Finding Security Vulnerabilities Research Articles

BertRLFuzzer: A BERT and Reinforcement Learning Based Fuzzer (Student Abstract)

We present a novel tool BertRLFuzzer, a BERT and Reinforcement Learning (RL) based fuzzer aimed at finding security vulnerabilities for Web applications. BertRLFuzzer works as follows: given a set of seed inputs, the fuzzer performs grammar-adhering and attack-provoking mutation operations on them to generate candidate attack vectors. The key insight of BertRLFuzzer is the use of RL with a BERT model as an agent to guide the fuzzer to efficiently learn grammar-adhering and attack-provoking mutation operators. In order to establish the efficacy of BertRLFuzzer we compare it against a total of 13 black box and white box fuzzers over a benchmark of 9 victim websites with over 16K LOC. We observed a significant improvement, relative to the nearest competing tool in terms of time to first attack (54% less), new vulnerabilities found (17 new vulnerabilities), and attack rate (4.4% more attack vectors generated).

A Proposed Framework of Vulnerability Assessment and Penetration Testing (VAPT) in Cloud Computing Environments from Penetration Tester Perspective

Penetration testing is a process that focuses on finding security vulnerabilities in a target environment that could let an attacker penetrate the network or computer system or steal information. Due to the COVID-19 endemic, most employees still implement working from home or a hybrid approach, even though the number of new cases of COVID-19 is decreasing. However, working from home depends mainly on cloud computing applications that help employees efficiently accomplish their daily work. This situation also increased the number of data generated from various sources, so they may be exposed to different security risks. This research will propose a framework to conduct vulnerability assessment and penetration testing (VAPT) in cloud service models such as SaaS, PaaS, and IaaS from the perspective of penetration testers. This proposed framework is developed through the integration and mapping of existing frameworks and guidelines to conduct VAPT on testing components such as web applications, APIs, network testing, etc. In this proposed framework, the method of conducting VAPT for each cloud service model will be discussed in detail, from the planning and reconnaissance stage until the report is delivered to the cloud subscriber or cloud provider. An advantage of this proposed framework for the penetration tester is that there is still a lack of methods or guidelines for conducting VAPT that cover all the cloud service models in one comprehensive document

Automated Extension-Based Penetration Testing for Web Vulnerabilities

Depending on manual solutions for finding security vulnerabilities in web applications is time-consuming, error-prone, and requires high levels of expertise. This paper proposes a model for an automated extension-based penetration testing for web vulnerabilities that is compatible with any web application. It consists of three stages that start with information gathering, followed by a vulnerability assessment process to test for exploit. The results are then automatically generated as a report at the conclusion. To examine the model, a tool is developed based on the suggested model. Results demonstrate that the proposed technique has effectively and promptly identified application’s vulnerabilities.

A qualitative study of penetration testers and what they can tell us about information security in organisations

PurposeThis paper presents a qualitative study of penetration testing, the practice of attacking information systems to find security vulnerabilities and fixing them. The purpose of this paper is to understand whether and to what extent penetration testing can reveal various socio-organisational factors of information security in organisations. In doing so, the paper innovates theory by using Routine Activity Theory together with phenomenology of information systems concepts.Design/methodology/approachThe articulation of Routine Activity Theory and phenomenology emerged inductively from the data analysis. The data consists of 24 qualitative interviews conducted with penetration testers, analysed with thematic analysis.FindingsThe starting assumption is that penetration testers are akin to offenders in a crime situation, dealing with targets and the absence of capable guardians. A key finding is that penetration testers described their targets as an installed base, highlighting how vulnerabilities, which make a target suitable, often emerge from properties of the existing built digital environments. This includes systems that are forgotten or lack ongoing maintenance. Moreover, penetration testers highlighted that although the testing is often predicated on planned methodologies, often they resort to serendipitous practices such as improvisation.Originality/valueThis paper contributes to theory, showing how Routine Activity Theory and phenomenological concepts can work together in the study of socio-organisational factors of information security. This contribution stems from considering that much research on information security focuses on the internal actions of organisations. The study of penetration testing as a proxy of real attacks allows novel insights into socio-organisational factors of information security in organisations.

