Decompilers are indispensable tools in Android malware analysis and app security auditing. Numerous academic works also employ an Android decompiler as the first step in a program analysis pipeline. In such settings, decompilation is frequently regarded as a "solved" problem, in that it is simply expected that source code can be accurately recovered from an app. On the other hand, it is known that, e.g, obfuscation can negatively impact a decompilers effectiveness. Therefore, in order to better understand potential failure modes of, e.g., automated analysis pipelines involving decompilation, it is important to characterize the performance of decompilers on both benign and malicious apps. To this end, we have performed what is, to the best of our knowledge, the first large-scale study of Android decompilation failure rates, using three sets of apps; namely, 3,018 open-source apps, 13,601 apps crawled from Google Play, and an existing collection of 24,553 malware samples. In addition to the state-of-the-art Dalvik bytecode decompiler Jadx, we also studied the performance of three popular Java decompilers. Furthermore, this paper also presents the findings from a follow-up study on 54,945 malware apps, where we additionally performed an analysis of the reasons for decompilation failures. Our study revealed that decompilers generally have very low failure rates, and that few failures on benign apps appear to be related to obfuscation. On malware, however, obfuscation appears to be a more prominent cause of failures, although the vast majority of malicious apps could still be fully decompiled by an ensemble of decompilers.

Code obfuscation is an important topic, both in terms of defense, when trying to prevent intellectual property theft, and from the offensive point of view, when trying to break obfuscation used in malware. Several recent works have discussed techniques for preventing or delaying reverse engineering of binaries. While most works focus on methods that obscure program logic, the complimentary approach of disassembly desynchronizationhas received relatively little attention, despite being often used by, for example, malware authors. The technique puts another hurdle in the way of attackers by targeting the most fundamental step of the reverse-engineering process: recovering assembly code from a program binary. In the interest of furthering research into this kind of obfuscation, we present desync-cc, a tool for automatic application of disassembly desynchronization. To facilitate maximal ease-of-use, the tool is designed as a drop-in replacement for gcc, and works by intercepting and modifying intermediate assembly-code during compilation. (c) 2023 The Authors. Published by Elsevier B.V.

Code obfuscation is an important topic, both in terms of defense, when trying to prevent intellectual property theft, and from the offensive point of view, when trying to break obfuscation used by malware authors to hide their malicious intents. Consequently, several works in recent years have discussed techniques that aim to prevent or delay reverse-engineering of binaries. While most works focus on methods that obscure the program logic from potential attackers, the complimentary approach of disassembly desynchronization has received relatively little attention. This technique puts another hurdle in the way of attackers by targeting the most fundamental step of the reverse-engineering process: recovering assembly code from a program binary. The technique works by tricking a disassembler into decoding the instruction stream at an invalid offset. On CPU architectures with variable-length instructions, this often yields valid albeit meaningless assembly code, while hiding a part of the original code.

In the interest of furthering research into disassembly desynchronization, both from a defensive and offensive point of view, we have created desync-cc, a tool for automatic application of disassembly-desynchronization obfuscation. The tool is designed as a drop-in replacement for gcc, and works by intercepting and modifying intermediate assembly code during compilation. By applying obfuscation after the code generation phase, our tool allows a much more granular control over where obfuscation is applied, compared to a source-code level obfuscator. In this paper, we describe the design and implementation of desync-cc, and present a preliminary evaluation of its effectiveness and efficiency on a number of real-world Linux programs.

Decompilers are indispensable tools in Android malware analysis and app security auditing. Numerous academic works also employ an Android decompiler as the first step in a program analysis pipeline. In such settings, decompilation is frequently regarded as a "solved" problem, in that it is simply expected that source code can be accurately recovered from an app. While a large proportion of methods in an app can typically be decompiled successfully, it is common that at least some methods fail to decompile. In order to better understand the practical applicability of techniques in which decompilation is used as part of an automated analysis, it is important to know the actual expected failure rate of Android decompilation. To this end, we have performed what is, to the best of our knowledge, the first large-scale study of Android decompilation failure rates. We have used three sets of apps, consisting of, respectively, 3,018 open-source apps, 13,601 apps from a recent crawl of Google Play, and a collection of 24,553 malware samples. In addition to the state-of-the-art Dalvik bytecode decompiler jadx, we used three popular Java decompilers. While jadx achieves an impressively low failure rate of only 0.02% failed methods per app on average, we found that it manages to recover source code for all methods in only 21% of the Google Play apps.We have also sought to better understand the degree to which in-the-wild obfuscation techniques can prevent decompilation. Our empirical evaluation, complemented with an indepth manual analysis of a number of apps, indicate that code obfuscation is quite rarely encountered, even in malicious apps. Moreover, decompilation failures mostly appear to be caused by technical limitations in decompilers, rather than by deliberate attempts to thwart source-code recovery by obfuscation. This is an encouraging finding, as it indicates that near-perfect Android decompilation is, at least in theory, achievable, with implementation-level improvements to decompilation tools.

