283 research outputs found
Information Flow Control in Spring Web Applications
Companies rely extensively on frameworks and APIs when developing their systems,
as these mechanisms are quite advantageous. Two of the most conspicuous benefits
are their ease of use and workload reduction, allowing for shorter and more responsive
development cycles. However, most frameworks do not provide security properties such
as data confidentiality as other tools do. A prime example is a Spring. It is the most
heavily used Java web development framework, hosting a vast array of functionalities,
ranging from data layer functionalities (c.f. hibernate and JPA), security providers, and
metrics providers to provide statistical data on the application itself as well as a layer for
REST communication. However, to achieve such advanced functionalities, Spring resorts
to bytecode manipulation and generation during its startup period, hindering the use of
other formal analysis tools that use similar processes in their execution.
In a broader sense, we provide a comprehensive approach for the static analysis of
spring-based web applications. We introduce hooks in the Spring pipeline, making
feasible the formal analysis and manipulation of the complete, run-time-generated appli-
cation bytecode through a well-defined interface. The hooks provide not only access to
the entire web application’s bytecode but also allow for the replacement of the applica-
tion’s component, enabling more complex analysis requiring the instrumentation of the
application.
To address data confidentiality-related issues in web applications developed with this
framework, we propose integrating information flow control tools in the framework’s
pipeline. Namely, we combine Spring with Snitch, a tool for hybrid information flow
control in Java bytecode that will be used as a case-study.As empresas apoiam-se cada vez mais em frameworks e APIs quando desenvolvem
os seus sistemas, pois estas ferramentas fornecem grandes vantagens. Duas das maiores
vantages destes sistemas são a sua fácil utilização/integração nos sistemas bem como a
quantidade de trabalho que reduzem ao desenvolvedor, permitindo assim perÃodos de
desenvolvimento mais curtos e responsivos. Ainda assim, a mrioria das frameworks não
têm como lidar com propriedades de segurança fundamentais como confidencialidade dos
dados. Um dos exemplos mais conhecidos é o Spring. É a framework mais usada em Java
para desenvolvimento web, oferecendo um vasto leque de funcionalidades, variando entre
uma camada que lida com dados (eg: hibernate e JPA), uma camada gestora de segurança
nas aplicações, uma camada estatÃstica que permite analisar a performance do sistema e
também uma camada para comunicação REST. Para alcançar estas funcionalidades, que
não são triviais, o Spring recorre a mecanismos de manipulação de bytecode e geração
de código durante o seu perÃodo de inicialização, perturbando o uso de ferramentas de
análise formais que recorrem a processos semelhantes na sua execução.
Em geral, nós fornecemos uma nova forma de lidar com análise formal em aplicações
web Spring. Aqui introduzimos hooks no processo de inicialização do Spring, tornando
possÃvel que a análise formal e a manipulação de todo o bytecode gerado da aplicação a
partir duma interface cuidadosamente definida. Os hooks fornecidos fornecem acesso ao
bytecode da aplicação na sua totalidade bem como permitem a substituição do componente
da aplicação, permitindo assim a análise complexa e formal por parte da ferramenta que
pode requerer instrumentação da aplicação.
Para lidar com problemas relacionados com confidencialidade dos dados em aplicações
web desenvolvidas com a framework, propomos a integração de ferramentas de controlo
do fluxo de informação na prórpia framework. Assim, juntamos Spring e Snitch, uma
ferramenta que analisa bytecode para verificar a segurança do fluxo de informação hÃbrida
Malware Analysis and Privacy Policy Enforcement Techniques for Android Applications
The rapid increase in mobile malware and deployment of over-privileged applications over the years has been of great concern to the security community. Encroaching on user’s privacy, mobile applications (apps) increasingly exploit various sensitive data on mobile devices. The information gathered by these applications is sufficient to uniquely and accurately profile users and can cause tremendous personal and financial damage.