Industrial Experience of Finding Cryptographic Vulnerabilities in Large-scale Codebases

Enterprise environment often screens large-scale (millions of lines of code) codebases with static analysis tools to find bugs and vulnerabilities. Parfait is a static code analysis tool used in Oracle to find security vulnerabilities in industrial codebases. Recently, many studies show that there are complicated cryptographic vulnerabilities caused by misusing cryptographic APIs in Java TM 1 In this paper, we describe how we realize a precise and scalable detection of these complicated cryptographic vulnerabilities based on Parfait framework. The key challenge in the detection of cryptographic vulnerabilities is the high false alarm rate caused by pseudo-influences. Pseudo-influences happen if security-irrelevant constants are used in constructing security-critical values. Static analysis is usually unable to distinguish them from hard-coded constants that expose sensitive information. We tackle this problem by specializing the backward dataflow analysis used in Parfait with refinement insights, an idea from the tool CryptoGuard [ 20 ]. We evaluate our analyzer on a comprehensive Java cryptographic vulnerability benchmark and eleven large real-world applications. The results show that the Parfait-based cryptographic vulnerability detector can find real-world cryptographic vulnerabilities in large-scale codebases with high true-positive rates and low runtime cost.

Analysis of Cross Site Request Forgery (CSRF) Attacks on West Lampung Regency Websites Using OWASP ZAP Tools

Technological developments in the field of increasingly advanced computers and networks have caused many organizations to use web applications to provide business services. With the increasing popularity of the internet, the number of cyber-attacks has also increased. To overcome these negative impacts, the role of network security is very necessary. The Cross Site Request Forgery (CSRF) method is a penetration technique aimed at exploiting website security vulnerabilities and there is one tool commonly used to find security vulnerabilities on websites, namely OWASP ZAP. The research has succeeded in proving security vulnerabilities on the website of the West Lampung district by conducting attack simulations. From the results of the experiment, it was found that there were 12 alerts with low risk on the website of West Lampung Regency. In 12 alerts there are 53 URL pages that are vulnerable to attack.

Wasmati: An efficient static vulnerability scanner for WebAssembly

WebAssembly is a new binary instruction format that allows targeted compiled code written in high-level languages to be executed with near-native speed by the browser’s JavaScript engine. However, given that WebAssembly binaries can be compiled from unsafe languages like C/C++, classical code vulnerabilities such as buffer overflows or format strings can be transferred over from the original programs down to the cross-compiled binaries. As a result, this possibility of incorporating vulnerabilities in WebAssembly modules has widened the attack surface of modern web applications. This paper presents Wasmati, a static analysis tool for finding security vulnerabilities in WebAssembly binaries. It is based on the generation of a code property graph (CPG), a program representation previously adopted for detecting vulnerabilities in various languages but hitherto unapplied to WebAssembly. We formalize the definition of CPG for WebAssembly, introduce techniques to generate CPG for complex WebAssembly, and present four different query specification languages for finding vulnerabilities by traversing a program’s CPG. We implemented ten queries capturing different vulnerability types and extensively tested Wasmati on four heterogeneous datasets. We show that Wasmati can scale the generation of CPGs for large real-world applications and can efficiently find vulnerabilities for all our query types. We have also tested our tool on WebAssembly binaries collected in the wild and identified several potential vulnerabilities, some of which we have manually confirmed to exist unless the enclosing application properly sanitizes the interaction with such affected binaries.

