Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces

Embedded devices are becoming more widespread, interconnected, and web-enabled than ever. However, recent studies showed that these devices are far from being secure. Moreover, many embedded systems rely on web interfaces for user interaction or administration. Unfortunately, web security is known to be difficult, and therefore the web interfaces of embedded systems represent a considerable attack surface. In this paper, we present the first fully automated framework that applies dynamic firmware analysis techniques to achieve, in a scalable manner, automated vulnerability discovery within embedded firmware images. We apply our framework to study the security of embedded web interfaces running in Commercial Off-The-Shelf (COTS) embedded devices, such as routers, DSL/cable modems, VoIP phones, IP/CCTV cameras. We introduce a methodology and implement a scalable framework for discovery of vulnerabilities in embedded web interfaces regardless of the vendor, device, or architecture. To achieve this goal, our framework performs full system emulation to achieve the execution of firmware images in a software-only environment, i.e., without involving any physical embedded devices. Then, we analyze the web interfaces within the firmware using both static and dynamic tools. We also present some interesting case-studies, and discuss the main challenges associated with the dynamic analysis of firmware images and their web interfaces and network services. The observations we make in this paper shed light on an important aspect of embedded devices which was not previously studied at a large scale. We validate our framework by testing it on 1925 firmware images from 54 different vendors. We discover important vulnerabilities in 185 firmware images, affecting nearly a quarter of vendors in our dataset. These experimental results demonstrate the effectiveness of our approach

A Model for Predicting the Likelihood of Successful Exploitation

This paper presents a model that estimates the likelihood that a detected vulnerability can be exploited. The data used to produce the model was obtained by carrying out an experiment that involved exploit attempts against 1179 different machines within a cyber range. Three machine learning algorithms were tested: support vector machines, random forests and neural networks. The best results were provided by a random forest model. This model has a mean cross-validation accuracy of 98.2% and an F1 score of 0.73

Assessing the accuracy of vulnerability scanners and developing a tsunami securaty scanner plug-in

Mestrado em Cibersegurança na Escola Superior de Tecnologia e Gestão do Instituto Politécnico de Viana do CasteloDigital transformation is a key factor for a company's success. Recently this digital transformation was accelerated in many companies due to the Covid-19 pandemic, requiring more changes in people, systems, and data. In some cases, these changes in systems and procedures uncover new vulnerabilities that could be early detected and mitigated. In this context, the vulnerability scanner tools may prevent con guration errors and known vulnerabilities at an early stage. The release of the Tsunami Security Scanner, an open-source vulnerability scanner released by Google, opens the opportunity to analyze and compare the commonly used, free-to-use vulnerability scanners. The wide choice of Vulnerability Scanning Tools can be a time-consuming task for a company that needs to take into consideration complex and numerous variables such as accuracy and precision to be able to choose the right tool. This thesis aims to assess the accuracy of vulnerability scanner tools. In the rst stage resources usage and performance assessment regarding diferent vulnerabilities and systems. In the second stage, a plugin is developed for the Tsunami Security Scanner with the purpose of detecting a speci c vulnerability (CVE-2019-12815). The precision assessment is accomplished by placing multiple virtual machines in a network with different vulnerable scanners and other machines with different vulnerable and non-vulnerable operating systems. This enables the validation that the features and performance of these scanners are different or vary accordingly to the target systems. This work can be particularly helpful to organisations with lower resources such as Small and Medium-sized Enterprises (SMEs) since it reviews a set of these tools that are available for use. The development of the Tsunami Security Scanner plugin is also important as an effort to increase the range of plugins available.A transformação digital é um fator chave para o sucesso das empresas. Recentemente a transformação digital foi acelerada em muitas empresas devido à pandemia de Covid-19, exigindo mudanças de pessoas, sistemas e dados. Em alguns casos, essas mudanças nos sistemas e procedimentos revelam novas vulnerabilidades que devem ser detectadas e mitigadas com antecedência. Neste contexto, as ferramentas de veri ficação de vulnerabilidades podem evitar erros de con figuração e vulnerabilidades conhecidas numa fase antecipada. A disponibilização do Tsunami Security Scanner, um verificador de vulnerabilidades de código aberto lançaado pelo Google, abre a oportunidade de analisar e comparar os verifi cadores de vulnerabilidades comumente usados e gratuitos. A ampla escolha de ferramentas de veri ficação de vulnerabilidades pode ser uma tarefa demorada para uma empresa que precisa levar em consideração variáveis complexas e numerosas, como exatidão e precisão, para poder escolher a ferramenta certa. Esta tese visa avaliar a precisão de ferramentas de veri ficação de vulnerabilidades. Numa primeira fase, avaliação do uso de recursos e desempenho em relação a diferentes vulnerabilidades e sistemas. Numa segunda fase, é desenvolvido um plugin para o Tsunami Security Scanner com o objetivo de detectar uma vulnerabilidade específica (CVE-2019- 12815). A avaliação da precisão das ferramentas é realizada colocando múltiplas máquinas virtuais em uma rede com diferentes veri ficadores de vulnerabilidades e outras máquinas com diferentes sistemas operativos vulneráveis e não vulneráveis. Isso permite validar que as características e desempenho desses verifi cadores são diferentes ou variam de acordo com os sistemas-alvo. Este trabalho pode ser particularmente útil para organizações com recursos mais limitados, já que revê um conjunto dessas ferramentas que estão disponíveis para uso. O desenvolvimento do plugin para o Tsunami Security Scanner também é importante como um esforço para aumentar a gama de plugins disponíveis

