-
Small Vision-Language Models: A Survey on Compact Architectures and Techniques
Authors: Nitesh Patnaik, Navdeep Nayak, Himani Bansal Agrawal, Moinak Chinmoy Khamaru, Gourav Bal, Saishree Smaranika Panda, Rishi Raj, Vishal Meena, Kartheek Vadlamani
Abstract:
The emergence of small vision-language models (sVLMs) marks a critical advancement in multimodal AI, enabling efficient processing of visual and textual data in resource-constrained environments. This survey offers a comprehensive exploration of sVLM development, presenting a taxonomy of architectures - transformer-based, mamba-based, and hybrid - that highlight innovations in compact design and computational efficiency. Techniques such as knowledge distillation, lightweight attention mechanisms, and modality pre-fusion are discussed as enablers of high performance with reduced resource requirements. Through an in-depth analysis of models like TinyGPT-V, MiniGPT-4, and VL-Mamba, we identify trade-offs between accuracy, efficiency, and scalability. Persistent challenges, including data biases and generalization to complex tasks, are critically examined, with proposed pathways for addressing them. By consolidating advancements in sVLMs, this work underscores their transformative potential for accessible AI, setting a foundation for future research into efficient multimodal systems.
Submitted 9 March, 2025;
originally announced March 2025.
-
Saltzer & Schroeder for 2030: Security engineering principles in a world of AI
Authors: Nikhil Patnaik, Joseph Hallett, Awais Rashid
Abstract:
Writing secure code is challenging and so it is expected that, following the release of code-generative AI tools, such as ChatGPT and GitHub Copilot, developers will use these tools to perform security tasks and use security APIs. However, is the code generated by ChatGPT secure? How would the everyday software or security engineer be able to tell?
As we approach the next decade we expect a greater adoption of code-generative AI tools and to see developers use them to write secure code. In preparation for this, we need to ensure security-by-design. In this paper, we look back in time to Saltzer & Schroeder's security design principles as they will need to evolve and adapt to the challenges that come with a world of AI-generated code.
Submitted 8 July, 2024;
originally announced July 2024.
-
Using AI Assistants in Software Development: A Qualitative Study on Security Practices and Concerns
Authors: Jan H. Klemmer, Stefan Albert Horstmann, Nikhil Patnaik, Cordelia Ludden, Cordell Burton Jr., Carson Powers, Fabio Massacci, Akond Rahman, Daniel Votipka, Heather Richter Lipford, Awais Rashid, Alena Naiakshina, Sascha Fahl
Abstract:
Following the recent release of AI assistants, such as OpenAI's ChatGPT and GitHub Copilot, the software industry quickly utilized these tools for software development tasks, e.g., generating code or consulting AI for advice. While recent research has demonstrated that AI-generated code can contain security issues, how software professionals balance AI assistant usage and security remains unclear. This paper investigates how software professionals use AI assistants in secure software development, what security implications and considerations arise, and what impact they foresee on secure software development. We conducted 27 semi-structured interviews with software professionals, including software engineers, team leads, and security testers. We also reviewed 190 relevant Reddit posts and comments to gain insights into the current discourse surrounding AI assistants for software development. Our analysis of the interviews and Reddit posts finds that despite many security and quality concerns, participants widely use AI assistants for security-critical tasks, e.g., code generation, threat modeling, and vulnerability detection. Their overall mistrust leads to checking AI suggestions in similar ways to human code, although they expect improvements and, therefore, a heavier use for security tasks in the future. We conclude with recommendations for software professionals to critically check AI suggestions, AI creators to improve suggestion security and capabilities for ethical security tasks, and academic researchers to consider general-purpose AI in software development.
Submitted 14 October, 2024; v1 submitted 10 May, 2024;
originally announced May 2024.
