Visible to the public Biblio

Found 12055 results

2021-05-13
Jenkins, Ira Ray, Smith, Sean W..  2020.  Distributed IoT Attestation via Blockchain. 2020 20th IEEE/ACM International Symposium on Cluster, Cloud and Internet Computing (CCGRID). :798—801.

We propose a novel attestation architecture for the Internet of Things (IoT). Our distributed attestation network (DAN) utilizes blockchain technology to store and share device information. We present the design of this new attestation architecture as well as a prototype system chosen to emulate an IoT deployment with a network of Raspberry Pi, Infineon TPMs, and a Hyperledger Fabric blockchain.

Sardar, Muhammad Usama, Quoc, Do Le, Fetzer, Christof.  2020.  Towards Formalization of Enhanced Privacy ID (EPID)-based Remote Attestation in Intel SGX. 2020 23rd Euromicro Conference on Digital System Design (DSD). :604—607.

Vulnerabilities in privileged software layers have been exploited with severe consequences. Recently, Trusted Execution Environments (TEEs) based technologies have emerged as a promising approach since they claim strong confidentiality and integrity guarantees regardless of the trustworthiness of the underlying system software. In this paper, we consider one of the most prominent TEE technologies, referred to as Intel Software Guard Extensions (SGX). Despite many formal approaches, there is still a lack of formal proof of some critical processes of Intel SGX, such as remote attestation. To fill this gap, we propose a fully automated, rigorous, and sound formal approach to specify and verify the Enhanced Privacy ID (EPID)-based remote attestation in Intel SGX under the assumption that there are no side-channel attacks and no vulnerabilities inside the enclave. The evaluation indicates that the confidentiality of attestation keys is preserved against a Dolev-Yao adversary in this technology. We also present a few of the many inconsistencies found in the existing literature on Intel SGX attestation during formal specification.

Yu, Chen, Chen, Liquan, Lu, Tianyu.  2020.  A Direct Anonymous Attestation Scheme Based on Mimic Defense Mechanism. 2020 International Conference on Internet of Things and Intelligent Applications (ITIA). :1—5.

Machine-to-Machine (M2M) communication is a essential subset of the Internet of Things (IoT). Secure access to communication network systems by M2M devices requires the support of a secure and efficient anonymous authentication protocol. The Direct Anonymous Attestation (DAA) scheme in Trustworthy Computing is a verified security protocol. However, the existing defense system uses a static architecture. The “mimic defense” strategy is characterized by active defense, which is not effective against continuous detection and attack by the attacker. Therefore, in this paper, we propose a Mimic-DAA scheme that incorporates mimic defense to establish an active defense scheme. Multiple heterogeneous and redundant actuators are used to form a DAA verifier and optimization is scheduled so that the behavior of the DAA verifier unpredictable by analysis. The Mimic-DAA proposed in this paper is capable of forming a security mechanism for active defense. The Mimic-DAA scheme effectively safeguard the unpredictability, anonymity, security and system-wide security of M2M communication networks. In comparison with existing DAA schemes, the scheme proposed in this paper improves the safety while maintaining the computational complexity.

Huo, Dongdong, Wang, Yu, Liu, Chao, Li, Mingxuan, Wang, Yazhe, Xu, Zhen.  2020.  LAPE: A Lightweight Attestation of Program Execution Scheme for Bare-Metal Systems. 2020 IEEE 22nd International Conference on High Performance Computing and Communications; IEEE 18th International Conference on Smart City; IEEE 6th International Conference on Data Science and Systems (HPCC/SmartCity/DSS). :78—86.

Unlike traditional processors, Internet of Things (IoT) devices are short of resources to incorporate mature protections (e.g. MMU, TrustZone) against modern control-flow attacks. Remote (control-flow) attestation is fast becoming a key instrument in securing such devices as it has proven the effectiveness on not only detecting runtime malware infestation of a remote device, but also saving the computing resources by moving the costly verification process away. However, few control-flow attestation schemes have been able to draw on any systematic research into the software specificity of bare-metal systems, which are widely deployed on resource-constrained IoT devices. To our knowledge, the unique design patterns of the system limit implementations of such expositions. In this paper, we present the design and proof-of-concept implementation of LAPE, a lightweight attestation of program execution scheme that enables detecting control-flow attacks for bare-metal systems without requiring hardware modification. With rudimentary memory protection support found in modern IoT-class microcontrollers, LAPE leverages software instrumentation to compartmentalize the firmware functions into several ”attestation compartments”. It then continuously tracks the control-flow events of each compartment and periodically reports them to the verifier. The PoC of the scheme is incorporated into an LLVM-based compiler to generate the LAPE-enabled firmware. By taking experiments with several real-world IoT firmware, the results show both the efficiency and practicality of LAPE.

