in Android with Epicc: An Essential Step Towards Holistic Security Analysis
Octeau, Damien; McDaniel, Patrick; Jha, Somesh et al

in Effective Inter-Component Communication Mapping in Android with Epicc: An Essential Step Towards Holistic Security Analysis (2013)

Many threats present in smartphones are the result of interactions between application components, not just artifacts of single components. However, current techniques for identifying inter-application communication are ad hoc and do not scale to large numbers of applications. In this paper, we reduce the discovery of inter-component communication (ICC) in smartphones to an instance of the Interprocedural Distributive Environment (IDE) problem, and develop a sound static analysis technique targeted to the Android platform. We apply this analysis to 1,200 applications selected from the Play store and characterize the locations and substance of their ICC. Experiments show that full specifications for ICC can be identified for over 93% of ICC locations for the applications studied. Further, the analysis scales well; analysis of each application took on average 113 seconds to complete. Epicc, the resulting tool, finds ICC vulnerabilities with far fewer false positives than the next best tool. In this way, we develop a scalable vehicle to extend current security analysis to entire collections of applications as well as the interfaces they export.

Peer Reviewed
Multi-objective test generation for software product lines
Henard, Christopher UL; Papadakis, Mike UL; Perrouin, Gilles UL et al

in 17th International Software Product Line Conference, SPLC 2013, Tokyo, Japan - August 26 - 30, 2013 (2013)

Peer Reviewed
Assessing Software Product Line Testing Via Model-Based Mutation: An Application to Similarity Testing
Henard, Christopher UL; Papadakis, Mike UL; Perrouin, Gilles UL et al

in 2013 IEEE Sixth International Conference on Software Testing, Verification and Validation, Workshops Proceedings, Luxembourg, Luxembourg, March 18-22, 2013 (2013)

Peer Reviewed
Towards automated testing and fixing of re-engineered feature models
Henard, Christopher UL; Papadakis, Mike UL; Perrouin, Gilles UL et al

in Proceedings of the 2013 International Conference on Software Engineering (2013)

Peer Reviewed
Proteum/FL: A tool for localizing faults using mutation analysis.
Papadakis, Mike UL; Delamaro, Eduardo Márcio; Le Traon, Yves UL

in International Working Conference on Source Code Analysis and Manipulation (2013)

Peer Reviewed
Mutation Testing Strategies using Mutant Classification
Papadakis, Mike UL; Le Traon, Yves UL

in Abstract book of 28th Symposium On Applied Computing (2013)

Peer Reviewed
Usage and testability of AOP: An empirical study of AspectJ
Munoz, F.; Baudry, B.; Delamare, R. et al

in Information and Software Technology (2013), 55(2), 252-266

Context: Back in 2001, the MIT announced aspect-oriented programming as a key technology in the next 10 years. Nowadays, 10 years later, AOP is still not widely adopted. Objective: The objective of this work is to understand the current status of AOP practice through the analysis of open-source projects which use AspectJ. Method: First we analyze different dimensions of AOP usage in 38 AspectJ projects. We investigate the degree of coupling between aspects and base programs, and the usage of the pointcut description language. A second part of our study focuses on testability as an indicator of maintainability. We also compare testability metrics on Java and AspectJ implementations of the HealthWatcher aspect-oriented benchmark. Results: The first part of the analysis reveals that the number of aspects does not increase with the size of the base program, that most aspects are woven in every place in the base program and that only a small portion of the pointcut language is used. The second part about testability reveals that AspectJ reduces the size of modules, increases their cohesion but also increases global coupling, thus introducing a negative impact on testability. Conclusion: These observations and measures reveal a major trend: AOP is currently used in a very cautious way. This cautious usage could come from a partial failure of AspectJ to deliver all promises of AOP, in particular an increased software maintainability. © 2012 Elsevier B.V. All rights reserved.

Peer Reviewed
Stress Testing of Transactional Database Systems
Meira, Jorge Augusto UL; Almeida, Eduardo Cunha de; Sunyé, Gerson et al

in Journal of Information and Data Management (2013)

Transactional database management systems (DBMS) have been successful at supporting traditional transaction processing workloads. However, web-based applications that tend to generate huge numbers of concurrent business operations are pushing DBMS performance over their limits, thus threatening overall system availability. Then, a crucial question is how to test DBMS performance under heavy workload conditions. Answering this question requires a testing methodology to set up non-biased conditions for pushing a particular DBMS over its normal performance limits (i.e., to stress it). In this article, we present a stress testing methodology for DBMS to search for defects in supporting very heavy workloads. Our methodology leverages distributed testing techniques and takes into account the various biases that may affect the test results. It progressively increases the workload along with several tuning steps up to a stress condition. We validate our methodology with empirical studies on two popular DBMS (one proprietary, one open-source) and detail the defects that have been found.

Peer Reviewed
Under Pressure Benchmark for DDBMS Availability
Fior, Alessandro Gustavo; Meira, Jorge Augusto UL; Almeida, Eduardo Cunha de et al

in Journal of Information and Data Management (2013)

The availability of Distributed Database Management Systems (DDBMS) is related to the probability of being up and running at a given point in time and to the management of failures. One well-known and widely used mechanism to ensure availability is replication, which includes performance impact on maintaining data replicas across the DDBMS’s machine nodes. Benchmarking can be used to measure such impact. In this article, we present a benchmark that evaluates the performance of DDBMS, considering availability through replication, called Under Pressure Benchmark (UPB). The UPB measures performance with different degrees of replication upon a high-throughput distributed workload, combined with failures. The UPB methodology increases the evaluation complexity from a stable system scenario to a complex one with different load sizes and replicas. We validate our benchmark with three high-throughput in-memory DDBMS: VoltDB, NuoDB and Dbms-X.

