Android fragmentation refers to the fact that there are nowadays a massive number of different Android devices, which are manufactured by different companies and run different Android OS versions, operationalized in the digital world. The minor difference between these devices may lead to compatibility issues that eventually result in different app behaviors and, subsequently, poor user experiences. It has hence been a hot topic in mobile software engineering to tame Android fragmentation. In this talk, I will introduce some of our attempts to address such fragmentation issues.
Dr. Li Li is a Senior lecturer (a.k.a., Associate Professor) and a PhD supervisor at Monash University, Australia. He received his PhD degree in computer science from the University of Luxembourg in 2016. He has published over 60 research papers at prestigious conferences such as ICSE, ESEC/FSE, ASE, ISSTA, POPL, PLDI, etc. and prestigious journals such as ACM TOSEM and IEEE TSE, TIFS, TDSC, etc.
Li’s research has received various awards, including the prestigious ARC Discovery Early Career Researcher Award (DECRA in short), an ACM Distinguished Paper Award at PLDI 2021, a Best Student Paper Award at WWW 2020, an ACM Distinguished Paper Award at ASE 2018, a FOSS Impact Paper Award at MSR 2018, and a Best Paper Award at the ERA track of IEEE SANER 2016.
Li was named as one of the Top-5 most impactful earlier career software engineering researchers in the world.
Li is an active member of the software engineering and security community serving as a reviewer for many top-tier conferences and journals such as ASE, ICSME, SANER, TSE, TOSEM, TIFS, TDSC, TOPS, EMSE, JSS, IST, etc.
no description available
In the field of software engineering (SE) research, there has long been a focus on automating various development tasks in an attempt to facilitate or augment the abilities of developers. Research aligned with this objective typically aims to learn models from information mined from software repositories and then apply these models to automate a given SE task. The large majority of this work has focused on artifacts consisting of two main modalities of information — code and natural language. However, one information source which has been comparatively underutilized is the visual modality of software expressed via User Interfaces (UIs). UIs serve as an important medium of interaction between the logic of an application and users, and as such, they encode salient information about underlying program functionality into rich, pixel-based data representations. Given the latent information contained within UIs, and the rapid advancement of Deep Learning (DL) techniques for computer vision and natural language processing in recent years, there is a tremendous opportunity to leverage UI-related software artifacts to offer novel forms of software development automation. This talk will explore the exciting potential of mining and learning patterns from user interfaces to support mobile app development, and lay out some community challenges that, if addressed, could catalyze this area of research.
Kevin Moran is an Assistant Professor in the Department of Computer Science at George Mason University. He graduated with his B.A. in Physics and Computer Science from the College of the Holy Cross in 2013, his M.S. in Computer Science from the College of William & Mary in 2015, and his P.hD. in Computer Science from the College of William & Mary in 2018 advised by Dr. Denys Poshyvanyk. His main research interests include software engineering, maintenance, and evolution with a focus on mobile platforms. Additionally, he explores applications of data mining and machine learning to software engineering problems.
no description available
no description available
In the mobile smartphone market, the Android system remains dominant. For example, Statista reports 86% of global smartphone shipments are for Android OS systems in 2022 and that number is expected to increase into at least 2023. In just 2021, Statista further reported almost 15 billion mobile devices being operated worldwide. With such an overwhelming majority of those devices being Android devices, Android apps are also ubiquitous and pervasive.
Besides this ubiquity, the nature of Android apps has evolved immensely such that they have become highly reliant on native code. Studies dating back 10 years demonstrate that only between around 4%-6% of Android apps at that time used native code. However, our recent study has shown that among the top 200 free apps on Google Play, the official Android market, 145 of them (72.50%) contain native libraries. Android apps include these third-party native libraries to increase performance and to reuse functionality. Native code is directly executed from apps through the Java Native Interface or the Android Native Development Kit. Android developers add precompiled native libraries to their projects, enabling their use. Unfortunately, developers often struggle or simply neglect to update these libraries in a timely manner. This results in the continuous use of outdated native libraries with unpatched security vulnerabilities years after patches became available.
