Biblio

Bitcoin is popular not only with consumers, but also with cybercriminals (e.g., in ransomware and online extortion, and commercial online child exploitation). Given the potential of Bitcoin to be involved in a criminal investigation, the need to have an up-to-date and in-depth understanding on the forensic acquisition and analysis of Bitcoins is crucial. However, there has been limited forensic research of Bitcoin in the literature. The general focus of existing research is on postmortem analysis of specific locations (e.g. wallets on mobile devices), rather than a forensic approach that combines live data forensics and postmortem analysis to facilitate the identification, acquisition, and analysis of forensic traces relating to the use of Bitcoins on a system. Hence, the latter is the focus of this paper where we present an open source tool for live forensic and postmortem analysing automatically. Using this open source tool, we describe a list of target artifacts that can be obtained from a forensic investigation of popular Bitcoin clients and Web Wallets on different web browsers installed on Windows 7 and Windows 10 platforms.

Web applications, as a conventional platform for sensitive data and important transactions, are of great significance to human society. But with its open source framework, the existing security vulnerabilities can easily be exploited by malicious users, especially when web developers fail to follow the secure practices. Here we present a distributed scanning system, FalconEye, with great precision and high performance, it will help prevent potential threats to Web applications. Besides, our system is also capable of covering basically all the web vulnerabilities registered in the Common Vulnerabilities and Exposures (CVE). The FalconEye system is consists of three modules, an input source module, a scanner module and a support platform module. The input module is used to improve the coverage of target server, and other modules make the system capable of generic vulnerabilities scanning. We then experimentally demonstrate this system in some of the most common vulnerabilities test environment. The results proved that the FalconEye system can be a strong contender among the various detection systems in existence today.

The software development life cycle (SDLC) starts with business and functional specifications signed with a client. In addition to this, the specifications also capture policy / procedure / contractual / regulatory / legislation / standard compliances with respect to a given client industry. The SDLC must adhere to service level agreements (SLAs) while being compliant to development activities, processes, tools, frameworks, and reuse of open-source software components. In today's world, global software development happens across geographically distributed (autonomous) teams consuming extraordinary amounts of open source components drawn from a variety of disparate sources. Although this is helping organizations deal with technical and economic challenges, it is also increasing unintended risks, e.g., use of a non-complaint license software might lead to copyright issues and litigations, use of a library with vulnerabilities pose security risks etc. Mitigation of such risks and remedial measures is a challenge due to lack of visibility and transparency of activities across these distributed teams as they mostly operate in silos. We believe a unified model that non-invasively monitors and analyzes the activities of distributed teams will help a long way in building software that adhere to various compliances. In this paper, we propose a decentralized CAG - Compliance Adherence and Governance framework using blockchain technologies. Our framework (i) enables the capturing of required data points based on compliance specifications, (ii) analyzes the events for non-conformant behavior through smart contracts, (iii) provides real-time alerts, and (iv) records and maintains an immutable audit trail of various activities.

Smart Farming is driven by the emergence of precise positioning systems and Internet of Things technologies which have already enabled site-specific applications, sustainable resource management, and interconnected machinery. Nowadays, so-called Farm Management Information Systems (FMISs) enable farm-internal interconnection of agricultural machines and implements and, thereby, allow in-field data exchange and the orchestration of collaborative agricultural processes. Machine data is often directly logged during task execution. Moreover, interconnection of farms, agricultural contractors, and marketplaces ease the collaboration. However, current FMISs lack in security and particularly in user authentication. In this paper, we present a security architecture for a decentralized, manufacturer-independent, and open-source FMIS. Special attention is turned on the Radio Frequency Identification (RFID)-based continuous user authentication which greatly improves security and credibility of automated documentation, while at the same time preserves usability in practice.

