Fuzzing the Internet of Things: A Review on the Techniques and Challenges for Efficient Vulnerability Discovery in Embedded Systems

With a growing number of embedded devices that create, transform and send data autonomously at its core, the Internet-of-Things (IoT) is a reality in different sectors such as manufacturing, healthcare or transportation. With this expansion, the IoT is becoming more present in critical environments, where security is paramount. Infamous attacks such as Mirai have shown the insecurity of the devices that power the IoT, as well as the potential of such large-scale attacks. Therefore, it is important to secure these embedded systems that form the backbone of the IoT. However, the particular nature of these devices and their resource constraints mean that the most cost-effective manner of securing these devices is to secure them before they are deployed, by minimizing the number of vulnerabilities they ship. To this end, fuzzing has proved itself as a valuable technique for automated vulnerability finding, where specially crafted inputs are fed to programs in order to trigger vulnerabilities and crash the system. In this survey, we link the world of embedded IoT devices and fuzzing. For this end, we list the particularities of the embedded world as far as security is concerned, we perform a literature review on fuzzing techniques and proposals, studying their applicability to embedded IoT devices and, finally, we present future research directions by pointing out the gaps identified in the review

Security, privacy, and legislation adherence assessment of a whistleblowing web application

In recent years, web applications have become increasingly more complex as they are required to have more features than ever before. The need for more features comes from both the service providers as well as the end-users, since competition on the Software as a Service (SaaS) market can be fierce. The ever-growing complexity and feature richness of web applications have in turn also increased their attack surface, predisposing them to new threats and vulnerabilities. The evolving web applications have also developed new methods of gathering personal data from its users. User information privacy has become a hot topic of discussion in the past decade, which has led to privacy legislation being enacted in different regions of the world. In 2019, the European Parliament enacted Directive (EU) 2019/1937 into the European law, which is also known as the Whistleblower Directive. The Directive's goal is to establish rules and procedures to protect individuals who report information they have acquired in a work-related context on breaches of EU law in key policy areas. The Directive requires qualifying organizations and municipalities to set up reporting channels that whistleblowers can use to anonymously report these breaches. The commissioner of this thesis, BeanBakers Ltd, has developed a web application called Vihjaa that is meant to be used by organizations and municipalities as an internal reporting channel that complies with the requirements set for the application by the Directive. The main objectives of this thesis were to identify the requirements set for Vihjaa by EU law and then to conduct security, privacy, and legislation adherence assessments on Vihjaa to gain a deeper understanding of its current status. Furthermore, the procedures and methodology used during the assessments can be used as a framework for future works, which assess the states of other web applications. Our assessment found that Vihjaa's state of security, privacy, and legislation adherence are mostly in a good standing, but there were multiple issues identified that should be addressed. Most of the identified issues were of low severity, for instance, lacking a privacy policy document, missing a incident response plan, and out-dated dependencies. In this thesis, we present the developed framework that can be used to assess web applications of this nature, the results of our assessments, and a ranking of data items collected by a web application based on how critical they are for the process of identifying a specific user

Informacijos saugos valdymo karkasas smulkiam ir vidutiniam verslui

Information security is one of the concerns any organization or person faces. The list of new threats appears, and information security management mechanisms have to be established and continuously updated to be able to fight against possible security issues. To be up to date with existing information technology threats and prevention, protection, maintenance possibilities, more significant organizations establish positions or even departments, to be responsible for the information security management. However, small and medium enterprise (SME) does not have enough capacities. Therefore, the information security management situation in SMEs is fragmented and needs improvement. In this thesis, the problem of information security management in the small and medium enterprise is analyzed. It aims to simplify the information security management process in the small and medium enterprise by proposing concentrated information and tools in information security management framework. Existence of an information security framework could motivate SME to use it in practice and lead to an increase of SME security level. The dissertation consists of an introduction, four main chapters and general conclusions. The first chapter introduces the problem of information security management and its’ automation. Moreover, state-of-the-art frameworks for information security management in SME are analyzed and compared. The second chapter proposes a novel information security management framework and guidelines on its adoption. The framework is designed based on existing methodologies and frameworks. A need for a model for security evaluation based on the organization’s management structure noticed in chapter two; therefore, new probability theory-based model for organizations information flow security level estimation presented in chapter three. The fourth chapter presents the validation of proposed security evaluation models by showing results of a case study and experts ranking of the same situations. The multi-criteria analysis was executed to evaluate the ISMF suitability to be applied in a small and medium enterprise. In this chapter, we also analyze the opinion of information technology employees in an SME on newly proposed information security management framework as well as a new model for information security level estimation. The thesis is summarized by the general conclusions which confirm the need of newly proposed framework and associated tools as well as its suitability to be used in SME to increase the understanding of current information security threat situation.Dissertatio

