This document provides an introduction to mobile security. It discusses how mobile security differs from traditional security due to factors like hardware architecture, device capabilities, and software ecosystems. It covers topics like processor architecture, device capabilities, malware types, software ecosystems, and case studies. The overview section summarizes that mobile security faces challenges from architectural complexity, new attack vectors, mobile operating systems, common software problems like cryptographic misuse, and current research techniques.
Domain 3: Security Engineering
Virtualization and Distributed Computing
System Vulnerabilities, Threats and Countermeasures
Cornerstone Cryptographic Concepts
History of Cryptography
Types of Cryptography
Cryptographic Attacks
Implementing Cryptography
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...CODE BLUE
Since 2010 Stuxnet caused substantial damage to the nuclear program of Iran, ICS security issues have been raised. Lots of researchers dig into the hacking skills and path and those known attacks in the history and more malwares and events happened. Enterprises need an efficient way to find vulnerabilities but they might not have the budget for ICS pentesters , which need strong background knowledge , and all the fields they have. To solve this problem, we try to make a rare OT targeting , open source adversary emulation tool as a plugin on MITRE open source tool - Caldera. Users can easily combine IT attacks with our OT adversaries and change steps of attacks or send manual commands in the process.
We summarize the experience of reviewing over 20 factories traffic and analyzing 19 MITRE defined ICS malwares, PIPEDREAM/Incontroller in 2022. We found the main trend of ICS malwares changes from single protocol targeting to modularized , multiple protocols supporting. The actions in malwares can be summarized as a 4 stages attacking flow, We will explain it with the real attacks from malwares. We use the above conclusions to build automatic adversary emulation tool.
Now the tool already supports 10 common protocols and over 23 techniques on the MITRE ICS matrix , which is able to reproduce over 80% of defined ICS malware actions in OT. We also follow the 4 stages conclusion to add some attacks havent been used by any malwares. We have tested it on real oil ,gas ,water, electric power factory devices , protocol simulations for SCADA developers and honeypot. We will have a demo in this presentation.
Domain 3: Security Engineering
Virtualization and Distributed Computing
System Vulnerabilities, Threats and Countermeasures
Cornerstone Cryptographic Concepts
History of Cryptography
Types of Cryptography
Cryptographic Attacks
Implementing Cryptography
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...CODE BLUE
Since 2010 Stuxnet caused substantial damage to the nuclear program of Iran, ICS security issues have been raised. Lots of researchers dig into the hacking skills and path and those known attacks in the history and more malwares and events happened. Enterprises need an efficient way to find vulnerabilities but they might not have the budget for ICS pentesters , which need strong background knowledge , and all the fields they have. To solve this problem, we try to make a rare OT targeting , open source adversary emulation tool as a plugin on MITRE open source tool - Caldera. Users can easily combine IT attacks with our OT adversaries and change steps of attacks or send manual commands in the process.
We summarize the experience of reviewing over 20 factories traffic and analyzing 19 MITRE defined ICS malwares, PIPEDREAM/Incontroller in 2022. We found the main trend of ICS malwares changes from single protocol targeting to modularized , multiple protocols supporting. The actions in malwares can be summarized as a 4 stages attacking flow, We will explain it with the real attacks from malwares. We use the above conclusions to build automatic adversary emulation tool.
Now the tool already supports 10 common protocols and over 23 techniques on the MITRE ICS matrix , which is able to reproduce over 80% of defined ICS malware actions in OT. We also follow the 4 stages conclusion to add some attacks havent been used by any malwares. We have tested it on real oil ,gas ,water, electric power factory devices , protocol simulations for SCADA developers and honeypot. We will have a demo in this presentation.
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...Vincent Giersch
University of Kent 2013 - CO899 System security
Presentation of the article:
Salah K, et al, Computers & Security (2012), http://dx.doi.org/10.1016/j.cose.2012.12.001
chap-1 : Vulnerabilities in Information SystemsKashfUlHuda1
Introduction to Cyber Security. Chapter #1. Vulnerabilities in Information Systems. What is a vulnerability?
Cyberspace: From terra incognita to terra nullius.
