780 research outputs found

    Security Code Smells in Android ICC

    Get PDF
    Android Inter-Component Communication (ICC) is complex, largely unconstrained, and hard for developers to understand. As a consequence, ICC is a common source of security vulnerability in Android apps. To promote secure programming practices, we have reviewed related research, and identified avoidable ICC vulnerabilities in Android-run devices and the security code smells that indicate their presence. We explain the vulnerabilities and their corresponding smells, and we discuss how they can be eliminated or mitigated during development. We present a lightweight static analysis tool on top of Android Lint that analyzes the code under development and provides just-in-time feedback within the IDE about the presence of such smells in the code. Moreover, with the help of this tool we study the prevalence of security code smells in more than 700 open-source apps, and manually inspect around 15% of the apps to assess the extent to which identifying such smells uncovers ICC security vulnerabilities.Comment: Accepted on 28 Nov 2018, Empirical Software Engineering Journal (EMSE), 201

    Face Liveness Detection under Processed Image Attacks

    Get PDF
    Face recognition is a mature and reliable technology for identifying people. Due to high-definition cameras and supporting devices, it is considered the fastest and the least intrusive biometric recognition modality. Nevertheless, effective spoofing attempts on face recognition systems were found to be possible. As a result, various anti-spoofing algorithms were developed to counteract these attacks. They are commonly referred in the literature a liveness detection tests. In this research we highlight the effectiveness of some simple, direct spoofing attacks, and test one of the current robust liveness detection algorithms, i.e. the logistic regression based face liveness detection from a single image, proposed by the Tan et al. in 2010, against malicious attacks using processed imposter images. In particular, we study experimentally the effect of common image processing operations such as sharpening and smoothing, as well as corruption with salt and pepper noise, on the face liveness detection algorithm, and we find that it is especially vulnerable against spoofing attempts using processed imposter images. We design and present a new facial database, the Durham Face Database, which is the first, to the best of our knowledge, to have client, imposter as well as processed imposter images. Finally, we evaluate our claim on the effectiveness of proposed imposter image attacks using transfer learning on Convolutional Neural Networks. We verify that such attacks are more difficult to detect even when using high-end, expensive machine learning techniques

    Keeping Context In Mind: Automating Mobile App Access Control with User Interface Inspection

    Full text link
    Recent studies observe that app foreground is the most striking component that influences the access control decisions in mobile platform, as users tend to deny permission requests lacking visible evidence. However, none of the existing permission models provides a systematic approach that can automatically answer the question: Is the resource access indicated by app foreground? In this work, we present the design, implementation, and evaluation of COSMOS, a context-aware mediation system that bridges the semantic gap between foreground interaction and background access, in order to protect system integrity and user privacy. Specifically, COSMOS learns from a large set of apps with similar functionalities and user interfaces to construct generic models that detect the outliers at runtime. It can be further customized to satisfy specific user privacy preference by continuously evolving with user decisions. Experiments show that COSMOS achieves both high precision and high recall in detecting malicious requests. We also demonstrate the effectiveness of COSMOS in capturing specific user preferences using the decisions collected from 24 users and illustrate that COSMOS can be easily deployed on smartphones as a real-time guard with a very low performance overhead.Comment: Accepted for publication in IEEE INFOCOM'201

    Detection solution analysis for simplistic spoofing attacks in commercial mini and micro UAVs

