
    Exploiting Generational Garbage Collection: Using Data Remnants to Improve Memory Analysis and Digital Forensics

    Malware authors employ sophisticated tools and infrastructure to undermine information security and steal data on a daily basis. When these attacks or infrastructure are discovered, digital forensics attempts to reconstruct the events from evidence left over on file systems, network drives, and system memory dumps. In the last several years, malware authors have been observed using the Java managed runtime to commit criminal theft [1, 2] and conduct espionage [3, 4, 5]. Fortunately for forensic analysts, the most prevalent versions of Java use generational garbage collection to help improve runtime performance. The memory system allocates memory from a managed heap. When memory is exhausted in this heap, the JVM will sweep over partitions, reclaiming memory from dead objects. This memory is not sanitized or zeroed. Hence, latent secrets and object data persist until they are overwritten. For example, socket and open file recovery is possible even after resources are closed and purged from the OS kernel memory. This research measures the lifetime of latent data and implements a Python framework that can be used to recover this object data. Latent secret lifetimes are experimentally measured using TLS keys in a Java application. An application is configured to be very active and minimally active. The application also utilizes raw Java sockets and Apache HTTPClient to determine whether or not a Java framework impacts latent secret lifetimes. Depending on the heap size (512 MiB to 16 GiB), between 10-40% of the TLS keys are recoverable from the heap, which correlates directly to memory pressure. This research also exploits properties to identify and recover evidence from the Java heap. The RecOOP framework helps locate all the loaded types, identify the managed Java heaps, and scan for potential objects [6]. The framework then lifts these objects into Python where they can be analyzed further.
    Key findings include the fact that IO streams for processes started from within Java remained in memory, and the data in these buffers could be used to infer the program executed. Sockets and data could also be recovered even when the socket structures were missing from the OS's kernel memory.

    InSight2: An Interactive Web Based Platform for Modeling and Analysis of Large Scale Argus Network Flow Data

    Monitoring systems are paramount to the proactive detection and mitigation of problems in computer networks related to performance and security. Degraded performance and compromised end-nodes can cost computer networks downtime, data loss and reputation. InSight2 is a platform that models, analyzes and visualizes large scale Argus network flow data using up-to-date geographical data, organizational information, and emerging threats. It is engineered to meet the needs of network administrators with flexibility and modularity in mind. Scalability is ensured through multi-core processing built on a robust software architecture. Extendibility is achieved by enabling the end user to enrich flow records using additional user-provided databases. Deployment is streamlined by providing an automated installation script. State-of-the-art visualizations are devised and presented in a secure, user-friendly web interface, giving the end user greater insight into the network.

    MOSTO: A toolkit to facilitate security auditing of ICS devices using Modbus/TCP

    The integration of the Internet into industrial plants has connected Industrial Control Systems (ICS) worldwide, resulting in an increase in the number of attack surfaces and the exposure of software and devices not originally intended for networking. In addition, the heterogeneity and technical obsolescence of ICS architectures, legacy hardware, and outdated software pose significant challenges. Since these systems control essential infrastructure such as power grids, water treatment plants, and transportation networks, security is of the utmost importance. Unfortunately, current methods for evaluating the security of ICS are often ad hoc and difficult to formalize into a systematic evaluation methodology with predictable results. In this paper, we propose a practical method supported by a concrete toolkit for performing penetration testing in an industrial setting. The primary focus is on the Modbus/TCP protocol as the field control protocol. Our approach relies on a toolkit, named MOSTO, which is licensed under the GNU GPL and enables auditors to assess the security of existing industrial control settings without interfering with ICS workflows. Furthermore, we present a model-driven framework that combines formal methods, testing techniques, and simulation to (formally) test security properties in ICS networks.

    Workflow Provenance: from Modeling to Reporting

    Workflow provenance is a crucial part of a workflow system as it enables data lineage analysis, error tracking, workflow monitoring, usage pattern discovery, and so on. Integrating provenance into a workflow system, or modifying a workflow system to capture or analyze different provenance information, is burdensome and requires extensive development, because provenance mechanisms rely heavily on the modelling, architecture, and design of the workflow system. Various tools and technologies exist for logging events in a software system. Unfortunately, logging tools and technologies are not designed for capturing and analyzing provenance information. Workflow provenance is not only about logging, but also about retrieving workflow-related information from logs. In this work, we propose a taxonomy of provenance questions and, guided by these questions, we created a workflow programming model 'ProvMod' with a supporting run-time library to provide automated provenance and log analysis for any workflow system. The design and provenance mechanism of ProvMod is based on recommendations from prominent research and is easy to integrate into any workflow system. ProvMod offers Neo4j graph database support to manage semi-structured heterogeneous JSON logs. The log structure is adaptable to any NoSQL technology. For each provenance question in our taxonomy, ProvMod provides the answer with data visualization using Neo4j and the ELK Stack. Besides analyzing performance from various angles, we demonstrate the ease of integration by integrating ProvMod with Apache Taverna and evaluate ProvMod usability by engaging users. Finally, we present two Software Engineering research cases (clone detection and architecture extraction) where our proposed model ProvMod and provenance questions taxonomy can be applied to discover meaningful insights.

