786 research outputs found
Cipherfix: Mitigating Ciphertext Side-Channel Attacks in Software
Trusted execution environments (TEEs) provide an environment for running
workloads in the cloud without having to trust cloud service providers, by
offering additional hardware-assisted security guarantees. However, main memory
encryption as a key mechanism to protect against system-level attackers trying
to read the TEE's content and physical, off-chip attackers, is insufficient.
The recent Cipherleaks attacks infer secret data from TEE-protected
implementations by analyzing ciphertext patterns exhibited due to deterministic
memory encryption. The underlying vulnerability, dubbed the ciphertext
side-channel, is neither protected by state-of-the-art countermeasures like
constant-time code nor by hardware fixes.
Thus, in this paper, we present a software-based, drop-in solution that can
harden existing binaries such that they can be safely executed under TEEs
vulnerable to ciphertext side-channels, without requiring recompilation. We
combine taint tracking with both static and dynamic binary instrumentation to
find sensitive memory locations, and mitigate the leakage by masking secret
data before it gets written to memory. This way, although the memory encryption
remains deterministic, we destroy any secret-dependent patterns in encrypted
memory. We show that our proof-of-concept implementation protects various
constant-time implementations against ciphertext side-channels with reasonable
overhead.
Comment: Jan Wichelmann and Anna Pätschke contributed equally to this wor
Augmented Symbolic Execution for Information Flow in Hardware Designs
We present SEIF, a methodology that combines static analysis with symbolic
execution to verify and explicate information flow paths in a hardware design.
SEIF begins with a statically built model of the information flow through a
design and uses guided symbolic execution to recognize and eliminate non-flows
with high precision or to find corresponding paths through the design state for
true flows. We evaluate SEIF on two open-source CPUs, an AES core, and the AKER
access control module. SEIF can exhaustively explore 10-12 clock cycles deep in
4-6 seconds on average, and can automatically account for 86-90% of the paths
in the statically built model. Additionally, SEIF can be used to find multiple
violating paths for security properties, providing a new angle for security
verification.
Protection Models for Web Applications
Early web applications were a set of static web pages connected to one another. In contrast, modern applications are full-featured programs that are nearly equivalent to desktop applications in functionality. However, web servers and web browsers, which were initially designed for static web pages, have not updated their protection models to deal with the security consequences of these full-featured programs. This mismatch has been the source of several security problems in web applications.
This dissertation proposes new protection models for web applications. The design and implementation of prototypes of these protection models in a web server and a web browser are also described. Experiments are used to demonstrate the improvements in security and performance from using these protection models. Finally, this dissertation also describes systematic design methods to support the security of web applications.
Fundamental Approaches to Software Engineering
This open access book constitutes the proceedings of the 25th International Conference on Fundamental Approaches to Software Engineering, FASE 2022, which was held during April 4-5, 2022, in Munich, Germany, as part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2022. The 17 regular papers presented in this volume were carefully reviewed and selected from 64 submissions. The proceedings also contain 3 contributions from the Test-Comp Competition. The papers deal with the foundations on which software engineering is built, including topics like software engineering as an engineering discipline, requirements engineering, software architectures, software quality, model-driven development, software processes, software evolution, AI-based software engineering, and the specification, design, and implementation of particular classes of systems, such as (self-)adaptive, collaborative, AI, embedded, distributed, mobile, pervasive, cyber-physical, or service-oriented applications.
Cybersecurity: Past, Present and Future
The digital transformation has created a new digital space known as
cyberspace. This new cyberspace has improved the workings of businesses,
organizations, governments, society as a whole, and the day-to-day life of an
individual. With these improvements come new challenges, and one of the main
challenges is security. The security of the new cyberspace is called
cybersecurity. Cyberspace has created new technologies and environments such as
cloud computing, smart devices, IoTs, and several others. To keep pace with
these advancements in cyber technologies there is a need to expand research and
develop new cybersecurity methods and tools to secure these domains and
environments. This book is an effort to introduce the reader to the field of
cybersecurity, highlight current issues and challenges, and provide future
directions to mitigate or resolve them. The main specializations of
cybersecurity covered in this book are software security, hardware security,
the evolution of malware, biometrics, cyber intelligence, and cyber forensics.
We must learn from the past, evolve our present and improve the future. Based
on this objective, the book covers the past, present, and future of these main
specializations of cybersecurity. The book also examines the upcoming areas of
research in cyber intelligence, such as hybrid augmented and explainable
artificial intelligence (AI). Human and AI collaboration can significantly
increase the performance of a cybersecurity system. Interpreting and explaining
machine learning models, i.e., explainable AI, is an emerging field of study and
has a lot of potential to improve the role of AI in cybersecurity.
Comment: Author's copy of the book published under ISBN: 978-620-4-74421-