ETHICAL HACKING AND CYBER SECURITY IN NIGERIAN TELECOMMUNICATION INDUSTRY

The issue of cyber security is one that has been discussed by many people in various perspectives, most coming at it from different sides than the others. Cyber-crimes have gone beyond conventional crimes and now have threatening ramifications to the national security of all countries, even to technologically developed countries as the United States. The illegal act may be targeted at a computer network or devices e.g., computer virus, denial of service attacks (DOS), malware (malicious code). However, ethical hacking has been used by various telecommunication companies to cover the loophole and this study is identifying the problems and providing an overview on the issues and the solutions. Cybersecurity through ethical hacking plays an important role in the ongoing development of telecommunication industry, as well as Internet services. Enhancing Cybersecurity and protecting critical information infrastructures are essential to each nation’s security and economic well-being (Odinma, 2013). Making the Internet safer (and protecting Internet users) has become integral to the development of new services as well as government policy. An ethical hacker is a computer and networking expert who systematically attempts to penetrate a computer system or telecommunication network on behalf of its owners for the purpose of finding security vulnerabilities that a malicious hacker could potentially exploit (Okonigene & Adekanle, 20016). Ethical hackers use the same methods and techniques to test and bypass a system's defenses as their less-principled counterparts, but rather than taking advantage of any vulnerabilities found, they document them and provide actionable advice on how to fix them so the organization can improve its overall security (Laura, 2015). The purpose of ethical hacking is to evaluate the security of a network or system's infrastructure. It entails finding and attempting to exploit any vulnerabilities to determine whether unauthorized access or other malicious activities are possible. Vulnerabilities tend to be found in poor or improper system configuration, known and unknown hardware or software flaws, and operational weaknesses in process or technical countermeasures. One of the recent examples of ethical hacking occurred in the 2010, when the United States government used groups of experts called "red teams" to hack its own computer systems (Laura, 2015). It has become a sizable sub-industry within the information security market and has expanded to also cover the physical and human elements of an organization's defenses. A successful test doesn't necessarily mean a network or system is 100% secure, but it should be able to withstand automated attacks and unskilled hackers. The exceptional outbreak of cyber-crime in Nigeria in recent times was quite alarming, and the negative impact on the socio-economy of the country is highly disturbing. Over the past twenty years, immoral cyberspace users have continued to use the internet to commit crimes; this has evoked mixed feelings of admiration and fear in the general populace along with a growing unease about the state of cyber and personal security (Oliver, 2010). This phenomenon has seen sophisticated and extraordinary increase recently and has called for quick response in providing laws that would protect the cyber space and its users. Nigerian cyber criminals are daily devising new ways of perpetrating this form of crime and the existing methods of tracking these criminals are no longer suitable for dealing with their new tricks (Adebusuyi, 2018). The victims as well, show increasing naivety and gullibility at the prospects incited by these fraudsters. This paper seeks to give an overview of ethical hacking and cyber-security in Nigerian telecommunication industry, outline some challenges and proffer solutions. KEYWORDS: CYBERSECURITY, ETHICAL HACKING, TELECOMMUNICATION, CHALLENGES, INFRASTRUCTURES, VULNERABILITIES.

Paul Butcher on Fuzz Testing

Paul Butcher, senior software engineer, AdaCore, and lead U.K. engineer for the company’s High-Integrity, Complex, Large Software and Electronic Systems initiative, discusses fuzz testing, an automated technique to find security vulnerabilities and other software flaws. Host Philip Winston speaks with Butcher about positive and negative testing, how fuzz testing fits into software development, brute force and blunt force fuzz testing, the American Fuzzy Lop fuzzer from Google, and how fuzz testing works for Ada. We provide summary excerpts below; to hear the full interview, visit http://www.se-radio.net or access our archives via RSS at http://feeds.feedburner.com/se-radio.—Robert Blumen

Protocol fuzzing to find security vulnerabilities of RabbitMQ

SummaryA message broker is widely used to enable applications, systems, and services to communicate with each other. One of the widely used message brokers is RabbitMQ that provides various functions and stability. However, as presented in this paper, RabbitMQ is vulnerable. In this paper, we present how RabbitMQ is exploited by protocol fuzzing, which is a common way to find unknown vulnerabilities inherent in software. We describe our protocol fuzzing procedures in detail and present conducted results.

