DOCSLIB.ORG

Understanding and Securing Device Vulnerabilities Through Automated

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Understanding and Securing Device Vulnerabilities through Automated Bug Report Analysis Xuan Feng1;2;5,∗ Xiaojing Liao2, XiaoFeng Wang2, Haining Wang3 Qiang Li4, Kai Yang1;5, Hongsong Zhu1;5, Limin Sun1;5† 1 Beijing Key Laboratory of IoT Information Security Technology, IIE,‡ CAS, China 2 Department of Computer Science, Indiana University Bloomington, USA 3 Department of Electrical and Computer Engineering, University of Delaware, USA 4 School of Computer and Information Technology, Beijing Jiaotong University, China 5 School of Cyber Security, University of Chinese Academy of Sciences , China Abstract in new security challenges: they are more vulnerable than Recent years have witnessed the rise of Internet-of-Things conventional computing systems. IoT systems may fall into (IoT) based cyber attacks. These attacks, as expected, are an adversary’s grip once their vulnerabilities are exposed. launched from compromised IoT devices by exploiting secu- Indeed, recent years have seen a wave of high-profile IoT rity flaws already known. Less clear, however, are the fun- related cyber attacks, with prominent examples including IoT damental causes of the pervasiveness of IoT device vulner- Reaper [25], Hajime [24], and Mirai [41]. Particularly, com- abilities and their security implications, particularly in how promised IoT systems are becoming the mainstay for today’s they affect ongoing cybercrimes. To better understand the botnets, playing a central role in recent distributed denial-of- problems and seek effective means to suppress the wave of service attacks and other cybercrimes [39]. An example is IoT-based attacks, we conduct a comprehensive study based Mirai, which involved hundreds of thousands of IoT devices on a large number of real-world attack traces collected from and generated an attack volume at 600 Gbps, overwhelming our honeypots, attack tools purchased from the underground, Krebs on Security, OVH, and Dyn. It does not come as a sur- and information collected from high-profile IoT attacks. This prise that these devices are reported to be hacked all through study sheds new light on the device vulnerabilities of today’s known vulnerabilities, including those caused by misconfig- IoT systems and their security implications: ongoing cyber uration or mismanagement, just like unpatched servers and attacks heavily rely on these known vulnerabilities and the personal computers that are routinely exploited [42]. Still attack code released through their reports; on the other hand, less clear, however, are the fundamental causes for this trend such a reliance on known vulnerabilities can actually be used of malicious activities that are disproportionately related to against adversaries. The same bug reports that enable the de- IoT systems and these vulnerable devices’ impact upon the velopment of an attack at an exceedingly low cost can also be cybercrime ecosystem. leveraged to extract vulnerability-specific features that help Understanding the perilous IoT world. More specifically, stop the attack. In particular, we leverage Natural Language we raise the following questions: Why are IoT devices more Processing (NLP) to automatically collect and analyze more favorable to cybercriminals than other Internet hosts? How than 7,500 security reports (with 12,286 security critical IoT important are known vulnerabilities to the ongoing attacks on flaws in total) scattered across bug-reporting blogs, forums, IoT systems? Is there an effective defense to mitigate ongoing and mailing lists on the Internet. We show that signatures attacks? The answers to these questions are critical for seeking can be automatically generated through an NLP-based report an effective means to thwart the wave of malicious attacks that analysis, and be used by intrusion detection or firewall sys- increasingly rely on a large number of vulnerable IoT devices. tems to effectively mitigate the threats from today’s IoT-based Finding these answers, however, is by no means trivial due to attacks. the challenges in (1) recovering disclosed IoT vulnerabilities from a large number of vulnerability reports scattered around 1 Introduction forums, mailing lists, and blogs, and (2) collecting artifacts from the cybercrime underground to study how known flaws The pervasiveness of Internet-of-Things (IoT) systems, rang- are utilized and how significant they are to ongoing criminal ing from cameras, routers, and printers to various home au- activities. tomation, industrial control and medical systems, also brings To understand how cybercriminals use these known vulner- ∗Work was done while visiting Indiana University Bloomington. abilities, we set up honeypots to collect the data of real-world †Corresponding author IoT exploits and also analyzed four popular attack