Obfuscating Java Programs by Translating Selected Portions of Bytecode to Native Libraries
Code obfuscation is a popular approach to make program comprehension and analysis harder, with the aim of mitigating threats related to malicious reverse engineering and code tampering. However, programming languages that compile to high-level bytecode (e.g., Java) can be obfuscated only to a limited extent. In fact, high-level bytecode still contains high-level information that an attacker might exploit.
In order to enable more resilient obfuscations, part of these programs might be implemented in programming languages (e.g., C) that compile to low-level, machine-dependent code. In fact, machine code contains and leaks less high-level information, and it enables more resilient obfuscations.
In this paper, we present an approach to automatically translate critical sections of high-level Java bytecode to C code, so that more effective obfuscations can be applied. Moreover, a developer can still work with a single programming language, i.e., Java.
A large study on the effect of code obfuscation on the quality of Java code
Context: Obfuscation is a common technique used to protect software against malicious reverse engineering. Obfuscators manipulate the source code to make it harder to analyze and more difficult to understand for the attacker. Although different obfuscation algorithms and implementations are available, they have never been directly compared in a large scale study.
Aim: This paper aims at evaluating and quantifying the effect of several different obfuscation implementations (both open source and commercial), to help developers and project managers to decide which algorithms to use.
Method: In this study we applied 44 obfuscations to 18 subject applications covering a total of 4 million lines of code. The effectiveness of these source code obfuscations has been measured using 10 code metrics, considering modularity, size and complexity of code.
Results: Results show that some of the considered obfuscations are effective in making code metrics change substantially from original to obfuscated code, although this change (called potency of the obfuscation) differs across metrics. In the paper we recommend which obfuscations to select, given the security requirements of the software to be protected.
Hypertesting of Programs: Theoretical Foundation and Automated Test Generation
Hyperproperties are used to define correctness requirements that involve relations between multiple program executions. This makes it possible, for instance, to model security and concurrency requirements, which cannot be expressed by means of trace properties. In this paper, we propose a novel systematic approach for automated testing of hyperproperties. Our contribution is both foundational and practical. On the foundational side, we define a hypertesting framework, which includes a novel hypercoverage adequacy criterion designed to guide the synthesis of test cases for hyperproperties. On the practical side, we instantiate this framework by implementing HyperFuzz and HyperEvo, two test generators targeting the Non-Interference security requirement, which rely respectively on fuzzing and search algorithms. Experimental results show that the proposed hypercoverage adequacy criterion correlates with the capability of a hypertest to expose hyperproperty violations, and that both HyperFuzz and HyperEvo achieve high hypercoverage and high vulnerability exposure with no false alarms (by construction). While they both outperform the state-of-the-art dynamic taint analysis tool Phosphor, HyperEvo is more effective than HyperFuzz on some benchmark programs.
Automated Black-box Testing of Mass Assignment Vulnerabilities in RESTful APIs
Mass assignment is one of the most prominent vulnerabilities in RESTful APIs, and it originates from a misconfiguration in common web frameworks. This allows attackers to exploit naming conventions and automatic binding to craft malicious requests that (massively) override data supposed to be read-only.
In this paper, we adopt a black-box testing perspective to automatically detect mass assignment vulnerabilities in RESTful APIs. Indeed, execution scenarios are generated purely from the OpenAPI specification, which lists the available operations and their message format. Clustering is used to group similar operations and reveal read-only fields; the latter are candidates for mass assignment. Then, test interaction sequences are automatically generated by instantiating abstract testing templates, with the aim of trying to use the identified read-only fields to carry out a mass assignment attack. Test interactions are run, and their execution is assessed by a specific oracle, in order to reveal whether the vulnerability could be successfully exploited.
The proposed novel approach has been implemented and evaluated on a set of case studies written in different programming languages. The evaluation highlights that the approach is quite effective in detecting seeded vulnerabilities, with remarkably high accuracy.
