Secure Coding Practice in Java: Automatic Detection, Repair, and Vulnerability Demonstration

Zhang, Ying

12 October 2023

The Java platform and third-party open-source libraries provide various Application Programming Interfaces (APIs) to facilitate secure coding. However, using these APIs securely is challenging for developers who lack cybersecurity training. Prior studies show that many developers use APIs insecurely, thereby introducing vulnerabilities in their software. Despite the availability of various tools designed to identify API insecure usage, their effectiveness in helping developers with secure coding practices remains unclear. This dissertation focuses on two main objectives: (1) exploring the strengths and weaknesses of the existing automated detection tools for API-related vulnerabilities, and (2) creating better tools that detect, repair, and demonstrate these vulnerabilities. Our research started with investigating the effectiveness of current tools in helping with developers' secure coding practices. We systematically explored the strengths and weaknesses of existing automated tools for detecting API-related vulnerabilities. Through comprehensive analysis, we observed that most existing tools merely report misuses, without suggesting any customized fixes. Moreover, developers often rejected tool-generated vulnerability reports due to their concerns on the correctness of detection, and the exploitability of the reported issues. To address these limitations, the second work proposed SEADER, an example-based approach to detect and repair security-API misuses. Given an exemplar ⟨insecure, secure⟩ code pair, SEADER compares the snippets to infer any API-misuse template and corresponding fixing edit. Based on the inferred information, given a program, SEADER performs inter-procedural static analysis to search for security-API misuses and to propose customized fixes. The third work leverages ChatGPT-4.0 to automatically generate security test cases. These test cases can demonstrate how vulnerable API usage facilitates supply chain attacks on specific software applications. By running such test cases during software development and maintenance, developers can gain more relevant information about exposed vulnerabilities, and may better create secure-by-design and secure-by-default software. / Doctor of Philosophy / The Java platform and third-party open-source libraries provide various Application Pro- gramming Interfaces (APIs) to facilitate secure coding. However, using these APIs securely can be challenging, especially for developers who aren't trained in cybersecurity. Prior work shows that many developers use APIs insecurely, consequently introducing vulnerabilities in their software. Despite the availability of various tools designed to identify API insecure usage, it is still unclear how well they help developers with secure coding practices. This dissertation focuses on (1) exploring the strengths and weaknesses of the existing au- tomated detection tools for API-related vulnerabilities, and (2) creating better tools that detect, repair, and demonstrate these vulnerabilities. We first systematically evaluated the strengths and weaknesses of the existing automated API-related vulnerability detection tools. We observed that most existing tools merely report misuses, without suggesting any cus- tomized fixes. Additionally, developers often reject tool-generated vulnerability reports due to their concerns about the correctness of detection, and whether the reported vulnerabil- ities are truly exploitable. To address the limitations found in our study, the second work proposed a novel example-based approach, SEADER, to detect and repair API insecure usage. The third work leverages ChatGPT-4.0 to automatically generate security test cases, and to demonstrate how vulnerable API usage facilitates the supply chain attacks to given software applications.

API insecure usages

Static analysis

Repair

Cryptography

Supply chain attack

ChatGPT-4.0

Test generation.

A Multi-Agent Defense Methodology with Machine Learning against Cyberattacks on Distribution Systems