Ammar, Mahmoud, Crispo, Bruno, Tsudik, Gene.  2020.  SIMPLE: A Remote Attestation Approach for Resource-constrained IoT devices. 2020 ACM/IEEE 11th International Conference on Cyber-Physical Systems (ICCPS). :247—258.

Remote Attestation (RA) is a security service that detects malware presence on remote IoT devices by verifying their software integrity by a trusted party (verifier). There are three main types of RA: software (SW)-, hardware (HW)-, and hybrid (SW/HW)-based. Hybrid techniques obtain secure RA with minimal hardware requirements imposed on the architectures of existing microcontrollers units (MCUs). In recent years, considerable attention has been devoted to hybrid techniques since prior software-based ones lack concrete security guarantees in a remote setting, while hardware-based approaches are too costly for low-end MCUs. However, one key problem is that many already deployed IoT devices neither satisfy minimal hardware requirements nor support hardware modifications, needed for hybrid RA. This paper bridges the gap between software-based and hybrid RA by proposing a novel RA scheme based on software virtualization. In particular, it proposes a new scheme, called SIMPLE, which meets the minimal hardware requirements needed for secure RA via reliable software. SIMPLE depends on a formally-verified software-based memory isolation technique, called Security MicroVisor (Sμ V). Its reliability is achieved by extending the formally-verified safety and correctness properties to cover the entire software architecture of SIMPLE. Furthermore, SIMPLE is used to construct SIMPLE+, an efficient swarm attestation scheme for static and dynamic heterogeneous IoT networks. We implement and evaluate SIMPLE and SIMPLE+ on Atmel AVR architecture, a common MCU platform.

Dave, Avani, Banerjee, Nilanjan, Patel, Chintan.  2020.  SRACARE: Secure Remote Attestation with Code Authentication and Resilience Engine. 2020 IEEE International Conference on Embedded Software and Systems (ICESS). :1—8.

Recent technological advancements have enabled proliferated use of small embedded and IoT devices for collecting, processing, and transferring the security-critical information and user data. This exponential use has acted as a catalyst in the recent growth of sophisticated attacks such as the replay, man-in-the-middle, and malicious code modification to slink, leak, tweak or exploit the security-critical information in malevolent activities. Therefore, secure communication and software state assurance (at run-time and boot-time) of the device has emerged as open security problems. Furthermore, these devices need to have an appropriate recovery mechanism to bring them back to the known-good operational state. Previous researchers have demonstrated independent methods for attack detection and safeguard. However, the majority of them lack in providing onboard system recovery and secure communication techniques. To bridge this gap, this manuscript proposes SRACARE - a framework that utilizes the custom lightweight, secure communication protocol that performs remote/local attestation, and secure boot with an onboard resilience recovery mechanism to protect the devices from the above-mentioned attacks. The prototype employs an efficient lightweight, low-power 32-bit RISC-V processor, secure communication protocol, code authentication, and resilience engine running on the Artix 7 Field Programmable Gate Array (FPGA) board. This work presents the performance evaluation and state-of-the-art comparison results, which shows promising resilience to attacks and demonstrate the novel protection mechanism with onboard recovery. The framework achieves these with only 8% performance overhead and a very small increase in hardware-software footprint.

Suriano, Antonio, Striccoli, Domenico, Piro, Giuseppe, Bolla, Raffele, Boggia, Gennaro.  2020.  Attestation of Trusted and Reliable Service Function Chains in the ETSI-NFV Framework. 2020 6th IEEE Conference on Network Softwarization (NetSoft). :479—486.

