1,148 research outputs found
Brief announcement: passive and active attacks on audience response systems using software defined radios
Audience response systems, also known as clickers, are used at many academic institutions to offer active learning environments. Since these systems are used to administer graded assignments, and sometimes even exams, it is crucial to assess their security. Our work seeks to exploit and document potential vulnerabilities of clickers. For this purpose, we use software defined radios to perform jamming, sniffing and spoofing attacks on an audience response system in production, which provide different possible methods of cheating. The results of our study demonstrate that clickers are easily exploitable. We build a prototype and show that it is practically possible to covertly steal or forge answers of a peer or even an entire classroom, with high levels of confidence. Additionally, we find that the receivers software of the system lacks protection against unexpected answers, which allows our spoofer to submit any ASCII character and opens the receiver up to possible fuzzing attacks. As a result of this study, we discourage using clickers for high-stake assessments, unless they provide proper security protection..http://people.bu.edu/staro/SSS2017_Brief_v0.pdfhttp://people.bu.edu/staro/SSS2017_Brief_v0.pdfhttp://people.bu.edu/staro/SSS2017_Brief_v0.pdfAccepted manuscrip
Model-Based Security Testing
Security testing aims at validating software system requirements related to
security properties like confidentiality, integrity, authentication,
authorization, availability, and non-repudiation. Although security testing
techniques are available for many years, there has been little approaches that
allow for specification of test cases at a higher level of abstraction, for
enabling guidance on test identification and specification as well as for
automated test generation.
Model-based security testing (MBST) is a relatively new field and especially
dedicated to the systematic and efficient specification and documentation of
security test objectives, security test cases and test suites, as well as to
their automated or semi-automated generation. In particular, the combination of
security modelling and test generation approaches is still a challenge in
research and of high interest for industrial applications. MBST includes e.g.
security functional testing, model-based fuzzing, risk- and threat-oriented
testing, and the usage of security test patterns. This paper provides a survey
on MBST techniques and the related models as well as samples of new methods and
tools that are under development in the European ITEA2-project DIAMONDS.Comment: In Proceedings MBT 2012, arXiv:1202.582
Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets
Wireless communication standards and implementations have a troubled history
regarding security. Since most implementations and firmwares are closed-source,
fuzzing remains one of the main methods to uncover Remote Code Execution (RCE)
vulnerabilities in deployed systems. Generic over-the-air fuzzing suffers from
several shortcomings, such as constrained speed, limited repeatability, and
restricted ability to debug. In this paper, we present Frankenstein, a fuzzing
framework based on advanced firmware emulation, which addresses these
shortcomings. Frankenstein brings firmware dumps "back to life", and provides
fuzzed input to the chip's virtual modem. The speed-up of our new fuzzing
method is sufficient to maintain interoperability with the attached operating
system, hence triggering realistic full-stack behavior. We demonstrate the
potential of Frankenstein by finding three zero-click vulnerabilities in the
Broadcom and Cypress Bluetooth stack, which is used in most Apple devices, many
Samsung smartphones, the Raspberry Pis, and many others.
Given RCE on a Bluetooth chip, attackers may escalate their privileges beyond
the chip's boundary. We uncover a Wi-Fi/Bluetooth coexistence issue that
crashes multiple operating system kernels and a design flaw in the Bluetooth
5.2 specification that allows link key extraction from the host. Turning off
Bluetooth will not fully disable the chip, making it hard to defend against RCE
attacks. Moreover, when testing our chip-based vulnerabilities on those
devices, we find BlueFrag, a chip-independent Android RCE.Comment: To be published at USENIX Securit
- …