Results 1-16 of 16.
((uid:50034478))

Bookmark and Share    
Full Text
Peer Reviewed
See detailConFuzzius: A Data Dependency-Aware Hybrid Fuzzer for Smart Contracts
Ferreira Torres, Christof UL; Iannillo, Antonio Ken UL; Gervais, Arthur et al

in European Symposium on Security and Privacy, Vienna 7-11 September 2021 (2021, September)

Smart contracts are Turing-complete programs that are executed across a blockchain. Unlike traditional programs, once deployed, they cannot be modified. As smart contracts carry more value, they become ... [more ▼]

Smart contracts are Turing-complete programs that are executed across a blockchain. Unlike traditional programs, once deployed, they cannot be modified. As smart contracts carry more value, they become more of an exciting target for attackers. Over the last years, they suffered from exploits costing millions of dollars due to simple programming mistakes. As a result, a variety of tools for detecting bugs have been proposed. Most of these tools rely on symbolic execution, which may yield false positives due to over-approximation. Recently, many fuzzers have been proposed to detect bugs in smart contracts. However, these tend to be more effective in finding shallow bugs and less effective in finding bugs that lie deep in the execution, therefore achieving low code coverage and many false negatives. An alternative that has proven to achieve good results in traditional programs is hybrid fuzzing, a combination of symbolic execution and fuzzing. In this work, we study hybrid fuzzing on smart contracts and present ConFuzzius, the first hybrid fuzzer for smart contracts. ConFuzzius uses evolutionary fuzzing to exercise shallow parts of a smart contract and constraint solving to generate inputs that satisfy complex conditions that prevent evolutionary fuzzing from exploring deeper parts. Moreover, ConFuzzius leverages dynamic data dependency analysis to efficiently generate sequences of transactions that are more likely to result in contract states in which bugs may be hidden. We evaluate the effectiveness of ConFuzzius by comparing it with state-of-the-art symbolic execution tools and fuzzers for smart contracts. Our evaluation on a curated dataset of 128 contracts and a dataset of 21K real-world contracts shows that our hybrid approach detects more bugs than state-of-the-art tools (up to 23%) and that it outperforms existing tools in terms of code coverage (up to 69%). We also demonstrate that data dependency analysis can boost bug detection up to 18%. [less ▲]

Detailed reference viewed: 236 (23 UL)
Full Text
Peer Reviewed
See detailThe Eye of Horus: Spotting and Analyzing Attacks on Ethereum Smart Contracts
Ferreira Torres, Christof UL; Iannillo, Antonio Ken UL; Gervais, Arthur et al

in International Conference on Financial Cryptography and Data Security, Grenada 1-5 March 2021 (2021)

Detailed reference viewed: 120 (13 UL)
Full Text
Peer Reviewed
See detailLeveraging eBPF to preserve user privacy for DNS, DoT, and DoH queries
Rivera, Sean UL; Gurbani, Vijay; Lagraa, Sofiane UL et al

in Proceedings of the 15th International Conference on Availability, Reliability and Security (2020, August)

The Domain Name System (DNS), a fundamental protocol that controls how users interact with the Internet, inadequately provides protection for user privacy. Recently, there have been advancements in the ... [more ▼]

The Domain Name System (DNS), a fundamental protocol that controls how users interact with the Internet, inadequately provides protection for user privacy. Recently, there have been advancements in the field of DNS privacy and security in the form of the DNS over TLS (DoT) and DNS over HTTPS (DoH) protocols. The advent of these protocols and recent advancements in large-scale data processing have drastically altered the threat model for DNS privacy. Users can no longer rely on traditional methods, and must instead take active steps to ensure their privacy. In this paper, we demonstrate how the extended Berkeley Packet Filter (eBPF) can assist users in maintaining their privacy by leveraging eBPF to provide privacy across standard DNS, DoH, and DoT communications. Further, we develop a method that allows users to enforce application-specific DNS servers. Our method provides users with control over their DNS network traffic and privacy without requiring changes to their applications while adding low overhead. [less ▲]

Detailed reference viewed: 112 (5 UL)
Full Text
Peer Reviewed
See detailA comprehensive study on software aging across android versions and vendors
Iannillo, Antonio Ken UL; Cotroneo, Domenico; Natella, Roberto et al

in Empirical Software Engineering (2020)