OpenSSL is an open source library that implements the Secure Socket Layer (SSL), a security protocol used by the TCP/IP layer. All cryptographic systems require random number generation for many reasons, such as cryptographic key generation and protocol challenge/response, OpenSSL is also the same. OpenSSL can be run on a variety of operating systems. especially when generating random numbers on Unix-like operating systems, it can use /dev /(u)random [6], as a seed to add randomness. In this paper, we analyze the process provided by OpenSSL when random number generation is required. We also provide considerations for application developers and OpenSSL users to use /dev/urandom and real-time clock (nanoseconds of timespec structure) as a seed to generate cryptographic random numbers in the Unix family.

Introduction of IoT is a big step towards the convergence of physical and virtual world as everyday objects are connected to the internet nowadays. But due to its diversity and resource constraint nature, the security of these devices in the real world has become a major challenge. Although a number of security frameworks have been suggested to ensure the security of IoT devices, frameworks for auditing this security are rare. We propose an open-source framework to audit the security of IoT devices covering hardware, firmware and communication vulnerabilities. Using existing open-source tools, we formulate a modular approach towards the implementation of the proposed framework. Standout features in the suggested framework are its modular design, extensibility, scalability, tools integration and primarily autonomous nature. The principal focus of the framework is to automate the process of auditing. The paper further mentions some tools that can be incorporated in different modules of the framework. Finally, we validate the feasibility of our framework by auditing an IoT device using proposed toolchain.

Security patches in open source software (OSS) not only provide security fixes to identified vulnerabilities, but also make the vulnerable code public to the attackers. Therefore, armored attackers may misuse this information to launch N-day attacks on unpatched OSS versions. The best practice for preventing this type of N-day attacks is to keep upgrading the software to the latest version in no time. However, due to the concerns on reputation and easy software development management, software vendors may choose to secretly patch their vulnerabilities in a new version without reporting them to CVE or even providing any explicit description in their change logs. When those secretly patched vulnerabilities are being identified by armored attackers, they can be turned into powerful "0-day" attacks, which can be exploited to compromise not only unpatched version of the same software, but also similar types of OSS (e.g., SSL libraries) that may contain the same vulnerability due to code clone or similar design/implementation logic. Therefore, it is critical to identify secret security patches and downgrade the risk of those "0-day" attacks to at least "n-day" attacks. In this paper, we develop a defense system and implement a toolset to automatically identify secret security patches in open source software. To distinguish security patches from other patches, we first build a security patch database that contains more than 4700 security patches mapping to the records in CVE list. Next, we identify a set of features to help distinguish security patches from non-security ones using machine learning approaches. Finally, we use code clone identification mechanisms to discover similar patches or vulnerabilities in similar types of OSS. The experimental results show our approach can achieve good detection performance. A case study on OpenSSL, LibreSSL, and BoringSSL discovers 12 secret security patches.

Software security is becoming a high priority for both large companies and start-ups alike due to the increasing potential for harm that vulnerabilities and breaches carry with them. However, attaining robust security assurance while delivering features requires a precarious balancing act in the context of agile development practices. One path forward to help aid development teams in securing their software products is through the design and development of security-focused automation. Ergo, we present a novel approach, called SecureReqNet, for automatically identifying whether issues in software issue tracking systems describe security-related content. Our approach consists of a two-phase neural net architecture that operates purely on the natural language descriptions of issues. The first phase of our approach learns high dimensional word embeddings from hundreds of thousands of vulnerability descriptions listed in the CVE database and issue descriptions extracted from open source projects. The second phase then utilizes the semantic ontology represented by these embeddings to train a convolutional neural network capable of predicting whether a given issue is security-related. We evaluated SecureReqNet by applying it to identify security-related issues from a dataset of thousands of issues mined from popular projects on GitLab and GitHub. In addition, we also applied our approach to identify security-related requirements from a commercial software project developed by a major telecommunication company. Our preliminary results are encouraging, with SecureReqNet achieving an accuracy of 96% on open source issues and 71.6% on industrial requirements.