toolkits. ‡Institute of Information Engineering From the adversary’s end, our study shows that today’s IoT attacks almost exclusively use known vulnerabilities for ex- observations demonstrate that IoT devices are indeed more ploitation. Specifically, among 81 different exploit scripts vulnerable, less patchable, and easier to attack than traditional recovered from our honeypots, we found that 78 of them are Internet hosts, elucidating the ongoing cybercrime trend that on our vulnerability list. Also, each of the four attack toolkits heavily relies on these devices. we studied incorporates the exploits on at least 34 vulnera- • New defense. More importantly, these findings also present bilities, with all of them on our list. More importantly, we us with an opportunity that could lead to the immediate de- evidence that an adversary extensively leverages the exploit feat of most attack vectors in today’s IoT-related attacks. We code released together with the vulnerability reports, and in demonstrate that from the same sources adversaries use to most cases, directly copies the code or slightly adjusts it. More build their exploits, vulnerability signatures can be automati- than 80% of the IoT-related reports come with working attack cally generated using NLP, and be quickly deployed to shield methods. Given our observations that most of IoT vulnerabil- IoT devices from malicious attacks. Given the adversary’s ities can be exploited to attack target devices (compared with dependence on these known vulnerabilities, we believe that only 5% exploitable ones in Linux kernel vulnerabilities [43]), this simple, low cost yet effective defense will significantly it is apparent that the cost for attacking IoT systems today is raise the bar for future IoT-related attacks. exceedingly low. Roadmap. The rest of the paper is organized as follows. Sec- Automated protection generation. On the other hand, we tion2 presents the background and our threat model. Section3 show that adversaries’ indulgence in such low-hanging fruits describes our new understandings on IoT vulnerabilities and can actually be used against themselves. Specifically, the re- real-world threats to IoT devices. Section4 introduces the liance on known vulnerabilities means that a large attack automated protection generation to defend against IoT attacks. surface would be closed once these problems have been fixed. Sections5 and6 present the implementation and evaluation of Interestingly, this turns out to be completely feasible, due our automated protection generation, respectively. Section7 to the simplicity of the problems and the availability of the discusses the limitations of this study and mitigation. Sec- vulnerability disclosure and attack code that carries all the tion8 surveys related work, and finally, Section9 concludes information we need to fix the reported flaws. Based on this the paper. observation, we developed a framework, called IoTShield, which utilizes Natural-Language Processing (NLP) to au- tomatically evaluate the content of vulnerability reports. In 2 Background particular, IoTShield is based upon a set of automatic content analysis techniques that accurately discover IoT-related vul- IoT vulnerability life cycle. Usually, an IoT device’s vulner- nerability disclosures from a large number of vulnerability ability is a loophole in its firmware that enables an attacker to reports published at different sources. circumvent the deployed security measures [57]. Such a vul- Using the approaches above, we automatically analyzed nerability has a life cycle with distinct phases characterized by 430,000 vulnerability reports and discovered more than 7,500 its discovery, disclosure, exploitation, and patching. The first IoT reports in the past 20 years. Then, IoTShield extracts phase starts when the vulnerability is discovered by a vendor, key knowledge from these reports to automatically generate a hacker, or a third-party security researcher. The security vulnerability-specific signatures, which can be used by exist- risk becomes particularly high if it is first found by hackers. ing intrusion detection systems (IDSes) or web application The next phase is the public disclosure of the vulnerability firewalls (WAFs) to screen the traffic received by IoT de- by those who discover it, and is supposed to be done through vices under protection. We validated the efficacy of IoTShield a coordinated process [22], during which the vulnerability over 178,778 traces harvested by our honeypots, as well as information is kept confidential allowing vendors to create a 11,602 traces of eight real devices, including both attack and patch. However, this procedure is not always followed. Actual legitimate traffic. Furthermore, we evaluated the effectiveness real-world disclosures could
Recommended publications
  • BUGS in the SYSTEM a Primer on the Software Vulnerability Ecosystem and Its Policy Implications