Cyberspace performance expectations. Measuring vulnerabilities. CVSS XCCDF OVAL
Avoiding vulnerabilities through secure coding
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
Ch 9: Embedded Operating Systems: The Hidden ThreatSam Bowne
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
Slides for a college course based on "Hands-On Ethical Hacking and Network Defense, Second Edition by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 1133935613
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/123/123_F16.shtml
System-level Threats: Dangerous Assumptions in modern Product SecurityCristofaro Mune
Current devices are complex products: a result of an ecosystem effort, with HW and SW components provided by several manufacturers, across long supply chains.
System-level threats may materialize in the interaction of diverse sub-systems and components, due to assumptions occurring at different stages of the production chain. This encompasses not only the design phase, but also (HW & SW) development, threat modeling and even security testing.
This presentation explores some classes of such assumptions, as distilled by presenter’s experience.
Relevant attacks such as "Timing Attacks against IoT devices" or "Bypassing an encrypted Secure Boot with Fault Injection" are also discussed.
If you are involved in securing modern digital products, as a Developer, HW or SW System Architect, Product Security Manager or as a Security Researcher, you may find them interesting
This talk has been presented at HITB Dubai 2018 security conference.
The Offensive Cyber Security Certification will upgrade your skills to become a pentester, exploit developer. You will learn multiple offensive approaches to access infrastructure, environment, and information, performing risk analysis and mitigation, compliance, and much more with this program.
https://www.infosectrain.com/courses/offensive-cyber-security-engineer-training/
The Offensive Cyber Security Certification will upgrade your skills to become a pentester, exploit developer. You will learn multiple offensive approaches to access infrastructure, environment, and information, performing risk analysis and mitigation, compliance, and much more with this program.
The Offensive Cyber Security Certification will upgrade your skills to become a pentester, exploit developer. You will learn multiple offensive approaches to access infrastructure, environment, and information, performing risk analysis and mitigation, compliance, and much more with this program.
https://www.infosectrain.com/courses/offensive-cyber-security-engineer-training/
This presentation goes through several topics areas that are of specific interest in developing IoT Gateway solutions. IoT is a popular area of development that presents unique challenges like hardware and operating system selection, product life-cycle support and maintainability, software architectural solutions, connectivity, security, secure updates, and API availability. We discuss technologies and concepts like Hardware acceleration support, Linux kernel maintenance, Edge networking, LXC/Docker/KVM, Zigbee, 6loPAN, BLE, IoTivity, Allseen Alliance, SELinux and Trusted boot.
The aim of the presentation is to give an overview of the challenges in building an IoT Gateway and the Solutions available using Embedded Linux.
This presentation was delivered at LinuxCon Japan 2016 by Jim Gallagher
Application Explosion How to Manage Productivity vs SecurityLumension
Windows users today are more application oriented than ever, but that hunger often leads them to unsafe choices. In this presentation you’ll learn about the attributes of both free and commercial application security tools. You’ll also learn the key steps you need to follow to effectively accommodate user application needs without giving malefactors a foot in the door to your enterprise.
2024.06.01 Introducing a competency framework for languag learning materials ...Sandy Millin
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...Vincent Giersch
University of Kent 2013 - CO899 System security
Presentation of the article:
Salah K, et al, Computers & Security (2012), http://dx.doi.org/10.1016/j.cose.2012.12.001
chap-1 : Vulnerabilities in Information SystemsKashfUlHuda1
Introduction to Cyber Security. Chapter #1. Vulnerabilities in Information Systems. What is a vulnerability?
Cyberspace: From terra incognita to terra nullius.
Cyberspace performance expectations. Measuring vulnerabilities. CVSS XCCDF OVAL
Avoiding vulnerabilities through secure coding
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
Ch 9: Embedded Operating Systems: The Hidden ThreatSam Bowne
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
Slides for a college course based on "Hands-On Ethical Hacking and Network Defense, Second Edition by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 1133935613
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/123/123_F16.shtml
System-level Threats: Dangerous Assumptions in modern Product SecurityCristofaro Mune
Current devices are complex products: a result of an ecosystem effort, with HW and SW components provided by several manufacturers, across long supply chains.
System-level threats may materialize in the interaction of diverse sub-systems and components, due to assumptions occurring at different stages of the production chain. This encompasses not only the design phase, but also (HW & SW) development, threat modeling and even security testing.
