Vinuri Bandara - Academia.edu (original) (raw)
Papers by Vinuri Bandara
IEEE Transactions on Dependable and Secure Computing
Android implements a permission system to regulate apps' access to system resources and sensitive... more Android implements a permission system to regulate apps' access to system resources and sensitive user data. One salient feature of this system is its extensibility: apps can define their own custom permissions to expose features and data to other apps. However, little is known about how widespread the usage of custom permissions is, and what is the impact that these permissions can have on users' privacy and security. In this paper, we empirically study the usage of custom permissions at large scale, using a dataset of 2.2M pre-installed and app-store-downloaded apps. We find the usage of custom permissions to be widespread, and seemingly growing over time. Despite this prevalence, we find that custom permissions are virtually invisible to end users, and their purpose mostly undocumented. This lack of transparency can lead to serious security and privacy problems: we show that custom permissions can facilitate access to permission-protected system resources to apps that lack those permissions without user awareness. To detect this practice, we design and implement two static analysis tools, and highlight multiple concerning cases spotted in the wild. We conclude this study with a discussion of potential solutions to mitigate the privacy and security risks of custom permissions.
Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, 2021
Given the widespread prevalence of vulnerabilities, remediation is a critical phase that every so... more Given the widespread prevalence of vulnerabilities, remediation is a critical phase that every software project has to go through. When comparing the studies on understanding the security vulnerabilities in software, such as vulnerability discovery and patterns, there is a lack of studies on the vulnerability remediation phase. To address this, we have done a timeline analysis for 130 of the most dependent upon open source projects written in JavaScript language, hosted on GitHub to understand the nature and the lifetime of the vulnerabilities in those projects. We used a static code analyzer on 501K commits from the repositories to identify commits that introduced new vulnerabilities to the code and fixed existing vulnerabilities in the code. In 90% of the projects, we identified that a commit that fixed an existing vulnerability had introduced one or more new vulnerabilities into the code. On average, 16% of the commits intended to fix vulnerabilities have introduced one or more new vulnerabilities from the analyzed projects. We also found that 18% of the total vulnerabilities found in those projects have originated from a commit meant to fix an existing vulnerability, and 78% of those vulnerabilities could have been avoided of introduction if the developers were to use proper internal testing. Here, we demonstrate Sequza, a visualization tool to help organizations detect such instances at the earliest possible. CCS CONCEPTS • Security and privacy → Usability in security and privacy; Vulnerability management.
Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
Given the widespread prevalence of vulnerabilities, remediation is a critical phase that every so... more Given the widespread prevalence of vulnerabilities, remediation is a critical phase that every software project has to go through. When comparing the studies on understanding the security vulnerabilities in software, such as vulnerability discovery and patterns, there is a lack of studies on the vulnerability remediation phase. To address this, we have done a timeline analysis for 130 of the most dependent upon open source projects written in JavaScript language, hosted on GitHub to understand the nature and the lifetime of the vulnerabilities in those projects. We used a static code analyzer on 501K commits from the repositories to identify commits that introduced new vulnerabilities to the code and fixed existing vulnerabilities in the code. In 90% of the projects, we identified that a commit that fixed an existing vulnerability had introduced one or more new vulnerabilities into the code. On average, 16% of the commits intended to fix vulnerabilities have introduced one or more new vulnerabilities from the analyzed projects. We also found that 18% of the total vulnerabilities found in those projects have originated from a commit meant to fix an existing vulnerability, and 78% of those vulnerabilities could have been avoided of introduction if the developers were to use proper internal testing. Here, we demonstrate Sequza, a visualization tool to help organizations detect such instances at the earliest possible. CCS CONCEPTS • Security and privacy → Usability in security and privacy; Vulnerability management.
2020 IEEE 20th International Working Conference on Source Code Analysis and Manipulation (SCAM)
IEEE Transactions on Dependable and Secure Computing
Android implements a permission system to regulate apps' access to system resources and sensitive... more Android implements a permission system to regulate apps' access to system resources and sensitive user data. One salient feature of this system is its extensibility: apps can define their own custom permissions to expose features and data to other apps. However, little is known about how widespread the usage of custom permissions is, and what is the impact that these permissions can have on users' privacy and security. In this paper, we empirically study the usage of custom permissions at large scale, using a dataset of 2.2M pre-installed and app-store-downloaded apps. We find the usage of custom permissions to be widespread, and seemingly growing over time. Despite this prevalence, we find that custom permissions are virtually invisible to end users, and their purpose mostly undocumented. This lack of transparency can lead to serious security and privacy problems: we show that custom permissions can facilitate access to permission-protected system resources to apps that lack those permissions without user awareness. To detect this practice, we design and implement two static analysis tools, and highlight multiple concerning cases spotted in the wild. We conclude this study with a discussion of potential solutions to mitigate the privacy and security risks of custom permissions.
Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, 2021
Given the widespread prevalence of vulnerabilities, remediation is a critical phase that every so... more Given the widespread prevalence of vulnerabilities, remediation is a critical phase that every software project has to go through. When comparing the studies on understanding the security vulnerabilities in software, such as vulnerability discovery and patterns, there is a lack of studies on the vulnerability remediation phase. To address this, we have done a timeline analysis for 130 of the most dependent upon open source projects written in JavaScript language, hosted on GitHub to understand the nature and the lifetime of the vulnerabilities in those projects. We used a static code analyzer on 501K commits from the repositories to identify commits that introduced new vulnerabilities to the code and fixed existing vulnerabilities in the code. In 90% of the projects, we identified that a commit that fixed an existing vulnerability had introduced one or more new vulnerabilities into the code. On average, 16% of the commits intended to fix vulnerabilities have introduced one or more new vulnerabilities from the analyzed projects. We also found that 18% of the total vulnerabilities found in those projects have originated from a commit meant to fix an existing vulnerability, and 78% of those vulnerabilities could have been avoided of introduction if the developers were to use proper internal testing. Here, we demonstrate Sequza, a visualization tool to help organizations detect such instances at the earliest possible. CCS CONCEPTS • Security and privacy → Usability in security and privacy; Vulnerability management.
Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
Given the widespread prevalence of vulnerabilities, remediation is a critical phase that every so... more Given the widespread prevalence of vulnerabilities, remediation is a critical phase that every software project has to go through. When comparing the studies on understanding the security vulnerabilities in software, such as vulnerability discovery and patterns, there is a lack of studies on the vulnerability remediation phase. To address this, we have done a timeline analysis for 130 of the most dependent upon open source projects written in JavaScript language, hosted on GitHub to understand the nature and the lifetime of the vulnerabilities in those projects. We used a static code analyzer on 501K commits from the repositories to identify commits that introduced new vulnerabilities to the code and fixed existing vulnerabilities in the code. In 90% of the projects, we identified that a commit that fixed an existing vulnerability had introduced one or more new vulnerabilities into the code. On average, 16% of the commits intended to fix vulnerabilities have introduced one or more new vulnerabilities from the analyzed projects. We also found that 18% of the total vulnerabilities found in those projects have originated from a commit meant to fix an existing vulnerability, and 78% of those vulnerabilities could have been avoided of introduction if the developers were to use proper internal testing. Here, we demonstrate Sequza, a visualization tool to help organizations detect such instances at the earliest possible. CCS CONCEPTS • Security and privacy → Usability in security and privacy; Vulnerability management.
2020 IEEE 20th International Working Conference on Source Code Analysis and Manipulation (SCAM)