Visible to the public Biblio

Filters: Keyword is Writing  [Clear All Filters]
2023-07-21
Wang, Juan, Ma, Chenjun, Li, Ziang, Yuan, Huanyu, Wang, Jie.  2022.  ProcGuard: Process Injection Behaviours Detection Using Fine-grained Analysis of API Call Chain with Deep Learning. 2022 IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). :778—785.

New malware increasingly adopts novel fileless techniques to evade detection from antivirus programs. Process injection is one of the most popular fileless attack techniques. This technique makes malware more stealthy by writing malicious code into memory space and reusing the name and port of the host process. It is difficult for traditional security software to detect and intercept process injections due to the stealthiness of its behavior. We propose a novel framework called ProcGuard for detecting process injection behaviors. This framework collects sensitive function call information of typical process injection. Then we perform a fine-grained analysis of process injection behavior based on the function call chain characteristics of the program, and we also use the improved RCNN network to enhance API analysis on the tampered memory segments. We combine API analysis with deep learning to determine whether a process injection attack has been executed. We collect a large number of malicious samples with process injection behavior and construct a dataset for evaluating the effectiveness of ProcGuard. The experimental results demonstrate that it achieves an accuracy of 81.58% with a lower false-positive rate compared to other systems. In addition, we also evaluate the detection time and runtime performance loss metrics of ProcGuard, both of which are improved compared to previous detection tools.

2023-06-02
Singh, Hoshiyar, Balamurgan, K M.  2022.  Implementation of Privacy and Security in the Wireless Networks. 2022 International Conference on Futuristic Technologies (INCOFT). :1—6.

The amount of information that is shared regularly has increased as a direct result of the rapid development of network administrators, Web of Things-related devices, and online users. Cybercriminals constantly work to gain access to the data that is stored and transferred online in order to accomplish their objectives, whether those objectives are to sell the data on the dark web or to commit another type of crime. After conducting a thorough writing analysis of the causes and problems that arise with wireless networks’ security and privacy, it was discovered that there are a number of factors that can make the networks unpredictable, particularly those that revolve around cybercriminals’ evolving skills and the lack of significant bodies’ efforts to combat them. It was observed. Wireless networks have a built-in security flaw that renders them more defenceless against attack than their wired counterparts. Additionally, problems arise in networks with hub mobility and dynamic network geography. Additionally, inconsistent availability poses unanticipated problems, whether it is accomplished through mobility or by sporadic hub slumber. In addition, it is difficult, if not impossible, to implement recently developed security measures due to the limited resources of individual hubs. Large-scale problems that arise in relation to wireless networks and flexible processing are examined by the Wireless Correspondence Network Security and Privacy research project. A few aspects of security that are taken into consideration include confirmation, access control and approval, non-disavowal, privacy and secrecy, respectability, and inspection. Any good or service should be able to protect a client’s personal information. an approach that emphasises quality, implements strategy, and uses a poll as a research tool for IT and public sector employees. This strategy reflects a higher level of precision in IT faculties.

2023-05-12
Croitoru, Adrian-Florin, Stîngă, Florin, Marian, Marius.  2022.  A Case Study for Designing a Secure Communication Protocol over a Controller Area Network. 2022 26th International Conference on System Theory, Control and Computing (ICSTCC). :47–51.
This paper presents a case study for designing and implementing a secure communication protocol over a Controller Area Network (CAN). The CAN based protocol uses a hybrid encryption method on a relatively simple hardware / software environment. Moreover, the blockchain technology is proposed as a working solution to provide an extra secure level of the proposed system.
ISSN: 2372-1618
2023-04-14
Pise, Rohini, Patil, Sonali.  2022.  A Deep Dive into Blockchain-based Smart Contract-specific Security Vulnerabilities. 2022 IEEE International Conference on Blockchain and Distributed Systems Security (ICBDS). :1–6.
Blockchain smart contracts are prevalent nowadays as numerous applications are developed based on this feature. Though smart contracts are important and widely used, they contain certain vulnerabilities. This paper discusses various security issues that arise in smart contract applications. They are categorized in the smart contract platform, the applications that integrate with the Blockchain, and the vulnerabilities in smart contract code. A detailed study of smart contract-specific vulnerabilities and the defense against those vulnerabilities are presented in this article. Because of certain limitations of platforms or programming language used to write smart contract, there are possibilities of attacks on smart contracts. Hence different security measures or precautions to be taken while writing the smart contract code is discussed in this article. This will prevent the potential attacks happening on Blockchain distributed applications.
