Matching Items (27)
Description
Web applications are ubiquitous. Accessible from almost anywhere, web applications support multiple platforms and can be easily customized. Most people interact with web applications daily for social media, communication, research, purchases, etc. Node.js has gained popularity as a programming language for web applications. A server-side JavaScript implementation, Node.js, allows both the front-end and back-end to be coded in JavaScript. Node.js contains many features such as dynamic inclusion of other modules using a built-in function named require which dynamically locates and loads code.
To be effective, web applications must perform actions quickly while avoiding unexpected interruptions. However, dynamically linked libraries can cause delays and thus downtime, because dynamically linked code must load multiple files, often from disk. As loading is one of the slowest operations a computer performs, seeking from disk can have a negative impact on performance which causes the server to feel less responsive for users. Dynamically linked code can also break when the underlying library is updated. Normally, when trying to update a server, developers will use test servers. However, if the developer accidentally updates a library in a dynamically linked system, it may be incompatible with another portion of the program.
Statically linking code makes it more reliable and faster (to load) than dynamically linking code. The static linking process varies by programming language. Therefore, different static linkers need to be developed for different languages. This thesis describes the creation of a static linker, called FrozenNode, for the popular back-end web application language, Node.js. FrozenNode resolves Node.js applications into a single file that does not rely on dynamic libraries. FrozenNode was built on top of Closure Compiler to accurately process JavaScript. We found that the resolved application was faster and self-contained yielding significant advantages over the dynamically loaded application. Furthermore, both had the same output.
Vulnerabilities in web applications can be found using static analysis tools, however static analysis tools must reason about dynamically linked application. FrozenNode can be used to statically link a Node.js application before being used by a JavaScript static analysis tool.
To be effective, web applications must perform actions quickly while avoiding unexpected interruptions. However, dynamically linked libraries can cause delays and thus downtime, because dynamically linked code must load multiple files, often from disk. As loading is one of the slowest operations a computer performs, seeking from disk can have a negative impact on performance which causes the server to feel less responsive for users. Dynamically linked code can also break when the underlying library is updated. Normally, when trying to update a server, developers will use test servers. However, if the developer accidentally updates a library in a dynamically linked system, it may be incompatible with another portion of the program.
Statically linking code makes it more reliable and faster (to load) than dynamically linking code. The static linking process varies by programming language. Therefore, different static linkers need to be developed for different languages. This thesis describes the creation of a static linker, called FrozenNode, for the popular back-end web application language, Node.js. FrozenNode resolves Node.js applications into a single file that does not rely on dynamic libraries. FrozenNode was built on top of Closure Compiler to accurately process JavaScript. We found that the resolved application was faster and self-contained yielding significant advantages over the dynamically loaded application. Furthermore, both had the same output.
Vulnerabilities in web applications can be found using static analysis tools, however static analysis tools must reason about dynamically linked application. FrozenNode can be used to statically link a Node.js application before being used by a JavaScript static analysis tool.
ContributorsHutchins, James (Author) / Doupe, Adam (Thesis advisor) / Shoshitaishvili, Yan (Committee member) / Zhao, Ziming (Committee member) / Arizona State University (Publisher)
Created2018
Description
Data breaches have been on a rise and financial sector is among the top targeted. It can take a few months and upto a few years to identify the occurrence of a data breach. A major motivation behind data breaches is financial gain, hence most of the data ends up being on sale on the darkweb websites. It is important to identify sale of such stolen information on a timely and relevant manner. In this research, we present a system for timely identification of sale of stolen data on darkweb websites. We frame identifying sale of stolen data as a multi-label classification problem and leverage several machine learning approaches based on the thread content (textual) and social network analysis of the user communication seen on darkweb websites. The system generates alerts about trends based on popularity amongst the users of such websites. We evaluate our system using the K-fold cross validation as well as manual evaluation of blind (unseen) data. The method of combining social network and textual features outperforms baseline method i.e only using textual features, by 15 to 20 % improved precision. The alerts provide a good insight and we illustrate our findings by cases studies of the results.