Web Security Aware by using Naive Baye’s ML Technique

Web applications support many of our daily activities, but they often have security issues, and their accessibility makes them easy to use. This paper presents an analysis for finding vulnerabilities that directly address weak or absent of input validation. We present the techniques for finding security vulnerabilities in Web applications. We implement our proposed system with a machine learning technique (ML technique) to measure the accuracy and provide an extensive evaluation that finds all vulnerabilities in web applications. SQL injection, Cross-Site Scripting (XSS), HTTP and command inj1ection vulnerabilities are addressed in the proposed system and also Naive Bayes ML technique is used to calculate the accurateness. The experimental result shows the technique is more efficient and accurate.

Fuzzing

Reviewing software testing techniques for finding security vulnerabilities.

FuzzFactory: domain-specific fuzzing with waypoints

Coverage-guided fuzz testing has gained prominence as a highly effective method of finding security vulnerabilities such as buffer overflows in programs that parse binary data. Recently, researchers have introduced various specializations to the coverage-guided fuzzing algorithm for different domain-specific testing goals, such as finding performance bottlenecks, generating valid inputs, handling magic-byte comparisons, etc. Each such solution can require non-trivial implementation effort and produces a distinct variant of a fuzzing tool. We observe that many of these domain-specific solutions follow a common solution pattern. In this paper, we present FuzzFactory, a framework for developing domain-specific fuzzing applications without requiring changes to mutation and search heuristics. FuzzFactory allows users to specify the collection of dynamic domain-specific feedback during test execution, as well as how such feedback should be aggregated. FuzzFactory uses this information to selectively save intermediate inputs, called waypoints, to augment coverage-guided fuzzing. Such waypoints always make progress towards domain-specific multi-dimensional objectives. We instantiate six domain-specific fuzzing applications using FuzzFactory: three re-implementations of prior work and three novel solutions, and evaluate their effectiveness on benchmarks from Google's fuzzer test suite. We also show how multiple domains can be composed to perform better than the sum of their parts. For example, we combine domain-specific feedback about strict equality comparisons and dynamic memory allocations, to enable the automatic generation of LZ4 bombs and PNG bombs.

An empirical study of security warnings from static application security testing tools

The Open Web Application Security Project (OWASP) defines Static Application Security Testing (SAST) tools as those that can help find security vulnerabilities in the source code or compiled code of software. Such tools detect and classify the vulnerability warnings into one of many types (e.g., input validation and representation). It is well known that these tools produce high numbers of false positive warnings. However, what is not known is if specific types of warnings have a higher predisposition to be false positives or not. Therefore, our goal is to investigate the different types of SAST-produced warnings and their evolution over time to determine if one type of warning is more likely to have false positives than others. To achieve our goal, we carry out a large empirical study where we examine 116 large and popular C++ projects using six different state-of-the-art open source and commercial SAST tools that detect security vulnerabilities. In order to track a piece of code that has been tagged with a warning, we use a new state of the art framework called cregit+ that traces source code lines across different commits. The results demonstrate the potential of using SAST tools as an assessment tool to measure the quality of a product and the possible risks without manually reviewing the warnings. In addition, this work shows that pattern-matching static analysis technique is a very powerful method when combined with other advanced analysis methods.

