International Conferences: Software Security and Reliability (2014) San Francisco

The 2014 Eighth International Conference on Software Security and Reliability (SERE) was held June 30 2014-July 2 2014 in San Francisco, California. SERE 2014 brought together researchers and practitioners of software security and reliability and had 26 paper presentations.  The Science of Security-related papers are cited here.

Farhadi, M.R.; Fung, B.C.M.; Charland, P.; Debbabi, M., "BinClone: Detecting Code Clones in Malware," Software Security and Reliability, 2014 Eighth International Conference on, pp.78, 87, June 30 2014-July 2 2014. doi: 10.1109/SERE.2014.21 To gain an in-depth understanding of the behaviour of a malware, reverse engineers have to disassemble the malware, analyze the resulting assembly code, and then archive the commented assembly code in a malware repository for future reference. In this paper, we have developed an assembly code clone detection system called BinClone to identify the code clone fragments from a collection of malware binaries with the following major contributions. First, we introduce two deterministic clone detection methods with the goals of improving the recall rate and facilitating malware analysis. Second, our methods allow malware analysts to discover both exact and inexact clones at different token normalization levels. Third, we evaluate our proposed clone detection methods on real-life malware binaries. To the best of our knowledge, this is the first work that studies the problem of assembly code clone detection for malware analysis.

Keywords: invasive software; program diagnostics; reverse engineering; Bin Clone; BinClone; assembly code analysis; assembly code clone detection system ;code clone fragment identification; commented assembly code archiving; deterministic clone detection method; inexact clone discovery; malware analysis; malware behaviour understanding; malware binaries; malware disassembly; malware repository; recall rate; reverse engineers; token normalization level; Assembly; Cloning; Detectors; Feature extraction; Malware; Registers; Vectors; Assembly Code Clone Detection; Binary Analysis; Malware Analysis; Reverse Engineering (ID#: 15-3510)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6895418&isnumber=6895396

Zech, P.; Felderer, M.; Katt, B.; Breu, R., "Security Test Generation by Answer Set Programming," Software Security and Reliability, 2014 Eighth International Conference on, pp.88,97, June 30 2014-July 2 2014. doi: 10.1109/SERE.2014.22 Security testing still is a hard task, especially if focusing on non-functional security testing. The two main reasons behind this are, first, at the most a lack of the necessary knowledge required for security testing, and second, managing the almost infinite amount of negative test cases, which result from potential security risks. To the best of our knowledge, the issue of the automatic incorporation of security expert knowledge, e.g., known vulnerabilities, exploits and attacks, in the process of security testing is not well considered in the literature. Furthermore, well-known "de facto" security testing approaches, like fuzzing or penetration testing, lack systematic procedures regarding the order of execution of test cases, which renders security testing a cumbersome task. Hence, in this paper we propose a new method for generating negative security tests by logic programming, which applies a risk analysis to establish a set of negative requirements for later test generation.

Keywords: logic programming; program testing; risk analysis; safety-critical software; answer set programming; logic programming; negative requirements; negative security tests; nonfunctional security testing; risk analysis; security expert knowledge; security risks; security test generation; Logic programming; Risk analysis; Security; Semantics; Software; Testing; Unified modeling language; Answer Set Programming; Knowledge Representation; Logic Programming; Security Engineering; Security Testing; Software Testing; Test Generation (ID#: 15-3511)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6895419&isnumber=6895396

Herscheid, L.; Tröger, P., "Specification of Dynamic Fault Tree Concepts with Stochastic Petri Nets," Software Security and Reliability, 2014 Eighth International Conference on, pp.177, 186, June 30 2014-July 2 2014. doi: 10.1109/SERE.2014.31 Dependability modeling describes a set of approaches for analyzing the reliability of software and hardware systems. The most prominent approach are fault trees, which hierarchically express the causal dependencies between basic faults and an undesired failure event. Dynamic fault trees allow to express sequence-dependent error propagation, which is commonly found in software systems. In this paper, we present a complete behavioral specification of well-known dynamic fault tree concepts. We provide a novel connection rule definition for all commonly accepted node types, in combination with a description of their behavioral semantics in generalized stochastic petri nets. Both specifications together are not available in literature so far. The application of these specifications in fault tree generation and modeling tools can help to prevent syntactical and semantical ambiguity in the generated output.

Keywords: Petri nets; fault tolerant computing; fault trees; formal specification; software reliability; stochastic processes; behavioral semantics; behavioral specification; connection rule; dependability modeling; dynamic fault tree; failure event; semantical ambiguity; sequence-dependent error propagation; software reliability; stochastic Petri nets; syntactical ambiguity; Artificial neural networks; Fault trees; Logic gates; Petri nets; Semantics; Software; Stochastic processes; Dependability Modeling; Fault tolerant systems; Fault trees; Petri nets; Software reliability  (ID#: 15-3512)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6895428&isnumber=6895396

Yen-Ju Liu; Chong-Kuan Chen; Cho, M.C.Y.; Shiuhpyng Shieh, "Fast Discovery of VM-Sensitive Divergence Points with Basic Block Comparison," Software Security and Reliability, 2014 Eighth International Conference on, pp.196,205, June 30 2014-July 2 2014. doi: 10.1109/SERE.2014.33 To evade VM-based malware analysis systems, VM-aware malware equipped with the ability to detect the presence of virtual machine has appeared. To cope with the problem, detecting VM-aware malware and locating VM-sensitive divergence points of VM-aware malware is in urgent need. In this paper, we propose a novel block-based divergence locator. In contrast to the conventional instruction-based schemes, the block-based divergence locator divides malware program into basic blocks, instead of binary instructions, and uses them as the analysis unit. The block-based divergence locator significantly decrease the cost of behavior logging and trace comparison, as well as the size of behavior traces. As the evaluation showed, behavior logging is 23.87-39.49 times faster than the conventional schemes. The total number of analysis unit, which is highly related to the cost of trace comparisons, is 11.95%-16.00% of the conventional schemes. Consequently, VM-sensitive divergence points can be discovered more efficiently. The correctness of our divergence point discovery algorithm is also proved formally in this paper.

