seminar: secure systems engineering · 6 seminar secure systems engineering ws 2017/18 - prof. dr....
TRANSCRIPT
Software Engineering
Introduction – October 10. 2017
Linghui Luo
Seminar: Secure Systems Engineering
Requirements
2
Attendance at all meetings
Writing a seminar essay in English
15 – 20 pages in LaTeX
LaTeX-template provided by us
Delivering a presentation in English
20 mins presentation
10 mins discussion
Active participation in the peer review process
Peer reviewed by students
Reviewed by advisors
Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden
Schedule
Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden3
First Meetings
Date Time & Place
Tuesday, 10 October 2017 11:00 – 13:00 E5.333 Introduction to topics & Assignment
Tuesday, 17 October 2017 11:00 – 13:00 E5.333 Seminar guidelines & Introduction to scientific work
Deadlines till 23:59 CET
Date Task Role
Monday, 20 November 2017 Outline & Literature references Students
Monday, 11 December 2017 Essay draft for review Students
Tuesday, 12 December 2017 Assignment of peer reviews Advisors
Monday, 18 December 2017 Completed peer review Students
Monday, 15 January 2018 Presentation slides for feedback Students
Monday, 22 January 2018 Advisor feedback Advisors
Monday, 5 February 2018 Essay for feedback Students
Friday, 16 February 2018 Advisor feedback Advisors
Wednesday, 28 February 2018 Final Essay Submission Students
Block Seminar
Date Time & Place
Thursday, 25 January 2018 9:00 - 13:00 F0.231
Friday, 26 January 2018 9:00 - 18:00 F0.231
Allocation of Topics
Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden4
Doodle poll
You will receive an invitation via e-mail today
Choose exactly 3 preferences until 18:00, Thursday, 12th October
Collisions will be solved by applying the following criterion:
Students in higher semesters (at least 2nd semester) are preferred.
Students with main field “Software Technology and Information Systems” or
“Software Engineering” are preferred.
With equivalent qualifications: randomness
You will be informed via e-mail which topic you are assigned
Please confirm this mail until 18:00, Sunday, 15th October
You can also reject the topic, but inform us as early as possible!
If you confirm a topic, we expect you not to drop the seminar in the middle of the
semester
Relaxing Security Policies through DeclassificationAdvisor: Christopher Gerking ([email protected])
5 Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden
Task for student:
Survey different approaches for declassification
Demonstrate advantages and shortcomings
Assess suitability of the approaches in the context of model-driven security
Literature:
Sabelfeld, A., Sands, D.: Declassification: Dimensions and Principles, JCS 17(5), 2009
Peng, L., Zdancewic, S.: Downgrading Policies and Relaxed Noninterference, POPL 2005
Askarov, A., Myers, A.: A Semantic Framework for Declassification and Endorsement, ESOP 2010
1
Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden6
Preservation of Information Flow Security on CompositionAdvisor: Christopher Gerking ([email protected])
Task for student:
Compare different security models with respect to compositionality
Illustrate differences on a “common ground“
Point out assumptions and limitations for real-world applications
Literature:
McCullough, D.: A Hookup Theorem for Multilevel Security. IEEE TSE, 16(6), 1990
McLean, J.: A General Theory of Composition for a Class of Possibilistic Properties, IEEE TSE, 22(1),
1996
Mantel, H.: On the Composition of Secure Systems, IEEE S&P 2002
Mantel, H. et al.: Assumptions and Guarantees for Compositional Noninterference, CSF 2011
2
Security Requirements in Natural Language ArtifactsAdvisor: Dr. Marie Christin Platenius ([email protected])
7
Introduction :
In practice, requirements specifications are still written in natural language
This also includes different kinds of security requirements. Examples:
Natural language processing techniques can improve automated processing of such requirements
Task for student:
Inspect and critically reflect the given literature wrt. security requirements in natural language artifacts
text
Try to find related work and compare it to the given literature
Literature:
M. Riaz, J. King, J. Slankas and L. Williams, “Hidden in plain sight: Automatically identifying security requirements from
natural language artifacts,” IEEE Int. Requirements Engineering Conference (RE), Karlskrona, 2014