Yuvaraj, D., Anitha, M, Singh, Brijesh, Karyemsetty, Nagarjuna, Krishnamoorthy, R., Arun, S..  2022.  Systematic Review of Security Authentication based on Block Chain. 2022 3rd International Conference on Smart Electronics and Communication (ICOSEC). :768–771.
One of the fifth generation’s most promising solutions for addressing the network system capacity issue is the ultra-dense network. However, a new problem arises because the user equipment secure access is made up of access points that are independent, transitory, and dynamic. The APs are independent and equal in this. It is possible to think of it as a decentralized access network. The access point’s coverage is less than the standard base stations. The user equipment will interface with access points more frequently as it moves, which is a problem. The current 4G Authentication and Key Agreement method, however, is unable to meet this need for quick and frequent authentication. This study means to research how blockchain innovation is being utilized in production network the executives, as well as its forthcoming purposes and arising patterns. To more readily comprehend the direction of important exploration and illuminate the benefits, issues, and difficulties in the blockchain-production network worldview, a writing overview and a logical evaluation of the current examination on blockchain-based supply chains were finished. Multifaceted verification strategies have as of late been utilized as possible guards against blockchain attacks. To further develop execution, scatter administration, and mechanize processes, inventory network tasks might be upset utilizing blockchain innovation
2023-03-03
Shrestha, Raj, Leinonen, Juho, Zavgorodniaia, Albina, Hellas, Arto, Edwards, John.  2022.  Pausing While Programming: Insights From Keystroke Analysis. 2022 IEEE/ACM 44th International Conference on Software Engineering: Software Engineering Education and Training (ICSE-SEET). :187–198.
Pauses in typing are generally considered to indicate cognitive processing and so are of interest in educational contexts. While much prior work has looked at typing behavior of Computer Science students, this paper presents results of a study specifically on the pausing behavior of students in Introductory Computer Programming. We investigate the frequency of pauses of different lengths, what last actions students take before pausing, and whether there is a correlation between pause length and performance in the course. We find evidence that frequency of pauses of all lengths is negatively correlated with performance, and that, while some keystrokes initiate pauses consistently across pause lengths, other keystrokes more commonly initiate short or long pauses. Clustering analysis discovers two groups of students, one that takes relatively fewer mid-to-long pauses and performs better on exams than the other.
2023-02-17
Vélez, Tatiana Castro, Khatchadourian, Raffi, Bagherzadeh, Mehdi, Raja, Anita.  2022.  Challenges in Migrating Imperative Deep Learning Programs to Graph Execution: An Empirical Study. 2022 IEEE/ACM 19th International Conference on Mining Software Repositories (MSR). :469–481.
Efficiency is essential to support responsiveness w.r.t. ever-growing datasets, especially for Deep Learning (DL) systems. DL frameworks have traditionally embraced deferred execution-style DL code that supports symbolic, graph-based Deep Neural Network (DNN) computation. While scalable, such development tends to produce DL code that is error-prone, non-intuitive, and difficult to debug. Consequently, more natural, less error-prone imperative DL frameworks encouraging eager execution have emerged at the expense of run-time performance. While hybrid approaches aim for the “best of both worlds,” the challenges in applying them in the real world are largely unknown. We conduct a data-driven analysis of challenges-and resultant bugs-involved in writing reliable yet performant imperative DL code by studying 250 open-source projects, consisting of 19.7 MLOC, along with 470 and 446 manually examined code patches and bug reports, respectively. The results indicate that hybridization: (i) is prone to API misuse, (ii) can result in performance degradation-the opposite of its intention, and (iii) has limited application due to execution mode incompatibility. We put forth several recommendations, best practices, and anti-patterns for effectively hybridizing imperative DL code, potentially benefiting DL practitioners, API designers, tool developers, and educators.
ISSN: 2574-3864
2023-01-13
Lin, Xinrong, Hua, Baojian, Fan, Qiliang.  2022.  On the Security of Python Virtual Machines: An Empirical Study. 2022 IEEE International Conference on Software Maintenance and Evolution (ICSME). :223—234.