To further understand such phenomena, we study the security updates in native libraries in the most popular 200 free apps on Google Play from Sept. 2013 to May 2020. A core difficulty we face in this study is the identification of libraries and their versions. Developers often rename or modify libraries, making their identification challenging. We created an approach called LibRARIAN (LibRAry veRsion IdentificAtioN) that accurately identifies native libraries and their versions as found in Android apps based on our novel similarity metric bin2sim. LibRARIAN leverages different features extracted from libraries based on their metadata and identifying strings in read-only sections. We discovered 53/200 popular apps (26.5%) with vulnerable versions with known CVEs between Sept. 2013 and May 2020, with 14 of those apps remaining vulnerable. We find that app developers took, on average, 528.71 days to apply security patches, while library developers release a security patch after 54.59 days - a 10 times slower rate of update.
After presenting this work, I will elaborate on steps my research group and other research groups have taken toward analyzing native code in more depth, the challenges that exist, and possible paths forward.
no description available
I am a PhD student in the Specification and Modelling of Software Systems research group at the Paderborn University in Germany. My research focuses on cooperative (static and dynamic) Android app analysis.
Links
- Work: https://homepages.uni-paderborn.de/fpauck
- Personal: http://www.FelixPauck.de
- Github: https://github.com/FoelliX
Tool Demonstrations
Tue 11 Oct 2022 10:00 - 10:30 at Ballroom A - Tool Poster Session 1Many organizations seek to increase their agility in order to deliver more timely and competitive products. However, in safety-critical systems such as medical devices, autonomous vehicles, or factory floor robots, the release of new features has the potential to introduce hazards that potentially lead to runtime failures that impact software safety. As a result, many projects suffer from a phenomenon referred to as the `big freeze’. SAFA is designed to address this challenge. It uses cutting-edge deep-learning solutions to generate trees of requirements, design, code, tests, and other artifacts, in order to visually depict how hazards are mitigated in the system, and then generates warnings when key artifacts are missing. It uses a combination of colors, annotations, and recommendations to dynamically visualize change across software versions, and augments safety cases with visual annotations to aid users in detecting and analyzing potentially adverse impacts of change upon system safety. A link to our tool demo can be found at https://www.youtube.com/watch?v=r-CwxerbSVA.
Research Papers
Thu 13 Oct 2022 13:40 - 14:00 at Room 128 - Technical Session 28 - Safety-Critical and Self-Adaptive Systems Chair(s): Eunsuk Kang Carnegie Mellon UniversityAutonomous Driving Systems (ADSs) are safety-critical, and must be fully tested before being deployed on real-world roads. To comprehensively evaluate the performance of ADSs, it is essential to generate various safety-critical scenarios. Most of existing studies assess ADSs either by searching high dimensional input space, or using simple and pre-defined test scenarios, which are not efficient or not adequate. To better test ADSs, this paper proposes to automatically generate safety-critical test scenarios for ADSs by influential behavior patterns, which are mined from real traffic trajectories. Based on influential behavior patterns, a novel scenario generation technique, CRISCO, is presented to generate safety-critical scenarios for ADSs testing. CRISCO assigns participants to perform influential behavior patterns to challenge the ADS. It generates diverse test scenarios by solving a group of trajectory constraints, and improves the challenge of those non-critical scenarios by adding participants’ behavior from influential behavior patterns incrementally. We demonstrate CRISCO on an industrial-grade full-stack ADS platform, Baidu Apollo. The experiment results show that our approach can effectively and efficiently generate safety-critical scenarios to crash ADS, and it exposes 13 distinct types of safety violations in 12 hours. It also outperforms two state-of-art ADS testing techniques by exposing more 5 distinct types of safety violations on the same road.
