Software Integrity Research Articles

WEBSITE SECURITY ANALYSIS CURUG VILLAGE GOVERNMENT USING OPEN WEB APPLICATION SECURITY PROJECT (OWASP)

Cybersecurity has become a crucial issue in the current digital era, especially for government websites that are often targeted by attacks. According to the National Cyber and Crypto Agency (BSSN), government websites are vulnerable to hacking. This study aims to analyze the security of the Curug Village Government website using the Open Web Application Security Project (OWASP). The analysis was conducted on the ten main categories of web application security vulnerabilities listed in OWASP Top 10 2021, including Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable and Outdated Components, Identification and Authentication Failures, Software and Data Integrity Failures, Security Logging and Monitoring Failures, and Server-side Request Forgery. The results of the testing showed that 4 out of 8 vulnerabilities fall into the OWASP TOP 10 for 2021, particularly in the categories of Injection and Security Misconfiguration. Recommendations for improvements are provided based on these findings, which are expected to help the Curug Village Government strengthen their cybersecurity.

Toward Remotely Verifiable Software Integrity in Resource-Constrained IoT Devices

Toward Remotely Verifiable Software Integrity in Resource-Constrained IoT Devices

Penetration Testing Tangerang City Web Application With Implementing OWASP Top 10 Web Security Risks Framework

The speed of technological development has made it possible for all people to be connected to one another. The creation of web-based information systems that help in all areas, including government, health, and education, is one of the forces behind the development of technology. With these technological advancements, websites are susceptible to cybercrimes that could end in the theft of crucial data. Top 10 Web Application Security Risks is the most effective prevention process for decrease company information leaks. On the website tangerangkota.go.id, the researcher will conduct a test using the Top 10 Web Application Security Risks technique. Top 10 Web Application Security Risks consist of Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable and Outdated Components, Identification and Authentication Failures, Software and Data Integrity Failures, Security Logging and Monitoring Failures, Server-Side Request Forgery. The penetration testing results found on the Tangerang City website which are 4 injections, 2 broken access controls, 1 security misconfiguration.

A Review on Software Quality Forensics: Techniques, Challenges, and Limitations

Software quality forensics plays a vibrant role related to software quality, security, and integrity. The paper aims to derive a software quality forensics model through existing software quality models and their factors. The papers explore quality models, factors, approaches, tools, techniques, and standards regarding software quality investigation and confine the research area for software quality integrity breach forensics. The explore the deviations of quality attributes, standards, factors, and artifacts, it leads to further investigation of root-cause followed by digital evidence procedure for alleged software quality issues. Therefore, there is a need for a software quality forensics model and dedicated standards to fulfill the digital evidence procedure validation, satisfiable, and prosecution in the court of law in the context of alleged or illegal activity investigation quality of software. The paper has derived the techniques, challenges, and limitations of software quality forensics based on the review of research questions.

Radiation exposure determination in a secure, cloud-based online environment.

Rapid sample processing and interpretation of estimated exposures will be critical for triaging exposed individuals after a major radiation incident. The dicentric chromosome (DC) assay assesses absorbed radiation using metaphase cells from blood. The Automated Dicentric Chromosome Identifier and Dose Estimator System (ADCI) identifies DCs and determines radiation doses. This study aimed to broaden accessibility and speed of this system, while protecting data and software integrity. ADCI Online is a secure web-streaming platform accessible worldwide from local servers. Cloud-based systems containing data and software are separated until they are linked for radiation exposure estimation. Dose estimates are identical to ADCI on dedicated computer hardware. Image processing and selection, calibration curve generation, and dose estimation of 9 test samples completed in<2days. ADCI Online has the capacity to alleviate analytic bottlenecks in intermediate-to-large radiation incidents. Multiple cloned software instances configured on different cloud environments accelerated dose estimation to within clinically relevant time frames.

Fortified-Grid: Fortifying Smart Grids through the Integration of the Trusted Platform Module in Internet of Things Devices

This paper presents a hardware-assisted security primitive that integrates the Trusted Platform Module (TPM) into IoT devices for authentication in smart grids. Data and device security plays a pivotal role in smart grids since they are vulnerable to various attacks that could risk grid failure. The proposed Fortified-Grid security primitive provides an innovative solution, leveraging the TPM for attestation coupled with standard X.509 certificates. This methodology serves a dual purpose, ensuring the authenticity of IoT devices and upholding software integrity, an indispensable foundation for any resilient smart grid security system. TPM is a hardware security module that can generate keys and store them with encryption so they cannot be compromised. Formal security verification has been performed using the random or real Oracle (ROR) model and widely accepted AVISPA simulation tool, while informal security verification uses the DY and CK adversary model. Fortified-Grid helps to validate the attested state of IoT devices with a minimal network overhead of 1984 bits.