Python continues to be one of the most popular programming languages and has been used in many safety-critical fields such as medical treatment, autonomous driving systems, and data science. These fields put forward higher security requirements to Python ecosystems. However, existing studies on machine learning systems in Python concentrate on data security, model security and model privacy, and just assume the underlying Python virtual machines (PVMs) are secure and trustworthy. Unfortunately, whether such an assumption really holds is still unknown.This paper presents, to the best of our knowledge, the first and most comprehensive empirical study on the security of CPython, the official and most deployed Python virtual machine. To this end, we first designed and implemented a software prototype dubbed PVMSCAN, then use it to scan the source code of the latest CPython (version 3.10) and other 10 versions (3.0 to 3.9), which consists of 3,838,606 lines of source code. Empirical results give relevant findings and insights towards the security of Python virtual machines, such as: 1) CPython virtual machines are still vulnerable, for example, PVMSCAN detected 239 vulnerabilities in version 3.10, including 55 null dereferences, 86 uninitialized variables and 98 dead stores; Python/C API-related vulnerabilities are very common and have become one of the most severe threats to the security of PVMs: for example, 70 Python/C API-related vulnerabilities are identified in CPython 3.10; 3) the overall quality of the code remained stable during the evolution of Python VMs with vulnerabilities per thousand line (VPTL) to be 0.50; and 4) automatic vulnerability rectification is effective: 166 out of 239 (69.46%) vulnerabilities can be rectified by a simple yet effective syntax-directed heuristics.We have reported our empirical results to the developers of CPython, and they have acknowledged us and already confirmed and fixed 2 bugs (as of this writing) while others are still being analyzed. This study not only demonstrates the effectiveness of our approach, but also highlights the need to improve the reliability of infrastructures like Python virtual machines by leveraging state-of-the-art security techniques and tools.
2023-01-06
Ham, MyungJoo, Woo, Sangjung, Jung, Jaeyun, Song, Wook, Jang, Gichan, Ahn, Yongjoo, Ahn, Hyoungjoo.  2022.  Toward Among-Device AI from On-Device AI with Stream Pipelines. 2022 IEEE/ACM 44th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP). :285—294.
Modern consumer electronic devices often provide intelligence services with deep neural networks. We have started migrating the computing locations of intelligence services from cloud servers (traditional AI systems) to the corresponding devices (on-device AI systems). On-device AI systems generally have the advantages of preserving privacy, removing network latency, and saving cloud costs. With the emergence of on-device AI systems having relatively low computing power, the inconsistent and varying hardware resources and capabilities pose difficulties. Authors' affiliation has started applying a stream pipeline framework, NNStreamer, for on-device AI systems, saving developmental costs and hardware resources and improving performance. We want to expand the types of devices and applications with on-device AI services products of both the affiliation and second/third parties. We also want to make each AI service atomic, re-deployable, and shared among connected devices of arbitrary vendors; we now have yet another requirement introduced as it always has been. The new requirement of “among-device AI” includes connectivity between AI pipelines so that they may share computing resources and hardware capabilities across a wide range of devices regardless of vendors and manufacturers. We propose extensions of the stream pipeline framework, NNStreamer, for on-device AI so that NNStreamer may provide among-device AI capability. This work is a Linux Foundation (LF AI & Data) open source project accepting contributions from the general public.
2022-12-06
Buzura, Sorin, Dadarlat, Vasile, Peculea, Adrian, Bertrand, Hugo, Chevalier, Raphaël.  2022.  Simulation Framework for 6LoWPAN Networks Using Mininet-WiFi. 2022 IEEE International Conference on Automation, Quality and Testing, Robotics (AQTR). :1-5.

The Internet of Things (IoT) continuously grows as applications require connectivity and sensor networks are being deployed in multiple application domains. With the increased applicability demand, the need for testing and development frameworks also increases. This paper presents a novel simulation framework for testing IPv6 over Low Power Wireless Personal Networks (6LoWPAN) networks using the Mininet-WiFi simulator. The goal of the simulation framework is to allow easier automation testing of large-scale networks and to also allow easy configuration. This framework is a starting point for many development scenarios targeting traffic management, Quality of Service (QoS) or security network features. A basic smart city simulation is presented which demonstrates the working principles of the framework.

2022-10-20
Liu, Wenyuan, Wang, Jian.  2021.  Research on image steganography information detection based on support vector machine. 2021 6th International Conference on Intelligent Computing and Signal Processing (ICSP). :631—635.
