Identifying Threat Factors of Vulnerabilities in Ethereum Smart Contracts

Noor, Mah, Murad, Syeda Hina

January 2023

Ethereum is one of the top blockchain platforms that represents this second generation of blockchain technology. However, the security vulnerabilities associated with smart contracts pose significant risks to confidentiality, integrity, and availability of applications supported by Ethereum. While several studies have enumerated various security issues in smart contracts, only a handful have identified the factors that determine the severity and potential of these issues to pose significant risks in practice. As its first contribution, this thesis presents a framework that identifies such factors and highlights the most critical security threats and vulnerabilities of Ethereum smart contracts. To achieve this, we conduct a comprehensive literature review to identify and categorize the vulnerabilities, assess their potential impact, and evaluate the likelihood of exploitation in real-life contracts. We classify the identified vulnerabilities based on their nature and severity and proposed mitigation recommendations. Our theoretical contribution is to establish a correlation between the security vulnerabilities of smart contracts and their potential impact on the security of smart contracts by identifying factors that pose a (practical) threat. Our practical contribution involves developing a tool based on staticanalysis that can automatically detect at least one critical securityissue with the highest threat factor. For the target vulnerability, wechoose the usage of input from external users without any validation.This vulnerability, as we call it, Missing Input Validation (MIV), actsas a root cause for further (well-known and well-researched) issues,for instance, the flow of tainted values into sensitive operations suchas the transfer of cryptocurrencies and self destruct instruction. Weimplement the tool MIV Checker and evaluate its efficacy on a test setof 36 smart contracts. Our evaluation results show that MIV Checkercorrectly detects 87.6 % of instances of MIV in the dataset.

Smart contract

Blockchain

Ethereum

attacks

security vulnerabilities

security audits

Computer Engineering

Datorteknik

Pharmaceutical supply chain resilience. An exploratory analysis of vulnerabilities and resilience strategies in the face of dynamic disruptions in the UK pharmaceutical supply chain

Yaroson, Emilia V.

January 2019

Pharmaceutical supply chains are susceptible to disruptions which impact on the operational and financial performance of firms as well as patient safety. This study aimed to explore why the Pharmaceutical Supply Chain (PSC) in the UK is susceptible to the impact of dynamic disruptions and examine how resilience strategies have were employed to reduce the effects of these disruptions. The Complex Adaptive System (CAS) theory was used as a framework in an exploratory research design using mixed-methods. The qualitative data were gathered through 23 semi-structured interviews with key supply chain actors across the PSC in the UK to explore their experiences. The findings from these semi-structured interviews were used to develop a survey which was distributed to a broader spectrum of supply chain actors where the final sample from the survey was (n=106). The data were triangulated to discuss the research findings. The initial results revealed power, conflict and complexities as drivers of vulnerabilities in the PSC. Antecedents for building resilience strategies included visibility, flexibility and joint decision making as recovery strategies and resource sharing as the resistance strategy. CAS provided a systemic approach to understanding PSC resilience rather than in parts. In doing so, it took into consideration the various elements that make up the entire system. Thus, vulnerabilities and resilience strategies were outcomes of the interactions between supply chain actors. The findings demonstrated that CAS, as a theory, provided a framework that was beneficial in exploring and gaining insights into PSC resilience. Also, by combining the two datasets (interviews and survey), an original output was proposed -the Pharmaceutical Supply Chain Resilience Framework (PSCRF)- which was used to recommend resilience strategies suitable for mitigating disruptions in the PSC.

Supply chain resilience

Pharmaceutical supply chain

Disruptions

Resilience strategies

Vulnerabilities

United Kingdom (UK)

Case Study: Assessing the Security of a ZigBee Smart HomeNetwork

Saker, Robal, Abu Issa, Obaida

January 2024

Utilizing the ZigBee protocol is pervasive in the context of smart homes, offering substantial convenience to individuals. However, smart home devices commonly handle significant quantities of real-world information, potentially giving rise to concerns related to information leakage. Therefore, in this study, we assess the security of a ZigBee smart homenetworkbyidentifying potential vulnerabilities and conducting a penetration test on the network. In addition, this study compared the potential damage inflicted on the ZigBee network bytechnical and non-technical users. Identifying the potential vulnerabilities was carried out by following a systematic literature review approach, while the penetration testing method was conducted with the help of a case study. The smart home network consisted of a gateway, a smart light bulb, a temperature and humidity sensor, and a motion sensor. The results show a vulnerability in the ZigBee protocol where the technical user could compromise all the security keys. However, the non-technical user was not able to compromise the ZigBee network. Consequently, the security of ZigBee-based smart devices still needs to be further investigated and strengthened. Finally, we discussed the future of the ZigBee network and the optimal scenarios for deploying it.

