Samuel A. Malachowsky
Rochester Institute of Technology
Publication
Featured research published by Samuel A. Malachowsky.
mining software repositories | 2015
Daniel E. Krutz; Mehdi Mirakhorli; Samuel A. Malachowsky; Andres Ruiz; Jacob Peterson; Andrew Filipski; Jared Smith
Android has grown to be the world's most popular mobile platform with apps that are capable of doing everything from checking sports scores to purchasing stocks. In order to assist researchers and developers in better understanding the development process as well as the current state of the apps themselves, we present a large dataset of analyzed open-source Android applications and provide a brief analysis of the data, demonstrating potential usefulness. This dataset contains 1,179 applications, including 4,416 different versions of these apps and 435,680 total commits. Furthermore, for each app we include the analytical results obtained from several static analysis tools including Androguard, Sonar, and Stowaway. In order to better support the community in conducting research on the security characteristics of the apps, our large analytical dataset comes with the detailed information including various versions of AndroidManifest.xml files and synthesized information such as permissions, intents, and minimum SDK. We collected 13,036 commits of the manifest files and recorded over 69,707 total permissions used. The results and a brief set of analytics are presented on our website: http://androsec.rit.edu.
technical symposium on computer science education | 2014
Daniel E. Krutz; Samuel A. Malachowsky; Thomas Reichlmayr
Although testing often accounts for 50% of the budget of a typical software project, the subject of software testing is often overlooked in computing curriculum. Students often view testing as a boring and unnecessary task, and education is usually focused on building software, not ensuring its quality. Previous works have focused on either making the subject of testing more exciting for students or on a more potent lecture-based learning process. At the Department of Software Engineering at the Rochester Institute of Technology, recent efforts have been focused on the project component of our Software Testing course as an area of innovation. Rather than previous methods such as a tightly controlled and repetitive testbed, our students are allowed to choose a real-world, open source project to test throughout the term. With the instructor as both counsel and client, students are expected to deliver a test plan, a final report, and several class-wide presentations. This project has achieved significant student praise; qualitative and quantitative feedback demonstrates both increased satisfaction and fulfilled curricular requirements. Students enjoy the real-world aspect of the project and the ability to work with relevant applications and technologies. This paper outlines the project details and educational goals.
acm symposium on applied computing | 2015
Daniel E. Krutz; Samuel A. Malachowsky; Emad Shihab
During the initial construction and subsequent maintenance of an application, duplication of functionality is common, whether intentional or otherwise. This replicated functionality, known as a code clone, has a diverse set of causes and can have moderate to severe adverse effects on a software project in a variety of ways. A code clone is defined as multiple code fragments that produce similar results when provided the same input. While there is an array of powerful clone detection tools, most suffer from a variety of drawbacks including, most importantly, the inability to accurately and reliably detect the more difficult clone types. This paper presents a new technique for detecting code clones based on concolic analysis, which uses a mixture of concrete and symbolic values to traverse a large and diverse portion of the source code. By performing concolic analysis on the targeted source code and then examining the holistic output for similarities, code clone candidates can be consistently identified. We found that concolic analysis was able to accurately and reliably discover all four types of code clones with an average precision of .8, recall of .91, F-score of .85 and an accuracy of .99.
Proceedings of the International Workshop on App Market Analytics | 2016
Nuthan Munaiah; Casey Klimkowsky; Shannon McRae; Adam Blaine; Samuel A. Malachowsky; Cesar Perez; Daniel E. Krutz
The Android platform comprises the vast majority of the mobile market. Unfortunately, Android apps are not immune to issues that plague conventional software including security vulnerabilities, bugs, and permission-based problems. In order to address these issues, we need a better understanding of the apps we use every day. Over the course of more than a year, we collected and reverse engineered 64,868 Android apps from the Google Play store as well as 1,669 malware samples collected from several sources. Each app was analyzed using several static analysis tools to collect a variety of quality and security related information. The apps spanned 41 different categories, and constituted a total of 576,174 permissions, 39,780 unique signing keys and 125,159 over-permissions. We present the dataset of these apps, and a sample set of analytics, on our website (http://darwin.rit.edu), with the option of downloading the dataset for offline evaluation.