With the rapid development of the internet of things and cloud computing, users can instantly transmit a large amount of data to various fields, with the development of communication technology providing convenience for people's life, information security is becoming more and more important. Therefore, it is of great significance to study the technology of image hiding information detection. This paper mainly uses the support vector machine learning algorithm to detect the hidden information of the image, based on a standard image library, randomly selecting images for embedding secret information. According to the bit-plane correlation and the gradient energy change of a single bit-plane after encryption of an image LSB matching algorithm, gradient energy change is selected as characteristic change, and the gradient energy change is innovatively applied to a support vector machine classifier algorithm, and has very good detection effect and good stability on the dense image with the embedding rate of more than 40 percent.
2022-09-30
Baptiste, Millot, Julien, Francq, Franck, Sicard.  2021.  Systematic and Efficient Anomaly Detection Framework using Machine Learning on Public ICS Datasets. 2021 IEEE International Conference on Cyber Security and Resilience (CSR). :292–297.
Industrial Control Systems (ICSs) are used in several domains such as Transportation, Manufacturing, Defense and Power Generation and Distribution. ICSs deal with complex physical systems in order to achieve an industrial purpose with operational safety. Security has not been taken into account by design in these systems that makes them vulnerable to cyberattacks.In this paper, we rely on existing public ICS datasets as well as on the existing literature of Machine Learning (ML) applications for anomaly detection in ICSs in order to improve detection scores. To perform this purpose, we propose a systematic framework, relying on established ML algorithms and suitable data preprocessing methods, which allows us to quickly get efficient, and surprisingly, better results than the literature. Finally, some recommendations for future public ICS dataset generations end this paper, which would be fruitful for improving future attack detection models and then protect new ICSs designed in the next future.
2022-09-09
Gonçalves, Luís, Vimieiro, Renato.  2021.  Approaching authorship attribution as a multi-view supervised learning task. 2021 International Joint Conference on Neural Networks (IJCNN). :1—8.
Authorship attribution is the problem of identifying the author of texts based on the author's writing style. It is usually assumed that the writing style contains traits inaccessible to conscious manipulation and can thus be safely used to identify the author of a text. Several style markers have been proposed in the literature, nevertheless, there is still no consensus on which best represent the choices of authors. Here we assume an agnostic viewpoint on the dispute for the best set of features that represents an author's writing style. We rather investigate how different sources of information may unveil different aspects of an author's style, complementing each other to improve the overall process of authorship attribution. For this we model authorship attribution as a multi-view learning task. We assess the effectiveness of our proposal applying it to a set of well-studied corpora. We compare the performance of our proposal to the state-of-the-art approaches for authorship attribution. We thoroughly analyze how the multi-view approach improves on methods that use a single data source. We confirm that our approach improves both in accuracy and consistency of the methods and discuss how these improvements are beneficial for linguists and domain specialists.
Saini, Anu, Sri, Manepalli Ratna, Thakur, Mansi.  2021.  Intrinsic Plagiarism Detection System Using Stylometric Features and DBSCAN. 2021 International Conference on Computing, Communication, and Intelligent Systems (ICCCIS). :13—18.
Plagiarism is the act of using someone else’s words or ideas without giving them due credit and representing it as one’s own work. In today's world, it is very easy to plagiarize others' work due to advancement in technology, especially by the use of the Internet or other offline sources such as books or magazines. Plagiarism can be classified into two broad categories on the basis of detection namely extrinsic and intrinsic plagiarism. Extrinsic plagiarism detection refers to detecting plagiarism in a document by comparing it against a given reference dataset, whereas, Intrinsic plagiarism detection refers to detecting plagiarism with the help of variation in writing styles without using any reference corpus. Although there are many approaches which can be adopted to detect extrinsic plagiarism, few are available for intrinsic plagiarism detection. In this paper, a simplified approach is proposed for developing an intrinsic plagiarism detector which is helpful in detecting plagiarism even when no reference corpus is available. The approach deals with development of an intrinsic plagiarism detection system by identifying the writing style of authors in the document using stylometric features and Density-Based Spatial Clustering of Applications with Noise (DBSCAN) clustering. The proposed system has an easy to use interactive interface where user has to upload a text document to be checked for plagiarism and the result is displayed on the web page itself. In addition, the user can also see the analysis of the document in the form of graphs.
Cardaioli, Matteo, Conti, Mauro, Sorbo, Andrea Di, Fabrizio, Enrico, Laudanna, Sonia, Visaggio, Corrado A..  2021.  It’s a Matter of Style: Detecting Social Bots through Writing Style Consistency. 2021 International Conference on Computer Communications and Networks (ICCCN). :1—9.
