331 |
Authentication and SQL-Injection Prevention Techniques in Web ApplicationsCetin, Cagri 17 June 2019 (has links)
This dissertation addresses the top two “most critical web-application security risks” by combining two high-level contributions.
The first high-level contribution introduces and evaluates collaborative authentication, or coauthentication, a single-factor technique in which multiple registered devices work together to authenticate a user. Coauthentication provides security benefits similar to those of multi-factor techniques, such as mitigating theft of any one authentication secret, without some of the inconveniences of multi-factor techniques, such as having to enter passwords or biometrics. Coauthentication provides additional security benefits, including: preventing phishing, replay, and man-in-the-middle attacks; basing authentications on high-entropy secrets that can be generated and updated automatically; and availability protections against, for example, device misplacement and denial-of-service attacks. Coauthentication is amenable to many applications, including m-out-of-n, continuous, group, shared-device, and anonymous authentications. The principal security properties of coauthentication have been formally verified in ProVerif, and implementations have performed efficiently compared to password-based authentication.
The second high-level contribution defines a class of SQL-injection attacks that are based on injecting identifiers, such as table and column names, into SQL statements. An automated analysis of GitHub shows that 15.7% of 120,412 posted Java source files contain code vulnerable to SQL-Identifier Injection Attacks (SQL-IDIAs). We have manually verified that some of the 18,939 Java files identified during the automated analysis are indeed vulnerable to SQL-IDIAs, including deployed Electronic Medical Record software for which SQL-IDIAs enable discovery of confidential patient information. Although prepared statements are the standard defense against SQL injection attacks, existing prepared-statement APIs do not protect against SQL-IDIAs. This dissertation therefore proposes and evaluates an extended prepared-statement API to protect against SQL-IDIAs.
|
332 |
Mass Shootings and Gun Sales: A Study on the Influence of Red and Blue PowerRozo Osuna, Maria Jose 19 March 2019 (has links)
Mass shootings are one of the most discussed issues in American society. While it is evident who the main victims are, the impact of such an event reaches far beyond the lives that were directly impacted. One of the main effects mass shootings have been found to have is a spike in gun sales (Wallace, 2015; Studert et. al., 2017 ; Turchan et. al., 2017). This finding has been found time and time again by academic and non-academic researchers, and it is one of the most commonly believed ideas regarding the effects of mass shootings (Aish & Keller, 2016). The current study builds on previous research to determine whether a Democratic Government has a moderating effect on the mass shootings - gun sales relationship. There are two main hypotheses. Hypothesis one is that mass shootings increase gun sales. Hypothesis two predicts that when Democrats are in power, the increase in gun sales following a mass shooting is higher than when Republicans are in power. This hypothesis comes from the idea that gun enthusiasts will not only fear attacks, but they will also fear changes in gun regulation when Democrats are in power (Adams & Daniel, 2017). To test this hypothesis, a Democratic Government variable was created, and it measured which party controls the Presidency, and holds majority at the House of Representatives, and the Senate. Using FBI background check information as a proxy for gun sales, OLS regressions determined hypothesis one did not have support, while hypothesis two was partially supported, meaning the interaction between a Democratic Government and mass shootings is relevant to gun sales. It is worth noting that this relationship went in the opposite direction than what was expected, since it was found that Democrats holding office actually lead to a decrease in gun sales following a mass shooting. An explanation for why this might be the case, and why the first hypothesis was not supported is presented. Study limitations and future research directions are also discussed.
|
333 |
ADVANCED LOW-COST ELECTRO-MAGNETIC AND MACHINE LEARNING SIDE-CHANNEL ATTACKSJosef A Danial (9520181) 16 December 2020 (has links)
Side-channel analysis (SCA) is a prominent tool to break mathematically secure cryptographic engines, especially on resource-constrained devices. SCA attacks utilize physical leakage vectors like the power consumption, electromagnetic (EM) radiation, timing, cache hits/misses, that reduce the complexity of determining a secret key drastically, going from 2<sup>128</sup> for brute force attacks to 2<sup>12</sup> for SCA in the case of AES-128. Additionally, EM SCA attacks can be performed non-invasively without any modifications to the target under attack, unlike power SCA. To develop defenses against EM SCA, designers must evaluate the cryptographic implementations against the most powerful side-channel attacks. In this work, systems and techniques that improve EM side-channel analysis have been explored, making it lower-cost and more accessible to the research community to develop better countermeasures against such attacks. The first chapter of this thesis presents SCNIFFER, a platform to perform efficient end-to-end EM SCA attacks. SCNIFFER introduces leakage localization – an often-overlooked step in EM attacks – into the loop of an attack. Following SCNIFFER, the second chapter presents a practical machine learning (ML) based EM SCA attack on AES-128. This attack addresses issues dealing with low signal-to-noise ratio (SNR) EM measurements, proposing training and pre-processing techniques to perform an efficient profiling attack. In the final chapter, methods for mapping from power to EM measurements, are analyzed, which can enable training a ML model with much lower number of encryption traces. Additionally, SCA evaluation of high-level synthesis (HLS) based cryptographic algorithms is performed, along with the study of futuristic neural encryption techniques.
