Model-Based Robustness Testing in Event-B Using Mutation

International audienceRobustness testing aims at finding errors in a system under invalid conditions, such as unexpected inputs. We propose a robust-ness testing approach for Event-B based on specification mutation and model-based testing. We assume that a specification describes the valid inputs of a system. By applying negation rules, we mutate the precondition of events to explore invalid behaviour. Tests are generated from the mutated specification using ProB. ProB has been adapted to efficiently process mutated events. Mutated events are statically checked for satisfiability and enability using constraint satisfaction, to prune the transition search space. This has dramatically improve the performance of test generation. The approach is applied to the Java Card bytecode verifier. Large mutated specifications (containing 921 mutated events) can be easily tackled to ensure a good coverage of the robustness test space

Novel Attacks and Defenses in the Userland of Android

In the last decade, mobile devices have spread rapidly, becoming more and more part of our everyday lives; this is due to their feature-richness, mobility, and affordable price. At the time of writing, Android is the leader of the market among operating systems, with a share of 76% and two and a half billion active Android devices around the world. Given that such small devices contain a massive amount of our private and sensitive information, the economic interests in the mobile ecosystem skyrocketed. For this reason, not only legitimate apps running on mobile environments have increased dramatically, but also malicious apps have also been on a steady rise. On the one hand, developers of mobile operating systems learned from security mistakes of the past, and they made significant strides in blocking those threats right from the start. On the other hand, these high-security levels did not deter attackers. In this thesis, I present my research contribution about the most meaningful attack and defense scenarios in the userland of the modern Android operating system. I have emphasized "userland'' because attack and defense solutions presented in this thesis are executing in the userspace of the operating system, due to the fact that Android is slightly different from traditional operating systems. After the necessary technical background, I show my solution, RmPerm, in order to enable Android users to better protect their privacy by selectively removing permissions from any app on any Android version. This operation does not require any modification to the underlying operating system because we repack the original application. Then, using again repackaging, I have developed Obfuscapk; it is a black-box obfuscation tool that can work with every Android app and offers a free solution with advanced state of the art obfuscation techniques -- especially the ones used by malware authors. Subsequently, I present a machine learning-based technique that focuses on the identification of malware in resource-constrained devices such as Android smartphones. This technique has a very low resource footprint and does not rely on resources outside the protected device. Afterward, I show how it is possible to mount a phishing attack -- the historically preferred attack vector -- by exploiting two recent Android features, initially introduced in the name of convenience. Although a technical solution to this problem certainly exists, it is not solvable from a single entity, and there is the need for a push from the entire community. But sometimes, even though there exists a solution to a well-known vulnerability, developers do not take proper precautions. In the end, I discuss the Frame Confusion vulnerability; it is often present in hybrid apps, and it was discovered some years ago, but I show how it is still widespread. I proposed a methodology, implemented in the FCDroid tool, for systematically detecting the Frame Confusion vulnerability in hybrid Android apps. The results of an extensive analysis carried out through FCDroid on a set of the most downloaded apps from the Google Play Store prove that 6.63% (i.e., 1637/24675) of hybrid apps are potentially vulnerable to Frame Confusion. The impact of such results on the Android users' community is estimated in 250.000.000 installations of vulnerable apps

Data trust framework using blockchain and smart contracts

Lack of trust is the main barrier preventing more widespread data sharing. The lack of transparent and reliable infrastructure for data sharing prevents many data owners from sharing their data. Data trust is a paradigm that facilitates data sharing by forcing data controllers to be transparent about the process of sharing and reusing data. Blockchain technology has the potential to present the essential properties for creating a practical and secure data trust framework by transforming current auditing practices and automatic enforcement of smart contracts logic without relying on intermediaries to establish trust. Blockchain holds an enormous potential to remove the barriers of traditional centralized applications and propose a distributed and transparent administration by employing the involved parties to maintain consensus on the ledger. Furthermore, smart contracts are a programmable component that provides blockchain with more flexible and powerful capabilities. Recent advances in blockchain platforms toward smart contracts' development have revealed the possibility of implementing blockchain-based applications in various domains, such as health care, supply chain and digital identity. This dissertation investigates the blockchain's potential to present a framework for data trust. It starts with a comprehensive study of smart contracts as the main component of blockchain for developing decentralized data trust. Interrelated, three decentralized applications that address data sharing and access control problems in various fields, including healthcare data sharing, business process, and physical access control system, have been developed and examined. In addition, a general-purpose application based on an attribute-based access control model is proposed that can provide trusted auditability required for data sharing and access control systems and, ultimately, a data trust framework. Besides auditing, the system presents a transparency level that both access requesters (data users) and resource owners (data controllers) can benefit from. The proposed solutions have been validated through a use case of independent digital libraries. It also provides a detailed performance analysis of the system implementation. The performance results have been compared based on different consensus mechanisms and databases, indicating the system's high throughput and low latency. Finally, this dissertation presents an end-to-end data trust framework based on blockchain technology. The proposed framework promotes data trustworthiness by assessing input datasets, effectively managing access control, and presenting data provenance and activity monitoring. A trust assessment model that examines the trustworthiness of input data sets and calculates the trust value is presented. The number of transaction validators is defined adaptively with the trust value. This research provides solutions for both data owners and data users’ by ensuring the trustworthiness and quality of the data at origin and transparent and secure usage of the data at the end. A comprehensive experimental study indicates the presented system effectively handles a large number of transactions with low latency