Social bots are computer algorithms able to produce content and interact with other users on social media autonomously, trying to emulate and possibly influence humans’ behavior. Indeed, bots are largely employed for malicious purposes, like spreading disinformation and conditioning electoral campaigns. Nowadays, bots’ capability of emulating human behaviors has become increasingly sophisticated, making their detection harder. In this paper, we aim at recognizing bot-driven accounts by evaluating the consistency of users’ writing style over time. In particular, we leverage the intuition that while bots compose posts according to fairly deterministic processes, humans are influenced by subjective factors (e.g., emotions) that can alter their writing style. To verify this assumption, by using stylistic consistency indicators, we characterize the writing style of more than 12,000 among bot-driven and human-operated Twitter accounts and find that statistically significant differences can be observed between the different types of users. Thus, we evaluate the effectiveness of different machine learning (ML) algorithms based on stylistic consistency features in discerning between human-operated and bot-driven Twitter accounts and show that the experimented ML algorithms can achieve high performance (i.e., F-measure values up to 98%) in social bot detection tasks.
Khan, Aazar Imran, Jain, Samyak, Sharma, Purushottam, Deep, Vikas, Mehrotra, Deepti.  2021.  Stylometric Analysis of Writing Patterns Using Artificial Neural Networks. 2021 International Conference on Innovation and Intelligence for Informatics, Computing, and Technologies (3ICT). :29—35.
Plagiarism checkers have been widely used to verify the authenticity of dissertation/project submissions. However, when non-verbatim plagiarism or online examinations are considered, this practice is not the best solution. In this work, we propose a better authentication system for online examinations that analyses the submitted text's stylometry for a match of writing pattern of the author by whom the text was submitted. The writing pattern is analyzed over many indicators (i.e., features of one's writing style). This model extracts 27 such features and stores them as the writing pattern of an individual. Stylometric Analysis is a better approach to verify a document's authorship as it doesn't check for plagiarism, but verifies if the document was written by a particular individual and hence completely shuts down the possibility of using text-convertors or translators. This paper also includes a brief comparative analysis of some simpler algorithms for the same problem statement. These algorithms yield results that vary in precision and accuracy and hence plotting a conclusion from the comparison shows that the best bet to tackle this problem is through Artificial Neural Networks.
Teodorescu, Horia-Nicolai.  2021.  Applying Chemical Linguistics and Stylometry for Deriving an Author’s Scientific Profile. 2021 International Symposium on Signals, Circuits and Systems (ISSCS). :1—4.
The study exercises computational linguistics, specifically chemical linguistics methods for profiling an author. We analyze the vocabulary and the style of the titles of the most visible works of Cristofor I. Simionescu, an internationally well-known chemist, for detecting specific patterns of his research interests and methods. Somewhat surprisingly, while the tools used are elementary and there is only a small number of words in the analysis, some interesting details emerged about the work of the analyzed personality. Some of these aspects were confirmed by experts in the field. We believe this is the first study aiming to author profiling in chemical linguistics, moreover the first to question the usefulness of Google Scholar for author profiling.
2022-08-12
Camenisch, Jan, Dubovitskaya, Maria, Rial, Alfredo.  2021.  Concise UC Zero-Knowledge Proofs for Oblivious Updatable Databases. 2021 IEEE 34th Computer Security Foundations Symposium (CSF). :1–16.
We propose an ideal functionality FCD and a construction ΠCD for oblivious and updatable committed databases. FCD allows a prover P to read, write, and update values in a database and to prove to a verifier V in zero-knowledge (ZK) that a value is read from or written into a certain position. The following properties must hold: (1) values stored in the database remain hidden from V; (2) a value read from a certain position is equal to the value previously written into that position; (3) (obliviousness) both the value read or written and its position remain hidden from V.ΠCD is based on vector commitments. After the initialization phase, the cost of read and write operations is independent of the database size, outperforming other techniques that achieve cost sublinear in the dataset size for prover and/or verifier. Therefore, our construction is especially appealing for large datasets. In existing “commit-and-prove” two-party protocols, the task of maintaining a committed database between P and V and reading and writing values into it is not separated from the task of proving statements about the values read or written. FCD allows us to improve modularity in protocol design by separating those tasks. In comparison to simply using a commitment scheme to maintain a committed database, FCD allows P to hide efficiently the positions read or written from V. Thanks to this property, we design protocols for e.g. privacy-preserving e-commerce and location-based services where V gathers aggregate statistics about the statements that P proves in ZK.