    BUGS in the SYSTEM a Primer on the Software Vulnerability Ecosystem and Its Policy Implications

    ANDI WILSON, ROSS SCHULMAN, KEVIN BANKSTON, AND TREY HERR BUGS IN THE SYSTEM A Primer on the Software Vulnerability Ecosystem and its Policy Implications JULY 2016 About the Authors About New America New America is committed to renewing American politics, Andi Wilson is a policy analyst at New America’s Open prosperity, and purpose in the Digital Age. We generate big Technology Institute, where she researches and writes ideas, bridge the gap between technology and policy, and about the relationship between technology and policy. curate broad public conversation. We combine the best of With a specific focus on cybersecurity, Andi is currently a policy research institute, technology laboratory, public working on issues including encryption, vulnerabilities forum, media platform, and a venture capital fund for equities, surveillance, and internet freedom. ideas. We are a distinctive community of thinkers, writers, researchers, technologists, and community activists who Ross Schulman is a co-director of the Cybersecurity believe deeply in the possibility of American renewal. Initiative and senior policy counsel at New America’s Open Find out more at newamerica.org/our-story. Technology Institute, where he focuses on cybersecurity, encryption, surveillance, and Internet governance. Prior to joining OTI, Ross worked for Google in Mountain About the Cybersecurity Initiative View, California. Ross has also worked at the Computer The Internet has connected us. Yet the policies and and Communications Industry Association, the Center debates that surround the security of our networks are for Democracy and Technology, and on Capitol Hill for too often disconnected, disjointed, and stuck in an Senators Wyden and Feingold. unsuccessful status quo.
  • How to Analyze the Cyber Threat from Drones

    How to Analyze the Cyber Threat from Drones

    C O R P O R A T I O N KATHARINA LEY BEST, JON SCHMID, SHANE TIERNEY, JALAL AWAN, NAHOM M. BEYENE, MAYNARD A. HOLLIDAY, RAZA KHAN, KAREN LEE How to Analyze the Cyber Threat from Drones Background, Analysis Frameworks, and Analysis Tools For more information on this publication, visit www.rand.org/t/RR2972 Library of Congress Cataloging-in-Publication Data is available for this publication. ISBN: 978-1-9774-0287-5 Published by the RAND Corporation, Santa Monica, Calif. © Copyright 2020 RAND Corporation R® is a registered trademark. Cover design by Rick Penn-Kraus Cover images: drone, Kadmy - stock.adobe.com; data, Getty Images. Limited Print and Electronic Distribution Rights This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited. Permission is given to duplicate this document for personal use only, as long as it is unaltered and complete. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial use. For information on reprint and linking permissions, please visit www.rand.org/pubs/permissions. The RAND Corporation is a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous. RAND is nonprofit, nonpartisan, and committed to the public interest. RAND’s publications do not necessarily reflect the opinions of its research clients and sponsors. Support RAND Make a tax-deductible charitable contribution at www.rand.org/giving/contribute www.rand.org Preface This report explores the security implications of the rapid growth in unmanned aerial systems (UAS), focusing specifically on current and future vulnerabilities.
  • The CLASP Application Security Process