ContributorsDharaiya, Krishna Tushar (Author) / Shakarian, Paulo (Thesis advisor) / Doupe, Adam (Committee member) / Shoshitaishvili, Yan (Committee member) / Arizona State University (Publisher)
Created2018
Description
With the rise of the Internet of Things, embedded systems have become an integral part of life and can be found almost anywhere. Their prevalence and increased interconnectivity has made them a prime target for malicious attacks. Today, the vast majority of embedded devices are powered by ARM processors. To protect their processors from attacks, ARM introduced a hardware security extension known as TrustZone. It provides an isolated execution environment within the embedded device in which to deploy various memory integrity and malware detection tools.
Even though Secure World can monitor the Normal World, attackers can attempt to bypass the security measures to retain control of a compromised system. CacheKit is a new type of rootkit that exploits such a vulnerability in the ARM architecture to hide in Normal World cache from memory introspection tools running in Secure World by exploiting cache locking mechanisms. If left unchecked, ARM processors that provide hardware assisted cache locking for performance and time-critical applications in real-time and embedded systems would be completely vulnerable to this undetectable and untraceable attack. Therefore, a new approach is needed to ensure the correct use of such mechanisms and prevent malicious code from being hidden in the cache.
CacheLight is a lightweight approach that leverages the TrustZone and Virtualization extensions of the ARM architecture to allow the system to continue to securely provide these hardware facilities to users while preventing attackers from exploiting them. CacheLight restricts the ability to lock the cache to the Secure World of the processor such that the Normal World can still request certain memory to be locked into the cache by the secure operating system (OS) through a Secure Monitor Call (SMC). This grants the secure OS the power to verify and validate the information that will be locked in the requested cache way thereby ensuring that any data that remains in the cache will not be inconsistent with what exists in main memory for inspection. Malicious attempts to hide data can be prevented and recovered for analysis while legitimate requests can still generate valid entries in the cache.
Even though Secure World can monitor the Normal World, attackers can attempt to bypass the security measures to retain control of a compromised system. CacheKit is a new type of rootkit that exploits such a vulnerability in the ARM architecture to hide in Normal World cache from memory introspection tools running in Secure World by exploiting cache locking mechanisms. If left unchecked, ARM processors that provide hardware assisted cache locking for performance and time-critical applications in real-time and embedded systems would be completely vulnerable to this undetectable and untraceable attack. Therefore, a new approach is needed to ensure the correct use of such mechanisms and prevent malicious code from being hidden in the cache.
CacheLight is a lightweight approach that leverages the TrustZone and Virtualization extensions of the ARM architecture to allow the system to continue to securely provide these hardware facilities to users while preventing attackers from exploiting them. CacheLight restricts the ability to lock the cache to the Secure World of the processor such that the Normal World can still request certain memory to be locked into the cache by the secure operating system (OS) through a Secure Monitor Call (SMC). This grants the secure OS the power to verify and validate the information that will be locked in the requested cache way thereby ensuring that any data that remains in the cache will not be inconsistent with what exists in main memory for inspection. Malicious attempts to hide data can be prevented and recovered for analysis while legitimate requests can still generate valid entries in the cache.
ContributorsGutierrez, Mauricio (Author) / Zhao, Ziming (Thesis advisor) / Doupe, Adam (Committee member) / Shoshitaishvili, Yan (Committee member) / Arizona State University (Publisher)
Created2018
Description
Network Management is a critical process for an enterprise to configure and monitor the network devices using cost effective methods. It is imperative for it to be robust and free from adversarial or accidental security flaws. With the advent of cloud computing and increasing demands for centralized network control, conventional management protocols like Simple Network Management Protocol (SNMP) appear inadequate and newer techniques like Network Management Datastore Architecture (NMDA) design and Network Configuration (NETCONF) have been invented. However, unlike SNMP which underwent improvements concentrating on security, the new data management and storage techniques have not been scrutinized for the inherent security flaws.
In this thesis, I identify several vulnerabilities in the widely used critical infrastructures which leverage the NMDA design. Software Defined Networking (SDN), a proponent of NMDA, heavily relies on its datastores to program and manage the network. I base my research on the security challenges put forth by the existing datastore’s design as implemented by the SDN controllers. The vulnerabilities identified in this work have a direct impact on the controllers like OpenDayLight, Open Network Operating System and their proprietary implementations (by CISCO, Ericsson, RedHat, Brocade, Juniper, etc). Using the threat detection methodology, I demonstrate how the NMDA-based implementations are vulnerable to attacks which compromise availability, integrity, and confidentiality of the network. I finally propose defense measures to address the security threats in the existing design and discuss the challenges faced while employing these countermeasures.