Assessment of Source Code Obfuscation Techniques
Obfuscation techniques are a general category of software protections widely adopted to prevent malicious tampering of the code by making applications more difficult to understand and thus harder to modify. Obfuscation techniques are divided into code and data obfuscation, depending on the protected asset. While preliminary empirical studies have been conducted to determine the impact of code obfuscation, our work aims at assessing the effectiveness and efficiency in preventing attacks of a specific data obfuscation technique, VarMerge. We conducted an experiment with student participants performing two attack tasks on clear and obfuscated versions of two applications written in C. The experiment showed a significant effect of data obfuscation on both the time required to complete the tasks and the efficiency of successful attacks. An application protected with VarMerge reduces by six times the number of successful attacks per unit of time. This outcome provides a practical clue that can be used when applying software protections based on data obfuscation.
Comment: Post-print, SCAM 201
Deep Reinforcement Learning for Black-Box Testing of Android Apps
The state space of Android apps is huge, and its thorough exploration during testing remains a major challenge. In fact, the best exploration strategy is highly dependent on the features of the app under test. Reinforcement Learning (RL) is a machine learning technique that learns the optimal strategy to solve a task by trial and error, guided by positive or negative reward rather than by explicit supervision. Deep RL is a recent extension of RL that takes advantage of the learning capabilities of neural networks. Such capabilities make Deep RL suitable for complex exploration spaces such as that of Android apps. However, state-of-the-art, publicly available tools only support basic, tabular RL. We have developed ARES, a Deep RL approach for black-box testing of Android apps. Experimental results show that it achieves higher coverage and fault revelation than the baselines, which include state-of-the-art RL-based tools such as TimeMachine and Q-Testing. We also investigated qualitatively the reasons behind such performance, and we identified the key features of Android apps that make Deep RL particularly effective on them to be the presence of chained and blocking activities.
DeepREST: Automated Test Case Generation for REST APIs Exploiting Deep Reinforcement Learning
Automatically crafting test scenarios for REST APIs helps deliver more reliable and trustworthy web-oriented systems. However, current black-box testing approaches rely heavily on the information available in the API's formal documentation, i.e., the OpenAPI Specification (OAS for short). While useful, the OAS mostly covers syntactic aspects of the API (e.g., producer-consumer relations between operations, input value properties, and additional constraints in natural language), and it lacks a deeper understanding of the API business logic. Missing semantics include implicit ordering (logic dependency) between operations and implicit input-value constraints. These limitations hinder the ability of black-box testing tools to generate truly effective test cases automatically.
This paper introduces DeepREST, a novel black-box approach for automatically testing REST APIs. It leverages deep reinforcement learning to uncover implicit API constraints, that is, constraints hidden from API documentation. Curiosity-driven learning guides an agent in the exploration of the API and learns an effective order in which to test its operations. This helps identify which operations to test first to bring the API into a testable state and avoid failing API interactions later. At the same time, experience gained on successful API interactions is leveraged to drive accurate input data generation (i.e., what parameters to use and how to pick their values). Additionally, DeepREST alternates exploration with exploitation by mutating successful API interactions to improve test coverage and collect further experience.
Our empirical validation suggests that the proposed approach is very effective in achieving high test coverage and fault detection, and superior to a state-of-the-art baseline.
EtherSolve: Computing an Accurate Control-Flow Graph from Ethereum Bytecode
Motivated by the immutable nature of Ethereum smart contracts and of their transactions, many approaches have been proposed to detect defects and security problems before smart contracts become persistent in the blockchain and are granted control over substantial financial value. Because smart contract source code might not be available, static analysis approaches mostly face the challenge of analysing compiled Ethereum bytecode, which is available directly from the official blockchain. However, due to the intrinsic complexity of Ethereum bytecode (especially in jump resolution), static analysis encounters significant obstacles that reduce the accuracy of existing automated tools. This paper presents a novel static analysis algorithm based on the symbolic execution of the Ethereum operand stack that allows us to resolve jumps in Ethereum bytecode and to construct an accurate control-flow graph (CFG) of the compiled smart contracts. EtherSolve is a prototype implementation of our approach. Experimental results on a significant set of real-world Ethereum smart contracts show that EtherSolve improves the accuracy of the extracted CFGs with respect to the state-of-the-art available approaches. Many static analysis techniques are based on the CFG representation of the code and would therefore benefit from the accurate extraction of the CFG. For example, we implemented a simple extension of EtherSolve that detects instances of the re-entrancy vulnerability.
