How Inadequate Specification, Buggy Implementation, and Deficient Platform-Support Hinder Security

Author:
Omar Chowdhury

University of Iowa, Iowa City, IA, USA

University of Iowa, Iowa City, IA, USA
View Profile

SACMAT '18: Proceedings of the 23nd ACM on Symposium on Access Control Models and TechnologiesJune 2018Pages 221https://doi.org/10.1145/3205977.3206002

Published:07 June 2018Publication History

SACMAT '18: Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies

Pages 221

ABSTRACT

Developing a secure system (or, protocol) in general boils down to having a correct and robust specification which developers faithfully implement with the available platform support. Vulnerabilities can thus crop up due to inadequate specification, buggy implementations, or the lack of appropriate security constructs in the platform. In this talk, I will present examples of insecurity due to inadequate specification, wrong implementations, and deficient platform support. I will particularly focus on how automated reasoning and formal verification techniques can greatly contribute towards detecting vulnerabilities. In the first example, I will show how 4G LTE telecommunication protocol specification lacks security considerations which can be exploited by adversaries to have catastrophic impacts. Next, I will present how incorrect X.509 certificate validation implementations in open-source SSL/TLS libraries leave users prone to impersonation attacks. Finally, I will conclude my talk with a discussion of how lack of hardware support makes enforcing Digital Rights Management (DRM) policies infeasible for mobile devices.

References

S. Y. Chau, O. Chowdhury, E. Hoque, H. Ge, A. Kate, C. Nita-Rotaru, and N. Li. 2017. SymCerts: Practical Symbolic Execution for Exposing Noncompliance in X.509 Certificate Validation Implementations. In 2017 IEEE Symposium on Security and Privacy (SP). 503--520.Google Scholar
Syed Rafiul Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino. 2018. LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE 2018 Network and Distributed System Security Symposium (NDSS).Google Scholar

Index Terms

How Inadequate Specification, Buggy Implementation, and Deficient Platform-Support Hinder Security
1. Security and privacy

Recommendations

Network (In)security: Leniency in Protocols' Design, Code and Configuration
SACMAT '22: Proceedings of the 27th ACM on Symposium on Access Control Models and Technologies

Protocols are one of the founding pillars of network communication. Given their importance, protocols have received great attention not only from the research community but also from adversaries. Protocols, particularly their implementations, have been ...
Read More
Design and Implementation of a Tool for Specifying Specification in SOFL
Revised Selected Papers of the Second International Workshop on Structured Object-Oriented Formal Language and Method - Volume 7787

Structure Object-oriented Formal Language SOFL is not just a formal language for writing formal specification. It is also an approach and a methodology. SOFL provides a three-step approach for modelling a software system using formal specification. ...
Read More
Display-only file server: a solution against information theft due to insider attack
DRM '04: Proceedings of the 4th ACM workshop on Digital rights management

Insider attack is one of the most serious cybersecurity threats to corporate America. Among all insider threats, information theft is considered the most damaging in terms of potential financial loss. Moreover, it is also especially difficult to detect ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SACMAT '18: Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies
June 2018
271 pages
ISBN:9781450356664
DOI:10.1145/3205977
General Chair:
Elisa Bertino
Purdue University, USA
,
Program Chairs:
Dan Lin
Missouri University of Science and Technology, USA
,
Jorge Lobo
Universitat Pompeu Fabra, Spain
Copyright © 2018 Owner/Author
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 7 June 2018
Check for updates
Author Tags
4G LTE
X.509 public-key infrastructure
digital rights management
implementation bugs
inadequate platform constructs
inconsistent specification
Qualifiers
- invited-talk
Conference

Acceptance Rates
SACMAT '18 Paper Acceptance Rate14of50submissions,28%Overall Acceptance Rate177of597submissions,30%
More
Upcoming Conference
SACMAT 2024

Sponsor:

sigsac

The 29th ACM Symposium on Access Control Models and Technologies

May 15 - 17, 2024

San Antonio , TX , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 0
  Total Citations
  View Citations
- 144
  Total Downloads
- Downloads (Last 12 months)23
- Downloads (Last 6 weeks)0
Other Metrics
View Author Metrics
Cited By
This publication has not been cited yet

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

How Inadequate Specification, Buggy Implementation, and Deficient Platform-Support Hinder Security

SACMAT '18: Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies

ABSTRACT

References

Cited By

Index Terms

Recommendations

Network (In)security: Leniency in Protocols' Design, Code and Configuration

Design and Implementation of a Tool for Specifying Specification in SOFL

Display-only file server: a solution against information theft due to insider attack