Application to Security Testing

In a world where software gradually plays a key role daily, a failure may bring unpleasant consequences for its users. An example of a serious failure was the case Apple iCloud security exploit in 2014 where several private photos of celebrities have been accessed without permission[icl14a][icl14b]. Apart from economic and commercial implications, these faults lead to loss of trust in software by users, thus leading to the consequent search for an alternative and even result in leaving the old software for a new alternative. To address these shortcomings, the software industry started to use software testing to make sure that the software contains the minimum possible failures before is deployment. Software tests are used to analyse the program, namely to search some bugs. This analysis can be done without program execution (static analysis) or during execution (dynamic analysis). Static analysis tools can be used to check for potential execution of the program that have not been prematurely aborted due to unexpected event at runtime, not ensuring that the program will display the correct result. We studied some static analysis tools, JSFlow, JSPrime and TAJS, which analyse JavaScript code. These tools have been modified so they can be integrated into the Nibiru framework. Nibiru is a modular framework that aims to help in the implementation of software testing. It uses a micro-services architecture, enabling the use of multiple programming languages in his modules and has the ability to enable the implementation of its modules on multiple machines. So far the Nibiru has three operating modules and its ready to start growing with the community, so they can contribute in the construction of new modules or make small adjustments on the existing testing software to integrate the Nibiru framework.Num mundo onde cada vez mais o software tem um papel fundamental nas atividades do dia-a-dia, uma falha pode trazer consequências desagradáveis para os seus utilizadores. Como exemplo de uma falha grave, temos o caso Apple iCloud security exploit em 2014 [icl14a][icl14b], onde várias fotos de celebridades foram acedidas sem permissão. Para além de repercussões económicas e comerciais estas falhas levam à perca de confiança no software por parte dos utilizadores, levando assim à consequente procura de alternativas ao mesmo, podendo até resultar no abandono do software antigo. Para colmatar estas falhas, hoje em dia a indústria cada vez aposta mais nos testes de software para certificar-se que o software contém o mínimo de falhas possíveis antes de sair para o mercado. Os testes de software servem para analisar o programa, nomeadamente na obtenção de bugs. Esta análise pode ser feita sem execução do programa (análise estática) ou durante a sua execução (análise dinâmica). As ferramentas de análise estática são utilizadas para verificar se existem potenciais execuções do programa que possam falhar durante a sua execução devido a eventos inesperados, isto faz com que o programa apresente um resultado incorreto ou até mesmo bloqueie. Foram estudadas algumas ferramentas de análise estática, JSFlow, JSPrime e TAJS, que analisam código JavaScript. Estas ferramentas foram modificadas para serem integradas na framework Nibiru. O Nibiru é uma framework modular que tem como intuito ajudar na execução de testes de software. Esta utiliza uma arquitetura de micro-serviços, possibilitando o uso de múltiplas linguagens de programação nos seus módulos e tem a capacidade de possibilitar a execução dos seus módulos em várias máquinas. Até ao momento o Nibiru conta com três módulos operacionais, encontrando-se pronto para crescer com a comunidade informática, podendo esta contribuir na construção de novos módulos

A Study on Formal Verification for JavaScript Software

Information security is still a major problem for users of websites and hybrid mobile applications. While many apps and websites come with terms of service agreements between the developer and end user, there is no rigorous mechanism in place to ensure that these agreements are being followed. Formal methods can offer greater confidence that these policies are being followed, but there is currently no widely adopted tool that makes formal methods available for average consumers. After studying the current state-of-the-art in JavaScript policy enforcement and verification, this research proposes several new techniques for applying model checking to JavaScript that strikes a balance of low runtime overhead and fine-grained policy enforcement that other techniques do not achieve

Principled Flow Tracking in IoT and Low-Level Applications

Significant fractions of our lives are spent digitally, connected to and dependent on Internet-based applications, be it through the Web, mobile, or IoT. All such applications have access to and are entrusted with private user data, such as location, photos, browsing habits, private feed from social networks, or bank details.In this thesis, we focus on IoT and Web(Assembly) apps. We demonstrate IoT apps to be vulnerable to attacks by malicious app makers who are able to bypass the sandboxing mechanisms enforced by the platform to stealthy exfiltrate user data. We further give examples of carefully crafted WebAssembly code abusing the semantics to leak user data.We are interested in applying language-based technologies to ensure application security due to the formal guarantees they provide. Such technologies analyze the underlying program and track how the information flows in an application, with the goal of either statically proving its security, or preventing insecurities from happening at runtime. As such, for protecting against the attacks on IoT apps, we develop both static and dynamic methods, while for securing WebAssembly apps we describe a hybrid approach, combining both.While language-based technologies provide strong security guarantees, they are still to see a widespread adoption outside the academic community where they emerged.In this direction, we outline six design principles to assist the developer in choosing the right security characterization and enforcement mechanism for their system.We further investigate the relative expressiveness of two static enforcement mechanisms which pursue fine- and coarse-grained approaches for tracking the flow of sensitive information in a system.\ua0Finally, we provide the developer with an automatic method for reducing the manual burden associated with some of the language-based enforcements

