Matching Items (26)
Description
In the area of hardware, reverse engineering was traditionally focused on developing clones—duplicated components that performed the same functionality of the original component. While reverse engineering techniques have been applied to software, these techniques have instead focused on understanding high-level software designs to ease the software maintenance burden. This approach works well for traditional applications that contain source code, however, there are circumstances, particularly regarding web applications, where it would be very beneficial to clone a web application and no source code is present, e.g., for security testing of the application or for offline mock testing of a third-party web service. We call this the web application cloning problem.
This thesis presents a possible solution to the problem of web application cloning. Our approach is a novel application of inductive programming, which we call inductive reverse engineering. The goal of inductive reverse engineering is to automatically reverse engineer an abstraction of the web application’s code in a completely black-box manner. We build this approach using recent advances in inductive programming, and we solve several technical challenges to scale the inductive programming techniques to realistic-sized web applications. We target the initial version of our inductive reverse engineering tool to a subset of web applications, i.e., those that do not store state and those that do not have loops. We introduce an evaluation methodology for web application cloning techniques and evaluate our approach on several real-world web applications. The results indicate that inductive reverse engineering can effectively reverse engineer specific types of web applications. In the future, we hope to extend the power of inductive reverse engineering to web applications with state and to learn loops, while still maintaining tractability.
This thesis presents a possible solution to the problem of web application cloning. Our approach is a novel application of inductive programming, which we call inductive reverse engineering. The goal of inductive reverse engineering is to automatically reverse engineer an abstraction of the web application’s code in a completely black-box manner. We build this approach using recent advances in inductive programming, and we solve several technical challenges to scale the inductive programming techniques to realistic-sized web applications. We target the initial version of our inductive reverse engineering tool to a subset of web applications, i.e., those that do not store state and those that do not have loops. We introduce an evaluation methodology for web application cloning techniques and evaluate our approach on several real-world web applications. The results indicate that inductive reverse engineering can effectively reverse engineer specific types of web applications. In the future, we hope to extend the power of inductive reverse engineering to web applications with state and to learn loops, while still maintaining tractability.
ContributorsLiao, Kevin (Author) / Doupe, Adam (Thesis director) / Ahn, Gail-Joon (Committee member) / Zhao, Ziming (Committee member) / Computer Science and Engineering Program (Contributor, Contributor) / W. P. Carey School of Business (Contributor) / Barrett, The Honors College (Contributor)
Created2017-05
Description
Smart cars are defined by the European Union Agency for Network and Information Security (ENISA) as systems providing connected, added-value features in order to enhance car users' experience or improve car safety. Because of their extra features, smart cars utilize sophisticated computer systems. These systems, particularly the Controller Area Network (CAN) bus and protocol, have been shown to provide information that can be used to accurately identify individual Electronic Control Units (ECUs) within a car and the driver that is operating a car. I expand upon this work to consider how information from in-vehicle computer systems can be used to identify individual vehicles. I consider fingerprinting vehicles as a means of aiding in stolen car recovery, thwarting VIN forgery, and supporting an intrusion detection system for networks of smart and autonomous vehicles in the near future. I provide an overview of in-vehicle computer systems and detail my work toward building an ECU testbed and fingerprinting vehicles.
ContributorsDavison, Paulina (Author) / Zhao, Ziming (Thesis director) / Ahn, Gail-Joon (Committee member) / Shoshitaishvili, Yan (Committee member) / Doupe, Adam (Committee member) / Computer Science and Engineering Program (Contributor) / Barrett, The Honors College (Contributor)
Created2018-05
Description
Malware forensics is a time-consuming process that involves a significant amount of data collection. To ease the load on security analysts, many attempts have been made to automate the intelligence gathering process and provide a centralized search interface. Certain of these solutions map existing relations between threats and can discover new intelligence by identifying correlations in the data. However, such systems generally treat each unique malware sample as its own distinct threat. This fails to model the real malware landscape, in which so many ``new" samples are actually variants of samples that have already been discovered. Were there some way to reliably determine whether two malware samples belong to the same family, intelligence for one sample could be applied to any sample in the family, greatly reducing the complexity of intelligence synthesis. Clustering is a common big data approach for grouping data samples which have common features, and has been applied in several recent papers for identifying related malware. It therefore has the potential to be used as described to simplify the intelligence synthesis process. However, existing threat intelligence systems do not use malware clustering. In this paper, we attempt to design a highly accurate malware clustering system, with the ultimate goal of integrating it into a threat intelligence platform. Toward this end, we explore the many considerations of designing such a system: how to extract features to compare malware, and how to use these features for accurate clustering. We then create an experimental clustering system, and evaluate its effectiveness using two different clustering algorithms.