We have identified a methodological problem in the empirical evaluation of the string encryption detection capabilities of the AndrODet system described by Mirzaei et al. in the recent paper "AndrODet: An adaptive Android obfuscation detector". The accuracy of string encryption detection is evaluated using samples from the AMD and PraGuard malware datasets. However, the authors failed to account for the fact that many of the AMD samples are highly similar due to the fact that they come from the same malware family. This introduces a risk that a machine learning system trained on these samples could fail to learn a generalizable model for string encryption detection, and might instead learn to classify samples based on characteristics of each malware family. Our own evaluation strongly indicates that the reported high accuracy of AndrODet's string encryption detection is indeed due to this phenomenon. When we evaluated AndrODet, we found that when we ensured that samples from the same family never appeared in both training and testing data, the accuracy dropped to around 50%. Moreover, the PraGuard dataset is not suitable for evaluating a static string encryption detector such as AndrODet, since the particular obfuscation tool used to produce the dataset effectively makes it impossible to extract meaningful features of static strings in Android apps.

While string obfuscation is a common technique used by mobile developers to prevent reverse engineering of their apps, malware authors also often employ it to, for example, avoid detection by signature-based antivirus products. For this reason, robust techniques for detecting obfuscated strings in apps are an important step towards more effective means of combating obfuscated malware. In this paper, we discuss and empirically characterize four significant limitations of existing machine-learning approaches to string obfuscation detection, and propose a novel method to address these limitations. The key insight of our method is that discriminative classification methods, which try to fit a decision boundary based on a set of positive and negative samples, are inherently bound to generalize poorly when used for string obfuscation detection. Since many different string obfuscation techniques exist, both in the form of commercial tools and as custom implementations, it is close to impossible to construct a training set that is representative of all possible obfuscations. We instead propose a generative approach based on the Naive Bayes method. We first model the distribution of natural-language strings, using a large corpus of strings from 235 languages, and then base our classification on a measure of the confidence with which a language can be assigned to a string. Crucially, this allows us to completely eliminate the need for obfuscated training samples. In our experiments, this new method significantly outperformed both an n-gram based random forest classifier and an entropy-based classifier, in terms of accuracy and generalizability.

Greybox fuzzing has recently emerged as a scalable and practical approach to finding security bugs in software. For example, AFL — the current state-of-the-art greybox fuzzer — has found hundreds of vulnerabilities in popular software since its release in 2013. The combination of lightweight coverage instrumentation and a simple evolutionary algorithm allows AFL to quickly generate inputs that exercise new code. AFL also obviates the need to manually set ad-hoc fuzzing ratios, which has been a major limitation of classical black-box fuzzers. Instead, AFL's first fuzzing pass exhaustively applies a set of mutations to every byte of a program input. While this approach allows for more thorough exploration of the input space, and therefore improves the chances of finding complex bugs, it also drastically slows down the fuzzing progress for "heavyweight" programs, or programs that take large inputs. This makes AFL less suitable for fuzzing input formats with large size overhead, such as various document formats. In this paper, we propose focused fuzzing as a practical trade-off between thoroughness and speed, for fuzzers that employ input mutation. We extend the notion of code coverage to individual bytes of input, and show how forward dynamic slicing can be used to efficiently determine the set of program instructions that are affected by a particular input byte. This information can then be used to restrict expensive mutations to a small subset of input bytes. We implement focused fuzzing on top of AFL, and evaluate it on four "real-life" Linux programs. Our evaluation shows that focused fuzzing noticeably improves bug discovery, compared to vanilla AFL.

This paper presents the design and data-driven overhead analysis of PrefiSec, a distributed framework that helps collaborating organizations to effectively maintain and share network information in the fight against miscreants. PrefiSec is a novel distributed IP-prefix-based solution, which maintains information about the activities associated with IP prefixes (blocks of IP addresses) and autonomous systems (AS) and enables efficient sharing of this information between participants. Within PrefiSec, we design and evaluate simple and scalable mechanisms that help to protect against prefixisubprefix attacks and interception attacks, and enable sharing of prefix related information related to a wide range of edge-based attacks, such as spamming and scanning. We also include an evaluation of which ASes need to collaborate, to what extent the size and locality of ASes matter, and how many ASes are needed to achieve good efficiency in detecting anomalous route announcements. Public wide-area BGP-announcements, traceroutes, and simulations are used to estimate the overhead, scalability, and alert rates. Our results show that PrefiSec helps improve system security, and can scale to large systems. (C) 2017 Elsevier B.V. All rights reserved.

Program trace alignment is the process of establishing a correspondence between dynamic instruction instances in executions of two semantically similar but syntactically different programs. In this paper we present what is, to the best of our knowledge, the first method capable of aligning realistically long execution traces of real programs. To maximize generality, our method works entirely on the machine code level, i.e. it does not require access to source code. Moreover, the method is based entirely on dynamic analysis, which avoids the many challenges associated with static analysis of binary code, and which additionally makes our approach inherently resilient to e.g. static code obfuscation. Therefore, we believe that our trace alignment method could prove to be a useful aid in many program analysis tasks, such as debugging, reverse-engineering, investigating plagiarism, and malware analysis. We empirically evaluate our method on 11 popular Linux programs, and show that it is capable of producing meaningful alignments in the presence of various code transformations such as optimization or obfuscation, and that it easily scales to traces with tens of millions of instructions.

Many websites act as relying parties (RPs) by allowing access to their services via third-party identity providers (IDPs), such as Facebook and Google. Using IDPs simplifies account creation, login activity, and information sharing across websites. However, different websites use of IDPs can have significant security and privacy implications for users. Here, the authors provide an overview of third-party identity managements current landscape. Using datasets collected through manual identification and large-scale crawling, they answer questions related to which sites act as RPs, which sites are the most successful IDPs, and how different classes of RPs select their IDPs.