(http://ieeexplore.ieee.org/abstract/document/6912260/)
Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden
"The system shall enforce access privileges that
enable authorized users to edit discharge
instructions for a particular patient." (confidentiality)
"The system shall log every time
discharge instructions for a particular
patient are edited." (accountability)
3
Static Analysis Based on User-Defined ConstraintsAdvisor: Johannes Späth ([email protected])
Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden8
Problem
Implementations of software evolve and are affected by constant change
…but the quality of the implementation, including the derived security, has to be ensured
Minor modifications to the code easily break the complete security model
Approach
The developer specifies constraints in the code
From the constraints a static model of the program’s behavior is build
The model is solved and potentially invalidated constraints are reported to the developer
Task for student:
Describe the proposed approach and highlight its advantages and disadvantages
Literature
[Fähndrich, M.; Logozzo, F.: “Static Contract Checking with Abstract Interpretation”. Formal Verification of Object-
Oriented Software - International Conference, FoVeOOS 2010, Paris, France, June 28-30, 2010]
[Christakis, M.; Müller, P.; Wüstholz, V.: “An Experimental Evaluation of Deliberate Unsoundness in a Static Program
Analyzer”. Verification, Model Checking, and Abstract Interpretation - 16th International Conference, VMCAI 2015, Mumbai,
India, January 12-14, 2015]
4
Scalable and Precise String AnalysisAdvisor: Linghui Luo ([email protected])
9
Introduction :
Client side software may process string-based user input
Vulnerabilities: SQL injection, Cross-Site Scripting
Some program paths only execute under certain string inputs
Imprecise string analysis could miss possible vulnerabilities
Task for student:
Understand the importance of string analysis and review existing frameworks for it
Select and compare frameworks which are precise and scalable for large programs and can be used for java
and android applications
Literature:
Ding Li, Yingjun Lyu, Mian Wan, and William G. J. Halfond. 2015. String analysis for Java and Android applications. In Proceedings of the 2015 10th Joint Meeting
on Foundations of Software Engineering (ESEC/FSE 2015). ACM, New York, NY, USA, 661-672. (https://doi.org/10.1145/2786805.2786879)
Adam Kiezun, Vijay Ganesh, Philip J. Guo, Pieter Hooimeijer, and Michael D. Ernst. 2009. HAMPI: a solver for string constraints. In Proceedings of the eighteenth
international symposium on Software testing and analysis (ISSTA '09). ACM, New York, NY, USA, 105-116. (http://dx.doi.org/10.1145/1572272.1572286)
Yunhui Zheng, Xiangyu Zhang, and Vijay Ganesh. 2013. Z3-str: a z3-based string solver for web application analysis. In Proceedings of the 2013 9th Joint Meeting
on Foundations of Software Engineering (ESEC/FSE 2013). ACM, New York, NY, USA, 114-124. (https://doi.org/10.1145/2491411.2491456)
Minh-Thai Trinh, Duc-Hiep Chu, and Joxan Jaffar. 2014. S3: A Symbolic String Solver for Vulnerability Detection in Web Applications. In Proceedings of the 2014
ACM SIGSAC Conference on Computer and Communications Security (CCS '14). ACM, New York, NY, USA, 1232-1243. (http://dx.doi.org/10.1145/2660267.2660372)
Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden
5
Inferring Specifications for Taint-Style VulnerabilitiesAdvisor: Goran Piskachev ([email protected])
10
Introduction :
Many vulnerabilities (e.g. SQL injection) can be detected via taint analysis
To configure these analyses, the users need to specify different configuration methods (e.g. source,
sink)
This is a manual task that requires security-related domain knowledge
The users often face many false positives
One of the main reason is incomplete or wrong specifications
Few approaches (e.g. Merlin) propose an automatic creation of these specifications
Task for student:
Give an overview of the Merlin approach
Compare the Merlin approach to other similar approaches (e.g. SuSi)
Literature:
Benjamin Livshits, Aditya V. Nori, Sriram K. Rajamani, and Anindya Banerjee. Merlin: specification inference for explicit
information flow problems. In Proceedings of the 30th ACM SIGPLAN Conference on Programming Language Design and
Implementation (PLDI '09). ACM, New York, NY, USA, 75-86.