|
334 |
Attacking and securing Network Time ProtocolMalhotra, Aanchal 14 February 2020 (has links)
Network Time Protocol (NTP) is used to synchronize time between computer systems communicating over unreliable, variable-latency, and untrusted network paths. Time is critical for many applications; in particular it is heavily utilized by cryptographic protocols. Despite its importance, the community still lacks visibility into the robustness of the NTP ecosystem itself, the integrity of the timing information transmitted by NTP, and the impact that any error in NTP might have upon the security of other protocols that rely on timing information. In this thesis, we seek to accomplish the following broad goals:
1. Demonstrate that the current design presents a security risk, by showing that network attackers can exploit NTP and then use it to attack other core Internet protocols that rely on time.
2. Improve NTP to make it more robust, and rigorously analyze the security of the improved protocol.
3. Establish formal and precise security requirements that should be satisfied by a network time-synchronization protocol, and prove that these are sufficient for the security of other protocols that rely on time.
We take the following approach to achieve our goals incrementally.
1. We begin by (a) scrutinizing NTP's core protocol (RFC 5905) and (b) statically analyzing code of its reference implementation to identify vulnerabilities in protocol design, ambiguities in specifications, and flaws in reference implementations. We then leverage these observations to show several off- and on-path denial-of-service and time-shifting attacks on NTP clients. We then show cache-flushing and cache-sticking attacks on DNS(SEC) that leverage NTP. We quantify the attack surface using Internet measurements, and suggest simple countermeasures that can improve the security of NTP and DNS(SEC).
2. Next we move beyond identifying attacks and leverage ideas from Universal Composability (UC) security framework to develop a cryptographic model for attacks on NTP's datagram protocol. We use this model to prove the security of a new backwards-compatible protocol that correctly synchronizes time in the face of both off- and on-path network attackers.
3. Next, we propose general security notions for network time-synchronization protocols within the UC framework and formulate ideal functionalities that capture a number of prevalent forms of time measurement within existing systems. We show how they can be realized by real-world protocols (including but not limited to NTP), and how they can be used to assert security of time-reliant applications-specifically, cryptographic certificates with revocation and expiration times. Our security framework allows for a clear and modular treatment of the use of time in security-sensitive systems.
Our work makes the core NTP protocol and its implementations more robust and secure, thus improving the security of applications and protocols that rely on time.
|
335 |
Moderna putsade fasader : En fördjupningsstudie om putsade fasaders beständighet / Contemporary stucco walls : An in-depth study of the resistance in stucco wallsBrandhorst-Satzkorn, Erik, Edling, Amanda January 2015 (has links)
Problematik med moderna putsfasader rörande hållbarhet har på senare år uppenbarat sig. Trots modern byggnadsteknik är skaderisken idag större än den var med äldre byggnadsteknik. Sprickbildningar, missfärgningar, mikrobiella angrepp, frostsprängningar, mögelangrepp m.m. är alla exempel på skador som kan uppstå. Rapporten syftar till att identifiera risker och problem med dagens putsfasadkonstruktion, samt undersöka hur dessa problem kan avhjälpas byggnadstekniskt och arkitektoniskt. Projektet avgränsas till fasader på nybyggda flerbostadshus i svenskt klimat. Fokus ligger på att undersöka putsade fasader. Vägguppbyggnaden avgränsas till utfackningsväggar av regelkonstruktion då det är en vanlig ytterväggskonstruktion. Underlaget till rapporten baseras på litteraturstudier, tekniska rapporter och rådgivning från handledare och yrkeskunniga experter. Fördjupningsstudier görs inom putsfasader för att reda ut det bästa lösningsförslaget för hållbara putsfasader. Resultatet av rapporten pekar på att det inte finns en enkel lösning till problematiken. Förebyggs ett problem uppstår ett annat. Det finns dock vissa parametrar som bör tas i anspråk. Ytterväggen bör tvåstegstätas för att förebygga mögelrisk i konstruktionen. Grovkornigt putsbruk bör användas för att förebygga sprickbildning och eventuellt minska adsorption. Vattenavvisande detaljer i det arkitektoniska formspråket bör finnas för att minska vattenbelastningen. Ytfärgen bör vara oorganisk och alkalisk för att ytterligare förebygga uppkomsten av mikrobiella angrepp. För vidare studier föreslås att putsprovväggskonstruktionen konstrueras och testas i praktiken. Faktorer som kornstorlek, vattenavvisande detaljer, adsorption bör vara fokus. Konstruktionernas RF i ytskiktet studeras därefter för att ge en idé över vilken konstruktion som förebygger skador effektivast. / In recent years, sustainability problems