56 research outputs found
Secure Communication in Disaster Scenarios
Während Naturkatastrophen oder terroristischer Anschläge ist die bestehende Kommunikationsinfrastruktur häufig überlastet oder fällt komplett aus. In diesen Situationen können mobile Geräte mithilfe von drahtloser ad-hoc- und unterbrechungstoleranter Vernetzung miteinander verbunden werden, um ein Notfall-Kommunikationssystem für Zivilisten und Rettungsdienste einzurichten. Falls verfügbar, kann eine Verbindung zu Cloud-Diensten im Internet eine wertvolle Hilfe im Krisen- und Katastrophenmanagement sein.
Solche Kommunikationssysteme bergen jedoch ernsthafte Sicherheitsrisiken, da Angreifer versuchen könnten, vertrauliche Daten zu stehlen, gefälschte Benachrichtigungen von Notfalldiensten einzuspeisen oder Denial-of-Service (DoS) Angriffe durchzuführen. Diese Dissertation schlägt neue Ansätze zur Kommunikation in Notfallnetzen von mobilen Geräten vor, die von der Kommunikation zwischen Mobilfunkgeräten bis zu Cloud-Diensten auf Servern im Internet reichen. Durch die Nutzung dieser Ansätze werden die Sicherheit der Geräte-zu-Geräte-Kommunikation, die Sicherheit von Notfall-Apps auf mobilen Geräten und die Sicherheit von Server-Systemen für Cloud-Dienste verbessert
To Fix or Not to Fix: A Critical Study of Crypto-misuses in the Wild
Recent studies have revealed that 87 % to 96 % of the Android apps using
cryptographic APIs have a misuse which may cause security vulnerabilities. As
previous studies did not conduct a qualitative examination of the validity and
severity of the findings, our objective was to understand the findings in more
depth. We analyzed a set of 936 open-source Java applications for cryptographic
misuses. Our study reveals that 88.10 % of the analyzed applications fail to
use cryptographic APIs securely. Through our manual analysis of a random
sample, we gained new insights into effective false positives. For example,
every fourth misuse of the frequently misused JCA class MessageDigest is an
effective false positive due to its occurrence in a non-security context. As we
wanted to gain deeper insights into the security implications of these misuses,
we created an extensive vulnerability model for cryptographic API misuses. Our
model includes previously undiscussed attacks in the context of cryptographic
APIs such as DoS attacks. This model reveals that nearly half of the misuses
are of high severity, e.g., hard-coded credentials and potential
Man-in-the-Middle attacks.Comment: 8 pages, published in 2022 IEEE International Conference on Trust,
Security and Privacy in Computing and Communications (TrustCom), December
09-11, 2022, Wuhan, Chin
UNGOML: Automated Classification of unsafe Usages in Go
The Go programming language offers strong protection from memory corruption.
As an escape hatch of these protections, it provides the unsafe package.
Previous studies identified that this unsafe package is frequently used in
real-world code for several purposes, e.g., serialization or casting types. Due
to the variety of these reasons, it may be possible to refactor specific usages
to avoid potential vulnerabilities. However, the classification of unsafe
usages is challenging and requires the context of the call and the program's
structure. In this paper, we present the first automated classifier for unsafe
usages in Go, UNGOML, to identify what is done with the unsafe package and why
it is used. For UNGOML, we built four custom deep learning classifiers trained
on a manually labeled data set. We represent Go code as enriched control-flow
graphs (CFGs) and solve the label prediction task with one single-vertex and
three context-aware classifiers. All three context-aware classifiers achieve a
top-1 accuracy of more than 86% for both dimensions, WHAT and WHY. Furthermore,
in a set-valued conformal prediction setting, we achieve accuracies of more
than 93% with mean label set sizes of 2 for both dimensions. Thus, UNGOML can
be used to efficiently filter unsafe usages for use cases such as refactoring
or a security audit. UNGOML: https://github.com/stg-tud/ungoml Artifact:
https://dx.doi.org/10.6084/m9.figshare.22293052Comment: 13 pages, accepted at the 2023 IEEE/ACM 20th International Conference
on Mining Software Repositories (MSR 2023
DTN7: An Open-Source Disruption-tolerant Networking Implementation of Bundle Protocol 7
In disruption-tolerant networking (DTN), data is transmitted in a
store-carry-forward fashion from network node to network node. In this paper,
we present an open source DTN implementation, called DTN7, of the recently
released Bundle Protocol Version 7 (draft version 13). DTN7 is written in Go
and provides features like memory safety and concurrent execution. With its
modular design and interchangeable components, DTN7 facilitates DTN research
and application development. Furthermore, we present results of a comparative
experimental evaluation of DTN7 and other DTN systems including Serval,
IBR-DTN, and Forban. Our results indicate that DTN7 is a flexible and efficient
open-source multi-platform implementation of the most recent Bundle Protocol
