
2016 | Book | 1st edition

Engineering Secure Software and Systems

8th International Symposium, ESSoS 2016, London, UK, April 6–8, 2016. Proceedings

Edited by: Juan Caballero, Eric Bodden, Elias Athanasopoulos

Publisher: Springer International Publishing

Book series: Lecture Notes in Computer Science


About this book

This book constitutes the refereed proceedings of the 8th International Symposium on Engineering Secure Software and Systems, ESSoS 2016, held in London, UK, in April 2016. The 13 full papers presented together with 3 short papers and 1 invited talk were carefully reviewed and selected from 50 submissions.
The goal of this symposium is to bring together researchers and practitioners to advance the state of the art and practice in secure software engineering. The presentations and associated publications at ESSoS 2016 contribute to this goal in several directions: first, by improving methodologies for secure software engineering (such as flow analysis and policy compliance); second, with results for the detection and analysis of software vulnerabilities and the attacks they enable; and finally, by securing software for specific application domains (such as mobile devices and access control).

Table of contents

Frontmatter
Security Testing Beyond Functional Tests
Abstract
We present a theory of security testing based on the basic distinction between system specifications and security requirements. Specifications describe a system’s desired behavior over its interface. Security requirements, in contrast, specify desired properties of the world the system lives in. We propose the notion of a security rationale, which supports reductive security arguments for deriving a system specification and assumptions on the system’s environment sufficient for fulfilling stated security requirements. These reductions give rise to two types of tests: those that test the system with respect to its specification and those that test the validity of the assumptions about the adversarial environment. It is the second type of tests that distinguishes security testing from functional testing and defies systematization and automation.
Mohammad Torabi Dashti, David Basin
Progress-Sensitive Security for SPARK
Abstract
SPARK 2014 is a safety critical language subset of Ada developed by Altran and used for developing safe and secure software by major industrial players in the aviation, commercial, medical, space, and military domains. This paper puts a spotlight on the SPARK flow analysis. Articulating the boundaries of what is achievable by the analysis, we spell out attacks to exploit termination, progress, resource exhaustion, and timing channels. We harden the analysis to achieve security against stronger attackers, with the focus on progress-sensitive security as our baseline. Instead of redesigning and reimplementing the enforcement, we leverage known flow analyses for weaker attackers by a transform on program dependence graphs. We establish the soundness of this approach for a core language and demonstrate that it can be applied as a source-to-source transform of SPARK code when modifying the compiler is undesirable. A case study, derived from publicly available code for a control unit of a missile, indicates the usefulness of the approach.
Willard Rafnsson, Deepak Garg, Andrei Sabelfeld
Sound and Precise Cross-Layer Data Flow Tracking
Abstract
We connect runtime monitors for data flow tracking at different abstraction layers (a browser, a mail client, an operating system) and prove the soundness of this generic model w.r.t. a formal notion of explicit information flow. This allows us to (1) increase the precision of the analysis by exploiting the high-level semantics of events at higher levels of abstraction and (2) provide system-wide guarantees at the same time. For instance, using our model, we can soundly reason about the flow of a picture from the network through a browser into a cache file or a window on the screen by combining analyses at multiple layers.
Enrico Lovat, Martín Ochoa, Alexander Pretschner
Automatically Extracting Threats from Extended Data Flow Diagrams
Abstract
Architectural risk analysis is an important aspect of developing software that is free of security flaws. Knowledge on architectural flaws, however, is sparse, in particular in small or medium-sized enterprises. In this paper, we propose a practical approach to architectural risk analysis that leverages Microsoft’s threat modeling. Our technique decouples the creation of a system’s architecture from the process of detecting and collecting architectural flaws. This way, our approach allows a software architect to automatically detect vulnerabilities in software architectures by using a security knowledge base. We evaluated our approach with real-world case studies, focusing on logistics applications. The evaluation uncovered several flaws with a major impact on the security of the software.
Bernhard J. Berger, Karsten Sohr, Rainer Koschke
On the Static Analysis of Hybrid Mobile Apps
A Report on the State of Apache Cordova Nation
Abstract
Developing mobile applications is a challenging business: developers need to support multiple platforms and, at the same time, need to cope with limited resources, as the revenue generated by an average app is rather small. This results in an increasing use of cross-platform development frameworks that allow developing an app once and offering it on multiple mobile platforms such as Android, iOS, or Windows.
Apache Cordova is a popular framework for developing multi-platform apps. Cordova combines HTML5 and JavaScript with native application code. Combining web and native technologies creates new security challenges as, e. g., an XSS attacker becomes more powerful.
In this paper, we present a novel approach for statically analysing the foreign language calls. We evaluate our approach by analysing the top Cordova apps from Google Play. Moreover, we report on the current state of the overall quality and security of Cordova apps.
Achim D. Brucker, Michael Herzberg
Semantics-Based Repackaging Detection for Mobile Apps
Abstract
