Your search keyword '"software security"' showing total 6 results

1. Security Monitoring during Software Development: An Industrial Case Study

Author

Miltiadis Siavvas, Dimitrios Tsoukalas, Ilias Kalouptsoglou, Evdoxia Manganopoulou, Georgios Manolis, Dionysios Kehagias, and Dimitrios Tzovaras

Subjects

software security, security by design, security monitoring, verification and validation, vulnerability prediction, experience report, Technology, Engineering (General). Civil engineering (General), TA1-2040, Biology (General), QH301-705.5, Physics, QC1-999, Chemistry, QD1-999

Abstract

The devastating consequences of successful security breaches that have been observed recently have forced more and more software development enterprises to shift their focus towards building software products that are highly secure (i.e., vulnerability-free) from the ground up. In order to produce secure software applications, appropriate mechanisms are required for enabling project managers and developers to monitor the security level of their products during their development and identify and eliminate vulnerabilities prior to their release. A large number of such mechanisms have been proposed in the literature over the years, but limited attempts with respect to their industrial applicability, relevance, and practicality can be found. To this end, in the present paper, we demonstrate an integrated security platform, the VM4SEC platform, which exhibits cutting-edge solutions for software security monitoring and optimization, based on static and textual source code analysis. The platform was built in a way to satisfy the actual security needs of a real software development company. For this purpose, an industrial case study was conducted in order to identify the current security state of the company and its security needs in order for the employed security mechanisms to be adapted to the specific needs of the company. Based on this analysis, the overall architecture of the platform and the parameters of the selected models and mechanisms were properly defined and demonstrated in the present paper. The purpose of this paper is to showcase how cutting-edge security monitoring and optimization mechanisms can be adapted to the needs of a dedicated company and to be used as a blueprint for constructing similar security monitoring platforms and pipelines.

Published

2023

2. SAViP: Semantic-Aware Vulnerability Prediction for Binary Programs with Neural Networks

Author

Xu Zhou, Bingjie Duan, Xugang Wu, and Pengfei Wang

Subjects

vulnerability prediction, binary program, neural networks, software security, Technology, Engineering (General). Civil engineering (General), TA1-2040, Biology (General), QH301-705.5, Physics, QC1-999, Chemistry, QD1-999

Abstract

Vulnerability prediction, in which static analysis is leveraged to predict the vulnerabilities of binary programs, has become a popular research topic. Traditional vulnerability prediction methods depend on vulnerability patterns, which must be predefined by security experts in a time-consuming manner. The development of Artificial Intelligence (AI) has yielded new options for vulnerability prediction. Neural networks allow vulnerability patterns to be learned automatically. However, current works extract only one or two types of features and use traditional models such as word2vec, which results in the loss of much instruction-level information. In this paper, we propose a model named SAViP to predict vulnerabilities in binary programs. To fully extract binary information, we integrate three kinds of features: semantic, statistical, and structural features. For semantic features, we apply the Masked Language Model (MLM) pre-training task of the RoBERTa model to the assembly code to build our language model. Using this model, we innovatively combine the beginning token and the operation-code token to create the instruction embedding. For the statistical features, we design a 56-dimensional feature vector that contains 43 kinds of instructions. For the structural features, we improve the ability of the structure2vec network to obtain the characteristic of the network by emphasizing node self-attention. Through these optimizations, we significantly increase the accuracy of vulnerability prediction over existing methods. Our experiments show that SAViP achieves a recall of 77.85% and Top 100∼600 accuracies all above 95%. The results are 10% and 13% higher than those of the state-of-the-art V-Fuzz, respectively.

Published

2023

3. Searching Open-Source Vulnerability Function Based on Software Modularization

Author

Xixi Guo, Ruijie Cai, Xiaokang Yin, Wenqiang Shao, and Shengli Liu

Subjects

open-source vulnerability, binary-to-source matching, program modularization, community detection, software security, Technology, Engineering (General). Civil engineering (General), TA1-2040, Biology (General), QH301-705.5, Physics, QC1-999, Chemistry, QD1-999

Abstract

Vulnerable open-source component reuse can lead to security problems. At present, open-source component detection for binary programs can only reveal whether open-source components with vulnerabilities are reused, which cannot determine the specific location of vulnerabilities. To address this problem, we propose BMVul, an open-source vulnerability function detection based on the software modularization method, which is oriented to binary programs. BMVul performs binary modularization by the overlapping clustering method DBM based on directed graph, then uses feature comparison technology to carry out modular software component analysis. After creating open-source component vulnerability function set through function signature, BMVul detects vulnerability function in the binary modules reusing open-source components. The experimental results show that compared with the component detection based on Louvain modularization and B2SFinder, BMVul improves the precision by 3.16% and 59.57%, respectively. Moreover, the precision of unique binary module matching is improved by 39.43% compared with the Louvain method. The F1 score is improved by 8.45% compared to B2SFinder. Module-level detection narrows the search space of vulnerability functions, thereby reducing the workload of open-source vulnerability detection, which is of great significance for software security analysis.