Research Papers
Thu 13 Oct 2022 14:00 - 14:20 at Room 128 - Technical Session 28 - Safety-Critical and Self-Adaptive Systems Chair(s): Eunsuk Kang Carnegie Mellon UniversityScene graph generation takes a camera image and derives a graph representation of key objects in the image and their relations. This core computer vision task is often used in autonomous driving, where traditional software and machine learning (ML) components are used in tandem. However, in such a safety-critical context, valid scene graphs can be further restricted by consistency constraints captured by domain or safety experts. However, existing ML approaches for scene graph generation focus exclusively on relational-level accuracy but provide little to no guarantee that consistency constraints are satisfied in the generated scene graphs. In this paper, we aim to complement existing ML-based approaches by a post-processing step using constraint optimization over probabilistic scene graphs that can (1) guarantee that no consistency constraints are violated and (2) improve the overall accuracy of the generated scene graphs by fixing constraint violations. We evaluate the effectiveness of our approach using well-known, and novel metrics in the context of two popular ML datasets augmented with consistency constraints and two ML-based scene graph generation approaches as baselines.
Industry Showcase
Thu 13 Oct 2022 14:20 - 14:40 at Room 128 - Technical Session 28 - Safety-Critical and Self-Adaptive Systems Chair(s): Eunsuk Kang Carnegie Mellon UniversityMost industrial processes in real-world manufacturing applications are characterized by the scalability property, which requires an automated strategy to self-adapt machine learning (ML) software systems to the new conditions. In this paper, we investigate an Electroslag Remelting (ESR) use case process from the Uddeholms AB steel company. The use case involves predicting the minimum pressure value for a vacuum pumping event. Taking into account the long time required to collect new records and efficiently integrate the new machines with the built ML software system. Additionally, to accommodate the changes and satisfy the non-functional requirement of the software system, namely adaptability, we propose an automated and adaptive approach based on a drift handling technique called importance weighting. The aim is to address the problem of adding a new furnace to production and enable the adaptability attribute of the ML software. The overall results demonstrate the improvements in ML software performance achieved by implementing the proposed approach over the classical non-adaptive approach.
Pre-printLate Breaking Results
Thu 13 Oct 2022 14:40 - 14:50 at Room 128 - Technical Session 28 - Safety-Critical and Self-Adaptive Systems Chair(s): Eunsuk Kang Carnegie Mellon UniversityAutonomous Driving Systems (ADS) require extensive evaluation of safety before they can come onto the market. However, since relying solely on field testing is practically infeasible due to the impossibility to cover sufficient distances to ensure adequate safety, the focus shifted to scenario-based testing. In this paper, we proposed Scenario Modeling Language for Autonomous Driving (SML4ADS) as a Domain-Specific Modeling Language (DSML) for scenario representation and generation. Compared to other existing works, our approach simplifies the description of scenarios in a non-programming, user-friendly manner, allows modeling the uncertain behavior of vehicles in a scenario and generating executable scenario in CARLA. We apply SML4ADS in numerous typical scenarios to preliminarily demonstrate the effectiveness and feasibility of our approach in modeling and generating executable scenarios.
NIER Track
Thu 13 Oct 2022 14:50 - 15:00 at Room 128 - Technical Session 28 - Safety-Critical and Self-Adaptive Systems Chair(s): Eunsuk Kang Carnegie Mellon UniversitySelf-adaptive systems increasingly rely on machine learning techniques as black-box models to make decisions even when the target world of interest includes uncertainty and unknowns. Because of the lack of transparency, adaptation decisions, as well as their effect on the world, are hard to explain. This often hinders the ability to trace unsuccessful adaptations back to understandable root causes. In this paper, we introduce our vision of explainable self-adaptation. We demonstrate our vision by instantiating our ideas on a running example in the robotics domain and by showing an automated proof-of-concept process providing human-understandable explanations for successful and unsuccessful adaptations in critical scenarios.
File AttachedIndustry Showcase
Thu 13 Oct 2022 15:00 - 15:20 at Room 128 - Technical Session 28 - Safety-Critical and Self-Adaptive Systems Chair(s): Eunsuk Kang Carnegie Mellon UniversityPresence monitoring or intrusion detection in a location/are are examples of \textit{decision-support applications}, i.e., applications where monitoring is used to collect (heterogeneous) data and create situational awareness, which furthers require decisions and/or actions.
