From Theory to Practice: Deployment-grade Tools and Methodologies for Software Security

Rahaman, Sazzadur 25 August 2020 (has links)
Following proper guidelines and recommendations is crucial in software security, which is mostly obstructed by accidental human errors. Automatic screening tools have great potential to reduce the gap between the theory and the practice. However, the goal of scalable automated code screening is largely hindered by the practical difficulty of reducing false positives without compromising analysis quality. To enable compile-time security checking of cryptographic vulnerabilities, I developed highly precise static analysis tools (CryptoGuard and TaintCrypt) that developers can use routinely. The main technical enabler for CryptoGuard is a set of detection algorithms that refine program slices by leveraging language-specific insights, whereas TaintCrypt relies on symbolic execution-based path-sensitive analysis to reduce false positives. Both CryptoGuard and TaintCrypt uncovered numerous vulnerabilities in real-world software, which proves their effectiveness. Oracle has implemented our cryptographic code screening algorithms for Java in its internal code analysis platform, Parfait, and detected numerous vulnerabilities that were previously unknown. I also designed a specification language named SpanL to easily express rules for automated code screening. SpanL enables domain experts to create domain-specific security checking. Unfortunately, tools and guidelines are not sufficient to ensure baseline security in internet-wide ecosystems. I found that the lack of proper compliance checking induced a huge gap in the payment card industry (PCI) ecosystem. I showed that none of the PCI scanners (out of 6) we tested are fully compliant with the guidelines, issuing certificates to merchants that still have major vulnerabilities. Consequently, 86% (out of 1,203) of the e-commerce websites we tested are non-compliant. To improve the testbeds in the light of our work, the PCI Security Council shared a copy of our PCI measurement paper with the dedicated companies that host, manage, and maintain the PCI certification testbeds.

/ Doctor of Philosophy / Automatic screening tools have great potential to reduce the gap between the theory and the practice of software security. However, the goal of scalable automated code screening is largely hindered by the practical difficulty of reducing false positives without compromising analysis quality. To enable compile-time security checking of cryptographic vulnerabilities, I developed highly precise static analysis tools (CryptoGuard and TaintCrypt) that developers can use routinely. Both CryptoGuard and TaintCrypt uncovered numerous vulnerabilities in real-world software, which proves their effectiveness. Oracle has implemented our cryptographic code screening algorithms for Java in its internal code analysis platform, Parfait, and detected numerous vulnerabilities that were previously unknown. I also designed a specification language named SpanL to easily express rules for automated code screening. SpanL enables domain experts to create domain-specific security checking. Unfortunately, tools and guidelines are not sufficient to ensure baseline security in internet-wide ecosystems. I found that the lack of proper compliance checking induced a huge gap in the payment card industry (PCI) ecosystem. I showed that none of the PCI scanners (out of 6) we tested are fully compliant with the guidelines, issuing certificates to merchants that still have major vulnerabilities. Consequently, 86% (out of 1,203) of the e-commerce websites we tested are non-compliant. To improve the testbeds in the light of our work, the PCI Security Council shared a copy of our PCI measurement paper with the dedicated companies that host the PCI certification testbeds.
L'expertise et la lutte contre la fraude monétique / Solid forensic assessment and the fight against payment card fraud

Souvignet, Thomas 18 December 2014 (has links)
Annual payment card fraud in Europe amounts to more than 1.5 billion euros. This windfall whets the appetite of criminal groups, who exploit the slightest weakness in the payment card ecosystem. The five principal players in that ecosystem (cardholders, issuers, acceptors, acquirers and payment systems) nevertheless rely on standardized systems and networks whose security is governed by binding international standards. Yet payment card fraud keeps growing, while the means of fighting it (state, collaborative or individual) remain limited. After studying payment card fraud, this thesis proposes various actions (passive, reactive and proactive) aimed at improving the fight against it. First, fraud must be better understood by studying the origin of stolen data and no longer only its use. Next, the forensic assessment of these frauds must be improved, for example by developing a means of capturing scientific progress. This expertise must in part be passed on to investigators so that they can conduct their investigations. Those investigations can be energized by reactive operations bringing together investigators and technical experts. Finally, proactively, the investigations and analyses of tomorrow must be facilitated by the payment card technologies designed today.

/ Every year, payment card fraud exceeds 1.5 billion euros in Europe. Organised crime groups are exploiting any vulnerability possible to take a piece of this lucrative activity. Even though the five principal entities in the payment card industry (cardholders, issuers, acceptors, acquirers and payment system providers) are implementing binding security measures throughout standardized systems and networks, fraud continues to increase. Efforts by the state, industry collaboration, and individuals have been unsuccessful in decreasing criminal advances. Having analysed the elements of payment card fraud, this thesis proposes several actions (passive, reactive and proactive) to help improve the fight against this fraud. First, it is relevant to gain knowledge of the source of the card details and not to focus only on their reuse. Next, forensic assessment has to be improved, for example by developing an increased scientific understanding of the technology. Such expertise should then be passed on to investigators through effective training and knowledge transfer. Investigations should also be made more dynamic with reactive operations conducted in concert by investigators and technicians. Finally, in an ideal proactive spirit, future investigations and assessments should be oriented and facilitated by studying and influencing current payment card technology developments.
The Standardization Vs. Customization Debate Continues for PCI DSS Compliant Products

IMERI, DODONA January 2015 (has links)
When it comes to cloud services, security has many times been the hot topic. This has been especially relevant within the payment card industry and the secure handling of payment card data. The Payment Card Industry Security Standards Council (the council) was formed in order to ensure a global enhancement of payment card data security. The council has issued requirements that all companies that handle payment card data are obliged to follow. However, the council has recently become much stricter, creating an urgency to become compliant. Thus, cloud service providers (CSPs) have constructed standardized, PCI DSS compliant products so as to relieve such customers. Since this emerging market is somewhat new, this thesis has researched how CSPs should relate to products within that market and the potential customer base. The case study for this research was conducted at Tieto, an IT service company, and its standardized, PCI DSS compliant product TiCC. The study collected empirical data in the form of qualitative interviews as well as quantitative telephone interviews with companies within the payment card industry. The study came to the conclusion that there is a demand that is not being met within the payment card industry related to products that aid organizations in becoming PCI DSS compliant. Standardized products have been constructed so as to fit financial customers while overlooking the demand of another large customer base, retail. Additionally, the products are being tweaked and features are being added, thus providing customization. CSPs are striving for both standardization as well as customization, something that has been considered counterproductive. The existing demand is thus not met by the current supply in the market, which has both multiple competitors and heterogeneity in market demand. The above thus leaves room for market seizure, to create one's own rules and thus make all competitors irrelevant. A potential way of doing that is through mass customization by standardizing higher levels of cloud computing.