96 research outputs found
Always the Same, Never the Same
The basic technique used by antimalware software for identifying malicious code is signature detection. Even after years of refining, attackers can still easily circumvent it, relying on several ways to manipulate signatures without changing the malware logic. This article introduces the reader to the signature manipulation concept by means of a practical example
Return-Oriented Programming
Attackers able to compromise the memory of a target machine can change its behavior and usually gain complete control over it. Despite the ingenious prevention and protection mechanisms that have been implemented in modern operating systems, memory corruption attacks still account for a big share of the security breaches afflicting software systems. This article describes a growing attack trend that uses return-oriented programming (ROP) techniques to bypass the most common memory protection systems
A Model for E-voting Systems Evaluation Based on International Standards: Definition and Experimental Validation
In this work, we define a novel scheme for evaluating the compliance of e-voting system to technical standards. The ultimate goal of such a certification path should be guaranteeing that the tested system respects the expected outcome of an election, in terms of correctness of results, identification of voters, anonymity of ballots and other measurable properties. Two main contributions emerge in this field, each with different strengths and weaknesses. The EU Recommendation can be usefully adopted as a high-level guideline towards the intended result, but gives insufficient details for its implementation. The U.S.A. Voluntary Voting System Guidelines (VVSG) can provide the necessary concreteness to the operative side of the certification path, by means of the many associated field-tested procedures already available, but its parts are unclearly related to the big picture. In this work, we describe our attempt at taking the best of both worlds. We turned the EU Recommendation, a conceptually well-conceived, but not directly applicable document into a real testing and certification manual, by exploiting the experience and guidance provided by the more pragmatic, but less organized U.S.A. VVSG. The result of our work is an applied methodology which must be considered a first step towards an ambitious goal, yet it has been fully field-tested to certify a real e-voting system for official use, providing clear evidences of its usefulness and allowing to highlight directions for its improvement
Towards a practical and effective security testing methodology
Security testing is an important step in the lifetime of both newly-designed and existing systems. Different methodologies exist to guide testers to the selection, design, and implementation of the most appropriate testing procedures for various contexts. Typically, each methodology stems from the specific needs of a particular category of actors, and consequently is biased towards some aspect of peculiar interest to them. This work compares the most commonly adopted methodologies to point out their strengths and weaknesses, and, building on the results of the performed analysis, proposes a path towards the definition of an integrated approach, by defining the characteristics that a new methodology should exhibit in order to combine the best aspects of the existing ones
Redesigning remote system administration paradigms for enhanced security and flexibility
Remote system administration is usually performed according to the standard client–server model. However, important security and flexibility limitations, arising from the usage of a predictable access port for such a critical application, prevent a satisfactory trade-off between authentication strength and service availability. We illustrate an alternative solution, based on an additional system placed in between the remote server and its administrator. Our design ensures that the new component's role does not weaken the existing security mechanisms already in place, but it can instead enhance them, and provide a very effective decoupling between a server and its visible management ports
IENA: un approccio aperto e distribuito alla sicurezza e alla service exploitation prevention
La sicurezza informatica è diventata una delle principali tematiche della società dell’informazione, sia dal punto di vista della comunità scientifica, come importante argomento di ricerca, sia da quello degli amministratori di reti e servizi, come occupazione (e preoccupazione) giornaliera. In particolare il crescente diffondersi di servizi distribuiti e di applicazioni web aumenta la necessità di proteggere lo scambio e la conservazione delle informazioni e i sistemi coinvolti in questi processi, mantenendo alto il livello di sicurezza adottato. Tutto questo viene realizzato tipicamente applicando metodologie basate su politiche chiuse come quelle adottate da sistemi antivirus, da firewall, da sistemi di rilevazione e prevenzione delle intrusioni. Questo articolo presenta uno schema differente, sviluppando un approccio aperto e distribuito nel prevenire abusi dei servizi di rete da parte di utenti non autorizzati. Unito alle odierne tecniche di sicurezza, tale schema garantisce un miglioramento del livello di sicurezza negli ambienti di rete
Sensors for next-generation smart batteries in automotive: A review
Innovation of the battery technology is of paramount importance for the development and widespread of electrification in transport modes. In addition to the ongoing evolution and research on novel and better chemistries, the application of sensors and measurement techniques at the battery cell level could foster the electrification process by introducing novel concepts like the Smart Battery. This work presents the Smart Battery paradigm and reviews the state-of-the-art sensor technologies that can be of interest for its development in automotive
Comment Spam Injection Made Easy
Social networks heavily rely on the concept of
reputation. Some platforms implement formalized systems to
express reputation, for example as a rating, but the concept is
broader and very often the reputation of a user, the perceived
quality of a product, the popularity of a TV show or any
other subject of published information stems from a more
informal collection of comments and recommendations. Thus,
guaranteeing the authenticity of the published data has become
very important, and various systems have been developed to
deal with this problem. However, in this paper we are going to
demonstrate that the most commonly adopted filtering techniques
do not adequately protect the messaging platforms from the
automated injection of comments. The adopted methodology is
quite empirical, but nonetheless it allows to point out not only
the existence of the vulnerability, but also to make some educated
guess about the reasons behind the failure of the tested filters.
In the conclusion, we trace a possible path leading to a more
effective solution
Security Considerations about the Adoption of Web 2.0 Technologies in Sensitive e-Government Processes
In the recent past, the so-called “Web 2.0” became a powerful
tool to enable various eGovernment processes, especially as a
link between political bodies and citizens. Politicians and
managers, seeking to improve participation, embraced this
technology as if it simply were a new, enhanced version of
world wide web, better suited to retrieve information, opinions
and feedbacks from the general public on laws, acts and policies.
This approach was often naive, neglecting the less-obvious
aspects of the technology, and thus bringing on significant
security problems. This paper takes the decision making process
as an example to show how, in the end, the result could easily be
the opposite of what was desired. Malicious attackers, in fact,
could quite easily exploit the vulnerabilities in these systems to
hijack the process and lead to wrong decisions, also causing the
public to lose trust in the systems themselve
- …
