Global ETD Search

31	Penetration Testing in a Web Application Environment Vernersson, Susanne January 2010 (has links) As the use of web applications is increasing among a number of different industries, many companies turn to online applications to promote their services. Companies see the great advantages with web applications such as convenience, low costs and little need of additional hardware or software configuration. Meanwhile, the threats against web applications are scaling up where the attacker is not in need of much experience or knowledge to hack a poorly secured web application as the service easily can be accessed over the Internet. While common attacks such as cross-site scripting and SQL injection are still around and very much in use since a number of years, the hacker community constantly discovers new exploits making businesses in need of higher security. Penetration testing is a method used to estimate the security of a computer system, network or web application. The aim is to reveal possible vulnerabilities that could be exploited by a malicious attacker and suggest solutions to the given problem at hand. With the right security fixes, a business system can go from being a threat to its users’ sensitive data to a secure and functional platform with just a few adjustments. This thesis aims to help the IT security consultants at Combitech AB with detecting and securing the most common web application exploits that companies suffer from today. By providing Combitech with safe and easy methods to discover and fix the top security deficiencies, the restricted time spent at a client due to budget concerns can be made more efficient thanks to improvements in the internal testing methodology. The project can additionally be of interest to teachers, students and developers who want to know more about web application testing and security as well as common exploit scenarios. penetration testing exploit XSS code injection CSRF web application security vulnerability assessment methodology Computer Sciences Datavetenskap (datalogi)
32	Differences in security between native applications and web based applications in the field of health care Dahl, Andreas, Nylander, Kristofer January 2015 (has links) Developing native applications for different platforms with different resolutions and screen sizes is both time consuming and costly. If developers were able to develop one web based application which can be used on multiple platforms, yet retain the same level of security as a native application, they would be able to reduce both development time and costs. In this thesis we will investigate the possibilities of achieving a level of security in a web-based application that can equal that of a native application, as well as how to develop an application that uses the Mina Vårdkontakter (My Healthcare Contacts) framework. Mobile application security Native and web applications Healthcare IT security Mina Vårdkontakter My Healthcare Contacts Computer Sciences Datavetenskap (datalogi)
33	Bezpečnost mobilních zařízení na platformě Android / Security of mobile devices running Android Novotný, Josef January 2015 (has links) The main subject of this thesis is the security of Android platform mobile devices. The goal of the thesis is to design and develop an application that will check given devices from the security point of view and to check the security of applications developed as the subject of theses created in the last few years at the University of Economics. In the first part of thesis there is an analysis of ways to secure the Android platform devices and applications and ways to attack them. Both the offline and the client/server architecture applications are also taken into consideration. The next part includes a security analysis of the selected application based on the beforehand determined criteria. An analysis and development of the application designated to examine the security of the given device is next. The outcome of the thesis is an easy to use application that can be launched on the mobile devices running Android 2.2 Froyo and higher.
34	Models for Risk assessment of Mobile applications Ikwuegbu, Chigozie Charles January 2020 (has links) Mobile applications are software that extend the functionality of our smartphones by connecting us with friends and a wide range of other services. Android, which is an operating system based on the Linux kernel, leads the market with over 2.6 million applications recorded on their official store. Application developers, due to the ever-growing innovation in smartphones, are compelled to release new ideas on limited budget and time, resulting in the deployment of malicious applications. Although there exists a security mechanism on the Google Play Store to remove these applications, studies have shown that most of the applications on the app store compromise privacy or pose security-related risks. It is therefore essential to investigate the security risk of installing any of these applications on a device. The objectives are to identify methods and techniques for assessing mobile application security, investigate how attributes indicate the harmfulness of applications, and evaluate the performance of K Nearest Neighbors(K-NN) and Random forest machine learning models in assessing the security risk of installing mobile applications based on information available on the application distribution platform. A literature analysis was done to gather information on the different methods and techniques for assessing security in mobile applications and investigations on how different attributes on the application distribution platform indicate the harmfulness of an application. An experiment was also conducted to examine how various machine learning models perform in evaluating the security risk associated with installing applications, based on information on the application distribution platform. Literature analysis