    Aesthetic Programming

    Aesthetic Programming explores the technical as well as cultural imaginaries of programming from its insides. It follows the principle that the growing importance of software requires a new kind of cultural thinking — and curriculum — that can account for, and with which to better understand, the politics and aesthetics of algorithmic procedures, data processing and abstraction. It takes a particular interest in power relations that are relatively under-acknowledged in technical subjects, concerning class and capitalism, gender and sexuality, as well as race and the legacies of colonialism. This is not only related to the politics of representation but also nonrepresentation: how power differentials are implicit in code in terms of binary logic, hierarchies, naming of the attributes, and how particular worldviews are reinforced and perpetuated through computation. Using p5.js, it introduces and demonstrates the reflexive practice of aesthetic programming, engaging with learning to program as a way to understand and question existing technological objects and paradigms, and to explore the potential for reprogramming wider eco-socio-technical systems. The book itself follows this approach, and is offered as a computational object open to modification and reversioning.

    JPEG: the quadruple object

    The thesis, together with its practice-research works, presents an object-oriented perspective on the JPEG standard. Using the object-oriented philosophy of Graham Harman as a theoretical and also practical starting point, the thesis looks to provide an account of the JPEG digital object and its enfolding within the governmental scopic regime. The thesis looks to move beyond accounts of digital objects and protocols within software studies that position the object in terms of issues of relationality, processuality and potentiality. From an object-oriented point of view, the digital object must be seen as exceeding its relations, as actual, present and holding nothing in reserve. The thesis presents an account of JPEG starting from that position as well as an object-oriented account of JPEG's position within the distributed, governmental scopic regime via an analysis of Facebook's Timeline, tagging and Haystack systems. As part of a practice-research project, the author looked to use that perspective within photographic and broader imaging practices as a spur to new work and also as a "laboratory" to explore Harman's framework. The thesis presents the findings of those "experiments" in the form of a report alongside practice-research eBooks. These works were not designed to be illustrations of the theory, nor works to be "analysed". Rather, following the lead of Ian Bogost and Mark Amerika, they were designed to be "philosophical works" in the sense of works that "did" philosophy.

    EFFICIENT RUNTIME SECURITY SYSTEM FOR DECENTRALISED DISTRIBUTED SYSTEMS

    Distributed systems can be defined as systems that are scattered over geographical distances and provide different activities through communication, processing, data transfer and so on, thus increasing the cooperation, efficiency, and reliability with which users and data resources are handled jointly. For this reason, distributed systems have been shown to be a promising infrastructure for most applications in the digital world. Despite their advantages, keeping these systems secure is a complex task because of the unconventional nature of distributed systems, which can produce many security problems like phishing, denial of service or eavesdropping. Therefore, adopting security and privacy policies in distributed systems will increase the trustworthiness between the users and these systems. However, adding or updating security is considered one of the most challenging concerns, and this relies on the various security vulnerabilities which exist in distributed systems. The most significant one is inserting or modifying a new security concern, or even removing it, according to the security status which may appear at runtime. Moreover, these problems will be exacerbated when the system adopts the multi-hop concept as a way to deal with transmitting and processing information. This can pose many significant security challenges, especially when dealing with decentralized distributed systems where security must be furnished end-to-end. Unfortunately, existing solutions are insufficient to deal with these problems: CORBA, for example, is considered a one-to-one relationship only, and DSAW deals with end-to-end security but without taking into account the possibility of changing information sensitivity during runtime. This thesis provides a proposed mechanism for enforcing security policies and dealing with distributed systems' security weaknesses from the software perspective.
    The proposed solution utilised Aspect-Oriented Programming (AOP) to address security concerns at compile time and at runtime. The proposed solution is based on a decentralized distributed system that adopts the multi-hop concept to deal with different requested tasks. The proposed system focused on how to achieve high accuracy, data integrity and high efficiency of the distributed system in real time. This is done by modularising the most efficient security solutions, Access Control and Cryptography, using an Aspect-Oriented Programming language. The experiments' results show the proposed solution overcomes the shortcomings of the existing solutions by fully integrating with the decentralized distributed system to achieve dynamic, high-cooperation, high-performance and end-to-end holistic security.

    2020-21 Undergraduate Catalog