with regards to contemporary stucco facades have revealed themselves. Despite modern construction techniques, the risk of damage today is greater than it was with older techniques. Damage such as cracks, discoloration, microbial attacks, frost damage, mold, etc. are all examples of risk factors. The report aims to identify the risks and problems of today's plaster facade construction, as well as explore how these problems can be remedied through constructional and architectural solutions. The project is constrained to facades of newly constructed apartment buildings in the Swedish climate. The focus is to examine the plastered facades. Wall construction is constrained to pre-fabricated wall panels of regulatory structure as it is the most common exterior wall construction in Sweden. The basis for the report is based on literature studies, technical reports and guidance from supervisors and skilled experts. In-depth studies have been performed on plaster facades to find the best recommendations for durable plaster facades. The results of the report indicate that there is no simple solution to the problem. However, there are some guidelines that should be followed. The outer wall should be “two way sealed” to prevent the risk of mold in the construction. Coarse plaster should be used to prevent cracking and to reduce adsorption. Water repellent details should be implemented to reduce the water load on the walls. The surface paint should be inorganic and alkaline in order to further prevent the development of microbial attacks. For further study, the report suggests that a stucco sample wall structure is tested in practice. Factors such as particle size, water repellent details and adsorption properties should be the focus. The RH in the surface layer should thereafter be studied to give an idea of which structure that prevents damage most efficiently.
|
336 |
Systematic Literature Review of the Adversarial Attacks on AI in Cyber-Physical SystemsValeev, Nail January 2022 (has links)
Cyber-physical systems, built from the integration of cyber and physical components, are being used in multiple domains ranging from manufacturing and healthcare to traffic con- trol and safety. Ensuring the security of cyber-physical systems is crucial because they provide the foundation of the critical infrastructure, and security incidents can result in catastrophic failures. Recent publications report that machine learning models are vul- nerable to adversarial examples, crafted by adding small perturbations to input data. For the past decade, machine learning security has become a growing interest area, with a significant number of systematic reviews and surveys that have been published. Secu- rity of artificial intelligence in cyber-physical systems is more challenging in comparison to machine learning security, because adversaries have a wider possible attack surface, in both cyber and physical domains. However, comprehensive systematic literature re- views in this research field are not available. Therefore, this work presents a systematic literature review of the adversarial attacks on artificial intelligence in cyber-physical sys- tems, examining 45 scientific papers, selected from 134 publications found in the Scopus database. It provides the classification of attack algorithms and defense methods, the sur- vey of evaluation metrics, an overview of the state of the art in methodologies and tools, and, as the main contribution, identifies open problems and research gaps and highlights future research challenges in this area of interest.
|
337 |
Intrusion Detection For The Controller Pilot Data Link Communication : Detecting CPDLC attacks using machine learning / Intrångsdetektering för CPDLCWestergren, Adam, Skoglund, Alexander January 2022 (has links)
Controller Pilot Data Link Communications (CPDLC) is a system for text-based communication between air traffic control and flight crew. It currently lacks protection against many common types of attacks, making the system vulnerable to attackers. This can have severe consequences for the safety and reliability of air travel. One such attack is alteration attacks. This thesis focuses on detecting alteration attacks with the use of machine learning. It also goes over how CPDLC messages are structured and how to prepare a dataset of CPDLC messages before applying machine learning models. Using Datawig for data imputation made it possible to prepare the dataset by filling in missing values, which could be used for machine learning. With the prepared dataset, two deep learning models, RNN and LSTM, were trained on the dataset to identify genuine and fabricated messages. The dataset consists of a combination of real and altered CPDLC messages. It was found that both models could be used, with high accuracy, to identify real and fake CPDLC messages from the dataset. The implication of this means it is possible to build and train models to detect and differentiate altered messages from genuine messages, which could be further built upon to develop a system for both detecting and preventing alteration attacks.
