11,902 research outputs found
A Formal Approach to Exploiting Multi-Stage Attacks based on File-System Vulnerabilities of Web Applications (Extended Version)
Web applications require access to the file-system for many different tasks.
When analyzing the security of a web application, secu- rity analysts should
thus consider the impact that file-system operations have on the security of
the whole application. Moreover, the analysis should take into consideration
how file-system vulnerabilities might in- teract with other vulnerabilities
leading an attacker to breach into the web application. In this paper, we first
propose a classification of file- system vulnerabilities, and then, based on
this classification, we present a formal approach that allows one to exploit
file-system vulnerabilities. We give a formal representation of web
applications, databases and file- systems, and show how to reason about
file-system vulnerabilities. We also show how to combine file-system
vulnerabilities and SQL-Injection vulnerabilities for the identification of
complex, multi-stage attacks. We have developed an automatic tool that
implements our approach and we show its efficiency by discussing several
real-world case studies, which are witness to the fact that our tool can
generate, and exploit, complex attacks that, to the best of our knowledge, no
other state-of-the-art-tool for the security of web applications can find
Security, Privacy and Safety Risk Assessment for Virtual Reality Learning Environment Applications
Social Virtual Reality based Learning Environments (VRLEs) such as vSocial
render instructional content in a three-dimensional immersive computer
experience for training youth with learning impediments. There are limited
prior works that explored attack vulnerability in VR technology, and hence
there is a need for systematic frameworks to quantify risks corresponding to
security, privacy, and safety (SPS) threats. The SPS threats can adversely
impact the educational user experience and hinder delivery of VRLE content. In
this paper, we propose a novel risk assessment framework that utilizes attack
trees to calculate a risk score for varied VRLE threats with rate and duration
of threats as inputs. We compare the impact of a well-constructed attack tree
with an adhoc attack tree to study the trade-offs between overheads in managing
attack trees, and the cost of risk mitigation when vulnerabilities are
identified. We use a vSocial VRLE testbed in a case study to showcase the
effectiveness of our framework and demonstrate how a suitable attack tree
formalism can result in a more safer, privacy-preserving and secure VRLE
system.Comment: Tp appear in the CCNC 2019 Conferenc
- …