2022-07-12
Ivanov, Michael A., Kliuchnikova, Bogdana V., Chugunkov, Ilya V., Plaksina, Anna M..  2021.  Phishing Attacks and Protection Against Them. 2021 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering (ElConRus). :425—428.
Phishing, ransomware and cryptojacking are the main threats to cyber security in recent years. We consider the stages of phishing attacks, examples of such attacks, specifically, attacks using ransomware, malicious PDF files, and banking trojans. The article describes the specifics of phishing emails. Advices on phishing protection are given.
2022-05-19
Zhang, Feng, Pan, Zaifeng, Zhou, Yanliang, Zhai, Jidong, Shen, Xipeng, Mutlu, Onur, Du, Xiaoyong.  2021.  G-TADOC: Enabling Efficient GPU-Based Text Analytics without Decompression. 2021 IEEE 37th International Conference on Data Engineering (ICDE). :1679–1690.
Text analytics directly on compression (TADOC) has proven to be a promising technology for big data analytics. GPUs are extremely popular accelerators for data analytics systems. Unfortunately, no work so far shows how to utilize GPUs to accelerate TADOC. We describe G-TADOC, the first framework that provides GPU-based text analytics directly on compression, effectively enabling efficient text analytics on GPUs without decompressing the input data. G-TADOC solves three major challenges. First, TADOC involves a large amount of dependencies, which makes it difficult to exploit massive parallelism on a GPU. We develop a novel fine-grained thread-level workload scheduling strategy for GPU threads, which partitions heavily-dependent loads adaptively in a fine-grained manner. Second, in developing G-TADOC, thousands of GPU threads writing to the same result buffer leads to inconsistency while directly using locks and atomic operations lead to large synchronization overheads. We develop a memory pool with thread-safe data structures on GPUs to handle such difficulties. Third, maintaining the sequence information among words is essential for lossless compression. We design a sequence-support strategy, which maintains high GPU parallelism while ensuring sequence information. Our experimental evaluations show that G-TADOC provides 31.1× average speedup compared to state-of-the-art TADOC.
2022-04-19
Wang, Pei, Bangert, Julian, Kern, Christoph.  2021.  If It’s Not Secure, It Should Not Compile: Preventing DOM-Based XSS in Large-Scale Web Development with API Hardening. 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE). :1360–1372.
With tons of efforts spent on its mitigation, Cross-site scripting (XSS) remains one of the most prevalent security threats on the internet. Decades of exploitation and remediation demonstrated that code inspection and testing alone does not eliminate XSS vulnerabilities in complex web applications with a high degree of confidence. This paper introduces Google's secure-by-design engineering paradigm that effectively prevents DOM-based XSS vulnerabilities in large-scale web development. Our approach, named API hardening, enforces a series of company-wide secure coding practices. We provide a set of secure APIs to replace native DOM APIs that are prone to XSS vulnerabilities. Through a combination of type contracts and appropriate validation and escaping, the secure APIs ensure that applications based thereon are free of XSS vulnerabilities. We deploy a simple yet capable compile-time checker to guarantee that developers exclusively use our hardened APIs to interact with the DOM. We make various of efforts to scale this approach to tens of thousands of engineers without significant productivity impact. By offering rigorous tooling and consultant support, we help developers adopt the secure coding practices as seamlessly as possible. We present empirical results showing how API hardening has helped reduce the occurrences of XSS vulnerabilities in Google's enormous code base over the course of two-year deployment.
2022-03-14
Tempel, Sören, Herdt, Vladimir, Drechsler, Rolf.  2021.  Towards Reliable Spatial Memory Safety for Embedded Software by Combining Checked C with Concolic Testing. 2021 58th ACM/IEEE Design Automation Conference (DAC). :667—672.
In this paper we propose to combine the safe C dialect Checked C with concolic testing to obtain an effective methodology for attaining safer C code. Checked C is a modern and backward compatible extension to the C programming language which provides facilities for writing memory-safe C code. We utilize incremental conversions of unsafe C software to Checked C. After each increment, we leverage concolic testing, an effective test generation technique, to support the conversion process by searching for newly introduced and existing bugs.Our RISC-V experiments using the RIOT Operating System (OS) demonstrate the effectiveness of our approach. We uncovered 4 previously unknown bugs and 3 bugs accidentally introduced through our conversion process.