presents the various methods and techniques for mobile application security assessment and identifies how mobile application attributes indicate the harmfulness of mobile applications. The experimental results demonstrate the performance of the aforementioned machine learning models in evaluating the security risk of installing mobile applications. In conclusion, Static, dynamic, and grey-box analysis are the methods used to evaluate mobile application security, and machine learning models including K-NN and Random forest are suitable techniques for evaluating mobile application security risk. Attributes such as the permissions, number of installations, and ratings reveal the likelihood and impact of an underlying security threat. The K-NN and Random forest models when compared to evaluate the security risk of installing mobile applications based on information on the application distribution platform showed high performance with little differences. Risk Assessment Security and Privacy Machine Learning Mobile application security Mo-bile application metadata Computer Sciences Datavetenskap (datalogi)
35	Symmetric Key Management for Mobile Financial Applications : A Key Hierarchy Approach Azam, Junaid January 2013 (has links) In recent times the usage of smart phones has significantly increased. Businesses are transforming to make more out of smart phones. As a consequence, there is an increasing demand to have more and more mobile applications. Among other areas, mobile applications are also being used to make financial transactions. Applications used for financial transactions need to be more reliable and have end-to-end security. To implement security we heavily depend on cryptography and the heart of cryptography is the keys which are used in cryptographic processes (encryption/decryption). Therefore, it is essential not only to protect, but also to properly manage these keys, so that a robust and secure system can be achieved. This research work provides a complete implementation of symmetric key management for mobile phone applications with a focus on financial data using a key hierarchy approach. We have developed a key management system which allows smart phones to download the cryptographic key hierarchy. This key hierarchy is used to encrypt and decrypt financial data, such as PIN and other transaction information. Using this application (key management system), we can achieve an end-to-end security between client (mobile phones) and payment server (banking server). This research work presents implementation of key management system for Android OS only. Symmetric Key Management Key Hierarchy Key Security Financial Transaction Mobile Phone Mobile Application Security mCommerce. Computer and Information Sciences Data- och informationsvetenskap
36	Revamping Binary Analysis with Sampling and Probabilistic Inference Zhuo Zhang (16398420) 19 June 2023 (has links) <p>Binary analysis, a cornerstone technique in cybersecurity, enables the examination of binary executables, irrespective of source code availability.</p> <p>It plays a critical role in understanding program behaviors, detecting software bugs, and mitigating potential vulnerabilities, specially in situations where the source code remains out of reach.</p> <p>However, aligning the efficacy of binary analysis with that of source-level analysis remains a significant challenge, primarily due to the uncertainty caused by the loss of semantic information during the compilation process.</p> <p><br></p> <p>This dissertation presents an innovative probabilistic approach, termed as <em>probabilistic binary analysis</em>, designed to combat the intrinsic uncertainty in binary analysis.</p> <p>It builds on the fundamental principles of program sampling and probabilistic inference, enhanced further by an iterative refinement architecture.</p> <p>The dissertation suggests that a thorough and practical method of sampling program behaviors can yield a substantial quantity of hints which could be instrumental in recovering lost information, despite the potential inclusion of some inaccuracies.</p> <p>Consequently, a probabilistic inference technique is applied to systematically incorporate and process the collected hints, suppressing the incorrect ones, thereby enabling the interpretation of high-level semantics.</p> <p>Furthermore, an iterative refinement mechanism is deployed to augment the efficiency of the probabilistic analysis in subsequent applications, facilitating the progressive enhancement of analysis outcomes through an automated or human-guided feedback loop.</p> <p><br></p> <p>This work offers an in-depth understanding of the challenges and solutions related to assessing low-level program representations and systematically handling the inherent uncertainty in binary analysis. </p> <p>It aims to contribute to the field by advancing the development of precise, reliable, and interpretable binary analysis solutions, thereby setting the groundwork for future exploration in this domain.</p> Software and application security Automated software engineering Binary Analysis Reverse Engineering Probabilistic Analysis Fuzzing