    The CLASP Application Security Process

    The CLASP Application Security Process Secure Software, Inc. Copyright (c) 2005, Secure Software, Inc. The CLASP Application Security Process The CLASP Application Security Process TABLE OF CONTENTS CHAPTER 1 Introduction 1 CLASP Status 4 An Activity-Centric Approach 4 The CLASP Implementation Guide 5 The Root-Cause Database 6 Supporting Material 7 CHAPTER 2 Implementation Guide 9 The CLASP Activities 11 Institute security awareness program 11 Monitor security metrics 12 Specify operational environment 13 Identify global security policy 14 Identify resources and trust boundaries 15 Identify user roles and resource capabilities 16 Document security-relevant requirements 17 Detail misuse cases 18 Identify attack surface 19 Apply security principles to design 20 Research and assess security posture of technology solutions 21 Annotate class designs with security properties 22 Specify database security configuration 23 Perform security analysis of system requirements and design (threat modeling) 24 Integrate security analysis into source management process 25 Implement interface contracts 26 Implement and elaborate resource policies and security technologies 27 Address reported security issues 28 Perform source-level security review 29 Identify, implement and perform security tests 30 The CLASP Application Security Process i Verify security attributes of resources 31 Perform code signing 32 Build operational security guide 33 Manage security issue disclosure process 34 Developing a Process Engineering Plan 35 Business objectives 35 Process
  • Threats and Vulnerabilities in Federation Protocols and Products

    Threats and Vulnerabilities in Federation Protocols and Products

    Threats and Vulnerabilities in Federation Protocols and Products Teemu Kääriäinen, CSSLP / Nixu Corporation OWASP Helsinki Chapter Meeting #30 October 11, 2016 Contents • Federation Protocols: OpenID Connect and SAML 2.0 – Basic flows, comparison between the protocols • OAuth 2.0 and OpenID Connect Vulnerabilities and Best Practices – Background for OAuth 2.0 security criticism, vulnerabilities related discussion and publicly disclosed vulnerabilities, best practices, JWT, authorization bypass vulnerabilities, mobile application integration. • SAML 2.0 Vulnerabilities and Best Practices – Best practices, publicly disclosed vulnerabilities • OWASP Top Ten in Access management solutions – Focus on Java deserialization vulnerabilites in different commercial and open source access management products • Forgerock OpenAM, Gluu, CAS, PingFederate 7.3.0 Admin UI, Oracle ADF (Oracle Identity Manager) Federation Protocols: OpenID Connect and SAML 2.0 • OpenID Connect is an emerging technology built on OAuth 2.0 that enables relying parties to verify the identity of an end-user in an interoperable and REST-like manner. • OpenID Connect is not just about authentication. It is also about authorization, delegation and API access management. • Reasons for services to start using OpenID Connect: – Ease of integration. – Ability to integrate client applications running on different platforms: single-page app, web, backend, mobile, IoT. – Allowing 3rd party integrations in a secure, interoperable and scalable manner. • OpenID Connect is proven to be secure and mature technology: – Solves many of the security issues that have been an issue with OAuth 2.0. • OpenID Connect and OAuth 2.0 are used frequently in social login scenarios: – E.g. Google and Microsoft Account are OpenID Connect Identity Providers. Facebook is an OAuth 2.0 authorization server.
  • Fuzzing with Code Fragments

    Fuzzing with Code Fragments

    Fuzzing with Code Fragments Christian Holler Kim Herzig Andreas Zeller Mozilla Corporation∗ Saarland University Saarland University [email protected] [email protected] [email protected] Abstract JavaScript interpreter must follow the syntactic rules of JavaScript. Otherwise, the JavaScript interpreter will re- Fuzz testing is an automated technique providing random ject the input as invalid, and effectively restrict the test- data as input to a software system in the hope to expose ing to its lexical and syntactic analysis, never reaching a vulnerability. In order to be effective, the fuzzed input areas like code transformation, in-time compilation, or must be common enough to pass elementary consistency actual execution. To address this issue, fuzzing frame- checks; a JavaScript interpreter, for instance, would only works include strategies to model the structure of the de- accept a semantically valid program. On the other hand, sired input data; for fuzz testing a JavaScript interpreter, the fuzzed input must be uncommon enough to trigger this would require a built-in JavaScript grammar. exceptional behavior, such as a crash of the interpreter. Surprisingly, the number of fuzzing frameworks that The LangFuzz approach resolves this conflict by using generate test inputs on grammar basis is very limited [7, a grammar to randomly generate valid programs; the 17, 22]. For JavaScript, jsfunfuzz [17] is amongst the code fragments, however, partially stem from programs most popular fuzzing tools, having discovered more that known to have caused invalid behavior before. LangFuzz 1,000 defects in the Mozilla JavaScript engine. jsfunfuzz is an effective tool for security testing: Applied on the is effective because it is hardcoded to target a specific Mozilla JavaScript interpreter, it discovered a total of interpreter making use of specific knowledge about past 105 new severe vulnerabilities within three months of and common vulnerabilities.
  • Paul Youn from Isec Partners

