invited-talk

Public Access

How Inadequate Specification, Buggy Implementation, and Deficient Platform-Support Hinder Security

Author:

Omar ChowdhuryAuthors Info & Claims

SACMAT '18: Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies

Page 221

https://doi.org/10.1145/3205977.3206002

Published: 07 June 2018 Publication History

PDF eReader

Abstract

Developing a secure system (or, protocol) in general boils down to having a correct and robust specification which developers faithfully implement with the available platform support. Vulnerabilities can thus crop up due to inadequate specification, buggy implementations, or the lack of appropriate security constructs in the platform. In this talk, I will present examples of insecurity due to inadequate specification, wrong implementations, and deficient platform support. I will particularly focus on how automated reasoning and formal verification techniques can greatly contribute towards detecting vulnerabilities. In the first example, I will show how 4G LTE telecommunication protocol specification lacks security considerations which can be exploited by adversaries to have catastrophic impacts. Next, I will present how incorrect X.509 certificate validation implementations in open-source SSL/TLS libraries leave users prone to impersonation attacks. Finally, I will conclude my talk with a discussion of how lack of hardware support makes enforcing Digital Rights Management (DRM) policies infeasible for mobile devices.

References

[1]

S. Y. Chau, O. Chowdhury, E. Hoque, H. Ge, A. Kate, C. Nita-Rotaru, and N. Li. 2017. SymCerts: Practical Symbolic Execution for Exposing Noncompliance in X.509 Certificate Validation Implementations. In 2017 IEEE Symposium on Security and Privacy (SP). 503--520.

Google Scholar

[2]

Syed Rafiul Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino. 2018. LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE 2018 Network and Distributed System Security Symposium (NDSS).

Google Scholar

Index Terms

How Inadequate Specification, Buggy Implementation, and Deficient Platform-Support Hinder Security
1. Security and privacy

Recommendations

Network (In)security: Leniency in Protocols' Design, Code and Configuration
SACMAT '22: Proceedings of the 27th ACM on Symposium on Access Control Models and Technologies

Protocols are one of the founding pillars of network communication. Given their importance, protocols have received great attention not only from the research community but also from adversaries. Protocols, particularly their implementations, have been ...
Design and Implementation of a Tool for Specifying Specification in SOFL
Revised Selected Papers of the Second International Workshop on Structured Object-Oriented Formal Language and Method - Volume 7787

Structure Object-oriented Formal Language SOFL is not just a formal language for writing formal specification. It is also an approach and a methodology. SOFL provides a three-step approach for modelling a software system using formal specification. ...
Display-only file server: a solution against information theft due to insider attack
DRM '04: Proceedings of the 4th ACM workshop on Digital rights management

Insider attack is one of the most serious cybersecurity threats to corporate America. Among all insider threats, information theft is considered the most damaging in terms of potential financial loss. Moreover, it is also especially difficult to detect ...

Comments

Information & Contributors

Information

Published In

SACMAT '18: Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies

June 2018

271 pages

ISBN:9781450356664

DOI:10.1145/3205977

General Chair:
Elisa Bertino
Purdue University, USA
,
Program Chairs:
Dan Lin
Missouri University of Science and Technology, USA
,
Jorge Lobo
Universitat Pompeu Fabra, Spain

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 June 2018

Check for updates

Author Tags

Qualifiers

Invited-talk

Funding Sources

Conference

SACMAT '18

Sponsor:

SIGSAC

SACMAT '18: The 23rd ACM Symposium on Access Control Models and Technologies

June 13 - 15, 2018

Indiana, Indianapolis, USA

Acceptance Rates

SACMAT '18 Paper Acceptance Rate 14 of 50 submissions, 28%;

Overall Acceptance Rate 177 of 597 submissions, 30%

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

0
Total Citations
178
Total Downloads

Downloads (Last 12 months)35
Downloads (Last 6 weeks)9

Reflects downloads up to 20 Feb 2025

Other Metrics

View Author Metrics

Citations

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Index Terms

Recommendations

Network (In)security: Leniency in Protocols' Design, Code and Configuration

Design and Implementation of a Tool for Specifying Specification in SOFL

Display-only file server: a solution against information theft due to insider attack