DOCSLIB.ORG

Understanding the Reproducibility of Crowd- Reported Security

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Understanding the Reproducibility of Crowd- Reported Security Understanding the Reproducibility of Crowd- reported Security Vulnerabilities Dongliang Mu, Nanjing University; Alejandro Cuevas, The Pennsylvania State University; Limin Yang and Hang Hu, Virginia Tech; Xinyu Xing, The Pennsylvania State University; Bing Mao, Nanjing University; Gang Wang, Virginia Tech https://www.usenix.org/conference/usenixsecurity18/presentation/mu This paper is included in the Proceedings of the 27th USENIX Security Symposium. August 15–17, 2018 • Baltimore, MD, USA ISBN 978-1-939133-04-5 Open access to the Proceedings of the 27th USENIX Security Symposium is sponsored by USENIX. Understanding the Reproducibility of Crowd-reported Security Vulnerabilities †‡Dongliang Mu,∗ ‡Alejandro Cuevas, §Limin Yang, §Hang Hu ‡Xinyu Xing, †Bing Mao, §Gang Wang †National Key Laboratory for Novel Software Technology, Nanjing University, China ‡College of Information Sciences and Technology, The Pennsylvania State University, USA §Department of Computer Science, Virginia Tech, USA [email protected], [email protected], fliminyang, [email protected], [email protected], [email protected], [email protected] Abstract 1 Introduction Security vulnerabilities in software systems are posing a Today’s software systems are increasingly relying on the serious threat to users, organizations and even nations. In “power of the crowd” to identify new security vulnera- 2017, unpatched vulnerabilities allowed the WannaCry bilities. And yet, it is not well understood how repro- ransomware cryptoworm to shutdown more than 300,000 ducible the crowd-reported vulnerabilities are. In this computers around the globe [24]. Around the same time, paper, we perform the first empirical analysis on a wide another vulnerability in Equifax’s Apache servers led to range of real-world security vulnerabilities (368 in total) a devastating data breach that exposed half of the Amer- with the goal of quantifying their reproducibility. Fol- ican population’s Social Security Numbers [48]. lowing a carefully controlled workflow, we organize a Identifying security vulnerabilities has been increas- focused group of security analysts to carry out reproduc- ingly challenging. Due to the high complexity of mod- tion experiments. With 3600 man-hours spent, we ob- ern software, it is no longer feasible for in-house teams tain quantitative evidence on the prevalence of missing to identify all possible vulnerabilities before a software information in vulnerability reports and the low repro- release. Consequently, an increasing number of soft- ducibility of the vulnerabilities. We find that relying on a ware vendors have begun to rely on “the power of the single vulnerability report from a popular security forum crowd” for vulnerability identification. Today, anyone is generally difficult to succeed due to the incomplete on the Internet (e.g., white hat hackers, security analysts, information. By widely crowdsourcing the information and even regular software users) can identify and report a gathering, security analysts could increase the reproduc- vulnerability. Companies such as Google and Microsoft tion success rate, but still face key challenges to trou- are spending millions of dollars on their “bug bounty” bleshoot the non-reproducible cases. To further explore programs to reward vulnerability reporters [38, 54, 41]. solutions, we surveyed hackers, researchers, and engi- To further raise community awareness, the reporter may neers who have extensive domain expertise in software obtain a Common Vulnerabilities and Exposures (CVE) security (N=43). Going beyond Internet-scale crowd- ID, and archive the entry in various online vulnerability sourcing, we find that, security professionals heavily rely databases. As of December 2017, the CVE website has on manual debugging and speculative guessing to infer archived more than 95,000 security vulnerabilities. the missed information. Our result suggests that there is Despite the large number of crowd-reported vulnera- not only a necessity to overhaul the way a security fo- bilities, there is still a major gap between vulnerability rum collects vulnerability reports, but also a need for au- reporting and vulnerability patching. Recent measure- tomated mechanisms to collect information commonly