In this thesis, I identify several vulnerabilities in the widely used critical infrastructures which leverage the NMDA design. Software Defined Networking (SDN), a proponent of NMDA, heavily relies on its datastores to program and manage the network. I base my research on the security challenges put forth by the existing datastore’s design as implemented by the SDN controllers. The vulnerabilities identified in this work have a direct impact on the controllers like OpenDayLight, Open Network Operating System and their proprietary implementations (by CISCO, Ericsson, RedHat, Brocade, Juniper, etc). Using the threat detection methodology, I demonstrate how the NMDA-based implementations are vulnerable to attacks which compromise availability, integrity, and confidentiality of the network. I finally propose defense measures to address the security threats in the existing design and discuss the challenges faced while employing these countermeasures.
ContributorsDixit, Vaibhav Hemant (Author) / Ahn, Gail-Joon (Thesis advisor) / Doupe, Adam (Thesis advisor) / Shoshitaishvili, Yan (Committee member) / Zhao, Ziming (Committee member) / Arizona State University (Publisher)
Created2018
Description
Third-party mixers are used to heighten the anonymity of Bitcoin users. The mixing techniques implemented by these tools are often untraceable on the blockchain, making them appealing to money launderers. This research aims to analyze mixers currently available on the deep web. In addition, an in-depth case study is done on an open-source bitcoin mixer known as Penguin Mixer. A local version of Penguin Mixer was used to visualize mixer behavior under specific scenarios. This study could lead to the identification of vulnerabilities in mixing tools and detection of these tools on the blockchain.
ContributorsPakki, Jaswant (Author) / Doupe, Adam (Thesis director) / Shoshitaishvili, Yan (Committee member) / Computer Science and Engineering Program (Contributor, Contributor) / Barrett, The Honors College (Contributor)
Created2018-12
Description
Despite the more tightly controlled permissions and Java framework used by most programs in the Android operating system, an attacker can use the same classic vulnerabilities that exist for traditional Linux binaries on the programs in the Android operating system. Some classic vulnerabilities include stack overows, string formats, and heap meta-information corruption. Through the exploitation of these vulnerabilities an attacker can hijack the execution ow of an application. After hijacking the execution ow, an attacker can then violate the con_dentiality, integrity, or availability of the operating system. Over the years, the operating systems and compliers have implemented a number of protections to prevent the exploitation of vulnerable programs. The most widely implemented protections include Non-eXecutable stack (NX Stack), Address Space Layout Randomization (ASLR), and Stack Canaries (Canaries). NX Stack protections prevent the injection and execution of arbitrary code through the use of a permissions framework within a program. Whereas, ASLR and Canaries rely on obfuscation techniques to protect control ow, which requires su_cient entropy between each execution. Early in the implementation of these protections in Linux, researchers discovered that without su_cient entropy between executions, ASLR and Canaries were easily bypassed. For example, the obfuscation techniques were useless in programs that ran continuously because the programs did not change the canaries or re-randomize the address space. Similarly, aws in the implementation of ASLR and Canaries in Android only re-randomizes the values after rebooting, which means the address space locations and canary values remain constant across the executions of an Android program. As a result, an attacker can hijack the control ow Android binaries that contain control ow vulnerabilities. The purpose of this paper is to expose these aws and the methodology used to verify their existence in Android versions 4.1 (Jelly Bean) through 8.0 (Oreo).
ContributorsGibbs, Wil (Author) / Doupe, Adam (Thesis director) / Shoshitaishvili, Yan (Committee member) / Barrett, The Honors College (Contributor) / Computer Science and Engineering Program (Contributor)
Created2018-12
Description
Smart cars are defined by the European Union Agency for Network and Information Security (ENISA) as systems providing connected, added-value features in order to enhance car users' experience or improve car safety. Because of their extra features, smart cars utilize sophisticated computer systems. These systems, particularly the Controller Area Network (CAN) bus and protocol, have been shown to provide information that can be used to accurately identify individual Electronic Control Units (ECUs) within a car and the driver that is operating a car. I expand upon this work to consider how information from in-vehicle computer systems can be used to identify individual vehicles. I consider fingerprinting vehicles as a means of aiding in stolen car recovery, thwarting VIN forgery, and supporting an intrusion detection system for networks of smart and autonomous vehicles in the near future. I provide an overview of in-vehicle computer systems and detail my work toward building an ECU testbed and fingerprinting vehicles.