ZigBee

vulnerabilities

smart home

technical user

non-technical user

Computer Sciences

Datavetenskap (datalogi)

The Everyday Internet, a Minefield in Disguise : Characterization of different types of domains including malicious and popularity / Internet, ett minfält i förklädnad.

Petersson, Linn, Lindkvist, Rebecka

January 2022

Today, security has become a growing concern for all internet users, where technology is developing faster than its security is implemented, which leads to insecure domains. In this thesis, we look at the reality of today’s domains and research if some categories of domains are safer than others and the reason behind it. The total amount of researched domains was 8080 divided into four categories; popular, categories, continents, and malicious. The analysis was made by looking closer at default protocols, cipher suites, certificate authorities (CAs), certificate classifications, page loading times, and vulnerabilities. Our result indicated that TLS 1.2 and TLS 1.3 are the most commonly used protocol. The largest difference between the domains could be seen among the CAs, even though no definite reason for this could be found. The most popular cipher suite for popular, categories, and malicious belonged to TLS 1.3 meanwhile, continents had a cipher suite belonging to TLS 1.2. All four categories were vulnerable to at least five out of eight different types of attacks. The least commonly used certificate classification is EV certificates, while DV is the most commonly used. Through our data collection and analysis, we could conclude that all domains are not as safe as one might think, while the underlying security infrastructure of malicious domains might be better than anyone expects.

characterisation

malicious

domains

vulnerabilities

cipher suites

TLS

protocols

security

certificates

Computer and Information Sciences

Data- och informationsvetenskap

Intrusion Detection for 0-Day Vulnerabilities

Truhan, Nathan D.

19 July 2011

No description available.

Computer Science

Information Systems

IDS

intrusion detection

0-day

zero-day

vulnerabilities

honeypot

Data-Driven Cyber Vulnerability Maintenance of Network Vulnerabilities with Markov Decision Processes

Jiang, Tianyu

23 October 2017

No description available.

Operations Research

Markov Decision Processes

Social Disaster Vulnerabilities: a Study of Gender and Foreign Residents in Japan / 災害における社会的な脆弱性―日本におけるジェンダーと外国人居住者に関する研究―

Petraroli, Irene

23 March 2022

京都大学 / 新制・課程博士 / 博士(地球環境学) / 甲第24062号 / 地環博第225号 / 新制||地環||43(附属図書館) / 京都大学大学院地球環境学舎地球環境学専攻 / (主査)講師 BAARS ROGER CLOUD, 教授 宇佐美 誠, 准教授 落合 知帆, 准教授 TRENCHER Gregory / 学位規則第4条第1項該当 / Doctor of Global Environmental Studies / Kyoto University / DFAM

Disaster Risk Reduction (DRR)

Social Vulnerabilities

Disaster Preparedness

Japan

Foreign residents

Gender

450

Gender-responsive peacebuilding in a changing climate : A qualitative content analysis of strengths and weaknesses in National Action Plans.

Jangbrand, Amanda

January 2022

Climate change can exacerbate violent conflict, create risks to human security, and prevent conflict recovery and peacebuilding in different contexts. Climate change nor conflict is rarely fair and have been argued to have different impacts on gender.In 2000, the UN Security Council adopted resolution 1325 on ‘Women, Peace and Security’ which promoted the advancement of women’s position in national agendas of peace and security. It has become increasingly clear that the climate-gender-conflict nexus is critical to both peacebuilding efforts and developing strong communities resilient to climate change impacts. While previous research on the nexus has been dominated by statistical quantitative studies, this seeks to contribute to qualitative research by adopting a qualitative content analysis. Of concern for this study is the implication of vulnerabilities and capacities in National Action Plans that support the Women, Peace, and Security Agenda. Leaning on the CAV Analytical Framework by March et al. 1999, vulnerabilities and capacities have been identified along different categories that focus on different dimensions of power dynamics. The study finds that climate change has primarily been recognized as contributing to the intensification and exacerbation of conflicts over access to natural resources, which in turn has caused vulnerabilities to become greater within all categories of the analysis. Other findings point to a major focus on women's vulnerabilities above those of men, and lastly how implementing bodies have developed promising methods for successful implementation.

climate change

gender

WPS Agenda

qualitative content analysis

vulnerabilities and capacities

Social Sciences

Samhällsvetenskap

Political Science

Statsvetenskap

Is local climate change adaptation [CCA] inclusive for/adapted to everybody? : A qualitative study and intersectional analysis of local CCA within Stockholm County / Är klimatanpassning anpassad för alla? : En kvalitativ studie och intersektionell analys av klimatanpassning i Stockholms län

