OS Version Research Articles

On the Complexity of the Web’s PKI: Evaluating Certificate Validation of Mobile Browsers

Digital certificates are frequently used to secure communications between users and web servers. Critical to the Web's PKI is the secure validation of digital certificates. Nonetheless, certificate validation itself is complex and error-prone. Moreover, it is also undermined by particular constraints of mobile browsers. However, these issues have long been overlooked. In this paper, we undertook the first systematic and large-scale study of the certificate validation mechanism within popular mobile browsers to highlight the necessity of reassessing it among all released browsers. To this end, we first compile a comprehensive test suite to identify security flaws in certificate validation from various aspects. By designing and implementing a generic, automated testing pipeline, we effectively evaluate 30 popular browsers on two mobile OS versions and compare them with five representative desktop browsers. We found the latest mobile browsers Accept as many as 33.2% invalid certificates and Reject merely 5.4% invalid ones on average, leaving the majority of them to be decided by users who usually have little expertise. Our findings shed light on the severity and inconsistency of certificate validation flaws across mobile browsers, which are likely to expose users to MITM attacks, spoofing attacks, and so forth.

Local Disordered Region Sampling (LDRS) for ensemble modeling of proteins with experimentally undetermined or low confidence prediction segments.

The Local Disordered Region Sampling (LDRS, pronounced loaders) tool is a new module developed for IDPConformerGenerator, a previously validated approach to model intrinsically disordered proteins (IDPs). The IDPConformerGenerator LDRS module provides a method for generating all-atom conformations of intrinsically disordered protein regions at N- and C-termini of and in loops or linkers between folded regions of an existing protein structure. These disordered elements often lead to missing coordinates in experimental structures or low confidence in predicted structures. Requiring only a pre-existing PDB or mmCIF formatted structural template of the protein with missing coordinates or with predicted confidence scores and its full-length primary sequence, LDRS will automatically generate physically meaningful conformational ensembles of the missing flexible regions to complete the full-length protein. The capabilities of the LDRS tool of IDPConformerGenerator include modeling phosphorylation sites using enhanced Monte Carlo-Side Chain Entropy, transmembrane proteins within an all-atom bilayer, and multi-chain complexes. The modeling capacity of LDRS capitalizes on the modularity, the ability to be used as a library and via command-line, and the computational speed of the IDPConformerGenerator platform. The LDRS module is part of the IDPConformerGenerator modeling suite, which can be downloaded from GitHub at https://github.com/julie-forman-kay-lab/IDPConformerGenerator. IDPConformerGenerator is written in Python3 and works on Linux, Microsoft Windows, and Mac OS versions that support DSSP. Users can utilize LDRS's Python API for scripting the same way they can use any part of IDPConformerGenerator's API, by importing functions from the "idpconfgen.ldrs_helper" library. Otherwise, LDRS can be used as a command line interface application within IDPConformerGenerator. Full documentation is available within the command-line interface as well as on IDPConformerGenerator's official documentation pages (https://idpconformergenerator.readthedocs.io/en/latest/).

Unveiling the Landscape of Operating System Vulnerabilities

Operating systems play a crucial role in computer systems, serving as the fundamental infrastructure that supports a wide range of applications and services. However, they are also prime targets for malicious actors seeking to exploit vulnerabilities and compromise system security. This is a crucial area that requires active research; however, OS vulnerabilities have not been actively studied in recent years. Therefore, we conduct a comprehensive analysis of OS vulnerabilities, aiming to enhance the understanding of their trends, severity, and common weaknesses. Our research methodology encompasses data preparation, sampling of vulnerable OS categories and versions, and an in-depth analysis of trends, severity levels, and types of OS vulnerabilities. We scrape the high-level data from reliable and recognized sources to generate two refined OS vulnerability datasets: one for OS categories and another for OS versions. Our study reveals the susceptibility of popular operating systems such as Windows, Windows Server, Debian Linux, and Mac OS. Specifically, Windows 10, Windows 11, Android (v11.0, v12.0, v13.0), Windows Server 2012, Debian Linux (v10.0, v11.0), Fedora 37, and HarmonyOS 2, are identified as the most vulnerable OS versions in recent years (2021–2022). Notably, these vulnerabilities exhibit a high severity, with maximum CVSS scores falling into the 7–8 and 9–10 range. Common vulnerability types, including CWE-119, CWE-20, CWE-200, and CWE-787, are prevalent in these OSs and require specific attention from OS vendors. The findings on trends, severity, and types of OS vulnerabilities from this research will serve as a valuable resource for vendors, security professionals, and end-users, empowering them to enhance OS security measures, prioritize vulnerability management efforts, and make informed decisions to mitigate risks associated with these vulnerabilities.