As such, \textit{decision-support software} consists of different interconnected components with very diverse roles, whose communication and synchronization are essential for the application functionality and performance. Despite this complexity, software design for decision-support is often driven by short-term functional requirements and only supported by designers’ previous experience. In the current non-systematic approach, mistakes can be easily made, and can be very difficult to repair.
In this work, we describe our \textit{systematic method for efficient and effective decision-support software design}, based on application design-space exploration (DSE). To this end, we describe how to build a design space and present structured methods to traverse the design space towards software solutions that meet user requirements for \textit{both} functionality and performance.
Research Papers
Thu 13 Oct 2022 16:00 - 16:20 at Room 128 - Technical Session 30 - Builds and Dependencies Chair(s): Christian Kästner Carnegie Mellon UniversityThird-party libraries (TPLs) are frequently reused in software to reduce development cost and the time-to-market. However, exter- nal library dependencies may introduce vulnerabilities into host applications. The issue of library dependency has received consid- erable critical attention. Many package managers like Maven, Pip, NPM are proposed to manage TPLs, and there has been a lot of effort put into studying dependencies in language ecosystem like Java, Python, JavaScript except C/C++. Due to the lack of a unified package manager for C/C++, existing research has only a few un- derstanding of TPL dependency in C/C++ ecosystem, especially at large-scale.
Towards Understanding TPL dependencies in C/C++ ecosystem, we collect existing TPL databases, package management tools and dependency detection tools, summarize the dependency patterns of C/C++ projects, and construct a comprehensive and precise C/C++ dependency detector. Using our detector, we extract dependencies from a large-scale database containing 24K C/C++ repositories from GitHub. Based on the extracted dependencies, we provide the results and findings of an empirical study aimed at understanding the characteristics of the TPL dependencies. We further discuss the challenges to manage dependency for C/C++ and the future directions for software engineering researchers and developers in fields of software composition analysis, C/C++ package manager and library development. Our dataset of extracted dependencies used in this work are anonymously available at url:
Tool Demonstrations
Tue 11 Oct 2022 10:00 - 10:30 at Ballroom A - Tool Poster Session 1Software metrics capture information about software development products and processes. These metrics support decision-making, e.g., in team management or dependency selection. However, existing metrics tools measure only a snapshot of a software project. Little attention has been given to enabling engineers to reason about metric trends over time—longitudinal metrics that give insight about process, not just product. In this work, we present PRIME (PRocess Internal MEtrics), a tool for computing and visualizing process metrics. The currently-supported metrics include productivity, issue density, issue spoilage, and bus factor. We illustrate the value of longitudinal data and conclude with a research agenda. The demo video can be found at https://youtu.be/YigEHy3_JCo. The source code can be found at https://github.com/SoftwareSystemsLaboratory/prime.
Research Papers
Thu 13 Oct 2022 16:30 - 16:50 at Room 128 - Technical Session 30 - Builds and Dependencies Chair(s): Christian Kästner Carnegie Mellon UniversityModern software systems are often built by leveraging code written by others in the form of libraries and packages to accelerate their development. While there are many benefits to using third-party packages, software projects often become dependent on a large number of software packages. Consequently, developers are faced with the difficult challenge of maintaining their project dependencies by keeping them up-to-date and free of security vulnerabilities. However, how often are project dependencies used in production where they could pose a threat to their project’s security?
We conduct an empirical study on 100 JavaScript projects using the Node Package Manager (npm) to quantify how often project dependencies are released to production and analyze their characteristics and their impact on security. Our results indicate that most project dependencies are not released to production. In fact, the majority of dependencies declared as runtime dependencies are not used in production, while some development dependencies are used in production, debunking two common assumptions of dependency management. Our analysis reveals that the functionality of a package is not enough to determine if it will be shipped to production or not. Findings also indicate that most security alerts target dependencies not used in production, making them highly unlikely to be a risk for the security of the software. Our study unveils a more complex side of dependency management: not all dependencies are equal. Dependencies used in production are more sensitive to security exposure and should be prioritized. However, current tools lack the appropriate support in identifying production dependencies.