PROVE: Provable remote attestation for public verifiability

The expanding attack surface of Internet of Things (IoT) systems calls for innovative security approaches to verify the reliability of IoT devices. To this end, Remote Attestation (RA) serves as a key mechanism that remotely detects the presence of malware in IoT devices. Typically, RA allows a centralized trusted Verifier to retrieve reliable evidence about the software integrity of an untrusted Prover. Existing RA schemes generally rely on the assumption that the Verifier and the Prover know each other and have pre-shared cryptographic keys during the bootstrap phase. However, these assumptions are not realistic to employ over commonly used event-driven IoT networks, in which the interacting parties do not know each other and do not communicate directly.This paper proposes PROVE, a novel protocol that allows many Verifiers to attest one or more Provers without pre-shared key material and without using public-key cryptography which is often not suitable for resource-constraint IoT devices. In particular, PROVE considers a realistic IoT system where devices adopt the publish/subscribe communication paradigm. In PROVE, the subscribers act as untrusted Verifiers and attest not only the firmware integrity of the publishers that act as untrusted Provers but also the authenticity of the received data originated from these publishers. We simulate PROVE on the Contiki emulator and demonstrate the scalability of the solution. We also validate PROVE through two hardware proof-of-concept implementations: PROVE and PROVE+, which rely on different cryptographic cores. The results show that a complete execution of the protocol takes 4605 ns and 324 ns for PROVE and PROVE+, respectively.

A Software-Based Remote Attestation Scheme for Internet of Things Devices

With the rapid development of intelligent applications, many Internet of Things (IoT) devices are deployed in various application scenarios, playing an extremely important role. Remote attestation is an important method to ensure the software integrity of these devices and protect them from several attacks. Due to the lack of security hardware and no support of hardware extensions for Class-1 IoT devices, it is particularly important to design a suitable remote attestation scheme for these devices. In this paper, we first propose the delayed observation mechanism to alleviate the problem that the software-based remote attestation scheme is not suitable for wireless networks. At the same time, we propose a "filling memory at attestation-time" mechanism, which solves the problem that attackers hide malicious code through return-oriented programming. Finally, we introduce a reputation mechanism to assist our attestation, and adopt the principle of "making higher-performance verification nodes take on more work" to greatly reduce the time-consuming attestation. We analyze the security of the scheme and implement it on a UNO-R3 development board to prove its practicability and effectiveness. Compared with traditional software-based attestation schemes, our scheme can reduce the attestation time and resist proxy attacks.

Design and Programming for Multicore machines: An Empirical study on time and effort required by programmer

As the demand for high-performance computing continues to surge, harnessing the full potential of multicore architectures has become paramount. This paper explores a pragmatic approach to transition from sequential to parallel programming, capitalizing on the computational prowess of modern hardware systems. Recognizing the challenges of enforcing parallelism in early software development phases, we advocate for a focus on the implementation stage, where architects, designers, and developers can seamlessly introduce parallel constructs while preserving software integrity. To facilitate this paradigm shift, we introduce the “SDLC model with Parallel Constructs,” a modified Software Development Life Cycle (SDLC) framework comprising additional phases: “Parallel Constructs” and “Test Parallel Constructs.” This model empowers development teams to integrate parallel computing efficiently, enhancing performance and maintaining a structured development process. Our observations reveal intriguing dynamics. Initially, the single-threaded program outperforms its parallel counterpart for smaller datasets, but as data sizes grow, the parallel version demonstrates superior performance. We underscore the pivotal role of available CPU cores and task partitioning in determining efficiency. Our analysis also evaluates the programmer’s effort, measured by lines of code, needed for the transition. Leveraging OpenMP constructs streamlines this transition, reducing programming complexity.

