December 2024 · 6 Reads
November 2024 · 39 Reads
July 2023 · 24 Reads · 4 Citations
January 2023 · 5 Reads
Lecture Notes in Computer Science
December 2022 · 2 Reads
November 2022 · 16 Reads · 14 Citations
May 2022 · 10 Reads · 12 Citations
June 2021 · 161 Reads
In this paper, we propose a new approach to infer state machine models from protocol implementations. Our method, STATEINSPECTOR, learns protocol states by using novel program analyses to combine observations of run-time memory and I/O. It requires no access to source code and only lightweight execution monitoring of the implementation under test. We demonstrate and evaluate STATEINSPECTOR's effectiveness on numerous TLS and WPA/2 implementations. In the process, we show STATEINSPECTOR enables deeper state discovery, increased learning efficiency, and more insightful post-mortem analyses than existing approaches. Further to improved learning, our method led us to discover several concerning deviations from the standards and a high impact vulnerability in a prominent Wi-Fi implementation.
December 2020 · 86 Reads · 22 Citations
Lecture Notes in Computer Science
Compared to many other areas of cyber security, vulnerabilities in industrial control systems (ICS) can be poorly understood. These systems form part of critical national infrastructure, where asset owners may not understand the security landscape and have potentially incorrect security assumptions for these closed source, operational technology (OT) systems. ICS vulnerability reports give useful information about single vulnerabilities, but there is a lack of guidance telling ICS owners what to look for next, or how to find these. In this paper, we analyse 9 years of ICS Advisory vulnerability announcements and we recategorise the vulnerabilities based on the detection methods and tools that could be used to find these weaknesses. We find that 8 categories are enough to cover 95% of the vulnerabilities in the dataset. This provides a guide for ICS owners to the most likely new vulnerabilities they may find in their systems and the best ways to detect them. We validate our proposed vulnerability categories by analysing a further 6 months of ICS Advisory reports, which shows that our categories continue to dominate the reported weaknesses. We further validate our proposed detection methods by applying them to a range of ICS equipment and finding four new critical security vulnerabilities.
November 2020 · 72 Reads · 9 Citations
... Other methods try to separate the asset concept into several types, such as EBIOS [ANS16] into primary and supporting, or as ISSRM into intangible business and tangible information system. Moreover, [Tzi+16] has proposed an asset-driven, security-aware, service selection framework for selecting services that best satisfy the security and cost constraints of assets. However, none of the above methods, even if they deal with the security of the assets, identify types of assets from the attackers' point of view. ...
June 2016
... Timestamps, and the number of distinct functions called during each transition, are used to identify potential performance issues or functions requiring optimization. The lookup tables are used to identify which functions are called under which transitions, and how important each function is to the overall behavior of the system. The lookup tables of function calls can be filtered to select a subset of function calls to be used for annotating the state machine. ...

Comparison table from the same citing paper (reconstructed from the extracted text; the first row's system name is not given in the source):

System                | Purpose             | Observations | Mode
[27]                  | Model extraction    | I/O          | Active
Pulsar [13]           | State-aware fuzzing | I/O          | Passive
Prospex [31]          | Protocol RE         | CF-I/O       | Passive
MACE [32]             | Input discovery     | I/O          | Active
AFLNET [14]           | State-aware fuzzing | I/O          | Active
State Inspector [30]  | Model extraction    | Memory       | Active
SLIME                 | Model extraction    | I/O          | Active
November 2022
... EMV contactless payment systems have been targeted by numerous attacks, including card cloning [36], [41], [70], passive attacks such as eavesdropping [19], [50] and transaction relaying [11], [12], [16], [39], [49], [56], [73], as well as active attacks including pre-play [36], [43], [74] and contactless limit bypass [8]- [10], [43]. Recent research has examined the security of contactless payment. ...
May 2022
... However, while the goal of distance-bounding protocols is to ensure that the communication partners are close, protocols from the above-mentioned class aim to ensure some classical security property, like secrecy or authentication, under the assumption of proximity of the communication partners. Such focus on distance bounding is reflected in the verification frameworks [8]- [13] developed for the verification of distance-bounding protocols using round-trip time, which ignore classical security properties. ...
October 2020
... Some of these include confining sources of vulnerable information to texts found within journal articles while ignoring those found in blogs, white papers, or advisories. However, more general information sources are given, such as references [1], [2], [3]. ...
December 2020
Lecture Notes in Computer Science
... Dealing with security problems in software development projects is, however, not a new research field. Specifically, the field of vulnerability management as part of risk management is well researched, with proposed solutions ranging from enterprise- to project-level [20,34,40]. With concepts like unique vulnerability identifiers (CVE-IDs [3]) and vulnerability severity ratings (CVSS [10]), this domain contributed widely employed processes and technologies that are crucial for industrial practitioners. ...
November 2020
... It has been established that cache partitioning is an effective approach for shared last-level caches [56], [63]. At the same time, prior research demonstrated that L1-caches can be flushed on context switches to prevent leakage with minimal loss in performance [28]. In this paper, we also make a case that private L2 caches have to be partitioned, and present TEE-SHirT, a security framework for multi-level cache hierarchies that combines a shared partitioned LLC, private partitioned L2 caches, and private L1 caches that are flushed on context switches and system calls. ...
March 2019
... In contrast, mechanisms discussed in [36][37][38] introduce cryptographic verification methods during the 4-way handshake exchanges to combat nonce reuse vulnerabilities targeted by KRACK. These approaches additionally tackle cipher downgrade attacks on APs. ...
September 2020
Lecture Notes in Computer Science
... They could use a distance fraud to pay for goods in a shop, while they are actually somewhere else committing a crime; the payment log from the shop's terminal would make them appear innocent. Distance-fraud counteraction in contactless payments is even more acutely called for by the fact that recent proposals [38] enforce proximity-checks be added to banks' payment-logs as well. ...
September 2019
Lecture Notes in Computer Science
... Furthermore, in their research, Karagiannis and Magkos (2021) found that CTFs increased students' confidence, had positive outcomes in terms of technical skills and knowledge, and the learning process was considered engaging. In addition, Chothia et al. (2019) studied the narrative aspects of the CTF exercises and found that story engagement was associated with better course performance. Students appreciated the entertainment aspect of the narrative, which in turn improved their engagement. ...
April 2019
Lecture Notes in Computer Science