Security and Usability Issues in Event-Driven Applications.
Record type: Bibliographic - language material, manuscript : Monograph/item
Title/Author: Security and Usability Issues in Event-Driven Applications.
Author: Bose, Priyanka.
Physical description: 1 online resource (150 pages)
Note: Source: Dissertations Abstracts International, Volume: 85-03, Section: B.
Contained By: Dissertations Abstracts International 85-03B.
Subject: Computer engineering.
Electronic resource: click for full text (PQDT)
ISBN: 9798380153782
Thesis (Ph.D.)--University of California, Santa Barbara, 2023.
Includes bibliographical references
An application is a computer program designed to run on a device. To ease our daily life, we delegate many tedious tasks to these applications. An event-driven application is one where the events drive an application from one state to the other. For example, in the case of Android apps, clicking UI buttons performs certain actions which change the app state. Here, clicking the button is an example of an event. Similarly, for smart contracts, which are very popular nowadays, the execution of a transaction, which can be thought of as an event, drives the state of the smart contract into a different one.

These event-driven applications suffer from both usability and security issues that can be abused by malicious actors. For example, a bug in an Android app may cause the device to become unresponsive or crash altogether. Frequent such crashes result in the instability of the app and a bad user experience. Moreover, app crashes due to a programming error, such as a null pointer exception, may create an opportunity for a malicious user to exploit the vulnerability and execute arbitrary code on the device. For decentralized applications that use smart contracts, a vulnerability in a contract can be exploited by a malicious actor leading to tremendous losses, as demonstrated by recent attacks. For instance, the notorious "TheDAO" reentrancy attack led to a financial loss of about $50M in 2016. Furthermore, in recent years, several other reentrancy attacks, e.g., Uniswap, Burgerswap, Lendf.me, resulted in multimillion-dollar losses. Furthermore, given the high popularity and significant total value locked in decentralized applications, they have become attractive targets for various money-making opportunities for malicious actors. These bad actors may seek to exploit weaknesses in the applications to engage in high-frequency trading activities such as front-running and back-running or to corner the market by buying NFTs (Non-fungible tokens) and selling them later at a significant profit.

Hence, it is crucial to comprehensively analyze and understand the security and usability issues associated with event-driven applications. This is particularly important given the potential financial losses and negative impact on user experience that may result from vulnerabilities in these applications. However, these event-driven applications typically have multiple entry points and are highly stateful, allowing anyone to invoke these entry points independently and in any order, making the automated analysis challenging.

Throughout my Ph.D. research, I focused on analyzing various aspects related to the security and usability issues of these event-driven applications and extensively discussed the findings in my dissertation. First, I introduce the fundamental differences between traditional applications and event-driven applications and highlight the unique challenges these event-driven applications pose. Next, I present a comprehensive threat model for these applications with associated security, usability issues, and risks. Lastly, I present in detail how my work focuses on analyzing these applications. Specifically, I present Columbus, a callback-driven Android app testing technique that employs a combination of static analysis, under-constrained symbolic execution and type-guided dynamic heap introspection to generate valid and effective inputs to test the stability and usability of these apps. Furthermore, I developed Sailfish, a scalable system for automatically finding state-inconsistency bugs in smart contracts. Finally, my research delved into the intriguing economic landscape of decentralized applications, with a particular focus on the emerging field of NFT trading, exploring how actors in this ecosystem make use of these unique digital assets to earn profits through high-frequency trading activities, sometimes in malicious ways.
Electronic reproduction. Ann Arbor, Mich. : ProQuest, 2024
Mode of access: World Wide Web
ISBN: 9798380153782
Subjects--Topical Terms:
569006 Computer engineering.
Subjects--Index Terms:
Android apps
Index Terms--Genre/Form:
554714 Electronic books.
LDR :05260ntm a22003857 4500
001 1148306
005 20240924101846.5
006 m o d
007 cr bn ---uuuuu
008 250605s2023 xx obm 000 0 eng d
020 $a 9798380153782
035 $a (MiAaPQ)AAI30530357
035 $a AAI30530357
040 $a MiAaPQ $b eng $c MiAaPQ $d NTU
100 1 $a Bose, Priyanka. $3 1474247
245 1 0 $a Security and Usability Issues in Event-Driven Applications.
264 0 $c 2023
300 $a 1 online resource (150 pages)
336 $a text $b txt $2 rdacontent
337 $a computer $b c $2 rdamedia
338 $a online resource $b cr $2 rdacarrier
500 $a Source: Dissertations Abstracts International, Volume: 85-03, Section: B.
500 $a Advisor: Vigna, Giovanni; Kruegel, Christopher.
502 $a Thesis (Ph.D.)--University of California, Santa Barbara, 2023.
504 $a Includes bibliographical references
533 $a Electronic reproduction. $b Ann Arbor, Mich. : $c ProQuest, $d 2024
538 $a Mode of access: World Wide Web
650 4 $a Computer engineering. $3 569006
650 4 $a Computer science. $3 573171
653 $a Android apps
653 $a Non-fungible tokens
653 $a Program analysis
653 $a Smart contracts
653 $a Symbolic executions
655 7 $a Electronic books. $2 local $3 554714
690 $a 0984
690 $a 0464
710 2 $a University of California, Santa Barbara. $b Computer Science. $3 1182528
710 2 $a ProQuest Information and Learning Co. $3 1178819
773 0 $t Dissertations Abstracts International $g 85-03B.
856 4 0 $u http://pqdd.sinica.edu.tw/twdaoapp/servlet/advanced?query=30530357 $z click for full text (PQDT)