While Android app stores keep growing in size and in number, app repackaging has become a major threat to the health of the mobile ecosystem. Different from many syntax-based repackaging detection techniques, in this work we propose a semantic-based approach, RepDetector, which is more robust against code obfuscation attacks. To capture an app’s semantics, our approach extracts input-output states of core functions in the app and then compares function and app similarity. We implement a prototype of RepDetector, and evaluate it against various obfuscation technologies. The results show that our approach can detect repackaged apps effectively. It is also at least a hundred times faster than Androguard.
Quanlong Guan, Heqing Huang, Weiqi Luo, Sencun Zhu
Accelerometer-Based Device Fingerprinting for Multi-factor Mobile Authentication
Abstract
Due to the numerous data breaches, often resulting in the disclosure of a substantial amount of user passwords, the classic authentication scheme where just a password is required to log in, has become inadequate. As a result, many popular web services now employ risk-based authentication systems where various bits of information are requested in order to determine the authenticity of the authentication request. In this risk assessment process, values consisting of geo-location, IP address and browser-fingerprint information, are typically used to detect anomalies in comparison with the user’s regular behavior.
In this paper, we focus on risk-based authentication mechanisms in the setting of mobile devices, which are known to fall short of providing reliable device-related information that can be used in the risk analysis process. More specifically, we present a web-based and low-effort system that leverages accelerometer data generated by a mobile device for the purpose of device re-identification. Furthermore, we evaluate the performance of these techniques and assess the viability of embedding such a system as part of existing risk-based authentication processes.
Tom Van Goethem, Wout Scheepers, Davy Preuveneers, Wouter Joosen
POODLEs, More POODLEs, FREAK Attacks Too: How Server Administrators Responded to Three Serious Web Vulnerabilities
Abstract
We present an empirical study on the patching characteristics of the top 100,000 web sites in response to three recent vulnerabilities: the POODLE vulnerability, the POODLE TLS vulnerability, and the FREAK vulnerability. The goal was to identify how the web responds to newly discovered vulnerabilities and the remotely observable characteristics of websites that contribute to the response pattern over time. Using open source tools, we found that there is a slow patch adoption rate in general; for example, about one in four servers hosting Alexa top 100,000 sites we sampled remained vulnerable to the POODLE attack even after five months. It was assuring that servers handling sensitive data were more aggressive in patching the vulnerabilities. However, servers that had more open ports were more likely to be vulnerable. The results are valuable for practitioners to understand the state of security engineering practices and what can be done to improve.
Benjamin Fogel, Shane Farmer, Hamza Alkofahi, Anthony Skjellum, Munawar Hafiz
HexPADS: A Platform to Detect “Stealth” Attacks
Abstract
Current systems are under constant attack from many different sources. Both local and remote attackers try to escalate their privileges to exfiltrate data or to gain arbitrary code execution. While inline defense mechanisms like DEP, ASLR, or stack canaries are important, they have a local, program centric view and miss some attacks. Intrusion Detection Systems (IDS) use runtime monitors to measure current state and behavior of the system to detect an attack orthogonal to active defenses.
Attacks change the execution behavior of a system. Our attack detection system HexPADS detects attacks through divergences from normal behavior using attack signatures. HexPADS collects information from the operating system on runtime performance metrics with measurements from hardware performance counters for individual processes. Cache behavior is a strong indicator of ongoing attacks like rowhammer, side channels, covert channels, or CAIN attacks. Collecting performance metrics across all running processes allows the correlation and detection of these attacks. In addition, HexPADS can mitigate the attacks or significantly reduce their effectiveness with negligible overhead to benign processes.
Mathias Payer
Analyzing the Gadgets
Towards a Metric to Measure Gadget Quality
Abstract
Current low-level exploits often rely on code-reuse, whereby short sections of code (gadgets) are chained together into a coherent exploit that can be executed without the need to inject any code. Several protection mechanisms attempt to eliminate this attack vector by applying code transformations to reduce the number of available gadgets. Nevertheless, it has emerged that the residual gadgets can still be sufficient to conduct a successful attack. Crucially, the lack of a common metric for “gadget quality” hinders the effective comparison of current mitigations.
This work proposes four metrics that assign scores to a set of gadgets, measuring quality, usefulness, and practicality. We apply these metrics to binaries produced when compiling programs for architectures implementing Intel’s recent MPX CPU extensions. Our results demonstrate a 17 % increase in useful gadgets in MPX binaries, and a decrease in side-effects and preconditions, making them better suited for ROP attacks.
Andreas Follner, Alexandre Bartel, Eric Bodden
Empirical Analysis and Modeling of Black-Box Mutational Fuzzing
Abstract
Black-box mutational fuzzing is a simple yet effective method for finding software vulnerabilities. In this work, we collect and analyze fuzzing campaign data of 60,000 fuzzing runs, 4,000 crashes and 363 unique bugs, from multiple Linux programs using CERT Basic Fuzzing Framework. Motivated by the results of empirical analysis, we propose a stochastic model that captures the long-tail distribution of bug discovery probability and exploitability. This model sheds light on practical questions such as what is the expected number of bugs discovered in a fuzzing campaign within a given time, why improving software security is hard, and why different parties (e.g., software vendors, white hats, and black hats) are likely to find different vulnerabilities. We also discuss potential generalization of this model to other vulnerability discovery approaches, such as recently emerged bug bounty programs.
Mingyi Zhao, Peng Liu
