发布求助
文献互助 智能选刊 最新文献

2021 IEEE Secure Development Conference (SecDev)最新文献

筛选
英文 中文
Tutorial: A Lightweight Web Application for Software Vulnerability Demonstration 教程:一个轻量级Web应用程序的软件漏洞演示
2021 IEEE Secure Development Conference (SecDev) Pub Date : 2021-10-01 DOI: 10.1109/SecDev51306.2021.00014
David Lee, Brandon Steed, Yi Liu, O. Ezenwoye
{"title":"Tutorial: A Lightweight Web Application for Software Vulnerability Demonstration","authors":"David Lee, Brandon Steed, Yi Liu, O. Ezenwoye","doi":"10.1109/SecDev51306.2021.00014","DOIUrl":"https://doi.org/10.1109/SecDev51306.2021.00014","url":null,"abstract":"In cybersecurity education, it is critical to introduce students to security concepts and keep them aware of common software security weaknesses. However, the effectiveness of delivering such knowledge is complicated by the lack of practical security content and a case study that embeds contemporary security vulnerabilities for education.In this tutorial, we propose to introduce the participants to common web application vulnerabilities using a novel lightweight application case study that demonstrates software security weaknesses in a practical manner. With this tutorial, we will facilitate discussion about ways to expose students to security weaknesses, how to mitigate software vulnerabilities through secure software design and coding practices, as well as share ideas on how to improve the case study application.This three-part tutorial will first introduce the National Vulnerability Database. In addition, we will discuss the Common Weakness Enumeration and the relationship between vulnerabilities and weaknesses. We will then illustrate how the database is used to derive the common web application weaknesses. The second part of the tutorial will demonstrate the lightweight web application as a case study to illustrate the most common web application weaknesses. The participants will be guided on how to download and use the web application. This will include practical exercises of how to activate the built-in vulnerabilities that expose the common security weaknesses. Lastly, we will facilitate a discussion on the efficacy of the case study as a means for practical software vulnerability demonstration for education with a view on ways to enhance the case study.","PeriodicalId":154122,"journal":{"name":"2021 IEEE Secure Development Conference (SecDev)","volume":"31 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124008148","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 4
Towards Improving Container Security by Preventing Runtime Escapes 通过防止运行时逃逸来提高容器安全性
2021 IEEE Secure Development Conference (SecDev) Pub Date : 2021-10-01 DOI: 10.1109/SecDev51306.2021.00022
M. Reeves, D. Tian, Antonio Bianchi, Z. Berkay Celik
{"title":"Towards Improving Container Security by Preventing Runtime Escapes","authors":"M. Reeves, D. Tian, Antonio Bianchi, Z. Berkay Celik","doi":"10.1109/SecDev51306.2021.00022","DOIUrl":"https://doi.org/10.1109/SecDev51306.2021.00022","url":null,"abstract":"Container escapes enable the adversary to execute code on the host from inside an isolated container. These high severity escape vulnerabilities originate from three sources: (1) container profile misconfigurations, (2) Linux kernel bugs, and (3) container runtime vulnerabilities. While the first two cases have been studied in the literature, no works have investigated the impact of container runtime vulnerabilities. In this paper, to fill this gap, we study 59 CVEs for 11 different container runtimes. As a result of our study, we found that five of the 11 runtimes had nine publicly available PoC container escape exploits covering 13 CVEs. Our further analysis revealed all nine exploits are the result of a host component leaked into the container. We apply a user namespace container defense to prevent the adversary from leveraging leaked host components and demonstrate that the defense stops seven of the nine container escape exploits.","PeriodicalId":154122,"journal":{"name":"2021 IEEE Secure Development Conference (SecDev)","volume":"16 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114759967","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 7
Tutorial: Investigating Advanced Exploits for System Security Assurance 教程:调查系统安全保障的高级漏洞
2021 IEEE Secure Development Conference (SecDev) Pub Date : 2021-10-01 DOI: 10.1109/SecDev51306.2021.00013
Salman Ahmed, Long Cheng, Hans Liljestrand, N. Asokan, D. Yao
{"title":"Tutorial: Investigating Advanced Exploits for System Security Assurance","authors":"Salman Ahmed, Long Cheng, Hans Liljestrand, N. Asokan, D. Yao","doi":"10.1109/SecDev51306.2021.00013","DOIUrl":"https://doi.org/10.1109/SecDev51306.2021.00013","url":null,"abstract":"Investigation of existing advanced exploits is crucial for system security assurance. One way to achieve system security assurance is through evaluating defenses using qualitative security metrics and accurate measurement methodologies. Analyzing existing exploit techniques can provide crucial insights about qualitative security metrics and measurement methodologies.In this tutorial, we investigate existing advanced exploit techniques by dividing the exploits into their constituent components. Our analyses focus on the impact of different defense techniques on the individual exploit components. These impact analyses provide insights for finding security