ments show that it takes a long time, sometimes multiple missing in a report. years, for a vulnerability to be patched after the initial report [43]. In addition to the lack of awareness, anec- dotal evidence also asserts the poor quality of crowd- sourced reports. For example, a Facebook user once ∗Work was done while visiting The Pennsylvania State University. identified a vulnerability that allowed attackers to post USENIX Association 27th USENIX Security Symposium 919 messages onto anyone’s timeline. However, the initial ably large. For example, prior works have used reported report had been ignored by Facebook engineers due to vulnerabilities to benchmark their vulnerability detection “lack of enough details to reproduce the vulnerability”, and patching tools. Most datasets are limited to less than until the Facebook CEO’s timeline was hacked [18]. 10 vulnerabilities [39, 29, 40, 46, 25], or at the scale of As more vulnerabilities are reported by the crowd, the tens [55, 56, 27, 42], due to the significant manual efforts reproducibility of the vulnerability becomes critical for needed to build ground truth data. software vendors to quickly locate and patch the prob- We have a number of key observations. First, in- lem. Unfortunately, a non-reproducible vulnerability is dividual vulnerability reports from popular security fo- more likely to be ignored [53], leaving the affected sys- rums have an extremely low success rate of reproduction tem vulnerable. So far, related research efforts have pri- (4.5% – 43.8%) caused by missing information. Second, marily focused on vulnerability notifications, and gener- a “crowdsourcing” approach that aggregates information ating security patches [26, 35, 43, 45]. The vulnerability from all possible references help to recover some but not reproduction, as a critical early step for risk mitigation, all of the missed fields. After information aggregation, has not been well understood. 95.1% of the 368 vulnerabilities still missed at least one In this paper, we bridge the gap by conducting the required information field. Third, it is not always the first in-depth empirical analysis on the reproducibility most commonly missed information that foiled the re- of crowd-reported vulnerabilities. We develop a series production. Most reports did not include details on soft- of experiments to assess the usability of the information ware installation options and configurations (87%+), or provided by the reporters by actually attempting to re- the affected operating system (OS) (22.8%). While such produce the vulnerabilities. Our analysis seeks to answer information is often recoverable using “common sense” three specific questions. First, how reproducible are the knowledge, the real challenges arise when the vulner- reported vulnerabilities using only the provided informa- ability reports missed the Proof-of-Concept (PoC) files tion? Second, what factors have made certain vulnera- (11.7%) or, more often, the methods to trigger the vul- bilities difficult to reproduce? Third, what actions could nerability (26.4%). Based on the aggregated informa- software vendors (and the vulnerability reporters) take to tion and common sense knowledge, only 54.9% of the systematically improve the efficiency of reproduction? reported vulnerabilities can be reproduced. Recovering the missed information is even more chal- Assessing Reproducibility. The biggest challenge is lenging given the limited feedback on “why a system did that reproducing a vulnerability requires almost exclu- not crash”. To recover the missing information, we iden- sively manual efforts, and requires the “reproducer” to tified useful heuristics through extensive manual debug- have highly specialized knowledge and skill sets. It is ging and troubleshooting, which increased the reproduc- difficult for a study to achieve both depth and scale at tion rate to 95.9%. We find it helpful to prioritize test- the same time. To these ends, we prioritize depth while ing the information fields that are likely to require non- preserving a reasonable scale for generalizable results. standard configurations. We also observe useful correla- More specifically, we focus on memory error vulnerabil- tions between “similar” vulnerability reports, which can ities, which are ranked among the most dangerous soft- provide hints to reproduce the poorly documented ones. ware errors [7] and have caused significant real-world Despite