Information Flow for Web Security and Privacy

The use of libraries is prevalent in modern web development. But how to ensure sensitive data is not being leaked through these libraries? This is the first challenge this thesis aims to solve. We propose the use of information-flow control by developing a principled approach to allow information-flow tracking in libraries, even if the libraries are written in a language not supporting information-flow control. The approach allows library functions to have unlabel\ua0and relabel models that explain how values are unlabeled and relabeled when marshaled between the labeled program and the unlabeled library. The approach handles primitive values and lists, records, higher-order functions, and references through the use of lazy marshaling.Web pages can combine benign properties of a user\u27s browser to a fingerprint, which can identify the user. Fingerprinting can be intrusive and often happens without the user\u27s consent. The second challenge this thesis aims to solve is to bridge the gap between the principled approach of handling libraries, to practical use in the information-flow aware JavaScript interpreter JSFlow. We extend JSFlow to handle libraries and be deployed in a browser, enabling information-flow tracking on web pages to detect fingerprinting.Modern browsers allow for browser modifications through browser\ua0extensions. These extensions can be intrusive by, e.g., blocking content ormodifying the DOM, and it can be in the interest of web pages to detect which extensions are installed in the browser. The third challenge this thesis aims to solve is finding which browser extensions are executing in a user\u27s browser, and investigate how the installed browser extensions can be used to decrease the privacy of users. We do this by conducting several large-scale studies and show that due to added security by browser vendors, a web page may uniquely identify a user based on the installed browser extension alone.It is popular to use filter lists to block unwanted content such as ads and tracking scripts on web pages. These filter lists are usually crowd-sourced andmainly focus on English speaking regions. Non-English speaking regions should use a supplementary filter list, but smaller linguistic regions may not have an up to date filter list. The fourth challenge this thesis aims to solve is how to automatically generate supplementary filter lists for regions which currently do not have an up to date filter list

Securing the Foundations of Practical Information Flow Control

Language-based information flow control (IFC) promises to secure computer programs against malicious or incompetent programmers by addressing key shortcomings of modern programming languages. In spite of showing great promise, the field remains under-utilised in practise. This thesis makes contributions to the theoretical foundations of IFC aimed at making the techniques practically applicable. The paper addresses two primary topics, IFC as a library and IFC without false alarms. The contributions range from foundational observations about soundness and completeness, to practical considerations of efficiency and expressiveness

Hybrid Information Flow Analysis for Programs with Arrays

Information flow analysis checks whether certain pieces of (confidential) data may affect the results of computations in unwanted ways and thus leak information. Dynamic information flow analysis adds instrumentation code to the target software to track flows at run time and raise alarms if a flow policy is violated; hybrid analyses combine this with preliminary static analysis. Using a subset of C as the target language, we extend previous work on hybrid information flow analysis that handled pointers to scalars. Our extended formulation handles arrays, pointers to array elements, and pointer arithmetic. Information flow through arrays of pointers is tracked precisely while arrays of non-pointer types are summarized efficiently. A prototype of our approach is implemented using the Frama-C program analysis and transformation framework. Work on a full machine-checked proof of the correctness of our approach using Isabelle/HOL is well underway; we present the existing parts and sketch the rest of the correctness argument.Comment: In Proceedings VPT 2016, arXiv:1607.0183