frontiers in education conference | 2015
Daniel E. Krutz; Samuel A. Malachowsky; Scott D. Jones; Jayme A. Kaplan
Software engineering is largely a communication-driven, team-oriented discipline. There are numerous hurdles for ensuring proper communication and interaction between all project stakeholders, including physical, technological, and cultural barriers. These obstructions not only affect software engineering in industry, but in academia as well. One possible issue that is often overlooked in software engineering education is how to best educate Deaf and hard-of-hearing (Deaf/HoH) students, and how to fully engage them in the classroom. In this paper, we present our experiences in teaching software engineering to Deaf/HoH students. In the classroom, these students work very closely in activities and on project teams with their hearing peers. We also present recommendations for creating a more robust software engineering educational experience for not only Deaf/HoH students, but for hearing students as well. We encourage instructors not only in software engineering programs, but in other computing disciplines to consider our recommendations and observations in order to enhance the educational experience for all students in the classroom, whether Deaf/HoH or hearing.
frontiers in education conference | 2015
Daniel E. Krutz; Andrew Meneely; Samuel A. Malachowsky
Software development teams face a critical threat to the security of their systems: insiders. A malicious insider is a person who violates an authorized level of access in a software system. Unfortunately, when creating software, developers do not typically account for insider threat. Students learning software development are unaware of the impacts of malicious actors and are far too often untrained in prevention methods against them. A few of the defensive mechanisms to protect against insider threats include eliminating system access once an employee leaves an organization, enforcing principle of least privilege, code reviews, and constant monitoring for suspicious activity. At the Department of Software Engineering at the Rochester Institute of Technology, we require a course titled Engineering of Secure Software and have created an activity designed to prepare students for the problem of insider threats. At the beginning of this activity, student teams are given the task of designing a moderately sized secure software system. The goal of this insider is to manipulate the team into creating a flawed system design that would allow attackers to perform malicious activities once the system has been created. When the insider is revealed at the conclusion of the project, students discuss countermeasures regarding the malicious actions the insiders were able to plan or complete, along with methods of prevention that may have been employed by the team to detect the malicious developer. In this paper, we describe the activity along with the results of a survey. We discuss the benefits and challenges of the activity with the goal of giving other instructors the tools they need to conduct this activity at their institution. While many institutions do not offer courses in computer security, this self-contained activity may be used in any computing course to enforce the importance of protecting against insider threats.
frontiers in education conference | 2015
Samuel A. Malachowsky; Daniel E. Krutz
Web applications are an extremely important and ubiquitous part of today's world. Students must not only know how to develop them from a technical perspective, but in doing so need to understand how to follow the proper principles of software engineering - delivering the project on time, on budget, and in a high quality manner. At the Department of Software Engineering at the Rochester Institute of Technology, we offer a Web Engineering course which not only introduces students to a variety of web technologies, but more importantly it shows them how to use them in a collaborative environment while properly utilizing web engineering methodologies. The course includes a significant project component requiring students to use a variety of contemporary technologies and resources to create a robust web application. The main premise of the project is for each group to create a web portal using both custom-built and already existing components. The project takes place over the entire 15-week course term, includes multiple releases, and has students work in teams of 4-5. This innovative project component has received significant praise from both students and faculty members while fulfilling an emerging area of our curriculum. Students enjoy the real-world nature of the project and the ability to work with contemporary technologies in a format which closely mimics what they will see in industry. This paper outlines the educational objectives, project details, some sample project results of our class offering, as well as student feedback about the project. The goal of this work is to share the project, its importance, and lessons learned for use at other institutions with similar educational goals.
Proceedings of the International Workshop on App Market Analytics | 2016
Daniel E. Krutz; Nuthan Munaiah; Andrew Meneely; Samuel A. Malachowsky
2015 ASEE Annual Conference & Exposition | 2015
Samuel A. Malachowsky
international workshop on security | 2018
Anthony Peruma; Samuel A. Malachowsky; Daniel E. Krutz