Companies develop their software in versions and iterations. Ensuring the security of each additional version using code review is costly and time consuming. This paper investigates automated tracing of the impacts of code changes on the security of a given software. To this end, we use call graphs to model the software code, and security assurance cases to model the security requirements of the software. Then we relate assurance case elements to code through the entry point methods of the software, creating a map of monitored security functions. This mapping allows to evaluate the security requirements that are affected by code changes. The approach is implemented in a set of tools and evaluated using three open-source ERP/E-commerce software applications. The limited evaluation showed that the approach is effective in identifying the impacts of code changes on the security of the software. The approach promises to considerably reduce the security assessment time of the subsequent releases and iterations of software, keeping the initial security state throughout the software lifetime.

This paper presents a fully automated static analysis approach and a tool, Taint-Things, for the identification of tainted flows in SmartThings IoT apps. Taint-Things accurately identified all tainted flows reported by one of the state-of the-art tools with at least 4 times improved performance. In addition, our approach reports potential vulnerable tainted flow in a form of a concise security slice, which could provide security auditors with an effective and precise tool to pinpoint security issues in SmartThings apps under test.

Just like bugs in single-threaded programs can lead to vulnerabilities, bugs in multithreaded programs can also lead to concurrency attacks. We studied 31 real-world concurrency attacks, including privilege escalations, hijacking code executions, and bypassing security checks. We found that compared to concurrency bugs' traditional consequences (e.g., program crashes), concurrency attacks' consequences are often implicit, extremely hard to be observed and diagnosed by program developers. Moreover, in addition to bug-inducing inputs, extra subtle inputs are often needed to trigger the attacks. These subtle features make existing tools ineffective to detect concurrency attacks. To tackle this problem, we present OWL, the first practical tool that models general concurrency attacks' implicit consequences and automatically detects them. We implemented OWL in Linux and successfully detected five new concurrency attacks, including three confirmed and fixed by developers, and two exploited from previously known and well-studied concurrency bugs. OWL has also detected seven known concurrency attacks. Our evaluation shows that OWL eliminates 94.1% of the reports generated by existing concurrency bug detectors as false positive, greatly reducing developers' efforts on diagnosis. All OWL source code, concurrency attack exploit scripts, and results are available on github.com/hku-systems/owl.

Computational Intelligence (CI) algorithms/techniques are packaged in a variety of disparate frameworks/applications that all vary with respect to specific supported functionality and implementation decisions that drastically change performance. Developers looking to employ different CI techniques are faced with a series of trade-offs in selecting the appropriate library/framework. These include resource consumption, features, portability, interface complexity, ease of parallelization, etc. Considerations such as language compatibility and familiarity with a particular library make the choice of libraries even more difficult. The paper introduces MeetCI, an open source software framework for computational intelligence software design automation that facilitates the application design decisions and their software implementation process. MeetCI abstracts away specific framework details of CI techniques designed within a variety of libraries. This allows CI users to benefit from a variety of current frameworks without investigating the nuances of each library/framework. Using an XML file, developed in accordance with the specifications, the user can design a CI application generically, and utilize various CI software without having to redesign their entire technology stack. Switching between libraries in MeetCI is trivial and accessing the right library to satisfy a user's goals can be done easily and effectively. The paper discusses the framework's use in design of various applications. The design process is illustrated with four different examples from expert systems and machine learning domains, including the development of an expert system for security evaluation, two classification problems and a prediction problem with recurrent neural networks.