Siegfried Rasthofer, Steven Arzt, and Eric Bodden. A Machine-learning Approach for Classifying and Categorizing
Android Sources and Sinks. NDSS 2014
Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden
6
Model-driven Security for Embedded SystemsAdvisor: Johannes Geismann ([email protected])
11
Introduction :
When designing safe and secure embedded systems not only software but also hardware has to be
considered
Model-driven approaches are used to assist designers and developers in early development steps
SysML-Sec is a method for this task
Task for student:
Give a comprehensive overview
Which threats / attacks are considered?
Which viewpoints are covered?
What are the limitations of this approach?
Compare to related approaches
Literature:
Ludovic Apvrille, Yves Roudier, "SysML-Sec: A Model-Driven Environment for Developing Secure Embedded Systems", Proceedings of the
8th conference on the security of network architecture and information systems (SARSSI'2013), Mont de Marsan, France, 16-18 sept. 2013
Ludovic Apvrille, Yves Roudier, "SysML-Sec: A Model Driven Approach for Designing Safe and Secure Systems", Special session on Security
and Privacy in Model Based Engineering, 3rd International Conference on Model-Driven Engineering and Software Development (Modelsward),
Angers, France, Feb. 2015
Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden
7
Compositional Verification of Security PropertiesAdvisor: Johannes Geismann ([email protected])
12
Introduction :
On architectural level, formal methods can be used to prove security
requirements, e.g., model checking
For large systems, model checking is infeasible since the state space of
the system is too large
Compositional verification can help to tackle this problem
Task for student:
Explain the approach presented in [1]
Explain how compositional model checking can help to analyze security
properties of large-scale systems
Survey other compositional verification approaches for analyzing
security properties and relate them to [1]
Literature:
[1] Gunawan, L. A., & Herrmann, P. (2013). Compositional Verification of Application-Level Security
Properties. In ESSoS (pp. 75–90)
Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden
8
A Comparison of Hooking Approaches for ARTAdvisor: Andreas Peter Dann ([email protected])
Introduction :
What happens with the personal information?
Can we enforce that our address book is not leaked to any suspicious network?
To give an answer, we need to extract runtime information from an app.
Thus, we need to hook into its methods and check which data it reads or
which server it connects to.
For hooking exist several approaches, with different drawbacks and advantages.
Task for student:
Compare the approaches
Point out for each approach: Advantages, Drawbacks, What is covered, What is missing?
Draw your own conclusion based on your results and literature
Literature:
Costamagna, et al. (2016). ARTDroid: A virtual-method hooking framework on android ART
Wang, F., et al. (2016). Stay in Your Cage! A Sound Sandbox for Third-Party Libraries on Android
Bianchi, A., et al. (2015). NJAS: Sandboxing Unmodified Applications in non-rooted Devices Running
stock Android
13 Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden
9
Object-Capabilities as Means of Permission and Authority
in Software SystemsAdvisor: Dr. Ben Hermann ([email protected])
14
Introduction:
What do we mean when a system is secure?
How do we characterize its security?
Recent research in the field of Object-Capability security helps to find answers.
Task for student:
Go beyond the given literature – systematically find CLOSELY related work
Give a comprehensive overview and comparison of the different approaches
What are the open challenges in the field
Literature:
Sophia Drossopoulou, James Noble, Mark S. Miller, and Toby Murray. 2016. Permission and Authority Revisited towards a formalisation.
In Proceedings of the 18th Workshop on Formal Techniques for Java-like Programs (FTfJP'16). ACM, New York, NY, USA, , Article 10 , 6
pages. DOI: http://dx.doi.org/10.1145/2955811.2955821
Sophia Drossopoulou and James Noble. 2013. The need for capability policies. In Proceedings of the 15th Workshop on Formal Techniques
for Java-like Programs (FTfJP '13). ACM, New York, NY, USA, Article 6, 7 pages. DOI: https://doi.org/10.1145/2489804.2489811
Sylvan Clebsch, Sophia Drossopoulou, Sebastian Blessing, and Andy McNeil. 2015. Deny capabilities for safe, fast actors. In Proceedings of
the 5th International Workshop on Programming Based on Actors, Agents, and Decentralized Control (AGERE! 2015). ACM, New York, NY,
USA, 1-12. DOI: http://dx.doi.org/10.1145/2824815.2824816
Sophia Drossopoulou, James Noble, and Mark S. Miller. 2015. Swapsies on the Internet: First Steps towards Reasoning about Risk and
Trust in an Open World. In Proceedings of the 10th ACM Workshop on Programming Languages and Analysis for Security (PLAS'15). ACM,
New York, NY, USA, 2-15. DOI: http://dx.doi.org/10.1145/2786558.2786564
Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden
10
Type Systems as Means to Secure Software SystemsAdvisor: Dr. Ben Hermann ([email protected])
15
Introduction :
One class of security problems are confidentiality issues.