these heuristics, we argue that significant man- impacts (e.g., Heartbleed, WannaCry). We organize a fo- ual efforts could have been saved if the reporting system cused group of highly experienced security researchers required a few mandated information fields. and conduct a series of controlled experiments to repro- duce the vulnerabilities based on the provided informa- Survey. To validate our observations, we surveyed tion. We carefully design a workflow so that the repro- external security professionals from both academia and 1 duction results reflect the value of the information in the industry . We received 43 valid responses from 10 dif- reports, rather than the analysts’ personal hacking skills. ferent institutions, including 2 industry labs, 6 academic groups and 2 Capture The Flag (CTF) teams. The survey Our experiments demanded 3600 man-hours to finish, results confirmed
Load more

Recommended publications
  • Reproducibility, Replicability, and Generalization in the Social, Behavioral, and Economic Sciences
    REPRODUCIBILITY, REPLICABILITY, AND GENERALIZATION IN THE SOCIAL, BEHAVIORAL, AND ECONOMIC SCIENCES Report of the Subcommittee on Replicability in Science of the SBE Advisory Committee to the National Science Foundation 13 May 2015 Presentation at SBE AC Spring Meeting by K. Bollen. Report of the Subcommittee on Replicability in Science Advisory Committee to the NSF SBE Directorate Subcommittee Members: Kenneth Bollen (University of North Carolina at Chapel Hill, Cochair) John T. Cacioppo (University of Chicago, Cochair) Robert M. Kaplan (Agency for Healthcare Research and Quality) Jon A. Krosnick (Stanford University) James L. Olds (George Mason University) Staff Assistance Heather Dean (National Science Foundation) TOPICS I. Background II. Subcommittee Report III. Definitions IV. Recommendations V. Final Comments Background • Spring, 2013 o NSF SBE Advisory Committee establishes subcommittee on how SBE can promote robust research practices • Summer & Fall 2013 o Subcommittee proposal for workshop on “Robust Research in the Social, Behavioral, and Economic Sciences.” • February 20-21, 2014 o Workshop convened o Participants drawn from variety of universities, funding agencies, scientific associations, and journals o Cover broad range of issues from extent and cause of problems to possible solutions o Details are in the appendix of the circulated report • Post-workshop period o Document & digest workshop content o Discuss and propose recommendations o Complete report Subcommittee Report • DEFINITIONS o No consensus in science on the meanings
    [Show full text]
  • Metabolic Sensor Governing Bacterial Virulence in Staphylococcus Aureus
    Metabolic sensor governing bacterial virulence in PNAS PLUS Staphylococcus aureus Yue Dinga, Xing Liub, Feifei Chena, Hongxia Dia, Bin Xua, Lu Zhouc, Xin Dengd,e, Min Wuf, Cai-Guang Yangb,1, and Lefu Lana,1 aDepartment of Molecular Pharmacology and bChinese Academy of Sciences Key Laboratory of Receptor Research, Shanghai Institute of Materia Medica, Chinese Academy of Sciences, Shanghai 201203, China; cDepartment of Medicinal Chemistry, School of Pharmacy, Fudan University, Shanghai 201203, China; dDepartment of Chemistry and eInstitute for Biophysical Dynamics, The University of Chicago, Chicago, IL 60637; and fDepartment of Basic Sciences University of North Dakota School of Medicine and Health Sciences, Grand Forks, ND 58203 Edited by Richard P. Novick, New York University School of Medicine, New York, NY, and approved October 14, 2014 (received for review June 13, 2014) An effective metabolism is essential to all living organisms, in- To survive and replicate efficiently in the host, S. aureus has cluding the important human pathogen Staphylococcus aureus.To developed exquisite mechanisms for scavenging nutrients and establish successful infection, S. aureus must scavenge nutrients adjusting its metabolism to maintain growth while also coping with and coordinate its metabolism for proliferation. Meanwhile, it also stress (6, 11). On the other hand, S. aureus produces a wide array must produce an array of virulence factors to interfere with host of virulence factors to evade host immune defenses and to derive defenses. However, the ways in which S. aureus ties its metabolic nutrition either parasitically or destructively from the host during state to its virulence regulation remain largely unknown. Here we infections (6).