On Android specifically, the security and privacy holes in the operating system and framework code has created a whole new dynamic for malware and privacy exploitation. This research work seeks to develop novel analysis techniques that monitor Android applications for possible unwanted behaviors and then suggest various ways to deal with the privacy leaks associated with them.
Current state-of-the-art static malware analysis techniques on Android-focused mainly on detecting known variants without factoring any kind of software obfuscation. The dynamic analysis systems, on the other hand, are heavily dependent on extending the Android OS and/or runtime virtual machine. These methodologies often tied the system to a single Android version and/or kernel making it very difficult to port to a new device. In privacy, accesses to the database system’s objects are not controlled by any security check beyond overly-broad read/write permissions. This flawed model exposes the database contents to abuse by privacy-agnostic apps and malware. This research addresses the problems above in three ways.
First, we developed a novel static analysis technique that fingerprints known malware based on three-level similarity matching. It scores similarity as a function of normalized opcode sequences found in sensitive functional modules and application permission requests. Our system has an improved detection ratio over current research tools and top COTS anti-virus products while maintaining a high level of resiliency to both simple and complex obfuscation.
Next, we augment the signature-related weaknesses of our static classifier with a hybrid analysis system which incorporates bytecode instrumentation and dynamic runtime monitoring to examine unknown malware samples. Using the concept of Aspect-oriented programming, this technique involves recompiling security checking code into an unknown binary for data flow analysis, resource abuse tracing, and analytics of other suspicious behaviors. Our system logs all the intercepted activities dynamically at runtime without the need for building custom kernels.
Finally, we designed a user-level privacy policy enforcement system that gives users more control over their personal data saved in the SQLite database. Using bytecode weaving for query re-writing and enforcing access control, our system forces new policies at the schema, column, and entity levels of databases without rooting or voiding device warranty
Enabling Auditing and Intrusion Detection of Proprietary Controller Area Networks
The goal of this dissertation is to provide automated methods for security researchers to overcome ‘security through obscurity’ used by manufacturers of proprietary Industrial Control Systems (ICS). `White hat\u27 security analysts waste significant time reverse engineering these systems\u27 opaque network configurations instead of performing meaningful security auditing tasks. Automating the process of documenting proprietary protocol configurations is intended to improve independent security auditing of ICS networks. The major contributions of this dissertation are a novel approach for unsupervised lexical analysis of binary network data flows and analysis of the time series data extracted as a result. We demonstrate the utility of these methods using Controller Area Network (CAN) data sampled from passenger vehicles
Transparent and Precise Malware Analysis Using Virtualization: From Theory to Practice
Dynamic analysis is an important technique used in malware analysis and is complementary to static analysis. Thus far, virtualization has been widely adopted for building fine-grained dynamic analysis tools and this trend is expected to continue. Unlike User/Kernel space malware analysis platforms that essentially co-exist with malware, virtualization based platforms benefit from isolation and fine-grained instrumentation support. Isolation makes it more difficult for malware samples to disrupt analysis and fine-grained instrumentation provides analysts with low level details, such as those at the machine instruction level. This in turn supports the development of advanced analysis tools such as dynamic taint analysis and symbolic execution for automatic path exploration.
The major disadvantage of virtualization based malware analysis is the loss of semantic information, also known as the semantic gap problem. To put it differently, since analysis takes place at the virtual machine monitor where only the raw system state (e.g., CPU and memory) is visible, higher level constructs such as processes and files must be reconstructed using the low level information. The collection of techniques used to bridge semantic gaps is known as Virtual Machine Introspection.
Virtualization based analysis platforms can be further separated into emulation and hardware virtualization. Emulators have the advantages of flexibility of analysis tool development and efficiency for fine-grained analysis; however, emulators suffer from the transparency problem. That is, malware can employ methods to determine whether it is executing in an emulated environment versus real hardware and cease operations to disrupt analysis if the machine is emulated. In brief, emulation based dynamic analysis has advantages over User/Kernel space and hardware virtualization based techniques, but it suffers from semantic gap and transparency problems.