-
Risk-aware stochastic control of a sailboat
Authors: MingYi Wang, Natasha Patnaik, Anne Somalwar, Jingyi Wu, Alexander Vladimirsky
Abstract:
Sailboat path-planning is a natural hybrid control problem (due to continuous steering and occasional "tack-switching" maneuvers), with the actual path-to-target greatly affected by stochastically evolving wind conditions. Previous studies have focused on finding risk-neutral policies that minimize the expected time of arrival. In contrast, we present a robust control approach, which maximizes the probability of arriving before a specified deadline/threshold. Our numerical method recovers the optimal risk-aware (and threshold-specific) policies for all initial sailboat positions and a broad range of thresholds simultaneously. This is accomplished by solving two quasi-variational inequalities based on second-order Hamilton-Jacobi-Bellman (HJB) PDEs with degenerate parabolicity. Monte-Carlo simulations show that risk-awareness in sailing is particularly useful when a carefully calculated bet on the evolving wind direction might yield a reduction in the number of tack-switches.
Submitted 23 September, 2023;
originally announced September 2023.
-
Towards Equitable Privacy
Authors: Kopo M. Ramokapane, Lizzie Coles-Kemp, Nikhil Patnaik, Rui Huan, Nirav Ajmeri, Genevieve Liveley, Awais Rashid
Abstract:
Ensuring equitable privacy experiences remains a challenge, especially for marginalised and vulnerable populations (MVPs) who often hesitate to participate or use digital services due to concerns about the privacy of their sensitive information. In response, security research has emphasised the importance of inclusive security and privacy practices to facilitate meaningful engagement of MVPs online. However, research in this area is still in its early stages, with other MVPs yet to be considered (such as low-income groups, and refugees), novel engagement methods yet to be explored, and limited support for software developers in building applications and services for MVPs. In 2022, we initiated a UK Research Council funded Equitable Privacy project to address these gaps. Our goal is to prioritise the privacy needs and requirements of MVPs in the design and development of software applications and services.
We design and implement a new participatory research approach -- community studybeds -- in collaboration with third-sector organisations that support MVPs to identify and tackle the challenges these groups encounter. In this paper, we share the initial reflections and experiences of the Equitable Privacy project, particularly emphasising the utilisation of our community studybeds.
Submitted 28 July, 2023;
originally announced August 2023.
-
Don't forget your classics: Systematizing 45 years of Ancestry for Security API Usability Recommendations
Authors: Nikhil Patnaik, Andrew C. Dwyer, Joseph Hallett, Awais Rashid
Abstract:
Producing secure software is challenging. The poor usability of security APIs makes this even harder. Many recommendations have been proposed to support developers by improving the usability of cryptography libraries and APIs; rooted in wider best practice guidance in software engineering and API design. In this SLR, we systematize knowledge regarding these recommendations.
We identify and analyze 65 papers spanning 45 years, offering a total of 883 recommendations. We undertake a thematic analysis to identify 7 core ways to improve usability of APIs. We find that most of the recommendations focus on helping API developers to construct and structure their code and make it more usable and easier for programmers to understand. There is less focus, however, on documentation, writing requirements, code quality assessment and the impact of organizational software development practices. By tracing and analyzing paper ancestry, we map how this knowledge becomes validated and translated over time. We find evidence that less than a quarter of all API usability recommendations are empirically validated, and that recommendations specific to usable security APIs lag even further behind in this regard.
Submitted 5 May, 2021;
originally announced May 2021.
-
"Do this! Do that!, And nothing will happen" Do specifications lead to securely stored passwords?
Authors: Joseph Hallett, Nikhil Patnaik, Benjamin Shreeve, Awais Rashid
Abstract:
Does the act of writing a specification (how the code should behave) for a piece of security sensitive code lead to developers producing more secure code? We asked 138 developers to write a snippet of code to store a password: Half of them were asked to write down a specification of how the code should behave before writing the program, the other half were asked to write the code but without being prompted to write a specification first. We find that explicitly prompting developers to write a specification has a small positive effect on the security of password storage approaches implemented. However, developers often fail to store passwords securely, despite claiming to be confident and knowledgeable in their approaches, and despite considering an appropriate range of threats. We find a need for developer-centered usable mechanisms for telling developers how to store passwords: lists of what they must do are not working.
Submitted 19 February, 2021;
originally announced February 2021.