The new generation of digital services are natively conceived as an ordered set of Virtual Network Functions, deployed across boundaries and organizations. In this context, security threats, variable network conditions, computational and memory capabilities and software vulnerabilities may significantly weaken the whole service chain, thus making very difficult to combat the newest kinds of attacks. It is thus extremely important to conceive a flexible (and standard-compliant) framework able to attest the trustworthiness and the reliability of each single function of a Service Function Chain. At the time of this writing, and to the best of authors knowledge, the scientific literature addressed all of these problems almost separately. To bridge this gap, this paper proposes a novel methodology, properly tailored within the ETSI-NFV framework. From one side, Software-Defined Controllers continuously monitor the properties and the performance indicators taken from networking domains of each single Virtual Network Function available in the architecture. From another side, a high-level orchestrator combines, on demand, the suitable Virtual Network Functions into a Service Function Chain, based on the user requests, targeted security requirements, and measured reliability levels. The paper concludes by further explaining the functionalities of the proposed architecture through a use case.

Sun, Zhichuang, Feng, Bo, Lu, Long, Jha, Somesh.  2020.  OAT: Attesting Operation Integrity of Embedded Devices. 2020 IEEE Symposium on Security and Privacy (SP). :1433—1449.

Due to the wide adoption of IoT/CPS systems, embedded devices (IoT frontends) become increasingly connected and mission-critical, which in turn has attracted advanced attacks (e.g., control-flow hijacks and data-only attacks). Unfortunately, IoT backends (e.g., remote controllers or in-cloud services) are unable to detect if such attacks have happened while receiving data, service requests, or operation status from IoT devices (remotely deployed embedded devices). As a result, currently, IoT backends are forced to blindly trust the IoT devices that they interact with.To fill this void, we first formulate a new security property for embedded devices, called "Operation Execution Integrity" or OEI. We then design and build a system, OAT, that enables remote OEI attestation for ARM-based bare-metal embedded devices. Our formulation of OEI captures the integrity of both control flow and critical data involved in an operation execution. Therefore, satisfying OEI entails that an operation execution is free of unexpected control and data manipulations, which existing attestation methods cannot check. Our design of OAT strikes a balance between prover's constraints (embedded devices' limited computing power and storage) and verifier's requirements (complete verifiability and forensic assistance). OAT uses a new control-flow measurement scheme, which enables lightweight and space-efficient collection of measurements (97% space reduction from the trace-based approach). OAT performs the remote control-flow verification through abstract execution, which is fast and deterministic. OAT also features lightweight integrity checking for critical data (74% less instrumentation needed than previous work). Our security analysis shows that OAT allows remote verifiers or IoT backends to detect both controlflow hijacks and data-only attacks that affect the execution of operations on IoT devices. In our evaluation using real embedded programs, OAT incurs a runtime overhead of 2.7%.