    Paul Youn from Isec Partners

    Where do security bugs come from? MIT 6.858 (Computer Systems Security), September 19th, 2012 Paul Youn • Technical Director, iSEC Partners • MIT 18/6-3 (‘03), M.Eng ’04 Tom Ritter • Security Consultant, iSEC Partners • (Research) Badass Agenda • What is a security bug? • Who is looking for security bugs? • Trust relationships • Sample of bugs found in the wild • Operation Aurora • Stuxnet • I’m in love with security; whatever shall I do? What is a Security Bug? • What is security? • Class participation: Tacos, Salsa, and Avocados (TSA) What is security? “A system is secure if it behaves precisely in the manner intended – and does nothing more” – Ivan Arce • Who knows exactly what a system is intended to do? Systems are getting more and more complex. • What types of attacks are possible? First steps in security: define your security model and your threat model Threat modeling: T.S.A. • Logan International Airport security goal #3: prevent banned substances from entering Logan • Class Participation: What is the threat model? • What are possible avenues for getting a banned substance into Logan? • Where are the points of entry? • Threat modeling is also critical, you have to know what you’re up against (many engineers don’t) Who looks for security bugs? • Engineers • Criminals • Security Researchers • Pen Testers • Governments • Hacktivists • Academics Engineers (create and find bugs) • Goals: • Find as many flaws as possible • Reduce incidence of exploitation • Thoroughness: • Need coverage metrics • At least find low-hanging fruit • Access:
  • The Tangled Genealogy of Iot Malware

    The Tangled Genealogy of Iot Malware

    The Tangled Genealogy of IoT Malware Emanuele Cozzi Pierre-Antoine Vervier Matteo Dell’Amico emanuele:cozzi@eurecom:fr France della@linux:it EURECOM France Sophia Antipolis, France Yun Shen Leyla Bilge Davide Balzarotti yun:shen@nortonlifelock:com leylya:yumer@nortonlifelock:com davide:balzarotti@eurecom:fr NortonLifeLock, Inc. NortonLifeLock, Inc. EURECOM Reading, United Kingdom Sophia Antipolis, France Sophia Antipolis, France ABSTRACT 1 INTRODUCTION The recent emergence of consumer off-the-shelf embedded (IoT) Over the last few years we have witnessed an increase in both the devices and the rise of large-scale IoT botnets has dramatically in- volume and sophistication of malware targeting IoT systems. Tra- creased the volume and sophistication of Linux malware observed ditional botnets and DDoS tools now cohabit with crypto-mining, in the wild. The security community has put a lot of effort to docu- spyware, ransomware, and targeted samples designed to conduct ment these threats but analysts mostly rely on manual work, which cyber espionage. To make things worse, the public availability of makes it difficult to scale and hard to regularly maintain. Moreover, the source code associated with some of the main IoT malware the vast amount of code reuse that characterizes IoT malware calls families have paved the way for myriads of variants and tangled for an automated approach to detect similarities and identify the relationships of similarities and code reuse. To make sense of this phylogenetic tree of each family. complex evolution, the security community has devoted a consider- In this paper we present the largest measurement of IoT malware able effort to analyze and document these emerging threats, mostly to date.
  • Designing New Operating Primitives to Improve Fuzzing Performance