Peer Reviewed
A PEP-PDP Architecture to Monitor and Enforce Security Policies in Java Applications
Elrakaiby, Yehia; Le Traon, Yves UL

in 2013 International Conference on Availability, Reliability and Security (2013)

Security of Java-based applications is crucial to many businesses today. In this paper, we propose an approach to completely automate the generation of a security architecture inside of a target Java application where advanced security policies can be enforced. Our approach combines the use of Aspect-Oriented Programming with the Policy Enforcement Point (PEP) - Policy Decision Point (PDP) paradigm and allows the runtime update of policies.

Peer Reviewed
Sustainable ICT4D in Africa: Where Do We Go From Here?
Bissyande, Tegawendé François D Assise UL; Ahmat, Daouda; Ouoba, Jonathan et al

in EAI International Conference on e-Infrastructure and e-Services for Developing Countries (2013)

In recent years many researchers in Africa and beyond have devoted considerable resources investigating ways to harness the potential of ICT for improving users’ livelihood in developing areas. Topics and domains of interest appear to be broad with recurring themes and solutions. Unfortunately there are no clear research roadmaps on what is urgent and of the state of the art solutions. In this position paper for the AFRICOMM series of conferences, we propose to investigate some priorities for ICT4D in Africa. We believe that our work could motivate researchers and create a synergy around a few important challenges of ICT4D in Africa.

Peer Reviewed
PLEDGE: a product line editor and test generation tool
Henard, Christopher UL; Papadakis, Mike UL; Perrouin, Gilles UL et al

in 17th International Software Product Line Conference co-located workshops, SPLC 2013 workshops, Tokyo, Japan - August 26 (2013)

Peer Reviewed
Selection of Regression System Tests for Security Policy Evolution
Hwang, JeeHyun; Xie, Tao; El Kateb, Donia UL et al

Scientific Conference (2012, September)

Peer Reviewed
Introducing Conviviality as a property of Multi-Context Systems
Bikakis, Antonis; Efthymiou, Vasileios UL; Caire, Patrice UL et al

in The 4th International Workshop on Acquisition, Representation and Reasoning with Contextualized Knowledge ARCOE-12 (2012, August 27)

Peer Reviewed
Introducing Conviviality as a New Paradigm for Interactions among IT Objects
Moawad, Assaad UL; Efthymiou, Vasileios UL; Caire, Patrice UL et al

in Proceedings of the Workshop on AI Problems and Approaches for Intelligent Environments (2012, August), 907

The Internet of Things allows people and objects to seamlessly interact, crossing the bridge between real and virtual worlds. Newly created spaces are heterogeneous; social relations naturally extend to smart objects. Conviviality has recently been introduced as a social science concept for ambient intelligent systems to highlight soft qualitative requirements like user friendliness of systems. Roughly, more opportunities to work with other people increase the conviviality. In this paper, we first propose the conviviality concept as a new interaction paradigm for social exchanges between humans and Information Technology (IT) objects, and extend it to IT objects among themselves. Second, we introduce a hierarchy for IT objects' social interactions, from low-level one-way interactions to high-level complex interactions. Then, we propose a mapping of our hierarchy levels into dependence networks-based conviviality classes. In particular, low levels without cooperation among objects are mapped to lower conviviality classes, and high levels with complex cooperative IT objects are mapped to higher conviviality classes. Finally, we introduce new conviviality measures for the Internet of Things, and an iterative process to facilitate cooperation among IT objects, thereby the conviviality of the system. We use a smart home as a running example.

Peer Reviewed
Towards Flexible Evolution of Dynamically Adaptive Systems
Perrouin, Gilles UL; Morin, Brice; Chauvel, Franck et al

in New Ideas & Emerging Results Track of the International Conference of Software Engineering (NIER@ICSE) (2012, June)

Modern software systems need to be continuously available under varying conditions. Their ability to adapt to their execution context is thus increasingly seen as a key to their success. Recently, many approaches were proposed to design and support the execution of Dynamically Adaptive Systems (DAS). However, the ability of a DAS to evolve is limited to the addition, update or removal of adaptation rules or reconfiguration scripts. These artifacts are very specific to the control loop managing such a DAS and runtime evolution of the DAS requirements may affect other parts of the DAS. In this paper, we argue to evolve all parts of the loop. We suggest leveraging recent advances in model-driven techniques to offer an approach that supports the evolution of both systems and their adaptation capabilities. The basic idea is to consider the control loop itself as an adaptive system.

Peer Reviewed
Access Control Enforcement Testing
El Kateb, Donia UL; Elrakaiby, Yehia; Mouelhi, Tejeddine UL et al

in 8th International Workshop on Automation of Software Test (AST), 2013 (2012, May)

A policy-based access control architecture comprises Policy Enforcement Points (PEPs), which are modules that intercept subjects' access requests and enforce the access decision reached by a Policy Decision Point (PDP), the module implementing the access decision logic. In applications, PEPs are generally implemented manually, which can introduce errors in policy enforcement and lead to security vulnerabilities. In this paper, we propose an approach to systematically test and validate the correct enforcement of access control policies in a given target application. More specifically, we rely on a two-fold approach where a static analysis of the target application is first made to identify the sensitive accesses that could be regulated by the policy. The dynamic analysis of the application is then conducted using mutation to verify for every sensitive access whether the policy is correctly enforced. The dynamic analysis of the application also gives the exact location of the PEP to enable fixing enforcement errors detected by the analysis. The approach has been validated using a case study implementing an access control policy.