2021-05-18
Shen, Chao.  2020.  Laser-based high bit-rate visible light communications and underwater optical wireless network. 2020 Photonics North (PN). :1–1.
This talk presents an overview of the latest visible light communication (VLC) and underwater wireless optical communication (UWOC) research and development from the device to the system level. The utilization of laser-based devices and systems for LiFi and underwater Internet of Things (IoT) has been discussed.
Mir, Ayesha Waqar, Maqbool, Khawaja Qasim.  2020.  Robust Visible Light Communication in Intelligent Transportation System. 2020 Fourth World Conference on Smart Trends in Systems, Security and Sustainability (WorldS4). :387–391.
Wireless communication in the field of radio frequency (RF) have modernized our society. People experience persistent connection and high-speed data through wireless technologies like Wi-Fi and LTE while browsing the internet. This causes congestion to network; users make it difficult for everyone to access the internet or to communicate reliably on time. The major issues of RF spectrum are intrusion, high latency and it requires an individual transmitter receiver setup in order to function. Dr. Herald Hass came up with an idea of `data through illumination'. Surmounting the drawbacks of RF spectrum, visible light communication (VLC) is more favored technique. In intelligent transportation system (ITS), this evolving technology of VLC has a strong hold in order to connect vehicle-to-infrastructure (V2I) and vehicle-to-vehicle (V2V) links wirelessly. Indoor VLC applications have been studied deeply while the field of vehicular VLC (V-VLC) networking is relatively a less researched domain because it has greater level of intrusion and additive ambient light noise is higher in outdoor VLC. Other factors due to which the implementation of VLC faces a lot of hurdles are mostly related to environment such as dust, haze, snow, sunlight, rain, fog, smog and atmospheric disturbances. In this paper, we executed a thorough channel modelling in order to study the effects of clear weather, fog, snow and rain quantitatively with respect to different wavelengths in consideration for an ITS. This makes ITS more robust in nature. The parameters under consideration will be signal-to-noise ratio (SNR), bit error rate (BER) and optical power received (OPR) for different LED wavelengths.
Chu, Wen-Yi, Yu, Ting-Guang, Lin, Yu-Kai, Lee, Shao-Chuan, Hsiao, Hsu-Chun.  2020.  On Using Camera-based Visible Light Communication for Security Protocols. 2020 IEEE Security and Privacy Workshops (SPW). :110–117.
In security protocol design, Visible Light Communication (VLC) has often been abstracted as an ideal channel that is resilient to eavesdropping, manipulation, and jamming. Camera Communication (CamCom), a subcategory of VLC, further strengthens the level of security by providing a visually verifiable association between the transmitter and the extracted information. However, the ideal security guarantees of visible light channels may not hold in practice due to limitations and tradeoffs introduced by hardware, software, configuration, environment, etc. This paper presents our experience and lessons learned from implementing CamCom for security protocols. We highlight CamCom's security-enhancing properties and security applications that it enables. Backed by real implementation and experiments, we also systematize the practical considerations of CamCom-based security protocols.
Yesilkaya, Anil, Cogalan, Tezcan, Erkucuk, Serhat, Sadi, Yalcin, Panayirci, Erdal, Haas, Harald, Poor, H. Vincent.  2020.  Physical-Layer Security in Visible Light Communications. 2020 2nd 6G Wireless Summit (6G SUMMIT). :1–5.
Optical wireless communications (OWC) and its potential to solve physical layer security (PLS) issues are becoming important research areas in 6G communications systems. In this paper, an overview of PLS in visible light communications (VLC), is presented. Then, two new PLS techniques based on generalized space shift keying (GSSK) modulation with spatial constellation design (SCD) and non-orthogonal multiple access (NOMA) cooperative relaying are introduced. In the first technique, the PLS of the system is enhanced by the appropriate selection of a precoding matrix for randomly activated light emitting diodes (LEDs). With the aid of a legitimate user's (Bob's) channel state information (CSI) at the transmitter (CSIT), the bit error ratio (BER) of Bob is minimized while the BER performance of the potential eavesdroppers (Eves) is significantly degraded. In the second technique, superposition coding with uniform signaling is used at the transmitter and relays. The design of secure beamforming vectors at the relay nodes along with NOMA techniques is used to enhance PLS in a VLC system. Insights gained from the improved security levels of the proposed techniques are used to discuss how PLS can be further improved in future generation communication systems by using VLC.
Liu, Xiaodong, Chen, Zezong, Wang, Yuhao, Zhou, Fuhui, Ma, Shuai, Hu, Rose Qingyang.  2020.  Secure Beamforming Designs in MISO Visible Light Communication Networks with SLIPT. GLOBECOM 2020 - 2020 IEEE Global Communications Conference. :1–6.
Visible light communication (VLC) is a promising technique in the fifth and beyond wireless communication networks. In this paper, a secure multiple-input single-output VLC network is studied, where simultaneous lightwave information and power transfer (SLIPT) is exploited to support energy-limited devices taking into account a practical non-linear energy harvesting model. Specifically, the optimal beamforming design problems for minimizing transmit power and maximizing the minimum secrecy rate are studied under the imperfect channel state information (CSI). S-Procedure and a bisection search is applied to tackle challenging non-convex problems and to obtain efficient resource allocation algorithm. It is proved that optimal beamforming schemes can be obtained. It is found that there is a non-trivial trade-off between the average harvested power and the minimum secrecy rate. Moreover, we show that the quality of CSI has a significant impact on achievable performance.