Keywords: invasive software; virtual machines; VM-based malware analysis systems; VM-sensitive divergence points; basic block comparison; binary instructions; block-based divergence locator; virtual machine; Emulation; Hardware; Indexes; Malware; Timing; Virtual machining; Virtualization; Malware Behavior Analysis; VM-Aware Malware; Virtual Machine  (ID#: 15-3513)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6895430&isnumber=6895396

Mell, P.; Harang, R.E., "Using Network Tainting to Bound the Scope of Network Ingress Attacks," Software Security and Reliability, 2014 Eighth International Conference on, pp.206,215, June 30 2014-July 2 2014. doi: 10.1109/SERE.2014.34 This research describes a novel security metric, network taint, which is related to software taint analysis. We use it here to bound the possible malicious influence of a known compromised node through monitoring and evaluating network flows. The result is a dynamically changing defense-in-depth map that shows threat level indicators gleaned from monotonically decreasing threat chains. We augment this analysis with concepts from the complex networks research area in forming dynamically changing security perimeters and measuring the cardinality of the set of threatened nodes within them. In providing this, we hope to advance network incident response activities by providing a rapid automated initial triage service that can guide and prioritize investigative activities.

Keywords: network theory (graphs); security of data; defense-in-depth map; network flow evaluation; network flow monitoring; network incident response activities; network ingress attacks; network tainting metric; security metric; security perimeters; software taint analysis ;threat level indicators; Algorithm design and analysis; Complex networks; Digital signal processing; Measurement; Monitoring; Security; Software; complex networks; network tainting; scale-free; security  (ID#: 15-3514)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6895431&isnumber=6895396

Howser, G.; McMillin, B., "A Modal Model of Stuxnet Attacks on Cyber-physical Systems: A Matter of Trust," Software Security and Reliability, 2014 Eighth International Conference on, pp.225, 234, June 30 2014-July 2 2014. doi: 10.1109/SERE.2014.36 Multiple Security Domains Nondeducibility, MSDND, yields results even when the attack hides important information from electronic monitors and human operators. Because MSDND is based upon modal frames, it is able to analyze the event system as it progresses rather than relying on traces of the system. Not only does it provide results as the system evolves, MSDND can point out attacks designed to be missed in other security models. This work examines information flow disruption attacks such as Stuxnet and formally explains the role that implicit trust in the cyber security of a cyber physical system (CPS) plays in the success of the attack. The fact that the attack hides behind MSDND can be used to help secure the system by modifications to break MSDND and leave the attack nowhere to hide. Modal operators are defined to allow the manipulation of belief and trust states within the model. We show how the attack hides and uses the operator's trust to remain undetected. In fact, trust in the CPS is key to the success of the attack.

Keywords: security of data; trusted computing; CPS; MSDND; Stuxnet attacks; belief manipulation; cyber physical system; cyber security; cyber-physical systems; electronic monitors; event system analysis; human operators; implicit trust; information flow disruption attacks; modal frames; modal model; multiple security domains nondeducibility; security models; trust state manipulation; Analytical models; Bismuth; Cognition; Cost accounting; Monitoring; Security; Software; Stuxnet; cyber-physical systems; doxastic logic; information flow security; nondeducibility; security models  (ID#: 15-3515)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6895433&isnumber=6895396

Hsiao-Ying Lin; Li-Ping Tung; Lin, B.S.P., "Reliable Repair Mechanisms with Low Connection Cost for Code Based Distributed Storage Systems," Software Security and Reliability, 2014 Eighth International Conference on, pp.235,244, June 30 2014-July 2 2014. doi: 10.1109/SERE.2014.37 Erasure codes are applied in distributed storage systems for fault-tolerance with lower storage overhead than replications. Later, decentralized erasure codes are proposed for decentralized or loosely-organized storage systems. Repair mechanisms aim at maintaining redundancy over time such that stored data are still retrievable. Two recent repair mechanisms, Noop and Coop, are designed for decentralized erasure code based distributed storage system to minimize connection cost in theoretical manner. We propose a generalized repair framework, which includes Noop and Coop as two extreme cases. We then investigate trade-off between connection cost and data retrievability from an experimental aspect in our repair framework. Our results show that a reasonable data retrievability is achievable with constant connection cost, which is less than previously analytical values. These results are valuable references for a system manager to build a reliable storage system with low connection cost.

Keywords: software fault tolerance; software maintenance; storage management; Coop repair mechanism; Noop repair mechanism; code based distributed storage system; decentralized erasure codes; erasure codes; fault-tolerance; low connection cost; reliable repair mechanism; Analytical models; Data models; Encryption; Maintenance engineering; Mathematical model; Reliability; Servers; Erasure codes; code based distributed storage systems; data retrievability; fault tolerance; regenerating codes  (ID#: 15-3516)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6895434&isnumber=6895396

Note:

Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to news@scienceofsecurity.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.