Research Papers
Thu 13 Oct 2022 16:50 - 17:10 at Room 128 - Technical Session 30 - Builds and Dependencies Chair(s): Christian Kästner Carnegie Mellon UniversityDocker building is a critical component of containerized workflow, which automates the process by which sources are packaged and transformed into container images. If not run properly, Docker builds can bring long durations (i.e., slow builds), which increases the cost in human and computing resources, and thus inevitably affect the software development. However, the current status and remedy for the duration cost in Docker builds remain unclear and need an in-depth study. To fill this gap, this paper provides the first empirical investigation on 171,439 Docker builds from 5,833 open source software (OSS) projects. Starting with an exploratory study, the Docker build durations can be characterized in real-world projects, and the developers’ perceptions of slow builds are obtained via a comprehensive survey. Driven by the results of our exploratory study, we propose a prediction modeling of Docker build duration, leveraging 27 handcrafted features from build-related context and configuration and 8 regression algorithms for the prediction task. Our results demonstrate that Random Forest provides the superior performance with a Spearman’s correlation of 0.781, outperforming the baseline random model by 82.9% in RMSE, and 90.6% in MAE, respectively. The implications of this study will facilitate research and assist practitioners in improving the Docker build process.
Journal-first Papers
Thu 13 Oct 2022 17:10 - 17:30 at Room 128 - Technical Session 30 - Builds and Dependencies Chair(s): Christian Kästner Carnegie Mellon UniversityIn this work, we introduce an approach, called CIT-daily, which integrates combinatorial interaction testing (CIT) with the daily build processes to systematically test the interactions between the factors/parameters affecting the system’s behaviors, on a daily basis. We also develop a number of CIT-daily strategies and empirically evaluate them on highly-configurable systems. The first strategy tests the same t-way covering array every day throughout the process, achieving a t-way coverage on a daily basis by covering each possible combination of option settings for every combination of t options. The other strategies, on the other hand, while guaranteeing a t-way coverage on a daily basis, aim to cover higher order interactions between the configuration options over time by varying the t-way covering arrays tested. In the experiments, we observed that the proposed approach significantly improved the effectiveness (i.e., fault revealing abilities) of the daily build processes; randomizing the coverage of higher order interactions between the configuration options while guaranteeing a base $t$-way coverage every day, further improved the effectiveness; and the more the higher order interactions covered during the process, the higher the fault revealing abilities tended to be.
Link to publication DOIResearch Papers
Thu 13 Oct 2022 17:30 - 17:50 at Room 128 - Technical Session 30 - Builds and Dependencies Chair(s): Christian Kästner Carnegie Mellon UniversityTraceability establishes trace links among software artifacts (e.g., requirements and code) based on whether two artifacts relate to the same part of system functionalities. These trace links are valuable for software development process, but are difficult to obtain manually. To cope with the costly and fallible manual recovery, researchers proposed many automated approaches that help to recover trace links through the textual similarities among software artifacts, such as approaches based on Information Retrieval (IR). However, the low quality and the low quantity of artifact texts negatively impact the calculated textual similarities, thus greatly hindering the performance of IR-based approaches. In this study, we propose to extract co-occurred word pairs from the text structures of both requirements and code (i.e., consensual biterms) to improve IR-based traceability recovery. Specifically, we first collect a set of biterms based on the part-of-speech of requirement texts, and then filter them through the code texts. We then use these consensual biterms to both enrich the input corpus for IR techniques and enhance the calculations of IR values. An empirical evaluation based on nine real-world systems shows that our approach can not only outperform baseline approaches, but also achieve a significant complementary effect with other enhancing strategies from different perspectives.
Pre-print