These problems have been exacerbated by recent discoveries of anti-emulation malware that detects emulators and Android malware with two semantic gaps, Java and native. Also, it is foreseeable that malware authors will have a similar response to taint analysis. In other words, once taint analysis becomes widely used to understand how malware operates, the authors will create new malware that attacks the imprecisions in taint analysis implementations and induce false-positives and false-negatives in an effort to frustrate analysts.
This dissertation addresses these problems by presenting concepts, methods and techniques that can be used to transparently and precisely analyze both desktop and mobile malware using virtualization. This is achieved in three parts. First, precise heterogeneous record and replay is presented as a means to help emulators benefit from the transparency characteristics of hardware virtualization. This technique is implemented in a tool called V2E that uses KVM for recording and TEMU for replaying and analysis. It was successfully used to analyze real-world anti-emulation malware that evaded analysis using TEMU alone. Second, the design of an emulation based Android malware analysis platform that uses virtual machine introspection to bridge both the Java and native level semantic gaps as well as seamlessly bind the two views together into a single view is presented. The core introspection and instrumentation techniques were implemented in a new analysis platform called DroidScope that is based on the Android emulator. It was successfully used to analyze two real-world Android malware samples that have cooperating Java and native level components. Taint analysis was also used to study their information ex-filtration behaviors. Third, formal methods for studying the sources of false-positives and false-negatives in dynamic taint analysis designs and for verifying the correctness of manually defined taint propagation rules are presented. These definitions and methods were successfully used to analyze and compare previously published taint analysis platforms in terms of false-positives and false-negatives
Security-Pattern Recognition and Validation
The increasing and diverse number of technologies that are connected to the Internet, such as distributed enterprise systems or small electronic devices like smartphones, brings the topic IT security to the foreground. We interact daily with these technologies and spend much trust on a well-established software development process. However, security vulnerabilities appear in software on all kinds of PC(-like) platforms, and more and more vulnerabilities are published, which compromise systems and their users. Thus, software has also to be modified due to changing requirements, bugs, and security flaws and software engineers must more and more face security issues during the software design; especially maintenance programmers must deal with such use cases after a software has been released. In the domain of software development, design patterns have been proposed as the best-known solutions for recurring problems in software design. Analogously, security patterns are best practices aiming at ensuring security. This thesis develops a deeper understanding of the nature of security patterns. It focuses on their validation and detection regarding the support of reviews and maintenance activities. The landscape of security patterns is diverse. Thus, published security patterns are collected and organized to identify software-related security patterns. The description of the selected software-security patterns is assessed, and they are compared against the common design patterns described by Gamma et al. to identify differences and issues that may influence the detection of security patterns. Based on these insights and a manual detection approach, we illustrate an automatic detection method for security patterns. The approach is implemented in a tool and evaluated in a case study with 25 real-world Android applications from Google Play
Finding Differences in Privilege Protection and their Origin in Role-Based Access Control Implementations
Les applications Web sont très courantes, et ont des besoins de sécurité. L’un d’eux est le contrôle d’accès. Le contrôle d’accès s’assure que la politique de sécurité est respectée. Cette politique définit l’accès légitime aux données et aux opérations de l’application. Les applications Web utilisent régulièrement le contrôle d’accès à base de rôles (en anglais, « Role-Based Access Control » ou RBAC). Les politiques de sécurité RBAC permettent aux développeurs
