Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces

Embedded devices are becoming more widespread, interconnected, and web-enabled than ever. However, recent studies showed that these devices are far from being secure. Moreover, many embedded systems rely on web interfaces for user interaction or administration. Unfortunately, web security is known to be difficult, and therefore the web interfaces of embedded systems represent a considerable attack surface. In this paper, we present the first fully automated framework that applies dynamic firmware analysis techniques to achieve, in a scalable manner, automated vulnerability discovery within embedded firmware images. We apply our framework to study the security of embedded web interfaces running in Commercial Off-The-Shelf (COTS) embedded devices, such as routers, DSL/cable modems, VoIP phones, IP/CCTV cameras. We introduce a methodology and implement a scalable framework for discovery of vulnerabilities in embedded web interfaces regardless of the vendor, device, or architecture. To achieve this goal, our framework performs full system emulation to achieve the execution of firmware images in a software-only environment, i.e., without involving any physical embedded devices. Then, we analyze the web interfaces within the firmware using both static and dynamic tools. We also present some interesting case-studies, and discuss the main challenges associated with the dynamic analysis of firmware images and their web interfaces and network services. The observations we make in this paper shed light on an important aspect of embedded devices which was not previously studied at a large scale. We validate our framework by testing it on 1925 firmware images from 54 different vendors. We discover important vulnerabilities in 185 firmware images, affecting nearly a quarter of vendors in our dataset. These experimental results demonstrate the effectiveness of our approach

Adaptive Educational Hypermedia based on Multiple Student Characteristics

The learning process in Adaptive Educational Hypermedia (AEH) environments is complex and may be influenced by aspects of the student, including prior knowledge, learning styles, experience and preferences. Current AEH environments, however, are limited to processing only a small number of student characteristics. This paper discusses the development of an AEH system which includes a student model that can simultaneously take into account multiple student characteristics. The student model will be developed to use stereotypes, overlays and perturbation techniques. Keywords: adaptive educational hypermedia, multiple characteristics, student model

Rock falls impacting railway tracks. Detection analysis through an artificial intelligence camera prototype

During the last few years, several approaches have been proposed to improve early warning systems for managing geological risk due to landslides, where important infrastructures (such as railways, highways, pipelines, and aqueducts) are exposed elements. In this regard, an Artificial intelligence Camera Prototype (AiCP) for real-time monitoring has been integrated in a multisensor monitoring system devoted to rock fall detection. An abandoned limestone quarry was chosen at Acuto (central Italy) as test-site for verifying the reliability of the integratedmonitoring system. A portion of jointed rockmass, with dimensions suitable for optical monitoring, was instrumented by extensometers. One meter of railway track was used as a target for fallen blocks and a weather station was installed nearby. Main goals of the test were (i) evaluating the reliability of the AiCP and (ii) detecting rock blocks that reach the railway track by the AiCP. At this aim, several experiments were carried out by throwing rock blocks over the railway track. During these experiments, the AiCP detected the blocks and automatically transmitted an alarm signal

A publication database for optical long baseline interferometry

Optical long baseline interferometry is a technique that has generated almost 850 refereed papers to date. The targets span a large variety of objects from planetary systems to extragalactic studies and all branches of stellar physics. We have created a database hosted by the JMMC and connected to the Optical Long Baseline Interferometry Newsletter (OLBIN) web site using MySQL and a collection of XML or PHP scripts in order to store and classify these publications. Each entry is defined by its ADS bibcode, includes basic ADS informations and metadata. The metadata are specified by tags sorted in categories: interferometric facilities, instrumentation, wavelength of operation, spectral resolution, type of measurement, target type, and paper category, for example. The whole OLBIN publication list has been processed and we present how the database is organized and can be accessed. We use this tool to generate statistical plots of interest for the community in optical long baseline interferometry.Comment: To be published in the SPIE'2010 conference on "Optical and Infrared Interferometry II

Seamless Integration of Group Communication into an Adaptive Online Exercise System

Distance learners in traditional online exercise and tutoring systems often get stuck with questions for which they need the help of a tutor or colleague. Learning alone can also be frustrating. In our Communication And Tutoring System CATS we have integrated the possibility to dial up a tutor and/or to setup an immediate group communication with other distance learners using Internet videoconferencing technology. To find the appropriate partner, we have implemented a measurement algorithm that keeps track of the performance level of a learner by measuring the percentage of correct answers at the current level, the reliability with which the learner answers the questions and the time he/she takes. From these measures we derive a unified performance parameter that controls the presentation of the next set of questions. These are then generated dynamically by the exercise applet. The CATS system automatically selects the most appropriate communica-tion partner(s) bas! ed on the exercises the learners are currently working on, and on their skill levels. We motivate this approach from a pedagogical point of view and present the architecture and implementation of the CATS system

A Brief History of Web Crawlers

Web crawlers visit internet applications, collect data, and learn about new web pages from visited pages. Web crawlers have a long and interesting history. Early web crawlers collected statistics about the web. In addition to collecting statistics about the web and indexing the applications for search engines, modern crawlers can be used to perform accessibility and vulnerability checks on the application. Quick expansion of the web, and the complexity added to web applications have made the process of crawling a very challenging one. Throughout the history of web crawling many researchers and industrial groups addressed different issues and challenges that web crawlers face. Different solutions have been proposed to reduce the time and cost of crawling. Performing an exhaustive crawl is a challenging question. Additionally capturing the model of a modern web application and extracting data from it automatically is another open question. What follows is a brief history of different technique and algorithms used from the early days of crawling up to the recent days. We introduce criteria to evaluate the relative performance of web crawlers. Based on these criteria we plot the evolution of web crawlers and compare their performanc