Detailed reference viewed: 93 (2 UL)
Full Text
Peer Reviewed
See detailDependability Assessment of the Android OS Through Fault Injection
Iannillo, Antonio Ken UL; Cotroneo, Domenico; Natella, Roberto et al

in IEEE Transaction on Reliability (2019)

The reliability of mobile devices is a challenge for vendors since the mobile software stack has significantly grown in complexity. In this article, we study how to assess the impact of faults on the ... [more ▼]

The reliability of mobile devices is a challenge for vendors since the mobile software stack has significantly grown in complexity. In this article, we study how to assess the impact of faults on the quality of user experience in the Android mobile OS through fault injection. We first address the problem of identifying a realistic fault model for the Android OS, by providing developers a set of lightweight and systematic guidelines for fault modeling. Then, we present an extensible fault injection tool (AndroFIT) to apply such fault model on actual, commercial Android devices. Finally, we present a large fault injection experimentation on three Android products from major vendors and point out several reliability issues and opportunities for improving the Android OS. [less ▲]

Detailed reference viewed: 160 (4 UL)
Full Text
Peer Reviewed
See detailAuto-encoding Robot State against Sensor Spoofing Attacks
Rivera, Sean UL; Lagraa, Sofiane UL; Iannillo, Antonio Ken UL et al

in International Symposium on Software Reliability Engineering (2019, October)

In robotic systems, the physical world is highly coupled with cyberspace. New threats affect cyber-physical systems as they rely on several sensors to perform critical operations. The most sensitive ... [more ▼]

In robotic systems, the physical world is highly coupled with cyberspace. New threats affect cyber-physical systems as they rely on several sensors to perform critical operations. The most sensitive targets are their location systems, where spoofing attacks can force robots to behave incorrectly. In this paper, we propose a novel anomaly detection approach for sensor spoofing attacks, based on an auto-encoder architecture. After initial training, the detection algorithm works directly on the compressed data by computing the reconstruction errors. We focus on spoofing attacks on Light Detection and Ranging (LiDAR) systems. We tested our anomaly detection approach against several types of spoofing attacks comparing four different compression rates for the auto-encoder. Our approach has a 99% True Positive rate and a 10% False Negative rate for the 83% compression rate. However, a compression rate of 41% could handle almost all of the same attacks while using half the data. [less ▲]

Detailed reference viewed: 110 (23 UL)
Full Text
Peer Reviewed
See detailEvolutionary Fuzzing of Android OS Vendor System Services
Iannillo, Antonio Ken UL; Natella, Roberto; Cotroneo, Domenico

in Empirical Software Engineering (2019)

Android devices are shipped in several flavors by more than 100 manufacturer partners, which extend the Android “vanilla” OS with new system services and modify the existing ones. These proprietary ... [more ▼]

Android devices are shipped in several flavors by more than 100 manufacturer partners, which extend the Android “vanilla” OS with new system services and modify the existing ones. These proprietary extensions expose Android devices to reliability and security issues. In this paper, we propose a coverage-guided fuzzing platform (Chizpurfle) based on evolutionary algorithms to test proprietary Android system services. A key feature of this platform is the ability to profile coverage on the actual, unmodified Android device, by taking advantage of dynamic binary re-writing techniques. We applied this solution to three high-end commercial Android smartphones. The results confirmed that evolutionary fuzzing is able to test Android OS system services more efficiently than blind fuzzing. Furthermore, we evaluate the impact of different choices for the fitness function and selection algorithm. [less ▲]

Detailed reference viewed: 176 (2 UL)
Full Text
Peer Reviewed
See detailA Proposal for Security Assessment of Trustzone-M based Software
Iannillo, Antonio Ken UL; State, Radu UL

in 2019 IEEE 30th International Symposium on Software Reliability Engineering (ISSRE) (2019)

With the advent of the Internet of Things (IoT) paradigm, computing and networking capabilities are extending to devices that are not considered as computers, enabling them to interact with the physical ... [more ▼]