ContributorsSmith, Joshua Michael (Author) / Ahn, Gail-Joon (Thesis director) / Zhao, Ziming (Committee member) / School of Mathematical and Statistical Sciences (Contributor) / Computer Science and Engineering Program (Contributor, Contributor) / Barrett, The Honors College (Contributor)
Created2017-05
Description
Node.js is an extremely popular development framework for web applications. The appeal of its event-driven, asynchronous flow and the convenience of JavaScript as its programming language have driven its rapid growth, and it is currently deployed by leading companies in retail, finance, and other important sectors. However, the tools currently available for Node.js developers to secure their applications against malicious attackers are notably scarce. While there has been a substantial amount of security tools created for web applications in many other languages such as PHP and Java, very little exists for Node.js applications. This could compromise private information belonging to companies such as PayPal and WalMart. We propose a tool to statically analyze Node.js web applications for five popular vulnerabilites: cross-site scripting, SQL injection, server-side request forgery, command injection, and code injection. We base our tool off of JSAI, a platform created to parse client-side JavaScript for security risks. JSAI is novel because of its configuration capabilities, which allow a user to choose between various analysis options at runtime in order to select the most thorough analysis with the least amount of processing time. We contribute to the development of our tool by rigorously analyzing and documenting vulnerable functions and objects in Node.js that are relevant to the vulnerabilities we have selected. We intend to use this documentation to build a robust Node.js static analysis tool and we hope that other developers will also incorporate this analysis into their Node.js security projects.
ContributorsWasserman, Jonathan Kanter (Author) / Doupe, Adam (Thesis director) / Ahn, Gail-Joon (Committee member) / Zhao, Ziming (Committee member) / School of Historical, Philosophical and Religious Studies (Contributor) / Computer Science and Engineering Program (Contributor) / Barrett, The Honors College (Contributor)
Created2017-05
Description
The purpose of this project was to implement and analyze a new proposed rootkit that claims a greater level of stealth by hiding in cache. Today, the vast majority of embedded devices are powered by ARM processors. To protect their processors from attacks, ARM introduced a hardware security extension known as TrustZone. It provides an isolated execution environment within the embedded device that enables us to run various memory integrity and malware detection tools to identify possible breaches in security to the normal world. Although TrustZone provides this additional layer of security, it also adds another layer of complexity, and thus comes with its own set of vulnerabilities. This new rootkit identifies and exploits a cache incoherence in the ARM device as a result of TrustZone. The newly proposed rootkit, called CacheKit, takes advantage of this cache incoherence to avoid memory introspection from tools in secure world. We implement CacheKit on the i.MX53 development board, which features a single ARM Cortex A8 processor, to analyze the limitations and vulnerabilities described in the original paper. We set up the Linux environment on the computer to be able to cross-compile for the development board which will be running the FreeScale android 2.3.4 platform with a 2.6.33 Linux kernel. The project is implemented as a kernel module that once installed on the board can manipulate cache as desired to conceal the rootkit. The module exploits the fact that in TrustZone, the secure world does not have access to the normal world cache. First, a technique known as Cache-asRAM is used to ensure that the rootkit is loaded only into cache of the normal world where it can avoid detection from the secure world. Then, we employ the cache maintenance instructions and resisters provided in the cp15 coprocessor to keep the code persistent in cache. Furthermore, the cache lines are mapped to unused I/O address space so that if cache content is flushed to RAM for inspection, the data is simply lost. This ensures that even if the rootkit were to be flushed into memory, any trace of the malicious code would be lost. CacheKit prevents defenders from analyzing the code and destroys any forensic evidence. This provides attackers with a new and powerful tool that is excellent for certain scenarios that were previously thought to be secure. Finally, we determine the limitations of the prototype to determine possible areas for future growth and research into the security of networked embedded devices.