Taming Android Fragmentation through Lightweight Crowdsourced Testing

Android fragmentation refers to the overwhelming diversity of Android devices and OS versions. These lead to the impossibility of testing an app on every supported device, leaving a number of compatibility bugs scattered in the community and thereby resulting in poor user experiences. To mitigate this, our fellow researchers have designed various works to automatically detect such compatibility issues. However, the current state-of-the-art tools can only be used to detect specific kinds of compatibility issues (i.e., compatibility issues caused by API signature evolution), i.e., many other essential types of compatibility issues are still unrevealed. For example, customized OS versions on real devices and semantic changes of OS could lead to serious compatibility issues, which are non-trivial to be detected statically. To this end, we propose a novel, lightweight, crowdsourced testing approach, to fill this research gap and enable the possibility of taming Android fragmentation through crowdsourced efforts. Specifically, crowdsourced testing is an emerging alternative to conventional mobile testing mechanisms that allow developers to test their products on real devices to pinpoint platform-specific issues. Experimental results on thousands of test cases on real-world Android devices show that is effective in automatically identifying and verifying API-induced compatibility issues. Also, after investigating the user experience through qualitative metrics, users' satisfaction provides strong evidence that is useful and welcome in practice.

ENSURING THE SECURITY OF CORPORATE USERS ACCOUNTS

Today, the need to protect user accounts of network operating systems is beyond doubt, as unauthorized changes to them in the system can negate the operation of software and hardware tools to protect corporate information. User access rights to the corporation's information resources are established in accordance with the organization's information security policy in order to maintain the confidentiality, integrity and availability of corporate information. With this in mind, the article discusses the rules for creating users accounts for a corporate network and explores ways to ensure their security based on Windows network operating systems. The basic list of rules for creating, assigning and using credentials is defined, namely: setting the maximum restriction of administrative rights for users with administrator rights, providing users and support groups with only those rights that they need to perform their daily tasks, using the organization's domain administrator accounts only to manage domain controllers. An installation file is organized that contains a set of the most common Active Directory (AD) administration utilities. The core of this package is made up of the following utilities: Account Lockout Examiner, Netwrix Auditor, SolarWinds Permissions Analyzer, Active Directory Health Profiler, and Semperis DS Protector. Modeling of AD security diagnostics has shown that using the collected tools in a single installation file greatly simplifies the process of monitoring the AD security status and diagnosing the established user access rights. It has been established that the highest level of security for accounts of privileged users and system administrators using Active Directory is achieved starting with Windows Server 2012 R2, since this OS and later versions implement the functionality of a protected user group, which provides additional protection against compromising their credentials during the authentication procedure.

Alternate Data Stream Attack Framework to Perform Stealth Attacks on Active Directory Hosts

Microsoft’s file system, NTFS, is the most utilised file system by Windows OS versions XP, Vista, 7, and 10. These systems have a little-known file attribute feature known as alternate data streams (ADS) which allows each file in the NTFS file system to have multiple data streams. ADS cannot be removed from the NTFS operating systems. However, the presence of ADS is not inevitably an issue in the OS or file system. Valid instances can be found on systems if scanned and might be valid. Windows OS does not have any in-built tools or applications to determine and remove the presence of existing ADS. This research presents ADSA or alternate data stream attack framework to exploit the alternate data streams and perform cyberattacks on Microsoft operating systems. This research discusses the process of creating and searching alternate data streams with a standard file and an executable binary. The authors executed ADS-hidden executable binary in the ADS. The authors present methods to detect and perform a clean-up by deleting the alternate data stream.