With the advent of the Internet of Things (IoT) paradigm, computing and networking capabilities are extending to devices that are not considered as computers, enabling them to interact with the physical world or other software entities with minimal or no human input. This fast abstract proposes a methodology for the security assessment of software based on TrustZone-M, the ARM hardware security extension for microcontrollers. The methodology consists of the exploitation of a verification and validation framework to automatically test TrustZone-M based software. [less ▲]

Detailed reference viewed: 202 (15 UL)
Full Text
Peer Reviewed
See detailAnalyzing the Context of Bug-Fixing Changes in the OpenStack Cloud Computing Platform
Cotroneo, Domenico; De Simone, Luigi; Iannillo, Antonio Ken UL et al

in 2019 IEEE 30th International Symposium on Software Reliability Engineering (ISSRE) (2019)

Detailed reference viewed: 209 (2 UL)
Full Text
See detailDependability Assessment of Android OS
Iannillo, Antonio Ken UL

Doctoral thesis (2018)

In this brave new world of smartphone-dependent society, dependability is a strong requirement and needs to be addressed properly. Assessing the dependability of these mobile systems is still an open ... [more ▼]

In this brave new world of smartphone-dependent society, dependability is a strong requirement and needs to be addressed properly. Assessing the dependability of these mobile systems is still an open issue, and companies should have the tools to improve their devices and beat the competition against other vendors. The main objective of this dissertation is to provide the methods to assess the dependability of mobile OS, fundamental for further improvements. Mobile OS are threatened mainly by traditional residual faults (when errors spread across components as failures), aging-related faults (when errors accumulate over time), and misuses by users and applications. This thesis faces these three aspects. First, it presents a qualitative method to define the fault model of a mobile OS, and an exhaustive fault model for Android. I designed and developed AndroFIT, a novel fault injection tool for Android smartphones, and performed an extensive fault injection campaign on three Android devices from different vendors to analyze the impact of component failure on the mobile OS. Second, it presents an experimental methodology to analyze the software aging phenomenon in mobile OS. I performed a software aging analysis campaign on Android devices to identify the impacting factors on performance degradation and resource consumption. Third, it presents the design and implementation of a novel fuzzing tool, namely Chizpurfle, able to automatically test Android vendor customizations by leveraging code coverage information at run-time. [less ▲]

Detailed reference viewed: 232 (2 UL)
Full Text
Peer Reviewed
See detailChizpurfle: A Gray-Box Android Fuzzer for Vendor Service Customizations
Iannillo, Antonio Ken UL; Natella, R.; Cotroneo, D. et al

in 2017 IEEE 28th International Symposium on Software Reliability Engineering (ISSRE) (2017)

Detailed reference viewed: 151 (3 UL)
Full Text
Peer Reviewed
See detailSoftware Aging Analysis of the Android Mobile OS
Cotroneo, D.; Fucci, F.; Iannillo, Antonio Ken UL et al

in 2016 IEEE 27th International Symposium on Software Reliability Engineering (ISSRE) (2016)

Detailed reference viewed: 143 (1 UL)
Full Text
Peer Reviewed
See detailThe software aging and rejuvenation repository: Http://openscience.us/repo/software-aging/
Cotroneo, D.; Iannillo, Antonio Ken UL; Natella, R. et al

in 2015 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW) (2015)

Detailed reference viewed: 109 (0 UL)
Full Text
Peer Reviewed
See detailDependability evaluation and benchmarking of Network Function Virtualization Infrastructures
Cotroneo, D.; De Simone, Luigi; Iannillo, Antonio Ken UL et al

in Proceedings of the 2015 1st IEEE Conference on Network Softwarization (NetSoft) (2015)

Detailed reference viewed: 74 (0 UL)
Full Text
Peer Reviewed
See detailImproving Usability of Fault Injection
Cotroneo, D.; Simone, L. De; Iannillo, Antonio Ken UL et al

in 2014 IEEE International Symposium on Software Reliability Engineering Workshops (2014)

Detailed reference viewed: 85 (1 UL)
Full Text
Peer Reviewed
See detailNetwork Function Virtualization: Challenges and Directions for Reliability Assurance
Cotroneo, D.; Simone, L. De; Iannillo, Antonio Ken UL et al

in 2014 IEEE International Symposium on Software Reliability Engineering Workshops (2014)

Detailed reference viewed: 84 (1 UL)