ISBN (print): 9798350339451
Timing attacks are considered one of the most damaging side-channel attacks. These attacks exploit timing fluctuations caused by certain operations to disclose confidential information to an attacker. For instance, in asymmetric encryption, operations such as multiplication and division can cause time-varying execution times that can be exploited to obtain an encryption key. Whilst several efforts have been devoted to exploring the various aspects of timing attacks, particularly in cryptography, little attention has been paid to empirically studying the timing attack-related vulnerabilities in non-cryptographic software. By inspecting these software vulnerabilities, this study aims to gain an evidence-based understanding of weaknesses in non-cryptographic software that may help timing attacks succeed. We used qualitative and quantitative research approaches to systematically study the timing attack-related vulnerabilities reported in the National Vulnerability Database (NVD) from March 2003 to December 2022. Our analysis was focused on the modifications made to the code for patching the identified vulnerabilities. We found that a majority of the timing attack-related vulnerabilities were introduced due to not following known secure coding practices. The findings of this study are expected to help the software security community gain evidence-based information about the nature and causes of the vulnerabilities related to timing attacks.
ISBN (print): 9783031459320; 9783031459337
Security tools like Firewalls, IDS, IPS, SIEM, EDR, and NDR effectively detect and block threats. However, these tools depend on the system, application, and event logs. Logs are the key ingredient for various purposes, including troubleshooting performance issues, satisfying compliance mandates, and monitoring and improving security. In addition, logs from multiple machines are collected and fed to the Security Information and Event Management (SIEM) system for further security analysis. Therefore, a SIEM system's efficiency and effectiveness depend heavily on the quality and quantity of logs provided. Unfortunately, logs are often targeted and tampered with after a successful intrusion to cover the attack's traces. Thus, it becomes critical to protect the confidentiality, integrity, availability, and authenticity of logs at rest or in transit. This paper proposes a novel scheme to prevent log tampering, detect any tampering, and recover logs if lost or corrupt. Our scheme is forward-secure, replicated, randomized, and rate-less, aiming to help securely store and transmit logs to SIEM.
ISBN (digital): 9789811904684
ISBN (print): 9789811904684; 9789811904677
As cloud deployments are becoming ubiquitous, the rapid adoption of this new paradigm may potentially bring additional cyber security issues. It is crucial that practitioners and researchers pose questions about the current state of cloud deployment security. By better understanding existing vulnerabilities, progress towards a more secure cloud can be accelerated. This is of paramount importance especially with more and more critical infrastructures moving to the cloud, where the consequences of a security incident can be significantly broader. This study presents a data-centric approach to security research: by using three static code analysis tools and scraping the internet for publicly available codebases, a footprint of the current state of open-source infrastructure-as-code repositories can be achieved. Out of the scraped 44485 repository links, the study is concentrated on 8256 repositories from the same cloud provider, across which 292538 security violations have been collected. Our contributions consist of: an understanding of existing security vulnerabilities of cloud deployments, contributing a list of Top Guidelines for practitioners to follow to securely deploy systems in the cloud, and providing the raw data for further studies.
ISBN (print): 9781665489089
Over the last decade, there has been an increase in the number of attacks on web applications. The proliferation of these attacks is partially a result of increased adoption of IT systems in organisations and the increasing role digital technologies play in our lives. The success of an attack relies upon the existence of vulnerabilities in the code base, and there is consensus within the literature that many of these vulnerabilities can be avoided through developers adopting secure code practices and standards, which are often not formally taught. Whilst gamification has been shown to be an effective educational tool in fields such as health, education and security awareness, there is a scarcity of research regarding the application of gamification in the context of secure code practices. This paper evaluates the efficacy of a bespoke gamified application in creating awareness and fostering an understanding of the threats and secure coding practices. The application presented in this work focuses on JavaScript with the aim of reducing the number of vulnerabilities in web applications. The analysis is conducted using first- and second-year undergraduate participants, who are viewed as the primary target for this software. As part of a participant study involving the application, it was found that gamification elements were effective in increasing user engagement. Initial findings suggest potential for the integration of secure-code gamification in traditional pedagogical methods, but further investigation is required to strengthen this claim.
We present a first evaluation of a Serious Slow Game Jam (SSGJ) methodology as a mechanism for co-designing serious games in the application domain of cybersecurity to assess how the SSGJ contributed to improving the understanding of cybersecurity. To this end, we engaged 13 participants with no experience in cybersecurity in a multidisciplinary SSGJ involving domain-specific, pedagogical and game design knowledge and encouraged engagement in between scheduled days of the SSGJ. Findings show improved confidence of participants in their knowledge of cybersecurity (from 12.5% to 62.5%) after undertaking the SSGJ, with free-text answers specifically indicating an improved understanding in terms of vulnerabilities, attacks and defences for three-quarters of the participants. Also, confidence in knowledge of game design improved (12.5% to 75%), and the SSGJ successfully engaged participants in between scheduled days. Finally, a serious game is presented that was co-designed with participants during our SSGJ and produced as an output of the SSGJ methodology.