They occur whenever information is leaked to parties that are not permitted to receive the information.
But, how can we prove that a system does not have such issues?
Type systems may be the answer to that.
Task for student:
Go beyond the given literature – systematically find CLOSELY related work
Give a comprehensive overview and comparison of the different approaches
What are the open challenges in the field
Literature:
Chen, H., Tiu, A., Xu, Z. and Liu, Y., 2017. A Permission-Dependent Type System for Secure Information Flow
Analysis. arXiv preprint arXiv:1709.09623. https://arxiv.org/abs/1709.09623
Sabelfeld, A. and Myers, A.C., 2003. Language-based information-flow security. IEEE Journal on selected areas in
communications, 21(1), pp.5-19. http://ieeexplore.ieee.org/abstract/document/1159651/
Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden
11
Probabilistic Program Modeling for High-precision Anomaly
ClassificationAdvisor: David Schubert ([email protected])
16
Introduction :
Task for student:
Introduce fundamentals: Intrusion Detection Systems, Hidden Markov Models
Construct a running example for your thesis
Recap the approach by Xu et al. using the running example
Literature:
Xu, et al. “Probabilistic program modeling for high-precision anomaly classification.” Computer Security Foundations
Symposium (CSF), 2015 IEEE 28th. IEEE, 2015
Lazarevic, Aleksandar, Vipin Kumar, and Jaideep Srivastava. “Intrusion detection: A survey .” DOI 10.1007/0-387-24230-
9_2
Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden
12
Executable Misuse Cases for Modeling Security ConcernsAdvisor: Thorsten Koch ([email protected])
17
Problem:
Security is a crucial issues for information systems. However, in Software Engineering security
is mainly considered as non-function requirements after the definition of the systems. This
approach often leads to problems, which translate to security vulnerabilities.
Approach:
The approach of Whittle et al. is supposed to model and analyze security requirements
alongside functional requirements by means of misuse cases. It provides a formalization of
UML interaction overview diagrams to model scenarios precisely. This formalization is
transformed into a set of communicating FSMs to perform the analysis.
Task for student:
Describe the approach
Especially focus on security attacks that can be detected by the approach
Literature:
Jon Whittle, Duminda Wijesekera, and Mark Hartong. 2008. Executable misuse cases for modeling
security concerns. http://dx.doi.org/10.1145/1368088.1368106
Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden
13
Analyzing IEC 61131 Languages using SootAdvisor: Sven Merschjohann ([email protected])
18
Introduction:
PLCs are written in IEC 61131 languages
Despite being widely used sophisticated static analysis is rare
Writing static analysis is complex and time-consuming
Approaches:
Reuse existing analysis framework Soot (Java) by transforming Structured Text to
Jimple
Task for student:
Describe the approach and highlight its advantages and limitations using an own
example
Evaluate whether this approach can be applied to the other IEC languages as well
Literature:
[A. Grimmer, F. Angerer, H. Prähofer, and P. Grünbacher, “Supporting Program Analysis for Non-Mainstream
Languages: Experiences and Lessons Learned” in Proceedings of 23rd International Conference on Software
Analysis, Evolution, and Reengineering (SANER), 2016]
Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden
14
The State of the Art of Disassembly of x86/x64 codeAdvisor: Martin Mory ([email protected])
19
Introduction :
Compilation from high-level programming language to machine code brings information loss
Disassembly of machine code is required for understanding, but challenging
Task for student: (can be done by 2 students)
Point out challenges for disassembly of x86/x64 code
Summarise, compare and assess recent approaches towards disassembly of x86/x64 code
Literature:
Dennis Andriesse, Xi Chen, Victor van der Veen, Asia Slowinska, Herbert Bos: An In-Depth Analysis of
Disassembly on Full-Scale x86/x64 Binaries
… more papers to be identified
Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden
15
How to Track Configuration OptionsAdvisor: Linghui Luo ([email protected])
20
Introduction :
Many modern software systems are highly configurable
Increases flexibility
Hard to be understood, maintained and analyzed
It is necessary to determine how configuration options affect program behavior
Task for student: (can be done by 2 students)
Review and compare existing approaches to track configuration options
Literature:
Elnatan Reisner, Charles Song, Kin-Keung Ma, Jeffrey S. Foster, and Adam Porter. 2010. Using symbolic evaluation to understand behavior
in configurable software systems. In Proceedings of the 32nd ACM/IEEE International Conference on Software Engineering - Volume 1 (ICSE
'10), Vol. 1. ACM, New York, NY, USA, 445-454. (http://dx.doi.org/10.1145/1806799.1806864)
Florian Angerer, Andreas Grimmer, Herbert Prahofer, and Paul Grunbacher. 2015. Configuration-Aware Change Impact Analysis (T).
