Strategies for protecting intellectual property when using CUDA applications on graphics processing units

Recent advances in the massively parallel computational abilities of graphical processing units (GPUs) have increased their use for general purpose computation, as companies look to take advantage of big data processing techniques. This has given rise to the potential for malicious software targeting GPUs, which is of interest to forensic investigators examining the operation of software. The ability to carry out reverse-engineering of software is of great importance within the security and forensics elds, particularly when investigating malicious software or carrying out forensic analysis following a successful security breach. Due to the complexity of the Nvidia CUDA (Compute Uni ed Device Architecture) framework, it is not clear how best to approach the reverse engineering of a piece of CUDA software. We carry out a review of the di erent binary output formats which may be encountered from the CUDA compiler, and their implications on reverse engineering. We then demonstrate the process of carrying out disassembly of an example CUDA application, to establish the various techniques available to forensic investigators carrying out black-box disassembly and reverse engineering of CUDA binaries. We show that the Nvidia compiler, using default settings, leaks useful information. Finally, we demonstrate techniques to better protect intellectual property in CUDA algorithm implementations from reverse engineering

Experimental Case Studies for Investigating E-Banking Phishing Techniques and Attack Strategies

Phishing is a form of electronic identity theft in which a combination of social engineering and web site spoofing techniques are used to trick a user into revealing confidential information with economic value. The problem of social engineering attack is that there is no single solution to eliminate it completely, since it deals largely with the human factor. This is why implementing empirical experiments is very crucial in order to study and to analyze all malicious and deceiving phishing website attack techniques and strategies. In this paper, three different kinds of phishing experiment case studies have been conducted to shed some light into social engineering attacks, such as phone phishing and phishing website attacks for designing effective countermeasures and analyzing the efficiency of performing security awareness about phishing threats. Results and reactions to our experiments show the importance of conducting phishing training awareness for all users and doubling our efforts in developing phishing prevention techniques. Results also suggest that traditional standard security phishing factor indicators are not always effective for detecting phishing websites, and alternative intelligent phishing detection approaches are needed

The Design and Evaluation of an Interactive Social Engineering Training Programme

Social engineering is a major issue affecting organisational security. Educating employees on how to avoid social engineering attacks is important because social engineering tries to penetrate an organisation by using employees to grant authorized access to sensitive information. While there are a number of theoretical studies about social engineering, a few practical studies have moved towards educating and training employees on how to spot such attacks. In this research, we emphasise the importance of educating employees to make them more resilient to these kinds of attacks. We developed an educational video encapsulated within a Social Engineering Training Programme. This is essentially an interactive training video during which the learner interacts with three different scenarios; educational content, a knowledge-check, and a web page containing the latest news about current social engineering attacks. The training programme was evaluated in a Saudi trading company with 24 employees. The evaluation showed that the programme delivered a positive impact in terms of awareness, as tested by a post-training qui

Using Security and Domain ontologies for Security Requirements Analysis

International audienceRecent research has argued about the importance of considering security during Requirements Engineering (RE) stage. Literature also emphasizes the importance of using ontologies to facilitate requirements elicitation. Ontologies are known to be rich sources of knowledge, and, being structured and equipped with reasoning features, they form a powerful tool to handle requirements. We believe that security being a multi-faceted problem, a single security ontology is not enough to guide SR Engineering (SRE) efficiently. Indeed, security ontologies only focus on technical and domain independent aspects of security. Therefore, one can hypothesize that domain knowledge is needed too. Our question is "how to combine the use of security ontologies and domain ontologies to guide requirements elicitation efficiently and effectively?" We propose a method that exploits both types of ontologies dynamically through a collection of heuristic production rules. We demonstrate that the combined use of security ontologies with domain ontologies to guide SR elicitation is more effective than just relying on security ontologies. This paper presents our method and reports a preliminary evaluation conducted through critical analysis by experts. The evaluation shows that the method provides a good balance between the genericity with respect to the ontologies (which do not need to be selected in advance), and the specificity of the elicited requirements with respect to the domain at hand

Introducing Safety and Security Co-engineering Related Research Orientations in the Field of Automotive Security

Since modern vehicles are connected and their transport processes are strongly supported by different automated functions, malicious external interventions can impair safety integrity. Therefore, it seems to be reasonable in the future to introduce safety and security co-engineering approaches in the automotive industry. With regard to the performed evaluation, three main promising research orientations have been identified. Automotive safety and security related development of co-engineering methodology and validation framework are of key importance from the viewpoint of autonomous transportation. Accordingly, a scenario based, integrated evaluation of automotive safety and security would be closely fit to the concept of SOTIF and the SoS approach. Beyond this, the communication and network security of "vehicle to everything" channels have to also be in the focus of automotive researches. Additionally, the development of automotive anomaly detection systems, especially focusing on the complex SoS operation processes will be a highly important research orientation

Security Testing: A Survey

Identifying vulnerabilities and ensuring security functionality by security testing is a widely applied measure to evaluate and improve the security of software. Due to the openness of modern software-based systems, applying appropriate security testing techniques is of growing importance and essential to perform effective and efficient security testing. Therefore, an overview of actual security testing techniques is of high value both for researchers to evaluate and refine the techniques and for practitioners to apply and disseminate them. This chapter fulfills this need and provides an overview of recent security testing techniques. For this purpose, it first summarize the required background of testing and security engineering. Then, basics and recent developments of security testing techniques applied during the secure software development lifecycle, i.e., model-based security testing, code-based testing and static analysis, penetration testing and dynamic analysis, as well as security regression testing are discussed. Finally, the security testing techniques are illustrated by adopting them for an example three-tiered web-based business application