CONFU

Many software security vulnerabilities only reveal themselves under certain conditions, that is, particular configurations and inputs together with a certain runtime environment. One approach to detecting these vulnerabilities is fuzz testing. However, typical fuzz testing makes no guarantees regarding the syntactic and semantic validity of the input, or of how much of the input space will be explored. To address these problems, the authors present a new testing methodology called Configuration Fuzzing. Configuration Fuzzing is a technique whereby the configuration of the running application is mutated at certain execution points to check for vulnerabilities that only arise in certain conditions. As the application runs in the deployment environment, this testing technique continuously fuzzes the configuration and checks “security invariants’’ that, if violated, indicate vulnerability. This paper discusses the approach and introduces a prototype framework called ConFu (CONfiguration FUzzing testing framework) for implementation. Additionally, the results of case studies that demonstrate the approach’s feasibility are presented along with performance evaluations.

Download Full-text

The Research and Application of the Variant Fuzz Testing Framework for Log Based on the Structured Data

Applied Mechanics and Materials ◽

10.4028/www.scientific.net/amm.602-605.1749 ◽

2014 ◽

Vol 602-605 ◽

pp. 1749-1752

Author(s):

Li Yuan Sun ◽

Yan Mei Zhang

Keyword(s):

Computer Program ◽

Software Testing ◽

Structured Data ◽

Class Structure ◽

Random Data ◽

Testing Technique ◽

Testing Framework ◽

Design And Implementation ◽

Fuzz Testing ◽

Function Modules

Fuzz testing is a software testing technique,which provides invalid, unexpected, or random data to the inputs of a computer program to test the robustness and security of procedures[1]. For structured data like logging, the variant fuzz testing framework adopts a configuration file, apply traverse and stream processing to complete the structured fuzzing. This article starts with the features of the structured data, then introduces the design and implementation of the variant fuzz testing framework, including function modules, class structure, and logic processing. As a conclusion, this framework is compared with zzuf tool, and the advanced nature of this framework is elaborated.

Download Full-text

Software-driven Security Attacks: From Vulnerability Sources to Durable Hardware Defenses

ACM Journal on Emerging Technologies in Computing Systems ◽

10.1145/3456299 ◽

2021 ◽

Vol 17 (3) ◽

pp. 1-38

Author(s):

Lauren Biernacki ◽

Mark Gallagher ◽

Zhixing Xu ◽

Misiker Tadesse Aga ◽

Austin Harris ◽

...

Keyword(s):

Life Cycle ◽

Case Studies ◽

Gain Control ◽

Illustrative Case ◽

Security Attacks ◽

Specific Point ◽

Security Vulnerabilities ◽

Significant Challenge ◽

Hardware Realization ◽

Over Time

There is an increasing body of work in the area of hardware defenses for software-driven security attacks. A significant challenge in developing these defenses is that the space of security vulnerabilities and exploits is large and not fully understood. This results in specific point defenses that aim to patch particular vulnerabilities. While these defenses are valuable, they are often blindsided by fresh attacks that exploit new vulnerabilities. This article aims to address this issue by suggesting ways to make future defenses more durable based on an organization of security vulnerabilities as they arise throughout the program life cycle. We classify these vulnerability sources through programming, compilation, and hardware realization, and we show how each source introduces unintended states and transitions into the implementation. Further, we show how security exploits gain control by moving the implementation to an unintended state using knowledge of these sources and how defenses work to prevent these transitions. This framework of analyzing vulnerability sources, exploits, and defenses provides insights into developing durable defenses that could defend against broader categories of exploits. We present illustrative case studies of four important attack genealogies—showing how they fit into the presented framework and how the sophistication of the exploits and defenses have evolved over time, providing us insights for the future.

Download Full-text

Security Vulnerabilities, Threats, and Attacks in IoT and Big Data

Security, Privacy, and Forensics Issues in Big Data - Advances in Information Security, Privacy, and Ethics ◽

10.4018/978-1-5225-9742-1.ch006 ◽

2020 ◽

pp. 141-167

Author(s):

Prabha Selvaraj ◽

Sumathi Doraikannan ◽

Vijay Kumar Burugari

Keyword(s):

Big Data ◽

Case Studies ◽

Big Data Analytics ◽

Cloud Services ◽

Web Interface ◽

Security Vulnerabilities ◽

New Techniques ◽

Iot Security ◽

Web Interfaces ◽

The Web

Big data and IoT has its impact on various areas like science, health, engineering, medicine, finance, business, and mainly, the society. Due to the growth in security intelligence, there is a requirement for new techniques which need big data and big data analytics. IoT security does not alone deal with the security of the device, but it also has to care about the web interfaces, cloud services, and other devices that interact with it. There are many techniques used for addressing challenges like privacy of individuals, inference, and aggregation, which makes it possible to re-identify individuals' even though they are removed from a dataset. It is understood that a few security vulnerabilities could lead to insecure web interface. This chapter discusses the challenges in security and how big data can be used for it. It also analyzes the various attacks and threat modeling in detail. Two case studies in two different areas are also discussed.

Download Full-text

Survey of Vulnerabilities and Mitigation Techniques for Mooc-Based Applications

International Journal of Secure Software Engineering ◽

10.4018/ijsse.2016100101 ◽

2016 ◽

Vol 7 (4) ◽

pp. 1-18 ◽

Cited By ~ 1

Author(s):

Hossain Shahriar ◽

Hisham M. Haddad ◽

David Lebron ◽

Rubana Lupu

Keyword(s):

Open Source Software ◽

Exploratory Study ◽

Online Courses ◽

Software Security ◽

Low Cost ◽

Massive Open Online Courses ◽

Massive Open Online ◽

Security Vulnerabilities ◽

Cloud Environments ◽

Mitigation Techniques

Massive Open Online Courses (MOOCs) are commonly hosted as web servers for learners worldwide to access education and learning materials at low cost. Many of the well-known MOOCs have adopted open source software and database technologies and frequently operate within cloud environments. It is likely that the well-known software security vulnerabilities may manifest to MOOC-based applications. Unfortunately, few studies have identified a set of common vulnerabilities applicable to MOOC-based applications. This paper1 presents an exploratory study of potential security vulnerabilities and challenges for MOOC platforms, and it provide some guidelines and suggestions to mitigate these concerns. This study helps practitioners (educators and developers) to adopt MOOC applications while considering potential vulnerabilities and be prepared to deal with these risks.

Download Full-text