This presentation explores some classes of such assumptions, as distilled by presenter’s experience.
Relevant attacks such as "Timing Attacks against IoT devices" or "Bypassing an encrypted Secure Boot with Fault Injection" are also discussed.
If you are involved in securing modern digital products, as a Developer, HW or SW System Architect, Product Security Manager or as a Security Researcher, you may find them interesting
This talk has been presented at HITB Dubai 2018 security conference.
The Offensive Cyber Security Certification will upgrade your skills to become a pentester, exploit developer. You will learn multiple offensive approaches to access infrastructure, environment, and information, performing risk analysis and mitigation, compliance, and much more with this program.
https://www.infosectrain.com/courses/offensive-cyber-security-engineer-training/
The Offensive Cyber Security Certification will upgrade your skills to become a pentester, exploit developer. You will learn multiple offensive approaches to access infrastructure, environment, and information, performing risk analysis and mitigation, compliance, and much more with this program.
The Offensive Cyber Security Certification will upgrade your skills to become a pentester, exploit developer. You will learn multiple offensive approaches to access infrastructure, environment, and information, performing risk analysis and mitigation, compliance, and much more with this program.
https://www.infosectrain.com/courses/offensive-cyber-security-engineer-training/
This presentation goes through several topics areas that are of specific interest in developing IoT Gateway solutions. IoT is a popular area of development that presents unique challenges like hardware and operating system selection, product life-cycle support and maintainability, software architectural solutions, connectivity, security, secure updates, and API availability. We discuss technologies and concepts like Hardware acceleration support, Linux kernel maintenance, Edge networking, LXC/Docker/KVM, Zigbee, 6loPAN, BLE, IoTivity, Allseen Alliance, SELinux and Trusted boot.
The aim of the presentation is to give an overview of the challenges in building an IoT Gateway and the Solutions available using Embedded Linux.
This presentation was delivered at LinuxCon Japan 2016 by Jim Gallagher
Application Explosion How to Manage Productivity vs SecurityLumension
Windows users today are more application oriented than ever, but that hunger often leads them to unsafe choices. In this presentation you’ll learn about the attributes of both free and commercial application security tools. You’ll also learn the key steps you need to follow to effectively accommodate user application needs without giving malefactors a foot in the door to your enterprise.
2024.06.01 Introducing a competency framework for languag learning materials ...Sandy Millin
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
Model Attribute Check Company Auto PropertyCeline George
In Odoo, the multi-company feature allows you to manage multiple companies within a single Odoo database instance. Each company can have its own configurations while still sharing common resources such as products, customers, and suppliers.
Biological screening of herbal drugs: Introduction and Need for
Phyto-Pharmacological Screening, New Strategies for evaluating
Natural Products, In vitro evaluation techniques for Antioxidants, Antimicrobial and Anticancer drugs. In vivo evaluation techniques
for Anti-inflammatory, Antiulcer, Anticancer, Wound healing, Antidiabetic, Hepatoprotective, Cardio protective, Diuretics and
Antifertility, Toxicity studies as per OECD guidelines
Acetabularia Information For Class 9 .docxvaibhavrinwa19
Acetabularia acetabulum is a single-celled green alga that in its vegetative state is morphologically differentiated into a basal rhizoid and an axially elongated stalk, which bears whorls of branching hairs. The single diploid nucleus resides in the rhizoid.
Introduction to AI for Nonprofits with Tapp NetworkTechSoup
Dive into the world of AI! Experts Jon Hill and Tareq Monaur will guide you through AI's role in enhancing nonprofit websites and basic marketing strategies, making it easy to understand and apply.
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...Levi Shapiro
Letter from the Congress of the United States regarding Anti-Semitism sent June 3rd to MIT President Sally Kornbluth, MIT Corp Chair, Mark Gorenberg
Dear Dr. Kornbluth and Mr. Gorenberg,
The US House of Representatives is deeply concerned by ongoing and pervasive acts of antisemitic
harassment and intimidation at the Massachusetts Institute of Technology (MIT). Failing to act decisively to ensure a safe learning environment for all students would be a grave dereliction of your responsibilities as President of MIT and Chair of the MIT Corporation.
