Full Program »

Posters and Work in Progress Talks 2

Chair: Kevin Alejandro Roundy, Norton Lifelock

RUSTY: A Fuzzing Tool for Rust

Authors: Mohammadreza Ashouri (Univeristy of Potsdam)

 

Abstract: Rust is a popular system programming language introduced by Mozilla in 2010 that provides strong compile-time correctness and high performance. The language has improved upon the ideas of other system languages, such as C++. For instance, the Rust compiler provides a reliable memory protection mechanism by performing a robust control over the memory life cycle to eradicate common reliability issues (e.g., memory violation and data race) in system programming languages. Consequently, a wide range of programs, such as operating systems (e.g., RustOS), web frameworks (e.g., Rocket), and blockchain clients (e.g., Parity Ethereum Client) have been built in Rust. In this work, we have evaluated the security of the Rust compiler in a real-world situation on a new benchmark suite, including core libraries and popular open-source projects. Our analysis aims to measure the usefulness of the memory model and the safety structure of the Rust memory model in practice. Particularly, we aim to determine the trade-off between high-level safety guarantees and low-level control over the memory model in this compiler. Accordingly, we implemented a scalable concolic fuzzing tool for the Rust compiler, which is called "RUSTY". We have evaluated our approach for 10,693 real-world projects and core libraries written in Rust. As a result, we could successfully identify 19 actual security vulnerabilities in our collected benchmark suite.

---

Security Evaluation of SmartHome Companion Web-based Mobile Apps

Authors: Abhinav Mohanty, Meera Sridhar (University of North Carolina at Charlotte)

 

Abstract: The web-based technology of building mobile apps, where the business code is written using HTML/JS/CSS, provides a quick and easy option to these manufacturers for developing companion apps for the IoT devices. This poster presents security issues affecting companion apps built using web-based app development frameworks, which can be exploited to launch serious cyberattacks against the IoT device or the smartphone itself and compromise user privacy. We present real-world case studies and possible attack scenarios to demonstrate how security issues can be exploited.

 

Integration of DevSecOps, Model Based Engineering and Cybersecurity

Authors: Carol Woody, Nataliya Shevchenko (Software Engineering Institute)

 

Abstract: A major challenge for cybersecurity comes from new technology approaches that focus primarily on the benefits of implementation, rather than on defining the governance and risk management changes necessary to establish and enforce appropriate protections. This is especially important for adoptions that impact critical infrastructure and shared services, such as voting and defense. A group of researchers examined the challenges and effective cybersecurity options for Department of Defense programs delivering cyber-physical systems that are adopting DevSecOps. They found programs are assuming adoption will be like installing a new tool and have not recognized the criticality of their involvement in management and governance that will impact the way they approach software development. There are three key decision areas that those responsible for the governance of the pipeline must consider: What trust relations will be acceptable, and how will they be managed? What flow control and monitoring are in place to establish that the pipeline is working properly? Are these sufficient for the level of cybersecurity required? What compliance mandates are required? How are they addressed by the pipeline? Is this sufficient? In addition, adoption of a software factory approach to system development using a DevSecOps pipeline will require the structuring of two systems: the first is constructing the pipeline and the second is constructing the system using the pipeline. Both will use the pipeline but by different resources for very different purposes. The pipeline administrators will use the pipeline to maintain the pipeline capabilities, and the developers will use the pipeline to build the software products for the system. We found little to help organizations define the scope of management and governance needed to ensure that a pipeline is secure and that it produces products with the appropriate security built in. We see those building the pipeline to be focused on speed of delivery without sufficient rigor for the management to ensure sufficient attention to cybersecurity. Most of the complex cyber-physical systems are using model-based engineering (MBE) to design the various system components and their interactions as well as the external relationships that must be established for mission performance. However, MBE typically is not a tool-of-choice to model development and operations environment. We propose the creation of a DevSecOps pipeline reference architecture based on the model-based engineering methodology for design, customization, deployment, and evaluation of the pipeline. The model will incorporate rigor and provide a set of shared views for all stakeholders to integrate all aspects of DevSecOps consistently. The model will also provide a single authoritative source of truth about the pipeline to support risk, threat and impact analysis as well as evolutionary transformation of the pipeline.

 

---

Mitigating Large-Scale Memory Exploits in IoT Devices using Software Diversity

Authors: Islam Obaidat, Meera Sridhar (University of North Carolina at Charlotte)

 

Abstract: Unlike traditional computing systems (such as desktop computers and servers), Internet of Things (IoT) devices have various constraints, such as low-power and low-cost requirements, which prevent software protections used in traditional systems from being utilized to protect IoT devices. Consequently, IoT devices continue to be susceptible to attacks that compromise their software integrity. In such attacks, attackers typically rely on the ability to predict specific details about the software implementation in the IoT devices to execute arbitrary code in these devices and control them remotely. Eradicating this predictability prevents or restricts what an attacker can do with the predicted knowledge. Software diversity techniques add probabilistic protection to the binary by randomizing its software implementations (i.e., multiple copies of IoT devices with the same functionality would have different instruction sequences in their software implementation). This work develops a software diversification tool that randomizes IoT devices' software implementation at the binary code level. This probabilistic protection implies that a successful attack on an IoT device is not guaranteed to work on multiple IoT devices, preventing mass attacks from being conducted.

