Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Response

Considerable delays often exist between the discovery of a vulnerability and the issue of a patch. One way to mitigate this window of vulnerability is to use a configuration workaround, which prevents the vulnerable code from being executed at the cost of some lost functionality -- but only if one is available. Since program configurations are not specifically designed to mitigate software vulnerabilities, we find that they only cover 25.2% of vulnerabilities. To minimize patch delay vulnerabilities and address the limitations of configuration workarounds, we propose Security Workarounds for Rapid Response (SWRRs), which are designed to neutralize security vulnerabilities in a timely, secure, and unobtrusive manner. Similar to configuration workarounds, SWRRs neutralize vulnerabilities by preventing vulnerable code from being executed at the cost of some lost functionality. However, the key difference is that SWRRs use existing error-handling code within programs, which enables them to be mechanically inserted with minimal knowledge of the program and minimal developer effort. This allows SWRRs to achieve high coverage while still being fast and easy to deploy. We have designed and implemented Talos, a system that mechanically instruments SWRRs into a given program, and evaluate it on five popular Linux server programs. We run exploits against 11 real-world software vulnerabilities and show that SWRRs neutralize the vulnerabilities in all cases. Quantitative measurements on 320 SWRRs indicate that SWRRs instrumented by Talos can neutralize 75.1% of all potential vulnerabilities and incur a loss of functionality similar to configuration workarounds in 71.3% of those cases. Our overall conclusion is that automatically generated SWRRs can safely mitigate 2.1x more vulnerabilities, while only incurring a loss of functionality comparable to that of traditional configuration workarounds.Comment: Published in Proceedings of the 37th IEEE Symposium on Security and Privacy (Oakland 2016

Using Context and Interactions to Verify User-Intended Network Requests

Client-side malware can attack users by tampering with applications or user interfaces to generate requests that users did not intend. We propose Verified Intention (VInt), which ensures a network request, as received by a service, is user-intended. VInt is based on "seeing what the user sees" (context). VInt screenshots the user interface as the user interacts with a security-sensitive form. There are two main components. First, VInt ensures output integrity and authenticity by validating the context, ensuring the user sees correctly rendered information. Second, VInt extracts user-intended inputs from the on-screen user-provided inputs, with the assumption that a human user checks what they entered. Using the user-intended inputs, VInt deems a request to be user-intended if the request is generated properly from the user-intended inputs while the user is shown the correct information. VInt is implemented using image analysis and Optical Character Recognition (OCR). Our evaluation shows that VInt is accurate and efficient

LIBRARY SELF SERVICE SYSTEM USING NFC AND 2FA GOOGLE AUTHENTICATOR

The implementation of a self-service system is already used by many libraries, mainly on self-loan books. Self-service generally only uses RFID as a medium for identifying members and borrowed books, but using RFID alone as the head of the identification process may lead to many crimes such as using someone else's member card to borrow books, scam, and so on. This study aims to propose a new business process for self loan books from the library by combining NFC or RFID technology and 2FA (two-factor authentication) to minimize the crimes such as fraudulence, scams, and so on. The results showed that the system or prototype could work and function properly. The process of reading NFC tags and the use of 2F also runs quickly and safely

Perancangan Kampanye Pengenalan Zero Waste untuk Anak Usia 7-12 Tahun

Zero waste merupakan sebuah prinsip atau gaya hidup yang diterapkan dalam kehidupan sehari-hari masyarakat untuk mencapai tujuan bebas atau nol sampah. Menurut United States Environmental Protection Agency (APA), zero waste merupakan suatu prinsip pada abad ke-21 dengan meminimalkan penghasilan limbah, mengurangi konsumsi, dan memastikan bahwa produk yang dibuat untuk digunakan kembali, diperbaiki, atau didaur ulang kembali. Bedasarkan hasil wawancara yang dilakukan penulis suatu pembentukan gaya hidup lebih tepat diajarkan kepada anak dalam masa perkembangan. Namun bedasarkan hasil kuesioner penulis, masih banyak dari anak-anak Indonesia yang belum mengetahui dan belum menerapkan gaya hidup zero waste, sedangkan tingginya angka permasalahan sampah yang ada di Indonesia terus meningkat pada setiap tahunnya. Karena itu penulis ingin merancang suatu kampanye pengenalan gaya hidup zero waste kepada anak berumur 7-12 tahun sebagai solusi agar dapat mengurangi permasalahan sampah yang ada di Indonesia melalui penerapan gaya hidup zero waste