Mitigating Software Integrity Attacks With Trusted Computing in a Time Distribution Network

Time Distribution Networks (TDNs) evolve as new technologies occur to ensure more accurate, reliable, and secure timing information. These networks typically exploit several distributed time servers, organized in a master-slave architecture, that communicate via dedicated timing protocols. From the security perspective, timing data must be protected since its modification or filtering can lead to grave consequences in different time-based contexts, such as health, energy, finance, or transportation. Thus, adequate countermeasures must be employed in all the stages and systems handling timing data from its calculation until it reaches the final users. We consider a TDN offering highly accurate (nanosecond level) time synchronization through specific time unit devices that exploit terrestrial atomic or rubidium clocks and Global Navigation Satellite Systems (GNSS) receivers. Such devices are appealing targets for attackers, who might exploit various attack vectors to compromise their functionality. We individuate three possible software integrity attacks against time devices, and we propose a solution to counter them by exploiting the cryptographic Trusted Platform Module (TPM), defined and supported by the Trusted Computing Group. We used remote attestation software for cloud environments, namely the Keylime framework, to verify (periodically) the software daemons running on the time devices (or their configuration) from a trusted node. Experiments performed on a dedicated testbed set up in the ROOT project with customized time unit devices from Seven Solutions (currently Orolia Spain) allow us to demonstrate that exploiting TPMs and remote attestation in the TDNs is not only helpful but is fundamental for discovering some attacks that would remain otherwise undetected. Our work helps thus TDN operators build more robust, accurate, and secure time synchronization services.

Four Generations of Quality: software and data integrity—an essential partnership?

The latest in this series of “Four Generations of Quality” considers the essential component that controls our modern instrument systems and the associated concept of data integrity that is fundamental to the quality of the data being generated.

Methods for Protecting Control Commands in the Instrumental Environment for Automated Process Control Systems

The paper discusses methods that ensure the execution of only correct and legal control commands in the process control system. Protection of the integrity of the APCS software at all nodes of the industrial network, including protection against unauthorized substitution, is carried out by checking the control parameters of the software during their startup. Protection of control commands from distortions during transmission over the network is realized by double coding at different levels of the system. Protection against the submission of unauthorized control commands to technological equipment is carried out by recognizing these commands in the lower-level subsystem and comparing their current characteristics with the control ones.A certain contribution to the safety of the process control system is made by the use of a secure execution environment – OS CentOS 7.

Deep Learning Empowered Cybersecurity Spam Bot Detection for Online Social Networks

Cybersecurity encompasses various elements such as strategies, policies, processes, and techniques to accomplish availability, confidentiality, and integrity of resource processing, network, software, and data from attacks. In this scenario, the rising popularity of Online Social Networks (OSN) is under threat from spammers for which effective spam bot detection approaches should be developed. Earlier studies have developed different approaches for the detection of spam bots in OSN. But those techniques primarily concentrated on hand-crafted features to capture the features of malicious users while the application of Deep Learning (DL) models needs to be explored. With this motivation, the current research article proposes a Spam Bot Detection technique using Hybrid DL model abbreviated as SBD-HDL. The proposed SBD-HDL technique focuses on the detection of spam bots that exist in OSNs. The technique has different stages of operations such as pre-processing, classification, and parameter optimization. Besides, SBD-HDL technique hybridizes Graph Convolutional Network (GCN) with Recurrent Neural Network (RNN) model for spam bot classification process. In order to enhance the detection performance of GCN-RNN model, hyperparameters are tuned using Lion Optimization Algorithm (LOA). Both hybridization of GCN-RNN and LOA-based hyperparameter tuning process make the current work, a first-of-its-kind in this domain. The experimental validation of the proposed SBD-HDL technique, conducted upon benchmark dataset, established the supremacy of the technique since it was validated under different measures.

En-AR-PRNS: Entropy-Based Reliability for Configurable and Scalable Distributed Storage Systems

Storage-as-a-service offers cost savings, convenience, mobility, scalability, redundant locations with a backup solution, on-demand with just-in-time capacity, syncing and updating, etc. While this type of cloud service has opened many opportunities, there are important considerations. When one uses a cloud provider, their data are no longer on their controllable local storage. Thus, there are the risks of compromised confidentiality and integrity, lack of availability, and technical failures that are difficult to predict in advance. The contribution of this paper can be summarized as follows: (1) We propose a novel mechanism, En-AR-PRNS, for improving reliability in the configurable, scalable, reliable, and secure distribution of data storage that can be incorporated along with storage-as-a-service applications. (2) We introduce a new error correction method based on the entropy (En) paradigm to correct hardware and software malfunctions, integrity violation, malicious intrusions, unexpected and unauthorized data modifications, etc., applying a polynomial residue number system (PRNS). (3) We use the concept of an approximation of the rank (AR) of a polynomial to reduce the computational complexity of the decoding. En-AR-PRNS combines a secret sharing scheme and error correction codes with an improved multiple failure detection/recovery mechanism. (4) We provide a theoretical analysis supporting the dynamic storage configuration to deal with varied user preferences and storage properties to ensure high-quality solutions in a non-stationary environment. (5) We discuss approaches to efficiently exploit parallel processing for security and reliability optimization. (6) We demonstrate that the reliability of En-AR-PRNS is up to 6.2 times higher than that of the classic PRNS.