 

The Usability of a Debugger Designed for Compartmentalized Systems

Authors: Junyong Zhao (University of Pennsylvania); Henry Zhu (Amazon); Nik Sultana, Boon Thau Loo (University of Pennsylvania)

 

Abstract: Splitting software into small, isolated components called compartments is a well-known security technique. This technique tends to prevent vulnerability in a part of the program from affecting the entire software. However, it is not easy to debug such a system since all the compartments are isolated, may have different privileges, and execute as separated processes. Although there are widely used tools such as GDB, it is not easy to use when dealing with compartmentalized programs. In this poster, we describe a debugger we are developing specifically for compartmentalized systems, and its design considerations for usability. By making compartmentalized systems easier to debug, we hope that this will also make them easier to develop, and contribute towards research and application of software security through compartmentalization.

 

---

A Case Study of Fine-Grained Software Compartmentalization using cURL

Authors: Stephen Carrasquillo, Junyong Zhao (University of Pennsylvania); Henry Zhu (Amazon); Nik Sultana, Boon Tau Loo (University of Pennsylvania)

 

Abstract: Most software applications are designed to compile to a single binary executable that composes various modules to carry out the functions of the program. To improve security, large systems are decomposed into separate systems, running as independent processes that have access to different functions and data, but whose collective execution results in the same behavior as the monolothic program. This is referred to as compartmentalization or partitioning, and it makes it harder to exploit programs. By tailoring the access of compartments, it is easier to ensure that leaks of privileged information leaks are less likely. And it is easier to limit the abilities of an intruder if they exploit a compartment. Despite having these benefits, compartmentalization is not widely-applied to many systems as it is often painful to implement. To understand this better, we compartmentalized cURL, a widely used open-source data transfer utility. While the prototype was successful, there were several key challenges that needed to be overcome. This poster reports on our findings.

 

GitHub Experimentation Framework for Attribution Research

Authors: William La Cholter, Matthew Elder, Timothy Davison, Antonius Stalick (JHU/APL)

 

Abstract: Authorship attribution of malicious software binaries is important for law enforcement and nation state cyber deterrence. Code stylometry research shows promise in controlled experiments but has not been validated as an end-to-end solution to address all of the variability of software in the real-world. Without validation over representative data, approaches to attribution will fail to identify the real authors and may lead to false accusations that could cause legal and human rights harm, especially to open source developers whose code is swept into derivative works. Our research in attribution attempts to address some of these concerns by constructing experiments on software most akin to malware, controlling for version history, operating system, instruction set architecture, functionality, and programming language. In this paper we present work in progress and initial findings.

 

---

Learning and Generating Cyber Attack Netflows Using Generative Adversarial Networks

Authors: Bryan Quinn, Shanchieh Jay Yang, Matthew Wright, Bo Yuan (Rochester Institute of Technology)

 

Abstract: The most commonly cited issues holding back the research community from breakthroughs in applying machine learning techniques to the network-based intrusion detection (NIDS) field is the lack of quality labeled training data, and the data balance problem. This work investigates the use of Generative Adversarial Networks (GANs) to learn and generate netflows that resemble cyber attacks made available in open datasets. Specifically, we report the current work in progress on learning from the SSH-Bruteforce attack in CSE-CIC-IDS2018. The generated data can allow researchers to create more malicious examples needed to balance the training set against the benign samples. While still in the early stages of this work, we show that a GAN model can be trained to produce malicious SSH data samples that closely mirrors the feature distribution of the original data. Two metrics, GAN-test and GAN-train, are also used to analyze the validity of the generated data.

 

HIJaX: Human Intent JavaScript XSS Generator

Authors: Yaw Frempong, Yates Snyder, Erfan Al-Hossami, Meera Sridhar, Samira Shaikh (University of North Carolina at Charlotte)

 

Abstract: We present HIJaX, a novel Natural Language-to-JavaScript generator and syntax validation prototype, that creates workable XSS exploit code from English sentences. New research is needed to preemptively secure applications with the use of Automated Exploit Generation (AEG), whereby probing and patching of system vulnerabilities occurs autonomously. We frame our approach to exploit generation by identifying potentially targeted websites with natural language tools and auto-generating XSS exploits to test website vulnerabilities. We train and test the HIJaX model with a variety of datasets containing benign and malicious intents along with differing numbers of baseline code entries to demonstrate how to best create datasets for XSS code generation. We also examine Part-of-Speech tagging algorithms and automated dataset expansion scripts to aid the dataset creation and HIJaX model code generation processes. Finally, we demonstrate the feasibility of deploying natural language based auto-generated XSS scripts against multiple websites.

 

---

Guide Me to Exploit: Assisted ROP Exploit Generation for ActionScript Virtual Machine

Authors: Fadi Yilmaz, Meera sridhar (University of North Carolina at Charlotte); Wontae Choi (unaffiliated)

 

Abstract: Determining exploitability of a given vulnerability, or exploit generation for that vulnerability, has historically been a labor-intensive manual process requiring deep security knowledge. However, with the recent advances in fuzz testing and symbolic execution, several approaches for automatically generating exploits have been proposed. These approaches, collectively known as the field of automatic exploit generation (AEG), (such as AEG for return-oriented programming, or control-flow hijacking) are critical for auditing software security, and attack prevention. AEG implementations are usually driven by one of two engines: a fuzzer and a symbolic execution tool. The fuzzer helps explore the input-space by monitoring the execution of randomly generated inputs, and the symbolic execution tool helps explore the execution-path-space by symbolically executing every execution path. However, both approaches have their own limitations in the space of AEG for language virtual machines (VM). Typical fuzz testing approaches do not scale well for applications taking as input other computer programs, such as language VMs. They do not efficiently generate inputs for such applications. AEG implementations for language VMs also cannot utilize a typical symbolic execution tool due to its limitations. Symbolically executing a language VM raises the path-explosion problem in the early stage of the AEG process. For example, the VM produces an execution branch for every instruction it can read during the parsing phase to obtain the sequence of instructions to be executed.