    Designing New Operating Primitives to Improve Fuzzing Performance

    Designing New Operating Primitives to Improve Fuzzing Performance Wen Xu Sanidhya Kashyap Changwoo Miny Taesoo Kim Georgia Institute of Technology Virginia Techy ABSTRACT from malicious attacks, various financial organizations and com- Fuzzing is a software testing technique that finds bugs by repeatedly munities, that implement and use popular software and OS kernels, injecting mutated inputs to a target program. Known to be a highly have invested major efforts on finding and fixing security bugsin practical approach, fuzzing is gaining more popularity than ever their products, and one such effort to finding bugs in applications before. Current research on fuzzing has focused on producing an and libraries is fuzzing. Fuzzing is a software-testing technique input that is more likely to trigger a vulnerability. that works by injecting randomly mutated input to a target pro- In this paper, we tackle another way to improve the performance gram. Compared with other bug-finding techniques, one of the of fuzzing, which is to shorten the execution time of each itera- primary advantages of fuzzing is that it ensures high throughput tion. We observe that AFL, a state-of-the-art fuzzer, slows down by with less manual efforts and pre-knowledge of the target software. 24× because of file system contention and the scalability of fork() In addition, it is one of the most practical approach to finding system call when it runs on 120 cores in parallel. Other fuzzers bugs in various critical software. For example, the state-of-the-art are expected to suffer from the same scalability bottlenecks inthat coverage-driven fuzzer, American Fuzzy Lop (AFL), has discovered they follow a similar design pattern.
  • Empirical Analysis and Automated Classification of Security Bug Reports

    Empirical Analysis and Automated Classification of Security Bug Reports

    Graduate Theses, Dissertations, and Problem Reports 2016 Empirical Analysis and Automated Classification of Security Bug Reports Jacob P. Tyo Follow this and additional works at: https://researchrepository.wvu.edu/etd Recommended Citation Tyo, Jacob P., "Empirical Analysis and Automated Classification of Security Bug Reports" (2016). Graduate Theses, Dissertations, and Problem Reports. 6843. https://researchrepository.wvu.edu/etd/6843 This Thesis is protected by copyright and/or related rights. It has been brought to you by the The Research Repository @ WVU with permission from the rights-holder(s). You are free to use this Thesis in any way that is permitted by the copyright and related rights legislation that applies to your use. For other uses you must obtain permission from the rights-holder(s) directly, unless additional rights are indicated by a Creative Commons license in the record and/ or on the work itself. This Thesis has been accepted for inclusion in WVU Graduate Theses, Dissertations, and Problem Reports collection by an authorized administrator of The Research Repository @ WVU. For more information, please contact [email protected]. Empirical Analysis and Automated Classification of Security Bug Reports Jacob P. Tyo Thesis submitted to the Benjamin M. Statler College of Engineering and Mineral Resources at West Virginia University in partial fulfillment of the requirements for the degree of Master of Science in Electrical Engineering Katerina Goseva-Popstojanova, Ph.D., Chair Roy S. Nutter, Ph.D. Matthew C. Valenti, Ph.D. Lane Department of Computer Science and Electrical Engineering CONFIDENTIAL. NOT TO BE DISTRIBUTED. Morgantown, West Virginia 2016 Keywords: Cybersecurity, Machine Learning, Issue Tracking Systems, Text Mining, Text Classification Copyright 2016 Jacob P.
  • Functional and Non Functional Requirements

    Functional and Non Functional Requirements

    Building Security Into Applications Marco Morana OWASP Chapter Lead Blue Ash, July 30th 2008 OWASP Cincinnati Chapter Meetings Copyright 2008 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org Agenda 1. Software Security Awareness: Business Cases 2. Approaches To Application Security 3. Software Security Roadmap (CMM, S-SDLCs) 4. Software Security Activities And Artifacts Security Requirements and Abuse Cases Threat Modeling Secure Design Guidelines Secure Coding Standards and Reviews Security Tests Secure Configuration and Deployment 5. Metrics and Measurements 6. Business Cases OWASP 2 Software Security Awareness Business Cases OWASP 3 Initial Business Cases For Software Security Avoid Mis-Information: Fear Uncertainty Doubt (FUD) Use Business Cases: Costs, Threat Reports, Root Causes OWASP 4 Business Case #1: Costs “Removing only 50 percent of software vulnerabilities before use will reduce defect management and incident response costs by 75 percent.” (Gartner) The average cost of a security bulletin is 100,000 $ (M. Howard and D. LeBlanc in Writing Secure Software book) It is 100 Times More Expensive to Fix Security Bug at Production Than Design” (IBM Systems Sciences Institute) OWASP 5 Business Case #2: Threats To Applications 93.8% of all phishing attacks in 2007 are targeting financial institutions (Anti- Phishing Group) Phishing attacks soar in 2007 (Gartner) 3.6 Million victims, $ 3.2 Billion Loss (2007)
  • Software Bug Bounties and Legal Risks to Security Researchers Robin Hamper

