Toward least-privilege isolation for software
Hackers leverage software vulnerabilities to disclose, tamper with, or destroy sensitive
data. To protect sensitive data, programmers can adhere to the principle of
least privilege, which entails giving software the minimal privilege it needs to operate,
so that sensitive data is only available to software components on a
strictly need-to-know basis. Unfortunately, applying this principle in practice is difficult,
as current operating systems tend to provide coarse-grained mechanisms for
limiting privilege. Thus, most applications today run with greater-than-necessary
privileges. We propose sthreads, a set of operating system primitives that allows
fine-grained isolation of software to approximate the least-privilege ideal. sthreads
enforce a default-deny model, where software components have no privileges by default,
so all privileges must be explicitly granted by the programmer.
Experience introducing sthreads into previously monolithic applications (thus
partitioning them) reveals that enumerating privileges for sthreads is difficult in
practice. To ease the introduction of sthreads into existing code, we include Crowbar,
a tool that can be used to learn the privileges required by a compartment. We
show that only a few changes to existing code are necessary in order to partition
applications with sthreads, and that Crowbar can guide the programmer through
these changes. We show that applying sthreads to applications successfully narrows
the attack surface by reducing the amount of code that can access sensitive data.
Finally, we show that applications using sthreads pay only a small performance
overhead. We applied sthreads to a range of applications. Most notably, we applied them to an SSL
web server, where we show that sthreads are powerful enough to protect sensitive
data even against a strong adversary that can act as a man-in-the-middle in the
network and also exploit most code in the web server, a threat model not addressed
to date.
A Vulnerability Assessment of the East Tennessee State University Administrative Computer Network.
A three-phase audit of East Tennessee State University's administrative computer network was conducted during Fall 2001, Spring 2002, and January 2004. Nmap and Nessus were used to collect the vulnerability data. Analysis discovered an average of 3.065 critical vulnerabilities per host, with a low of 2.377 in Spring 2001 to a high of 3.694 in Fall 2001. The number of unpatched Windows operating system vulnerabilities, which accounted for over 75% of these critical vulnerabilities, strongly argues for the need of an automated patch deployment system for the approximately 3,000 Windows-based systems at ETSU.
CVE-driven Attack Technique Prediction with Semantic Information Extraction and a Domain-specific Language Model
This paper addresses a critical challenge in cybersecurity: the gap between
vulnerability information represented by Common Vulnerabilities and Exposures
(CVEs) and the resulting cyberattack actions. CVEs provide insights into
vulnerabilities, but often lack details on potential threat actions (tactics,
techniques, and procedures, or TTPs) within the ATT&CK framework. This gap
hinders accurate CVE categorization and proactive countermeasure initiation.
The paper introduces the TTPpredictor tool, which uses innovative techniques to
analyze CVE descriptions and infer plausible TTP attacks resulting from CVE
exploitation. TTPpredictor overcomes challenges posed by limited labeled data
and semantic disparities between CVE and TTP descriptions. It initially
extracts threat actions from unstructured cyber threat reports using Semantic
Role Labeling (SRL) techniques. These actions, along with their contextual
attributes, are correlated with MITRE's attack functionality classes. This
automated correlation facilitates the creation of labeled data, essential for
categorizing novel threat actions into threat functionality classes and TTPs.
The paper presents an empirical assessment, demonstrating TTPpredictor's
effectiveness with accuracy rates of approximately 98% and F1-scores ranging
from 95% to 98% in precise CVE classification to ATT&CK techniques.
TTPpredictor outperforms state-of-the-art language model tools like ChatGPT.
Overall, this paper offers a robust solution for linking CVEs to potential
attack techniques, enhancing cybersecurity practitioners' ability to
proactively identify and mitigate threats.