After suffering decades of high-profile attacks, the need for formal verification of security-critical software has never been clearer. Verification-oriented programming languages like F* are now being used to build high-assurance cryptographic libraries and implementations of standard protocols like TLS. In this paper, we seek to apply these verification techniques to modern Web applications, like WhatsApp, that embed sophisticated custom cryptographic components. The problem is that these components are often implemented in JavaScript, a language that is both hostile to cryptographic code and hard to reason about. So we instead target WebAssembly, a new instruction set that is supported by all major JavaScript runtimes. We present a new toolchain that compiles Low*, a low-level subset of the F* programming language, into WebAssembly. Unlike other WebAssembly compilers like Emscripten, our compilation pipeline is focused on compactness and auditability: we formalize the full translation rules in the paper and implement it in a few thousand lines of OCaml. Using this toolchain, we present two case studies. First, we build WHACL*, a WebAssembly version of the existing, verified HACL* cryptographic library. Then, we present LibSignal*, a brand new, verified implementation of the Signal protocol in WebAssembly, that can be readily used by messaging applications like WhatsApp, Skype, and Signal.

In Software Defined Networking (SDN) control plane of forwarding devices is concentrated in the SDN controller, which assumes the role of a network operating system. Big share of today's commercial SDN controllers are based on OpenDaylight, an open source SDN controller platform, whose bug repository is publicly available. In this article we provide a first insight into 8k+ bugs reported in the period over five years between March 2013 and September 2018. We first present the functional components in OpenDaylight architecture, localize the most vulnerable modules and measure their contribution to the total bug content. We provide high fidelity models that can accurately reproduce the stochastic behaviour of bug manifestation and bug removal rates, and discuss how these can be used to optimize the planning of the test effort, and to improve the software release management. Finally, we study the correlation between the code internals, derived from the Git version control system, and software defect metrics, derived from Jira issue tracker. To the best of our knowledge, this is the first study to provide a comprehensive analysis of bug characteristics in a production grade SDN controller.

Code churn has been successfully used to identify defect inducing changes in software development. Our recent analysis of the cross-release code churn showed that several design metrics exhibit moderate correlation with the number of defects in complex systems. The goal of this paper is to explore whether cross-release code churn can be used to identify critical design change and contribute to prediction of defects for software in evolution. In our case study, we used two types of data from consecutive releases of open-source projects, with and without cross-release code churn, to build standard prediction models. The prediction models were trained on earlier releases and tested on the following ones, evaluating the performance in terms of AUC, GM and effort aware measure Pop. The comparison of their performance was used to answer our research question. The obtained results showed that the prediction model performs better when cross-release code churn is included. Practical implication of this research is to use cross-release code churn to aid in safe planning of next release in software development.

Data Provenance has created an emerging requirement for technologies that enable end users to access, evaluate, and act on the provenance of data in recent years. In the era of Big Data, the amount of data created by corporations around the world has grown each year. As an example, both in the Social Media and e-Science domains, data is growing at an unprecedented rate. As the data has grown rapidly, information on the origin and lifecycle of the data has also grown. In turn, this requires technologies that enable the clarification and interpretation of data through the use of data provenance. This study proposes methodologies towards the visualization of W3C-PROV-O Specification compatible provenance data. The visualizations are done by summarization and comparison of the data provenance. We facilitated the testing of these methodologies by providing a prototype, extending an existing open source visualization tool. We discuss the usability of the proposed methodologies with an experimental study; our initial results show that the proposed approach is usable, and its processing overhead is negligible.

Smartphones have evolved over the years from simple devices to communicate with each other to fully functional portable computers although with comparatively less computational power but inholding multiple applications within. With the smartphone revolution, the value of personal data has increased. As technological complexities increase, so do the vulnerabilities in the system. Smartphones are the latest target for attacks. Android being an open source platform and also the most widely used smartphone OS draws the attention of many malware writers to exploit the vulnerabilities of it. Attackers try to take advantage of these vulnerabilities and fool the user and misuse their data. Malwares have come a long way from simple worms to sophisticated DDOS using Botnets, the latest trends in computer malware tend to go in the distributed direction, to evade the multiple anti-virus apps developed to counter generic viruses and Trojans. However, the recent trend in android system is to have a combination of applications which acts as malware. The applications are benign individually but when grouped, these may result into a malicious activity. This paper proposes a new category of distributed malware in android system, how it can be used to evade the current security, and how it can be detected with the help of graph matching algorithm.