    [Show full text]
  • Principles of Validation of Diagnostic Assays for Infectious Diseases1
    PRINCIPLES OF VALIDATION OF DIAGNOSTIC ASSAYS FOR INFECTIOUS DISEASES1 R. H. JACOBSON, New York State College of Veterinary Medicine, Cornell University, Ithaca, New York, USA Abstract PRINCIPLES OF VALIDATION OF DIAGNOSTIC ASSAYS FOR INFECTIOUS DISEASES. Assay validation requires a series of inter-related processes. Assay validation is an experimental process: reagents and protocols are optimized by experimentation to detect the analyte with accuracy and precision. Assay validation is a relative process: its diagnostic sensitivity and diagnostic specificity are calculated relative to test results obtained from reference animal populations of known infection/exposure status. Assay validation is a conditional process: classification of animals in the target population as infected or uninfected is conditional upon how well the reference animal population used to validate the assay represents the target population; accurate predictions of the infection status of animals from test results (PV+ and PV−) are conditional upon the estimated prevalence of disease/infection in the target population. Assay validation is an incremental process: confidence in the validity of an assay increases over time when use confirms that it is robust as demonstrated by accurate and precise results; the assay may also achieve increasing levels of validity as it is upgraded and extended by adding reference populations of known infection status. Assay validation is a continuous process: the assay remains valid only insofar as it continues to provide accurate and precise results as proven through statistical verification. Therefore, the work required for validation of diagnostic assays for infectious diseases does not end with a time-limited series of experiments based on a few reference samples rather, to assure valid test results from an assay requires constant vigilance and maintenance of the assay, along with reassessment of its performance characteristics for each unique population of animals to which it is applied.
    [Show full text]
  • New NIH Guidelines to Improve Experimental Rigor and Reproducibility
    New NIH guidelines to improve Experimental Rigor and Reproducibility Oswald Steward Professor, Department of Anatomy & Neurobiology Senior Associate Dean for Research University of California School of Medicine What I’ll tell you 1) Background: Increasing reports of failures to replicate 2) Previous actions by NIH to enhance rigor 3) New requirements for grants submitted after January 2016 4) What NIH will be looking for in new required sections 5) Some suggested best practices to meet new standards for scientific rigor • The Problem: Numerous recent reports of findings that can’t be replicated. Failure to replicate key results from preclinical cancer studies: 1) Prinz et al. (2011) Believe it or not: How much can we rely on published data on potential drug targets? Nature Reviews Drug Discovery. Inconsistencies were found in 2/3 studies 2) Begley and Ellis (2012) Raise standards for preclinical cancer research. Nature. Only 6/53 “landmark” papers replicated 3) Begley (2013) Six red flags for suspect work. Nature. -Were experiments performed blinded? -Were basic experiments repeated? -Were all the results presented? -Were there positive and negative controls? -Were reagents validated? -Were statistical tests appropriate? • In ALS field, Scott et al., (2008) re-assessed 70 drugs that had been reported to increase lifespan in an animal model of ALS (SOD1-G93A knockout mice). • 221 separate studies were carried out over a five year period that involved over 18,000 mice. • Some drugs were already in clinical trials. • Outcome: There was no statistically significant positive effect for any of the 70 compounds tested. • Conclusion: Previously published effects were measurements of noise in the distribution of survival means as opposed to an actual drug effect.
    [Show full text]
  • Studies of Staphylococcal Infections. I. Virulence of Staphy- Lococci and Characteristics of Infections in Embryonated Eggs * WILLIAM R
    Journal of Clinical Investigation Vol. 43, No. 11, 1964 Studies of Staphylococcal Infections. I. Virulence of Staphy- lococci and Characteristics of Infections in Embryonated Eggs * WILLIAM R. MCCABE t (From the Research Laboratory, West Side Veterans Administration Hospital, and the Department of Medicine, Research and Educational Hospitals, University of Illinois College of Medicine, Chicago, Ill.) Many of the determinants of the pathogenesis niques still require relatively large numbers of and course of staphylococcal infections remain staphylococci to produce infection (19). Fatal imprecisely defined (1, 2) despite their increas- systemic infections have been equally difficult to ing importance (3-10). Experimental infections produce in animals and have necessitated the in- in suitable laboratory animals have been of con- jection of 107 to 109 bacteria (20-23). A few siderable assistance in clarifying the role of host strains of staphylococci have been found that are defense mechanisms and specific bacterial virulence capable of producing lethal systemic infections factors with a variety of other infectious agents. with inocula of from 102 to 103 bacteria (24) and A sensitive experimental model would be of value have excited considerable interest (25-27). The in defining the importance of these factors in virulence of these strains apparently results from staphylococcal infections, but both humans and an unusual antigenic variation (27, 28) which, the usual laboratory animals are relatively re- despite its interest, is of doubtful significance in sistant. Extremely large numbers of staphylo- human staphylococcal infection, since such strains cocci are required to produce either local or sys- have been isolated only rarely from clinical in- temic infections experimentally.
