Autor*innen mit den meisten Dokumenten
Auflistung nach:
Neueste Veröffentlichungen
- ZeitschriftenartikelPattern-based methods for vulnerability discovery(it - Information Technology: Vol. 59, No. 5, 2017) Yamaguchi, FabianDiscovering and eliminating critical vulnerabilities in program code is a key requirement for the secure operation of software systems. This task rests primarily on the shoulders of experienced code analysts who inspect programs in-depth to identify weaknesses. As software systems grow in complexity, while the amount of security critical code increases, supplying these analysts with effective methods to assist in their work becomes even more crucial. Unfortunately, exact methods for automated software analysis are rarely of help in practice, as they do not scale to the complexity of contemporary software projects, and are not designed to benefit from the analyst's domain knowledge. To address this problem, we present pattern-based vulnerability discovery, a novel approach of devising assistant methods for vulnerability discovery that are build with a high focus on practical requirements. The approach combines techniques of static analysis, machine learning, and graph mining to lend imprecise but highly effective methods that allow analysts to benefit from the machine's pattern recognition abilities without sacrificing the strengths of manual analysis.
- ZeitschriftenartikelE-mail Header Injection Vulnerabilities(it - Information Technology: Vol. 59, No. 5, 2017) Chandramouli, Sai Prashanth; Zhao, Ziming; Doupé, Adam; Ahn, Gail-JoonE-mail Header Injection vulnerability is a class of vulnerability that can occur in web applications that use user input to construct e-mail messages. E-mail Header Injection is possible when the mailing script fails to check for the presence of e-mail headers in user input (either form fields or URL parameters). The vulnerability exists in the reference implementation of the built-in mail functionality in popular languages such as PHP, Java, Python, and Ruby. With the proper injection string, this vulnerability can be exploited to inject additional headers, modify existing headers, and alter the content of the e-mail.
- Zeitschriftenartikel64-Bit Migration Vulnerabilities(it - Information Technology: Vol. 59, No. 5, 2017) Wressnegger, Christian; Yamaguchi, Fabian; Maier, Alwin; Rieck, KonradThe subtleties of correctly processing integers confronts developers with a multitude of pitfalls that frequently result in severe software vulnerabilities. Unfortunately, even code shown to be secure on one platform can be vulnerable on another, such that also the migration of code itself is a notable security challenge.
- ZeitschriftenartikelGPU-GIST – a case of generalized database indexing on modern hardware(it - Information Technology: Vol. 59, No. 5, 2017) Bratus, Sergey; Shubina, AnnaThis position paper discusses the need for modeling exploit computations and discusses possible formal approaches to it.
- ZeitschriftenartikelCross-architecture bug search in binary executables(it - Information Technology: Vol. 59, No. 5, 2017) Pewny, Jannik; Garmany, Behrad; Gawlik, Robert; Rossow, Christian; Holz, ThorstenWith the general availability of closed-source software for various CPU architectures, there is a need to identify security-critical vulnerabilities at the binary level. Unfortunately, existing bug finding methods fall short in that they i) require source code, ii) only work on a single architecture (typically x86), or iii) rely on dynamic analysis, which is difficult for embedded devices. In this paper, we propose a system to derive bug signatures for known bugs. First, we compute semantic hashes for the basic blocks of the binary. When can then use these semantics to find code parts in the binary that behave similarly to the bug signature, effectively revealing code parts that contain the bug. As a result, we can find vulnerabilities, e.g., the famous Heartbleed vulnerabilities, in buggy binary code for any of the supported architectures (currently, ARM, MIPS and x86).
- ZeitschriftenartikelVulnerability analysis(it - Information Technology: Vol. 59, No. 5, 2017) Rieck, Konrad
- ZeitschriftenartikelOn the misuse of graphical user interface elements to implement security controls(it - Information Technology: Vol. 59, No. 5, 2017) Mulliner, Collin; Robertson, William; Kirda, EnginGUIs are the predominant means by which users interact with modern programs. GUIs contain a number of common visual elements widgets such as buttons, textfields, and lists, and GUIs typically provide the ability to change attributes on these widgets to control their visibility and behavior. While these attributes are extremely useful to provide visual cues to users to guide them through an application's GUI, they can also be misused for purposes they were not intended. In particular, in the context of GUI-based applications that include multiple privilege levels within the application, GUI element attributes may be misused as a mechanism for enforcing access control policies. This work presents a method to detect misuse of user interface elements to implement access control, it is based on our earlier work1 that introduced the vulnerability class the we refer to as GEMs, or instances of GUI element misuse. Using our GEM detection method we discovered unknown vulnerabilities in several applications.