In Proceedings of the 2015 30th IEEE/ACM International Conference on Automated Software Engineering (ASE) (ASE '15). IEEE Computer
Society, Washington, DC, USA, 385-395. (http://dx.doi.org/10.1109/ASE.2015.58)
Z. Dong, A. Andrzejak and K. Shao, "Practical and accurate pinpointing of configuration errors using static analysis," 2015 IEEE
International Conference on Software Maintenance and Evolution (ICSME), Bremen, 2015, pp. 171-180.
(http://dx.doi.org/10.1109/ICSM.2015.7332463)
ThanhVu Nguyen, Ugur Koc, Javran Cheng, Jeffrey S. Foster, and Adam A. Porter. 2016. iGen: dynamic interaction inference for
configurable software. In Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software
Engineering (FSE 2016). ACM, New York, NY, USA, 655-665. (https://doi.org/10.1145/2950290.2950311)
Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden
16
Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden21
A Survey on Common Android Malware SchemesAdvisor: Manuel Benz ([email protected])
Introduction :
With more than 2 billion monthly active Android devices and lots of sensitive data stored on
them, the platform constitutes a perfect target for malware developers. Common schemes of
Android malware typically include silently sending premium SMS to raise a fee on the user or
encrypting the user‘s data, to blackmail her for money afterward. Many more exist…
Task for student: (can be done by 2 students)
Dig into literature starting from the given publications.
Collect a comprehensive list of common Android malware schemes.
The given literature is “old“ (2011/12). Try to find current references and elaborate the evolution
of malware schemes since then.
Literature:
https://doi.org/10.1007/978-3-319-24018-3_12
https://doi.org/10.1109/SP.2012.16
https://doi.org/10.1109/BADGERS.2014.7
https://doi.org/10.1145/2046614.2046618
17
Language Theoretic Security for Input HandlingAdvisor: Martin Mory ([email protected])
Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden22
Introduction:
Parsing expected tokens/inputs for an application may be an easy task. But how to react to the invalid/malicious ones?
Hand-crafted parsers for complex input languages are difficult to implement and prone to vulnerabilities.
Language Thereoretic Security (LangSec) is an upcoming field that intends to handle input using grammars and thereby
prevent input-specific threats.
Hammer is a toolkit for parser construction following the LangSec philosophy.
Task for student:
Examine, where and how flaws in traditional input handling caused severe vulnerabilites and provide prominent examples of
recent years.
What are the LangSec concepts behind the Hammer toolkit? Show why and how these help preventing vulnerabilites. Give a
non-trivial example where the utilization of hammer provides a notable security-benefit.
How does Hammer compare to the state of the art of LangSec parser generators?
Literature:
The Seven Turrets of Babel: A Taxonomy of LangSec Errors and How to Expunge Them
Falcon Momot, Sergey Bratus, Sven M. Hallberg, Meredith L. Patterson
Building Hardened Internet-of-Things Clients with Language-theoretic Security
Prashant Anantharaman, Michael Locasto, Gabriela F. Ciocarlie, Ulf Lindqvist
https://github.com/UpstandingHackers/hammer
18