|
338 |
Keyboard Acoustic Emanations Attack : An Empirical studyPonnam, Sravanthi January 2013 (has links)
The sounds produced from the keystrokes when a user types on the keyboard are called keyboard acoustic emanations. These sounds can be recorded with a microphone and stored as a file on the computer. Different techniques can be used to retrieve each keystroke. In this way sensitive information, such as passwords used to unlock the system or enter various protected cyber spaces can be collected and misused. This study investigates the seriousness of the keyboard acoustic emanations attack and possible threats from this type of eavesdropping. The aim of the research is to show this type of attack can be performed using simple equipment and easy to use signal processing techniques and to suggest protective measures against the threat from the attack. We use empirical methodology and perform experiments under different scenarios. Unlike the previous research, the experiments are performed in a moderately noisy environment. Our attack includes two phases, training and recognition phase. The structure of the attack is created considering views of previous research and having in mind the aim of the study. Six scenarios are created based on how the characteristics of the waveforms are presented and what types of techniques are used at the recognition phase. A separate procedure for identifying which scenario produces the highest recognition rate is designed. The results show that the waveform of the acoustic signal in presence of noise has similar shape as in silent environment and that an attacker can easily perform our experiment with keyboard acoustic emanations attack. We achieved 60% recognition rate that can be considered as satisfactory. The experiment is compared with similar ones from the previous research. Easy computation, analysis and simplicity are the advantages of our approach. At the end of the thesis we suggest preventive measures for mitigating the attack.
|
339 |
Threat modelling of historical attacks with CySeMoL / Hotmodellering av historiska attacker med CySeMoLSvensson, Carl January 2015 (has links)
This report investigates the modelling power of the Cyber Security Modelling Language, CySeMoL by looking at three documented cyber attacks and attempting to model the respective systems in which they occurred. By doing this, strengths and weaknesses of the model are investigated and proposals for improvements to the CySeMoL model are explored. / Denna rapport undersöker modellingsförmågan hos Cyber Security Modelling Language, CySeMoL genom att titta på tre dokumenterade IT-angrepp och försöka modellera systemen som respektive attack skedde i. Genom att göra detta undersöks styrkor och svagheter i modellen och förslag på förbättringar till modellen utforskas.
|
340 |
Datasäkerhet för webbaserade systemIngverud, Patrik, Ryrstedt, Emmy January 2015 (has links)
Webbattacker är i dagens läge ett välkänt problem. Syftet med en attack kan vara allt från att enbart förstöra, till att komma åt sekretessklassad information eller drivas av organiserad brottslighet för ekonomisk vinning. Ett stort behov hos många företag är därför att skydda sig mot attacker. Ett system måste garantera att information som finns i systemet enbart kan kommas åt av autentiserade användare. Information som skickas och lagras i systemet får inte avlyssnas eller gå att förändra. Denna rapport redogör för ett projekt där ett webbaserat system, som ett företag ska utveckla, undersöks. För att detta system ska bli säkert mot attacker görs en bedömning av vilken nivå av säkerhet som krävs, samt en riskanalys av systemet och en analys av säkerhetslösningar som täcker dessa risker. Projektet resulterade i en beskrivning av de säkerhetslösningar som skyddar mot systemets risker och som täcker företagets krav på säkerhetsnivå. Resultatet är informativt och ska kunna användas som grund vid utveckling av säkerheten i webbaserade system. / Web attacks are today a well-known problem. The purpose of an attack can vary from only destroying, to access confidential information or be operated by criminal activities for financial gain. Many businesses therefore have a great need to protect themselves against attacks. A system must ensure that only authenticated users can access the information contained in the system. I should not be possible to intercept or change the information that is sent and stored in the system. This report describes a project where a web-based system, that a company is going to develop, will be analyzed. An assessment of the level of security that the system require, a risk analysis of the system and an analysis of security solutions that cover these risks, are made to make the system secure against attacks. The project resulted in a description of the security solutions that protects against the systems risks, and that covers the company's requirements of security. The result is informative and can be used as a basis for the development of the security in web-based systems.
|
Page generated in 0.0579 seconds