Security analysis of bytecode interpreters using Alloy

Reynolds, Mark Clifford

January 2012

Thesis (Ph.D.)--Boston University / Security of programming languages, particularly programming languages used for network applications, is a major issue at this time. Despite the best efforts of language designers and implementers, serious security vulnerabilities continue to be discovered at an alarming rate. Thus, development of analysis tools that can be used to uncover insecure or malicious code is an important area of research. This thesis focuses on the use of the lightweight formal method tool Alloy to perform static analysis on binary code, Byte-compiled languages that run on virtual machines are of particular interest because of their relatively small instruction sets, and also because they are well represented on the Internet. This thesis describes a static analysis methodology in which desired security properties of a language are expressed as constraints in Alloy, while the actual bytes being analyzed are expressed as Alloy model initializers. The combination of these two components yields a complete Alloy model in which any model counterexample represents a constraint violation, and hence a security vulnerability. The general method of expressing security requirements as constraints is studied, and results are presented for Java bytecodes running on the Java Virtual Machine, as well as for Adobe Flash SWF files containing ActionScript bytecodes running on the Action Script Virtual Machine. It is demonstrated that many examples of malware are detected by this technique. In addition, analysis of benign software is shown to not produce any counterexamples. This represents a significant departure from standard methods based on signatures or anomaly detection.

Programming languages

Security analysis

Digital security

Bangladeshi Political Cartoons as Visual Rhetoric in the Context of Anti-Free Speech Laws

Tarannum, Aanila Kishwar

12 June 2023

Guided by Sonja Foss' (2005) theory of visual rhetoric, this thesis is an exploration of political cartoons from Bangladesh, published between October 2016 - October 2020. The study is framed by the Digital Security Act (DSA), an anti-freedom of speech law enacted by the ruling Awami League government in October 2018. The cartoons analyzed in this study are divided into two sets – 16 published in a two-year period prior to the enactment of the DSA, and 16 published within two years after the enactment of the law. A criterion-based sampling technique was used to select cartoons published online by two Bangladeshi cartoonists' – Mehedi Haque and Sadatuddin Ahmed Amil. A thematic analysis of the cartoons revealed that corruption and threats to freedom of expression are recurring themes in both sets of data, while cartoons published pre-DSA also contain commentary on the prime minister and the government's feelings of contentment. Declining democratic practices is a major theme in cartoons published post-DSA. By utilizing the method of visual rhetorical analysis on six cartoons, the study delved deeper into the cartoons' construction of visual arguments for each theme. Finally, a comparative analysis of the themes and visual arguments in cartoons from each data set revealed that cartoons published after October 2018 are differentiated by disappearing characters and storylines, the use of indirect language, and implicit visual arguments, as well as increased usage of metaphors. Cartoons published post-DSA also have a sharper focus on specific news events as indicators of national issues. This study contributes to a growing body of research on the DSA, highlights how a specific medium of expression can be affected by anti-freedom of speech laws, and provides implications for media industries facing legal challenges. / MACOM / Bangladesh, a country in South Asia, is currently following a democratic parliamentary system where Prime Minister (PM) Sheikh Hasina is the leader of the government. Her party, Awami League (AL) has been in power since 2008. Since AL's enactment of the draconian Digital Security Act (DSA) in October 2018, a culture of fear has persisted within the country's media industry as well as the public, as the law's vague wording allows people to be charged for the mildest criticism of the government and the PM. Guided by the theory of visual rhetoric (Foss, 2005), this study is framed by the DSA in its analysis of editorial cartoons published online by cartoonists Mehedi Haque and Sadatuddin Ahmed Amil between October 2016 – October 2020. A thematic analysis of cartoons published before and after the enactment of the law shows the major topics that emerge from Bangladeshi political cartoons, such as corruption, threats to freedom of expression, contentment of the government, and declining democratic practices. Visual rhetorical analysis performed on one cartoon that best represents each theme explains in detail how the cartoons use visual arguments to convey their message. Finally, a comparison between the pre- and post-DSA data sets shows that cartoons published after October 2018 are marked by disappearing characters and storylines, the use of indirect language, and implicit visual arguments, as well as increased usage of metaphors. Cartoons published post-DSA also have a sharper focus on specific news events as indicators of national issues. This study adds to developing scholarship on the DSA, highlights how editorial cartoons are affected by anti-free speech laws, and offers insights on the media sector encountering legal challenges.