de définir des rôles et d’assigner des utilisateurs à ces rôles. De plus, l’assignation des privilèges d’accès se fait au niveau des rôles. Les applications Web évoluent durant leur maintenance et des changements du code source peuvent affecter leur sécurité de manière inattendue. Pour éviter que ces changements engendrent des régressions et des vulnérabilités, les développeurs doivent revalider l’implémentation RBAC de leur application. Ces revalidations peuvent exiger des ressources considérables. De plus, la tâche est compliquée par l’éloignement possible entre le changement et son impact sur la sécurité (e.g. dans des procédures ou fichiers différents). Pour s’attaquer à cette problématique, nous proposons des analyses statiques de programmes autour de la protection garantie des privilèges. Nous générons automatiquement des modèles de protection des privilèges. Pour ce faire, nous utilisons l’analyse de flux par traversement de patron (en anglais, « Pattern Traversal Flow Analysis » ou PTFA) à partir du code source de l’application. En comparant les modèles PTFA de différentes versions, nous déterminons les impacts des changements de code sur la protection des privilèges. Nous appelons ces
impacts de sécurité des différences de protection garantie (en anglais, « Definite Protection Difference » ou DPD). En plus de trouver les DPD entre deux versions, nous établissons une classification des différences reposant sur la théorie des ensembles.----------ABSTRACT : Web applications are commonplace, and have security needs. One of these is access control. Access control enforces a security policy that allows and restricts access to information and operations. Web applications often use Role-Based Access Control (RBAC) to restrict operations
and protect security-sensitive information and resources. RBAC allows developers to assign users to various roles, and assign privileges to the roles. Web applications undergo maintenance and evolution. Their security may be affected by
source code changes between releases. Because these changes may impact security in unexpected ways, developers need to revalidate their RBAC implementation to prevent regressions
and vulnerabilities. This may be resource-intensive. This task is complicated by the fact that the code change and its security impact may be distant (e.g. in different functions or files). To address this issue, we propose static program analyses of definite privilege protection. We automatically generate privilege protection models from the source code using Pattern Traversal Flow Analysis (PTFA). Using differences between versions and PTFA models, we determine privilege-level security impacts of code changes using definite protection differences (DPDs) and apply a set-theoretic classification to them. We also compute explanatory counter-examples for DPDs in PTFA models. In addition, we shorten them using graph transformations in order to facilitate their understanding. We define protection-impacting changes (PICs), changed code during evolution that impact privilege protection. We do so
using graph reachability and differencing of two versions’ PTFA models. We also identify a superset of source code changes that contain root causes of DPDs by reverting these changes. We survey the distribution of DPDs and their classification over 147 release pairs of Word-Press, spanning from 2.0 to 4.5.1. We found that code changes caused no DPDs in 82 (56%) release pairs. The remaining 65 (44%) release pairs are security-affected. For these release
pairs, only 0.30% of code is affected by DPDs on average. We also found that the most common change categories are complete gains (� 41%), complete losses (� 18%) and substitution (� 20%)
Microservice API Evolution in Practice: A Study on Strategies and Challenges
Nowadays, many companies design and develop their software systems as a set
of loosely coupled microservices that communicate via their Application
Programming Interfaces (APIs). While the loose coupling improves
maintainability, scalability, and fault tolerance, it poses new challenges to
the API evolution process. Related works identified communication and
integration as major API evolution challenges but did not provide the
underlying reasons and research directions to mitigate them. In this paper, we
aim to identify microservice API evolution strategies and challenges in
practice and gain a broader perspective of their relationships. We conducted 17
semi-structured interviews with developers, architects, and managers in 11
companies and analyzed the interviews with open coding used in grounded theory.
In total, we identified six strategies and six challenges for REpresentational
State Transfer (REST) and event-driven communication via message brokers. The
strategies mainly focus on API backward compatibility, versioning, and close
collaboration between teams. The challenges include change impact analysis
efforts, ineffective communication of changes, and consumer reliance on
outdated versions, leading to API design degradation. We defined two important
problems in microservice API evolution resulting from the challenges and their
coping strategies: tight organizational coupling and consumer lock-in. To
mitigate these two problems, we propose automating the change impact analysis
and investigating effective communication of changes as open research
directions
Remote Policy Enforcement Using Java Virtual Machine
Tanenbaum, A.S. [Promotor]Crispo, B. [Copromotor
- …