Vulnerability Assessment in Software

Funder: CSIRO Research Office

Collaborators: Elisa Bertino (Purdue University), Robert H. Deng (Singapore Management University), David Lo (Singapore Management University), Juanru Li (Shanghai Jiao Tong University), Kangjie Lu (University of Minnesota Twin Cities), Sanjay Jha (University of New South Wales), Diet Ostry (CSIRO)

Description:

Software is developed to fulfill daily needs such as sending emails or contacting friends. However, without cybersecurity knowledge, developers might design and implement vulnerable software. Suppose that a developer intends to implement an authentication module for identity verification; such a module might become vulnerable to replay attacks if it accepts every connection. To help developers design and implement software correctly and securely, we have proposed several automated tools targeting various vulnerabilities. Considering the most popular software platforms, i.e., mobile systems (e.g., Android and iOS), IoT systems, and blockchain, we analyze the corresponding software, i.e., mobile apps, IoT firmware and SDKs, and smart contracts, and identify vulnerabilities in their system designs and practical implementations. Afterwards, we create automated repair tools to help repair the vulnerabilities. As most software is not open-source, we obtain its binary code or source code by applying reverse engineering techniques such as decompilation and disassembly. Considering the authentication protocols implemented in mobile apps and IoT devices, we observed that identity verification is not correctly implemented, leaving it vulnerable to various attacks (e.g., man-in-the-middle attacks); thus, we exploit these vulnerabilities and report them to the corresponding manufacturers for fixing. We also explored smart contracts and found three types of vulnerabilities that might cause severe consequences. An automated repair tool is designed to help developers fix those vulnerabilities.

Publications:

  • Yuyao Zhang, Siqi Ma, Juanru Li, Kailai Li, Surya Nepal, Dawu Gu. SmartShield: Automatic Smart Contract Protection Made Easy. In the proceedings of the 27th IEEE International Conference on Software Analysis, Evolution and Reengineering, 2020.
  • Long Mai, Yuan Yan, Songlin Jia, Shuran Wang, Jianqiang Wang, Juanru Li, Siqi Ma, Dawu Gu. Accelerating SM2 Digital Signature Algorithm using Modern Processor Features. In the proceedings of the 21st International Conference on Information and Communications Security, 2019.
  • Siqi Ma, Runhan Feng, Juanru Li, Surya Nepal, Diethelm Ostry, Yang Liu, Elisa Bertino, Robert Deng, Sanjay Jha, Zhou Ma. An Empirical Study of the SMS One-Time Password Authentication in Android Apps. In the proceedings of the 2019 Annual Computer Security Applications Conference.
  • Siqi Ma, Elisa Bertino, Robert Deng, Juanru Li, Diet Ostry, Surya Nepal, Sanjay Jha. Finding Flaws from Password Authentication Code in Android Apps. In the proceedings of the 24th European Symposium on Research in Computer Security, 2019.
  • Jianqiang Wang, Siqi Ma, Yuanyuan Zhang, Zheyu Ma, Long Mai, Tiancheng Chen, Juanru Li, Dawu Gu. NLP-EYE: Detecting Memory Corruptions via Semantic-Aware Memory Operation Function Identification. In the proceedings of the 22nd International Symposium on Research in Attacks, Intrusions and Defenses, 2019.