The interconnection of networks between several techno-socio-economic sectors such as energy, transport, and communication, questions the manageability and resilience of the digital society. System interdependencies alter the fundamental dynamics that govern isolated systems, which can unexpectedly trigger catastrophic instabilities such as cascading failures. This paper envisions a general-purpose, yet simple prototyping of self-management software systems that can turn system interdependencies from a cause of instability to an opportunity for higher resilience. Such prototyping proves to be challenging given the highly interdisciplinary scope of interdependent networks. Different system dynamics and organizational constraints such as the distributed nature of interdependent networks or the autonomy and authority of system operators over their controlled infrastructure perplex the design for a general prototyping approach, which earlier work has not yet addressed. This paper contributes such a modular design solution implemented as an open source software extension of SFINA, the Simulation Framework for Intelligent Network Adaptations. The applicability of the software artifact is demonstrated with the introduction of a novel self-healing mechanism for interdependent power networks, which optimizes power flow exchanges between a damaged and a healer network to mitigate power cascading failures. Results show a significant decrease in the damage spread by self-healing synergies, while the degree of interconnectivity between the power networks indicates a tradeoff between links survivability and load served. The contributions of this paper aspire to bring closer several research communities working on modeling and simulation of different domains with an economic and societal impact on the resilience of real-world interdependent networks.

Web application technologies are growing rapidly with continuous innovation and improvements. This paper focuses on the popular Spring Boot [1] java-based framework for building web and enterprise applications and how it provides the flexibility for service-oriented architecture (SOA). One challenge with any Spring-based applications is its level of complexity with configurations. Spring Boot makes it easy to create and deploy stand-alone, production-grade Spring applications with very little Spring configuration. Example, if we consider Spring Model-View-Controller (MVC) framework [2], we need to configure dispatcher servlet, web jars, a view resolver, and component scan among other things. To solve this, Spring Boot provides several Auto Configuration options to setup the application with any needed dependencies. Another challenge is to identify the framework dependencies and associated library versions required to develop a web application. Spring Boot offers simpler dependency management by using a comprehensive, but flexible, framework and the associated libraries in one single dependency, which provides all the Spring related technology that you need for starter projects as compared to CRUD web applications. This framework provides a range of additional features that are common across many projects such as embedded server, security, metrics, health checks, and externalized configuration. Web applications are generally packaged as war and deployed to a web server, but Spring Boot application can be packaged either as war or jar file, which allows to run the application without the need to install and/or configure on the application server. In this paper, we discuss how Atmospheric Radiation Measurement (ARM) Data Center (ADC) at Oak Ridge National Laboratory, is using Spring Boot to create a SOA based REST [4] service API, that bridges the gap between frontend user interfaces and backend database. Using this REST service API, ARM scientists are now able to submit reports via a user form or a command line interface, which captures the same data quality or other important information about ARM data.

A popular form of software reuse is the use of open source software libraries hosted on centralized code repositories, such as Maven or npm. Developers only need to declare dependencies to external libraries, and automated tools make them available to the workspace of the project. Recent incidents, such as the Equifax data breach and the leftpad package removal, demonstrate the difficulty in assessing the severity, impact and spread of bugs in dependency networks. While dependency checkers are being adapted as a counter measure, they only provide indicative information. To remedy this situation, we propose a fine-grained dependency network that goes beyond packages and into call graphs. The result is a versioned ecosystem-level call graph. In this paper, we outline the process to construct the proposed graph and present a preliminary evaluation of a security issue from a core package to an affected client application.