Jitana: A modern hybrid program analysis framework for android platforms

Abstract Security vetting of Android apps is often performed under tight time constraints (e.g., a few minutes). As such, vetting activities must be performed “at speed”, when an app is submitted for distribution or a device is analyzed for malware. Existing static and dynamic program analysis approaches are not feasible for use in security analysis tools because they require a much longer time to operate than security analysts can afford. There are two factors that limit the performance and efficiency of current analysis approaches. First, existing approaches analyze only one app at a time. Finding security vulnerabilities in collaborative environments such as Android, however, requires collaborating apps to be analyzed simultaneously. Thus, existing approaches are not adequate when applied in this context. Second, existing static program analysis approaches tend to operate in a “closed world” fashion; therefore, they are not easily integrated with dynamic analysis processes to efficiently produce hybrid analysis results within a given time constraint. In this work, we introduce Jitana , an efficient and scalable hybrid program analysis framework for Android. Jitana has been designed from the ground up to be used as a building block to construct efficient and scalable program analysis techniques. Jitana also operates in an open world fashion, so malicious code detected as part of dynamic analysis can be quickly analyzed and the analysis results can be seamlessly integrated with the original static analysis results. To illustrate Jitana ’s capability, we used it to analyze a large collection of apps simultaneously to identify potential collaborations among apps. We have also constructed several analysis techniques on top of Jitana and we use these to perform security vetting under four realistic scenarios. The results indicate that Jitana is scalable and robust; it can effectively and efficiently analyze complex apps including Facebook, Pokemon Go, and Pandora that the state-of-the-art approach cannot handle. In addition, we constructed a visualization engine as a plugin for Jitana to provide real-time feedback on code coverage to help analysts assess their vetting efforts. Such feedback can lead analysts to hard to reach code segments that may need further analysis. Finally we illustrate the effectiveness of Jitana in detecting and analyzing dynamically loaded code.

A machine learning attack against variable-length Chinese character CAPTCHAs

CAPTCHA (Completely Automated Public Turing test to tell Computer and Human Apart) is widely used as a standard security mechanism to protect resources on websites. Among various kinds of CAPTCHAs, the text-based CAPTCHA is the most popular scheme, which consists of English letters, Arabic digits and other character sets, such as Chinese characters. Due to the large quantity of Chinese characters and complicated character structure, it is difficult for bots to crack Chinese character CAPTCHAs. Thus, Chinese character CAPTCHAs have been widely applied in China. Nevertheless, effective offensive approaches are necessary to help CAPTCHA designers find security vulnerabilities to improve defense mechanisms. To deal with variable-length Chinese character CAPTCHAs with noises, an automatic attacking approach is proposed, which includes preprocessing, character segmentation and character recognition. For character recognition, two methods are proposed: MGLCR (Multi-scale Gabor and Logistic regression based CAPTCHA Recognition) and CCR (Convolutional neural network based CAPTCHA Recognition). MGLCR extracts features by multi-scale Gabor filters and classifies characters with logistic regression. CCR extracts features and recognize characters automatically with CNN (Convolutional Neural Network). Experimental results show that the proposed approaches are efficient in attacking variable-length Chinese character CAPTCHAs with noises. The pros and cons of proposed MGLCR and CCR methods are discussed, which outperform state-of-the-art methods. Besides, the proposed methods could achieve satisfactory results in breaking the mixed character CAPTCHAs which consist of English letters, Arabic digits, Chinese characters and mathematical operators.

MQTT Security: A Novel Fuzzing Approach

The Internet of Things is a concept that is increasingly present in our lives. The emergence of intelligent devices has led to a paradigm shift in the way technology interacts with the environment, leading society to a smarter planet. Consequently, new advanced telemetry approaches appear to connect all kinds of devices with each other, with companies, or with other networks, such as the Internet. On the road to an increasingly interconnected world, where critical devices rely on communication networks to provide an essential service, there arises the need to ensure the security and reliability of these protocols and applications. In this paper, we discuss a security‐based approach for MQTT (Message Queue Telemetry Transport), which stands out as a very lightweight and widely used messaging and information exchange protocol for IoT (Internet of Things) devices throughout the world. To that end, we propose the creation of a framework that allows for performing a novel, template‐based fuzzing technique on the MQTT protocol. The first experimental results showed that performance of the fuzzing technique presented here makes it a good candidate for use in network architectures with low processing power sensors, such as Smart Cities. In addition, the use of this fuzzer in widely used applications that implement MQTT has led to the discovery of several new security flaws not hitherto reported, demonstrating its usefulness as a tool for finding security vulnerabilities.