Achieving resource-centric access control for web-app interactions on android

The capability of interacting with web content has become increasingly common among mobile apps. While web-app interaction can facilitate many new functionalities and improve app user experience, they also cause various notable security attacks on mobile apps or web content. The root cause is lack of proper access control mechanisms for web-app interactions on mobile OSes. Existing solutions usually adopt either an origin-centric design or a code-centric deign, and suffer from one or several of the following limitations: coarse protection granularity, poor flexibility in terms of access control policy establishment, and incompatibility with existing apps/OSes due to the need of modifying the apps and/or the underlying OS. More importantly, none of the existing works can organically deal with all the five web-app interaction mechanisms. In this paper, we first identify and survey five mechanisms through which web content interacts with mobile apps. We then propose ReACt , a novel Re source-centric A ccess C on t rol design that can coherently work with all the web-app interaction mechanisms while addressing the above-mentioned limitations. We have implemented a prototype system on Android, and performed extensive evaluation on it. The evaluation results show that our system works well with existing commercial off-the-shelf Android apps and different versions of Android OS, and it can achieve the design goals with small overhead.

Leveraging the first line of defense: a study on the evolution and usage of android security permissions for enhanced android malware detection

Android security permissions are built-in security features that constrain what an app can do and access on the system, that is, its privileges. Permissions have been widely used for Android malware detection, mostly in combination with other relevant app attributes. The available set of permissions is dynamic, refined in every new Android OS version release. The refinement process adds new permissions and deprecates others. These changes directly impact the type and prevalence of permissions requested by malware and legitimate applications over time. Furthermore, malware trends and benign apps’ inherent evolution influence their requested permissions. Therefore, the usage of these features in machine learning-based malware detection systems is prone to concept drift issues. Despite that, no previous study related to permissions has taken into account concept drift. In this study, we demonstrate that when concept drift is addressed, permissions can generate long-lasting and effective malware detection systems. Furthermore, the discriminatory capabilities of distinct set of features are tested. We found that the initial set of permissions, defined in Android 1.0 (API level 1), are sufficient to build an effective detection model, providing an average 0.93 F1 score in data that spans seven years. In addition, we explored and characterized permissions evolution using local and global interpretation methods. In this regard, the varying importance of individual permissions for malware and benign software recognition tasks over time are analyzed.

Script-based automation of analytical instrument software tasks.

In laboratories with multiple identical analytical instruments and consistent sample workflows, analysts frequently perform repetitive software control steps, yet automation options in vendor-supplied instrument software are generally limited and may not support the desired laboratory workflow. Scripts that automate tasks to monitor systems, streamline worklist creation, or minimize downtime can save valuable personnel time and reduce errors. AutoHotkey is a free, open-source scripting language for Windows that allows users with no programming experience to easily create scripts automating a wide variety of activities. The scripts automate the tasks that a user performs while interacting with the instrument control software, such as mouse clicks and keyboard entries and closing software windows, rather than modify the underlying instrument software, and thus these scripts are compatible with multiple vendor software packages and Windows OS versions. The scripts can be triggered manually from a desktop icon or automatically through Windows Task Scheduler.

The Human Interface Device (HID) Attack on Android Lock Screen Non-Biometric Protections and Its Computational Complexity

Nowadays, information obtained from mobile phones is often the subject of evidence in front of a court. ForensicNowadays, information obtained from mobile phones is often the subject of evidence in front of a court. Forensicanalysts often come across smartphones about which they have no prior information. However, they need to extract data fromthem. The main prerequisite to extract the data is to bypass Android lock screen protection. The HID attack is a promisingmethod to break Android lock screen protection. In many cases, this is the only way how to break the smartphone´s nonbiometriclock screen protections on newer Android OS versions. The article contains examples of three non-biometric typesof Android smartphone lock screen protections and their computational complexity. The paper describes hardware and softwarerequirements for implementation of HID attack.

