Software Engineering

Introduction – October 10. 2017

Linghui Luo

Seminar: Secure Systems Engineering

Requirements

2

Attendance at all meetings

Writing a seminar essay in English

15 – 20 pages in LaTeX

LaTeX-template provided by us

Delivering a presentation in English

20 mins presentation

10 mins discussion

Active participation in the peer review process

Peer reviewed by students

Reviewed by advisors

Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden

Schedule

Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden3

First Meetings

Date Time & Place

Tuesday, 10 October 2017 11:00 – 13:00 E5.333 Introduction to topics & Assignment

Tuesday, 17 October 2017 11:00 – 13:00 E5.333 Seminar guidelines & Introduction to scientific work

Deadlines till 23:59 CET

Date Task Role

Monday, 20 November 2017 Outline & Literature references Students

Monday, 11 December 2017 Essay draft for review Students

Tuesday, 12 December 2017 Assignment of peer reviews Advisors

Monday, 18 December 2017 Completed peer review Students

Monday, 15 January 2018 Presentation slides for feedback Students

Monday, 22 January 2018 Advisor feedback Advisors

Monday, 5 February 2018 Essay for feedback Students

Friday, 16 February 2018 Advisor feedback Advisors

Wednesday, 28 February 2018 Final Essay Submission Students

Block Seminar

Date Time & Place

Thursday, 25 January 2018 9:00 - 13:00 F0.231

Friday, 26 January 2018 9:00 - 18:00 F0.231

Allocation of Topics

Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden4

Doodle poll

You will receive an invitation via e-mail today

Choose exactly 3 preferences until 18:00, Thursday, 12th October

Collisions will be solved by applying the following criterion:

Students in higher semesters (at least 2nd semester) are preferred.

Students with main field “Software Technology and Information Systems” or

“Software Engineering” are preferred.

With equivalent qualifications: randomness

You will be informed via e-mail which topic you are assigned

Please confirm this mail until 18:00, Sunday, 15th October

You can also reject the topic, but inform us as early as possible!

If you confirm a topic, we expect you not to drop the seminar in the middle of the

semester

Relaxing Security Policies through DeclassificationAdvisor: Christopher Gerking (christopher.gerking@hni.upb.de)

5 Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden

Task for student:

Survey different approaches for declassification

Demonstrate advantages and shortcomings

Assess suitability of the approaches in the context of model-driven security

Literature:

Sabelfeld, A., Sands, D.: Declassification: Dimensions and Principles, JCS 17(5), 2009

Peng, L., Zdancewic, S.: Downgrading Policies and Relaxed Noninterference, POPL 2005

Askarov, A., Myers, A.: A Semantic Framework for Declassification and Endorsement, ESOP 2010

1

Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden6

Preservation of Information Flow Security on CompositionAdvisor: Christopher Gerking (christopher.gerking@hni.upb.de)

Task for student:

Compare different security models with respect to compositionality

Illustrate differences on a “common ground“

Point out assumptions and limitations for real-world applications

Literature:

McCullough, D.: A Hookup Theorem for Multilevel Security. IEEE TSE, 16(6), 1990

McLean, J.: A General Theory of Composition for a Class of Possibilistic Properties, IEEE TSE, 22(1),

1996

Mantel, H.: On the Composition of Secure Systems, IEEE S&P 2002

Mantel, H. et al.: Assumptions and Guarantees for Compositional Noninterference, CSF 2011

2

Security Requirements in Natural Language ArtifactsAdvisor: Dr. Marie Christin Platenius (m.platenius@upb.de)

7

Introduction :

In practice, requirements specifications are still written in natural language

This also includes different kinds of security requirements. Examples:

Natural language processing techniques can improve automated processing of such requirements

Task for student:

Inspect and critically reflect the given literature wrt. security requirements in natural language artifacts

text

Try to find related work and compare it to the given literature

Literature:

M. Riaz, J. King, J. Slankas and L. Williams, “Hidden in plain sight: Automatically identifying security requirements from

natural language artifacts,” IEEE Int. Requirements Engineering Conference (RE), Karlskrona, 2014

(http://ieeexplore.ieee.org/abstract/document/6912260/)

Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden

"The system shall enforce access privileges that

enable authorized users to edit discharge

instructions for a particular patient." (confidentiality)

