Automating Seccomp Filter Generation for Linux Applications
Software vulnerabilities in applications undermine the security of
applications. By blocking unused functionality, the impact of potential
exploits can be reduced. While seccomp provides a solution for filtering
syscalls, it requires manual implementation of filter rules for each individual
application. Recent work has investigated automated approaches for detecting
and installing the necessary filter rules. However, as we show, these
approaches make assumptions that are not necessary or require overly
time-consuming analysis.
In this paper, we propose Chestnut, an automated approach for generating
strict syscall filters for Linux userspace applications with lower requirements
and limitations. Chestnut comprises two phases, with the first phase consisting
of two static components, i.e., a compiler and a binary analyzer, that extract
the used syscalls during compilation or in an analysis of the binary. The
compiler-based approach of Chestnut is up to a factor of 73 faster than previous
approaches without adversely affecting the accuracy. On the binary analysis
level, we demonstrate that the requirement of position-independent binaries of
related work is not needed, enlarging the set of applications for which
Chestnut is usable. In an optional second phase, Chestnut provides a dynamic
refinement tool that allows restricting the set of allowed syscalls further. We
demonstrate that Chestnut on average blocks 302 syscalls (86.5%) via the
compiler and 288 (82.5%) using the binary-level analysis on a set of 18 widely
used applications. We found that Chestnut blocks the dangerous exec syscall in
50% and 77.7% of the tested applications using the compiler- and binary-based
approach, respectively. For the tested applications, Chestnut prevents
exploitation of more than 62% of the 175 CVEs that target the kernel via
syscalls. Finally, we perform a 6-month long-term study of a sandboxed Nginx
server
Automatic Software Repair: a Bibliography
This article presents a survey on automatic software repair. Automatic
software repair consists of automatically finding a solution to software bugs
without human intervention. This article considers all kinds of repairs. First,
it discusses behavioral repair where test suites, contracts, models, and
crashing inputs are taken as oracle. Second, it discusses state repair, also
known as runtime repair or runtime recovery, with techniques such as checkpoint
and restart, reconfiguration, and invariant restoration. The uniqueness of this
article is that it spans the research communities that contribute to this body
of knowledge: software engineering, dependability, operating systems,
programming languages, and security. It provides a novel and structured
overview of the diversity of bug oracles and repair operators used in the
literature.
Securing Virtualized System via Active Protection
Virtualization is the predominant enabling technology of current cloud infrastructure
On Making Emerging Trusted Execution Environments Accessible to Developers
New types of Trusted Execution Environment (TEE) architectures like TrustLite
and Intel Software Guard Extensions (SGX) are emerging. They bring new features
that can lead to innovative security and privacy solutions. But each new TEE
environment comes with its own set of interfaces and programming paradigms,
thus raising the barrier for entry for developers who want to make use of these
TEEs. In this paper, we motivate the need for realizing standard TEE interfaces
on such emerging TEE architectures and show that this exercise is not
straightforward. We report on our on-going work in mapping GlobalPlatform
standard interfaces to TrustLite and SGX.
Comment: Author's version of article to appear in 8th International Conference
of Trust & Trustworthy Computing, TRUST 2015, Heraklion, Crete, Greece,
August 24-26, 201
Tailored Source Code Transformations to Synthesize Computationally Diverse Program Variants
The predictability of program execution provides attackers with a rich source of
knowledge, which they can exploit to spy on or remotely control the program. Moving
target defense addresses this issue by constantly switching between many
diverse variants of a program, which reduces the certainty that an attacker can
have about the program execution. The effectiveness of this approach relies on
the availability of a large number of software variants that exhibit different
executions. However, current approaches rely on the natural diversity provided
by off-the-shelf components, which is very limited. In this paper, we explore
the automatic synthesis of large sets of program variants, called sosies.
Sosies provide the same expected functionality as the original program, while
exhibiting different executions. They are said to be computationally diverse.
This work addresses two objectives: comparing different transformations for
increasing the likelihood of sosie synthesis (densifying the search space for
sosies); demonstrating computation diversity in synthesized sosies. We
synthesized 30184 sosies in total, for 9 large, real-world, open source
applications. For all these programs we identified one type of program analysis
that systematically increases the density of sosies; we measured computation
diversity for sosies of 3 programs and found diversity in method calls or data
in more than 40% of sosies. This is a step towards controlled massive
unpredictability of software.