Traceability and tracing of pharmaceutical distribution through Blockchain and Smart Contracts

[Abstract]: Pharmaceutical supply chains require a large number of actions and resources to track products circulating there. However, the appearance of Blockchain implies a substantial advance in identifying products since it adapts perfectly to the conditions imposed by the sector. Therefore, this Bachelor’s thesis investigates technologies such as Blockchain to reinforce the mechanisms and guarantee security in the traffic of products throughout the pharmaceutical supply chain. The developed system allows users to interact with it, facilitating a graphical interface with all the functionalities offered to add, update and view information on both medicines and workers. In addition, this system offers great reliability when it comes to ensuring the integrity of the information assigned to medicines, where data is accessible throughout the supply chain, ensuring total transparency between members of the chain and end users. Therefore, in terms of security, this system makes great strides to offer a solution against falsifications in the supply of medicines and their subsequent sale.[Resumo]: As cadeas de suministro farmacéuticas requiren un gran número de accións e recursos para poder realizar o seguimento dos produtos que por alí circulan. Sin embargo, a aparición de Blockchain implica un avance substancial á hora de identificar os produtos que se amolda perfectamente ás condicións impostas polo sector. Por ello, este Traballo Fin de Grao investiga en tecnoloxías como Blockchain para reforzar os mecanismos e garantir a seguridade no tráfico de produtos ao longo da cadea de suministro farmacéutico. Desenvolveuse un sistema co que os usuarios poden interactuar facilitando unha interface gráfica con todas as funcionalidades ofrecidas para engadir, actualizar e visualizar información tanto de medicamentos como dos traballadores. Ademais, este sistema ofrece unha gran fiabilidade á hora de garantir a integridade da información asignada aos medicamentos, onde os datos son accesibles en toda a cadea de suministro, garantindo a total transparencia entre os membros da cadea e os usuarios finais. Por iso, en materia de seguridade, o sistema dá grandes avances para ofrecer unha solución contra as falsificacións na subministración de medicamentos e a súa posterior venda.Traballo fin de grao (UDC.FIC). Enxeñaría Informática. Curso 2021/202

Modélisation formelle des systèmes de détection d'intrusions

L’écosystème de la cybersécurité évolue en permanence en termes du nombre, de la diversité, et de la complexité des attaques. De ce fait, les outils de détection deviennent inefficaces face à certaines attaques. On distingue généralement trois types de systèmes de détection d’intrusions : détection par anomalies, détection par signatures et détection hybride. La détection par anomalies est fondée sur la caractérisation du comportement habituel du système, typiquement de manière statistique. Elle permet de détecter des attaques connues ou inconnues, mais génère aussi un très grand nombre de faux positifs. La détection par signatures permet de détecter des attaques connues en définissant des règles qui décrivent le comportement connu d’un attaquant. Cela demande une bonne connaissance du comportement de l’attaquant. La détection hybride repose sur plusieurs méthodes de détection incluant celles sus-citées. Elle présente l’avantage d’être plus précise pendant la détection. Des outils tels que Snort et Zeek offrent des langages de bas niveau pour l’expression de règles de reconnaissance d’attaques. Le nombre d’attaques potentielles étant très grand, ces bases de règles deviennent rapidement difficiles à gérer et à maintenir. De plus, l’expression de règles avec état dit stateful est particulièrement ardue pour reconnaître une séquence d’événements. Dans cette thèse, nous proposons une approche stateful basée sur les diagrammes d’état-transition algébriques (ASTDs) afin d’identifier des attaques complexes. Les ASTDs permettent de représenter de façon graphique et modulaire une spécification, ce qui facilite la maintenance et la compréhension des règles. Nous étendons la notation ASTD avec de nouvelles fonctionnalités pour représenter des attaques complexes. Ensuite, nous spécifions plusieurs attaques avec la notation étendue et exécutons les spécifications obtenues sur des flots d’événements à l’aide d’un interpréteur pour identifier des attaques. Nous évaluons aussi les performances de l’interpréteur avec des outils industriels tels que Snort et Zeek. Puis, nous réalisons un compilateur afin de générer du code exécutable à partir d’une spécification ASTD, capable d’identifier de façon efficiente les séquences d’événements.Abstract : The cybersecurity ecosystem continuously evolves with the number, the diversity, and the complexity of cyber attacks. Generally, we have three types of Intrusion Detection System (IDS) : anomaly-based detection, signature-based detection, and hybrid detection. Anomaly detection is based on the usual behavior description of the system, typically in a static manner. It enables detecting known or unknown attacks but also generating a large number of false positives. Signature based detection enables detecting known attacks by defining rules that describe known attacker’s behavior. It needs a good knowledge of attacker behavior. Hybrid detection relies on several detection methods including the previous ones. It has the advantage of being more precise during detection. Tools like Snort and Zeek offer low level languages to represent rules for detecting attacks. The number of potential attacks being large, these rule bases become quickly hard to manage and maintain. Moreover, the representation of stateful rules to recognize a sequence of events is particularly arduous. In this thesis, we propose a stateful approach based on algebraic state-transition diagrams (ASTDs) to identify complex attacks. ASTDs allow a graphical and modular representation of a specification, that facilitates maintenance and understanding of rules. We extend the ASTD notation with new features to represent complex attacks. Next, we specify several attacks with the extended notation and run the resulting specifications on event streams using an interpreter to identify attacks. We also evaluate the performance of the interpreter with industrial tools such as Snort and Zeek. Then, we build a compiler in order to generate executable code from an ASTD specification, able to efficiently identify sequences of events