    [Show full text]
  • On the Reproducibility of Meta-Analyses.Docx
    On the Reproducibility of Meta-Analyses 1 1 RUNNING HEAD: ON THE REPRODUCIBILITY OF META-ANALYSES 2 3 4 On the Reproducibility of Meta-Analyses: Six Practical Recommendations 5 6 Daniël Lakens 7 Eindhoven University of Technology 8 Joe Hilgard 9 University of Missouri - Columbia 10 Janneke Staaks 11 University of Amsterdam 12 13 In Press, BMC Psychology 14 15 Word Count: 6371 16 17 Keywords: Meta-Analysis; Reproducibility; Open Science; Reporting Guidelines 18 19 Author Note: Correspondence can be addressed to Daniël Lakens, Human Technology 20 Interaction Group, IPO 1.33, PO Box 513, 5600MB Eindhoven, The Netherlands. E-mail: 21 [email protected]. We would like to thank Bianca Kramer for feedback on a previous draft 22 of this manuscript. 23 24 Competing Interests: The authors declared that they had no competing interest with respect 25 to their authorship or the publication of this article. 26 27 Author Contributions: All authors contributed writing this manuscript. DL drafted the 28 manuscript, DL, JH, and JS revised the manuscript. All authors read and approved the final 29 manuscript. 30 31 Email Addresses: D. Lakens: [email protected] 32 Joe Hilgard: [email protected] 33 Janneke Staaks: [email protected] On the Reproducibility of Meta-Analyses 2 34 Abstract 35 Background 36 Meta-analyses play an important role in cumulative science by combining information 37 across multiple studies and attempting to provide effect size estimates corrected for 38 publication bias. Research on the reproducibility of meta-analyses reveals that errors are 39 common, and the percentage of effect size calculations that cannot be reproduced is much 40 higher than is desirable.
    [Show full text]
  • 10 Things to Know About Reproducibility and Replicability
    10 Things to Know About Reproducibility and Replicability One of the pathways by which the scientific community confirms the validity of a new scientific discovery is by repeating the research that produced it. When a scientific effort fails to independently confirm the computations or results of a previous study, some argue that such an observed inconsistency can be an important precursor to new discovery while others fear it may be a symptom of a lack of rigor in science. When a newly reported scientific study has far-reaching implications for science or a major, potential impact on the public, the question of its reliability takes on heightened importance. 1 The terms reproducibility and replicability take on 6 Not all studies can be replicated. While scientists are a range of meanings in contemporary usage. The report able to test for replicability of most studies, it is impossible to do distinguishes and defines the terms as follows: Reproducibility so for studies of ephemeral phenomena. means obtaining consistent results using the same input data, computational steps, methods, and conditions of analysis; it is synonymous with computational reproducibility. Replicability 7 One type of scientific research tool, statistical means obtaining consistent results across studies aimed at inference, has an outsized role in replicability discussions answering the same scientific question, each of which has due to the frequent misuse of statistics and the use of a obtained its own data. p-value threshold for determining “statistical significance.” Biases in published research can occur due to the excess reliance on and misunderstanding of statistical significance. 2 Reproducibility and replicability matter.
