Samuel A. Malachowsky
Senior Lecturer, Department of Software Engineering
Project Management Professional (PMP)
Providing an Experiential Cybersecurity Learning Experience Through Mobile Security LabsCite This: BibTeX | EndNote | RefMan | CSV
The reality of today’s computing landscape already suffers from a shortage of cybersecurity professionals, and this gap only expected to grow. We need to generate interest in this STEM topic early in our student’s careers and provide teachers the resources they need to succeed in addressing this gap. To address this shortfall we present Practical LAbs in Security for Mobile Applications (PLASMA), a public set of educational security labs to enable instruction in creation of secure Android apps. These labs include example vulnerable applications, information about each vulnerability, steps for how to repair the vulnerabilities, and information about how to confirm that the vulnerability has been properly repaired. Our goal is for instructors to use these activities in their mobile, security, and general computing courses ranging from secondary school to university settings. Another goal of this project is to foster interest in security and computing through demonstrating its importance. Initial feedback demonstrates the labs’ positive effects in enhancing student interest in cybersecurity and acclaim from instructors. All project activities may be found on the project website:http://www.TeachingMobileSecurity.com (Anthony Peruma, Samuel A. Malachowsky, and Daniel E. Krutz; Conference Paper, 2018-08-15)
Darwin: A Static Analysis Dataset of Malicious and Benign Android AppsCite This: BibTeX | EndNote | RefMan | CSV
The Android platform comprises the vast majority of the mobile market. Unfortunately, Android apps are not immune to issues that plague conventional software including security vulnerabilities, bugs, and permission-based problems. In order to address these issues, we need a better understanding of the apps we use everyday. Over the course of more than a year, we collected and reverse engineered 64,868 Android apps from the Google Play store as well as 1,669 malware samples collected from several sources. Each app was analyzed using several static analysis tools to collect a variety of quality and security related information. The apps spanned 41 different categories, and constituted a total of 576,174 permissions, 39,780 unique signing keys and 125,159 over-permissions. We present the dataset of these apps, and a sample set of analytics, on our website http://darwin.rit.edu with the option of downloading the dataset for offline evaluation. (Nuthan Munaiah, Casey Klimkowsky, Shannon McRae, Adam Blaine, Samuel A. Malachowsky, Cesar Perez, and Daniel E. Krutz; Conference Paper, 2016-11-14)
Examining the Relationship between Security Metrics and User Ratings of Mobile Apps: A Case StudyCite This: BibTeX | EndNote | RefMan | CSV
The success or failure of a mobile application (‘app’) is largely determined by user ratings. Users frequently make their app choices based on the ratings of apps in comparison with similar, often competing apps. Users also expect apps to continually provide new features while maintaining quality, or the ratings drop. At the same time apps must also be secure, but is there a historical trade-off between security and ratings? Or are app store ratings a more all-encompassing measure of product maturity? We used static analysis tools to collect security-related metrics in 38,466 Android apps from the Google Play store. We compared the rate of an app’s permission misuse, number of requested permissions, and Androrisk score, against its user rating.
We found that high-rated apps have statistically significantly higher security risk metrics than low-rated apps. However, the correlations are weak. This result supports the conventional wisdom that users are not factoring security risks into their ratings in a meaningful way. This could be due to several reasons including users not placing much emphasis on security, or that the typical user is unable to gauge the security risk level of the apps they use everyday. (Daniel E. Krutz, Nuthan Munaiah, Andrew Meneely, and Samuel A. Malachowsky; Conference Paper, 2016-11-14)
Teaching Android Security Through Examples: A Publicly Available Database of Vulnerable AppsCite This: BibTeX | EndNote | RefMan | CSV
Security is hard, and teaching security can be even harder. Here we describe a public educational activity to assist in the instruction of both students and developers in creating secure Android apps. Our set of activities includes example vulnerable applications, information about each vulnerability, steps on how to repair the vulnerabilities, and information about how to confirm that the vulnerability has been properly repaired. Our primary goal is to make these activities available to other instructors for use in their classrooms ranging from the K-12 to university settings. A secondary goal of this project is to foster interest in security and computing. All project activities may be found on the project website, http://www.teachingmobilesecurity.com (Daniel E. Krutz and Samuel A. Malachowsky; Journal/Magazine Article, 2016-12-1)
A Project Component in a Web Engineering CourseCite This: BibTeX | EndNote | RefMan | CSV
Web applications are an extremely important and ubiquitous part of today's world. Students must not only know how to develop them from a technical perspective, but in doing so need to understand how to follow the proper principles of software engineering - delivering the project on time, on budget, and in a high quality manner.