A system to secure websites and educate students about cyber security through crowdsourcing

Startups are innovative companies who have ideas for the betterment of the society. But, due to limited resources, and highly expensive testing procedures, they invest less time and money in securing their website and web applications. Furthermore, cyber security education lacks integrating practical knowledge with educational theoretical materials. Recognizing, the need to educate both startups and students about cyber security, this report presents Secure Startup - a novel system, that aims to provide startups with a platform to protect their website in a costeffective manner, while educating students about the real-world cyber skills. This system finds potential security problems in startup websites and provides them with effective solutions through a crowdtesting framework. Secure Startup, crowdsources the testers (security experts and students) of this system, through social media platforms, using Twitter Bots. The basic idea behind this report, is to understand, if such a system can help students learn the necessary cyber skills, while running successful tests and generating quality results for the startups. The results presented in this report show that, this system has a higher learning rate, and a higher task effectiveness rate, which helps in detecting and remediating maximum possible vulnerabilities. These results were generated after analyzing the performance of the testers and the learning capabilities of students, based on their feedback, trainings and task performance. These results have been promising in pursuing the system\u27s value which lays in enhancing the security of a startup website and providing a new approach for practical cyber security education

Data Centre vulnerabilities physical, logical and trusted entity security

Data centres are often the hub for a significant number of disparate interconnecting systems. With rapid advances in virtualization, the use of data centres have increased significantly and are set to continue growing. Systems hosted typically serve the data needs for a growing number of organizations ranging from private individuals to mammoth governmental departments. Due to this centralized method of operation, data centres have become a prime target for attackers. These attackers are not only after the data contained in the data centre but often the physical infrastructure the systems run on is the target of attack. Down time resulting from such an attack can affect a wide range of entities and can have severe financial implications for the owners of the data centre. To limit liability strict adherence to standards are prescribed. Technology however develops at a far faster pace than standards and our ability to accurately measure information security has significant hidden caveats. This allows for a situation where the defenders dilemma is exacerbated by information overload, a significant increase in attack surface and reporting tools that show only limited views. This paper investigates the logical and physical security components of a data centre and introduces the notion of third party involvement as an increase in attack surface due to the manner in which data centres typically operate

INTRUSION PREDICTION SYSTEM FOR CLOUD COMPUTING AND NETWORK BASED SYSTEMS

Cloud computing offers cost effective computational and storage services with on-demand scalable capacities according to the customers’ needs. These properties encourage organisations and individuals to migrate from classical computing to cloud computing from different disciplines. Although cloud computing is a trendy technology that opens the horizons for many businesses, it is a new paradigm that exploits already existing computing technologies in new framework rather than being a novel technology. This means that cloud computing inherited classical computing problems that are still challenging. Cloud computing security is considered one of the major problems, which require strong security systems to protect the system, and the valuable data stored and processed in it. Intrusion detection systems are one of the important security components and defence layer that detect cyber-attacks and malicious activities in cloud and non-cloud environments. However, there are some limitations such as attacks were detected at the time that the damage of the attack was already done. In recent years, cyber-attacks have increased rapidly in volume and diversity. In 2013, for example, over 552 million customers’ identities and crucial information were revealed through data breaches worldwide [3]. These growing threats are further demonstrated in the 50,000 daily attacks on the London Stock Exchange [4]. It has been predicted that the economic impact of cyber-attacks will cost the global economy $3 trillion on aggregate by 2020 [5]. This thesis focused on proposing an Intrusion Prediction System that is capable of sensing an attack before it happens in cloud or non-cloud environments. The proposed solution is based on assessing the host system vulnerabilities and monitoring the network traffic for attacks preparations. It has three main modules. The monitoring module observes the network for any intrusion preparations. This thesis proposes a new dynamic-selective statistical algorithm for detecting scan activities, which is part of reconnaissance that represents an essential step in network attack preparation. The proposed method performs a statistical selective analysis for network traffic searching for an attack or intrusion indications. This is achieved by exploring and applying different statistical and probabilistic methods that deal with scan detection. The second module of the prediction system is vulnerabilities assessment that evaluates the weaknesses and faults of the system and measures the probability of the system to fall victim to cyber-attack. Finally, the third module is the prediction module that combines the output of the two modules and performs risk assessments of the system security from intrusions prediction. The results of the conducted experiments showed that the suggested system outperforms the analogous methods in regards to performance of network scan detection, which means accordingly a significant improvement to the security of the targeted system. The scanning detection algorithm has achieved high detection accuracy with 0% false negative and 50% false positive. In term of performance, the detection algorithm consumed only 23% of the data needed for analysis compared to the best performed rival detection method

“Be a Pattern for the World”: The Development of a Dark Patterns Detection Tool to Prevent Online User Loss

Dark Patterns are designed to trick users into sharing more information or spending more money than they had intended to do, by configuring online interactions to confuse or add pressure to the users. They are highly varied in their form, and are therefore difficult to classify and detect. Therefore, this research is designed to develop a framework for the automated detection of potential instances of web-based dark patterns, and from there to develop a software tool that will provide a highly useful defensive tool that helps detect and highlight these patterns