Reactive attestation: automatic detection and reaction to software tampering attacks
Anti-tampering is a form of software protection conceived to detect and avoid the execution of tampered programs. Tamper detection assesses programs' integrity with load- or execution-time checks. Avoidance reacts to tampered programs by stopping them or rendering them unusable. General-purpose reactions (such as halting the execution) stand out like a lighthouse in the code and are quite easy for an attacker to defeat. More sophisticated reactions, which degrade the user experience or the quality of service, are less easy to locate and remove, but they are too tangled with the program's business logic and are thus difficult to automate in a general-purpose protection tool. In the present paper, we propose a novel approach to anti-tampering that (i) fully automatically applies to a target program, (ii) uses Remote Attestation for detection purposes and (iii) adopts a server-side reaction that is difficult for an attacker to block. By means of Client/Server Code Splitting, a crucial part of the program is removed from the client and executed on a remote trusted server in sync with the client. If a client program provides evidence of its integrity, the part moved to the server is executed. Otherwise, a server-side reaction logic may (temporarily or definitively) decide to stop serving it. Therefore, a tampered client application cannot continue its execution. We assessed our automatic protection tool on a case study Android application. Experimental results show that all the original and tampered executions are correctly detected, reactions are promptly applied, and execution overhead is at an acceptable level.
Mycobacterium kansasii as the Primary Etiology of Pulmonary Infections due to Non-Tuberculous Mycobacterium (NTM) in Patients Without Human Immunodeficiency Virus (HIV): Experience from a Center in Buenos Aires, Argentina
Introduction: Pulmonary diseases due to non-tuberculous mycobacterium (NTM) lung infection in HIV-negative patients are rarely described in the literature. Currently, NTM consist of more than 150 species, and they are globally ubiquitous in both natural and man-made environments. The objective of this study was to define the most frequent species of NTM causing pulmonary disease in HIV-negative patients in the city of Buenos Aires, Argentina. The prevalence of pulmonary diseases caused by NTM is difficult to determine, since the isolation of NTM does not necessarily indicate disease.
Methods: A retrospective review of all the respiratory cultures positive for NTM in the Bacteriology Laboratory of Posadas Hospital between January 2010 and December 2015 was performed. 31 patients without Human Immunodeficiency Virus (HIV) from whom NTM was isolated in respiratory samples, and who fulfilled diagnostic criteria for NTM disease, were included.
Results: The mean age was 50 years at the time of the diagnosis (SD ± 17.2), and 19 patients (61.3%) were males. Mycobacterium kansasii was the most commonly isolated NTM (68%), followed by Mycobacterium avium Complex (MAC) (19%). M. kansasii was the most common cause of pulmonary infection by NTM in these HIV-negative patients. Cultures should be performed to identify the species and to treat accordingly. In 46% of the patients included in the study, there was no evidence of risk factors. Only 32% of the subjects had respiratory comorbidities, and the most common radiologic finding was cavitation (55%).
Discussion: Our study indicates that M. kansasii is the primary etiology of NTM pulmonary disease in HIV-negative patients in our service area in Buenos Aires. This finding supports the consideration that patients with symptoms compatible with pulmonary tuberculosis should also be evaluated for NTM with appropriate acid-fast bacilli cultures, as treatment regimens differ vastly according to the specific pathogen isolated, although clinical and radiographic presentations may have overlapping features. The possibility of M. kansasii pulmonary disease or other NTM should be considered in patients treated empirically for TB without appropriate clinical response.