metrics/methodologies as well as improving existing defenses. In this tutorial, we aim to focus on Return-Oriented Programming (ROP), Just-In-Time Return-Oriented Programming (JITROP), and Data-Oriented Attacks (DOAs). We aim to cover defenses such as fine-grained Address Space Layout Randomization (ASLR) and pointer protection techniques. More specifically, we aim to quantify the impact of fine-grained ASLR on different components of advanced ROP attacks. Besides, we will demonstrate a data-oriented exploit–an attack technique that circumvents currently deployed defenses– and explore defense techniques for defending against DOAs.Through this tutorial, we aim to improve people’s understanding and awareness of fundamental operating system security. The hands-on portion of the proposed tutorial will empower participants and researchers by providing knowledge on low-level security, application-level defenses, and security metrics/methodologies.","PeriodicalId":154122,"journal":{"name":"2021 IEEE Secure Development Conference (SecDev)","volume":"28 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127731460","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 1
Layered Formal Verification of a TCP Stack TCP栈的分层形式化验证
2021 IEEE Secure Development Conference (SecDev) Pub Date : 2021-10-01 DOI: 10.1109/SecDev51306.2021.00028
Guillaume Cluzel, Kyriakos Georgiou, Yannick Moy, C. Zeller
{"title":"Layered Formal Verification of a TCP Stack","authors":"Guillaume Cluzel, Kyriakos Georgiou, Yannick Moy, C. Zeller","doi":"10.1109/SecDev51306.2021.00028","DOIUrl":"https://doi.org/10.1109/SecDev51306.2021.00028","url":null,"abstract":"The Transmission Control Protocol (TCP) at the heart of TCP/IP protocol stacks is a critical part of our current digital infrastructure. In this article, we show how an existing professional-grade open source embedded TCP/IP library can benefit from a formally verified TCP reimplementation. Our approach is to apply formal verification to the TCP layer only, relying on validated models of the lower layers on which it depends.","PeriodicalId":154122,"journal":{"name":"2021 IEEE Secure Development Conference (SecDev)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129516603","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
Tutorial: The Correctness-by-Construction Approach to Programming Using CorC 教程:使用CorC编程的构造正确性方法
2021 IEEE Secure Development Conference (SecDev) Pub Date : 2021-10-01 DOI: 10.1109/SecDev51306.2021.00012
Ina Schaefer, Tobias Runge, L. Cleophas, B. Watson
{"title":"Tutorial: The Correctness-by-Construction Approach to Programming Using CorC","authors":"Ina Schaefer, Tobias Runge, L. Cleophas, B. Watson","doi":"10.1109/SecDev51306.2021.00012","DOIUrl":"https://doi.org/10.1109/SecDev51306.2021.00012","url":null,"abstract":"The Correctness-by-Construction tutorial focuses on a structured programming approach for correct software development. Besides functional correctness, also non-functional properties such as security properties can be guaranteed using the CbC approach. In this tutorial, the participants learn a good practice to develop software that is midway between formal approaches and a “hack into correctness” style.","PeriodicalId":154122,"journal":{"name":"2021 IEEE Secure Development Conference (SecDev)","volume":"111 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130738544","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
Tutorial: LLVM for Security Practitioners 教程:LLVM安全从业人员
2021 IEEE Secure Development Conference (SecDev) Pub Date : 2021-10-01 DOI: 10.1109/SecDev51306.2021.00016
J. Criswell, Ethan Johnson, Colin Pronovost
{"title":"Tutorial: LLVM for Security Practitioners","authors":"J. Criswell, Ethan Johnson, Colin Pronovost","doi":"10.1109/SecDev51306.2021.00016","DOIUrl":"https://doi.org/10.1109/SecDev51306.2021.00016","url":null,"abstract":"Many security researchers need to build tools that analyze and transform code. For example, researchers may want to build security hardening tools, tools that find vulnerabilities within software, or tools that prove that a program is invulnerable to attack. This tutorial will guide attendees through creating extensions to the LLVM compiler that perform simple analysis and transformation operations.","PeriodicalId":154122,"journal":{"name":"2021 IEEE Secure Development Conference (SecDev)","volume":"79 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134313341","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
Enclave-Based Secure Programming with JE 基于enclave的JE安全编程
2021 IEEE Secure Development Conference (SecDev) Pub Date : 2021-10-01 DOI: 10.1109/SecDev51306.2021.00026
Aditya Oak, Amir M. Ahmadian, Musard Balliu, G. Salvaneschi
