Combining static and dynamic analysis for the reverse engineering of web applications

Software has become so complex that it is increasingly hard to have a complete understanding of how a particular system will behave. Web applications, their user interfaces in particular, are built with a wide variety of technologies making them particularly hard to debug and maintain. Reverse engineering techniques, either through static analysis of the code or dynamic analysis of the running application, can be used to help gain this understanding. Each type of technique has its limitations. With static analysis it is difficult to have good coverage of highly dynamic applications, while dynamic analysis faces problems with guaranteeing that generated models fully capture the behavior of the system. This paper proposes a new hybrid approach for the reverse engineering of web applications' user interfaces. The approach combines dynamic analyzes of the application at runtime, with static analyzes of the source code of the event handlers found during interaction. Information derived from the source code is both directly added to the generated models, and used to guide the dynamic analysis.This work is funded by ERDF - European Regional Development Fund through the COMPETE Programme (operational programme for competitiveness) and by National Funds through the FCT - Fundação para a Ciência e a Tecnologia (Portuguese Foundation for Science and Technology) within project FCOMP-01-0124-FEDER-015095. Carlos Eduardo Silva is further funded by the Portuguese Government through FCT, grant SFRH/BD/71136/2010

AndroShield:automated Android applications vulnerability detection, a hybrid static and dynamic analysis approach

The security of mobile applications has become a major research field which is associated with a lot of challenges. The high rate of developing mobile applications has resulted in less secure applications. This is due to what is called the “rush to release” as defined by Ponemon Institute. Security testing—which is considered one of the main phases of the development life cycle—is either not performed or given minimal time; hence, there is a need for security testing automation. One of the techniques used is Automated Vulnerability Detection. Vulnerability detection is one of the security tests that aims at pinpointing potential security leaks. Fixing those leaks results in protecting smart-phones and tablet mobile device users against attacks. This paper focuses on building a hybrid approach of static and dynamic analysis for detecting the vulnerabilities of Android applications. This approach is capsuled in a usable platform (web application) to make it easy to use for both public users and professional developers. Static analysis, on one hand, performs code analysis. It does not require running the application to detect vulnerabilities. Dynamic analysis, on the other hand, detects the vulnerabilities that are dependent on the run-time behaviour of the application and cannot be detected using static analysis. The model is evaluated against different applications with different security vulnerabilities. Compared with other detection platforms, our model detects information leaks as well as insecure network requests alongside other commonly detected flaws that harm users’ privacy. The code is available through a GitHub repository for public contribution

Strategies for protecting intellectual property when using CUDA applications on graphics processing units

Recent advances in the massively parallel computational abilities of graphical processing units (GPUs) have increased their use for general purpose computation, as companies look to take advantage of big data processing techniques. This has given rise to the potential for malicious software targeting GPUs, which is of interest to forensic investigators examining the operation of software. The ability to carry out reverse-engineering of software is of great importance within the security and forensics elds, particularly when investigating malicious software or carrying out forensic analysis following a successful security breach. Due to the complexity of the Nvidia CUDA (Compute Uni ed Device Architecture) framework, it is not clear how best to approach the reverse engineering of a piece of CUDA software. We carry out a review of the di erent binary output formats which may be encountered from the CUDA compiler, and their implications on reverse engineering. We then demonstrate the process of carrying out disassembly of an example CUDA application, to establish the various techniques available to forensic investigators carrying out black-box disassembly and reverse engineering of CUDA binaries. We show that the Nvidia compiler, using default settings, leaks useful information. Finally, we demonstrate techniques to better protect intellectual property in CUDA algorithm implementations from reverse engineering

Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces

Embedded devices are becoming more widespread, interconnected, and web-enabled than ever. However, recent studies showed that these devices are far from being secure. Moreover, many embedded systems rely on web interfaces for user interaction or administration. Unfortunately, web security is known to be difficult, and therefore the web interfaces of embedded systems represent a considerable attack surface. In this paper, we present the first fully automated framework that applies dynamic firmware analysis techniques to achieve, in a scalable manner, automated vulnerability discovery within embedded firmware images. We apply our framework to study the security of embedded web interfaces running in Commercial Off-The-Shelf (COTS) embedded devices, such as routers, DSL/cable modems, VoIP phones, IP/CCTV cameras. We introduce a methodology and implement a scalable framework for discovery of vulnerabilities in embedded web interfaces regardless of the vendor, device, or architecture. To achieve this goal, our framework performs full system emulation to achieve the execution of firmware images in a software-only environment, i.e., without involving any physical embedded devices. Then, we analyze the web interfaces within the firmware using both static and dynamic tools. We also present some interesting case-studies, and discuss the main challenges associated with the dynamic analysis of firmware images and their web interfaces and network services. The observations we make in this paper shed light on an important aspect of embedded devices which was not previously studied at a large scale. We validate our framework by testing it on 1925 firmware images from 54 different vendors. We discover important vulnerabilities in 185 firmware images, affecting nearly a quarter of vendors in our dataset. These experimental results demonstrate the effectiveness of our approach

Structured Review of Code Clone Literature

This report presents the results of a structured review of code clone literature. The aim of the review is to assemble a conceptual model of clone-related concepts which helps us to reason about clones. This conceptual model unifies clone concepts from a wide range of literature, so that findings about clones can be compared with each other

Using SVG and XSLT for graphic representation

Using SVG and XSLT for graphic representation In this paper we will present an XML based framework that can be used to produce graphical visualisation of scientific data. The approach rather than producing ordinary histogram and function diagaram graphs, tries to represent the information in a more graphical appealing and easy to understand way. For examples the approach will give the ability to represent the temperature as the level of coulored fluid in a thermometer. The proposed framework is able to maintain the value of the datas strictly separated from the visual form of its representation (positions of element, colours, visual representation etc.). By defining appropriate data structures and expressing them using XML, the framework gives the user the ability to create graphic representations using standard SVG and XSLT. Since XML can be used for describing complex data information, we represent every level of the graphic representation with an XML structure. To describe our architecture we defined the following XML dialects, each one with different markup tags, reflecting the semantical values of the elements. Data definition level. Used to define the value of the datas that can be used in the graphic representation Data representation level. Used to define the graphic representation, it defines how the values expressed by the data definition level are represented. Both data representation and data definition files are based on a DTD to impose the constraints. Data representation level is the core of the system, and defines a powerful language for representation. Source primitives. Used to define for the source of the graphic elements, for example static file or SVG code. Modification primitives. Used to define the modifications that can affect a graphic element, for example rotation, scaling or repetition. Disposition primitives. Used to define the possible dispositions along x, y and z axes, for example to impose a order in the representation of elements. Action primitives. Used to define the possible actions that canbe activated by graphic elements for different user behaviours. For example a mouse action can activate a link to a different resource, or can change the value of any of the other primitives of the data structure, as image source or disposition, or can show a tooltip . XSLT is used to output a SVG file derived from the two files describing the graphic representation. Our aim is to provide an abstract language to be used to represent in different ways the same concept. In fact, we can link a data definition file with different data representation levels, providing different kinds and levels of complexity for the same concept. An example use could be the representation of the temperature described before, where the temperature itself could be represented either as the level of mercury in the termomether, or as the rotation of an arrow in a gauge. The transformation process is made from an XML source tree into an XML result tree, using XPath to define patterns. XSLT transformation process is based on templates, that define some actions (like adding or removing elements, or sorting them) to be performed when a part of the document matches a template. To implement some of the complex graphics operations we are using XSLT extensions that allow to perform mathematical operations. These XSLT extensions are not yet standard and require specific compliant parser, as Apache Xalan, that allows the developer to interface with Java classes in order to increase XSLT areas of application, from simple node transformations to quite complex operations