On the Foundations of Practical Language-Based Security

Language-based information flow control (IFC) promises to provide programming languages and tools that make it easy for developers to write secure code. Traditionally,\ua0research in this field aims to build a variant on a programming language or system\ua0that lets developers write code that gives them strong guarantees beyond the potential\ua0memory- and type-safety guarantees of modern languages. However, two developments\ua0in the field challenge this paradigm. Firstly, backwards-compatible security enforcement\ua0without false alarms promises to retrofit security enforcement on code that was not written with the enforcement mechanism in mind. This has the potential to greatly increase\ua0the applicability of IFC enforcement to legacy and mobile code from untrusted sources.Secondly, library-based security, a technique by which IFC researchers provide a software\ua0library in an established language whose programming interface gives the same guarantees as a stand-alone IFC tool for developers to use promises to do away with specialized\ua0IFC languages. This technique also has the potential to increase the applicability of IFC\ua0enforcement as developers no longer need to adopt a whole new language to get securityguarantees.This thesis makes contributions to both these recent developments that come in two\ua0parts; the first part concerns enforcing secure information flow without introducing false\ua0alarms while the second part concerns the correctness of using libraries instead of fullyfledged IFC programming languages to write secure code.The first part of the thesis makes the following contributions:1. It unifies the existing literature, in the form of Secure Multi-Execution and MultipleFacets, on security enforcement without false alarms by introducing Faceted SecureMulti-Execution.2. It explores the unique optimisation challenges that appear in this setting. Specifically, mixing multi-execution and facets means that unnecessarily large facetedtrees give rise to unnecessary executions in multi-execution and vice verse. Thisthesis proposes optimisation strategies that can overcome this hurdle.3. It proves an exponential lower bound on black-box false-alarm-free enforcementand new possibility results for false-alarm-free enforcement of a variant of the noninterference security condition known as termination insensitive noninterference.4. It classifies the special cases of enforcement that is not subject to the aforementionedexponential lower bound. Specifically, this thesis shows how and why the choice ofsecurity lattice makes the difference between exponential, polynomial, and constantoverheads in multi-execution.In short, the first part of the thesis unifies the existing literature on false-alarm-freeIFC enforcement and presents a number of results on the performance of enforcementmechanisms of this kind.The second part of the thesis meanwhile makes the following contributions:1. It reduces the trusted computing base of security libraries by showing how to implement secure effects on top of an already secure core without incurring any newproof obligations.2. It shows how to simplify DCC, the core language in the literature, without losingexpressiveness.3. It proves that noninterference can be derived in a simple and straightforward wayfrom parametricity for both static and dynamic security libraries. This in turnreduces the conceptual gap between the kind of security libraries that are writtentoday and the proofs one can write to prove that the libraries ensure noninterference.In short, the second part of the thesis provides a new direction for thinking about thecorrectness of security libraries by both reducing the amount of trusted code and by introducing improved means of proving that a security library guarantees noninterference

Clockwork: Tracking Remote Timing Attacks

International audienc

A Principled Approach to Securing IoT Apps

IoT apps are becoming increasingly popular as they allow users to manage their digital lives by connecting otherwise unconnected devices and services: cyberphysical “things” such as smart homes, cars, or fitness armbands, to online services such as Google or Dropbox, to social networks such as Facebook or Twitter. IoT apps rely on end-user programming, such that anyone with an active account on the platform can create and publish apps, with the majority of apps being created by third parties.We demonstrate that the most popular IoT app platforms are susceptible to attacks by malicious app makers and suggest short and longterm countermeasures for securing the apps. For short-term protection we rely on access\ua0control and suggest the apps to be classified either as exclusively private or exclusively public, disallowing in this way information from private sources to flow to public sinks.For longterm protection we rely on a principled approach for designing information flow controls. Following these principles we define projected security, a variant of noninterference that captures the attacker’s view of an app, and design two mechanisms for enforcing it. A static enforcement based on a flow-sensitive type system may be used by the platform to statically analyze the apps before being published on the app store. This enforcement covers leaks stemming from both explicit and implicit flows, but is not expressive enough to address timing attacks. Hence we design a second enforcement based on a dynamic monitor that covers the timing channels as well

Secure FaaS orchestration in the fog: how far are we?

AbstractFunction-as-a-Service (FaaS) allows developers to define, orchestrate and run modular event-based pieces of code on virtualised resources, without the burden of managing the underlying infrastructure nor the life-cycle of such pieces of code. Indeed, FaaS providers offer resource auto-provisioning, auto-scaling and pay-per-use billing at no costs for idle time. This makes it easy to scale running code and it represents an effective and increasingly adopted way to deliver software. This article aims at offering an overview of the existing literature in the field of next-gen FaaS from three different perspectives: (i) the definition of FaaS orchestrations, (ii) the execution of FaaS orchestrations in Fog computing environments, and (iii) the security of FaaS orchestrations. Our analysis identify trends and gaps in the literature, paving the way to further research on securing FaaS orchestrations in Fog computing landscapes