94,365 research outputs found
Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces
Embedded devices are becoming more widespread, interconnected, and
web-enabled than ever. However, recent studies showed that these devices are
far from being secure. Moreover, many embedded systems rely on web interfaces
for user interaction or administration. Unfortunately, web security is known to
be difficult, and therefore the web interfaces of embedded systems represent a
considerable attack surface.
In this paper, we present the first fully automated framework that applies
dynamic firmware analysis techniques to achieve, in a scalable manner,
automated vulnerability discovery within embedded firmware images. We apply our
framework to study the security of embedded web interfaces running in
Commercial Off-The-Shelf (COTS) embedded devices, such as routers, DSL/cable
modems, VoIP phones, IP/CCTV cameras. We introduce a methodology and implement
a scalable framework for discovery of vulnerabilities in embedded web
interfaces regardless of the vendor, device, or architecture. To achieve this
goal, our framework performs full system emulation to achieve the execution of
firmware images in a software-only environment, i.e., without involving any
physical embedded devices. Then, we analyze the web interfaces within the
firmware using both static and dynamic tools. We also present some interesting
case-studies, and discuss the main challenges associated with the dynamic
analysis of firmware images and their web interfaces and network services. The
observations we make in this paper shed light on an important aspect of
embedded devices which was not previously studied at a large scale.
We validate our framework by testing it on 1925 firmware images from 54
different vendors. We discover important vulnerabilities in 185 firmware
images, affecting nearly a quarter of vendors in our dataset. These
experimental results demonstrate the effectiveness of our approach
On the Automated Synthesis of Enterprise Integration Patterns to Adapt Choreography-based Distributed Systems
The Future Internet is becoming a reality, providing a large-scale computing
environments where a virtually infinite number of available services can be
composed so to fit users' needs. Modern service-oriented applications will be
more and more often built by reusing and assembling distributed services. A key
enabler for this vision is then the ability to automatically compose and
dynamically coordinate software services. Service choreographies are an
emergent Service Engineering (SE) approach to compose together and coordinate
services in a distributed way. When mismatching third-party services are to be
composed, obtaining the distributed coordination and adaptation logic required
to suitably realize a choreography is a non-trivial and error prone task.
Automatic support is then needed. In this direction, this paper leverages
previous work on the automatic synthesis of choreography-based systems, and
describes our preliminary steps towards exploiting Enterprise Integration
Patterns to deal with a form of choreography adaptation.Comment: In Proceedings FOCLASA 2015, arXiv:1512.0694
Towards runtime discovery, selection and composition of semantic services
Service-orientation is gaining momentum in distributed software applications, mainly because it facilitates interoperability and allows application designers to abstract from underlying implementation technologies. Service composition has been acknowledged as a promising approach to create composite services that are capable of supporting service user needs, possibly by personalising the service delivery through the use of context information or user preferences. In this paper we discuss the challenges of automatic service composition, and present DynamiCoS, which is a novel framework that aims at supporting service composition on demand and at runtime for the benefit of service end-users. We define the DynamiCoS framework based on a service composition life-cycle. Framework mechanisms are introduced to tackle each of the phases and requirements of this life-cycle. Semantic services are used in our framework to enable reasoning on the service requests issued by end users, making it possible to automate service discovery, selection and composition. We validate our framework with a prototype that we have built in order to experiment with the mechanisms we have designed. The prototype was evaluated in a testing environment using some use case scenarios. The results of our evaluation give evidences of the feasibility of our approach to support runtime service composition. We also show the benefits of semantic-based frameworks for service composition, particularly for end-users who will be able to have more control on the service composition process
Discovery and Selection of Certified Web Services Through Registry-Based Testing and Verification
Reliability and trust are fundamental prerequisites for the establishment of functional relationships among peers in a Collaborative Networked Organisation (CNO), especially in the context of Virtual Enterprises where economic benefits can be directly at stake. This paper presents a novel approach towards effective service discovery and selection that is no longer based on informal, ambiguous and potentially unreliable service descriptions, but on formal specifications that can be used to verify and certify the actual Web service implementations. We propose the use of Stream X-machines (SXMs) as a powerful modelling formalism for constructing the behavioural specification of a Web service, for performing verification through the generation of exhaustive test cases, and for performing validation through animation or model checking during service selection
Automatically Generating a Large, Culture-Specific Blocklist for China
Internet censorship measurements rely on lists of websites to be tested, or
"block lists" that are curated by third parties. Unfortunately, many of these
lists are not public, and those that are tend to focus on a small group of
topics, leaving other types of sites and services untested. To increase and
diversify the set of sites on existing block lists, we use natural language
processing and search engines to automatically discover a much wider range of
websites that are censored in China. Using these techniques, we create a list
of 1125 websites outside the Alexa Top 1,000 that cover Chinese politics,
minority human rights organizations, oppressed religions, and more.
Importantly, . The list that we develop not only vastly expands the set
of sites that current Internet measurement tools can test, but it also deepens
our understanding of the nature of content that is censored in China. We have
released both this new block list and the code for generating it
- …