ContributorsGutierrez Barnett, Mauricio Antonio (Author) / Zhao, Ziming (Thesis director) / Doupe, Adam (Committee member) / Computer Science and Engineering Program (Contributor) / Barrett, The Honors College (Contributor)
Created2016-12
Description
E-Mail header injection vulnerability is a class of vulnerability that can occur in web applications that use user input to construct e-mail messages. E-Mail injection is possible when the mailing script fails to check for the presence of e-mail headers in user input (either form fields or URL parameters). The vulnerability exists in the reference implementation of the built-in “mail” functionality in popular languages like PHP, Java, Python, and Ruby. With the proper injection string, this vulnerability can be exploited to inject additional headers and/or modify existing headers in an e-mail message, allowing an attacker to completely alter the content of the e-mail.
This thesis develops a scalable mechanism to automatically detect E-Mail Header Injection vulnerability and uses this mechanism to quantify the prevalence of E- Mail Header Injection vulnerabilities on the Internet. Using a black-box testing approach, the system crawled 21,675,680 URLs to find URLs which contained form fields. 6,794,917 such forms were found by the system, of which 1,132,157 forms contained e-mail fields. The system used this data feed to discern the forms that could be fuzzed with malicious payloads. Amongst the 934,016 forms tested, 52,724 forms were found to be injectable with more malicious payloads. The system tested 46,156 of these and was able to find 496 vulnerable URLs across 222 domains, which proves that the threat is widespread and deserves future research attention.
This thesis develops a scalable mechanism to automatically detect E-Mail Header Injection vulnerability and uses this mechanism to quantify the prevalence of E- Mail Header Injection vulnerabilities on the Internet. Using a black-box testing approach, the system crawled 21,675,680 URLs to find URLs which contained form fields. 6,794,917 such forms were found by the system, of which 1,132,157 forms contained e-mail fields. The system used this data feed to discern the forms that could be fuzzed with malicious payloads. Amongst the 934,016 forms tested, 52,724 forms were found to be injectable with more malicious payloads. The system tested 46,156 of these and was able to find 496 vulnerable URLs across 222 domains, which proves that the threat is widespread and deserves future research attention.
ContributorsChandramouli, Sai Prashanth (Author) / Doupe, Adam (Thesis advisor) / Ahn, Gail-Joon (Committee member) / Zhao, Ziming (Committee member) / Arizona State University (Publisher)
Created2016
Description
Data protection has long been a point of contention and a vastly researched field. With the advent of technology and advances in Internet technologies, securing data has become much more challenging these days. Cloud services have become very popular. Given the ease of access and availability of the systems, it is not easy to not use cloud to store data. This however, pose a significant risk to data security as more of your data is available to a third party. Given the easy transmission and almost infinite storage of data, securing one's sensitive information has become a major challenge.
Cloud service providers may not be trusted completely with your data. It is not very uncommon to snoop over the data for finding interesting patterns to generate ad revenue or divulge your information to a third party, e.g. government and law enforcing agencies. For enterprises who use cloud service, it pose a risk for their intellectual property and business secrets. With more and more employees using cloud for their day to day work, business now face a risk of losing or leaking out information.
In this thesis, I have focused on ways to protect data and information over cloud- a third party not authorized to use your data, all this while still utilizing cloud services for transfer and availability of data. This research proposes an alternative to an on-premise secure infrastructure giving exibility to user for protecting the data and control over it. The project uses cryptography to protect data and create a secure architecture for secret key migration in order to decrypt the data securely for the intended recipient. It utilizes Intel's technology which gives it an added advantage over other existing solutions.
Cloud service providers may not be trusted completely with your data. It is not very uncommon to snoop over the data for finding interesting patterns to generate ad revenue or divulge your information to a third party, e.g. government and law enforcing agencies. For enterprises who use cloud service, it pose a risk for their intellectual property and business secrets. With more and more employees using cloud for their day to day work, business now face a risk of losing or leaking out information.
In this thesis, I have focused on ways to protect data and information over cloud- a third party not authorized to use your data, all this while still utilizing cloud services for transfer and availability of data. This research proposes an alternative to an on-premise secure infrastructure giving exibility to user for protecting the data and control over it. The project uses cryptography to protect data and create a secure architecture for secret key migration in order to decrypt the data securely for the intended recipient. It utilizes Intel's technology which gives it an added advantage over other existing solutions.