TLS/PKI Challenges and certificate pinning techniques for IoT and M2M secure communications

Transport Layer Security is becoming the de facto standard to provide end-to-end security in the current Internet. IoT and M2M scenarios are not an exception since TLS is also being adopted there. The ability of TLS for negotiating any security parameter, its flexibility and extensibility are responsible for its wide adoption but also for several attacks. Moreover, as it relies on Public Key Infrastructure (PKI) for authentication, it is also affected by PKI problems. Considering the advent of IoT/M2M scenarios and their particularities, it is necessary to have a closer look at TLS history to evaluate the potential challenges of using TLS and PKI in these scenarios. According to this, the article provides a deep revision of several security aspects of TLS and PKI, with a particular focus on current Certificate Pinning solutions in order to illustrate the potential problems that should be addressed

Advanced Digital Auditing

This open access book discusses the most modern approach to auditing complex digital systems and technologies. It combines proven auditing approaches, advanced programming techniques and complex application areas, and covers the latest findings on theory and practice in this rapidly developing field. Especially for those who want to learn more about novel approaches to testing complex information systems and related technologies, such as blockchain and self-learning systems, the book will be a valuable resource. It is aimed at students and practitioners who are interested in contemporary technology and managerial implications

A Mobile Secure Bluetooth-Enabled Cryptographic Provider

The use of digital X509v3 public key certificates, together with different standards for secure digital signatures are commonly adopted to establish authentication proofs between principals, applications and services. One of the robustness characteristics commonly associated with such mechanisms is the need of hardware-sealed cryptographic devices, such as Hardware-Security Modules (or HSMs), smart cards or hardware-enabled tokens or dongles. These devices support internal functions for management and storage of cryptographic keys, allowing the isolated execution of cryptographic operations, with the keys or related sensitive parameters never exposed. The portable devices most widely used are USB-tokens (or security dongles) and internal ships of smart cards (as it is also the case of citizen cards, banking cards or ticketing cards). More recently, a new generation of Bluetooth-enabled smart USB dongles appeared, also suitable to protect cryptographic operations and digital signatures for secure identity and payment applications. The common characteristic of such devices is to offer the required support to be used as secure cryptographic providers. Among the advantages of those portable cryptographic devices is also their portability and ubiquitous use, but, in consequence, they are also frequently forgotten or even lost. USB-enabled devices imply the need of readers, not always and not commonly available for generic smartphones or users working with computing devices. Also, wireless-devices can be specialized or require a development effort to be used as standard cryptographic providers. An alternative to mitigate such problems is the possible adoption of conventional Bluetooth-enabled smartphones, as ubiquitous cryptographic providers to be used, remotely, by client-side applications running in users’ devices, such as desktop or laptop computers. However, the use of smartphones for safe storage and management of private keys and sensitive parameters requires a careful analysis on the adversary model assumptions. The design options to implement a practical and secure smartphone-enabled cryptographic solution as a product, also requires the approach and the better use of the more interesting facilities provided by frameworks, programming environments and mobile operating systems services. In this dissertation we addressed the design, development and experimental evaluation of a secure mobile cryptographic provider, designed as a mobile service provided in a smartphone. The proposed solution is designed for Android-Based smartphones and supports on-demand Bluetooth-enabled cryptographic operations, including standard digital signatures. The addressed mobile cryptographic provider can be used by applications running on Windows-enabled computing devices, requesting digital signatures. The solution relies on the secure storage of private keys related to X509v3 public certificates and Android-based secure elements (SEs). With the materialized solution, an application running in a Windows computing device can request standard digital signatures of documents, transparently executed remotely by the smartphone regarded as a standard cryptographic provider