"The system shall log every time

discharge instructions for a particular

patient are edited." (accountability)

3

Static Analysis Based on User-Defined ConstraintsAdvisor: Johannes Späth (johannes.spaeth@iem.fraunhofer.de)

Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden8

Problem

Implementations of software evolve and are affected by constant change

…but the quality of the implementation, including the derived security, has to be ensured

Minor modifications to the code easily break the complete security model

Approach

The developer specifies constraints in the code

From the constraints a static model of the program’s behavior is build

The model is solved and potentially invalidated constraints are reported to the developer

Task for student:

Describe the proposed approach and highlight its advantages and disadvantages

Literature

[Fähndrich, M.; Logozzo, F.: “Static Contract Checking with Abstract Interpretation”. Formal Verification of Object-

Oriented Software - International Conference, FoVeOOS 2010, Paris, France, June 28-30, 2010]

[Christakis, M.; Müller, P.; Wüstholz, V.: “An Experimental Evaluation of Deliberate Unsoundness in a Static Program

Analyzer”. Verification, Model Checking, and Abstract Interpretation - 16th International Conference, VMCAI 2015, Mumbai,

India, January 12-14, 2015]

4

Scalable and Precise String AnalysisAdvisor: Linghui Luo (linghui.luo@upb.de)

9

Introduction :

Client side software may process string-based user input

Vulnerabilities: SQL injection, Cross-Site Scripting

Some program paths only execute under certain string inputs

Imprecise string analysis could miss possible vulnerabilities

Task for student:

Understand the importance of string analysis and review existing frameworks for it

Select and compare frameworks which are precise and scalable for large programs and can be used for java

and android applications

Literature:

Ding Li, Yingjun Lyu, Mian Wan, and William G. J. Halfond. 2015. String analysis for Java and Android applications. In Proceedings of the 2015 10th Joint Meeting

on Foundations of Software Engineering (ESEC/FSE 2015). ACM, New York, NY, USA, 661-672. (https://doi.org/10.1145/2786805.2786879)

Adam Kiezun, Vijay Ganesh, Philip J. Guo, Pieter Hooimeijer, and Michael D. Ernst. 2009. HAMPI: a solver for string constraints. In Proceedings of the eighteenth

international symposium on Software testing and analysis (ISSTA '09). ACM, New York, NY, USA, 105-116. (http://dx.doi.org/10.1145/1572272.1572286)

Yunhui Zheng, Xiangyu Zhang, and Vijay Ganesh. 2013. Z3-str: a z3-based string solver for web application analysis. In Proceedings of the 2013 9th Joint Meeting

on Foundations of Software Engineering (ESEC/FSE 2013). ACM, New York, NY, USA, 114-124. (https://doi.org/10.1145/2491411.2491456)

Minh-Thai Trinh, Duc-Hiep Chu, and Joxan Jaffar. 2014. S3: A Symbolic String Solver for Vulnerability Detection in Web Applications. In Proceedings of the 2014

ACM SIGSAC Conference on Computer and Communications Security (CCS '14). ACM, New York, NY, USA, 1232-1243. (http://dx.doi.org/10.1145/2660267.2660372)

Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden

5

Inferring Specifications for Taint-Style VulnerabilitiesAdvisor: Goran Piskachev (goran.piskachev@iem.fraunhofer.de)

10

Introduction :

Many vulnerabilities (e.g. SQL injection) can be detected via taint analysis

To configure these analyses, the users need to specify different configuration methods (e.g. source,

sink)

This is a manual task that requires security-related domain knowledge

The users often face many false positives

One of the main reason is incomplete or wrong specifications

Few approaches (e.g. Merlin) propose an automatic creation of these specifications

Task for student:

Give an overview of the Merlin approach

Compare the Merlin approach to other similar approaches (e.g. SuSi)

Literature:

Benjamin Livshits, Aditya V. Nori, Sriram K. Rajamani, and Anindya Banerjee. Merlin: specification inference for explicit

information flow problems. In Proceedings of the 30th ACM SIGPLAN Conference on Programming Language Design and

Implementation (PLDI '09). ACM, New York, NY, USA, 75-86.