ISBN (digital): 9781665462440
ISBN (print): 9781665462440
This Full paper in the Innovative Practice Category describes a novel research study that is based upon an experimental scaffolding of live coding techniques used towards teaching a traditional face-to-face undergraduate computer programming class. It discusses our hybrid pedagogical model, which comprises a scaffolded collection of our class instructional methods that include a blend of live coding-based teaching strategies and traditional lectures. Our combination of live coding styles, as used in this study, consists of the standard live coding technique and our live secure coding demonstrations, which lead to a uniquely blended and integrated live coding approach for teaching coding along with software security concepts. To our knowledge, this is a new research study based upon a hybrid, integrated live coding approach that represents a scaffolding of distinct teaching styles, which combines coding instruction with the teaching of secure coding components. We demonstrate an improvised teaching model that enhances the classical live coding pedagogy by adding the live secure coding components, which holistically represent a new variant in a traditional undergraduate coding class, for an engaged and enhanced learning experience. Existing literature indicates that there is a limited number of prior educational research studies on the usage of a hybrid, non-traditional live secure coding approach blended with the traditional live coding style. Thus, this paper discusses a fresh teaching strategy that involves new variants of the standard live coding instructional method and forms a hybrid pedagogical model for a more effective and relatable learning of coding skills. We discuss the results of our experimental study in the form of data obtained over a couple of semesters from an upper-level undergraduate coding class through learning assessments and collected survey data on learner experiences. We have analyzed the overall gathered learner data to evaluate the performanc
ISBN (print): 9781450396707
In this paper, we analyze mistakes that web developers can make when using the Web Cryptography API. We evaluate the impact of the uncovered mistakes and discuss how they can be prevented. Furthermore, we derive best practices from these mistakes to provide guidance to developers. To assess the relevance of the Web Cryptography API, we empirically evaluate how prevalently it is used by popular web applications on the Internet and in GitHub repositories, finding that only a small proportion of web applications use it. The most widely used operation by far is the generation of cryptographically secure random values, which was not possible in browser-based JavaScript prior to the Web Cryptography API.
ISBN (print): 9781450326056
The CS 2013 curriculum includes Information Assurance and Security as a pervasive knowledge area. However, introducing security in lower-level courses is challenging because of a lack of appropriate teaching resources and training. This workshop will provide a well-tested strategy for introducing secure coding concepts in CS0, CS1, and CS2. We will introduce attendees to secure coding through hands-on exercises, and provide self-contained, lab-based modules designed to be injected into CS0-CS2 with minimal impact on the course (***/securityinjections). Participants will be encouraged to bring in their own syllabus and labs to modify to include secure coding concepts. The first 15 participants will be reimbursed for the workshop cost on attendance. Laptop recommended.
ISBN (print): 9781450330497
Secure application development is becoming even more critical as the impact of insecure code becomes deeper and more pervasive in our personal and professional lives. The approach described in this paper seeks to motivate computer science students to write secure code almost from the very beginning by focusing on concrete examples of common software vulnerabilities in the second freshman-level programming course. Sample exercises and assignments are given as examples that can be reused in similar courses. While long-term data collection is still ongoing, initial results are promising enough that the method is presented here in detail to support university faculty interested in incorporating lessons and real-world examples in secure app development in their programming courses at any level.
ISBN (print): 9781450390514
Improper deployment of software can have serious consequences, ranging from simple downtime to permanent data loss and data breaches. Infrastructure as Code tools serve to streamline delivery by promising consistency and speed, abstracting away the underlying actions. However, this simplicity may distract from architectural or configuration faults, potentially compromising the secure development lifecycle. One way to address this issue involves awareness training. Sifu is a platform that provides education on security through serious games, developed in the industry, for the industry. The presented work extends the Sifu platform with challenges addressing Terraform-aided cloud deployment on Amazon Web Services. This paper proposes an evaluation pipeline behind the challenges, and provides details of the vulnerability detection and feedback mechanisms, as well as a novel technique for detecting undesired differences between a given architecture and a target result. Furthermore, this paper quantifies the challenges' perceived usefulness and impact by evaluating the challenges among a total of twelve participants. Our preliminary results show that the challenges are suitable for education and the industry, with potential usage in internal training. A key finding is that, although the participants understand the importance of secure coding, their answers indicate that universities leave them unprepared in this area. Finally, our results are compared with related industry works to extract and provide good practices and advice for practitioners.