Search for: All records

Context: Supervised learning-based projects (SLPs), i.e., software projects that use supervised learning algorithms, such as decision trees are useful for performing classification-related tasks. Yet, security weaknesses, such as the use of hard-coded passwords in SLPs, can make SLPs susceptible to security attacks. A characterization of security weaknesses in SLPs can help practitioners understand the security weaknesses that are frequent in SLPs and adopt adequate mitigation strategies. Objective: The goal of this paper is to help practitioners securely develop supervised learning-based projects by conducting an empirical study of security weaknesses in supervised learning-based projects. Methodology: We conduct an empirical study by quantifying the frequency of security weaknesses in 278 open source SLPs. Results: We identify 22 types of security weaknesses that occur in SLPs. We observe ‘use of potentially dangerous function’ to be the most frequently occurring security weakness in SLPs. Of the identified 3,964 security weaknesses, 23.79% and 40.49% respectively, appear for source code files used to train and test models. We also observe evidence of co-location, e.g., instances of command injection co-locates with instances of potentially dangerous function. Conclusion: Based on our findings, we advocate for a shift left approach for SLP development with security-focused code reviews, and application of security static analysis. 

The last few decades have seen a large proliferation in the prevalence of cyber-physical systems. This has been especially highlighted by the explosive growth in the number of Internet of Things (IoT) devices. Unfortunately, the increasing prevalence of these devices has begun to draw the attention of malicious entities which exploit them for their own gain. What makes these devices especially attractive is the various resource constraints present in these devices that make it difficult to add standard security features. Therefore, one intriguing research direction is creating security solutions out of already present components such as sensors. Physically Unclonable Functions (PUFs) are one potential solution that use intrinsic variations of the device manufacturing process for provisioning security. In this work, we propose a novel weak PUF design using thermistor temperature sensors. Our design uses the differences in resistance variation between thermistors in response to temperature change. To generate a PUF that is reliable across a range of temperatures, we use a response-generation algorithm that helps mitigate the effects of temperature variation on the thermistors. We tested the performance of our proposed design across a range of environmental operating conditions. From this we were able to evaluate the reliability of the proposed PUF with respect to variations in temperature and humidity. We also evaluated the PUF’s uniqueness using Monte Carlo simulations.