137 research outputs found
Trustworthy Software : lessons from `goto fail' & Heartbleed bugs
In the first four months of 2014, two major vulnerabilities were announced affecting operation of the Transport Layer Security (TLS) protocol, which is used by applications to secure Internet communications. The `goto fail' bug affected Apple's iOS and OS X software and the `Heartbleed' bug affected versions of the OpenSSL software. Whilst the Apple bug was serious because it affected a wide range of Apple products, the Heartbleed bug was of greater significance due to widespread use of the OpenSSL library. This paper considers the lessons to be learned from these incidents. It examines how the use of the Trustworthy Software Framework (TSF) developed by the authors could have helped to reduce the risk of a major bugs like `goto fail' and Heartbleed. It also examines the responsibilities of developers where they use third party libraries and the need for appropriate due diligence. The paper also makes recommendations about how incidents like this should be handled to avoid confusing and contradictory messages being given
An Empirical Study on Android-related Vulnerabilities
Mobile devices are used more and more in everyday life. They are our cameras,
wallets, and keys. Basically, they embed most of our private information in our
pocket. For this and other reasons, mobile devices, and in particular the
software that runs on them, are considered first-class citizens in the
software-vulnerabilities landscape. Several studies investigated the
software-vulnerabilities phenomenon in the context of mobile apps and, more in
general, mobile devices. Most of these studies focused on vulnerabilities that
could affect mobile apps, while just few investigated vulnerabilities affecting
the underlying platform on which mobile apps run: the Operating System (OS).
Also, these studies have been run on a very limited set of vulnerabilities.
In this paper we present the largest study at date investigating
Android-related vulnerabilities, with a specific focus on the ones affecting
the Android OS. In particular, we (i) define a detailed taxonomy of the types
of Android-related vulnerability; (ii) investigate the layers and subsystems
from the Android OS affected by vulnerabilities; and (iii) study the
survivability of vulnerabilities (i.e., the number of days between the
vulnerability introduction and its fixing). Our findings could help OS and apps
developers in focusing their verification & validation activities, and
researchers in building vulnerability detection tools tailored for the mobile
world
Intruder Alert? How Stock Markets React to Potential IT Security Breaches: The Case of OpenSSL Heartbleed
This exploratory study investigates how potential information technology security breaches affect stock prices. Previous research indicates that stock markets tend to punish firms that experience unsolicited disclosure of information and proprietary data. However, little research exists on the question of whether firms are punished for creating the mere potential for data theft. Based on the information boundary theory, we design our exploratory research model. Subsequently, we utilize a sample of 4,147 stocks of firms headquartered in 43 countries to conduct multiple event studies. We reveal a delayed adverse stock market response to potential IT security breaches as well as a discrimination among firms operating in different industries. Consequently, this work enhances the understanding of the full economic impact of information security measures by shedding light on previously neglected hidden costs
Prioritizing Tasks in Code Repair: A Psychological Exploration of Computer Code
The current study explored the influence of task prioritization on how computer programmers reviewed and edited code. Forty-five programmers recruited from Amazon Mechanical Turk downloaded and edited a computer program in C#. Programmers were given instructions to review the code and told to prioritize either the reputation, transparency, or performance aspects of the code, or were given no prioritization instruction. Code changes and remarks about their changes to the code were analyzed with a between-within multivariate analysis of variance. Results indicate prioritizing an aspect of the code leads to increased performance on that aspect, but with deficits to other aspects of the code. Managers may want programmers to prioritize certain aspects of code depending on the stage of development of the software (i.e., testing, rollout, etc.). However, managers should also be cognizant of the effects task prioritization has on programmer perceptions of the code as a whole
Recommended from our members
Remedying Security Concerns at an Internet Scale
The state of security across the Internet is poor, and it has been so since the advent of the modern Internet. While the research community has made tremendous progress over the years in learning how to design and build secure computer systems, network protocols, and algorithms, we are far from a world where we can truly trust the security of deployed Internet systems. In reality, we may never reach such a world. Security concerns continue to be identified at scale through-out the software ecosystem, with thousands of vulnerabilities discovered each year. Meanwhile, attacks have become ever more frequent and consequential.As Internet systems will continue to be inevitably affected by newly found security concerns, the research community must develop more effective ways to remedy these issues. To that end, in this dissertation, we conduct extensive empirical measurements to understand how remediation occurs in practice for Internet systems, and explore methods for spurring improved remediation behavior. This dissertation provides a treatment of the complete remediation life cycle, investigating the creation, dissemination, and deployment of remedies. We start by focusing on security patches that address vulnerabilities, and analyze at scale their creation process, characteristics of the resulting fixes, and how these impact vulnerability remediation. We then investigate and systematize how administrators of Internet systems deploy software updates which patch vulnerabilities across the many machines they manage on behalf of organizations. Finally, we conduct the first systematic exploration of Internet-scale outreach efforts to disseminate information about security concerns and their remedies to system administrators, with an aim of driving their remediation decisions. Our results show that such outreach campaigns can effectively galvanize positive reactions.Improving remediation, particularly at scale, is challenging, as the problem space exhibits many dimensions beyond traditional computer technical considerations, including human, social, organizational, economic, and policy facets. To make meaningful progress, this work uses a diversity of empirical methods, from software data mining to user studies to Internet-wide network measurements, to systematically collect and evaluate large-scale datasets. Ultimately, this dissertation establishes broad empirical grounding on security remediation in practice today, as well as new approaches for improved remediation at an Internet scale
Evaluating the Gasday Security Policy Through Penetration Testing and Application of the Nist Cybersecurity Framework
This thesis explores cybersecurity from the perspective of the Marquette University GasDay lab. We analyze three different areas of cybersecurity in three independent chapters. Our goal is to improve the cybersecurity capabilities of GasDay, Marquette University, and the natural gas industry. We present network penetration testing as a process of attempting to gain access to resources of GasDay without prior knowledge of any valid credentials. We discuss our method of identifying potential targets using industry standard reconnaissance methods. We outline the process of attempting to gain access to these targets using automated tools and manual exploit creation. We propose several solutions to those targets successfully exploited and recommendations for others. Next, we discuss GasDay Web and techniques to validate the security of a web-based GasDay software product. We use a form of penetration testing specifically targeted for a website. We demonstrate several vulnerabilities that are able to cripple the availability of the website and recommendations to mitigate these vulnerabilities. We then present the results of performing an inspection of GasDay Web code to uncover vulnerabilities undetectable by automated tools and make suggestions on their fixes. We discuss recommendations on how vulnerabilities can be mitigated or detected in the future. Finally, we apply the NIST Cybersecurity Framework to GasDay. We present the Department of Energy recommendations for the natural gas industry. Using these recommendations and the NIST Framework, we evaluate the overall cybersecurity maturity of the GasDay lab. We present several recommendations where GasDay could improve the maturity levels that are cost-effective and easy to implement. We identify several items missing from a cybersecurity plan and propose methods to implement them. The results of this thesis show that cybersecurity at a research lab is difficult. We demonstrate that even as a member of Marquette University, GasDay cannot rely on Marquette for cybersecurity. We show that the primary obstacle is lack of information - about cybersecurity and the assets GasDay controls. We make recommendations on how these items can be effectively created and managed
- …