    Software Bug Bounties and Legal Risks to Security Researchers Robin Hamper

    Software bug bounties and legal risks to security researchers Robin Hamper (Student #: 3191917) A thesis in fulfilment of the requirements for the degree of Masters of Law by Research Page 2 of 178 Rob Hamper. Faculty of Law. Masters by Research Thesis. COPYRIGHT STATEMENT ‘I hereby grant the University of New South Wales or its agents a non-exclusive licence to archive and to make available (including to members of the public) my thesis or dissertation in whole or part in the University libraries in all forms of media, now or here after known. I acknowledge that I retain all intellectual property rights which subsist in my thesis or dissertation, such as copyright and patent rights, subject to applicable law. I also retain the right to use all or part of my thesis or dissertation in future works (such as articles or books).’ ‘For any substantial portions of copyright material used in this thesis, written permission for use has been obtained, or the copyright material is removed from the final public version of the thesis.’ Signed ……………………………………………........................... Date …………………………………………….............................. AUTHENTICITY STATEMENT ‘I certify that the Library deposit digital copy is a direct equivalent of the final officially approved version of my thesis.’ Signed ……………………………………………........................... Date …………………………………………….............................. Thesis/Dissertation Sheet Surname/Family Name : Hamper Given Name/s : Robin Abbreviation for degree as give in the University calendar : Masters of Laws by Research Faculty : Law School : Thesis Title : Software bug bounties and the legal risks to security researchers Abstract 350 words maximum: (PLEASE TYPE) This thesis examines some of the contractual legal risks to which security researchers are exposed in disclosing software vulnerabilities, under coordinated disclosure programs (“bug bounty programs”), to vendors and other bug bounty program operators.
  • Early Detection of Mirai-Like Iot Bots in Large-Scale Networks Through Sub-Sampled Packet Traffic Analysis

    Early Detection of Mirai-Like Iot Bots in Large-Scale Networks Through Sub-Sampled Packet Traffic Analysis

    Early Detection Of Mirai-Like IoT Bots In Large-Scale Networks Through Sub-Sampled Packet Traffic Analysis Ayush Kumar and Teng Joon Lim Department of Electrical and Computer Engineering, National University of Singapore, Singapore 119077 [email protected], [email protected] Abstract. The widespread adoption of Internet of Things has led to many secu- rity issues. Recently, there have been malware attacks on IoT devices, the most prominent one being that of Mirai. IoT devices such as IP cameras, DVRs and routers were compromised by the Mirai malware and later large-scale DDoS at- tacks were propagated using those infected devices (bots) in October 2016. In this research, we develop a network-based algorithm which can be used to detect IoT bots infected by Mirai or similar malware in large-scale networks (e.g. ISP network). The algorithm particularly targets bots scanning the network for vul- nerable devices since the typical scanning phase for botnets lasts for months and the bots can be detected much before they are involved in an actual attack. We analyze the unique signatures of the Mirai malware to identify its presence in an IoT device. The prospective deployment of our bot detection solution is discussed next along with the countermeasures which can be taken post detection. Further, to optimize the usage of computational resources, we use a two-dimensional (2D) packet sampling approach, wherein we sample the packets transmitted by IoT devices both across time and across the devices. Leveraging the Mirai signatures identified and the 2D packet sampling approach, a bot detection algorithm is pro- posed.