Siegfried Rasthofer, Steven Arzt, and Eric Bodden. A Machine-learning Approach for Classifying and Categorizing

Android Sources and Sinks. NDSS 2014

Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden

6

Model-driven Security for Embedded SystemsAdvisor: Johannes Geismann (johannes.geismann@upb.de)

11

Introduction :

When designing safe and secure embedded systems not only software but also hardware has to be

considered

Model-driven approaches are used to assist designers and developers in early development steps

SysML-Sec is a method for this task

Task for student:

Give a comprehensive overview

Which threats / attacks are considered?

Which viewpoints are covered?

What are the limitations of this approach?

Compare to related approaches

Literature:

Ludovic Apvrille, Yves Roudier, "SysML-Sec: A Model-Driven Environment for Developing Secure Embedded Systems", Proceedings of the

8th conference on the security of network architecture and information systems (SARSSI'2013), Mont de Marsan, France, 16-18 sept. 2013

Ludovic Apvrille, Yves Roudier, "SysML-Sec: A Model Driven Approach for Designing Safe and Secure Systems", Special session on Security

and Privacy in Model Based Engineering, 3rd International Conference on Model-Driven Engineering and Software Development (Modelsward),

Angers, France, Feb. 2015

Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden

7

Compositional Verification of Security PropertiesAdvisor: Johannes Geismann (johannes.geismann@upb.de)

12

Introduction :

On architectural level, formal methods can be used to prove security

requirements, e.g., model checking

For large systems, model checking is infeasible since the state space of

the system is too large

Compositional verification can help to tackle this problem

Task for student:

Explain the approach presented in [1]

Explain how compositional model checking can help to analyze security

properties of large-scale systems

Survey other compositional verification approaches for analyzing

security properties and relate them to [1]

Literature:

[1] Gunawan, L. A., & Herrmann, P. (2013). Compositional Verification of Application-Level Security

Properties. In ESSoS (pp. 75–90)

Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden

8

A Comparison of Hooking Approaches for ARTAdvisor: Andreas Peter Dann (andreas.peter.dann@upb.de)

Introduction :

What happens with the personal information?

Can we enforce that our address book is not leaked to any suspicious network?

To give an answer, we need to extract runtime information from an app.

Thus, we need to hook into its methods and check which data it reads or

which server it connects to.

For hooking exist several approaches, with different drawbacks and advantages.

Task for student:

Compare the approaches

Point out for each approach: Advantages, Drawbacks, What is covered, What is missing?

Draw your own conclusion based on your results and literature

Literature:

Costamagna, et al. (2016). ARTDroid: A virtual-method hooking framework on android ART

Wang, F., et al. (2016). Stay in Your Cage! A Sound Sandbox for Third-Party Libraries on Android

Bianchi, A., et al. (2015). NJAS: Sandboxing Unmodified Applications in non-rooted Devices Running

stock Android

13 Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden

9

Object-Capabilities as Means of Permission and Authority

in Software SystemsAdvisor: Dr. Ben Hermann (ben.hermann@upb.de)

14

Introduction:

What do we mean when a system is secure?

How do we characterize its security?

Recent research in the field of Object-Capability security helps to find answers.

Task for student:

Go beyond the given literature – systematically find CLOSELY related work

Give a comprehensive overview and comparison of the different approaches

What are the open challenges in the field

Literature:

Sophia Drossopoulou, James Noble, Mark S. Miller, and Toby Murray. 2016. Permission and Authority Revisited towards a formalisation.

In Proceedings of the 18th Workshop on Formal Techniques for Java-like Programs (FTfJP'16). ACM, New York, NY, USA, , Article 10 , 6

pages. DOI: http://dx.doi.org/10.1145/2955811.2955821

Sophia Drossopoulou and James Noble. 2013. The need for capability policies. In Proceedings of the 15th Workshop on Formal Techniques

for Java-like Programs (FTfJP '13). ACM, New York, NY, USA, Article 6, 7 pages. DOI: https://doi.org/10.1145/2489804.2489811

Sylvan Clebsch, Sophia Drossopoulou, Sebastian Blessing, and Andy McNeil. 2015. Deny capabilities for safe, fast actors. In Proceedings of

the 5th International Workshop on Programming Based on Actors, Agents, and Decentralized Control (AGERE! 2015). ACM, New York, NY,

USA, 1-12. DOI: http://dx.doi.org/10.1145/2824815.2824816

Sophia Drossopoulou, James Noble, and Mark S. Miller. 2015. Swapsies on the Internet: First Steps towards Reasoning about Risk and

Trust in an Open World. In Proceedings of the 10th ACM Workshop on Programming Languages and Analysis for Security (PLAS'15). ACM,

New York, NY, USA, 2-15. DOI: http://dx.doi.org/10.1145/2786558.2786564

Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden

10

Type Systems as Means to Secure Software SystemsAdvisor: Dr. Ben Hermann (ben.hermann@upb.de)

15

Introduction :

One class of security problems are confidentiality issues.