Alresheedi, Mohammed T..  2020.  Improving the Confidentiality of VLC Channels: Physical-Layer Security Approaches. 2020 22nd International Conference on Transparent Optical Networks (ICTON). :1–5.
Visible light communication (VLC) is considered as an emerging system for wireless indoor multimedia communications. As any wireless communication system, its channels are open and reachable to both licensed and unlicensed users owing to the broadcast character of visible-light propagation in public areas or multiple-user scenarios. In this work, we consider the physical-layer security approaches for VLC to mitigate this limitation. The physical-layer security approaches can be divided into two categories: keyless security and key-based security approaches. In the last category, recently, the authors introduced physical-layer key-generation approaches for optical orthogonal frequency division multiplexing (OFDM) systems. In these approaches, the cyclic prefix (CP) samples are exploited for key generation. In this paper, we study the effect of the length of key space and order of modulation on the security level, BER performance, and key-disagreement-rate (KDR) of the introduced key-based security approaches. From the results, our approaches are more efficient in higher order of modulation as the KDR decreases with the increase of order of modulation.
Soderi, Simone.  2020.  Enhancing Security in 6G Visible Light Communications. 2020 2nd 6G Wireless Summit (6G SUMMIT). :1–5.
This paper considers improving the confidentiality of the next generation of wireless communications by using the watermark-based blind physical layer security (WBPLSec) in Visible Light Communications (VLCs). Since the growth of wireless applications and service, the demand for a secure and fast data transfer connection requires new technology solutions capable to ensure the best countermeasure against security attacks. VLC is one of the most promising new wireless communication technology, due to the possibility of using environmental artificial lights as data transfer channel in free-space. On the other hand, VLCs are even inherently susceptible to eavesdropping attacks. This work proposes an innovative scheme in which red, green, blue (RGB) light-emitting-diodes (LEDs) and three color-tuned photo-diodes (PDs) are used to secure a VLC by using a jamming receiver in conjunction with the spread spectrum watermarking technique. To the best of the author's knowledge, this is the first work that deals with physical layer security on VLC by using RGB LEDs.
Sun, Yu, Zhao, Xiang.  2020.  On the Secrecy Performance of Random Mobile User in Visible Light Communication Systems. 2020 12th International Conference on Communication Software and Networks (ICCSN). :172–177.
For most of the current research on physical-layer security in indoor visible light communication (VLC) systems, a static communication environment was mainly considered, where secure communication about static users was investigated. However, much secure problems remain to be settled about mobile users. To improve the secrecy performance of mobile users, a two-dimensional circular optical atto-cell with security protected zone is considered. The proposed VLC systems include a LED transmitter Alice, a mobile user Bob and a passive eavesdropper Eve. A typical random waypoint model (RWP) being assumed, the secrecy outage probability (SOP) and secrecy throughput (ST) have been investigated for mobile users in VLC systems. The theoretical analysis results have been verified through Monte Carlo simulations. The simulation results show that the secrecy performance of mobile users in VLC can be improved by enlarging the radius of protected zone, and it also depends on the target secrecy rate and the LEDs' configuration.
Cho, Sunghwan, Chen, Gaojie, Coon, Justin P..  2020.  Enhancing Security in VLC Systems Through Beamforming. GLOBECOM 2020 - 2020 IEEE Global Communications Conference. :1–6.
This paper proposes a novel zero-forcing (ZF) beamforming strategy that can simultaneously cope with active and passive eavesdroppers (EDs) in visible light communication systems. A related optimization problem is formulated to maximize the signal-to-noise ratio (SNR) of the legitimate user (UE) while suppressing the SNR of active ED to zero and constraining the average SNR of passive EDs. The proposed beamforming directs the transmission along a particular eigenmode related to the null space of the active ED channel and the intensity of the passive ED point process. An inverse free preconditioned Krylov subspace projection method is used to find the eigenmode. The numerical results show that the proposed ZF beamforming scheme yields better performance relative to a traditional ZF beamforming scheme in the sense of increasing the SNR of the UE and reducing the secrecy outage probability.
Morapitiya, Sumali S., Furqan Ali, Mohammad, Rajkumar, Samikkannu, Wijayasekara, Sanika K., Jayakody, Dushantha Nalin K., Weerasuriya, R.U..  2020.  A SLIPT-assisted Visible Light Communication Scheme. 2020 16th International Conference on Distributed Computing in Sensor Systems (DCOSS). :368–375.
