QRCloud: Android Vulnerability Query and Push Services Based on QR Code in Cloud Computing
Journal of Computational Information Systems 11: 11 (2015)

Jingzheng WU 1,2, Yanjun WU 1,2, Mutian YANG 1, Zhifei WU 1, Tianyue LUO 1, Yongji WANG 1,2
1 Institute of Software, Chinese Academy of Sciences, Beijing, China
2 State Key Laboratory of Computer Sciences, Beijing, China

Abstract

Its market share makes Android a prime target for attacks that exploit vulnerabilities. However, because vulnerabilities are complex and specialized, few users can relate a published vulnerability to their own phone. In this paper we propose QRCloud, a private cloud that provides Android vulnerability query and push services based on QR codes. We first build an Android vulnerability database from the public repositories and from our own vulnerability detection, and automatically generate a QR code for each entry. An Android application then scans a QR code to query whether the phone is affected. In addition, identity information about the phone and its applications is sent to the cloud, and tips for the matching vulnerabilities are pushed back to the application. Finally, the vulnerabilities are fixed by following the patches, update suggestions or URLs packed into the pushed tips. Experiments show that users can conveniently query Android vulnerabilities and receive pushed information. With a small extension, other smartphone operating systems could be served by the same cloud.

Keywords: Android Vulnerability; Cloud Computing; QR Code; Query; Push

1 Introduction

Android is the most widely used mobile operating system, present in daily life, work, learning, communication and entertainment. That market share, however, also makes Android a prime target for attacks that exploit vulnerabilities [1, 2].
An Android vulnerability is a flaw or weakness in system security procedures, design, implementation or internal controls that can be exploited by one or more threats. Exploits typically aim at privacy violation, sniffing, denial of service and overbilling. Android vulnerabilities are recorded in public repositories and fall into a small set of categories: buffer overflows, unvalidated input, race conditions, access-control problems, weaknesses in authentication, authorization or cryptographic practices, and so on. Unfortunately, because of their complexity and specialization, only a few users can relate these vulnerabilities to their own smartphones.

In this paper we build a private cloud that provides Android vulnerability query and push services based on QR codes (Quick Response codes). The contributions of this paper are as follows:

Complete vulnerabilities. The Android vulnerability database in QRCloud is built from both the public repositories and our own detection results, and each entry carries patch information, an update suggestion and a detailed description.

Query and push services. Whether an Android phone is affected can be queried by scanning the QR code of a vulnerability, and the relevant vulnerabilities can be pushed back to the phone as a customized service.

Scalability. Vulnerability storage and the query and push processes run in the cloud, where computing resources can be rescheduled in real time as needed.

Project supported by the National Natural Science Foundation of China. Corresponding author: jingzheng08@iscas.ac.cn (Jingzheng WU). Copyright 2015 Binary Information Press. DOI: /jcis14033. June 1, 2015.

2 Background

Android is an operating system designed for smartphones that provides the execution environment for mobile applications. It consists of the Linux kernel, native libraries, the Android runtime, the application framework and the applications. The customized embedded Linux system drives the phone hardware, and the native libraries provide APIs to the application framework. Each application runs in its own sandbox (a distinct Linux user ID) and executes in its own Dalvik virtual machine instance [3]. Android's basic security mechanisms are the permission model and the sandbox, but incorrect permissions and privileges can lead to vulnerabilities and privacy leaks [2, 4]. PScout extracts the permission specification from the Android source code by static analysis and determines whether permissions are redundant [5].
Stowaway detects over-privilege in applications by mapping the APIs they call to the permissions those APIs require [6]. DroidChecker searches for capability-leak vulnerabilities by control-flow-graph search and static taint checking to find exploitable data paths inside an Android application [7].

2.1 Vulnerabilities of Android

Although the sandbox separates applications from one another, Android is not immune to attacks that exploit vulnerabilities. A vulnerability is a flaw or weakness in system security procedures, design, implementation or internal controls that can be exploited by one or more threats; a successful exploit breaches the system's security policy and causes information leakage or economic loss. Android is as exposed as traditional computers to viruses, worms, Trojans, rootkits and botnets. Some vulnerabilities are exploited by malware to collect confidential data stealthily, to send large numbers of malicious SMS messages, or to deny application and network services. By December, 272 Android vulnerabilities had been recorded in the NVD (National Vulnerability Database); the yearly counts were 2, 10, 20, 60 and 180, rising sharply year by year [8].
2.2 Vulnerability detection

Most prior work on Android vulnerability detection has focused on the application layer, using static and dynamic methods [9, 10]. For example, CHEX is a static analysis method that automatically vets Android applications for component hijacking vulnerabilities [11]. CHEX detects possible hijack-enabling flows by running reachability tests on system dependence graphs built from a data-flow view of the vulnerabilities; it found 254 potential component hijacking vulnerabilities in 5,486 real Android applications. RiskRanker is a proactive scheme for spotting zero-day Android malware by assessing potential security risks and analyzing whether a particular application exhibits dangerous behavior [12].

Although many static and dynamic analysis methods have been proposed, vulnerability detection remains a difficult task. Static analysis detects vulnerabilities by evaluating source code without executing it [13, 14]. Several static methods have been implemented as automated tools such as Flawfinder [15], ITS4 [16] and Checkmarx, which detect vulnerability categories including buffer overflow, cross-site scripting and SQL injection. However, static analysis tools produce numerous false positives: reported vulnerabilities that do not really exist. To identify the real ones, the output has to be audited manually, which is time consuming and knowledge intensive. Dynamic analysis, by contrast, detects vulnerabilities by observing the behavior of the software as it executes [17]. When the program under test runs under a particular configuration and environment, some of its code is never covered.
Dynamic analysis is therefore susceptible to false negatives: real vulnerabilities in uncovered code are missed. Its results have a low false-positive rate, and each finding is a potential vulnerability that deserves further analysis. Static and dynamic analysis thus compensate for each other's weaknesses. If the static findings are exercised by dynamic analysis, some vulnerabilities will manifest at run time, but a single execution may not trigger them because of inadequate coverage. The ideal scheme enlarges the set of test cases for a given suspicious code slice and runs all of them to trigger the vulnerability.

3 Design of QRCloud

QRCloud is a cloud-computing-based architecture designed to serve vulnerability queries and pushes. Its design addresses three challenges: a complete vulnerability database, customized services, and scalability.

3.1 Overview of QRCloud

Fig. 1 shows the overview of QRCloud, which has two parts: the Android vulnerability database in the cloud and the Android application on the smartphone. In the cloud part, QRCloud first initializes the database with public data from the NVD (National Vulnerability Database) [18], CVE (Common Vulnerabilities and Exposures) and CNNVD (China National Vulnerability Database of Information Security). The Android system is then analyzed statically, dynamically and by fuzzing, and the confirmed findings are added to the database. In the smartphone part, the QRCloud application scans the QR code of a vulnerability, which tells whether the phone is affected. If an Android phone has registered with QRCloud, information about the relevant vulnerabilities is pushed to it promptly. The user then browses the pushed details and decides whether to adopt the recommended fixes.

Fig. 1: High-level overview of QRCloud

3.2 Android vulnerability database in QRCloud

Each vulnerability collected from the public repositories carries the properties name, number, description, threat level, type, affected version, patch information, detail URL, fix methods, and so on. In addition, QRCloud applies vulnerability detection of its own. Static analysis tools such as Flawfinder, ITS4, RATS, Checkmarx and Canalyze are used to detect buffer overflow, cross-site scripting and SQL injection; dynamic analysis tools such as Kmemcheck, Kmemleak and Valgrind monitor execution in real time and catch exceptions and crashes; fuzzing automatically feeds invalid, unexpected or random input to applications to trigger vulnerabilities. Once all these vulnerabilities are stored in the database, a QR code is generated for each entry and displayed on a web page.

A QR code is a type of matrix barcode; the largest symbol holds at most 4,296 characters in alphanumeric mode. (Alphanumeric mode covers only digits, upper-case letters and a few punctuation marks; a payload containing lower-case letters, as most URLs do, must use byte mode, where the same symbol holds at most 2,953 bytes.) Because of this space limit, only the vulnerability name, affected version, patch information, detail URL and fix-method URL are encoded into the QR code, with $\phi$ as the field delimiter:

$$QR_{vul} = \mathrm{encode}(\phi\,\mathrm{name}\,\phi\,\mathrm{version}\,\phi\,\mathrm{patch}\,\phi\,\mathrm{detail}\,\phi\,\mathrm{fix}\,\phi)$$

where the resulting vulnerability QR code $QR_{vul}$ is a two-dimensional digital image.
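The encoding and capacity rules above, together with the query-side decode and match of Section 3.3, as an added example in Python; this is not the paper's code. The delimiter `|` (standing in for φ), the `VulnRecord` field layout, the operator host `qrcloud.example` and the sample record are assumptions; the capacity constants are those of the largest QR symbol (version 40, error-correction level L). Because anyone can print a QR code, the decoder treats the scanned payload as untrusted input, checks framing and field count, and only accepts detail and fix URLs that point over HTTPS at the assumed operator host.

```python
"""QRCloud-style payload: encode a vulnerability record into the text a QR code
carries, check it against QR capacity, and decode/match it on the phone.
Added example; delimiter, field layout and host name are assumptions."""
import re
from dataclasses import dataclass

# Capacity of the largest QR symbol (version 40) at error-correction level L.
ALNUM_CAPACITY = 4296   # characters, alphanumeric mode
BYTE_CAPACITY = 2953    # bytes, byte mode
# Alphanumeric mode only knows these 45 characters; anything else forces byte mode.
ALNUM_CHARS = set("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:")

DELIM = "|"                       # stands in for the paper's phi delimiter (assumption)
FIELDS = ("name", "version", "patch", "detail", "fix")
ALLOWED_HOST = "qrcloud.example"  # hypothetical host run by the QRCloud operator


@dataclass(frozen=True)
class VulnRecord:
    name: str      # affected package or system component
    version: str   # affected version string
    patch: str     # patch identifier
    detail: str    # URL with the full description
    fix: str       # URL with the fix method


def qr_mode(payload: str) -> str:
    """Cheapest QR encoding mode able to carry the payload."""
    return "alphanumeric" if set(payload) <= ALNUM_CHARS else "byte"


def fits_in_qr(payload: str) -> bool:
    """True if a single (version 40-L) QR symbol can hold the payload."""
    if qr_mode(payload) == "alphanumeric":
        return len(payload) <= ALNUM_CAPACITY
    return len(payload.encode("utf-8")) <= BYTE_CAPACITY


def encode(rec: VulnRecord) -> str:
    """QR_vul = encode(phi name phi version phi patch phi detail phi fix phi)."""
    values = [rec.name, rec.version, rec.patch, rec.detail, rec.fix]
    if any(DELIM in v for v in values):
        raise ValueError("field contains the delimiter")
    payload = DELIM + DELIM.join(values) + DELIM
    if not fits_in_qr(payload):
        raise ValueError("payload exceeds QR capacity")
    return payload


def _trusted_url(url: str) -> bool:
    # HTTPS and exactly the operator's host; a URL from a forged QR code is rejected.
    return re.fullmatch(r"https://" + re.escape(ALLOWED_HOST) + r"(/\S*)?", url) is not None


def decode(payload: str) -> VulnRecord:
    """Parse a scanned payload, treating it as untrusted input."""
    if not (payload.startswith(DELIM) and payload.endswith(DELIM)):
        raise ValueError("bad framing")
    parts = payload[1:-1].split(DELIM)
    if len(parts) != len(FIELDS):
        raise ValueError("wrong field count")
    rec = VulnRecord(*parts)
    if not rec.name or not rec.version:
        raise ValueError("empty name or version")
    if not (_trusted_url(rec.detail) and _trusted_url(rec.fix)):
        raise ValueError("untrusted URL in QR code")
    return rec


def match(rec: VulnRecord, system: tuple, apps: list) -> bool:
    """res = match(decode(QR_vul), (system, app)): exact affected-version match
    against the phone's system component and installed apps ((name, version) pairs)."""
    installed = dict([system] + list(apps))
    return installed.get(rec.name) == rec.version
```

The match is an exact string comparison on the affected version, which is all the encoded record supports; a vulnerability affecting a range of versions needs one QR code per affected version, or a richer version field than the paper's format carries.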
3.3 Query service in QRCloud

The QRCloud application scans a QR code displayed on the web page and decodes it to obtain the vulnerability information. The information is then matched against the Android system and all installed applications to determine whether the phone is affected:

$$res = \mathrm{match}(\mathrm{decode}(QR_{vul}), (\mathrm{system}, \mathrm{app}))$$

If $res$ is true, the detailed information and the fix methods are recommended to the user.

3.4 Push service in QRCloud

To obtain the customized service, information about the Android system and the installed applications is collected and sent to QRCloud as an identifier

$$id = [\phi\,\mathrm{name}\,\varphi\,\mathrm{hash}(\mathrm{version})\,\varphi\,\mathrm{hash}(\mathrm{patch})]^{+}$$

where hash() hashes the version and patch strings, $\phi$ and $\varphi$ are delimiters, and the final id consists of one or more such hashed entries, one per system component or application. If the system changes, the id is recomputed and sent again promptly. QRCloud stores the id of each customer and matches it in the cloud; if a vulnerability matches, the corresponding information is pushed to the customer. Whenever a new vulnerability is added, the matching process runs again.

4 Implementation and Evaluation

The QRCloud prototype runs on servers with two physical Intel Xeon CPUs, 16 GB of main memory and a 320 GB hard disk, with resources rescheduled dynamically as needed. 290 Android vulnerabilities collected from the NVD are stored in QRCloud, categorized as shown in Table 1, and more types will be stored to support other systems [8]. The QRCloud application has also been implemented on Android. Fig. 2(a) shows the query result for a vulnerability, with its detailed information displayed. Fig. 2(b) shows the push service, where the vulnerable applications are identified. Fig. 2(c) shows the recommended information for a given vulnerability, which includes a list of URLs; following the URLs, the vulnerability can be fixed.
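The push-service identifier and the cloud-side matching of Section 3.4, as an added example in Python; this is not the paper's code. The hash function (SHA-256 truncated to 16 hex digits), the delimiters `|` for φ and `;` for ϕ, the rule that a customer is vulnerable when its version hash is in the entry's affected set and its patch hash is not in the entry's fixing set, and the sample records are all assumptions. Two consequences of the design show up in the code: because the phone sends hash(version) rather than the version, the cloud must hash every affected version it knows and can only do exact-match lookups, so affected versions have to be enumerated rather than expressed as ranges; and adding a vulnerability re-runs the match for every registered customer.

```python
"""QRCloud-style push service: the phone builds
id = [phi name varphi hash(version) varphi hash(patch)]+ and the cloud matches it.
Added example; hash choice, delimiters and matching rule are assumptions."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

OUTER = "|"   # phi: starts each (name, version, patch) entry
INNER = ";"   # varphi: separates fields inside an entry


def h(s: str) -> str:
    """hash(): SHA-256, truncated to 16 hex digits for compactness (assumed)."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()[:16]


def device_id(components: List[Tuple[str, str, str]]) -> str:
    """Phone side: one entry per system component or app, given as (name, version, patch)."""
    parts = []
    for name, version, patch in components:
        if OUTER in name or INNER in name:
            raise ValueError("name contains a delimiter")
        parts.append(f"{OUTER}{name}{INNER}{h(version)}{INNER}{h(patch)}")
    return "".join(parts)


def parse_id(ident: str) -> List[Tuple[str, str, str]]:
    """Cloud side: split the id back into (name, hash(version), hash(patch)) entries."""
    entries = []
    for chunk in ident.split(OUTER)[1:]:   # the leading OUTER yields an empty first chunk
        name, hv, hp = chunk.split(INNER)
        entries.append((name, hv, hp))
    return entries


@dataclass(frozen=True)
class Vuln:
    vid: str
    name: str
    affected_versions: Tuple[str, ...]   # enumerated: the cloud only sees hashes, so no ranges
    fixed_by_patches: Tuple[str, ...]    # patch ids that close the hole
    tip: str                             # update suggestion / URL pushed to the phone


class QRCloud:
    def __init__(self, vulns: List[Vuln]):
        self.vulns = list(vulns)
        self.customers: Dict[str, List[Tuple[str, str, str]]] = {}
        self.outbox: List[Tuple[str, str, str]] = []   # (customer, vid, tip) pushed so far

    def register(self, customer: str, ident: str) -> List[str]:
        """Store (or refresh) a customer's id and match it against every known vulnerability."""
        self.customers[customer] = parse_id(ident)
        return self._match(customer, self.vulns)

    def add_vulnerability(self, v: Vuln) -> List[str]:
        """A new entry re-runs the match for all registered customers."""
        self.vulns.append(v)
        pushed = []
        for customer in self.customers:
            pushed += self._match(customer, [v])
        return pushed

    def _match(self, customer: str, vulns: List[Vuln]) -> List[str]:
        pushed = []
        for v in vulns:
            affected = {h(x) for x in v.affected_versions}   # hash on the cloud side too
            fixed = {h(p) for p in v.fixed_by_patches}
            for name, hv, hp in self.customers[customer]:
                if name == v.name and hv in affected and hp not in fixed:
                    self.outbox.append((customer, v.vid, v.tip))
                    pushed.append(v.vid)
        return pushed
```

Note what the hashing does and does not buy: it fixes the width of each entry and hides nothing in practice, since version and patch strings come from a small set that anyone can hash and compare, and the component names travel in the clear. The id is therefore a device fingerprint and should be sent over an authenticated channel and stored as such.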
5 Conclusion

In this paper, QRCloud is proposed as a private cloud providing Android vulnerability query and push services based on QR codes. The QRCloud application queries the Android vulnerability database and receives pushed information from it, so users can conveniently determine whether their Android phone is affected and fix the vulnerabilities. Computing resources in QRCloud can be rescheduled in real time, and with a small extension the service can cover other smartphone operating systems.
Table 1: Top-10 categories of Android vulnerabilities

Rank  Vulnerability type                            Number
1     Buffer Errors                                 79
2     Insufficient Information                      66
3     Permissions, Privileges, and Access Control   38
4     Information Leak / Disclosure                 23
5     Input Validation                              21
6     Numeric Errors                                17
7     Cross-Site Scripting                           6
8     Code Injection                                 6
9     Cryptographic Issues                           4
10    Resource Management Errors                     3

Fig. 2: Query and push services in cloud computing: (a) Query, (b) Push, (c) Recommend

Acknowledgements

This work is supported by the National Natural Science Foundation of China and the National Science and Technology Major Project No. 2012ZX.

References

[1] Y. Zhou, Z. Wang, W. Zhou, and X. Jiang, Hey, you, get off of my market: Detecting malicious apps in official and alternative Android markets, in NDSS.
[2] M. Grace, Y. Zhou, Z. Wang, and X. Jiang, Systematic detection of capability leaks in stock Android smartphones, in Proceedings of the 19th Annual Symposium on Network and Distributed System Security.
[3] A. Shabtai, Y. Fledel, U. Kanonov, Y. Elovici, S. Dolev, and C. Glezer, Google Android: A comprehensive security assessment, IEEE Security & Privacy, vol. 8, no. 2, March-April.
[4] C. Mann and A. Starostin, A framework for static detection of privacy leaks in Android applications, in Proceedings of the 27th Annual ACM Symposium on Applied Computing (SAC '12), ACM, 2012.
[5] K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie, PScout: analyzing the Android permission specification, in Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS '12), ACM, New York, NY, USA, 2012.
[6] A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner, Android permissions demystified, in Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS '11), ACM, New York, NY, USA, 2011.
[7] P. P. Chan, L. C. Hui, and S. M. Yiu, DroidChecker: analyzing Android applications for capability leak, in Proceedings of the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec '12), ACM, New York, NY, USA, 2012.
[8] R. Scandariato and J. Walden, Predicting vulnerable classes in an Android application, in Proceedings of the 4th International Workshop on Security Measurements and Metrics (MetriSec '12), ACM, 2012.
[9] M. La Polla, F. Martinelli, and D. Sgandurra, A survey on security for mobile devices, IEEE Communications Surveys & Tutorials, vol. PP, no. 99, pp. 1-26.
[10] T.-E. Wei, C.-H. Mao, A. B. Jeng, H.-M. Lee, H.-T. Wang, and D.-J. Wu, Android malware detection via a latent network behavior analysis, in TrustCom, 2012.
[11] L. Lu, Z. Li, Z. Wu, W. Lee, and G. Jiang, CHEX: statically vetting Android apps for component hijacking vulnerabilities, in Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS '12), ACM, 2012.
[12] M. C. Grace, Y. Zhou, Q. Zhang, S. Zou, and X. Jiang, RiskRanker: scalable and accurate zero-day Android malware detection, in MobiSys, 2012.
[13] J. Walden and M. Doyle, SAVI: Static-analysis vulnerability indicator, IEEE Security & Privacy, vol. 10, no. 3, May-June.
[14] J. Wu, L. Ding, Y. Wang, and W. Han, Identification and evaluation of sharing memory covert timing channel in Xen virtual machines, in IEEE CLOUD, Washington DC, USA, 2011.
[15] C. Cowan, Software security for open-source systems, IEEE Security & Privacy, vol. 1, no. 1, Jan.-Feb.
[16] J. Viega, J. T. Bloch, T. Kohno, and G. McGraw, ITS4: a static vulnerability scanner for C and C++ code, in Proceedings of the Annual Computer Security Applications Conference (ACSAC), Dec. 2000.
[17] W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth, TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones, in Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation (OSDI '10), USENIX Association, Berkeley, CA, USA, 2010.
[18] National Vulnerability Database, 2013.
Introduction to Computer Security International Edition Michael T. Goodrich Department of Computer Science University of California, Irvine Roberto Tamassia Department of Computer Science Brown University
More informationProfessional Penetration Testing Techniques and Vulnerability Assessment ...
Course Introduction Today Hackers are everywhere, if your corporate system connects to internet that means your system might be facing with hacker. This five days course Professional Vulnerability Assessment
More informationSecure Your Mobile Workplace
Secure Your Mobile Workplace Sunny Leung Senior System Engineer Symantec 3th Dec, 2013 1 Agenda 1. The Threats 2. The Protection 3. Q&A 2 The Mobile Workplaces The Threats 4 Targeted Attacks up 42% in
More informationDefending Behind The Device Mobile Application Risks
Defending Behind The Device Mobile Application Risks Tyler Shields Product Manager and Strategist Veracode, Inc Session ID: MBS-301 Session Classification: Advanced Agenda The What The Problem Mobile Ecosystem
More informationMeasuring the Effect of Code Complexity on Static Analysis Results
Measuring the Effect of Code Complexity on Static Analysis Results James Walden, Adam Messer, and Alex Kuhl Department of Computer Science Northern Kentucky University Highland Heights, KY 41099 Abstract.
More informationThe Droid Knight: a silent guardian for the Android kernel, hunting for rogue smartphone malware applications
Virus Bulletin 2013 The Droid Knight: a silent guardian for the Android kernel, hunting for rogue smartphone malware applications Next Generation Intelligent Networks Research Center (nexgin RC) http://wwwnexginrcorg/
More informationLoophole+ with Ethical Hacking and Penetration Testing
Loophole+ with Ethical Hacking and Penetration Testing Duration Lecture and Demonstration: 15 Hours Security Challenge: 01 Hours Introduction Security can't be guaranteed. As Clint Eastwood once said,
More informationExternal Supplier Control Requirements
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
More informationNorth Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing
North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing Introduction ManTech Project Manager Mark Shaw, Senior Executive Director Cyber Security Solutions Division
More informationSecurity Management of Cloud-Native Applications. Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM)
Security Management of Cloud-Native Applications Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM) 1 Outline Context State-of-the-Art Design Patterns Threats to cloud systems Security
More informationThreat Center. Real-time multi-level threat detection, analysis, and automated remediation
Threat Center Real-time multi-level threat detection, analysis, and automated remediation Description Advanced targeted and persistent threats can easily evade standard security, software vulnerabilities
More informationPenetration Test Report
Penetration Test Report Acme Test Company ACMEIT System 26 th November 2010 Executive Summary Info-Assure Ltd was engaged by Acme Test Company to perform an IT Health Check (ITHC) on the ACMEIT System
More informationPRESENTING RISKS INTRODUCED BY ANDROID APPLICATION PERMISSIONS IN A USER-FRIENDLY WAY
Ø Ñ Å Ø Ñ Ø Ð ÈÙ Ð Ø ÓÒ DOI: 10.2478/tmmp-2014-0026 Tatra Mt. Math. Publ. 60 (2014), 85 100 PRESENTING RISKS INTRODUCED BY ANDROID APPLICATION PERMISSIONS IN A USER-FRIENDLY WAY Juraj Varga Peter Muska
More information05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
More informationFISMA / NIST 800-53 REVISION 3 COMPLIANCE
Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security
More informationStudent Tech Security Training. ITS Security Office
Student Tech Security Training ITS Security Office ITS Security Office Total Security is an illusion security will always be slightly broken. Find strategies for living with it. Monitor our Network with
More informationBad Romance: Three Reasons Hackers <3 Your Web Apps & How to Break Them Up
Bad Romance: Three Reasons Hackers
More informationCutting Edge Practices for Secure Software Engineering
Cutting Edge Practices for Secure Software Engineering Kanchan Hans Amity Institute of Information Technology Amity University, Noida, 201301, India khans@amity.edu Abstract Security has become a high
More informationSAFECode Security Development Lifecycle (SDL)
SAFECode Security Development Lifecycle (SDL) Michael Howard Microsoft Matthew Coles EMC 15th Semi-annual Software Assurance Forum, September 12-16, 2011 Agenda Introduction to SAFECode Security Training
More informationDISA's Application Security and Development STIG: How OWASP Can Help You. AppSec DC November 12, 2009. The OWASP Foundation http://www.owasp.
DISA's Application Security and Development STIG: How Can Help You AppSec DC November 12, 2009 Jason Li Senior Application Security Engineer jason.li@aspectsecurity.com The Foundation http://www.owasp.org
More informationCS 356 Lecture 25 and 26 Operating System Security. Spring 2013
CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control
More informationMobile Application Security Sharing Session May 2013
Mobile Application Security Sharing Session Agenda Introduction of speakers Mobile Application Security Trends and Challenges 5 Key Focus Areas for an mobile application assessment 2 Introduction of speakers
More informationIdea: Measuring the Effect of Code Complexity on Static Analysis Results
Idea: Measuring the Effect of Code Complexity on Static Analysis Results James Walden, Adam Messer, and Alex Kuhl Department of Computer Science Northern Kentucky University Highland Heights, KY 41099
More informationA Review on Android Security
A Review on Android Security Dr. Vikash Kumar Singh 1, Devendra Singh Kushwaha 2, Raju Sujane 3, Roshni Tiwari 4 Head (I/C), Dept. of computer Science IGNTU Amarkantak (M.P.) 1 Assistant Professor, Faculty
More informationThick Client Application Security
Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two
More informationIndex Terms: Smart phones, Malwares, security, permission violation, malware detection, mobile devices, Android, security
Permission Based Malware Detection Approach Using Naive Bayes Classifier Technique For Android Devices. Pranay Kshirsagar, Pramod Mali, Hrishikesh Bidwe. Department Of Information Technology G. S. Moze
More informationWhite Paper Secure Reverse Proxy Server and Web Application Firewall
White Paper Secure Reverse Proxy Server and Web Application Firewall 2 Contents 3 3 4 4 8 Losing control Online accessibility means vulnerability Regain control with a central access point Strategic security
More informationApplication Security Testing. Generic Test Strategy
Application Security Testing Generic Test Strategy Page 2 of 8 Contents 1 Introduction 3 1.1 Purpose: 3 1.2 Application Security Testing: 3 2 Audience 3 3 Test Strategy guidelines 3 3.1 Authentication
More informationResearch on Monitoring Method of. Permission Requests by Mobile Applications
Contemporary Engineering Sciences, Vol. 7, 2014, no. 31, 1683-1689 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ces.2014.411226 Research on Monitoring Method of Permission Requests by Mobile
More informationSecurity Threats for Mobile Platforms
Security Threats for Mobile Platforms Goran Delac Faculty of Electrical Engineering and Computing, University of Zagreb, Zagreb, Croatia Abstract - The proliferation of smart-phone devices, with ever advancing
More informationDevelopment Processes (Lecture outline)
Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development
More informationINTRUSION PROTECTION AGAINST SQL INJECTION ATTACKS USING REVERSE PROXY
INTRUSION PROTECTION AGAINST SQL INJECTION ATTACKS USING REVERSE PROXY Asst.Prof. S.N.Wandre Computer Engg. Dept. SIT,Lonavala University of Pune, snw.sit@sinhgad.edu Gitanjali Dabhade Monika Ghodake Gayatri
More informationArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
More informationCross-site site Scripting Attacks on Android WebView
IJCSN International Journal of Computer Science and Network, Vol 2, Issue 2, April 2013 1 Cross-site site Scripting Attacks on Android WebView 1 Bhavani A B 1 Hyderabad, Andhra Pradesh-500050, India Abstract
More informationHow To Fix A Web Application Security Vulnerability
Proposal of Improving Web Application Security in Context of Latest Hacking Trends RADEK VALA, ROMAN JASEK Department of Informatics and Artificial Intelligence Tomas Bata University in Zlin, Faculty of
More informationApplication Intrusion Detection
Application Intrusion Detection Drew Miller Black Hat Consulting Application Intrusion Detection Introduction Mitigating Exposures Monitoring Exposures Response Times Proactive Risk Analysis Summary Introduction
More informationSecuring Network Software using Static Analysis
Securing Network Software using Static Analysis Lauri Kolmonen Helsinki University of Technology lauri.kolmonen@hut.fi Abstract Writing network software is not easy and developing secure network software
More informationReview of Malware Defense in Mobile Network using Dynamic Analysis of Android Application
Review of Malware Defense in Mobile Network using Dynamic Analysis of Android Application Miss. Ashwini A. Dongre M. E. 3 rd sem, Dept. of Computer Science and engineering P. R. Patil College of engineering
More informationCloud Security:Threats & Mitgations
Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer
More informationCopyright 2013, Oracle and/or its affiliates. All rights reserved.
1 Security Inside Out Latest Innovations in Oracle Database 12c Jukka Männistö Database Architect Oracle Nordic Coretech Presales The 1995-2014 Security Landscape Regulatory Landscape HIPAA, SOX (2002),
More informationSmartphone Security. A Holistic view of Layered Defenses. David M. Wheeler, CISSP, CSSLP, GSLC. (C) 2012 SecureComm, Inc. All Rights Reserved
Smartphone Security A Holistic view of Layered Defenses David M. Wheeler, CISSP, CSSLP, GSLC 1 The Smartphone Market The smartphone security market is expected to grow at a rate of 44 percent annually
More informationDroidBarrier: Know What is Executing on Your Android
DroidBarrier: Know What is Executing on Your Android Hussain M. J. Almohri almohri@cs.ku.edu.kw Department of Computer Science Kuwait University, Kuwait Danfeng (Daphne) Yao danfeng@cs.vt.edu Department
More informationAN OVERVIEW OF VULNERABILITY SCANNERS
AN OVERVIEW OF VULNERABILITY SCANNERS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole
More informationAbstract. 1. Introduction. 2. Threat Model
Beyond Ring-3: Fine Grained Application Sandboxing Ravi Sahita (ravi.sahita@intel.com), Divya Kolar (divya.kolar@intel.com) Communication Technology Lab. Intel Corporation Abstract In the recent years
More information