3,741 research outputs found

    Preventing Premature Death in the M&S Lifecycle: Lessons Learned from Resurrection and Modernization of a Space System Contamination Model

    Models and simulations (M&S) are often developed to meet specific needs and unique requirements for a particular situation. Once the M&S is implemented for a specific case and questions are answered, the M&S may go dormant until a similar need arises again at a later time, perhaps months to years later. Possible modification of the M&S may be required, and issues may arise if the M&S is not well documented, captured, or available. This can severely limit the useful life of the M&S and hinder future development or enhancements. This situation occurred with an M&S tool that had been developed to determine the impact to space system performance due to the presence of molecular contaminant films accumulating on key spacecraft surfaces. The challenges and issues encountered when resurrecting, executing, and modernizing the tool will be presented as a case study. To stay ahead of tomorrow's challenges, resources to create M&S tools must be utilized efficiently. Lessons learned from this case study will aid M&S developers and users in planning for proper maintenance, transfer, and capture of key M&S tools and knowledge to avoid increased cost, increased development time, and wasted resources for projects relying on M&S.

    Strategies for protecting intellectual property when using CUDA applications on graphics processing units

    Recent advances in the massively parallel computational abilities of graphical processing units (GPUs) have increased their use for general purpose computation, as companies look to take advantage of big data processing techniques. This has given rise to the potential for malicious software targeting GPUs, which is of interest to forensic investigators examining the operation of software. The ability to carry out reverse-engineering of software is of great importance within the security and forensics fields, particularly when investigating malicious software or carrying out forensic analysis following a successful security breach. Due to the complexity of the Nvidia CUDA (Compute Unified Device Architecture) framework, it is not clear how best to approach the reverse engineering of a piece of CUDA software. We carry out a review of the different binary output formats which may be encountered from the CUDA compiler, and their implications on reverse engineering. We then demonstrate the process of carrying out disassembly of an example CUDA application, to establish the various techniques available to forensic investigators carrying out black-box disassembly and reverse engineering of CUDA binaries. We show that the Nvidia compiler, using default settings, leaks useful information. Finally, we demonstrate techniques to better protect intellectual property in CUDA algorithm implementations from reverse engineering.

    A Survey of Techniques for Improving Security of GPUs

    Graphics processing unit (GPU), although a powerful performance-booster, also has many security vulnerabilities. Due to these, the GPU can act as a safe-haven for stealthy malware and the weakest `link' in the security `chain'. In this paper, we present a survey of techniques for analyzing and improving GPU security. We classify the works on key attributes to highlight their similarities and differences. More than informing users and researchers about GPU security techniques, this survey aims to increase their awareness about GPU security vulnerabilities and potential countermeasures

    Exploiting Input Sanitization for Regex Denial of Service

    Web services use server-side input sanitization to guard against harmful input. Some web services publish their sanitization logic to make their client interface more usable, e.g., allowing clients to debug invalid requests locally. However, this usability practice poses a security risk. Specifically, services may share the regexes they use to sanitize input strings — and regex-based denial of service (ReDoS) is an emerging threat. Although prominent service outages caused by ReDoS have spurred interest in this topic, we know little about the degree to which live web services are vulnerable to ReDoS. In this paper, we conduct the first black-box study measuring the extent of ReDoS vulnerabilities in live web services. We apply the Consistent Sanitization Assumption: that client-side sanitization logic, including regexes, is consistent with the sanitization logic on the server-side. We identify a service’s regex-based input sanitization in its HTML forms or its API, find vulnerable regexes among these regexes, craft ReDoS probes, and pinpoint vulnerabilities. We analyzed the HTML forms of 1,000 services and the APIs of 475 services. Of these, 355 services publish regexes; 17 services publish unsafe regexes; and 6 services are vulnerable to ReDoS through their APIs (6 domains; 15 subdomains). Both Microsoft and Amazon Web Services patched their web services as a result of our disclosure. Since these vulnerabilities were from API specifications, not HTML forms, we proposed a ReDoS defense for a popular API validation library, and our patch has been merged. To summarize: in client-visible sanitization logic, some web services advertise ReDoS vulnerabilities in plain sight. Our results motivate short-term patches and long-term fundamental solutions

    The XBOX 360 and Steganography: How Criminals and Terrorists Could Be Going Dark

    Video game consoles have evolved from single-player embedded systems with rudimentary processing and graphics capabilities to multipurpose devices that provide users with parallel functionality to contemporary desktop and laptop computers. Besides offering video games with rich graphics and multiuser network play, today's gaming consoles give users the ability to communicate via email, video and text chat; transfer pictures, videos, and files; and surf the World-Wide-Web. These communication capabilities have, unfortunately, been exploited by people to plan and commit a variety of criminal activities. In an attempt to cover the digital tracks of these unlawful undertakings, anti-forensic techniques, such as steganography, may be utilized to hide or alter evidence. This paper will explore how criminals and terrorists might be using the Xbox 360 to convey messages and files using steganographic techniques. Specific attention will be paid to the going dark problem and the disjoint between forensic capabilities for analyzing traditional computers and forensic capabilities for analyzing video game consoles. Forensic approaches for examining Microsoft's Xbox 360 will be detailed and the resulting evidentiary capabilities will be discussed. Keywords: Digital Forensics, Xbox Gaming Console, Steganography, Terrorism, Cyber Crim