Advanced Techniques for Improving the Efficacy of Digital Forensics Investigations
Digital forensics is the science concerned with discovering, preserving, and analyzing evidence on digital devices. The intent is to be able to determine what events have taken place, when they occurred, who performed them, and how they were performed. In order for an investigation to be effective, it must exhibit several characteristics. The results produced must be reliable, or else the theory of events based on the results will be flawed. The investigation must be comprehensive, meaning that it must analyze all targets which may contain evidence of forensic interest. Since any investigation must be performed within the constraints of available time, storage, manpower, and computation, investigative techniques must be efficient. Finally, an investigation must provide a coherent view of the events under question using the evidence gathered. Unfortunately the set of currently available tools and techniques used in digital forensic investigations does a poor job of supporting these characteristics. Many tools used contain bugs which generate inaccurate results; there are many types of devices and data for which no analysis techniques exist; most existing tools are woefully inefficient, failing to take advantage of modern hardware; and the task of aggregating data into a coherent picture of events is largely left to the investigator to perform manually. To remedy this situation, we developed a set of techniques to facilitate more effective investigations. To improve reliability, we developed the Forensic Discovery Auditing Module, a mechanism for auditing and enforcing controls on accesses to evidence. To improve comprehensiveness, we developed ramparser, a tool for deep parsing of Linux RAM images, which provides previously inaccessible data on the live state of a machine. 
To improve efficiency, we developed a set of performance optimizations, and applied them to the Scalpel file carver, creating order-of-magnitude improvements in processing speed and storage requirements. Last, to facilitate more coherent investigations, we developed the Forensic Automated Coherence Engine, which generates a high-level view of a system from the data generated by low-level forensics tools. Together, these techniques significantly improve the effectiveness of digital forensic investigations conducted using them.
Forensic Box for Quick Network-Based Security Assessments
Network security assessments are seen as important, yet cumbersome and time consuming tasks,
mostly due to the use of different and manually operated tools. These are often very specialized
tools that need to be mastered and combined, besides requiring sometimes that a testing environment
is set up. Nonetheless, in many cases, it would be useful to obtain an audit in a swift
and on-demand manner, even if with less detail. In such cases, these audits could be used as
an initial step for a more detailed evaluation of the network security, as a complement to other
audits, or aid in preventing major data leaks and system failures due to common configuration,
management or implementation issues.
This dissertation describes the work towards the design and development of a portable system
for quick network security assessments and the research on the automation of many tasks (and
associated tools) composing that process. An embodiment of such a system was built using a Raspberry
Pi 2, several well-known open source tools, whose functions vary from network discovery,
service identification, Operating System (OS) fingerprinting, network sniffing and vulnerability
discovery, and custom scripts and programs for connecting all the different parts that comprise
the system. The tools are integrated in a seamless manner with the system, to allow deployment
in wired or wireless network environments, where the device carries out a mostly automated
and thorough analysis. The device is near plug-and-play and produces a structured report at
the end of the assessment. Several simple functions, such as re-scanning the network or doing
Address Resolution Protocol (ARP) poisoning on the network are readily available through a small
LCD display mounted on top of the device. It offers a web based interface for finer configuration
of the several tools and viewing the report, also developed within the scope of this work. Other
specific outputs, such as PCAP files with collected traffic, are available for further analysis.
The system was operated in controlled and real networks, so as to verify the quality of its
assessments. The obtained results were compared with the results obtained through manually
auditing the same networks. The achieved results showed that the device was able to detect
many of the issues that the human auditor detected, but showed some shortcomings in terms
of some specific vulnerabilities, mainly Structured Query Language (SQL) injections.
The image of the OS with the pre-configured tools, automation scripts and programs is available
for download from [Ber16b]. It comprises one of the main outputs of this work.

Security assessments of a network (and of its devices) are seen as important tasks,
but heavy and time-consuming ones, due to the use of different manual tools. Usually,
these tools are highly specialized and require prior knowledge and familiarization, and
often the need to create a test environment. However, in many cases it would be useful to
obtain a quick and more direct audit, even if a shallow one. In that form, it could serve as
an initial step for a more detailed evaluation, complement another audit, or even help to
prevent data leaks and system failures due to common problems of configuration,
management or implementation of the systems.
This dissertation describes the work carried out with the goal of designing and developing a
portable system for quick network security assessments, and also the research carried out
towards the automation of several tasks (and associated tools) that make up the audit
process. An embodiment of the system was created using a Raspberry Pi 2, several well-known
open source tools, whose functionalities range from network discovery, operating system
identification and vulnerability discovery to capture of network traffic, and custom scripts
and programs that interconnect the several parts that make up the system. The tools are
integrated transparently into the system, which can be launched in wired or wireless
environments, where the device performs a meticulous and mostly automated analysis. The
device is practically plug and play and produces a structured report at the end of the
assessment. Several simple functions, such as re-scanning the network or carrying out
Address Resolution Protocol (ARP) cache poisoning attacks on the network, are available
through a small LCD screen mounted on top of the device. It also offers a web interface, also
developed in the context of this work, for more specific configuration of the several tools
and for access to the assessment report. Other more specific outputs, such as files with
captured traffic, are available from this interface.
The system was used in controlled and real networks, in order to verify the quality of its
assessments. The results obtained were compared with those obtained through manual auditing
of the same networks. The results showed that the device detects most of the problems that
an auditor detected manually, but showed some failures in the detection of some specific
vulnerabilities, mostly Structured Query Language (SQL) injections.
The image of the Operating System with the pre-configured tools, automation scripts and
programs is available for download from [Ber16b]. This image corresponds to one of the main
results of this work.