정적 분석 툴을 이용한 비용 기반의 취약점 처리 방안

소프트웨어 개발 시 보안을 고려한 개발방법의 적용은 추가비용을 발생시키고, 이러한 추가 비용은 많은 개발조직에서 보안을 고려하지 못하는 원인이 된다. 보안을 고려한 개발을 진행 하더라도, 주어진 비용 내에서 처리할 수 있는 취약점 처리량을 산출하는 방법이 부족한 실정이다. 본 논문에서는 보안 취약점 처리 비용을 효율적으로 사용하여 취약점 처리량을 산출하는 방법을 제안한다. 제안한 방법에서는 소프트웨어 개발단계 중 구현 단계에 중점을 두고, 정적 분석 툴을 활용하여 CWE TOP25에 대한 보안 취약점을 찾아낸다. 찾아진 취약점은 CWE의 정보를 활용하여, 각 취약점의 위험도, 처리 비용, 비용 당 위험도를 정의하고, 처리 우선순위를 정의한다. 정의된 우선순위를 통하여 탐지된 취약점 처리에 소모되는 비용을 산출하고, 투입 비용 내에서 취약점 처리량을 제어한다. 본 방법을 적용하면, 투입 비용 내에서 최대의 취약점의 위험도를 처리할 수 있을 것으로 기대된다. When, Software is developed, Applying development methods considering security, it is generated the problem of additional cost. These additional costs are caused not consider security in many developing organization. Even though, proceeding the developments, considering security, lack of ways to get the cost of handling the vulnerability throughput within the given cost. In this paper, propose a method for calculating the vulnerability throughput for using a security vulnerability processed cost-effectively. In the proposed method focuses on the implementation phase of the software development phase, leveraging static analysis tools to find security vulnerabilities in CWE TOP25. The found vulnerabilities are define risk, transaction costs, risk costs and defines the processing priority. utilizing the information in the CWE, Calculating a consumed cost in a detected vulnerability processed through a defined priority, and controls the vulnerability throughput in the input cost. When applying the method, it is expected to handle the maximum risk of vulnerability in the input cost.

Irresponsible Disclosure: Google's Project Zero Deadline Game

Responsible disclosure policies govern the release of vulnerabilities to the public after giving a software vendor time to fix them. They were designed as an alternative to full disclosure, which embraced the idea that the only way to have vulnerabilities repaired by software companies was to immediately release them to the public. The debate between responsible disclosure and full disclosure has evolved alongside the growing awareness that vulnerabilities in software can create risks not just for the operator of that particular computer, but for the Internet at large. Markets for the purchase for zero day bugs have led some developers to sidestep the idea of disclosure and try to profit off vulnerabilities they discover. This has led many companies to now have bug bounties, where they pay developers who find security vulnerabilities in their software. Bug bounty programs are designed to encourage ethical hackers to disclose vulnerabilities to the software companies that can patch them, rather than allowing them to remain unpatched in the wild.Google went beyond just paying for vulnerabilities in their own software and launched Project Zero to actively look for vulnerabilities in code developed by other groups. By seeking out issues in the software created by their competitors, Google has taken an aggressive stance for user safety on the Internet. This paper explores the legal implications of the announcement by Google's Project Zero of unpatched bugs in Microsoft software, weighing the consumer benefits of security research and hard deadlines for disclosure against the risk of unpatched bugs in the wild.

Herramienta para la Detección de Vulnerabilidades basada en la Identificación de Servicios

The main objective of this work was the design of a new approach for discovering and assessing vulnerabilities in network services through banner grabbing. This approach consists of identifying the services that are active in a network system to then find security vulnerabilities of such systems in the National Vulnerability Database. A tool called UdeCEscaner was implemented and some laboratories were selected for testing. The results show that this approach can effectively detect vulnerabilities in network services. It is concluded that the proposed approach helps managers of information and communication technology administrators to better understand the risks to which they are exposed to facilitate mitigation actions of security vulnerabilities.