The Border Gateway Protocol (BGP) was not designed with security in mind and is vulnerable to many attacks, including prefix/subprefix hijacks, interception attacks, and imposture attacks. Despite many protocols having been proposed to detect or prevent such attacks, no solution has been widely deployed. Yet, the effectiveness of most proposals relies on largescale adoption and cooperation between many large Autonomous Systems (AS). In this paper we use measurement data to evaluate some promising, previously proposed techniques in cases where they are implemented by different subsets of ASes, and answer questions regarding which ASes need to collaborate, the importance of the locality and size of the participating ASes, and how many ASes are needed to achieve good efficiency when different subsets of ASes collaborate. For our evaluation we use topologies and routing information derived from real measurement data. We consider collaborative detection and prevention techniques that use (i) prefix origin information, (ii) route path updates, or (iii) passively collected round-trip time (RTT) information. Our results and answers to the above questions help determine the effectiveness of potential incremental rollouts, incentivized or required by regional legislation, for example. While there are differences between the techniques and two of the three classes see the biggest benefits when detection/prevention is performed close to the source of an attack, the results show that significant gains can be achieved even with only regional collaboration.

Many modern websites offer single sign-on (SSO) services, which allow the user to use an existing account with a third-party website such as Facebook to authenticate. When using SSO the user must approve an app-rights agreement that specifies what data related to the user can be shared between the two websites and any actions (e.g., posting comments) that the origin website is allowed to perform on behalf of the user on the third-party provider (e.g., Facebook). Both cross-site data sharing and actions performed on behalf of the user can have significant privacy implications. In this paper we present a longitudinal study of the third-party authentication landscape, its structure, and the protocol usage, data sharing, and actions associated with individual third-party relationships. The study captures the current state, changes in the structure, protocol usage, and information leakage risks.

Establishing binary correspondence is the process of finding corresponding pairs of program elements, e.g., functions or individual instructions, between two semantically equivalent (or nearly-equivalent) but syntactically different program binaries. The binary-correspondence problem has applications in many fields, e.g., plagiarism and clone detection, reverse engineering, and security, and has therefore received significant attention both in industry and academia. Most binary-correspondence methods used in practice today are based on static analysis of the control structure in binaries. Unfortunately, such methods are often highly sensitive to syntactic differences between binaries, and discrepancies in the control structure due to, for example, using different compilers or optimization levels often severely reduce their accuracy. Several recent works have therefore proposed using dynamic analysis and comparing runtime-observed results of computations to establish binary correspondence. In this paper, we study the discriminative power of runtime-values for matching instructions in binaries, and propose several ways to increase the accuracy of value-based analyses. By utilizing techniques from the field of information retrieval combined with dynamic data-flow analysis, we improve matching accuracy by up to 55% in our experiments.

This paper considers the problem of providing users playing one streaming video the option of instantaneous and seamless playback of alternative videos. Recommendation systems can easily provide a list of alternative videos, but there is little research on how to best eliminate the startup time for these alternative videos. The problem is motivated by services that want to retain increasingly impatient users, who frequently watch the beginning of multiple videos, before viewing a video to the end. We present the design, implementation, and evaluation of an HTTP-based Adaptive Streaming (HAS) solution that provides careful prefetching and buffer management. We also present the design and evaluation of three fundamental policy classes that provide different tradeoffs between how aggressively new alternative videos are prefetched versus the importance of ensuring high playback quality. We show that our solution allows us to reduce the startup times of alternative videos by an order of magnitude and effectively adapt the quality such as to ensure the highest possible playback quality of the video being viewed. By improving the channel utilization we also address the discrimination problem that HAS clients often suffer from, allowing us to in some cases simultaneously improve the playback quality of the video being viewed and provide the value-added service of allowing instantaneous playback of the prefetched alternative videos.

The Internet is highly susceptible to routing attacks and there is no universally deployed solution that ensures that traffic is not hijacked by third parties. Individuals or organizations wanting to protect themselves from sustained attacks must therefore typically rely on measurements and traffic monitoring to detect attacks. Motivated by the high overhead costs of continuous active measurements, we argue that passive monitoring combined with collaborative information sharing and statistics can be used to provide alerts about traffic anomalies that may require further investigation. In this paper we present and evaluate a user-centric crowd-based approach in which users passively monitor their network traffic, share information about potential anomalies, and apply combined collaborative statistics to identify potential routing anomalies. The approach uses only passively collected round-trip time (RTT) measurements, is shown to have low overhead, regardless if a central or distributed architecture is used, and provides an attractive tradeoff between attack detection rates (when there is an attack) and false alert rates (needing further investigation) under normal conditions. Our data-driven analysis using longitudinal and distributed RTT measurements also provides insights into detector selection and the relative weight that should be given to candidate detectors at different distances from the potential victim node.

Security has become recognized as a critical aspect of software development, leading to the development of various security-enhancing techniques, many of which use some kind of custom modeling language. Models in different languages cannot readily be related to each other, which is an obstacle to using several techniques together. The sheer number of languages is, in itself, also an obstacle to adoption by developers. The authors have developed a modeling language that can be used in place of four existing modeling languages: attack trees, vulnerability cause graphs, security activity graphs, and security goal indicator trees. Models in the new language can be transformed to and from the earlier language, and a precise definition of model semantics enables an even wider range of applications, such as testing and static analysis. This chapter explores this new language.

