AJECT: Attack Injection on Software Components
From Navigators
- Research Line(s): Fault and Intrusion Tolerance in Open Distributed Systems (FIT)
- Sponsor: FCT
- Project Number: POSC/EIA/61643/2004
- Total award amount: 48.5K Euros
- Coordinator: FCUL
- Partners: FCUL
- Start Date: May 2005
- Duration: 24 months
- Keywords: security, fault injection, software vulnerability, software tools
- Team at FCUL: 7 researchers, including Nuno Ferreira Neves, Paulo Verissimo, Miguel Correia, João Antunes, Manuel Mendonça, Emanuel Teixeira, Ana Cotrim
Computer security is an important research subject due to our reliance on computer systems for the execution of our everyday life activities. In the near future, this dependency will tend to increase as more and more tasks will be done with the help of computers and through open networks (e.g., e-commerce, e-government, e-health). These systems, however, are vulnerable, as indicated by the attacks to corporate networks that are reported daily in the news.
An attack to be executed successfully, and to result in an intrusion, has to be able to explore a vulnerability in the computer system. These vulnerabilities might be located in distinct components, ranging from the processor firmware to some library linked to an application. Many causes can explain why these vulnerabilities are inserted, for instance incorrect configuration parameters, ill defined relations between components, or bad programming.
In this project we want to study and analyze software vulnerabilities. Modern software is complex, but it will tend to become even more complicated in the future. For example, the number of lines of code (LOC) in common operating systems has grown steadily over the years, which is a sign of the increasing complexity (Windows 3.1 had roughly 3 million LOC while Windows XP has about 40 million LOC). Estimates indicate that around 5 to 50 bugs per thousand LOC remain after testing. Consequently, the potential number of vulnerabilities that exist in a modern operating system is very large, even if we assume that most bugs can not be exploited.
Therefore, if we want to prevent malicious adversaries from compromising our systems, we need first to get a better understanding about how vulnerabilities are exploited, and then we have to develop tools that will enable us to automatically detect potential software problems.
Aims
In this project we want to make contributions in the following important areas:
the project will research new techniques that will allow the automatic discovery of vulnerabilities. These techniques will be implemented in tools that will systematically inject attacks against software components. We will start by building injection tools for buffer overflows, since they correspond to the most common type of vulnerability. Then, we will look at more sophisticated vulnerabilities, such as race conditions.
the project will utilize the developed tools to evaluate relevant applications. We will select well known software components (e.g., operating system, browser) and then we will perform injection experiments to determine their behavior under attack.
Publications
- João Antunes, Nuno Ferreira Neves, Miguel Correia, Paulo Verissimo, Rui Neves, “Vulnerability Removal with Attack Injection”, IEEE Transactions on Software Engineering, Special issue on Evaluation and Improvement of Software Dependability, Jun. 2010.
- João Antunes, Nuno Ferreira Neves, Paulo Verissimo, “Detection and Prediction of Resource-Exhaustion Vulnerabilities”, in Proceedings of the 19th IEEE International Symposium on Software Reliability Engineering, Seattle/Redmond, WA, USA, Nov. 2008.
- João Antunes, Nuno Ferreira Neves, Paulo Verissimo, “Finding Local Resource Exhaustion Vulnerabilities”, in Student paper in Proceedings of the International Symposium on Software Reliability Engineering (ISSRE), Trollhättan, Sweden, November 2007., Nov. 2007.
- Emanuel Teixeira, João Antunes, Nuno Ferreira Neves, “Avaliação de Ferramentas de Análise Estática de Código para Detecção de Vulnerabilidades”, in Proceedings of the Segurança Informática nas Organizações, Nov. 2007.
- Nuno Ferreira Neves, João Antunes, Miguel Correia, Paulo Verissimo, Rui Neves, “Using Attack Injection to Discover New Vulnerabilities”, in Proceedings of the International Conference on Dependable Systems and Networks (DSN), Philadelphia, USA, June 2006., Jun. 2006.
- João Antunes, Nuno Ferreira Neves, Miguel Correia, Paulo Verissimo, Rui Neves, “Diagnóstico de Vulnerabilidades através da Injecção de Ataques”, in 1ª Conferência Nacional sobre Segurança Informática nas Organizações (SINO 2005), Covilhã, Portugal., Oct. 2005.
BibTeX
Navigators - AJECT projectCurrent projects: | VEDLIoT, SATO, ADMORPH, SEAL, AQUAMON, UPVN, REDBOOK, ThreatAdapt, SEL, Xivt |
---|---|
Past projects: | TCLOUDS, MASSIF, MAFTIA, RESIST NoE, DiSIEM, KARYON, HIDENETS, CORTEX, CRUTIAL, TRONE, SITAN, ReD, IRCoC, DIVERSE, CloudFIT, READAPT, REGENESYS, RC-Clouds, TACID, DARIO, RITAS, AJECT, MICRA, DEAR-COTS, COPE, DEFEATS, MOOSCO, TOPCOM, RE:DY, NORTH, Abyss, SUPERCLOUD, COST Action IC1402, SEGRID, BioBankCloud, SAPIENT, PROPHECY, SecFuNet, FTH-Grid, AIR-II, AIR, ESFORS, CaberNet, GODC, BROADCAST, CoDiCom, Delta-4, RAPTOR |