Summary
My current research interests focus on methods and tools for reliable and secure software systems and applications. My work lies at the intersection of software engineering, security, and formal techniques. Currently, I am working on automated analysis of configuration vulnerabilities, web/browser security, and secure software development processes.
In the past, I have worked on a number of research projects, such as secure electronic voting systems, procedural security analysis, and software engineering for development (ICTD). I am still interested in these topics, and occasionally I (would like to) collaborate in one of these directions.
I maintain a full list of my publications. You can also view my publication record on Google Scholar, DBLP, or my FBK page.
Automated Analysis of Configuration Vulnerabilities in Web Applications
Misconfiguration can happen at any level of an application stack, including the underlying platform, web server, database server, framework, and business logic code. We noted that the default security configurations of most server package environments in which web applications are deployed are usually relaxed to give developers and deployers flexibility, and hence are not reasonably secure once the environment is used for real production. This is further aggravated by the fact that a single (and possibly insecure) environment is often used for hosting multiple web applications in a shared hosting context (e.g., a shared web server). An insecure configuration instance may also be duplicated, propagating the risk.
Assisting web application developers and administrators in auditing security configuration and fixing configuration deficiencies, so that the application and its environment are ready for deployment with a reasonable security posture, fits into the multi-layer approach to defending web applications against attacks. However, there is a lack of available tools that automatically audit, fix and rate security configuration risks for the web server environments on which web applications are tested and then deployed. To address these issues, we present a novel approach that supplements existing web vulnerability analysis techniques by thoroughly analyzing the web application directory hierarchy and application source code to automatically detect, quantify, and fix configuration vulnerabilities in web applications before deployment. A standard metric based on the NIST Common Configuration Scoring System (CCSS) is adapted to quantify the severity of configuration vulnerabilities, from which finer-grained vulnerability reports are generated.
Web Security
Static analysis and dynamic analysis techniques have shown their effectiveness in providing defense against a broad class of malicious programs. Unfortunately, the major assumption behind static analysis is that the statistical distribution of URL tokens and host details of malicious URLs differs from that of benign ones. The feature values of URL lexical structure and host identity are encoded to train machine learning classifiers, with which unknown web pages are then classified. Dynamic analysis approaches, in turn, are resource intensive as they need to load and execute the page under analysis; modern web pages are usually stuffed with rich client-side code and content, which lengthens analysis time.
More importantly, applying static and dynamic analysis approaches in a complementary fashion still captures only a partial snapshot of a malicious web page. We addressed these issues by developing a holistic and lightweight solution that leverages a combination of static analysis and minimalistic emulation to characterize web pages, together with supervised learning techniques. We extended this work with an evolution-aware, learning-based approach that takes into account the inevitable evolution of web page artifacts to more precisely analyze and detect malicious web pages.
Browser Security
Web browser extensions add extra features on top of the standard functionalities of a browser. These added features can augment facilities already present in the browser (e.g., enhance the bookmarking facility) or provide entirely new functionalities (e.g., blocking unwanted advertisements). Browsers also provide powerful APIs that can access highly privileged browser components to facilitate the development of feature-rich extensions. The ability to customize browsers with a wide range of useful features has made extensions extremely popular among users. An extension can contain vulnerabilities which can be exploited by an attentive attacker to gain unauthorized access to sensitive information and even execute arbitrary code on the user's computer. Moreover, browser vendors let developers create extensions using standard web technologies (e.g., HTML, XML, JavaScript and CSS). Thus, an attacker needs nothing more than a rudimentary knowledge of these technologies to exploit an extension vulnerability.
We developed a model-based approach to detect vulnerable and malicious browser extensions by widening and complementing existing techniques. We also developed a runtime protection mechanism based on a code randomization technique coupled with static analysis to protect browser extensions from JavaScript injection attacks. The protection is enforced at runtime by distinguishing malicious code from the randomized extension code. We implemented our protection mechanism for the Mozilla Firefox browser and evaluated it on a set of vulnerable and non-vulnerable Firefox extensions. The evaluation results indicate that our approach can be a viable solution for preventing attacks on JavaScript-based browser extensions. In designing and implementing our approach, we were also able to reduce false positives and achieve maximum backward compatibility with existing extensions, relieving developers of the burden of rewriting their extensions.
Improving Software Quality
We believe that the quality and security of a software system can be achieved if a good development process is appropriately devised and used. Secure software development allows development teams to incorporate security planning from the very beginning of the development lifecycle. The use of prior development knowledge, such as the knowledge contained in defect data, can help the adoption of a secure development process for effective quality assurance. A concise view of a software profile, its development process, and their relationships can be systematically extracted and analyzed to deduce adequate corrective measures based on previously discovered weaknesses. On top of the orthogonal defect classification scheme, we built a structured security-specific defect classification scheme. We perform a detailed analysis of the classified data and obtain in-process feedback so that the next version of the software can be more secure and reliable. We evaluated our methodology on open-source projects (e.g., Mozilla Firefox and Chrome). We found that in-process feedback can help development teams take corrective actions as early as possible. We also studied the correlations between software defect types and the software development lifecycle to understand development improvement. We plan to continue this research in order to understand the relation between dependencies and defects in rapid software development (e.g., scrum, agile) environments.