Third-party identity management services enable cross-site information sharing, making Web access seamless but also raise significant privacy implications for the users. Using a combination of manual analysis of identified third-party identity management relationships and targeted case studies we capture how the protocol usage and third-party selection is changing, profile what information is requested to be shared (and actions to be performed) between websites, and identify privacy issues and practical problems that occur when using multiple accounts (associated with these services). The study highlights differences in the privacy leakage risks associated with different classes of websites, and shows that the use of multiple third-party websites, in many cases, can cause the user to lose (at least) partial control over which information is shared/posted on their behalf.

The cross-site information sharing and authorized actions of third-party identity management can have significant privacy implications for the users. In this paper, we use a combination of manual analysis of identified third-party identity management relationships and targeted case studies to (i) capture how the protocol usage and third-party selection is changing, (ii) profile what information is requested to be shared (and actions to be performed) between websites, and (iii) identify privacy issues and practical problems that occur when using multiple accounts (associated with these services). By characterizing and quantifying the third-party relationships based on their cross-site information sharing, the study highlights differences in the privacy leakage risks associated with different classes of websites, and provides concrete evidence for how the privacy risks are increasing. For example, many news and file/video-sharing sites ask users to authorize the site to post information to the third-party website. We also observe a general increase in the breadth of information that is shared across websites, and find that due to usage of multiple third-party websites, in many cases, the user can lose (at least) partial control over which identities they can merge/relate and the information that is shared/posted on their behalf.

Mutation-based fuzzing is a popular and widely employed black-box testing technique for finding security and robustness bugs in software. It owes much of its success to its simplicity; a well-formed seed input is mutated, e.g. through random bit-flipping, to produce test inputs. While reducing the need for human effort, and enabling security testing even of closed-source programs with undocumented input formats, the simplicity of mutation-based fuzzing comes at the cost of poor code coverage. Often millions of iterations are needed, and the results are highly dependent on configuration parameters and the choice of seed inputs. In this paper we propose a novel method for automated generation of high-coverage test cases for robustness testing. Our method is based on the observation that, even for closed-source programs with proprietary input formats, an implementation that can generate well-formed inputs to the program is typically available. By systematically mutating the program code of such generating programs, we leverage information about the input format encoded in the generating program to produce high-coverage test inputs, capable of reaching deep states in the program under test. Our method works entirely at the machine-code level, enabling use-cases similar to traditional black-box fuzzing. We have implemented the method in our tool MutaGen, and evaluated it on 7 popular Linux programs. We found that, for most programs, our method improves code coverage by one order of magnitude or more, compared to two well-known mutation-based fuzzers. We also found a total of 8 unique bugs.

Dynamic program slicing is widely recognized as a powerful aid for e.g. Program comprehension during debugging. However, its widespread use has been impeded in part by scalability issues that occur when constructing the dynamic dependence graph necessary to compute dynamic slices. A few seconds of execution time on a modern CPU can easily yield dynamic dependence graphs on the order of tens of gigabytes in size. Existing methods either produce imprecise slices, incur large time overheads during slice computation, or run out of memory for long program executions. By carefully designing our method to take advantage of locality, we are able to efficiently use secondary storage for dynamic dependence graphs, thus allowing our method to scale to long program executions. Our prototype implementation runs directly on x86 executables, eliminating problems with e.g. Binary-only libraries. We show in our experiments that graphs can be constructed for program runs with billions of executed instructions, at slowdowns ranging from 62x to 173x. Our optimized format also allows graphs to be traversed at speeds of several million dependence edges per second.

This paper presents the design and data-driven overhead analysis of PrefiSec, a distributed framework that helps collaborating organizations to effectively maintain and share network information in the fight against miscreants. PrefiSec is a novel distributed IP-prefix-based solution, which maintains information about the activities associated with IP prefixes (blocks of IP addresses) and autonomous systems (AS). Within PrefiSec, we design and evaluate simple and scalable mechanisms and policies that allow participating entities to effectively share network information, which helps to protect against prefix/subprefix attacks, interception attacks, and a wide range of edge-based attacks, such as spamming, scanning, and botnet activities. Timely reporting of such information helps participants improve their security, keep their security footprints clean, and incentivizes participation. Public wide-area BGP-announcements, traceroutes, and simulations are used to estimate the overhead, scalability, and alert rates. Our results show that PrefiSec helps improve system security, and can scale to large systems.

Interactive branched video that allows users to select their own paths through the video, provides creative content designers with great personalization opportunities; however, such video also introduces significant new challenges for the system developer. For example, without careful prefetching and buffer management, the use of multiple alternative playback paths can easily result in playback interruptions. In this paper, we present a full implementation of an interactive branched video player using HTTP-based Adaptive Streaming (HAS) that provides seamless playback even when the users defer their branch path choices to the last possible moment. Our design includes optimized prefetching policies that we derive under a simple optimization framework, effective buffer management of prefetched data, and the use of parallel TCP connections to achieve efficient buffer workahead. Through performance evaluation under a wide range of scenarios, we show that our optimized policies can effectively prefetch data of carefully selected qualities along multiple alternative paths such as to ensure seamless playback, offering users a pleasant viewing experience without playback interruptions.