Study and Analysis of the Influence of UX in MIUI – A Case Study on Xiaomi

Purpose: In an ever-changing world, we all have one thing in our hands that is constant, a Mobile Phone. When we buy a Smart Phone, we do make sure we buy the best one that offers a combination of Good Hardware, Great Software, and also a price that we can put for the features offered. In that way, we cannot deny the fact that Xiaomi also called Mi or Redmi phones are some of the best market players we have seen. Even though people generally look only for the hardware features of the phone, it is inevitable to use an Operating System that will take advantage of the hardware features and also be user-friendly. Mi offers such one OS to its users in the form of MIUI, a modified version of the Android OS that normally comes in stock android-based phones. In this paper, we try to understand how Xiaomi as a company has made the OS a marketing strategy for them to popularize their product and become one of the best-selling mobile phones in China and India. Objectives: To understand the evolution and features that MIUI has to offer, to do a comparative study with its competitors and to provide suggestions to improve the company based on the analysis done. Design/Methodology/Approach: This company analysis was done by referring to multiple online sources, such as websites and blogs that guide and review products based on MIUI from Xiaomi. The analysis of the influence of UX in MIUI was done with a SWOC Analysis. Findings/Result: Based on the SWOC analysis of the company, keeping MIUI as a major criterion, the various opportunities and challenges that are there for Xiaomi are discussed. It is found that the company will be able to keep growing as long as it takes advantage of the current scenario and overcome its challenges. Originality/Value: Based on secondary data available, this paper analyses the influence of User Experience in MIUI provided by Xiaomi. Paper Type: A Case Study Analysis Based paper on the MIUI of Xiaomi Company

PowerPrint: Identifying Smartphones through Power Consumption of the Battery

Device fingerprinting technologies are widely employed in smartphones. However, the features used in existing schemes may bring the privacy disclosure problems because of their fixed and invariable nature (such as IMEI and OS version), or the draconian of their experimental conditions may lead to a large reduction in practicality. Finding a new, secure, and effective smartphone fingerprint is, however, a surprisingly challenging task due to the restrictions on technology and mobile phone manufacturers. To tackle this challenge, we propose a battery-based fingerprinting method, named PowerPrint, which captures the feature of power consumption rather than invariable information of the battery. Furthermore, power consumption information can be easily obtained without strict conditions. We design an unsupervised learning-based algorithm to fingerprint the battery, which is stimulated with different power consumption of tasks to improve the performance. We use 15 smartphones to evaluate the performance of PowerPrint in both laboratory and public conditions. The experimental results indicate that battery fingerprint can be efficiently used to identify smartphones with low overhead. At the same time, it will not bring privacy problems, since the power consumption information is changing in real time.

S0060 Characterization of Diagnostic Patterns of Chronic Pancreatitis Within a Large Health Management Organization

INTRODUCTION: Chronic pancreatitis (CP) is an irreversible and progressive fibro-inflammatory disease of the pancreas causing pain and/or loss of exocrine/endocrine function. It is typically diagnosed with a combination of clinical and imaging criteria including atrophy, ductal dilatation, multiple parenchymal and intraductal calcifications. One of the main challenges in making a diagnosis of CP is the lack of universally agreed gold standard diagnostic criteria. To better understand the diagnostic patterns of this chronic, often disabling illness, we performed a retrospective analysis of 215 patients with CP treated at 9 hospitals of MedStar Health. METHODS: Using ICD 10 codes, we retrieved charts of patients presenting to acute care sites within the MedStar Health system between March 2015 and June 2019. These included emergency room visits and inpatient admissions. The following 7 variables pertaining to diagnosis of CP were manually extracted: 1. How was CP diagnosed? 2. Who made the diagnosis? 3. Demographics including sex, age 4. Length of stay 5. Was a GI consult obtained? 6. Location of care (Tertiary care vs. Non-tertiary care hospital) 7. Presumed etiology. Statistical analysis was performed by ANOVA analysis using GraphPad PRISM for Mac OS (Version 8). RESULTS: We found 215 encounters eligible for retrospective chart review. Average length of stay (in days) was longest when a gastroenterologist made the diagnosis (7.48), followed by the internist (2.02), or when a prior diagnosis was known (1.35). When a gastroenterologist was consulted, the chance of making an accurate diagnosis of CP was highest (53%) vs. when they weren’t consulted (20%). Most patients received a diagnosis of CP at a non-tertiary care center. The specialist making the diagnosis significantly changed the probability of accurate diagnosis (P < 0.0001) by clinical and imaging criteria. CONCLUSION: Most patients with CP are diagnosed at non-tertiary centers within the MedStar Health System. Most of these patients are given a diagnosis based on a prior diagnosis of CP. Accuracy of diagnosis significantly improved when a gastroenterologist was consulted. Non-tertiary centers most commonly made a diagnosis of CP based on inappropriate clinical and imaging criteria. These represent avenues for targeted interventions to standardize the diagnosis of CP across a large health management organization.Table 1.: TablesFigure 1.: Retrospective study design.Figure 2.: Graphs.