{"title":"Enclave-Based Secure Programming with JE","authors":"Aditya Oak, Amir M. Ahmadian, Musard Balliu, G. Salvaneschi","doi":"10.1109/SecDev51306.2021.00026","DOIUrl":"https://doi.org/10.1109/SecDev51306.2021.00026","url":null,"abstract":"Over the past few years, major hardware vendors have started offering processors that support Trusted Execution Environments (TEEs) allowing confidential computations over sensitive data on untrusted hosts. Unfortunately, developing applications that use TEEs remains challenging. Current solutions require using low-level languages (e.g., C/C++) to handle the TEE management process manually – a complex and error-prone task. Worse, the separation of the application into components that run inside and outside the TEE may lead to information leaks. In summary, TEEs are a powerful means to design secure applications, but there is still a long way to building secure software with TEEs alone.In this work, we present J E, a programming model for developing TEE-enabled applications where developers only need to annotate Java programs to define application-level security policies and run them securely inside enclaves.","PeriodicalId":154122,"journal":{"name":"2021 IEEE Secure Development Conference (SecDev)","volume":"38 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131240523","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 2
Tutorial: Sandboxing (unsafe) C code with RLBox 教程:使用RLBox进行沙箱(不安全)C代码
2021 IEEE Secure Development Conference (SecDev) Pub Date : 2021-10-01 DOI: 10.1109/SecDev51306.2021.00017
Shravan Narayan, Craig Disselkoen, D. Stefan
{"title":"Tutorial: Sandboxing (unsafe) C code with RLBox","authors":"Shravan Narayan, Craig Disselkoen, D. Stefan","doi":"10.1109/SecDev51306.2021.00017","DOIUrl":"https://doi.org/10.1109/SecDev51306.2021.00017","url":null,"abstract":"RLBox is a C++ framework for building secure systems from untrusted libraries. RLBox uses a static type system to (1) abstract isolation mechanisms like WebAssembly (2) make data and control flow across the application-library boundary explicit and safe, and (3) help developers retrofit their application with sandboxing. In this tutorial, we first give an overview of RLBox and demonstrate how the RLBox framework helps sandbox a (buggy) C library in a simple C++ application. Then, we walk through the process of using RLBox to sandbox libraries in larger C++ codebases like the Firefox Web browser.","PeriodicalId":154122,"journal":{"name":"2021 IEEE Secure Development Conference (SecDev)","volume":"25 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127686387","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
Developers Are Neither Enemies Nor Users: They Are Collaborators 开发者既不是敌人也不是用户:他们是合作者
2021 IEEE Secure Development Conference (SecDev) Pub Date : 2021-10-01 DOI: 10.1109/SecDev51306.2021.00023
Partha Das Chowdhury, Joseph Hallett, Nikhil Patnaik, Mohammad Tahaei, A. Rashid
{"title":"Developers Are Neither Enemies Nor Users: They Are Collaborators","authors":"Partha Das Chowdhury, Joseph Hallett, Nikhil Patnaik, Mohammad Tahaei, A. Rashid","doi":"10.1109/SecDev51306.2021.00023","DOIUrl":"https://doi.org/10.1109/SecDev51306.2021.00023","url":null,"abstract":"Developers struggle to program securely. Prior works have reviewed the methods used to run user-studies with developers, systematized the ancestry of security API usability recommendations, and proposed research agendas to help understand developers’ knowledge, attitudes towards security and priorities. In contrast we study the research to date and abstract out categories of challenges, behaviors and interventions from the results of developer-centered studies. We analyze the abstractions and identify five misplaced beliefs or tropes about developers embedded in the core design of APIs and tools. These tropes hamper the effectiveness of interventions to help developers program securely. Increased collaboration between developers, security experts and API designers to help developers understand the security assumptions of APIs alongside creating new useful abstractions—derived from such collaborations—will lead to systems with better security.","PeriodicalId":154122,"journal":{"name":"2021 IEEE Secure Development Conference (SecDev)","volume":"13 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131713822","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 6
Vivienne: Relational Verification of Cryptographic Implementations in WebAssembly WebAssembly中加密实现的关系验证
2021 IEEE Secure Development Conference (SecDev) Pub Date : 2021-09-03 DOI: 10.1109/SecDev51306.2021.00029
R. Tsoupidi, Musard Balliu, B. Baudry
{"title":"Vivienne: Relational Verification of Cryptographic Implementations in WebAssembly","authors":"R. Tsoupidi, Musard Balliu, B. Baudry","doi":"10.1109/SecDev51306.2021.00029","DOIUrl":"https://doi.org/10.1109/SecDev51306.2021.00029","url":null,"abstract":"We investigate the use of relational symbolic execution to counter timing side channels in WebAssembly programs. We design and implement Vivienne, an open-source tool to automatically analyze WebAssembly cryptographic libraries for constant-time violations. Our approach features various optimizations that leverage the structure of WebAssembly and automated theorem provers, including support for loops via relational invariants. We evaluate Vivienne on 57 real-world cryptographic implementations, including a previously unverified implementation of the HACL* library in WebAssembly. The results indicate that Vivienne is a practical solution for constant-time analysis of cryptographic libraries in WebAssembly.","PeriodicalId":154122,"journal":{"name":"2021 IEEE Secure Development Conference (SecDev)","volume":"70 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-09-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114829979","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 2
首页 上一页
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
请完成安全验证×
相关产品
×
本文献相关产品
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信