Appiah-Kubi, Jennifer

17 August 2022

The introduction of communication technology into the electric power grid has made the grid more reliable. Power system operators gain visibility over the power system and are able to resolve operational issues remotely via Supervisory Control And Data Acquisition (SCADA) technology. This reduces outage periods. Nonetheless, the remote-control capability has rendered the power grid vulnerable to cyberattacks. In December 2015, over 200,000 people in Ukraine became victims of the first publicly reported cyberattack on the power grid. Consequently, cyber-physical security research for the power system as a critical infrastructure is in critical need. Research on cybersecurity for power grids has produced a diverse literature; the multi-faceted nature of the grid makes it vulnerable to different types of cyberattacks, such as direct power grid, supply chain and ransom attacks. The attacks may also target different levels of grid operation, such as the transmission system, distribution system, microgrids, and generation. As these levels are characterized by varying operational constraints, the literature may be categorized not only according to the type of attack it targets, but also according to the level of power system operation under consideration. It is noteworthy that cybersecurity research for the transmission system dominates the literature, although the distribution system is noted to have a larger attack surface. For the distribution system, a notable attack type is the so-called direct switching attack, in which an attacker aims to disrupt power supply by compromising switching devices that connect equipment such as generators, and power grid lines. To maximize the damage, this attack tends to be coordinated as the attacker optimally selects the nodes and switches to attack. This decision-making process is often a bi- or tri-level optimization problem which models the interaction between the attacker and the power system defender. It is necessary to detect attacks and establish coordination/correlation among them. Determining coordination is a necessary step to predict the targets of an attack before attack completion, and aids in the mitigation strategy that ensues. While the literature has addressed the direct switching attack on the distribution system in different ways, there are also shortcomings. These include: (i) techniques to establish coordination among attacks are centralized, making them prone to single-point failures; (ii) techniques to establish coordination among attacks leverage only power system models, ignoring the influence of communication network vulnerabilities and load criticality in the decisions of the attacker; (iii) attacker-defender optimization models assume specific knowledge of the attacker resources and constraints by the defender, a strong unrealistic assumption that reduces their usability; (iv) and, mitigation strategies tend to be static and one-sided, being implemented only at the physical level, or at the communication network level. In light of this, this dissertation culminates in major contributions concerning real-time decentralized correlation of detected direct switching attacks and hybrid mitigation for electric power distribution systems. Concerning this, four novel contributions are presented: (i) a framework for decentralized correlation of attacks and mitigation; (ii) an attacker-defender optimization model that accounts for power system laws, load criticality, and cyber vulnerabilities in the decision-making process of the attacker; (iii) a real-time learning-based mechanism for determining correlation among detected attacks and predicting attack targets, and which does not assume knowledge of the attacker's resources and constraints by the power system defender; (iv) a hybrid mitigation strategy optimized in real-time based on information learned from detected attacks, and which combines both physical level and communication network level mitigation. Since the execution of intrusion detection systems and mechanisms such as the ones proposed in this dissertation may deter attackers from directly attacking the power grid, attackers may perform a supply chain cyberattack to yield the same results. Although, supply chain cyberattacks have been acknowledged as potentially far-reaching, and compliance directives put forward for this, the detection of supply chain cyberattacks is in a nascent stage. Consequently, this dissertation also proposes a novel method for detecting supply chain cyberattacks. To the best of the knowledge of the author, this work is the first preliminary work on supply chain cyberattack detection. / Doctor of Philosophy / The electric power grid is the network that transports electricity from generation to consumers, such as homes and factories. The power grid today is highly remote-monitored and controlled. Should there be a fault on the grid, the human operator, often remotely located, may only need to resolve it by sending a control signal to telemetry points, called nodes, via a communication network. This significantly reduces outage periods and improves the reliability of the grid. Nonetheless, the high level connectivity also exposes the grid to cyberattacks. The cyber connectivity between the power grid and the human operator, like all communication networks, is vulnerable to cyberattacks that may allow attackers to gain control of the power grid. If and when successful, wide-spread and extended outages, equipment damage, etc. may ensue. Indeed, in December 2015, over 200,000 people in Ukraine became victims to the first publicly reported cyberattack on a power grid. As a critical infrastructure, cybersecurity for the power grid is, therefore, in critical need. Research on cybersecurity for power grids has produced a diverse literature; the multi-faceted nature of the grid makes it vulnerable to different types of cyberattacks, such as direct power grid, supply chain and ransom attacks. Notable is the so-called direct switching attack, in which an attacker aims to compromise the power grid communication network in order to toggle switches that connect equipment such as generators, and power grid lines. The aim is to disrupt electricity service. To maximize the damage, this attack tends to be coordinated; the attacker optimally selects several grid elements to attack. Thus, it is necessary to both detect attacks and establish coordination among them. Determining coordination is a necessary step to predict the targets of an attack before attack completion. This aids the power grid owner to intercept and mitigate attacks. While the literature has addressed the direct switching attack in different ways, there are also shortcomings. Three outstanding ones are: (i) techniques to determine coordination among attacks and predict attack targets are centralized, making them prone to single-point failures; (ii) techniques to establish coordination among attacks leverage only power system physical laws, ignoring the influence of communication network vulnerabilities in the decisions of the attacker; (iii) and, studies on the interaction between the attacker and the defender (i.e., power grid owner) assume specific knowledge of the attacker resources and constraints by the defender, a strong unrealistic assumption that reduces their usability. This research project addresses several of the shortcomings in the literature, particularly the aforementioned. The work focuses on the electric distribution system, which is the power grid that connects directly to consumers. Indeed, this choice is ideal, as the distribution system has a larger attack surface than other parts of the grid and is characterized by computing devices with more constrained computational capability. Thus, adaptability to simple computing devices is a priority. The contributions of this dissertation provide leverage to the power grid owner to intercept and mitigate attacks in a resilient manner. The original contributions of the work are: (i) a novel realistic model that shows the decision making process of the attacker and their interactions with the defender; (ii) a novel decentralized mechanism for predicting the targets of coordinated cyberattacks on the electric distribution grid in real-time and which is guided by the attack model, (iii) and a novel hybrid optimized mitigation strategy that provides security to the power grid at both the communication network level and the physical power grid level. Since the power grid is constructed with smart equipment from various vendors, attackers may launch effective attacks by compromising the devices deployed in the power grid through a compromised supply chain. By nature, such an attack is evasive to traditional intrusion detection systems and algorithms such as the aforementioned. Therefore, this work also provides a new method to defend the grid against supply chain attacks, resulting in a mechanism for its detection in a critical power system communication device.