    [Show full text]
  • Lab Services Accuracy and Reproducibility
    Accuracy and Reproducibility ABOUT The Laboratory Services Committee of the American Thyroid Association® (ATA) conducted a survey of ATA® members to identify areas of member interest for education in pathology and laboratory medicine. In response to the results of the survey, the Lab Service Committee developed a series of educational materials to share with the ATA® membership. The topics below were ranked as high educational priorities amongst the membership. FIGURE 1A: FIGURE 1B: Single perfectly accurate result. Three inaccurate results that ACCURACY AND PRECISION are accurate on average WHAT ARE THE INDICATORS OF TEST RELIABILITY? The most commonly used descriptors of analytical performance for laboratories are accuracy and precision. Accuracy is the degree to which the test results approximate the value that would be obtained by a reference method, and precision is the reproducibility of test results among measurements, days, and operating conditions. The metrics of analytical performance are distinct from the metrics of clinical performance, which are focused on sensitivity, specificity, and predictive values. FIGURE 1C: Three perfectly precise but ACCURACY (TRUENESS) inaccurate results. A test method is said to be accurate when the values it produces are close to the values that are obtained from a reference method. Thus, PRECISION (REPEATABILITY) the concept of accuracy is highly dependent on the correct choice of The description of accuracy above demonstrates why this metric alone a reference method as all judgments of accuracy treat the reference is insufficient to characterize how a test performs. Three arrows shown method as truth; deviations from the reference method are therefore in (Figure 1B) are all very inaccurate, but they average to be accurate.
    [Show full text]
  • A Novel High Throughput, Parallel Infection Assay for Determining The
    viruses Article A Novel High Throughput, Parallel Infection Assay for Determining the Replication Capacities of 346 Primary HIV-1 Isolates of the Zurich Primary HIV-1 Infection Study in Primary Cells Audrey E. Rindler 1,2,3 , Herbert Kuster 1,2 , Kathrin Neumann 1,2 , Christine Leemann 1,2, Dominique L. Braun 1,2 , Karin J. Metzner 1,2,* and Huldrych F. Günthard 1,2,* 1 Division of Infectious Diseases and Hospital Epidemiology, University Hospital Zürich, 8091 Zürich, Switzerland; [email protected] (A.E.R.); [email protected] (H.K.); [email protected] (K.N.); [email protected] (C.L.); [email protected] (D.L.B.) 2 Institute of Medical Virology, University of Zürich, 8057 Zürich, Switzerland 3 Life Sciences Graduate School, University of Zürich, 8057 Zürich, Switzerland * Correspondence: [email protected] (K.J.M.); [email protected] (H.F.G.) Abstract: HIV-1 replication capacity is an important characteristic to understand the replication competence of single variants or virus populations. It can further aid in the understanding of HIV-1 pathogenicity, disease progression, and drug resistance mutations. To effectively study RC, many assays have been established. However, there is still demand for a high throughput replication capacity assay using primary cells which is robust and reproducible. In this study, we established Citation: Rindler, A.E.; Kuster, H.; such an assay and validated it using 346 primary HIV-1 isolates from patients enrolled in the Neumann, K.; Leemann, C.; Braun, Zurich Primary HIV Infection study (ZPHI) and two control viruses, HIV-1 JR-CSF and HIV-1 D.L.; Metzner, K.J.; Günthard, H.F.
