static code analysis
Recently Published Documents

TOTAL DOCUMENTS: 134 (FIVE YEARS 46)
H-INDEX: 12 (FIVE YEARS 2)

2022 ◽  
pp. 524-549
Author(s):  
Nathalia da Cruz Alves ◽  
Christiane Gresse von Wangenheim ◽  
Jean C. R. Hauck ◽  
Adriano F. Borgatto

As computer science education makes its way into schools, diverse initiatives worldwide promote computer science education in K-12, often focusing on teaching algorithms and programming with block-based programming languages such as Scratch or App Inventor. However, alternatives to assess the learning of computer science concepts on this educational stage are still scarce. This chapter presents an automated rubric for assessing algorithms and programming concepts of App Inventor projects at middle school level. The assessment is based on a rubric proposed in alignment with the K-12 Computer Science Framework with satisfactory reliability and validity. The rubric has been automated through a web-based system that allows assessing App Inventor projects through static code analysis. As a result, it can support computer science education in practice providing feedback to students and teachers.


2021 ◽  
Vol 24 (4) ◽  
pp. 1-31
Author(s):  
Luca Demetrio ◽  
Scott E. Coull ◽  
Battista Biggio ◽  
Giovanni Lagorio ◽  
Alessandro Armando ◽  
...  

Recent work has shown that adversarial Windows malware samples—referred to as adversarial EXEmples in this article—can bypass machine learning-based detection relying on static code analysis by perturbing relatively few input bytes. To preserve malicious functionality, previous attacks either add bytes to existing non-functional areas of the file, potentially limiting their effectiveness, or require running computationally demanding validation steps to discard malware variants that do not correctly execute in sandbox environments. In this work, we overcome these limitations by developing a unifying framework that not only encompasses and generalizes previous attacks against machine-learning models, but also includes three novel attacks based on practical, functionality-preserving manipulations to the Windows Portable Executable file format. These attacks, named Full DOS, Extend, and Shift, inject the adversarial payload by respectively manipulating the DOS header, extending it, and shifting the content of the first section. Our experimental results show that these attacks outperform existing ones in both white-box and black-box scenarios, achieving a better tradeoff in terms of evasion rate and size of the injected payload, while also enabling evasion of models that have been shown to be robust to previous attacks. To facilitate reproducibility of our findings, we open source our framework and all the corresponding attack implementations as part of the secml-malware Python library. We conclude this work by discussing the limitations of current machine learning-based malware detectors, along with potential mitigation strategies based on embedding domain knowledge coming from subject-matter experts directly into the learning process.


2021 ◽  
Vol 38 (1) ◽  
pp. 159-168
Author(s):  
SIMONA MOTOGNA ◽  
DIANA CRISTEA ◽  
DIANA ȘOTROPA MOLNAR ◽  
...  

Tools that focus on static code analysis for early error detection are of utmost importance in software development, especially since the propagation of errors is strongly related to higher costs in the development process. Formal Concept Analysis is a prominent field of applied mathematics that uses conceptual landscapes to discover and represent maximal clusters of data. Its expressive visualization method makes it suitable for exploratory analyses in different fields. In this paper we present a Formal Concept Analysis framework for static code analysis that can serve as a model for quantitative and qualitative exploration and interpretation of such results.


Entropy ◽  
2021 ◽  
Vol 23 (11) ◽  
pp. 1489
Author(s):  
Guangwu Hu ◽  
Bin Zhang ◽  
Xi Xiao ◽  
Weizhe Zhang ◽  
Long Liao ◽  
...  

Insecure applications (apps) are increasingly used to steal users’ location information for illegal purposes, which has aroused great concern in recent years. Although the existing methods, i.e., static and dynamic taint analysis, which mainly rely on statically analyzing source code or dynamically monitoring the location data flow, have shown great merit for identifying such apps, identification accuracy is still under research, since the analysis results contain a certain false positive or true negative rate. In order to improve the accuracy and reduce the misjudging rate in the process of vetting suspicious apps, this paper proposes SAMLDroid, a combined method of static code analysis and machine learning for identifying Android apps with location privacy leakage, which can effectively improve the identification rate compared with existing methods. SAMLDroid first uses static analysis to scrutinize source code to investigate apps with location acquiring intentions. Then it exploits a well-trained classifier and integrates an app’s multiple features to dynamically analyze the pattern and deliver the final verdict about the app’s property. Finally, experiments show that the accuracy rate of SAMLDroid is up to 98.4%, which is nearly 20% higher than Apparecium.


2021 ◽  
Author(s):  
Christian Banse ◽  
Immanuel Kunz ◽  
Angelika Schneider ◽  
Konrad Weiss

2021 ◽  
Vol 1163 (1) ◽  
pp. 012012
Author(s):  
Darko Stefanović ◽  
Danilo Nikolić ◽  
Sara Havzi ◽  
Teodora Lolić ◽  
Dušanka Dakić