Foundations of Security Analysis and Design III, FOSAD 2004/2005- Tutorial Lectures

he increasing relevance of security to real-life applications, such as electronic commerce and Internet banking, is attested by the fast-growing number of research groups, events, conferences, and summer schools that address the study of foundations for the analysis and the design of security aspects. This book presents thoroughly revised versions of eight tutorial lectures given by leading researchers during two International Schools on Foundations of Security Analysis and Design, FOSAD 2004/2005, held in Bertinoro, Italy, in September 2004 and September 2005. The lectures are devoted to: Justifying a Dolev-Yao Model under Active Attacks, Model-based Security Engineering with UML, Physical Security and Side-Channel Attacks, Static Analysis of Authentication, Formal Methods for Smartcard Security, Privacy-Preserving Database Systems, Intrusion Detection, Security and Trust Requirements Engineering

Measuring and Mitigating Security and Privacy Issues on Android Applications

Over time, the increasing popularity of the Android operating system (OS) has resulted in its user-base surging past 1 billion unique devices. As a result, cybercriminals and other non-criminal actors are attracted to the OS due to the amount of user information they can access. Aiming to investigate security and privacy issues on the Android ecosystem, previous work has shown that it is possible for malevolent actors to steal users' sensitive personal information over the network, via malicious applications, or vulnerability exploits etc., presenting proof of concepts or evidences of exploits. Due to the ever-changing nature of the Android ecosystem and the arms race involved in detecting and mitigating malicious applications, it is important to continuously examine the ecosystem for security and privacy issues. This thesis presents research contributions in this space, and it is divided into two parts. The first part focuses on measuring and mitigating vulnerabilities in applications due to poor implementation of security and privacy protocols. In particular, we investigate the implementation of the SSL/TLS protocol validation logic, and properties such as ephemerality, anonymity, and end-to-end encryption. We show that, despite increased awareness of vulnerabilities in SSL/TLS implementation by application developers, these vulnerabilities are still present in popular applications, allowing malicious actors steal users' information. To help developers mitigate them, we provide useful recommendations such as enabling SSL/TLS pinning and using the same certificate validation logic in their test and development environments. The second part of this thesis focuses on the detection of malicious applications that compromise users' security and privacy, the detection performance of the different program analysis approach, and the influence of different input generators during dynamic analysis on detection performance. We present a novel method for detecting malicious applications, which is less susceptible to the evolution of the Android ecosystem (i.e., changes in the Android framework as a result of the addition/removal of API calls in new releases) and malware (i.e., changes in techniques to evade detection) compared to previous methods. Overall, this thesis contributes to knowledge around Android apps with respect to, vulnerability discovery that leads to loss of users' security and privacy, and the design of robust Android malware detection tools. It highlights the need for continual evaluation of apps as the ecosystem changes to detect and prevent vulnerabilities and malware that results in a compromise of users' security and privacy

Universal Skeptic Binder-Droid - Towards Arresting Malicious Communication of Colluding Apps in Android