Editorial Cartoons

Free Speech

Visual Rhetoric

Bangladesh

Digital Security Act

Mapeamento de incidentes com identidades digitais e estratégias de controle em ambientes virtuais

GOMES, Anselmo Lacerda

31 August 2015

Submitted by Fabio Sobreira Campos da Costa (fabio.sobreira@ufpe.br) on 2016-04-07T13:22:15Z No. of bitstreams: 2 license_rdf: 1232 bytes, checksum: 66e71c371cc565284e70f40736c94386 (MD5) AnselmoLacerdaGomesCInMsc (19-11-2015).pdf: 2341760 bytes, checksum: 06c1abb20d748a6921088b434a7b7cb3 (MD5) / Made available in DSpace on 2016-04-07T13:22:15Z (GMT). No. of bitstreams: 2 license_rdf: 1232 bytes, checksum: 66e71c371cc565284e70f40736c94386 (MD5) AnselmoLacerdaGomesCInMsc (19-11-2015).pdf: 2341760 bytes, checksum: 06c1abb20d748a6921088b434a7b7cb3 (MD5) Previous issue date: 2015-08-31 / O Roubo de Identidade Digital (RID) é o roubo de informações que resulta na possibilidade de alguém assumir a identidade da vítima. Em decorrência disso, credenciais de acesso e dados dispostos em qualquer meio eletrônico ficam vulneráveis, como em computadores e em dispositivos móveis. Ultimamente, esses dispositivos têm sido bastante visados pelos atacantes, devido à sensibilidade e pessoalidade dos dados nele armazenados. Senhas, informações bancárias, financeiras e de geolocalização são apenas alguns exemplos de dados expostos a essa vulnerabilidade moderna. O RID é uma prática que pode resultar no êxito de diversos outros crimes associados, por exemplo, estelionato, espionagem, ciberterrorismo e ciberguerra. Suas implicações são sérias, já que o atacante pode assumir o controle de instalações industriais, centros militares, governos e organizações inteiras, sendo imprevisíveis os danos à ordem pública e aos cidadãos. Neste trabalho foi utilizada a metodologia de mapeamento sistemático para identificar quais são os principais incidentes de segurança associados ao RID. Relações e relativizações foram realizadas a fim de mapear as suas principais causas e consequências. A principal contribuição desta dissertação é o mapeamento sistemático de RID. Finalmente, esta dissertação de mestrado objetivou delinear o conhecimento sobre o assunto, de forma atualizada, indicando diretrizes para a minimização ou completa prevenção de incidentes dessa natureza. / The Digital Identity Theft (DIT) is the stealing of information that allows the attacker to take the victim’s identity, somehow. This promotes the access to credentials and data disposed in computers, mobile devices or any electronic environment, making them vulnerable. Recently, mobile devices are being very targeted because of the sensibility and personality of the data found there. Passwords, bank, financial and geolocation information are just some examples of data being exposed by this modern vulnerability. DIT is a practice that may result in the success of many other associated crimes, like embezzlement, espionage, cyberterrorism and cyberwar. Its implications are serious because the attacker can assume the control of industrial facilities, military centres, government and entire organizations, damaging the public order and the people to an unpredictable extent. This work used the systematic mapping methodology to identify which are the main security incidents related to DIT. Relations and relativizations were performed to map its main causes and consequences. Finally, this dissertation aimed to delineate the knowledge on the subject, indicating guidelines to minimize or avoid entirely incidents with this nature.

Roubo de Identidade Digital

Mapeamento Sistemático

Segurança Digital

Cibercrimes

Digital Identity Theft

Systematic Mapping

Digital Security

Cybercrimes

Vem skyddar vi källan från? : En kvalitativ studie om digital säkerhet och källskydd bland svenska journalister

Lundberg, Emelie, Sadikovic, Adrian

January 2017

In the digital era, journalists’ source protection is facing new challenges. A big part of the communication between the journalists and their sources is now taking place online, thus exposing it to surveillance, national security interests and erosion of source protection laws. How engaged and interested are swedish journalists regarding these challenges? And what methods do they use to protect their sources in this new era? This study examines the knowledge and interest among swedish journalists regarding digital security and source protection issues, and which methods they use for source protection in the digital age. It also gives a brief introduction to the current laws and legislative proposals that may impact source protection in Sweden. This is done through interviews with journalists from four swedish media editors. Uppdrag granskning, Dagens Nyheter, HD/Sydsvenskan and P4 Västerbotten. Our study shows that the majority of our respondents are interested and engaged in issues regarding digital security and source protection, but the level of actual knowledge varies. Some journalists are so engaged that it affects how they live their private lives outside the newsroom, while others have little or no knowledge regarding the security of their own editorial office. It is also clear that there is a need for journalists to be educated in new secure methods so that they can, in turn, educate their own sources.