Simultaneous Wireless Information and Power Transfer (SWIPT) technique is introduced in Radio Frequency (RF) communication to carry both information and power in same medium. In this approach, the energy can be harvested while decoding the information carries in an RF wave. Recently, the same concept applied in Visible Light Communication (VLC) namely Simultaneous Light Wave Information and Power Transfer (SLIPT), which is highly recommended in an indoor applications to overcome the problem facing in RF communication. Thus, SLIPT is introduced to transmit the power through a Light Emitting Diode (LED) luminaries. In this work, we compare both SWIPT and SLIPT technologies and realize SLIPT technology archives increased performance in terms of the amount of harvested energy, outage probability and error rate performance.
Zhang, Chi, Chen, Jinfu, Cai, Saihua, Liu, Bo, Wu, Yiming, Geng, Ye.  2020.  iTES: Integrated Testing and Evaluation System for Software Vulnerability Detection Methods. 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). :1455–1460.
To find software vulnerabilities using software vulnerability detection technology is an important way to ensure the system security. Existing software vulnerability detection methods have some limitations as they can only play a certain role in some specific situations. To accurately analyze and evaluate the existing vulnerability detection methods, an integrated testing and evaluation system (iTES) is designed and implemented in this paper. The main functions of the iTES are:(1) Vulnerability cases with source codes covering common vulnerability types are collected automatically to form a vulnerability cases library; (2) Fourteen methods including static and dynamic vulnerability detection are evaluated in iTES, involving the Windows and Linux platforms; (3) Furthermore, a set of evaluation metrics is designed, including accuracy, false positive rate, utilization efficiency, time cost and resource cost. The final evaluation and test results of iTES have a good guiding significance for the selection of appropriate software vulnerability detection methods or tools according to the actual situation in practice.
Ogawa, Yuji, Kimura, Tomotaka, Cheng, Jun.  2020.  Vulnerability Assessment for Machine Learning Based Network Anomaly Detection System. 2020 IEEE International Conference on Consumer Electronics - Taiwan (ICCE-Taiwan). :1–2.
In this paper, we assess the vulnerability of network anomaly detection systems that use machine learning methods. Although the performance of these network anomaly detection systems is high in comparison to that of existing methods without machine learning methods, the use of machine learning methods for detecting vulnerabilities is a growing concern among researchers of image processing. If the vulnerabilities of machine learning used in the network anomaly detection method are exploited by attackers, large security threats are likely to emerge in the near future. Therefore, in this paper we clarify how vulnerability detection of machine learning network anomaly detection methods affects their performance.
Zheng, Wei, Gao, Jialiang, Wu, Xiaoxue, Xun, Yuxing, Liu, Guoliang, Chen, Xiang.  2020.  An Empirical Study of High-Impact Factors for Machine Learning-Based Vulnerability Detection. 2020 IEEE 2nd International Workshop on Intelligent Bug Fixing (IBF). :26–34.
Ahstract-Vulnerability detection is an important topic of software engineering. To improve the effectiveness and efficiency of vulnerability detection, many traditional machine learning-based and deep learning-based vulnerability detection methods have been proposed. However, the impact of different factors on vulnerability detection is unknown. For example, classification models and vectorization methods can directly affect the detection results and code replacement can affect the features of vulnerability detection. We conduct a comparative study to evaluate the impact of different classification algorithms, vectorization methods and user-defined variables and functions name replacement. In this paper, we collected three different vulnerability code datasets. These datasets correspond to different types of vulnerabilities and have different proportions of source code. Besides, we extract and analyze the features of vulnerability code datasets to explain some experimental results. Our findings from the experimental results can be summarized as follows: (i) the performance of using deep learning is better than using traditional machine learning and BLSTM can achieve the best performance. (ii) CountVectorizer can improve the performance of traditional machine learning. (iii) Different vulnerability types and different code sources will generate different features. We use the Random Forest algorithm to generate the features of vulnerability code datasets. These generated features include system-related functions, syntax keywords, and user-defined names. (iv) Datasets without user-defined variables and functions name replacement will achieve better vulnerability detection results.
Li, Zesong, Yang, Hui, Ge, Junwei, Yu, Qinyong.  2020.  Research on Dynamic Detection Method of Buffer Overflow Vulnerabilities Based on Complete Boundary Test. 2020 IEEE 6th International Conference on Computer and Communications (ICCC). :2246–2250.
At present, when the device management application programs the devices (such as mobile terminals, Internet of things terminals and devices, etc.), buffer overflow will inevitably occur due to the defects of filter input condition setting, variable type conversion error, logical judgment error, pointer reference error and so on. For this kind of software and its running environment, it is difficult to reduce the false positive rate and false negative rate with traditional static detection method for buffer overflow vulnerability, while the coverage rate of dynamic detection method is still insufficient and it is difficult to achieve full automation. In view of this, this paper proposes an automatic dynamic detection method based on boundary testing, which has complete test data set and full coverage of defects. With this method, the input test points of the software system under test are automatically traversed, and each input test point is analyzed automatically to generate complete test data; driven by the above complete test data, the software under test runs automatically, in which the embedded dynamic detection code automatically judges the conditions of overflow occurrence, and returns the overflow information including the location of the error code before the overflow really occurs. Because the overflow can be located accurately without real overflow occurrence, this method can ensure the normal detection of the next input test point, thus ensuring the continuity of the whole automatic detection process and the full coverage of buffer overflow detection. The test results show that all the indexes meet the requirements of the method and design.