S3071 Type of Pain Medication Used in Acute Pancreatitis Is Related to Diagnostic Patterns and Outcomes

INTRODUCTION: Acute Pancreatitis (AP) is a leading gastrointestinal cause for hospital admissions in the United States. Supportive care including analgesia remains a cornerstone of treatment although data is lacking regarding optimal type and dose of pain medications in AP. Given known systemic effects of opioids including known anti-inflammatory properties, we examined trends of pain medication use and their related factors in AP. METHODS: We used ICD 10 code for AP to retrieve 4043 charts of patients presenting to emergency rooms within the MedStar Health system (a nine hospital regional health management organization) from March 2015 to June 2019. We assimilated data including relevant history, laboratory markers, imaging, in-patient management and readmissions. We used Revised Atlanta criteria to define the diagnosis of AP. Pertinent to pain management, we recorded if an analgesic was prescribed, what type was used and if the patient received opioids within 24, 48 hours from admissions and at discharge. Statistical analyses were performed including T-test, ANOVA using GraphPad PRISM for Mac OS (Version 8). RESULTS: 2541 complete patient charts were used in our retrospective study. 81% of patients who met the Revised Atlanta criteria received pain medications (P < 0.0001). There was a significant difference between tertiary & non tertiary care centers in the use of pain medications, both between groups of patients who met the criteria (P = 0.0018) and those who did not (P = 0.0135) (Figure 1). Significant differences were noted for length of stay (LOS) (P = 0.0001), with opioid medications associated with a prolonged hospital course (Figure 2). Significant differences were also seen in patients with respect to ICU admission rate (P = 0.04) as well as complications of AP (P = 0.0001). CONCLUSION: Our results show differences in pain management regimens between different tiers of hospitals, location of care (e.g. ICU). Variation in these management plans was associated with differences in LOS and complications related to AP. These differences may be attributed to severity of symptoms with contribution from individual/ group clinical practices by physicians at these hospitals. By understanding these differences, we can design rational prospective trials to assess optimal pain management in AP.Figure 1.: Trends of using pain medications in tertiary & non-tertiary care centers in patients with Acute Pancreatitis who met the Revised Atlanta’s criteria.Figure 2.: Graph depicting relationship between the types of pain medications used and the length of hospital stay in patients with Acute Pancreatitis.

Reproducibility, preservation, and access to research with ReproZip and ReproServer

The adoption of reproducibility remains low, despite incentives becoming increasingly common in different domains, conferences, and journals. The truth is, reproducibility is technically difficult to achieve due to the complexities of computational environments. To address these technical challenges, we created ReproZip, an open-source tool that automatically packs research along with all the necessary information to reproduce it, including data files, software, OS version, and environment variables. Everything is then bundled into an rpz file, which users can use to reproduce the work with ReproZip and a suitable unpacker (e.g.: using Vagrant or Docker). The rpz file is general and contains rich metadata: more unpackers can be added as needed, better guaranteeing long-term preservation. However, installing the unpackers can still be burdensome for secondary users of ReproZip bundles. In this paper, we will discuss how ReproZip and our new tool, ReproServer, can be used together to facilitate access to well-preserved, reproducible work. ReproServer is a web application that allows users to upload or provide a link to a ReproZip bundle, and then interact with/reproduce the contents from the comfort of their browser. Users are then provided a persistent link to the unpacked work on ReproServer which they can share with reviewers or colleagues.

