A Combined Approach to Vulnerability for Research Ethics

Vaters, Jordan

January 2021

There is a problem associated with the concept of vulnerability for research ethics. This problem is that we must identify populations in need of additional protections while also delineating these protections. Some have argued that the concept is too nebulous to warrant use since an increasing number of individuals may be deemed vulnerable such that virtually everyone is vulnerable in some way. In opposition to this, many have argued that that the concept of vulnerability needs to be more specific. In this thesis, I evaluate the concept of vulnerability in a number of ways. I touch on rejections of the concept, the history of the concept though both research guidelines and research ethics and seek to explore a way forward to a more useable account of vulnerability. I argue that no current account of vulnerability is adequality able to address the challenging questions posed by research trials involving human participants. A persuasive account of vulnerability should (1) have a plausible/persuasive definition of vulnerability; (2) figure out what the application of a theory of vulnerability looks like; and (3) what obligations or duties are owed to the vulnerable (and who is responsible for fulfilling these duties). In order to address this, I propose the Combined approach to vulnerability. This approach defines vulnerability as an increased likelihood to incur additional or greater wrongs. The Combined approach functions like a taxonomy and categorizes vulnerability into three groups with the use of layers and restricts the application of these layers with its formal the definition of vulnerability. This thesis marks a new novel contribution to the field of research ethics, in the way of a new theory to vulnerability that emerges from the current literature and makes progress towards a more useful concept of duties and obligations owed to the vulnerable grounded communal engagement. / Thesis / Master of Arts (MA) / Vulnerability as a concept is thoroughly debated in the field of research ethics. Some argue that the concept is useless, while others argue that the concept of vulnerability needs to be more specific about who it applies to and why. This thesis situates itself within the latter side of the debate. The Combined approach to vulnerability is my answer to this question. The Combined approach defines vulnerability as an increased likelihood to incur additional or greater wrongs. The Combined approach functions like a taxonomy and categorizes vulnerability into three groups (inherent layers, contextual layers, cascade layers) with the use of the metaphor of layers and restricts the application of these layers with its formal the definition of vulnerability. The main contributions of this approach are its novel combination as well as its new approach to the duties owed to the vulnerable.

Analyse de codes auto-modifiants pour la sécurité logicielle / Self-modifying code analysis for software security

Reynaud, Daniel

15 October 2010

Les programmes auto-modifiants fonctionnent de manière singulière car ils sont capables de réécrire leur propre code en cours d'exécution. Absents des modèles de calcul théoriques, ils sont pourtant omniprésents dans les ordinateurs et les systèmes d'exploitations actuels. Ils sont en effet utilisés par les chargeurs d'amorçages, pour la compilation à la volée ou encore l'optimisation dynamique de code. Ils sont également omniprésents dans les programmes malveillants, dont les auteurs ont bien compris qu'ils constituaient des objets complexes à analyser. Ils sont également virtuellement présents dans tous les autres programmes mais de manière non-intentionnelle. En effet, on peut voir certaines classes de vulnérabilités, par exemple les failles par débordement de tampon, comme la possibilité d'exécuter accidentellement des données -- ce qui est un comportement caractéristique des programmes auto-modifiants.Au cours de cette thèse, nous avons proposé un modèle théorique permettant de caractériser un certain nombre de comportements auto-modifiants avancés. Nous avons également mis au point un prototype, TraceSurfer, permettant de détecter efficacement ces comportements à partir de l'analyse de traces et de les visualiser sous forme de graphes d'auto-référence. Enfin, nous avons validé par l'expérience à la fois le modèle théorique et l'outil en les testant sur un grand nombre de programmes malveillants / Self-modifying programs run in a very specific way: they are capable to rewrite their own code at runtime. Remarkably absent from theoretical computation models, they are present in every modern computer and operating system. Indeed, they are used by bootloaders, for just-in-time compilation or dynamic optimizations. They are also massively used by malware authors in order to bypass antivirus signatures and to delay analysis. Finally, they are unintentionally present in every program, since we can model code injection vulnerabilities (such as buffer overflows) as the ability for a program to accidentally execute data.In this thesis, we propose a formal framework in order to characterize advanced self-modifying behaviors and code armoring techniques. A prototype, TraceSurfer, allows us to detect these behaviors by using fine-grained execution traces and to visualize them as self-reference graphs. Finally, we assess the performance and efficiency of the tool by running it on a large corpus of malware samples

Analyse binaire

Comportement

Politique de sécurité

Programmes malveillants

Recherche de vulnérabilités

Auto-référence

Binary analysis

Behaviour

Security policy

Malware

Vulnerability research

Self-reference