Many websites utilize third-party identity management services to simplify access to their services. Given the privacy and security implications for end users, an important question is how websites select their third-party identity providers and how this impacts the characteristics of the emerging identity management landscape seen by the users. In this paper we first present a novel Selenium-based data collection methodology that identifies and captures the identity management relationships between sites and the intrinsic characteristics of the websites that form these relationships. Second, we present the first large-scale characterization of the third-party identity management landscape and the relationships that makes up this emerging landscape. As a reference point, we compare and contrast our observations with the somewhat more understood third-party content provider landscape. Interesting findings include a much higher skew towards websites selecting popular identity provider sites than is observed among content providers, with sites being more likely to form identity management relationships that have similar cultural, geographic, and general site focus. These findings are both positive and negative. For example, the high skew in usage places greater responsibility on fewer organizations that are responsible for the increased information leakage cost associated with highly aggregated personal information, but also reduces the users control of the access to this information. © 2014 Springer International Publishing Switzerland.

This paper presents the design, implementation, and validation of a novel system that supports streaming and playout of personalized, multi-path, nonlinear video. In contrast to regular video, in which the file content is played sequentially, our design allows multiple nonlinear video sequences of the underlying (linear) video to be stitched together and played in any personalized order, and clients can be provided multiple path choices. The design combines the ideas of HTTP-based adaptive streaming (HAS) and multi-path nonlinear video. Personalization of the content is achieved with the use of a customized metafile, which is downloaded separately from the underlying media and the manifest file that defines the HAS structure. An extension to the user interface allows path choices to be presented to and made by the user. Novel buffer management and prefetching policies are used to ensure seamless uninterrupted playback regardless of client path choices, even under scenarios in which clients defer their choices until the last possible moment. Our solution allows creative home users to easily create their own multi-path nonlinear video, opening the door to an endless possibility of new opportunities and media forms.

This paper presents the design, implementation, and validation of a novel system that supports streaming and playout of personalized, multi-path, nonlinear video. In contrast to regular video, in which the file content is played sequentially, our design allows multiple nonlinear video sequences of the underlying (linear) video to be stitched together and played in any personalized order, and clients can be provided multiple path choices. The design combines the ideas of HTTP-based adaptive streaming (HAS) and multi-path nonlinear video. Personalization of the content is achieved with the use of a customized metafile, which is downloaded separately from the underlying media and the manifest file that defines the HAS structure. An extension to the user interface allows path choices to be presented to and made by the user. Novel buffer management and prefetching policies are used to ensure seamless uninterrupted playback regardless of client path choices, even under scenarios in which clients defer their choices until the last possible moment. Our solution allows creative home users to easily create their own multi-path nonlinear video, opening the door to an endless possibility of new opportunities and media forms.

HTTP-based Adaptive Streaming (HAS) has become a widely-used video delivery technology. Use of HTTP enables relatively easy firewall/NAT traversal and content caching. While caching is an important aspect of HAS, there is not much public research on the performance impact proxies and their policies have on HAS. In this paper we build an experimental framework using open source Squid proxies and the most recent Open Source Media Framework (OSMF). A range of content-aware policies can be implemented in the proxies and tested, while the player software can be instrumented to measure performance as seen at the client. Using this framework, the paper makes three main contributions. First, we present a scenario-based performance evaluation of the latest version of the OSMF player. Second, we quantify the benefits using different proxy-assisted solutions, including basic best effort policies and more advanced content quality aware prefetching policies. Finally, we present and evaluate a cooperative framework in which clients and proxies share information to improve performance. In general, the bottleneck location and network conditions play central roles in which policy choices are most advantageous, as they significantly impact the relative performance differences between policy classes. We conclude that careful design and policy selection is important when trying to enhance HAS performance using proxy assistance.

Context: Passive testing is a technique in which traces collected from the execution of a system under testare examined for evidence of flaws in the system.

Objective: In this paper we present a method for detecting the presence of security vulnerabilities bydetecting evidence of their causes in execution traces. This is a new approach to security vulnerabilitydetection.

Method: Our method uses formal models of vulnerability causes, known as security goal models and vulnerabilitydetection conditions (VDCs). The former are used to identify the causes of vulnerabilities andmodel their dependencies, and the latter to give a formal interpretation that is suitable for vulnerabilitydetection using passive testing techniques. We have implemented modeling tools for security goal modelsand vulnerability detection conditions, as well as TestInv-Code, a tool that checks execution traces ofcompiled programs for evidence of VDCs.

Results: We present the full definitions of security goal models and vulnerability detection conditions, aswell as structured methods for creating both. We describe the design and implementation of TestInv-Code. Finally we show results obtained from running TestInv-Code to detect typical vulnerabilities in severalopen source projects. By testing versions with known vulnerabilities, we can quantify the effectivenessof the approach.

Conclusion: Although the current implementation has some limitations, passive testing for vulnerabilitydetection works well, and using models as the basis for testing ensures that users of the testing tool caneasily extend it to handle new vulnerabilities.

Third-party security analysis of closed-source programs has become an important part of a defense-in-depth approach to software security for many companies. In the absence of efficient tools, the analysis has generally been performed through manual reverse engineering of the machine code. As reverse engineering is an extremely time-consuming and costly task, much research has been performed to develop more powerful methods for analysis of program binaries. One such popular method is dynamic taint analysis (DTA), which is a type of runtime data-flow analysis, where certain input data is marked as tainted. By tracking the flow of tainted data, DTA can, for instance, be used to determine which computations in a program are affected by a certain part of the input. In this paper we present InputTracer, a tool that utilizes DTA for aiding in manual program comprehension and analysis of unmodified x86 executables running in Linux. A brief overview of dynamic taint analysis is given, followed by a description of the tool and its implementation. We also demonstrate the tool’s ability to provide exact information on the origin of tainted data through a detailed use case, where the tool is used to find the root cause of a memory corruption bug.