At the Department of Software Engineering at the Rochester Institute of Technology, we offer a Web Engineering course which not only introduces students to a variety of web technologies, but more importantly it shows them how to use them in a collaborative environment while properly utilizing web engineering methodologies.The course includes a significant project component requiring students to use a variety of contemporary technologies and resources to create a robust web application. The main premise of the project is for each group to create a web portal using both custom-built and already existing components. The project takes place over the entire 15 week course term, includes multiple releases, and has students work in teams of 4-5.
This innovative project component has received significant praise from both students and faculty members while fulfilling an emerging area of our curriculum. Students enjoy the real-world nature of the project and the ability to work with contemporary technologies in a format which closely mimics what they will see in industry. This paper outlines the educational objectives, project details, some sample project results of our class offering, as well as student feedback about the project. The goal of this work is to share the project, its importance, and lessons learned for use at other institutions with similar educational goals. (Samuel A. Malachowsky and Daniel E. Krutz; Conference Paper, 2015-10-21)
An Insider Threat Activity in a Software Security CourseCite This: BibTeX | EndNote | RefMan | CSV
Software development teams face a critical threat to the security of their systems: insiders. A malicious insider is a person who violates an authorized level of access in a software system. Unfortunately, when creating software, developers do not typically account for insider threat. Students learning software development are unaware of the impacts of malicious actors and are far too often untrained in prevention methods against them. A few of the defensive mechanisms to protect against insider threats include eliminating system access once an employee leaves an organization, enforcing principle of least privilege, code reviews, and constant monitoring for suspicious activity.
At the Department of Software Engineering at the Rochester Institute of Technology, we require a course titled Engineering of Secure Software and have created an activity designed to prepare students for the problem of insider threats. At the beginning of this activity, student teams are given the task of designing a moderately sized secure software system. The goal of this insider is to manipulate the team into creating a flawed system design that would allow attackers to perform malicious activities once the system has been created. When the insider is revealed at the conclusion of the project, students discuss countermeasures regarding the malicious actions the insiders were able to plan or complete, along with methods of prevention that may have been employed by the team to detect the malicious developer.
In this paper, we describe the activity along with the results of a survey. We discuss the benefits and challenges of the activity with the goal of giving other instructors the tools they need to conduct this activity at their institution. While many institutions do not offer courses in computer security, this self-contained activity may be used in any computing course to enforce the importance of protecting against insider threats. (Daniel E. Krutz, Andrew Meneely, and Samuel A. Malachowsky; Conference Paper, 2015-10-21)
Enhancing the Educational Experience for Deaf and Hard of Hearing Students in Software EngineeringCite This: BibTeX | EndNote | RefMan | CSV
Software engineering is largely a communication-driven, team-oriented discipline. There are numerous hurdles for ensuring proper communication and interaction between all project stakeholders, including physical, technological, and cultural barriers. These obstructions not only affect software engineering in industry, but in academia as well. One possible issue that is often overlooked in software engineering education is how to best educate Deaf and hard-of-hearing (Deaf/HoH) students, and how to fully engage them in the classroom.
In this paper, we present our experiences in teaching software engineering to Deaf/HoH students. In the classroom, these students work very closely in activities and on project teams with their hearing peers. We also present recommendations for creating a more robust software engineering educational experience for not only Deaf/HoH students, but for hearing students as well.
We encourage instructors not only in software engineering programs, but in other computing disciplines to consider our recommendations and observations in order to enhance the educational experience for all students in the classroom, whether Deaf/HoH or hearing (Daniel E. Krutz, Jayme A. Kaplan, Samuel A. Malachowsky, and Scott D. Jones; Conference Paper, 2015-10-21)
A Dataset of Open-Source Android ApplicationsCite This: BibTeX | EndNote | RefMan | CSV
Android has grown to be the world's most popular mobile platform with apps that are capable of doing everything from checking sports scores to purchasing stocks. In order to assist researchers and developers in better understanding the development process as well as the current state of the apps themselves, we present a large dataset of analyzed open-source Android applications and provide a brief analysis of the data, demonstrating potential usefulness. This dataset contains 1,179 applications, including 4,416 different versions of these apps and 435,680 total commits. Furthermore, for each app we include the analytical results obtained from several static analysis tools including Androguard, Sonar, and Stowaway.