This Congress will not stand idly by and allow an environment hostile to Jewish students to persist. The House believes that your institution is in violation of Title VI of the Civil Rights Act, and the inability or
unwillingness to rectify this violation through action requires accountability.
Postsecondary education is a unique opportunity for students to learn and have their ideas and beliefs challenged. However, universities receiving hundreds of millions of federal funds annually have denied
students that opportunity and have been hijacked to become venues for the promotion of terrorism, antisemitic harassment and intimidation, unlawful encampments, and in some cases, assaults and riots.
The House of Representatives will not countenance the use of federal funds to indoctrinate students into hateful, antisemitic, anti-American supporters of terrorism. Investigations into campus antisemitism by the Committee on Education and the Workforce and the Committee on Ways and Means have been expanded into a Congress-wide probe across all relevant jurisdictions to address this national crisis. The undersigned Committees will conduct oversight into the use of federal funds at MIT and its learning environment under authorities granted to each Committee.
• The Committee on Education and the Workforce has been investigating your institution since December 7, 2023. The Committee has broad jurisdiction over postsecondary education, including its compliance with Title VI of the Civil Rights Act, campus safety concerns over disruptions to the learning environment, and the awarding of federal student aid under the Higher Education Act.
• The Committee on Oversight and Accountability is investigating the sources of funding and other support flowing to groups espousing pro-Hamas propaganda and engaged in antisemitic harassment and intimidation of students. The Committee on Oversight and Accountability is the principal oversight committee of the US House of Representatives and has broad authority to investigate “any matter” at “any time” under House Rule X.
• The Committee on Ways and Means has been investigating several universities since November 15, 2023, when the Committee held a hearing entitled From Ivory Towers to Dark Corners: Investigating the Nexus Between Antisemitism, Tax-Exempt Universities, and Terror Financing. The Committee followed the hearing with letters to those institutions on January 10, 202
Francesca Gottschalk - How can education support child empowerment.pptxEduSkills OECD
Francesca Gottschalk from the OECD’s Centre for Educational Research and Innovation presents at the Ask an Expert Webinar: How can education support child empowerment?
6. Software Ecosystem
7
• Resource-limited devices
– Compute
– Power
• Event-driven programming
– No main() method
– State transitions via callbacks
• Well-defined interfaces
– Application lifecycle
– Access to user data
• Centralized software distribution
– Can only download applications from a single source
– Vendor takes responsibility for filtering content
7. Overview
• Architectural complexity
– New attack vectors
• Mobile operating systems
– Operating system safety protections
– Software development and distribution model
• Common problems with real-world software
– Cryptographic misuse
– Personal information leakage
• Current research techniques
8
10. Baseband Processor
11
• Separate processor or core that manages
radio functionality (why?)
• Typically runs a proprietary real-time
operating system
– Apple iPhone: Nucleus RTOS, ThreadX
– Qualcomm: Advanced Mobile Subscriber
Software (AMSS/REX OS)
• L4A Pistachio microkernel
13. ARM TrustZone
14
• Provides a separate hardware-enforced
execution environment
– x86 protection rings (0, 3)
• Applications
– Digital rights management
– Secure key storage
– Mobile payments
– Secure boot management (Q-Fuses)
– Kernel integrity monitoring
14. ARM TrustZone
15
• Qualcomm Secure Execution Environment
(QSEE)
– Contains separate kernel with separate memory
space
– Has privileged access to all hardware and the
non-secure world
– Interfaces with the non-secure world via the
privileged Secure Monitor Call (SMC) instruction
15. Case Studies
16
• Baseband Attacks: Remote Exploitation of
Memory Corruptions in Cellular Protocol Stacks,
Ralf-Philpp Weinmann (WOOT 2012)
– Memory corruption in various baseband stacks led
to injection/execution of arbitrary code
• Reflections on Trusting TrustZone, Dan
Rosenberg (BlackHat 2014)
– Integer overflow vulnerability led to arbitrary write