The telecommunication industry has been successful in turning the Internet into a mobile service and stimulating the creation of a new set of networked, remote services. In this paper we argue that embracing cloud computing solutions is fundamental for the telecommunication industry to remain competitive. However, there are legal, regulatory, business, market-related and technical challenges that must be considered. In this paper we list such challenges and define a set of privacy, security and trust requirements that must be taken into account before cloud computing solutions can be fully integrated and deployed by telecommunication providers.

Internet users often have usernames and passwords at multiple web sites. To simplify things, many sites support federated identity management, which enables users to have a single account allowing them to log on to different sites by authenticating to a single identity provider. Most identity providers perform authentication using a username and password. Should these credentials be compromised, all of the user’s accounts become compromised. Therefore a more secure authentication method is desirable. This paper implements 2-clickAuth, a multimedia-based challenge-response solution which uses a web camera and a camera phone for authentication. Two-dimensional barcodes are used for the communication between phone and computer, which allows 2-clickAuth to transfer relatively large amounts of data in a short period of time. 2-clickAuth is more secure than passwords while easy to use and distribute. 2-clickAuth is a viable alternative to passwords in systems where enhanced security is desired, but availability, ease-of-use, and cost cannot be compromised. This paper implements an identity provider in the OpenID federated identity management system that uses 2-clickAuth for authentication, making 2-clickAuth available to all users of sites that support OpenID, including Facebook, Sourceforge, and MySpace.

Security is becoming recognized as an important aspect of software development, leading to the development of various security-enhancing techniques, many of which use some kind of custom modeling language. Models in different languages cannot readily be related to each other, which is an obstacle to using several techniques together. The sheer number of languages is, in itself, also an obstacle to adoption by developers.

We have developed a modeling language that can be used in place of four existing modeling languages: attack trees, vulnerability cause graphs, security activity graphs, and security goal indicator trees. Our language is more precise than earlier languages, which allows models to be used in automated applications such as testing and static analysis. Models in the new language can be transformed to and from earlier languages. We also present a data model that allows users to relate different kinds of models and model elements to each other and to core security knowledge.

Mobile phones offer unique advantages for secure authentication: they are small and portable, provide multiple data transfer channels, and are nearly ubiquitous. While phones provide a flexible and capable platform, phone designs vary, and the security level of an authentication solution is influenced by the choice of channels and authentication methods. It can be a challenge to get a consistent overview of the strengths and weaknesses of the available alternatives. Existing guidelines for authentication usually do not consider the specific problems in mobile phone authentication. We provide a method for evaluating and designing authentication solutions using mobile phones, using an augmented version of the Electronic Authentication Guideline.

Spam is a significant problem in the day-to-day operations of large networks and information systems, as well as a common conduit for malicious software. The problem of detecting and eliminating spam remains of great interest, both commercially and in a research context. In this paper we present TRAP, a reputation-based open, decentralized and distributed system to aid in detecting unwanted e-mail. In TRAP, all participants are equal, all participants can see how the system works, and there is no reliance on any member or subset of members. This paper outlines the TRAP system itself and shows, through simulation, that the fundamental component of TRAP, a distributed low-overhead trust management system, is efficient and robust under the normal conditions present on the Internet.

Internet users today often have usernames and passwords at multiple web sites. To simplify things, many sites support some form of federated identity management, such as OpenID, that enables users to have a single account that allows them to log on to many different sites by authenticating to a single identity provider. Most identity providers perform authentication using a username and password. Should these credentials be compromised, e. g. captured by a key logger or malware on an untrusted computer, all the users accounts become compromised. Therefore a more secure authentication method is desirable. We have implemented 2-clickAuth, an optical challenge-response solution where a web camera and a camera phone are used for authentication. Two-dimensional barcodes are used for the communication between phone and computer, which allows 2-clickAuth to transfer relatively large amounts of data in a short period of time. 2-clickAuth is considerably more secure than passwords while still being easy to use and easy to distribute to users. This makes 2-clickAuth a viable alternative to passwords in systems where enhanced security is desired, but availability, ease-of-use, and cost cannot be compromised. We have implemented an identity provider in the OpenID federated identity management system that uses 2clickAuth for authentication, making 2-clickAuth available to all users of sites that support OpenID, including Facebook, Sourceforge and MySpace.

Mobile phones offer unique advantages for secure authentication: they are small and portable, provide multiple data transfer channels, and are nearly ubiquitous. While phones provide a flexible and capable platform, phone designs vary, and the security level of an authentication solution is influenced by the choice of channels and authentication methods. It can be a challenge to get a consistent overview of the strengths and weaknesses of the available alternatives. In this paper we provide a method for evaluating and designing authentication solutions using mobile phones. The method also considers availability and usability, which are often overlooked factors. The goal is to help developers to create secure authentication, considering the user's priorities on security, availability and usability.

Security is becoming recognized as an important aspect of software development, leading to the development of many different security-enhancing techniques, many of which use some kind of custom modeling language. Models in these different languages cannot readily be related to each other, which is an obstacle to using several techniques together. The sheer number of languages is, in itself, also an obstacle to adoption by developers.