In order to better support the community in conducting research on the security characteristics of the apps, our large analytical dataset comes with the detailed information including various versions of AndroidManifest.xml files and synthesized information such as permissions, intents, and minimum SDK. We collected 13,036 commits of the manifest files and recorded over 69,707 total permissions used. The results and a brief set of analytics are presented on our website: http://androsec.rit.edu. (Daniel E. Krutz, Mehdi Mirakhorli, Samuel A. Malachowsky, Andres Ruiz, Jacob Peterson, Andrew Filipski, Jared Smith; Conference Paper, 2015-5-16)
Implementing Project Managers in the Software Engineering ClassroomCite This: BibTeX | EndNote | RefMan | CSV
Project management is a discipline that spans many industries and has undeniable benefits in its application. Sometimes, however, it can be difficult to convey its importance and application in the classroom environment. Many process and project management classes cover the core concepts, but fail to provide students with the opportunity to experience both the dynamics and leadership elements so core to project management as both a leader and a team member.
This paper describes an innovative approach to using project managers (PMs) in the classroom that has had measured effects in several areas, including individual student participation, group project disposition, and in-class presentations. Results have been encouraging, with student feedback (from both PMs and group members) indicating positive effects on interest in the field and application of project management, improved group dynamics, and more individual participation in the outcome of group projects.
Specifically included in the paper are examples of PM inclusion in both the class curriculum and main project from beginning to end and how they have been applied to a process and project management course in the past. Areas explored include the PM selection process, class attendance improvement via the PM-led group dynamic, PM-specific activities and evaluation, and the inclusion of a final presentation as a product in a normally process and project heavy course. For context, a description of the class curriculum, some related work, and relevant quantitative and qualitative student feedback are included as well.
The concepts and examples have been successfully implemented as part of a software engineering curriculum, but they could easily be applied to any classroom that wishes to expand project management instruction beyond a simple explanation of process and project management to an immersive experience with both practical and pedagogical benefits. (Samuel A. Malachowsky; Conference Paper, 2015-06-14)
Examining the Effectiveness of Using Concolic Analysis to Detect Code ClonesCite This: BibTeX | EndNote | RefMan | CSV
During the initial construction and subsequent maintenance of an application, duplication of functionality is common, whether intentional or otherwise. This replicated functionality, known as a code clone, has a diverse set of causes and can have moderate to severe adverse effects on a software project in a variety of ways. A code clone is defined as multiple code fragments that produce similar results when provided the same input. While there is an array of powerful clone detection tools, most suffer from a variety of drawbacks including, most importantly, the inability to accurately and reliably detect the more difficult clone types.
This paper presents a new technique for detecting code clones based on concolic analysis, which uses a mixture of concrete and symbolic values to traverse a large and diverse portion of the source code. By performing concolic analysis on the targeted source code and then examining the holistic output for similarities, code clone candidates can be consistently identified. We found that concolic analysis was able to accurately and reliably discover all four types of code clones with an average precision of .8, recall of .91, F-score of .85 and an accuracy of .99. (Daniel E. Krutz, Samuel A. Malachowsky, Emad Shihab; Conference Paper, 2015-04-17)
Using a Real World Project in a Software Testing CourseCite This: BibTeX | EndNote | RefMan | CSV
Although testing often accounts for 50% of the budget of a typical software project, the subject of software testing is often overlooked in computing curriculum. Students often view testing as a boring and unnecessary task, and education is usually focused on building software, not ensuring its quality. Previous works have focused on either making the subject of testing more exciting for students or on a more potent lecture-based learning process.
At the Department of Software Engineering at the Rochester Institute of Technology, recent efforts have been focused on the project component of our Software Testing course as an area of innovation. Rather than previous methods such as a tightly controlled and repetitive testbed, our students are allowed to choose a real-world, open source project to test throughout the term. With the instructor as both counsel and client, students are expected to deliver a test plan, a final report, and several class-wide presentations.
This project has achieved significant student praise; qualitative and quantitative feedback demonstrates both increased satisfaction and fulfilled curricular requirements. Students enjoy the real-world aspect of the project and the ability to work with relevant applications and technologies. This paper outlines the project details and educational goals. (Daniel E. Krutz, Samuel A. Malachowsky, Thomas Reichlmayr; Conference Paper, 2014-03-01)