ContributorsSrivastava, Abhijeet (Author) / Ahn, Gail-Joon (Thesis advisor) / Zhao, Ziming (Committee member) / Doupe, Adam (Committee member) / Arizona State University (Publisher)
Created2016
Description
Access control has been historically recognized as an effective technique for ensuring that computer systems preserve important security properties. Recently, attribute-based
access control (ABAC) has emerged as a new paradigm to provide access mediation
by leveraging the concept of attributes: observable properties that become relevant under a certain security context and are exhibited by the entities normally involved in the mediation process, namely, end-users and protected resources. Also recently, independently-run organizations from the private and public sectors have recognized the benefits of engaging in multi-disciplinary research collaborations that involve sharing sensitive proprietary resources such as scientific data, networking capabilities and computation time and have recognized ABAC as the paradigm that suits their needs for restricting the way such resources are to be shared with each other. In such a setting, a robust yet flexible access mediation scheme is crucial to guarantee participants are granted access to such resources in a safe and secure manner.
However, no consensus exists either in the literature with respect to a formal model that clearly defines the way the components depicted in ABAC should interact with each other, so that the rigorous study of security properties to be effectively pursued. This dissertation proposes an approach tailored to provide a well-defined and formal definition of ABAC, including a description on how attributes exhibited by different independent organizations are to be leveraged for mediating access to shared resources, by allowing for collaborating parties to engage in federations for the specification, discovery, evaluation and communication of attributes, policies, and access mediation decisions. In addition, a software assurance framework is introduced to support the correct construction of enforcement mechanisms implementing our approach by leveraging validation and verification techniques based on software assertions, namely, design by contract (DBC) and behavioral interface specification languages (BISL). Finally, this dissertation also proposes a distributed trust framework that allows for exchanging recommendations on the perceived reputations of members of our proposed federations, in such a way that the level of trust of previously-unknown participants can be properly assessed for the purposes of access mediation.
access control (ABAC) has emerged as a new paradigm to provide access mediation
by leveraging the concept of attributes: observable properties that become relevant under a certain security context and are exhibited by the entities normally involved in the mediation process, namely, end-users and protected resources. Also recently, independently-run organizations from the private and public sectors have recognized the benefits of engaging in multi-disciplinary research collaborations that involve sharing sensitive proprietary resources such as scientific data, networking capabilities and computation time and have recognized ABAC as the paradigm that suits their needs for restricting the way such resources are to be shared with each other. In such a setting, a robust yet flexible access mediation scheme is crucial to guarantee participants are granted access to such resources in a safe and secure manner.
However, no consensus exists either in the literature with respect to a formal model that clearly defines the way the components depicted in ABAC should interact with each other, so that the rigorous study of security properties to be effectively pursued. This dissertation proposes an approach tailored to provide a well-defined and formal definition of ABAC, including a description on how attributes exhibited by different independent organizations are to be leveraged for mediating access to shared resources, by allowing for collaborating parties to engage in federations for the specification, discovery, evaluation and communication of attributes, policies, and access mediation decisions. In addition, a software assurance framework is introduced to support the correct construction of enforcement mechanisms implementing our approach by leveraging validation and verification techniques based on software assertions, namely, design by contract (DBC) and behavioral interface specification languages (BISL). Finally, this dissertation also proposes a distributed trust framework that allows for exchanging recommendations on the perceived reputations of members of our proposed federations, in such a way that the level of trust of previously-unknown participants can be properly assessed for the purposes of access mediation.
ContributorsRubio Medrano, Carlos Ernesto (Author) / Ahn, Gail-Joon (Thesis advisor) / Doupe, Adam (Committee member) / Zhao, Ziming (Committee member) / Santanam, Raghu (Committee member) / Huang, Dijiang (Committee member) / Arizona State University (Publisher)
Created2016
Description
Software-Defined Networking (SDN) is an emerging network paradigm that decouples the control plane from the data plane, which allows network administrators to consolidate common network services into a centralized module named SDN controller. Applications’ policies are transformed into standardized network rules in the data plane via SDN controller. Even though this centralization brings a great flexibility and programmability to the network, network rules generated by SDN applications cannot be trusted because there may exist malicious SDN applications, and insecure network flows can be made due to complex relations across network rules. In this dissertation, I investigate how to identify and resolve these security violations in SDN caused by the combination of network rules and applications’ policies. To this end, I propose a systematic policy management framework that better protects SDN itself and hardens existing network defense mechanisms using SDN.
