137 research outputs found

    Trustworthy Software: lessons from 'goto fail' & Heartbleed bugs

    In the first four months of 2014, two major vulnerabilities were announced affecting operation of the Transport Layer Security (TLS) protocol, which is used by applications to secure Internet communications. The 'goto fail' bug affected Apple's iOS and OS X software and the 'Heartbleed' bug affected versions of the OpenSSL software. Whilst the Apple bug was serious because it affected a wide range of Apple products, the Heartbleed bug was of greater significance due to widespread use of the OpenSSL library. This paper considers the lessons to be learned from these incidents. It examines how the use of the Trustworthy Software Framework (TSF) developed by the authors could have helped to reduce the risk of major bugs like 'goto fail' and Heartbleed. It also examines the responsibilities of developers where they use third party libraries and the need for appropriate due diligence. The paper also makes recommendations about how incidents like this should be handled to avoid confusing and contradictory messages being given

    An Empirical Study on Android-related Vulnerabilities

    Mobile devices are used more and more in everyday life. They are our cameras, wallets, and keys. Basically, they embed most of our private information in our pocket. For this and other reasons, mobile devices, and in particular the software that runs on them, are considered first-class citizens in the software-vulnerabilities landscape. Several studies investigated the software-vulnerabilities phenomenon in the context of mobile apps and, more in general, mobile devices. Most of these studies focused on vulnerabilities that could affect mobile apps, while just a few investigated vulnerabilities affecting the underlying platform on which mobile apps run: the Operating System (OS). Also, these studies have been run on a very limited set of vulnerabilities. In this paper we present the largest study to date investigating Android-related vulnerabilities, with a specific focus on the ones affecting the Android OS. In particular, we (i) define a detailed taxonomy of the types of Android-related vulnerability; (ii) investigate the layers and subsystems from the Android OS affected by vulnerabilities; and (iii) study the survivability of vulnerabilities (i.e., the number of days between the vulnerability introduction and its fixing). Our findings could help OS and apps developers in focusing their verification & validation activities, and researchers in building vulnerability detection tools tailored for the mobile world

    Intruder Alert? How Stock Markets React to Potential IT Security Breaches: The Case of OpenSSL Heartbleed

    This exploratory study investigates how potential information technology security breaches affect stock prices. Previous research indicates that stock markets tend to punish firms that experience unsolicited disclosure of information and proprietary data. However, little research exists on the question of whether firms are punished for creating the mere potential for data theft. Based on the information boundary theory, we design our exploratory research model. Subsequently, we utilize a sample of 4,147 stocks of firms headquartered in 43 countries to conduct multiple event studies. We reveal a delayed adverse stock market response to potential IT security breaches as well as a discrimination among firms operating in different industries. Consequently, this work enhances the understanding of the full economic impact of information security measures by shedding light on previously neglected hidden costs

    Prioritizing Tasks in Code Repair: A Psychological Exploration of Computer Code

    The current study explored the influence of task prioritization on how computer programmers reviewed and edited code. Forty-five programmers recruited from Amazon Mechanical Turk downloaded and edited a computer program in C#. Programmers were given instructions to review the code and told to prioritize either the reputation, transparency, or performance aspects of the code, or were given no prioritization instruction. Code changes and remarks about their changes to the code were analyzed with a between-within multivariate analysis of variance. Results indicate prioritizing an aspect of the code leads to increased performance on that aspect, but with deficits to other aspects of the code. Managers may want programmers to prioritize certain aspects of code depending on the stage of development of the software (i.e., testing, rollout, etc.). However, managers should also be cognizant of the effects task prioritization has on programmer perceptions of the code as a whole

    Evaluating the GasDay Security Policy Through Penetration Testing and Application of the NIST Cybersecurity Framework

    This thesis explores cybersecurity from the perspective of the Marquette University GasDay lab. We analyze three different areas of cybersecurity in three independent chapters. Our goal is to improve the cybersecurity capabilities of GasDay, Marquette University, and the natural gas industry. We present network penetration testing as a process of attempting to gain access to resources of GasDay without prior knowledge of any valid credentials. We discuss our method of identifying potential targets using industry standard reconnaissance methods. We outline the process of attempting to gain access to these targets using automated tools and manual exploit creation. We propose several solutions to those targets successfully exploited and recommendations for others. Next, we discuss GasDay Web and techniques to validate the security of a web-based GasDay software product. We use a form of penetration testing specifically targeted for a website. We demonstrate several vulnerabilities that are able to cripple the availability of the website and recommendations to mitigate these vulnerabilities. We then present the results of performing an inspection of GasDay Web code to uncover vulnerabilities undetectable by automated tools and make suggestions on their fixes. We discuss recommendations on how vulnerabilities can be mitigated or detected in the future. Finally, we apply the NIST Cybersecurity Framework to GasDay. We present the Department of Energy recommendations for the natural gas industry. Using these recommendations and the NIST Framework, we evaluate the overall cybersecurity maturity of the GasDay lab. We present several recommendations where GasDay could improve the maturity levels that are cost-effective and easy to implement. We identify several items missing from a cybersecurity plan and propose methods to implement them. The results of this thesis show that cybersecurity at a research lab is difficult. We demonstrate that even as a member of Marquette University, GasDay cannot rely on Marquette for cybersecurity. We show that the primary obstacle is lack of information - about cybersecurity and the assets GasDay controls. We make recommendations on how these items can be effectively created and managed