2022-02-24
Zhou, Andy, Sultana, Kazi Zakia, Samanthula, Bharath K..  2021.  Investigating the Changes in Software Metrics after Vulnerability Is Fixed. 2021 IEEE International Conference on Big Data (Big Data). :5658–5663.
Preventing software vulnerabilities while writing code is one of the most effective ways for avoiding cyber attacks on any developed system. Although developers follow some standard guiding principles for ensuring secure code, the code can still have security bottlenecks and be compromised by an attacker. Therefore, assessing software security while developing code can help developers in writing vulnerability free code. Researchers have already focused on metrics-based and text mining based software vulnerability prediction models. The metrics based models showed higher precision in predicting vulnerabilities although the recall rate is low. In addition, current research did not investigate the impact of individual software metric on the occurrences of vulnerabilities. The main objective of this paper is to track the changes in every software metric after the developer fixes a particular vulnerability. The results of our research will potentially motivate further research on building more accurate vulnerability prediction models based on the appropriate software metrics. In particular, we have compared a total of 250 files from Apache Tomcat and Apache CXF. These files were extracted from the Apache database and were chosen because Apache released these files as vulnerable in their publicly available security advisories. Using a static analysis tool, metrics of the targeted vulnerable files and relevant fixed files (files where vulnerable code is removed by the developers) were extracted and compared. We show that eight of the 40 metrics have an average increase of 2% from vulnerable to fixed files. These metrics include CountDeclClass, CountDeclClassMethod, CountDeclClassVariable, CountDeclInstanceVariable, CountDeclMethodDefault, CountLineCode, MaxCyclomaticStrict, MaxNesting. This study will help developers to assess software security through utilizing software metrics in secure coding practices.
2022-02-04
Xie, Xin, Liu, Xiulong, Guo, Song, Qi, Heng, Li, Keqiu.  2021.  A Lightweight Integrity Authentication Approach for RFID-enabled Supply Chains. IEEE INFOCOM 2021 - IEEE Conference on Computer Communications. :1—10.
Major manufacturers and retailers are increasingly using RFID systems in supply-chain scenarios, where theft of goods during transport typically causes significant economic losses for the consumer. Recent sample-based authentication methods attempt to use a small set of random sample tags to authenticate the integrity of the entire tag population, which significantly reduces the authentication time at the expense of slightly reduced reliability. The problem is that it still incurs extensive initialization overhead when writing the authentication information to all of the tags. This paper presents KTAuth, a lightweight integrity authentication approach to efficiently and reliably detect missing tags and counterfeit tags caused by stolen attacks. The competitive advantage of KTAuth is that it only requires writing the authentication information to a small set of deterministic key tags, offering a significant reduction in initialization costs. In addition, KTAuth strictly follows the C1G2 specifications and thus can be deployed on Commercial-Off-The-Shelf RFID systems. Furthermore, KTAuth proposes a novel authentication chain mechanism to verify the integrity of tags exclusively based on data stored on them. To evaluate the feasibility and deployability of KTAuth, we implemented a small-scale prototype system using mainstream RFID devices. Using the parameters achieved from the real experiments, we also conducted extensive simulations to evaluate the performance of KTAuth in large-scale RFID systems.
2022-02-03
Mafioletti, Diego Rossi, de Mello, Ricardo Carminati, Ruffini, Marco, Frascolla, Valerio, Martinello, Magnos, Ribeiro, Moises R. N..  2021.  Programmable Data Planes as the Next Frontier for Networked Robotics Security: A ROS Use Case. 2021 17th International Conference on Network and Service Management (CNSM). :160—165.
In-Network Computing is a promising field that can be explored to leverage programmable network devices to offload computing towards the edge of the network. This has created great interest in supporting a wide range of network functionality in the data plane. Considering a networked robotics domain, this brings new opportunities to tackle the communication latency challenges. However, this approach opens a room for hardware-level exploits, with the possibility to add a malicious code to the network device in a hidden fashion, compromising the entire communication in the robotic facilities. In this work, we expose vulnerabilities that are exploitable in the most widely used flexible framework for writing robot software, Robot Operating System (ROS). We focus on ROS protocol crossing a programmable SmartNIC as a use case for In-Network Hijacking and In-Network Replay attacks, that can be easily implemented using the P4 language, exposing security vulnerabilities for hackers to take control of the robots or simply breaking the entire system.