    [Show full text]
  • 1 Maximizing the Reproducibility of Your Research Open
    1 Maximizing the Reproducibility of Your Research Open Science Collaboration1 Open Science Collaboration (in press). Maximizing the reproducibility of your research. In S. O. Lilienfeld & I. D. Waldman (Eds.), Psychological Science Under Scrutiny: Recent Challenges and Proposed Solutions. New York, NY: Wiley. Authors’ Note: Preparation of this chapter was supported by the Center for Open Science and by a Veni Grant (016.145.049) awarded to Hans IJzerman. Correspondence can be addressed to Brian Nosek, [email protected]. 1 Alexander A. Aarts, Nuenen, The Netherlands; Frank A. Bosco, Virginia Commonwealth University; Katherine S. Button, University of Bristol; Joshua Carp, Center for Open Science; Susann Fiedler, Max Planck Institut for Research on Collective Goods; James G. Field, Virginia Commonwealth University; Roger Giner-Sorolla, University of Kent; Hans IJzerman, Tilburg University; Melissa Lewis, Center for Open Science; Marcus Munafò, University of Bristol; Brian A. Nosek, University of Virginia; Jason M. Prenoveau, Loyola University Maryland; Jeffrey R. Spies, Center for Open Science 2 Commentators in this book and elsewhere describe evidence that modal scientific practices in design, analysis, and reporting are interfering with the credibility and veracity of the published literature (Begley & Ellis, 2012; Ioannidis, 2005; Miguel et al., 2014; Simmons, Nelson, & Simonsohn, 2011). The reproducibility of published findings is unknown (Open Science Collaboration, 2012a), but concern that is lower than desirable is widespread -
    [Show full text]
  • RCR Rigor and Reproducibility
    Responsible Conduct of Research Workshop Series, 2017-2018 Rigor and Reproducibility -­‐-­‐ March 1, 2018-­‐-­‐ Rigour or rigor (see spelling differences) describes a condition of stiffness or strictness. Rigour frequently refers to a process of adhering absolutely to certain constraints, or the practice of maintaining strict consistency with certain predefined parameters. Webster’s DicBonary accessed 2016 December Rigor Allende, J.. Rigor – The essence of scientific work. Electronic Journal of Biotechnolo gy, North America, 724 07 2012. Have you talked about rigor in your research group? 1. Yes 2. No. 3. Maybe Reproducibility is the ability of an entire experiment or study to be duplicated, either by the same researcher or by someone else working independently. Reproducing an experiment is called replicating it. Reproducibility is one of the main principles of the scientific method. But a new paper in Science Translational Medicine argues that the current movement to replicate results is crippled by a lack of agreement about the very nature of the word “replication” and its synonyms. hDps://www.statnews.com/2016/06/01/reproducibility-­‐ hDps://en.wikipedia.org/wiki/Reproducibility science/ Have you talked about reproducibility in your research group? 1. Yes 2. No. 3. Maybe I followed the m•thods In your paper to the last Well .... When did you do the experiment? On a Fr iday? detail..• This experl ment doesn't world Oooh.M that's why! It never works on Fridays! Anll 20t'> S !otTWTfS /' )A'J<~"' .,/r' Y.a'>... ..,.,,,.'SJ! ,P . .. ll ll a. l> i. l' ll 1' ID Rigor, Transparency and Reproducibility Carrie Dykes, PhD Research Engagement Specialist ' ' I C~ Al &'l'IJ A ' 'SLATIONAL sca1'cE ..;{u.
    [Show full text]
  • Companion Guidelines on Replication and Reproducibility in Education
    Companion Guidelines on Replication & Reproducibility in Education Research A Supplement to the Common Guidelines for Education Research and Development A Report from The National Science Foundation and The Institute of Education Sciences, U.S. Department of Education Nov 28, 2018 Introduction The Institute of Education Sciences (IES) and the National Science Foundation (NSF) jointly issued the Common Guidelines for Education Research and Development in 2013 to describe “shared understandings of the roles of various types of ‘genres’ of research in generating evidence about strategies and interventions for increasing student learning” (IES and NSF, 2013: 7). In the intervening period, the education research community and federal policymakers have been increasingly attentive to the role of, and factors that promote and inhibit, replication and reproducibility of research. In order to build a coherent body of work to inform evidence-based decision making, there is a need to increase the visibility and value of reproducibility and replication studies among education research stakeholders. The purpose of this companion to the Common Guidelines is to highlight the importance of these studies and provide crossagency guidance on the steps investigators are encouraged to take to promote corroboration, ensure the integrity of education research, and extend the evidence base. The companion begins with a brief overview of the central role of replication in the advancement of science, including definitions of key terminology for the purpose of establishing a common understanding of the concepts. The companion also addresses the challenges and implications of planning and conducting reproducibility and replication studies within education. Background and terminology Efforts to reproduce and replicate research findings are central to the accumulation of scientific knowledge that helps inform evidence-based decision making and policies.
    [Show full text]