Journalism

sources

source protection

digital security

surveillance

Media and Communications

Medie- och kommunikationsvetenskap

‘As a journalist I should not be fearful’ : How democracy’s watchdogs use digital tools to mitigate threats

Orebäck, Johan

January 2022

Journalism is an ever-changing profession that is right now getting increasingly impacted by advancements in technology. These advancements make it easier, faster, and possibly safer to conduct journalism. At the same time, journalists are subjected to threats, and while some level of safety comes with digital advancements, they might also provide opportunities for reaching and threatening journalists that were not possible just a few years ago. This requires journalists to stay up to date on technological advancements in order to mitigate threats.  This thesis is based on interviews with five journalists whose work put them in or near danger and utilizes an inductive approach to iteratively study the data and analyze it using existing frameworks to categorize tactics used by journalists. This study identifies three larger categories of threats that journalists are subjected to, and the measures taken to defend against these threats with a special focus on the digital technologies at their disposal. It finds that the tactics vary depending on the source of the threats and range from being non-violent, to legitimate threats on journalists’ lives. In response, journalists use tactics to remain under the radar of danger, or to find safety using low-tech tools and to even use digital tools as an opportunity to conduct journalism that would otherwise be out of their reach. The study concludes that rather than categorizing journalists, it is better to categorize their actions in order to see them as changeable and possible to be used as reactions to threats.

Journalist Safety

Digital tools

Threat assessment

Risk Assessment

Media Affordances

Digital Security

Surveillance

Media and Communications

Medie- och kommunikationsvetenskap

Secure Reprogramming of a Network Connected Device : Securing programmable logic controllers

Tesfaye, Mussie

January 2012

This is a master’s thesis project entitled “Secure reprogramming of network connected devices”. The thesis begins by providing some background information to enable the reader to understand the current vulnerabilities of network-connected devices, specifically with regard to cyber security and data integrity. Today supervisory control and data acquisition systems utilizing network connected programmable logic controllers are widely used in many industries and critical infrastructures. These network-attached devices have been under increasing attack for some time by malicious attackers (including in some cases possibly government supported efforts). This thesis evaluates currently available solutions to mitigate these attacks. Based upon this evaluation a new solution based on the Trusted Computing Group (TCG’s) Trusted Platform Modules (TPM) specification is proposed. This solution utilizes a lightweight version of TPM and TCG’s Reliable Computing Machine (RCM) to achieve the desired security. The security of the proposed solution is evaluated both theoretically and using a prototype. This evaluation shows that the proposed solution helps to a great extent to mitigate the previously observed vulnerabilities when reprogramming network connected devices. The main result of this thesis project is a secure way of reprogramming these network attached devices so that only a valid user can successfully reprogram the device and no one else can reprogram the device (either to return it to an earlier state, perhaps with a known attack vector, or even worse prevent a valid user from programming the device). / Avhandlingen börjar med att ge lite bakgrundsinformation för att läsaren att förstå de nuvarande sårbarheten i nätverksanslutna enheter, särskilt när det gäller IT-säkerhet och dataintegritet. Idag övervakande kontroll och datainsamlingssystem använder nätverksanslutna programmerbara styrsystem används allmänt i många branscher och kritisk infrastruktur. Dessa nätverk anslutna enheter har under ökande attacker under en tid av illvilliga angripare (inklusive i vissa fall eventuellt regeringen stöds insatser). Denna avhandling utvärderar för närvarande tillgängliga lösningar för att minska dessa attacker. Baserat på denna utvärdering en ny lösning baserad på Trusted Computing Group (TCG) Trusted Platform Modules (TPM) specifikation föreslås. Denna lösning använder en lätt version av TPM och TCG:s pålitliga dator (RCM) för att uppnå önskad säkerhet. Säkerheten i den föreslagna lösningen utvärderas både teoretiskt och med hjälp av en prototyp. Utvärderingen visar att den föreslagna lösningen bidrar i stor utsträckning för att minska de tidigare observerade sårbarheter när omprogrammering nätverksanslutna enheter.  Huvudresultatet av denna avhandling projektet är ett säkert sätt omprogrammering dessa nätverksanslutna enheter så att endast ett giltigt användarnamn framgångsrikt kan omprogrammera enheten och ingen annan kan programmera enheten (antingen att återställa den till ett tidigare tillstånd, kanske med en känd attack vector, eller ännu värre förhindra en giltig användare från programmering av enheten).

SCADA

PLC

SCADA security

SCADA networks

PLC security

Trusted computing

TCM

TPM

Embedded security

Digital security

SCADA

PLC

SCADA säkerhet

SCADA-nätverk

PLC säkerhet

pålitlig datoranvändning

TCM

TPM

inbäddad säkerhetlösningar

datasäkerhet

Communication Systems

Kommunikationssystem