Among the threats to information systems of state institutions, enterprises and financial organizations of particular importance are those originating from organized criminal groups that specialize in obtaining unauthorized access to the computer information protected by law. Criminal groups often possess a material base including financial, technical, human and other resources that allow to perform targeted attacks on information resources as secretly as possible. The principal features of such targeted attacks are the use of software created or modified specifically for use in illegal purposes with respect to specific organizations. Due to these circumstances, the detection of such attacks is quite difficult, and their prevention is even more complicated. In this regard, the task of identifying and analyzing such threats is very relevant. One effective way to solve it is to implement the Honeypot system, which allows to research the strategy and tactics of the attackers. In the present article, there is proposed the original architecture of the Honeypot system designed to study targeted attacks on information systems of criminogenic objects. The architectural design includes such basic elements as the functional component, the registrar of events occurring in the system and the protector. The key features of the proposed Honeypot system are considered, and the functional purpose of its main components is described. The proposed system can find its application in providing information security of institutions, organizations and enterprises, it can be used in the development of information security systems.

There are different traditional approaches to handling a large number of computers or workstations in a campus setting, ranging from imaging to virtualized environments. The common factor among the traditional approaches is to have a user workstation with a local hard drive (nonvolatile storage), scratchpad volatile memory, a CPU (Central Processing Unit) and connectivity to access resources on the network. This paper presents the use of block streaming, normally used for storage, to serve operating system and applications on-demand over the network to a workstation, also referred to as a client, a client computer, or a client workstation. In order to avoid per seat licensing, an Open Source solution is used, and in order to minimize the field maintenance and meet security privacy constraints, a workstation need not have a permanent storage such as a hard disk drive. A complete blue print, based on performance analyses, is provided to determine the type of network architecture, servers, workstations per server, and minimum workstation configuration, suitable for supporting such a solution. The results of implementing the proposed solution campus wide, supporting more than 450 workstations, are presented as well.

This research was an experimental analysis of the Intrusion Detection Systems(IDS) with Honey Pot conducting through a study of using Honey Pot in tricking, delaying or deviating the intruder to attack new media broadcasting server for IPTV system. Denial of Service(DoS) over wire network and wireless network consisted of three types of attacks: TCP Flood, UDP Flood and ICMP Flood by Honey Pot, where the Honeyd would be used. In this simulation, a computer or a server in the network map needed to be secured by the inactivity firewalls or other security tools for the intrusion of the detection systems and Honey Pot. The network intrusion detection system used in this experiment was SNORT (www.snort.org) developed in the form of the Open Source operating system-Linux. The results showed that, from every experiment, the internal attacks had shown more threat than the external attacks. In addition, attacks occurred through LAN network posted 50% more disturb than attacks occurred on WIFI. Also, the external attacks through LAN posted 95% more attacks than through WIFI. However, the number of attacks presented by TCP, UDP and ICMP were insignificant. This result has supported the assumption that Honey Pot was able to help detecting the intrusion. In average, 16% of the attacks was detected by Honey Pot in every experiment.

As one of the most commonly used protocols in VPN technology, IPsec has many advantages. However, certain difficulties are posed to the audit work by the protection of in-formation. In this paper, we propose an audit method via man-in-the-middle mechanism, and design a prototype system with DPDK technology. Experiments are implemented in an IPv4 network environment, using default configuration of IPsec VPN configured with known PSK, on operating systems such as windows 7, windows 10, Android and iOS. Experimental results show that the prototype system can obtain the effect of content auditing well without affecting the normal communication between IPsec VPN users.

This paper presents our results from identifying anddocumenting false positives generated by static code analysistools. By false positives, we mean a static code analysis toolgenerates a warning message, but the warning message isnot really an error. The goal of our study is to understandthe different kinds of false positives generated so we can (1)automatically determine if an error message is truly indeed a truepositive, and (2) reduce the number of false positives developersand testers must triage. We have used two open-source tools andone commercial tool in our study. The results of our study haveled to 14 core false positive patterns, some of which we haveconfirmed with static code analysis tool developers.