Since its first release, Android has been increasingly adopted by people and companies worldwide. It is currently estimated that around 1.1 billion Android devices are in use. Even though Android was built with Security principles and comes with a sound security model, it is a favorite target for malware authors. McAfee observed a 76% year on year growth in Android malware during the year 2014 alone. Thus malware is a predominant threat in Android ecosystem. A common attack vector for Android malware is the use of colluding apps. Colluding apps involve two or more applications and operate in two phases. In Phase 1, one application steals private sensitive data of the user In Phase 2, the same application sends the data to another application via covert communication channels. There are several covert channels in Android frameworks. Until now, several solutions in the literature have focused on preventing the extraction of sensitive data from the phone. We, to the best of our knowledge, are the first to stop the flow of sensitive info via the covert channels. We propose, Universal Skeptic Binder-Droid, an enhanced Binder module which enforces policies regarding the use of communication channels and prevents apps from colluding. With our proposed system, we have the added advantage of dynamically configuring policies at run time. Our initial implementation and results on our test bed reflect on the effectiveness and the ease of use of such a system

Génération de tests de vulnérabilité pour la structure des fichiers cap en Java Card

Les cartes à puce Java comportent plusieurs mécanismes de sécurité, dont le vérifieur de code intermédiaire (\emph{$\ll$Java Card bytecode verifier$\gg$}), qui est composé de deux parties, la vérification de structure et la vérification de type. Ce mémoire porte sur la génération de tests de vulnérabilité pour la vérification de structure. Il s'inspire des travaux sur la vérification de type de l'outil \textsc{VTG} (\emph{$\ll$Vulnerability Tests Generator$\gg$}) développé par Aymerick Savary. Notre approche consiste à modéliser formellement la spécification de la structure des fichiers \textsf{CAP} avec le langage \textsf{Event-B}, en utilisant des contextes. Cette modélisation permet de donner une définition formelle d'un fichier \textsf{CAP} valide. Nous utilisons ensuite la mutation de spécification pour insérer des fautes dans cette définition dans le but de générer des fichiers \textsf{CAP} (\emph{$\ll$Converted APplet$\gg$}) invalides. Nous utilisons \textsc{ProB}, un explorateur de modèles \textsf{Event-B}, pour générer des tests abstraits de fichiers CAP invalides. La spécification formelle étant d'une taille importante qui entraîne une forte explosion combinatoire (plus de 250 constantes, 450 axiomes, 100 contextes), nous guidons \textsc{ProB} dans sa recherche de modèles en utilisant des valeurs prédéterminées pour un sous-ensemble de symboles de la spécification. Ce mémoire propose un ensemble de patrons de spécification pour représenter les structures des fichiers CAP. Ces patrons limitent aussi l'explosion combinatoire, tout en facilitant la tâche de spécification. Notre spécification \textsf{Event-B} comprend toute la définition des structures des fichiers CAP et une partie des contraintes. Des tests abstraits sont générés pour une partie du modèle, à titre illustratif. Ces tests ont permis de mettre en lumière des imprécisions dans la spécification \textsf{Java Card}. Ces travaux ont permis d'étendre la méthode de génération de test de vulnérabilité aux contextes \textsf{Event-B}. De plus, le modèle proposé permet de tester, à l'aide du \textsc{VTG}, une partie plus importante de la vérification de structure du vérifieur de code intermédiaire

Tools and Algorithms for the Construction and Analysis of Systems

This open access two-volume set constitutes the proceedings of the 26th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, TACAS 2020, which took place in Dublin, Ireland, in April 2020, and was held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2020. The total of 60 regular papers presented in these volumes was carefully reviewed and selected from 155 submissions. The papers are organized in topical sections as follows: Part I: Program verification; SAT and SMT; Timed and Dynamical Systems; Verifying Concurrent Systems; Probabilistic Systems; Model Checking and Reachability; and Timed and Probabilistic Systems. Part II: Bisimulation; Verification and Efficiency; Logic and Proof; Tools and Case Studies; Games and Automata; and SV-COMP 2020

Tools and Algorithms for the Construction and Analysis of Systems

This open access two-volume set constitutes the proceedings of the 27th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, TACAS 2021, which was held during March 27 – April 1, 2021, as part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2021. The conference was planned to take place in Luxembourg and changed to an online format due to the COVID-19 pandemic. The total of 41 full papers presented in the proceedings was carefully reviewed and selected from 141 submissions. The volume also contains 7 tool papers; 6 Tool Demo papers, 9 SV-Comp Competition Papers. The papers are organized in topical sections as follows: Part I: Game Theory; SMT Verification; Probabilities; Timed Systems; Neural Networks; Analysis of Network Communication. Part II: Verification Techniques (not SMT); Case Studies; Proof Generation/Validation; Tool Papers; Tool Demo Papers; SV-Comp Tool Competition Papers