They occur whenever information is leaked to parties that are not permitted to receive the information.

But, how can we prove that a system does not have such issues?

Type systems may be the answer to that.

Task for student:

Go beyond the given literature – systematically find CLOSELY related work

Give a comprehensive overview and comparison of the different approaches

What are the open challenges in the field

Literature:

Chen, H., Tiu, A., Xu, Z. and Liu, Y., 2017. A Permission-Dependent Type System for Secure Information Flow

Analysis. arXiv preprint arXiv:1709.09623. https://arxiv.org/abs/1709.09623

Sabelfeld, A. and Myers, A.C., 2003. Language-based information-flow security. IEEE Journal on selected areas in

communications, 21(1), pp.5-19. http://ieeexplore.ieee.org/abstract/document/1159651/

Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden

11

Probabilistic Program Modeling for High-precision Anomaly

ClassificationAdvisor: David Schubert (david.schubert@iem.fraunhofer.de)

16

Introduction :

Task for student:

Introduce fundamentals: Intrusion Detection Systems, Hidden Markov Models

Construct a running example for your thesis

Recap the approach by Xu et al. using the running example

Literature:

Xu, et al. “Probabilistic program modeling for high-precision anomaly classification.” Computer Security Foundations

Symposium (CSF), 2015 IEEE 28th. IEEE, 2015

Lazarevic, Aleksandar, Vipin Kumar, and Jaideep Srivastava. “Intrusion detection: A survey .” DOI 10.1007/0-387-24230-

9_2

Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden

12

Executable Misuse Cases for Modeling Security ConcernsAdvisor: Thorsten Koch (thorsten.koch@iem.fraunhofer.de)

17

Problem:

Security is a crucial issues for information systems. However, in Software Engineering security

is mainly considered as non-function requirements after the definition of the systems. This

approach often leads to problems, which translate to security vulnerabilities.

Approach:

The approach of Whittle et al. is supposed to model and analyze security requirements

alongside functional requirements by means of misuse cases. It provides a formalization of

UML interaction overview diagrams to model scenarios precisely. This formalization is

transformed into a set of communicating FSMs to perform the analysis.

Task for student:

Describe the approach

Especially focus on security attacks that can be detected by the approach

Literature:

Jon Whittle, Duminda Wijesekera, and Mark Hartong. 2008. Executable misuse cases for modeling

security concerns. http://dx.doi.org/10.1145/1368088.1368106

Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden

13

Analyzing IEC 61131 Languages using SootAdvisor: Sven Merschjohann (sven.merschjohann@iem.fraunhofer.de)

18

Introduction:

PLCs are written in IEC 61131 languages

Despite being widely used sophisticated static analysis is rare

Writing static analysis is complex and time-consuming

Approaches:

Reuse existing analysis framework Soot (Java) by transforming Structured Text to

Jimple

Task for student:

Describe the approach and highlight its advantages and limitations using an own

example

Evaluate whether this approach can be applied to the other IEC languages as well

Literature:

[A. Grimmer, F. Angerer, H. Prähofer, and P. Grünbacher, “Supporting Program Analysis for Non-Mainstream

Languages: Experiences and Lessons Learned” in Proceedings of 23rd International Conference on Software

Analysis, Evolution, and Reengineering (SANER), 2016]

Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden

14

The State of the Art of Disassembly of x86/x64 codeAdvisor: Martin Mory (martin.mory@upb.de)

19

Introduction :

Compilation from high-level programming language to machine code brings information loss

Disassembly of machine code is required for understanding, but challenging

Task for student: (can be done by 2 students)

Point out challenges for disassembly of x86/x64 code

Summarise, compare and assess recent approaches towards disassembly of x86/x64 code

Literature:

Dennis Andriesse, Xi Chen, Victor van der Veen, Asia Slowinska, Herbert Bos: An In-Depth Analysis of