Fidalgo, Ana, Medeiros, Ibéria, Antunes, Paulo, Neves, Nuno.  2020.  Towards a Deep Learning Model for Vulnerability Detection on Web Application Variants. 2020 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW). :465–476.
Reported vulnerabilities have grown significantly over the recent years, with SQL injection (SQLi) being one of the most prominent, especially in web applications. For these, such increase can be explained by the integration of multiple software parts (e.g., various plugins and modules), often developed by different organizations, composing thus web application variants. Machine Learning has the potential to be a great ally on finding vulnerabilities, aiding experts by reducing the search space or even by classifying programs on their own. However, previous work usually does not consider SQLi or utilizes techniques hard to scale. Moreover, there is a clear gap in vulnerability detection with machine learning for PHP, the most popular server-side language for web applications. This paper presents a Deep Learning model able to classify PHP slices as vulnerable (or not) to SQLi. As slices can belong to any variant, we propose the use of an intermediate language to represent the slices and interpret them as text, resorting to well-studied Natural Language Processing (NLP) techniques. Preliminary results of the use of the model show that it can discover SQLi, helping programmers and precluding attacks that would eventually cost a lot to repair.
Iorga, Denis, Corlătescu, Dragos, Grigorescu, Octavian, Săndescu, Cristian, Dascălu, Mihai, Rughiniş, Razvan.  2020.  Early Detection of Vulnerabilities from News Websites using Machine Learning Models. 2020 19th RoEduNet Conference: Networking in Education and Research (RoEduNet). :1–6.
The drawbacks of traditional methods of cybernetic vulnerability detection relate to the required time to identify new threats, to register them in the Common Vulnerabilities and Exposures (CVE) records, and to score them with the Common Vulnerabilities Scoring System (CVSS). These problems can be mitigated by early vulnerability detection systems relying on social media and open-source data. This paper presents a model that aims to identify emerging cybernetic vulnerabilities in cybersecurity news articles, as part of a system for automatic detection of early cybernetic threats using Open Source Intelligence (OSINT). Three machine learning models were trained on a novel dataset of 1000 labeled news articles to create a strong baseline for classifying cybersecurity articles as relevant (i.e., introducing new security threats), or irrelevant: Support Vector Machines, a Multinomial Naïve Bayes classifier, and a finetuned BERT model. The BERT model obtained the best performance with a mean accuracy of 88.45% on the test dataset. Our experiments support the conclusion that Natural Language Processing (NLP) models are an appropriate choice for early vulnerability detection systems in order to extract relevant information from cybersecurity news articles.
Sinhabahu, Nadun, Wimalaratne, Prasad, Wijesiriwardana, Chaman.  2020.  Secure Codecity with Evolution: Visualizing Security Vulnerability Evolution of Software Systems. 2020 20th International Conference on Advances in ICT for Emerging Regions (ICTer). :1–2.
The analysis of large-scale software and finding security vulnerabilities while its evolving is difficult without using supplementary tools, because of the size and complexity of today's systems. However just by looking at a report, doesn't transmit the overall picture of the system in terms of security vulnerabilities and its evolution throughout the project lifecycle. Software visualization is a program comprehension technique used in the context of the present and explores large amounts of information precisely. For the analysis of security vulnerabilities of complex software systems, Secure Codecity with Evolution is an interactive 3D visualization tool that can be utilized. Its studies techniques and methods are used for graphically illustrating security aspects and the evolution of software. The Main goal of the proposed Framework defined as uplift, simplify, and clarify the mental representation that a software engineer has of a software system and its evolution in terms of its security. Static code was visualised based on a city metaphor, which represents classes as buildings and packages as districts of a city. Identified Vulnerabilities were represented in a different color according to the severity. To visualize a number of different aspects, A large variety of options were given. Users can evaluate the evolution of the security vulnerabilities of a system on several versions using Matrices provided which will help users go get an overall understanding about security vulnerabilities varies with different versions of software. This framework was implemented using SonarQube for software vulnerability detection and ThreeJs for implementing the City Metaphor. The evaluation results evidently show that our framework surpasses the existing tools in terms of accuracy, efficiency and usability.