Side-channel Programming for Software Integrity Checking

Verifying software integrity for embedded systems, especially legacy and deployed systems, is very challenging. Ordinary integrity protection and verification methods rely on sophisticated processors or security hardware, and cannot be applied to many embedded systems due to c

Trusted GNSS-Based Time Synchronization for Industry 4.0 Applications

The protection of satellite-derived timing information is becoming a fundamental requirement in Industry 4.0 applications, as well as in a growing number of critical infrastructures. All the industrial systems where several nodes or devices communicate and/or coordinate their functionalities by means of a communication network need accurate, reliable and trusted time synchronization. For instance, the correct operation of automation and control systems, measurement and automatic test systems, power generation, transmission, and distribution typically require a sub-microsecond time accuracy. This paper analyses the main attack vectors and stresses the need for software integrity control at network nodes of Industry 4.0 applications to complement existing security solutions that focus on Global Navigation Satellite System (GNSS) radio-frequency spectrum and Precision Time Protocol (PTP), also known as IEEE-1588. A real implementation of a Software Integrity Architecture in accordance with Trusted Computing principles concludes the work, together with the presentation of promising results obtained with a flexible and reconfigurable testbed for hands-on activities.

BlindTrust: Oblivious Remote Attestation for Secure Service Function Chains

With the rapidly evolving next-generation systems-of-systems, we face new security, resilience, and operational assurance challenges. In the face of the increasing attack landscape, it is necessary to cater to efficient mechanisms to verify software and device integrity to detect run-time modifications. Towards this direction, remote attestation is a promising defense mechanism that allows a third party, the verifier, to ensure a remote device's (the prover's) integrity. However, many of the existing families of attestation solutions have strong assumptions on the verifying entity's trustworthiness, thus not allowing for privacy preserving integrity correctness. Furthermore, they suffer from scalability and efficiency issues. This paper presents a lightweight dynamic configuration integrity verification that enables inter and intra-device attestation without disclosing any configuration information and can be applied on both resource-constrained edge devices and cloud services. Our goal is to enhance run-time software integrity and trustworthiness with a scalable solution eliminating the need for federated infrastructure trust.

A Review and Catalog of Security Metric during the Secure Software Development Life Cycle

Background: With the advancement in the field of software development, software poses threats and risks to customers’ data and privacy. Most of these threats are persistent because security is mostly considered as a feature or a non-functional requirement, not taken into account during the Software Development Life Cycle (SDLC). Introduction: In order to evaluate the security performance of a software system, it is necessary to integrate the security metrics during the SDLC. The appropriate security metrics adopted for each phase of SDLC aids in defining the security goals and objectives of the software as well as quantify the security in the software. Methods: This paper presents a review and catalog of security metrics that can be adopted during the distinguishable phases of SDLC, security metrics for vulnerability and risk assessment reported in the literature for secure development of software. The practices of these metrics enable software security experts to improve the security characteristics of the software being developed. The critical analysis of security metrics of each phase and their comparison are also discussed. Results: Security metrics obtained during the development processes help to improve the confidentiality, integrity, and availability of software. Hence, it is imperative to consider security during the development of the software, which can be done with the use of software security metrics. Conclusion: This paper reviews the various security metrics that are meditated in the copious phases during the progression of the SDLC in order to provide researchers and practitioners with substantial knowledge for adaptation and further security assessment.

ICS Software Trust Measurement Method Based on Dynamic Length Trust Chain

Aiming at the real-time requirements for industrial control systems, we proposed a corresponding trust chain method for industrial control system application software and a component analysis method based on security sensitivity weights. A dynamic length trust chain structure is also proposed in this paper. Based on this, the industrial control system software integrity measurement method is constructed. Aimed at the validity of the model, a simulation attack experiment was performed, and the performance of the model was repeated from multiple perspectives to verify the performance of the method. Experiments show that this method can effectively meet the integrity measurement under the condition of high real-time performance, protect the integrity of files, and improve the software credibility of industrial control system.

Using SPARK to Ensure System to Software Integrity

This paper describes work in progress on a workflow that supports consistent property-preservation proofs from early stages of system requirements specifications down to software requirements and final implementation. This workflow, called System-to-Software Integrity (SSI), demonstrates that the implemented software satisfies constraints defined in system requirements.