Version 7.Comment: 18th International Conference on Ad Hoc Networks and Wireless
(AdHoc-Now 2019
Smart Street Lights and Mobile Citizen Apps for Resilient Communication in a Digital City
Currently, nearly four billion people live in urban areas. Since this trend
is increasing, natural disasters or terrorist attacks in such areas affect an
increasing number of people. While information and communication technology is
crucial for the operation of urban infrastructures and the well-being of its
inhabitants, current technology is quite vulnerable to disruptions of various
kinds. In future smart cities, a more resilient urban infrastructure is
imperative to handle the increasing number of hazardous situations. We present
a novel resilient communication approach based on smart street lights as part
of the public infrastructure. It supports people in their everyday life and
adapts its functionality to the challenges of emergency situations. Our
approach relies on various environmental sensors and in-situ processing for
automatic situation assessment, and a range of communication mechanisms (e.g.,
public WiFi hotspot functionality and mesh networking) for maintaining a
communication network. Furthermore, resilience is not only achieved based on
infrastructure deployed by a digital city's municipality, but also based on
integrating citizens through software that runs on their mobile devices (e.g.,
smartphones and tablets). Web-based zero-installation and platform-agnostic
apps can switch to device-to-device communication to continue benefiting people
even during a disaster situation. Our approach, featuring a covert channel for
professional responders and the zero-installation app, is evaluated through a
prototype implementation based on a commercially available street light.Comment: 2019 IEEE Global Humanitarian Technology Conference (GHTC
ReactiFi: Reactive Programming of Wi-Fi Firmware on Mobile Devices
Network programmability will be required to handle future increased network
traffic and constantly changing application needs. However, there is currently
no way of using a high-level, easy to use programming language to program Wi-Fi
firmware. This impedes rapid prototyping and deployment of novel network
services/applications and hinders continuous performance optimization in Wi-Fi
networks, since expert knowledge is required for both the used hardware
platforms and the Wi-Fi domain. In this paper, we present ReactiFi, a
high-level reactive programming language to program Wi-Fi chips on mobile
consumer devices. ReactiFi enables programmers to implement extensions of PHY,
MAC, and IP layer mechanisms without requiring expert knowledge of Wi-Fi chips,
allowing for novel applications and network protocols. ReactiFi programs are
executed directly on the Wi-Fi chip, improving performance and power
consumption compared to execution on the main CPU. ReactiFi is conceptually
similar to functional reactive languages, but is dedicated to the
domain-specific needs of Wi-Fi firmware. First, it handles low-level
platform-specific details without interfering with the core functionality of
Wi-Fi chips. Second, it supports static reasoning about memory usage of
applications, which is important for typically memory-constrained Wi-Fi chips.
Third, it limits dynamic changes of dependencies between computations to
dynamic branching, in order to enable static reasoning about the order of
computations. We evaluate ReactiFi empirically in two real-world case studies.
Our results show that throughput, latency, and power consumption are
significantly improved when executing applications on the Wi-Fi chip rather
than in the operating system kernel or in user space. Moreover, we show that
the high-level programming abstractions of ReactiFi have no performance
overhead compared to manually written C code
Secure Communication in Disaster Scenarios
Während Naturkatastrophen oder terroristischer Anschläge ist die bestehende Kommunikationsinfrastruktur häufig überlastet oder fällt komplett aus. In diesen Situationen können mobile Geräte mithilfe von drahtloser ad-hoc- und unterbrechungstoleranter Vernetzung miteinander verbunden werden, um ein Notfall-Kommunikationssystem für Zivilisten und Rettungsdienste einzurichten. Falls verfügbar, kann eine Verbindung zu Cloud-Diensten im Internet eine wertvolle Hilfe im Krisen- und Katastrophenmanagement sein.
Solche Kommunikationssysteme bergen jedoch ernsthafte Sicherheitsrisiken, da Angreifer versuchen könnten, vertrauliche Daten zu stehlen, gefälschte Benachrichtigungen von Notfalldiensten einzuspeisen oder Denial-of-Service (DoS) Angriffe durchzuführen. Diese Dissertation schlägt neue Ansätze zur Kommunikation in Notfallnetzen von mobilen Geräten vor, die von der Kommunikation zwischen Mobilfunkgeräten bis zu Cloud-Diensten auf Servern im Internet reichen. Durch die Nutzung dieser Ansätze werden die Sicherheit der Geräte-zu-Geräte-Kommunikation, die Sicherheit von Notfall-Apps auf mobilen Geräten und die Sicherheit von Server-Systemen für Cloud-Dienste verbessert
- …