    Get PDF
    Enamus droone kasutab lennundusest pärit GPS navigatsiooniseadmeid, millel puuduvad turvaprotokollid ning nende riskioht pahatahtlike rünnakute sihtmärgina on kasvanud hüppeliselt lähimineviku arengute ja progressi tõttu SDR ja GNSS simulatsioonitarkvara valdkonnas. See on loonud ligipääsu tehnikale amatöörkasutajatele, millel on saatja aadressi võltsimise jõudlus. Need potensiaalsed rünnakud kuuluvad lihtsakoeliste kategooriasse, kuid selle uurimustöö tulemusena selgus, et nendes rünnakute edukuses on olulised erinevused teatud GPS vastuvõtjate ja konfiguratsioonide vahel. \n\rSee uurimustöö analüüsis erinevaid saatja aadressi võltsimise avastamise meetodeid, mis olid avatud kasutajatele ning valis välja need, mis on sobilikud mini- ja mikrodroonide tehnonõuetele ja operatsioonistsenaariumitele, eesmärgiga pakkuda välja GPS aadresside rünnakute avastamiseks rakenduste tasandil avatud allikakoodiga Ground Control Station tarkvara SDK. Avastuslahenduse eesmärk on jälgida ja kinnitada äkilisi, abnormaalseid või ebaloogilisi tulemväärtusi erinevates drooni sensiorites lisaallkatest pärit lisainfoga. \n\rLäbiviidud testid kinnitavad, et olenevalt olukorrast ja tingimustest saavad saatja aadressi võltsimise rünnakud õnnestuda. Rünnakud piiravad GPS mehanismide ligipääsu, mida saab kasutada rünnakute avastuseks. Neid rünnakuid puudutav info asetseb infovoos või GPSi signaalprotsessi tasandis, kuid seda infot ei saa haarata tasandile kus SDK tarkvara haldab kõigi teiste sensorite infot.Most of UAVs are GPS navigation based aircrafts that rely on a system with lack of security, their latent risk against malicious attacks has been raised with the recent progress and development in SDRs and GNSS simulation software, facilitating to amateurs the accessibility of equipment with spoofing capabilities. The attacks which can be done with this setup belong to the category simplistic, however, during this thesis work there are validated different cases of successful results under certain GPS receivers’ state or configuration.\n\rThis work analysis several spoofing detection methods found in the open literature, and selects the ones which can be suitable for mini and micro UAV technical specifications and operational scenario, for proposing a GPS spoofing detection solution developed in the application layer of an open source code Ground Control Station software SDK. The detection solution is intended to monitor and correlate abrupt, abnormal or unreasonable values of different sensors of the UAV with data obtained from available additional sources.\n\rThe conducted tests validate the cases and circumstances where the spoofing attacks were successful. Limitations include the lack of mechanisms to access GPS values which can be useful for detection spoofing attacks, but reside in the data bit or signal processing layer of the GPS and can not be retrieve to the layer where the SDK in computing all data of other sensors

    Evaluating the Resilience of Face Recognition Systems Against Malicious Attacks

    Get PDF
    This paper presents an experiment designed to test the resilience of several user verification systems based on face recognition technology against simple identity spoofing methods, such as trying to gain access to the system by using mobile camera shots of the users, their ID cards, or social media photos of them that are available online. We also aim at identifying the compression threshold above which a photo can be used to gain access to the system. Four major user verification tools were tested: Keyemon and Luxand Blink on Windows and Android Face Unlock and FaceLock on Android. The results show all tested systems to be vulnerable to even very crude attacks, indicating that the technology is not ready yet for adoption in applications where security rather than user convenience is the main concern

    Evaluating the Resilience of Face Recognition Systems Against Malicious Attacks

    Get PDF
    This paper presents an experiment designed to test the resilience of several user verification systems based on face recognition technology against simple identity spoofing methods, such as trying to gain access to the system by using mobile camera shots of the users, their ID cards, or social media photos of them that are available online. We also aim at identifying the compression threshold above which a photo can be used to gain access to the system. Four major user verification tools were tested: Keyemon and Luxand Blink on Windows and Android Face Unlock and FaceLock on Android. The results show all tested systems to be vulnerable to even very crude attacks, indicating that the technology is not ready yet for adoption in applications where security rather than user convenience is the main concern

    Visual Odometry and Trajectory Reconstruction for UAVs

    Get PDF
    The growing popularity of systems based on Unmanned Aerial Vehicles (UAVs) is highlighting their vulnerability particularly in relation to the positioning system used. Typically, UAV architectures use the civilian GPS which is exposed to a number of different attacks, such as jamming or spoofing. This is why it is important to develop alternative methodologies to accurately estimate the actual UAV position without relying on GPS measurements only. In this paper we propose a position estimate method for UAVs based on monocular visual odometry. We have developed a flight control system capable of keeping track of the entire trajectory travelled, with a reduced dependency on the availability of GPS signal. Moreover, the simplicity of the developed solution makes it applicable to a wide range of commercial drones. The final goal is to allow for safer flights in all conditions, even under cyber-attacks trying to deceive the drone
    corecore