All Your Droid Are Belong to Us: A Survey of Current Android Attacks
TLDR
This paper discusses the Android security model and some potential weaknesses of that model, and provides a taxonomy of attacks on the platform, illustrated by real attacks that ultimately guarantee privileged access to the device.
Hackers vs. Testers: A Comparison of Software Vulnerability Discovery Processes
TLDR
A semi-structured interview study with both testers and hackers, focusing on how each group finds vulnerabilities, how they develop their skills, and the challenges they face, suggests that hackers and testers follow similar processes, but get different results due largely to differing experiences.
Passe-Partout: A General Collection Methodology for Android Devices
TLDR
By re-purposing a special Android boot mode, comprehensive extraction of evidence is possible, with minimal potential for data corruption or omission, on Android-based devices.
An Observational Investigation of Reverse Engineers' Process and Mental Models
TLDR
The initial observations suggest that reverse engineers rely on a variety of reference points in both the program text and structure as well as its dynamic behavior to build hypotheses about the program's function and identify points of interest for future exploration.
User Comfort with Android Background Resource Accesses in Different Contexts
TLDR
This work investigates user comfort level with resource accesses that happen in a background context, meaning they occur when there is no visual indication of a resource use.
Understanding security mistakes developers make: Qualitative analysis from Build It, Break It, Fix It
TLDR
This paper investigates how and why programmers, despite a baseline of security experience, make security-relevant errors, and conducts an in-depth analysis of 94 submissions to a secure-programming contest designed to mimic real-world constraints: correctness, performance, and security.
User Interactions and Permission Use on Android
TLDR
The results suggest that user interactions such as button clicks can be interpreted as authorization, reducing the need for separate requests; but that accesses not directly tied to user interactions should be separately authorized, possibly when apps are first launched.
The Battle for New York: A Case Study of Applied Digital Threat Modeling at the Enterprise Level
TLDR
This paper describes the introduction of formalized threat modeling to New York City Cyber Command and finds that threat modeling improved self-efficacy; 20 of 25 participants regularly incorporated it within their daily duties 30 days after training, without further prompting.
An Observational Investigation of Reverse Engineers' Processes
TLDR
A semi-structured, observational interview study of reverse engineers produces a model of the reverse engineering process, divided into three phases: overview, sub-component scanning, and focused experimentation. It finds that reverse engineers typically use static methods in the first two phases but dynamic methods in the final phase, with experience playing large, but varying, roles in each phase.
Does Being Verified Make You More Credible?: Account Verification's Effect on Tweet Credibility
TLDR
Surprisingly, across both studies, it is found that most users can effectively distinguish between authenticity and credibility, and the presence or absence of an authenticity indicator has no significant effect on willingness to share a tweet or take action based on its contents.