The complexity of networked systems has been continuously growing, and the abundance of online resources has presented practical management challenges. Specifically, system administrators are required to carefully configure their online systems to minimize security vulnerabilities in resource management, including resource creation, maintenance, and disposal. However, numerous networked systems have been exploited or compromised by adversaries due to misconfiguration and mismanagement stemming from human error. In this dissertation, we explore different network systems to identify security vulnerabilities that adversaries could exploit for malicious purposes.
First, we investigate the identity-account inconsistency threat, a new SSO vulnerability that can cause the compromise of online accounts. We demonstrate that this inconsistency in SSO authentication allows adversaries controlling a reused email address to take over online accounts without using any credentials. To substantiate our findings, we conduct a measurement study on the account management policies of various cloud email providers, highlighting the feasibility of acquiring previously used email accounts. To gain insight into email reuse in the wild, we examine commonly employed naming conventions that contribute to a significant number of potential email address collisions. To mitigate the identity-account inconsistency threat, we propose a range of useful practices for end-users, service providers, and identity providers.
Secondly, we present a comprehensive study on the vulnerability of container registries to typosquatting attacks. In typosquatting attacks, adversaries intentionally upload malicious container images with identifiers similar to those of benign images, leading users to inadvertently download and execute malicious images. Our study demonstrates that typosquatting attacks can pose a significant security threat across public and private container registries, as well as across multiple platforms. To mitigate the typosquatting attacks in container registries, we propose CRYSTAL, a lightweight extension to the existing Docker command-line interface.
Thirdly, we present an in-depth study on hardware resource management in cloud gaming services. Our research uncovers that adversaries can intentionally inject malicious programs or URLs into these services using game mods. To demonstrate the severity of these vulnerabilities, we conduct four proof-of-concept attacks on cloud gaming services, including crypto-mining, machine-learning model training, Command and Control, and censorship circumvention. In response to these threats, we propose several countermeasures that cloud gaming services can implement to safeguard their valuable assets from malicious exploitation. These countermeasures aim to enhance the security of cloud gaming services and mitigate the security risks associated with hardware mismanagement.
Last but not least, we present a comprehensive and systematic study on NXDomain, examining its scale, origin, and security implications. By leveraging a large-scale passive DNS database, we analyze a vast dataset spanning from 2014 to 2022, identifying an astonishing 146 trillion NXDomains queried by DNS users. To gain further insights into the usage patterns and security risks associated with NXDomains, we carefully select and register 19 NXDomains in the DNS database. To analyze the behavior and sources of these queries, we deploy a honeypot for our registered domains and collect 5,925,311 queries over a period of six months. Furthermore, we conduct extensive traffic analysis on the collected data, uncovering various malicious uses of NXDomains, including botnet takeovers, malicious file injections, and exploitation of residual trust.
Doctor of Philosophy
This dissertation investigates the security risks arising from resource management in various network systems. On the one hand, we explore the security risks of software resource mismanagement, examining two specific threats: the identity-account inconsistency threat in Single Sign-On authentication schemes and the typosquatting attack in container registries. On the other hand, we investigate hardware resource misuse in network systems, focusing on two security issues: the exploitation of computing hardware in cloud gaming services and the analysis of NXDomains within the Domain Name System (DNS). By thoroughly analyzing and understanding these security risks, this dissertation contributes to the advancement of networked system security and provides necessary countermeasures to protect Internet users against these threats.
Identifier | oai:union.ndltd.org:VTETD/oai:vtechworks.lib.vt.edu:10919/116018 |
Date | 10 August 2023 |
Creators | Liu, Guannan |
Contributors | Electrical and Computer Engineering, Wang, Haining, Min, Chang Woo, Sun, Kun, Stavrou, Angelos, Yao, Danfeng |
Publisher | Virginia Tech |
Source Sets | Virginia Tech Theses and Dissertation |
Language | English |
Detected Language | English |
Type | Dissertation |
Format | ETD, application/pdf |
Rights | In Copyright, http://rightsstatements.org/vocab/InC/1.0/ |