ContributorsDavison, Paulina (Author) / Zhao, Ziming (Thesis director) / Ahn, Gail-Joon (Committee member) / Shoshitaishvili, Yan (Committee member) / Doupe, Adam (Committee member) / Computer Science and Engineering Program (Contributor) / Barrett, The Honors College (Contributor)
Created2018-05
Description
Cryptojacking is a process in which a program utilizes a user’s CPU to mine cryptocurrencies unknown to the user. Since cryptojacking is a relatively new problem and its impact is still limited, very little has been done to combat it. Multiple studies have been conducted where a cryptojacking detection system is implemented, but none of these systems have truly solved the problem. This thesis surveys existing studies and provides a classification and evaluation of each detection system with the aim of determining their pros and cons. The result of the evaluation indicates that it might be possible to bypass detection of existing systems by modifying the cryptojacking code. In addition to this classification, I developed an automatic code instrumentation program that replaces specific instructions with functionally similar sequences as a way to show how easy it is to implement simple obfuscation to bypass detection by existing systems.
ContributorsLarson, Kent Merle (Author) / Bazzi, Rida (Thesis director) / Shoshitaishvili, Yan (Committee member) / Computer Science and Engineering Program (Contributor) / Barrett, The Honors College (Contributor)
Created2021-05
Description
Fuzzing is currently a thriving research area in the cybersecurity field. This work begins by introducing code that brings partial replayability capabilities to AFL++ in an attempt to solve the challenge of the highly random nature of fuzzing that comes from the large amount of random mutations on input seeds. The code addresses two of the three sources of nondeterminism described in this work. Furthermore, this work introduces Fuzzing Debugger (FDB), a highly configurable framework to facilitate the debugging of fuzzing by interfacing with GDB. Three debugging modes are described which attempt to tackle two use cases of FDB: (1) pinpointing nondeterminism in fuzz runs, therefore paving the way for replayable fuzz runs and (2) systematically finding preferable stopping points seed analysis.
ContributorsLiu, Denis (Author) / Bao, Tiffany (Thesis director) / Shoshitaishvili, Yan (Committee member) / Barrett, The Honors College (Contributor) / School of Mathematical and Statistical Sciences (Contributor) / Computer Science and Engineering Program (Contributor)
Created2023-05
Description
This thesis presents a study on the fuzzing of Linux binaries to find occluded bugs. Fuzzing is a widely-used technique for identifying software bugs. Despite their effectiveness, state-of-the-art fuzzers suffer from limitations in efficiency and effectiveness. Fuzzers based on random mutations are fast but struggle to generate high-quality inputs. In contrast, fuzzers based on symbolic execution produce quality inputs but lack execution speed. This paper proposes FlakJack, a novel hybrid fuzzer that patches the binary on the go to detect occluded bugs guarded by surface bugs. To dynamically overcome the challenge of patching binaries, the paper introduces multiple patching strategies based on the type of bug detected. The performance of FlakJack was evaluated on ten widely-used real-world binaries and one chaff dataset binary. The results indicate that many bugs found recently were already present in previous versions but were occluded by surface bugs. FlakJack’s approach improved the bug-finding ability by patching surface bugs that usually guard occluded bugs, significantly reducing patching cycles. Despite its unbalanced approach compared to other coverage-guided fuzzers, FlakJack is fast, lightweight, and robust. False- Positives can be filtered out quickly, and the approach is practical in other parts of the target. The paper shows that the FlakJack approach can significantly improve fuzzing performance without relying on complex strategies.
ContributorsPraveen Menon, Gokulkrishna (Author) / Bao, Tiffany (Thesis advisor) / Shoshitaishvili, Yan (Thesis advisor) / Doupe, Adam (Committee member) / Arizona State University (Publisher)
Created2023