Published

2023

4. The Evaluation of Software Security through Quantum Computing Techniques: A Durability Perspective

Author

Hashem Alyami, Mohd Nadeem, Abdullah Alharbi, Wael Alosaimi, Md Tarique Jamal Ansari, Dhirendra Pandey, Rajeev Kumar, and Raees Ahmad Khan

Subjects

software security, software durability, quantum computing, symmetrical technique, fuzzy AHP, fuzzy TOPSIS, Technology, Engineering (General). Civil engineering (General), TA1-2040, Biology (General), QH301-705.5, Physics, QC1-999, Chemistry, QD1-999

Abstract

The primary goal of this research study, in the field of information technology (IT), is to improve the security and durability of software. A quantum computing-based security algorithm springs quite a lot of symmetrical approaches and procedures to ensure optimum software retreat. The accurate assessment of software’s durability and security is a dynamic aspect in assessing, administrating, and controlling security for strengthening the features of security. This paper essentially emphasises the demarcation and depiction of quantum computing from a software security perspective. At present, different symmetrical-based cryptography approaches or algorithms are being used to protect different government and non-government sectors, such as banks, healthcare sectors, defense, transport, automobiles, navigators, weather forecasting, etc., to ensure software durability and security. However, many crypto schemes are likely to collapse when a large qubit-based quantum computer is developed. In such a scenario, it is necessary to pay attention to the security alternatives based on quantum computing. Presently, the different factors of software durability are usability, dependability, trustworthiness, and human trust. In this study, we have also classified the durability level in the second stage. The intention of the evaluation of the impact on security over quantum duration is to estimate and assess the security durability of software. In this research investigation, we have followed the symmetrical hybrid technique of fuzzy analytic hierarchy process (FAHP) and fuzzy technique for order of preference by similarity to ideal solution (FTOPSIS). The obtained results, and the method used in this estimation, would make a significant contribution to future research for organising software security and durability (SSD) in the presence of a quantum computer.

Published

2021

5. AEMB: An Automated Exploit Mitigation Bypassing Solution

Author

Ruipeng Wang, Zulie Pan, Fan Shi, and Min Zhang

Subjects

software security, automated exploit generation, exploit mitigation, symbolic execution, Technology, Engineering (General). Civil engineering (General), TA1-2040, Biology (General), QH301-705.5, Physics, QC1-999, Chemistry, QD1-999

Abstract

Modern operating systems set exploit mitigations to thwart the exploit, which has also become a barrier to automated exploit generation (AEG). Many current AEG solutions do not fully account for exploit mitigations, and as a result, they are unable to accurately assess the exploitability of vulnerabilities in such settings.This paper proposes AEMB, an automated solution for bypassing exploit mitigations and generating useable exploits (EXPs). Initially, AEMB identifies exploit mitigations in the system based on characteristics of the program execution environment. Then, AEMB implements exploit mitigations bypassing the payload generation by modeling expert experience and constructs the corresponding constraints. Next, during the program’s execution, AEMB uses symbol execution to collect symbol information and create exploit constraints. Finally, AEMB utilizes a solver to solve the constraints, including payload constraints and exploit constraints, to generate the EXP. In this paper, we evaluated a prototype of AEMB on six test programs and seven real-world applications. Furthermore, we conducted 54 sets of experiments on six different combinations of exploit mitigations. Experiment results indicate that AEMB can automatically overcome exploit mitigations and produce successful exploits for 11 out of 13 applications.

Published

2021

6. AEMB: An Automated Exploit Mitigation Bypassing Solution

Author

Zulie Pan, Ruipeng Wang, Min Zhang, and Fan Shi

Subjects

Technology, Exploit, QH301-705.5, Computer science, QC1-999, Distributed computing, Symbolic execution, automated exploit generation, Symbol (chemistry), Set (abstract data type), General Materials Science, Biology (General), exploit mitigation, QD1-999, Instrumentation, Fluid Flow and Transfer Processes, software security, Payload, Physics, Process Chemistry and Technology, General Engineering, Solver, Engineering (General). Civil engineering (General), Computer Science Applications, Chemistry, Software security assurance, TA1-2040, symbolic execution

Abstract

Modern operating systems set exploit mitigations to thwart the exploit, which has also become a barrier to automated exploit generation (AEG). Many current AEG solutions do not fully account for exploit mitigations, and as a result, they are unable to accurately assess the exploitability of vulnerabilities in such settings.This paper proposes AEMB, an automated solution for bypassing exploit mitigations and generating useable exploits (EXPs). Initially, AEMB identifies exploit mitigations in the system based on characteristics of the program execution environment. Then, AEMB implements exploit mitigations bypassing the payload generation by modeling expert experience and constructs the corresponding constraints. Next, during the program’s execution, AEMB uses symbol execution to collect symbol information and create exploit constraints. Finally, AEMB utilizes a solver to solve the constraints, including payload constraints and exploit constraints, to generate the EXP. In this paper, we evaluated a prototype of AEMB on six test programs and seven real-world applications. Furthermore, we conducted 54 sets of experiments on six different combinations of exploit mitigations. Experiment results indicate that AEMB can automatically overcome exploit mitigations and produce successful exploits for 11 out of 13 applications.

Published

2021