37	SUNNYMILKFUZZER - AN OPTIMIZED FUZZER FOR JVM-BASED LANGUAGE Junyang Shao (16649343) 27 July 2023 (has links) <p>This thesis presents an in-depth investigation into the opportunities of optimizing the performance (throughput) of fuzzing on Java Virtual Machine (JVM)-based languages. The study identifies five main areas for potential optimization, each of which contributes to the performance bottlenecks in the existing state-of-the-art Java fuzzer, Jazzer.</p> <p><br></p> <p>Firstly, the use of coverage probes is recognized as costly due to the native method call, including call frame generation and destruction, while it only performs a simple byte increment. Secondly, the probes may become exhausted, which subsequently cease to generate signals for new interesting inputs, while the associated costs persist. Thirdly, the scanning of the coverage map is expensive, particularly for targets with a large loaded bytecode. Given that test inputs can only execute a portion of these, the probes for most bytecodes are scanned repeatedly without generating any signals, indicating a need for a more structured coverage map design to skip the code probes effectively. Lastly, exception handling in JVM is costly as it automatically fills in the stack trace whenever an exception object is created, even when most targets don't utilize this information. </p> <p><br></p> <p>The study then designs and implements optimization techniques for these opportunities. We believe we provide the optimal solution for the first opportunity, while better optimizations could be proposed for the second, third, and fourth. The collective improvement brought about by these implementations is on average 138% and up to 441% in throughput. This work, thus, offers valuable insights into enhancing the efficiency of fuzz testing in JVM languages and paves the way for further research in optimizing other areas of JVM-based-language fuzzing performance.</p> Software and application security Performance evaluation Java and Virtual Machine Semantics Java Fuzzing Fuzzing JVM JIT Jazzer
38	DEFEATING CYBER AND PHYSICAL ATTACKS IN ROBOTIC VEHICLES Hyungsub Kim (17540454) 05 December 2023 (has links) <p dir="ltr">The world is increasingly dependent on cyber-physical systems (CPSs), e.g., robotic vehicles (RVs) and industrial control systems (ICSs). CPSs operate autonomously by processing data coming from both “cyberspace”—such as user commands—and “physical space”—such as sensors that measure the physical environment in which they operate. However, even after decades of research, CPSs remain susceptible to threats from attackers, primarily due to the increased complexity created by interaction with cyber and physical space (e.g., the cascading effects that changes in one space can impact on the other). In particular, the complexity causes two primary threats that increase the risk of causing physical damage to RVs: (1) logic bugs causing undesired physical behavior from the developers expectations; and (2) physical sensor attacks—such as GPS or acoustic noise spoofing—that disturb an RV’s sensor readings. Dealing with these threats requires addressing the interplay between cyber and physical space. In this dissertation, we systematically analyze the interplay between cyber and physical space, thereby tackling security problems created by such complexity. We present novel algorithms to detect logic bugs (PGFuzz in Chapter 2), help developers fix them (PGPatch in Chapter 3), and test the correctness of the patches attempting to address them (PatchVerif in Chapter 4). Further, we explain algorithms to discover the root causes and formulate countermeasures against physical sensor attacks that target RVs in Chapter 5.</p> Hardware security Software and application security System and network security Cybersecurity Robotic vehicle Cyber–physical system Logic bug Physical sensor attack
39	REHOSTING EMBEDDED APPLICATIONS AS LINUX APPLICATIONS FOR DYNAMIC ANALYSIS Jayashree Srinivasan (17683698) 20 December 2023 (has links) <p dir="ltr">Dynamic analysis of embedded firmware is a necessary capability for many security tasks, e.g., vulnerability detection. Rehosting is a technique that enables dynamic analysis by facilitating the execution of firmware in a host environment decoupled from the actual hardware. Current rehosting techniques focus on high-fidelity execution of the entire firmware. Consequently, these techniques try to execute firmware in an emulated environment, with precise models of hardware (i.e., peripheral) interactions. However, these techniques are hard to scale and have various drawbacks. </p><p dir="ltr">Therefore, a novel take on rehosting is proposed by focusing on the application components and their interactions with the firmware without the need to model hardware dependencies. This is achieved by rehosting the embedded application as a Linux application. In addition to avoiding precise peripheral modeling, such a rehosting technique enables the use of existing dynamic analysis techniques on these embedded applications. The feasibility of this approach is demonstrated first by manually performing the rehosting on real-world embedded applications. The challenges in each of the phases – retargeting to x86-64, peripheral handling, and fuzzing the rehosted applications are elaborated. Furthermore, automated steps for retargeting to the x86-64 and peripheral handling are developed. The peripheral handling achieves 89% accuracy if reserved regions are also considered. The testing of these rehosted applications found 2 previously unknown defects in driver components.</p> Software and application security System and network security Cybersecurity Firmware Rehosting Real-Time Systems RTOS Dynamic Analysis Embedded Systems Embedded Systems Security
40	Web-Based Intrusion Detection System Ademi, Muhamet January 2013 (has links) Web applications are growing rapidly and as the amount of web sites globallyincreases so do security threats. Complex applications often interact with thirdparty services and databases to fetch information and often interactions requireuser input. Intruders are targeting web applications specifically and they are ahuge security threat to organizations and a way to combat this is to haveintrusion detection systems. Most common web attack methods are wellresearched and documented however due to time constraints developers oftenwrite applications fast and may not implement the best security practices. Thisreport describes one way to implement a intrusion detection system thatspecifically detects web based attacks. intrusion detection system ids web application security web application network security web security Engineering and Technology Teknik och teknologier

Search results