More specifically, I discuss the following four security challenges in this dissertation: (1) In SDN, generating reliable network rules is challenging because SDN applications cannot be trusted and have complicated dependencies each other. To address this problem, I analyze applications’ policies and remove those dependencies by applying grid-based policy decomposition mechanism; (2) One network rule could accidentally affect others (or by malicious users), which lead to creating of indirect security violations. I build systematic and automated tools that analyze network rules in the data plane to detect a wide range of security violations and resolve them in an automated fashion; (3) A fundamental limitation of current SDN protocol (OpenFlow) is a lack of statefulness, which is extremely important to several security applications such as stateful firewall. To bring statelessness to SDN-based environment, I come up with an innovative stateful monitoring scheme by extending existing OpenFlow specifications; (4) Existing honeynet architecture is suffering from its limited functionalities of ’data control’ and ’data capture’. To address this challenge, I design and implement an innovative next generation SDN-based honeynet architecture.
More specifically, I discuss the following four security challenges in this dissertation: (1) In SDN, generating reliable network rules is challenging because SDN applications cannot be trusted and have complicated dependencies each other. To address this problem, I analyze applications’ policies and remove those dependencies by applying grid-based policy decomposition mechanism; (2) One network rule could accidentally affect others (or by malicious users), which lead to creating of indirect security violations. I build systematic and automated tools that analyze network rules in the data plane to detect a wide range of security violations and resolve them in an automated fashion; (3) A fundamental limitation of current SDN protocol (OpenFlow) is a lack of statefulness, which is extremely important to several security applications such as stateful firewall. To bring statelessness to SDN-based environment, I come up with an innovative stateful monitoring scheme by extending existing OpenFlow specifications; (4) Existing honeynet architecture is suffering from its limited functionalities of ’data control’ and ’data capture’. To address this challenge, I design and implement an innovative next generation SDN-based honeynet architecture.
ContributorsHan, Wonkyu (Author) / Ahn, Gail-Joon (Thesis advisor) / Zhao, Ziming (Thesis advisor) / Doupe, Adam (Committee member) / Huang, Dijiang (Committee member) / Zhang, Yanchao (Committee member) / Arizona State University (Publisher)
Created2016
Description
The Internet traffic, today, comprises majorly of Hyper Text Transfer Protocol (HTTP). The first version of HTTP protocol was standardized in 1991, followed by a major upgrade in May 2015. HTTP/2 is the next generation of HTTP protocol that promises to resolve short-comings of HTTP 1.1 and provide features to greatly improve upon its performance.
There has been a 1000\% increase in the cyber crimes rate over the past two years. Since HTTP/2 is a relatively new protocol with a very high acceptance rate (around 68\% of all HTTPS traffic), it gives rise to an urgent need of analyzing this protocol from a security vulnerability perspective.
In this thesis, I have systematically analyzed the security concerns in HTTP/2 protocol - starting from the specifications, testing all variation of frames (basic entity in HTTP/2 protocol) and every new introduced feature.
In this thesis, I also propose the Context Aware fuzz Testing for Binary communication protocols methodology. Using this testing methodology, I was able to discover a serious security susceptibility using which an attacker can carry out a denial-of-service attack on Apache
There has been a 1000\% increase in the cyber crimes rate over the past two years. Since HTTP/2 is a relatively new protocol with a very high acceptance rate (around 68\% of all HTTPS traffic), it gives rise to an urgent need of analyzing this protocol from a security vulnerability perspective.
In this thesis, I have systematically analyzed the security concerns in HTTP/2 protocol - starting from the specifications, testing all variation of frames (basic entity in HTTP/2 protocol) and every new introduced feature.
In this thesis, I also propose the Context Aware fuzz Testing for Binary communication protocols methodology. Using this testing methodology, I was able to discover a serious security susceptibility using which an attacker can carry out a denial-of-service attack on Apache
ContributorsTiwari, Naveen (Author) / Ahn, Gail-Joon (Thesis advisor) / Doupe, Adam (Committee member) / Zhao, Ziming (Committee member) / Arizona State University (Publisher)
Created2017