of secure memory
• TrustNone, Sean Beaupre (11/28/15)
– Signed comparison on unsigned user input led to
arbitrary read/write of secure memory
16. Overview
• Architectural complexity
– New attack vectors
• Mobile operating systems
– Operating system safety protections
– Software development and distribution model
• Common problems with real-world software
– Cryptographic misuse
– Personal information leakage
• Current research techniques
17
17. Introduction: Android
• Originally developed by startup in 2003
– Bought out by Google in 2005
– Publicly released in 2007
• Mostly released under open source license
– Proprietary device-specific drivers distributed in
binary form
– Access to Play Store and Google applications
requires licensing agreement
• Fire OS, Baidu, Yandex.Store, etc
18
19. Security Model
• Utilizes a modified version of the Linux kernel
– Changes are slowly being merged back upstream
• UNIX permission model for applications
– Mandatory sandbox as separate users (distinct UID)
• Limited interface for inter-process
communication
• Applications are cryptographically signed and
verified
20
22. Safety Enhancements
• Android 4.1+
– Position Independent Executables (PIE)
– Read-only relocations (-Wl,-z,relro –Wl,-z,now)
• Android 5.0+
– Default full disk encryption
– Mandatory PIE
– SELinux
• Android 6.0+
– Verified boot
– USB access control
– Monthly security patches
23
23. Permission Model
• Capability-based access control model
• Categorized into various functional groups
– Bluetooth
– Camera
– Location (fine/coarse-grained)
– Network/data connection
– SMS/MMS
– Telephony
• User receives permission prompt at install-time
– All-or-nothing
24
26. Permission Model
• Starting with Android 6.0 (Marshmallow),
permissions are queried at run-time
– Allows users to deny individual permissions
– Was briefly available for Android 4.4.0 – 4.4.2
• 3rd party solutions
– Xposed Framework (requires root)
27
27. Application Structure
• Written in Java
– Interpreted by Dalvik bytecode virtual machine
• Uses just-in-time (JIT) techniques to compile native
code
– Replaced with Android Runtime (ART) in 5.0+
• Introduces ahead-of-time (AOT) compilation instead
of JIT
• Can also call into native code
– Uses Java Native Interface (JNI) to interface with
C/C++ libraries
28
28. Application Structure
• Activity
– Portions of the application’s user interface
• Login window, registration interface, etc.
• Service
– Performs background processing
• Download a file, play music, etc.
• Broadcast Receiver
– Handlers for global messages
• Boot completed, power disconnected, etc.
• Content Provider
– Manages access to structured data
• User calendar, contacts, etc.
29
29. Case Studies
• Stagefright, Zimperium (2015)
– Integer overflow vulnerabilities in system
multimedia library leads to remote code
execution
• Fixed in November monthly security patch
• Master Key, Bluebox Security (2013)
– Structure of Android application packages
allows manipulation of contents without
invalidating digital signatures
30
30. Introduction: iOS
• Originally developed in 2005
– Publicly released in 2007
• Based off of the Macintosh XNU kernel
– Supports memory-protection features
• ASLR, DEP, etc.
– UNIX-like
31
31. Security Model
• All applications must be signed by Apple
– Unless system is jailbroken to remove checks
• Individual applications are encrypted and
sandboxed from one another
• Code integrity is verified during execution
– Makes injection of shellcode difficult
32
33. Application Structure
• Written in Objective-C or Swift
– Compiled by Clang/LLVM into native code
– Adds automatic reference counting for garbage
collection in Swift
• Transitioning to open source later this year
• Uses Model-View-Controller (MVC) design
paradigm
– Applications objects are model, view, or
controller
– Abstracts data from logic and presentation
34
34. Application Approvals
• Applications are typically submitted by
developers to App Store for inclusion
• These undergo a review process for unwanted
behavior or policy violations
– Objectionable content
– Game emulators
– Internal API’s
• Techniques
– Static analysis
– Manual review
35
35. Enterprise Provisioning
• Enterprise developer certificates allow
bypass of the App Store
– Designed for deployment of internal applications
to employees
• Historically, have also been used to bypass
platform security
– Game emulators
– Jailbreaking
– Malware
36
36. Case Studies
• XcodeGhost, Alibaba (2015)
– Modified version of Xcode uploaded to a Chinese file
sharing service inserted malicious code into binaries
