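Raffa G; Blasco J; O'Keeffe D; Dash S K: CloudFlow: Identifying Security-sensitive Data Flows in Serverless Applications. Usenix Security 2025, Forthcoming.
% Forthcoming conference paper; this record has no pages, DOI or URL yet.
% The export carried date = urldate = 2025-06-26. urldate is dropped because there is no url to date,
% and date is dropped in favour of year because it looks like an entry timestamp rather than the
% event date (confirm before restoring it). The empty keywords field is removed.
% Names use the unambiguous Last, First form; the tool name and the USENIX acronym are brace-protected.
@conference{giuseppe_usenix,
  author    = {Raffa, Giuseppe and Blasco, Jorge and O'Keeffe, Dan and Dash, Santanu Kumar},
  title     = {{CloudFlow}: Identifying Security-sensitive Data Flows in Serverless Applications},
  booktitle = {{USENIX} Security 2025},
  year      = {2025},
  pubstate  = {forthcoming},
  tppubtype = {conference}
}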
|
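Tileria M; Blasco J; Dash S K: DocFlow: Extracting Taint Specifications from Software Documentation. In: Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, ACM, Lisbon, Portugal, 2024.
% The doi field is the stable identifier; the url field only repeated it behind the doi.org resolver
% and is removed, together with the urldate that dated it.
% date = 2024-01-01 matched urldate and looks like a plugin default rather than the conference date; year is kept.
% Lisbon, Portugal is the conference location, not the publisher's city, so it moves from address to venue.
% The empty keywords field is removed; names use Last, First form; the tool name is brace-protected.
@inproceedings{10.1145/3597503.3623312,
  author    = {Tileria, Marcos and Blasco, Jorge and Dash, Santanu Kumar},
  title     = {{DocFlow}: Extracting Taint Specifications from Software Documentation},
  booktitle = {Proceedings of the {IEEE/ACM} 46th International Conference on Software Engineering},
  series    = {ICSE '24},
  publisher = {ACM},
  venue     = {Lisbon, Portugal},
  year      = {2024},
  doi       = {10.1145/3597503.3623312},
  abstract  = {Security practitioners routinely use static analysis to detect security problems and privacy violations in Android apps. The soundness of these analyses depends on how the platform is modelled and the list of sensitive methods. Collecting these methods often becomes impractical given the number of methods available, the pace at which the Android platform is updated, and the proprietary libraries Google releases on each new version. Despite the constant evolution of the Android platform, app developers cope with all these new features thanks to the documentation that comes with each new Android release. In this work, we take advantage of the rich documentation provided by platforms like Android and propose DocFlow, a framework to generate taint specifications for a platform, directly from its documentation. DocFlow models the semantics of API methods using their documentation to detect sensitive methods (sources and sinks) and assigns them semantic labels. Our approach does not require access to source code, enabling the analysis of proprietary libraries for which the code is unavailable. We evaluate DocFlow using Android platform packages and closed-source Google Play Services libraries. Our results show that our framework detects sensitive methods with high precision, adapts to new API versions, and can be easily extended to detect other method types. Our approach provides evidence that Android documentation encodes rich semantic information to categorise sensitive methods, removing the need to analyse source code or perform feature extraction.},
  pubstate  = {published},
  tppubtype = {inproceedings}
}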
Security practitioners routinely use static analysis to detect security problems and privacy violations in Android apps. The soundness of these analyses depends on how the platform is modelled and the list of sensitive methods. Collecting these methods often becomes impractical given the number of methods available, the pace at which the Android platform is updated, and the proprietary libraries Google releases on each new version. Despite the constant evolution of the Android platform, app developers cope with all these new features thanks to the documentation that comes with each new Android release. In this work, we take advantage of the rich documentation provided by platforms like Android and propose DocFlow, a framework to generate taint specifications for a platform, directly from its documentation. DocFlow models the semantics of API methods using their documentation to detect sensitive methods (sources and sinks) and assigns them semantic labels. Our approach does not require access to source code, enabling the analysis of proprietary libraries for which the code is unavailable. We evaluate DocFlow using Android platform packages and closed-source Google Play Services libraries. Our results show that our framework detects sensitive methods with high precision, adapts to new API versions, and can be easily extended to detect other method types. Our approach provides evidence that Android documentation encodes rich semantic information to categorise sensitive methods, removing the need to analyse source code or perform feature extraction. |
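Pârtachi P; Dash S K; Allamanis M; Barr E T: Flexeme: Untangling Commits Using Lexical Flows. 28th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE '20 ACM, 2020.
% The doi field is the stable identifier; the url field only repeated it behind the doi.org resolver
% and is removed, together with the urldate that dated it.
% date = 2020-01-01 matched urldate and looks like a plugin default rather than the conference date; year is kept.
% The booktitle, previously wrapped across two lines, is joined; the empty keywords field is removed.
% Author and editor names use Last, First form; the accented surname uses a LaTeX escape so that
% 8-bit BibTeX and Biber both sort and label it correctly.
@conference{DBLP:conf/sigsoft/PartachiDAB20,
  author    = {P{\^a}rtachi, Profir-Petru and Dash, Santanu Kumar and Allamanis, Miltiadis and Barr, Earl T.},
  editor    = {Devanbu, Prem and Cohen, Myra B. and Zimmermann, Thomas},
  title     = {{Flexeme}: Untangling Commits Using Lexical Flows},
  booktitle = {28th {ACM} Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering},
  series    = {ESEC/FSE '20},
  pages     = {63--74},
  publisher = {ACM},
  year      = {2020},
  doi       = {10.1145/3368089.3409693},
  pubstate  = {published},
  tppubtype = {conference}
}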
|
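Pârtachi P; Dash S K; Treude C; Barr E T: POSIT: Simultaneously Tagging Natural and Programming Languages. ICSE '20: 42nd International Conference on Software Engineering, Seoul, South Korea, 27 June - 19 July, 2020, ACM, 2020.
% The doi field is the stable identifier; the url field only repeated it behind the doi.org resolver
% and is removed, together with the urldate that dated it.
% date = 2020-01-01 contradicted the event dates given in the booktitle (27 June to 19 July 2020)
% and is dropped; year is kept.
% The booktitle, previously wrapped across two lines, is joined and its date range uses an en dash.
% The empty keywords field is removed; names use Last, First form; the acronym title word is
% brace-protected so sentence-casing styles do not print it as Posit.
@conference{DBLP:conf/icse/PartachiDTB20,
  author    = {P{\^a}rtachi, Profir-Petru and Dash, Santanu Kumar and Treude, Christoph and Barr, Earl T.},
  editor    = {Rothermel, Gregg and Bae, Doo-Hwan},
  title     = {{POSIT}: Simultaneously Tagging Natural and Programming Languages},
  booktitle = {{ICSE} '20: 42nd International Conference on Software Engineering, Seoul, South Korea, 27 June -- 19 July, 2020},
  pages     = {1348--1358},
  publisher = {ACM},
  year      = {2020},
  doi       = {10.1145/3377811.3380440},
  pubstate  = {published},
  tppubtype = {conference}
}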
|
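Dash S K; Allamanis M; Barr E T: RefiNym: Using Names to Refine Types. 26th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE'18 2018.
% This record has no pages, publisher, DOI or URL; add them from the proceedings when available.
% The export carried date = urldate = 2018-01-01. urldate is dropped because there is no url to date,
% and date is dropped because it looks like a plugin default rather than the conference date; year is kept.
% The empty keywords field is removed; names use Last, First form; the mixed-case tool name is
% brace-protected; the series label gains a space before the year to match the other ESEC/FSE entry.
@conference{refinym,
  author    = {Dash, Santanu Kumar and Allamanis, Miltiadis and Barr, Earl T.},
  title     = {{RefiNym}: Using Names to Refine Types},
  booktitle = {26th {ACM} Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering},
  series    = {ESEC/FSE '18},
  year      = {2018},
  pubstate  = {published},
  tppubtype = {conference}
}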
|
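Jordaney R; Sharad K; Dash S K; Wang Z; Papini D; Nouretdinov I; Cavallaro L: Transcend: Detecting Concept Drift in Malware Classification Models. 26th USENIX Security Symposium (USENIX Security 17), USENIX Association, 2017.
% This record has no DOI or URL.
% The export carried date = urldate = 2017-01-01. urldate is dropped because there is no url to date,
% and date is dropped because it looks like a plugin default rather than the symposium date; year is kept.
% The empty keywords field is removed; names use Last, First form; the USENIX acronym and the
% tool name are brace-protected.
@conference{transcend,
  author    = {Jordaney, Roberto and Sharad, Kumar and Dash, Santanu K. and Wang, Zhi and Papini, Davide and Nouretdinov, Ilia and Cavallaro, Lorenzo},
  title     = {{Transcend}: Detecting Concept Drift in Malware Classification Models},
  booktitle = {26th {USENIX} Security Symposium ({USENIX} Security 17)},
  pages     = {625--642},
  publisher = {{USENIX} Association},
  year      = {2017},
  pubstate  = {published},
  tppubtype = {conference}
}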
|