PGsim: A Comprehensive and Highly Customizable Personal Genome Simulator

Although genome sequencing has become increasingly popular, the simulation of individual genomes is still important. This is because sequencing a large number of individual genomes is costly and genome data with extreme and boundary conditions, such as fatal genetic defects, are difficult to obtain. Privacy and legal barriers also prevent many applications of real data. Large sequencing projects in recent years have provided a deeper understanding of the human genome. However, there is a lack of tools to leverage known data to simulate personal genomes as real as possible. Here, we designed and developed PGsim, a comprehensive and highly customizable individual genome simulator, that fully uses existing knowledge, such as variant allele frequencies in global or world main populations, mutation probability differences between protein-coding regions and non-coding regions, transition/transversion (Ti/Tv) ratios, Indel incidence, Indel length distribution, structural variation sites, and pathogenic mutation sites. Users can flexibly control the proportion and quantity of known variants, common variants, novel variants in both coding and non-coding regions, and special variants through detailed parameter settings. To ensure that the simulated personal genome has sufficient randomness, PGsim makes the generated variants more real and reliable in terms of variant distribution, proportion, and population characteristics. PGsim is able to employ a huge volume database as background data to simulate personal genomes and does not require SQL database support. Users can easily change the variant databases used as needed. As a Perl script, there is no obstacle to running PGsim on any version of the MAC OS or Linux systems, and no libraries, packages, interpreters, compilers, or other dependencies need to be installed in advance. The PGsim tool is publicly available at https://github.com/lrjuan/PGsim.

SerbisyoPH : An Android Application for Hiring Service Provider

Background/Objectives: This project aims to lessen the hustle on looking for a service provider by easing up the search through an application that will search for a skilled worker that will fit on performing a specific task. Different level of access is applied depending on the purpose of their use, may it be the client, service provider or the admin. Job posting and searching for a specific service are the major concern of the application. Methods/Statistical analysis: Payments through a different transaction may be done using a PayPal account. This application is only available in the Philippines and can be used using Android devices with at least Lollipop or a higher version of Android OS. Findings: The application “Passed” the conformance, compatibility test, and functionality test. The application got a mean of 3.48 with the use of Mobile Application Rating Scale criteria (MARS) and 3.55 using Content Management System criteria (CMS). Highly Acceptable was the interpretation of the two evaluations. Improvements/Applications: The SerbisyoPH is an android application for hiring the service provider. Its advanced technology and focus on mobile development were done for the benefit the people living in the Philippines, the clients, service provider, and future developers.

Secure and Utility-Aware Data Collection with Condensed Local Differential Privacy

Local Differential Privacy (LDP) is popularly used in practice for privacy-preserving data collection. Although existing LDP protocols offer high utility for large user populations (100,000 or more users), they perform poorly in scenarios with small user populations (such as those in the cybersecurity domain) and lack perturbation mechanisms that are effective for both ordinal and non-ordinal item sequences while protecting sequence length and content simultaneously. In this paper, we address the small user population problem by introducing the concept of Condensed Local Differential Privacy (CLDP) as a specialization of LDP, and develop a suite of CLDP protocols that offer desirable statistical utility while preserving privacy. Our protocols support different types of client data, ranging from ordinal data types in finite metric spaces (numeric malware infection statistics), to non-ordinal items (OS versions, transaction categories), and to sequences of ordinal and non-ordinal items. Extensive experiments are conducted on multiple datasets, including datasets that are an order of magnitude smaller than those used in existing approaches, which show that proposed CLDP protocols yield high utility. Furthermore, case studies with Symantec datasets demonstrate that our protocols accurately support key cybersecurity-focused tasks of detecting ransomware outbreaks, identifying targeted and vulnerable OSs, and inspecting suspicious activities on infected machines.

Android OS Fragmentation: Causes and Concerns

Android is facing a serious security concern due to OS fragmentation, as a significant number of android users are using much older version of the mobile OS without being updated with latest security patches. The rush to release new devices without sufficient testing is inadvertently introducing security flaws.

Perancangan Permainan Ular Tangga Multiplayer Berbasis Android

Snake game ladder is a much-loved game on the cellular telephone a few years ago, but as it grew its technology today many people use cell telephone based on android, so snake game that had rucked also lagged. As the game develops in accordance with technology, conventional games that used to be a lot of interest to be left behind. Therefore in this research the ladder snake game will design a game of snake ladder with waterfall method and backtracking algorithm purpose of this research is this game can run on Jellybeans Android OS until latest Android OS version.