Daniel Votipka scite author profile

Identifying security vulnerabilities in software is a critical task that requires significant human effort. Currently, vulnerability discovery is often the responsibility of software testers before release and white-hat hackers (often within bug bounty programs) afterward. This arrangement can be ad-hoc and far from ideal; for example, if testers could identify more vulnerabilities, software would be more secure at release time. Thus far, however, the processes used by each group -and how they compare to and interact with each other -have not been well studied. This paper takes a first step toward better understanding, and eventually improving, this ecosystem: we report on a semi-structured interview study (n=25) with both testers and hackers, focusing on how each group finds vulnerabilities, how they develop their skills, and the challenges they face. The results suggest that hackers and testers follow similar processes, but get different results due largely to differing experiences and therefore different underlying knowledge of security concepts. Based on these results, we provide recommendations to support improved security training for testers, better communication between hackers and developers, and smarter bug bounty policies to motivate hacker participation.1 The way people think and the perspectives and previous experiences they bring to bear on a problem [24, pg. 40-65].

show abstract

An Observational Investigation of Reverse Engineers' Process and Mental Models

Votipka

Rabin

Micinski

et al. 2019

View full text Add to dashboard Cite

Reverse engineering is a complex process essential to software-security tasks such as vulnerability discovery and malware analysis. Significant research and engineering effort has gone into developing tools to support reverse engineers. However, little work has been done to understand the way reverse engineers think when analyzing programs, leaving tool developers to make interface design decisions based only on intuition.This paper takes a first step toward a better understanding of reverse engineers' processes, with the goal of producing insights for improving interaction design for reverse engineering tools. We present the results of a semi-structured, observational interview study of reverse engineers (N=16). Each observation investigated the questions reverse engineers ask as they probe a program, how they answer these questions, and the decisions they make throughout the reverse engineering process. From the interview responses, we distill a model of the reverse engineering process, divided into three phases: overview, sub-component scanning, and focused experimentation. Each analysis phase's results feed the next as reverse engineers' mental representations become more concrete. We find that reverse engineers typically use static methods in the first two phases, but dynamic methods in the final phase, with experience playing large, but varying, roles in each phase. Based on these results, we provide five interaction design guidelines for reverse engineering tools.

show abstract

User Interactions and Permission Use on Android

Micinski

Votipka

Stevens

et al. 2017

View full text Add to dashboard Cite

Android and other mobile operating systems ask users for authorization before allowing apps to access sensitive resources such as contacts and location. We hypothesize that such authorization systems could be improved by becoming more integrated with the app's user interface. In this paper, we conduct two studies to test our hypothesis. First, we use App-Tracer, a dynamic analysis tool we developed, to measure to what extent user interactions and sensitive resource use are related in existing apps. Second, we conduct an online survey to examine how different interactions with the UI affect users' expectations about whether an app accesses sensitive resources. Our results suggest that user interactions such as button clicks can be interpreted as authorization, reducing the need for separate requests; but that accesses not directly tied to user interactions should be separately authorized, possibly when apps are first launched.

show abstract

Passe-Partout: A General Collection Methodology for Android Devices

Votipka

Vidas

Christin

2013

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

Like computers, mobile devices are both used to commit and are the subject of crimes. Digital forensics collection and analysis techniques need to adapt to cope with the unique characteristics of mobile devices. Fortunately, the rapid adoption of such devices has also resulted in a relatively homogeneous set of software platforms. In this paper, we describe a general methodology for performing digital forensic data collection on Androidbased devices. By re-purposing a special Android boot mode, comprehensive extraction of evidence, with minimal potential for data corruption or omission, is possible.

show abstract

Does Being Verified Make You More Credible?

Vaidya

Votipka

Mazurek

et al. 2019

View full text Add to dashboard Cite

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Daniel Votipka

Hackers vs. Testers: A Comparison of Software Vulnerability Discovery Processes

An Observational Investigation of Reverse Engineers' Process and Mental Models

User Interactions and Permission Use on Android

Passe-Partout: A General Collection Methodology for Android Devices

Does Being Verified Make You More Credible?

Contact Info

Product

Resources

About