In this paper we present a modeling language that can be used in place of four existing modeling languages: attacktrees, vulnerability cause graphs, security activity graphs, and security goal indicator trees. Models in our language can be more precise than earlier models, which allows them to be used in automated applications, such as automatic testing and static analysis. Models in the new language can be derived automatically from models in the existing languages, and can be viewed using existing notation.

Our modeling language exploits a data model, also presented in this paper, that permits rich interconnections between various items of security knowledge. In this data model it is straightforward to relate different kinds of models, and thereby different software security techniques, to each other.

Incident post-mortem analysis after recovery from incidents is recommended by most incident response experts. An analysis of why and how an incident happened is crucial for determining appropriate countermeasures to prevent the recurrence of the incident. Currently, there is a lack of structured methods for such an analysis, which would identify the causes of a security incident. In this paper, we present a structured method to perform the post-mortem analysis and to model the causes of an incident visually in a graph structure. This method is an extension of our earlier work on modeling software vulnerabilities. The goal of modeling incidents is to develop an understanding of what could have caused the security incident and how its recurrence can be prevented in the future. The method presented in this paper is intended to be used during the post-mortem analysis of incidents by incident response teams.

Tools for disk imaging (or more generally speaking, digital acquisition) are a foundation for forensic examination of digital evidence. Therefore it is crucial that such tools work as expected. The only way to determine whether this is the case or not is through systematic testing of each tool. In this paper we present such an evaluation of the disk imaging functions of EnCase 6.8® and LinEn 6.1, conducted on behalf of the Swedish National Laboratory of Forensic Science. Although both tools performed as expected under most circumstances, we identified cases where flaws that can lead to inaccurate and incomplete acquisition results in LinEn 6.1 were exposed. We have also identified limitations in the tool that were not evident from its documentation. In addition summarizing the test results, we present our testing methodology, which has novel elements that we think can benefit other evaluation projects.

Within the field of software security we have yet to find efficient ways on how to learn from past mistakes and in- tegrate security as a natural part of software development. This situation can be improved by using an online reposi- tory, the SHIELDS SVRS, that facilitates fast and easy inter- change of security artefacts between security experts, soft- ware developers and their assisting tools. Such security artefacts are embedded in or represented as security mod- els containing the needed information to detect, remove and prevent vulnerabilities in software, independent of the ap- plied development process. The purpose of this paper is to explain the main reference architecture description of the repository and the more general tool stereotypes that can communicate with it.

Advances in technology are causing new privacy concerns as an increasing number of citizens are engaging in online activities.

Techniques and Applications for Advanced Information Privacy and Security: Emerging Organizational, Ethical, and Human Issues provides a thorough understanding of issues and concerns in information technology security. An advanced reference source covering topics such as security management, privacy preservation, and authentication, this book outlines the field and provides a basic understanding of the most salient issues in privacy concerns for researchers and practitioners.

Show more Show less

Security of software systems has become one of the biggest concerns in our everyday life, since software systems are increasingly used by individuals, companies and governments. One way to help software system consumers gain assurance about the security measures of software products is to evaluate and certify these products with standard evaluation processes. The Common Criteria (ISO/IEC 15408) evaluation scheme is a standard that is widely used by software vendors. This process does not include information about already known vulnerabilities, their attack data and lessons learned from them. This has resulted in criticisms concerning the accuracy of this evaluation scheme since it might not address the areas in which actual vulnerabilities might occur.

In this paper, we present a methodology that introduces information about threats from vulnerabilities to Common Criteria documents. Our methodology improves the accuracy of the Common Criteria by providing information about known vulnerabilities in Common Criteria’s security target. Our methodology also provides documentation about how to fulfill certain security requirements, which can reduce the time for evaluation of the products.

Software security is accomplished by introducing security-related activities into the software development process or by altering existing activities so that security is taken into account. Since the importance of software security has only relatively recently received the recognition it deserves, security is not ingrained into the development processes in common use today. A variety of approaches to software security have been proposed, but they rarely support developers in determining which security activities are appropriate for them and which they should choose to implement. An exception to this rule is the Sustainable Software Security Process (S3P). This paper describes the final step of the S3P, which helps developers estimate the cost of security-related activities and select the combination of security activities that best suits their needs. This is accomplished by applying the Analytic Hierarchy Process and an automated search heuristic, scatter search, to the models created as part of the S3P.  

Security is often an afterthought in software development, sometimes even bolted on during deployment or in maintenance through add-on security software and penetrate-and-patch maintenance. We think that security needs to be an integral part of software development and that preventing vulnerabilities by addressing their causes is as important as detecting and fixing them. In this paper we present a method for determining how to prevent vulnerabilities from being introduced during software development. Our method allows developers to select the set of activities that suits them best while being assured that those activities will prevent vulnerabilities. Our method is based on formal modeling of vulnerability causes and is independent of the software development process being used.

When using certain tools to image drives that contain faulty sectors, the tool may fail to acquire a run of sectors even though only one of the sectors is really faulty. This phenomenon, which we have dubbed "contagious errors was reported by James Lyle and Mark Wozar in a recent paper presented at DFRWS 2007 [Lyle, J., Wozar, M. Issues with imaging drives containing faulty sectors. Digital Investigation 2007; 4S: S13-5.]. Their results agree with our own experience from testing disk imaging software as part of our work for the Swedish National Laboratory of Forensic Science. We have explored the issue further, in order to determine the cause of contagious errors and to find ways around the issue. In this paper we present our analysis of the cause of contagious errors as well as several ways practitioners can avoid the problem. In addition we present our insights into the problem of consistently faulty drives in forensic tool testing.