Distribution Automation

Anomaly Detection

Direct Switching Attack

Intrusion Prevention

Multi-agent System

Reinforcement Learning

Bi-level Optimization

Unbalanced Multi-Phase System

Supply Chain Attack Detection

Petri Net

Software Supply Chain Security: Attacks, Defenses, and the Adoption of Signatures

Taylor R Schorlemmer (14674685)

27 April 2024

<p dir="ltr">Modern software relies heavily on third-party dependencies (often distributed via public package registries), making software supply chain attacks a growing threat. Prior work investigated attacks and defenses, but only taxonomized attacks or proposed defensive techniques, did not consistently define software supply chain attacks, and did not provide properties to assess the security of software supply chains. We do not have a unified definition of software supply chain attacks nor a set of properties that a secure software supply chain should follow.</p><p dir="ltr">Guaranteeing authorship in a software supply chain is also a challenge. Package maintainers can guarantee package authorship through software signing. However, it is unclear how common this practice is or if existing signatures are created properly. Prior work provided raw data on registry signing practices, but only measured single platforms, did not consider quality, did not consider time, and did not assess factors that may influence signing. We do not have up-to-date measurements of signing practices nor do we know the quality of existing signatures. Furthermore, we lack a comprehensive understanding of factors that influence signing adoption.</p><p dir="ltr">This thesis addresses these gaps. First, we systematize existing knowledge into: (1) a four-stage supply chain attack pattern; and (2) a set of properties for secure supply chains (transparency, validity, and separation). Next, we measure current signing quantity and quality across three kinds of package registries: traditional software (Maven Central, PyPI), container images (Docker Hub), and machine learning models (Hugging Face). Then, we examine longitudinal trends in signing practices. Finally, we use a quasi-experiment to estimate the effect that various factors had on software signing practices.</p><p dir="ltr">To summarize the findings of our quasi-experiment: (1) mandating signature adoption improves the quantity of signatures; (2) providing dedicated tooling improves the quality of signing; (3) getting started is the hard part — once a maintainer begins to sign, they tend to continue doing so; and (4) although many supply chain attacks are mitigable via signing, signing adoption is primarily affected by registry policy rather than by public knowledge of attacks, new engineering standards, etc. These findings highlight the importance of software package registry managers and signing infrastructure.</p>

System and network security

Empirical software engineering

software supply chain

signing

software signing

digital signature

cybersecurity

software supply chain attack

cryptography

quasi experiment

empirical software engineering

provenance

package registry

software reuse