• Pangu8, Pangu Team (2015)
– Heap overflow in kernel battery gauge service for
iOS 8 led to arbitrary writes of kernel memory
• limera1n, George Hotz (2010)
– Heap overflow in bootloader USB protocol
implementation led to arbitrary writes of memory
37
37. Overview
• Architectural complexity
– New attack vectors
• Mobile operating systems
– Operating system safety protections
– Software development and distribution model
• Common problems with real-world software
– Cryptographic misuse
– Personal information leakage
• Current research techniques
38
38. Common Problems
• Developers are not experts in implementing
or using cryptography
– Tendency to copy-paste “template” code
– Need to disable certain cryptographic features
for ease of debugging
• Developers tend to inadvertently or
maliciously request extraneous permissions
– Can use user information for advertising or
analytics
39
39. Cryptographic Misuse
1. Usage of ECB mode for encryption
2. Usage of static IV’s in CBC mode
3. Usage of hardcoded symmetric encryption
keys
4. Usage of low iterations for password-based
encryption
5. Bad seeding of random-number generators
40
40. Cryptographic Misuse
• CryptoLint, Manuel Egele et al. (CCS 2013)
1. Extract a control flow graph of an application
2. Identify calls to sensitive cryptographic API’s
3. Perform static backward slicing to evaluate
security rules
• Allows for automatic detection of
cryptographic misuse
41
48. Case Study
• TaintDroid, William Enck et al. (OSDI 2010)
– Dataset of 30 randomly selected popular
applications
– Flagged 105 TCP connections for containing
tainted privacy-sensitive information
• Leakage of device IMEI
• Leakage of device location
49
49. Overview
• Architectural complexity
– New attack vectors
• Mobile operating systems
– Operating system safety protections
– Software development and distribution model
• Common problems with real-world software
– Cryptographic misuse
– Personal information leakage
• Current research techniques
50
50. Program Analysis
• Taint Analysis
– Mechanism for identifying data flows in an
application
• Concepts:
– Basic Blocks
– Control Flow Graphs
– Call Graphs
51
51. Basic Block
• Sequence of instructions executed
consecutively
– Only the first instruction can be reached from
outside the block
– Only the last instruction may transition outside
the block
52
52. Basic Block
53
1. x = y + z
2. z = t + i
3. x = y + z
4. z = t + i
5. jmp 1
6. jmp 3
3 basic blocks
53. Control Flow Graph
54
• Each vertex is a basic block
• There is an edge between two vertexes if
there may be a transfer of control between
the blocks
• Typically limited to a single function or
procedure (intraprocedural)
54. Control Flow Graph
55
a = readline()
x = 0
if (a > 5) {
t = “gt”
x = 42
} else {
t = “lte”
x = 7
}
print(“input was ” +
t + “ 5”)
a = readline();
x = 0
if (a > 5)
print( … )
t = “lte”
x = 7
t = “gt”
x = 42
55. Call Graph
56
• Each node is a function
• There is an edge between nodes if a function
calls another
57. Taint Analysis
• Technique or identifying movement of data
in an application
– Sources: Originations of privacy sensitive
information, e.g. address book API
– Sinks: Destinations of network communication,
e.g. socket API
• Determine what flows occur between
sources and sinks
58
58. Challenges
• Object-oriented languages encapsulate data as
objects in memory
– Callbacks and local functions are used to transfer
data
– Need to perform and propagate type recovery
• Class hierarchy
– Determine relationships between parent and child
classes
– Identify overridden and virtual functions
• Handle dynamic object introspection
– e.g. Reflection
59
59. Backward/Forward Slicing
• Identify all instructions that may influence a
given variable
– Program point
– Variable
• Can be performed in both directions
60
60. Backward/Forward Slicing
int main() {
int x, y, z;
x = 5 + 2 * 6;
y = getchar();
z = 8 + 10 % 3;
y = x + z * 5;
if (z > 9) {
x = 2 * z + 1;
} else {
x = 4 * z - 1;
}
y = 10 * y + 3;
return foo(x);
}
61
61
61. Usage
• Identify sources of data that is used in
cryptographic API’s
– Constant values
– Uninitialized data
• Identify sinks of data that originate from
user data
– Address book
– Calendar
– IMEI
62
62. Conclusion
• Architectural complexity
– New attack vectors
• Mobile operating systems
– Operating system safety protections
– Software development and distribution model
• Common problems with real-world software
– Cryptographic misuse
– Personal information leakage
• Current research techniques
63