Mattsson, Sara

January 2020

Stockholm County is currently implementing climate change adaptation, making it essential to distinguish the priorities being made. Previous research has suggested that social dimensions of climate change adaptation in cities, especially in the Global North, are largely ignored. Therefore, this thesis aims to identify how social dimension issues of current local Climate Change Adaptation [CCA] in Stockholm County is perceived by CCA-practitioners and provide an overall understanding of how current local Climate Change Adaptation [CCA] materializes in Stockholm County. Five civil servants working as environmental planners/strategists were interviewed and part of a semi-structured interview study, which was analyzed through thematic analysis and an intersectional framework. The results suggest that current local CCA prioritizes specific climate hazards (Floods and different erosion- related hazards), certain buildings (new developments), and certain evaluations (technical). In addition, heatwaves, existing built environments, and social dimension assessments were shown to be of less focus in current local CCA. The results from the intersectional franmework showed that specific identity categories are considered in certain climate hazards, specifically in heatwaves that have clear health outcomes compared to the other hazards. It also shows that gender seems to be the least explored identity category of vulnerability in current local CCA-practice. / Stockholms län genomför för närvarande klimatanpassnings-åtgärder, vilket gör det viktigt att urskilja hur det tar sig i uttryck. Tidigare forskning har signalerat att sociala dimensioner klimatanpassning av städer, särskilt i det globala Nord, i stort sett har ignorerats. Därför syftar denna uppsats till att ge en övergripande förståelse för hur klimatanpassning inom Stockholms län tar sig i uttryck och vilka sociala perspektiv bedöms relevanta verksamma tjänstemän inom klimatanpassning. Uppsatsen hade två forskningsfrågor: 1) Enligt tjänstemän som arbetar med klimatanpassning inom Stockholms län, vad prioriteras och vad prioriteras inte inom nuvarande klimatanpassnings-praxis för en klimatrisk, och varför? 2)Enligt tjänstemän som arbetar med klimatanpassning inom Stockholms län, vem anses vara sårbar inom klimatanpassning, och var inom nuvarande klimatanpassnings-praxis tas det i åtanke? Uppsatsen har förlitats sig i stort på intersektionalitet som ett analytiskt verktyg och som vägledning i en litteraturstudie. Eftersom klimatanpassning utförs inom fysisk planering av kommunen, har fem tjänstemän som arbetar som miljöplanerare eller miljö-strateger intervjuats i en semistrukturerad intervjustudie. Materialet har analyserades genom tematisk analys. Den tematiska analysen gav tre typer av teman, där en viss prioritering kunde urskiljas. Resultaten tyder på att nuvarande klimatanpassning prioriterar specifika klimatrisker (översvämningar, ras och skred), vissa byggnader (ny bebyggelse) och vissa utvärderingar (tekniska). Dessutom visade resultatet på att värmeböljor, befintliga miljöer och bedömningar av sociala dimensioner är av mindre vikt och fokus inom klimatanpassning. Den tematiska analysen gav även ett fjärde tema kallat Sårbarheter. Under detta tema, presenterades hur sårbarheter inför klimatförändringar uppfattas av de intervjuade tjänstemännen och de angivna sårbarheterna analyserades med ett befintligt intersektionellt ramverk. Resultaten från den intersektionella analysen visar att specifika identitetskategorier beaktas mer i vissa klimatrisker, till exempel vid värmeböljor som har tydliga hälsokonsekvenser jämfört med andra extrema väderhändelser. Den visar också att kön är den minst utforskade i dagens klimatanpassnings- praxis i Stockholms Län.

Urban Climate Change Adaptation

Physical Planning

Stockholm County

Vulnerabilities

Intersectional Framework

Engineering and Technology

Teknik och teknologier

Visualizing Memory Utilization for the Purpose of Vulnerability Analysis

McConnell, William Charles

02 July 2008

The expansion of the internet over recent years has resulted in an increase in digital attacks on computers. Most attacks, including the more dangerous ones, directly target program vulnerabilities. The increase in attacks has prompted a need to develop new ways to classify, detect, and avoid vulnerabilities. The effectiveness of these goals relies on the development of new methods and tools that facilitate the process of detecting vulnerabilities and exploits. This thesis presents the development of a tool that provides a visual representation of main memory for the purpose of security analysis. The tool provides new insight into memory utilization by software; users are able to see memory utilization as execution time progression, visually distinguish between memory behaviors (allocations, writes, etc), and visually observe special relationships between memory locations. The insight enables users to search for visual evidence that software is vulnerable, violated, or utilizing memory incorrectly. The development process for our visual tool has three stages: (1) identifying the memory utilization policies of the Windows 32-bit operating system; (2) identifying the data required for visual representations of memory and then implementing one possible method to capture the data; and (3) enumerating and implementing requirements for a memory tool that generates visual representations of memory for the purpose of vulnerability and exploit analysis. / Master of Science

main memory

memory API

data capturing

function hooks

exploits

security

resource utilization

visualization

software vulnerabilities