36,995 research outputs found
Advisory: vulnerability analysis in software development project dependencies
Security has become a crucial factor in the development of software systems. The number of dependencies in software systems
is becoming a source of countless bugs and vulnerabilities. In the
past, the product line community has proposed several techniques
and mechanisms to cope with the problems that arise when dealing
with variability and dependency management in such systems. In
this paper, we present Advisory, a solution that allows automated
dependency analysis for vulnerabilities within software projects
based on techniques from the product line community. Advisory
first inspects software dependencies, then generates a dependency
graph, to which security information about vulnerabilities is attributed and translated into a formal model, in this case, based on SMT.
Finally, Advisory provides a set of analysis and reasoning operations
on these models that allow extracting helpful information about
the location of vulnerabilities of the project configuration space,
as well as details for advising on the security risk of these projects
and their possible configurations.
Ministerio de Ciencia e Innovación PID2020-112540RB-C44 (AETHER-US); Junta de Andalucía P20-01224 (COPERNICA); Junta de Andalucía METAMORFOSIS (US-1381375
Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces
Embedded devices are becoming more widespread, interconnected, and
web-enabled than ever. However, recent studies showed that these devices are
far from being secure. Moreover, many embedded systems rely on web interfaces
for user interaction or administration. Unfortunately, web security is known to
be difficult, and therefore the web interfaces of embedded systems represent a
considerable attack surface.
In this paper, we present the first fully automated framework that applies
dynamic firmware analysis techniques to achieve, in a scalable manner,
automated vulnerability discovery within embedded firmware images. We apply our
framework to study the security of embedded web interfaces running in
Commercial Off-The-Shelf (COTS) embedded devices, such as routers, DSL/cable
modems, VoIP phones, IP/CCTV cameras. We introduce a methodology and implement
a scalable framework for discovery of vulnerabilities in embedded web
interfaces regardless of the vendor, device, or architecture. To achieve this
goal, our framework performs full system emulation to achieve the execution of
firmware images in a software-only environment, i.e., without involving any
physical embedded devices. Then, we analyze the web interfaces within the
firmware using both static and dynamic tools. We also present some interesting
case-studies, and discuss the main challenges associated with the dynamic
analysis of firmware images and their web interfaces and network services. The
observations we make in this paper shed light on an important aspect of
embedded devices which was not previously studied at a large scale.
We validate our framework by testing it on 1925 firmware images from 54
different vendors. We discover important vulnerabilities in 185 firmware
images, affecting nearly a quarter of vendors in our dataset. These
experimental results demonstrate the effectiveness of our approach
- …