Disassembly on Full-Scale x86/x64 Binaries

… more papers to be identified

Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden

15

How to Track Configuration OptionsAdvisor: Linghui Luo (linghui.luo@upb.de)

20

Introduction :

Many modern software systems are highly configurable

Increases flexibility

Hard to be understood, maintained and analyzed

It is necessary to determine how configuration options affect program behavior

Task for student: (can be done by 2 students)

Review and compare existing approaches to track configuration options

Literature:

Elnatan Reisner, Charles Song, Kin-Keung Ma, Jeffrey S. Foster, and Adam Porter. 2010. Using symbolic evaluation to understand behavior

in configurable software systems. In Proceedings of the 32nd ACM/IEEE International Conference on Software Engineering - Volume 1 (ICSE

'10), Vol. 1. ACM, New York, NY, USA, 445-454. (http://dx.doi.org/10.1145/1806799.1806864)

Florian Angerer, Andreas Grimmer, Herbert Prahofer, and Paul Grunbacher. 2015. Configuration-Aware Change Impact Analysis (T).

In Proceedings of the 2015 30th IEEE/ACM International Conference on Automated Software Engineering (ASE) (ASE '15). IEEE Computer

Society, Washington, DC, USA, 385-395. (http://dx.doi.org/10.1109/ASE.2015.58)

Z. Dong, A. Andrzejak and K. Shao, "Practical and accurate pinpointing of configuration errors using static analysis," 2015 IEEE

International Conference on Software Maintenance and Evolution (ICSME), Bremen, 2015, pp. 171-180.

(http://dx.doi.org/10.1109/ICSM.2015.7332463)

ThanhVu Nguyen, Ugur Koc, Javran Cheng, Jeffrey S. Foster, and Adam A. Porter. 2016. iGen: dynamic interaction inference for

configurable software. In Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software

Engineering (FSE 2016). ACM, New York, NY, USA, 655-665. (https://doi.org/10.1145/2950290.2950311)

Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden

16

Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden21

A Survey on Common Android Malware SchemesAdvisor: Manuel Benz (manuel.benz@upb.de)

Introduction :

With more than 2 billion monthly active Android devices and lots of sensitive data stored on

them, the platform constitutes a perfect target for malware developers. Common schemes of

Android malware typically include silently sending premium SMS to raise a fee on the user or

encrypting the user‘s data, to blackmail her for money afterward. Many more exist…

Task for student: (can be done by 2 students)

Dig into literature starting from the given publications.

Collect a comprehensive list of common Android malware schemes.

The given literature is “old“ (2011/12). Try to find current references and elaborate the evolution

of malware schemes since then.

Literature:

https://doi.org/10.1007/978-3-319-24018-3_12

https://doi.org/10.1109/SP.2012.16

https://doi.org/10.1109/BADGERS.2014.7

https://doi.org/10.1145/2046614.2046618

17

Language Theoretic Security for Input HandlingAdvisor: Martin Mory (martin.mory@upb.de)

Seminar Secure Systems Engineering WS 2017/18 - Prof. Dr. Eric Bodden22

Introduction:

Parsing expected tokens/inputs for an application may be an easy task. But how to react to the invalid/malicious ones?

Hand-crafted parsers for complex input languages are difficult to implement and prone to vulnerabilities.

Language Thereoretic Security (LangSec) is an upcoming field that intends to handle input using grammars and thereby

prevent input-specific threats.

Hammer is a toolkit for parser construction following the LangSec philosophy.

Task for student:

Examine, where and how flaws in traditional input handling caused severe vulnerabilites and provide prominent examples of

recent years.

What are the LangSec concepts behind the Hammer toolkit? Show why and how these help preventing vulnerabilites. Give a

non-trivial example where the utilization of hammer provides a notable security-benefit.

How does Hammer compare to the state of the art of LangSec parser generators?

Literature:

The Seven Turrets of Babel: A Taxonomy of LangSec Errors and How to Expunge Them

Falcon Momot, Sergey Bratus, Sven M. Hallberg, Meredith L. Patterson

Building Hardened Internet-of-Things Clients with Language-theoretic Security

Prashant Anantharaman, Michael Locasto, Gabriela F. Ciocarlie, Ulf Lindqvist

https://github.com/UpstandingHackers/hammer

18

Linghui Luo

Thank you for your attention