Workshop Program

Web applications are the target of many known exploits and also a fertile ground for the discovery of security vulnerabilities. Those applications may be exploitable not only because of the vulnerabilities in their source code, but also because of the environments on which they are deployed and run. Execution environments usually consist of application servers, databases and other supporting applications. In order to test whether known exploits can be reproduced in different settings, better understand their effects and facilitate the discovery of new vulnerabilities, we need to have a reliable testbed. In this paper, we present TESTREX, a testbed for repeatable exploits, which has as main features: packing and running applications with their environments; injecting exploits and monitoring their success; and generating security reports. We also provide a corpus of example applications, taken from related works or implemented by us.

The code is available on the web at https://securitylab.disi.unitn.it/doku.php?id=software

Ensuring that exploitable vulnerabilities do not exist in a piece of software written using type-unsafe languages (e.g., C/C++) is still a challenging, largely unsolved problem. Current commercial security tools are improving but still have shortcomings, including limited detection rates for certain vulnerability classes and high falsepositive rates (which require a security expert’s knowledge to analyze). To address this there is a great deal of ongoing research in software vulnerability detection and mitigation as well as in experimentation and evaluation of the associated software security tools. We present the secondgeneration prototype of the MINESTRONE architecture along with a large-scale evaluation conducted under the IARPA STONESOUP program. This second evaluation includes improvements in the scale and realism of the test suite with real-world test programs up to 200+KLOC. This paper presents three main contributions. First, we show that the MINESTRONE framework remains a useful tool for evaluating real-world software for security vulnerabilities. Second, we enhance the existing tools to provide detection of previously omitted vulnerabilities. Finally, we provide an analysis of the test corpus and give lessons learned from the test and evaluation.

User space memory randomization techniques are an emerging field of cyber defensive technology which attempts to protect computing systems by randomizing the layout of memory. Quantitative metrics are needed to evaluate their effectiveness at securing systems against modern adversaries and to compare between randomization technologies. We introduce Effective Entropy, a measure of entropy in user space memory which quantitatively considers an adversary’s ability to leverage low entropy regions of memory via absolute and dynamic inter-section connections. Effective Entropy is indicative of adversary workload and enables comparison between different randomization techniques. Using Effective Entropy, we present a comparison of static Address Space Layout Randomization (ASLR), Position Independent Executable (PIE) ASLR, and a theoretical fine grain randomization technique.

In the field of IT security the development of Proof of Concept (PoC) implementations is a commonly accepted method to determine the exploitability of an identified weakness. Most security issues provide a rather straightforwad method of asserting the PoCs efficiency. That is, it either works or it does not. Hence, data gathering and exfiltration techniques usually remain in a position where the viability has to be empirically verified. One of these cases are mobile device keyloggers, which only recently have been starting to exploit side-channels to infer heuristic information on a user’s input. With this introduction of side channels exploiting heuristic information the performance of a keylogger may no longer be described with “it works and gathered what was typed”. Instead, the viability of the keylogger has to be assessed based on various typing speeds, user input styles and many metrics more as documented in this paper. The authors of this document provide a survey of the required metrics and features. Furthermore, they have developed a framework to assess the performance of a keylogger. This paper provides the documentation on how such a study can be conducted, while the required source code is shared online.

In order for the field of computer security to progress, we need to know the true value of different security technologies and understand how they work in practice. It is important to evaluate their effectiveness as they are being used in an ecologically valid environment. To this end, we postulate that security products could be evaluated by conducting computer security clinical trials. To show the feasibility of such approach, we did a 4-month proof of concept study with 50 users, that aimed to evaluate an anti-malware product. In this paper, we present the study we performed and provide lessons learned and recommendations on the challenges, limitations and considerations of conducting computer security clinical trials.

Cyber security education and outreach is a national priority. It is critical to encourage high school students to pursue studies in cyber security and related fields. High school outreach is a fundamental component of a cohesive cyber security education program. Most high school outreach programs in cyber security focus on short-term events such as a capture the flag contest or the CyberPatriot competition. While a competitive event is engaging for high school students, it does not give a comprehensive overview of cyber security education and careers.

We explored the use of a four-week, hands-on, intensive summer programfor engaging and encouraging high school students to pursue cyber security education and careers. The program brings high school students and high school teachers onto the university campus to interact with university professors and university students.