Good tools are critical to successful examination of digital evidence, yet the quality of such tools is very often an unknown. Independent testing is currently the only way to assess the performance and quality of the tools available to digital forensic examiners, and independent testing is critical in order to know whether tools deliver what they promise, and to assess the level of trust one can place in them.   This project has aimed to thoroughly assess the quality of the disk imaging functionality in EnCase 6.8 and LinEn 6.1 under a variety of conditions and with respect to the requirements of Swedish law enforcement. The project has been conducted in four phases: survey, requirements, test planning and testing and analysis.   Details of the project results are published in separate reports related to each phase. The overall conclusions are as follows:

• No independent, public evaluations of EnCase version 6 other than this one exist.
• EnCase 6.8 performs as expected on the Windows platform when using a hardware write blocker. Operation without a write blocker was not assessed, as this was not a requirement. Hidden sectors were, as expected, not acquired.
• LinEn 6.1 performs as expected only when operating in “BIOS mode”, but fails many tests when operating under “direct ATA mode”. Hidden sectors were, as expected, not acquired in “BIOS mode”.

Based on the test results, we conclude that provided the limitation of not acquiring hidden sectors is acceptable, EnCase 6.8 is an adequate tool for imaging ATA drives when using a hardware write blocker, whereas LinEn 6.1 should be avoided if complete and accurate acquisition is a desired.

All the work was conducted by experienced staff in test labs belonging to the Security and Networks group within the Division for Database and Information Techniques (ADIT) at the Department of Computer and Information Science (IDA) at Linköping University under the supervision of Professor Nahid Shahmehri.

Linköping, March 5, 2008

In this paper we present a security plug-in for the OpenUP/Basic development process. Our security plug-in is based on a structured unified process for secure software development, named S3P (sustainable software security process). This process provides the formalism required to identify the causes of vulnerabilities and the mitigation techniques that prevent these vulnerabilities. We also present the results of an expert evaluation of the security plug-in. The lessons learned from development of the plug-in and the results of the evaluation will be used when adapting S3P to other software development processes.

An advanced look at smart technology to promote the independence of the elderly and disabled

Ongoing research and advancements in technology are essential for the continuing independence of elderly and disabled persons. The Engineering Handbook of Smart Technology for Aging, Disability, and Independenceprovides a thorough analysis of these technologies and the needs of the elderly and disabled, including a breakdown of demographics, government spending, growth rate, and much more.

Each chapter is written by an expert in his or her respective field, and gives readers unparalleled insight into the research and developments in a multitude of important areas, including:

• User-need analyses, classifications, and policies
• Assistive devices and systems for people with motor disabilities
• Assistive devices and systems for people with visual and hearing impairments
• Human-machine interaction and virtual reality
• Assistive robotics
• Technology for user mobility and object manipulation
• Smart homes as assistant environments
• A discussion of emerging standards and guidelines to build accessible devices, tools, and environments

This book is an indispensable resource for researchers and professionals in computer science, rehabilitation science, and clinical engineering. It also serves as a valuable textbook for graduate students in the aforementioned fields.

A fragmented JPEG image is currently not possible to reassemble without knowing the ordering of the fragments. This is a problem for the police when they search for illegal digital images. This paper presents a method to reassemble fragmented JPEG images containing restart markers. Empirical evaluations show that it is possible to reassemble images taken from a set containing fragments of several images.

An advanced look at smart technology to promote the independence of the elderly and disabled

Ongoing research and advancements in technology are essential for the continuing independence of elderly and disabled persons. The Engineering Handbook of Smart Technology for Aging, Disability, and Independenceprovides a thorough analysis of these technologies and the needs of the elderly and disabled, including a breakdown of demographics, government spending, growth rate, and much more.

Each chapter is written by an expert in his or her respective field, and gives readers unparalleled insight into the research and developments in a multitude of important areas, including:

• User-need analyses, classifications, and policies
• Assistive devices and systems for people with motor disabilities
• Assistive devices and systems for people with visual and hearing impairments
• Human-machine interaction and virtual reality
• Assistive robotics
• Technology for user mobility and object manipulation
• Smart homes as assistant environments
• A discussion of emerging standards and guidelines to build accessible devices, tools, and environments

This book is an indispensable resource for researchers and professionals in computer science, rehabilitation science, and clinical engineering. It also serves as a valuable textbook for graduate students in the aforementioned fields.

We present a publicly available, OWL-based ontology of information security which models assets, threats, vulnerabilities, countermeasures and their relations. The ontology can be used as a general vocabulary, roadmap, and extensible dictionary of the domain of information security. With its help, users can agree on a common language and definition of terms and relationships. In addition to browsing for information, the ontology is also useful for reasoning about relationships between its entities, for example, threats and countermeasures. The ontology helps answer questions like: Which countermeasures detect or prevent the violation of integrity of data? Which assets are protected by SSH? Which countermeasures thwart buffer overflow attacks? At the moment, the ontology comprises 88 threat classes, 79 asset classes, 133 countermeasure classes and 34 relations between those classes. We provide the means for extending the ontology, and provide examples of the extendibility with the countermeasure classes ‘memory protection’ and ‘source code analysis’. This article describes the content of the ontology as well as its usages, potential for extension, technical implementation and tools for working with it.