On the Security Cost of Using a Free and Open Source Component in a Proprietary Product
Abstract
The work presented in this paper is motivated by the need to estimate the security effort of consuming Free and Open Source Software (FOSS) components within a proprietary software supply chain of a large European software vendor. To this extent we have identified three different cost models: centralized (the company checks each component and propagates changes to the different product groups), distributed (each product group is in charge of evaluating and fixing its consumed FOSS components), and hybrid (only the least used components are checked individually by each development team). We investigated publicly available factors (e. g., development activity such as commits, code size, or fraction of code size in different programming languages) to identify which one has the major impact on the security effort of using a FOSS component in a larger software product.
Stanislav Dashevskyi, Achim D. Brucker, Fabio Massacci
Idea: Usable Platforms for Secure Programming – Mining Unix for Insight and Guidelines
Abstract
Just as security mechanisms for end users need to be usable, programming platforms and APIs need to be usable for programmers. To date the security community has assembled large catalogs of dos and don’ts for programmers, but rather little guidance for the design of APIs that make secure programming easy and natural. Unix with its setuid mechanism lets us study usable security issues of programming platforms. Setuid allows certain programs to run with higher privileges than the user or process controlling them. Operating across a privilege boundary entails security obligations for the program. Obligations are known and documented, yet developers often fail to fulfill them. Using concepts and vocabulary from usable security and usability of notations theory, we can explain how the Unix platform provokes vulnerabilities in such programs. This analysis is a first step towards developing platform design guidelines to address human factors issues in secure programming.
Sven Türpe
AppPAL for Android
Capturing and Checking Mobile App Policies
Abstract
It can be difficult to find mobile apps that respect one’s security and privacy. Businesses rely on employees enforcing company mobile device policies correctly. Users must judge apps by the information shown to them by the store. Studies have found that most users do not pay attention to an app’s permissions during installation [19] and most users do not understand how permissions relate to the capabilities of an app [30]. To address these problems and more, we present AppPAL: a machine-readable policy language for Android that describes precisely when apps are acceptable. AppPAL goes beyond existing policy enforcement tools, like Kirin [16], adding delegation relationships to allow a variety of authorities to contribute to a decision. AppPAL also acts as a “glue”, allowing connection to a variety of local constraint checkers (e.g., static analysis tools, package manager checks) to combine their results. As well as introducing AppPAL and some examples, we apply it to explore whether users follow certain intended policies in practice, finding privacy preferences and actual behaviour are not always aligned in the absence of a rigorous enforcement mechanism.
Joseph Hallett, David Aspinall
Inferring Semantic Mapping Between Policies and Code: The Clue is in the Language
Abstract
A common misstep in the development of security and privacy solutions is the failure to keep the demands resulting from high-level policies in line with the actual implementation that is supposed to operationalize those policies. This is especially problematic in the domain of social networks, where software typically predates policies and then evolves alongside its user base and any changes in policies that arise from their interactions with (and the demands that they place on) the system. Our contribution targets this specific problem, drawing together the assurances actually presented to users in the form of policies and the large codebases with which developers work. We demonstrate that a mapping between policies and code can be inferred from the semantics of the natural language. These semantics manifest not only in the policy statements but also coding conventions. Our technique, implemented in a tool (CASTOR), can infer semantic mappings with F1 accuracy of 70 % and 78 % for two social networks, Diaspora and Friendica respectively – as compared with a ground truth mapping established through manual examination of the policies and code.
Pauline Anthonysamy, Matthew Edwards, Chris Weichel, Awais Rashid
Idea: Supporting Policy-Based Access Control on Database Systems
Abstract
Applications are increasingly operating on large data sets. This trend creates problems for access control, which in principle restricts the actions that subjects can perform on any item in that data set. Performance issues therefore emerge, typically for operations on entire data sets. Emerging access control models such as attribute-based access control do meet their limitations in this context. Worse, few solutions exist that address performance problems while supporting separation of concerns. In this paper, we present a first approach towards addressing this challenge. We propose a middleware architecture that performs policy transformations and query rewriting for externalized policies to optimize the access control process on the data set. We argue that this offers a promising approach for reducing the policy evaluation overhead for access control on large data sets.
Jasper Bogaerts, Bert Lagaisse, Wouter Joosen
Idea: Enforcing Security Properties by Solving Behavioural Equations
Abstract
We present a novel theory of security property enforcement based on universal coalgebra and coinductive calculus. As an example, we show that it is possible to define sound and transparent runtime enforcers for noninterference using behavioural equations, and we preliminarily validate our approach by means of a Haskell implementation.
Eric Rothstein Morris, Joachim Posegga
Backmatter
Metadata
Title
Engineering Secure Software and Systems
Edited by
Juan Caballero
Eric Bodden
Elias Athanasopoulos
Copyright year
2016
Publisher
Springer International Publishing
Electronic ISBN
978-3-319-30806-7
Print ISBN
978-3-319-30805-0
DOI
https://doi.org/10.1007/978-3-319-30806-7