Secure Electronic Voting Systems
E-voting is about the behavior of all the voting components (be they electronic, mechanical or human), and so assurance of electronic elections requires investigating all these aspects in an integrated way. It brings to the polling station several advantages, such as improved turnout, accessibility for impaired people, and improved accuracy and speed. E-voting systems must be so designed and operated as to ensure the reliability and security of the voting process. However, the adoption of e-voting systems in various countries has been slow and/or a cause of debates and controversies. One of the reasons is the poor design and implementation of (some of) the systems currently deployed for elections in several countries, as different studies have reported and demonstrated. These studies have also revealed that such systems show serious flaws in their requirements specifications, design, and implementation. Such weaknesses expose the system, and consequently elections, to various threats and attacks, ranging from denial of service to alteration of the final results.
The correct specification and development of an e-voting system can be achieved by an integrated analysis of the voting scenarios and by a clear allocation of requirements to the different components of an election system. In other words, the fairness and security of electronic elections depend upon a careful allocation of requirements to the procedures and to the systems used. In fact, the correct behavior of the electronic systems can be guaranteed only when they are used according to their operating specifications, and this has to be guaranteed by the procedures and the people responsible for executing them. The application of formal methods would greatly help to better address problems of assurance against requirements and standards. More specifically, it would help to thoroughly specify and analyze the underlying assumptions and security-specific properties, and it would improve the trustworthiness of the final systems. With respect to this, our research investigated how formal techniques can be applied to analyze the security and integrity of e-voting systems.
More information and related publications can be found here.
Procedural Security Analysis
Deploying a system in a safe and secure manner requires ensuring technical and procedural levels of assurance, also with respect to social and regulatory frameworks. This is because threats and attacks may derive not only from pitfalls in complex security-critical systems, but also from ill-designed procedures. However, existing methodologies are not mature enough to embrace procedural implications and the need for a multidisciplinary approach to the safe and secure operation of systems.
This research presented a systematic approach for analyzing, from the point of view of security, the processes and critical assets that hold sensitive information. Our goal was to understand how the switch to a new technology changes risks, with the ultimate goal of defining the laws and procedures regulating system processes so that they guarantee a higher level of security. We introduced what we called procedural security and devised a repeatable methodology to perform the analysis.
Performing such analysis has the following two benefits:
- First, it helps to identify the security boundaries, that is, the conditions under which procedures can be carried out securely. More specifically, using the facilities of formal analysis tools, it is possible to understand the hypotheses and conditions under which a given security goal is achieved or breached.
- Secondly, it helps to devise a set of requirements, to be applied both at the organizational level and on the (software) systems used, to make systems and system processes secure. This can be achieved by analyzing the counterexamples generated by the NuSMV analysis tool, since counterexamples provide the information needed to modify the existing procedures so that security breaches are taken care of.
More information and related publications can be found here.
Software Engineering for Development (ICTD)
ICT for development (ICTD or ICT4D) attempts to use ICTs to address the needs of developing regions and marginalized communities, the so-called Bottom Billion. By definition, ICTD is multidisciplinary, as it brings together competences from technical (e.g., engineering, computer science) and non-technical (e.g., social sciences, development studies) disciplines to address the numerous challenges of using ICTs where resources are scarce and most of the population is illiterate. Among the noticeable ICTD domains, access to agricultural information services is vital to improve the livelihood of farmers in developing countries. There are several requirements for these services, most of which stem from the nature and livelihood of the involved stakeholders. Though various systems have been put to use so far, most failed to integrate these stakeholders in their requirements elicitation and design strategies. In this research, we combined the views of goal-oriented requirements engineering and an ICTD-based design space to understand, analyze and design agricultural information services in developing countries. The goal-oriented approach provided an exhaustive view of the domain, from specific design ideas to abstract requirements. The approach allowed us to consider alternatives when developing novel services and to balance the impact that each design space can have on the functional requirements of the system-to-be.
Projects
Maputo Living Lab aims at establishing a set of five actions related to strengthening the scientific and technological collaboration between Trentino, Italy and Mozambique. Such actions include support for building the physical and technological infrastructure of the Maputo Living Lab and the definition and development of common research and innovation projects, including the definition of support actions to favour the participation of SMMEs in the Living Lab.
Bring The Food, an infrastructure, platform and marketplace to fight food waste.