REU students will conduct research in broad areas of information assurance and security, such as access control, applied cryptography, computer forensics, data privacy, malware analysis, network security, risk management, secure software development, security protocols, security testing, security verification, system security, and web security.
We are currently establishing a real online banking system that supports Internet and mobile banking. This system will be used in our projects.
The following are SAMPLE research projects.
Project 1: Threat Modeling and Verification
- Research Area: Secure Software Development
- Mentor: Dr. Dianxiang Xu
Software design flaws have been a major source of cyber security problems. They result from decisions made during the software design phase. For example, around 50% of the security vulnerabilities uncovered during Microsoft's "security push" in 2002 were closely related to design-level problems. In 2008, Falk et al. found that 76% of the websites of 214 financial institutions suffered from design flaws. These flaws promote insecure user behavior, such as breaks in the chain of trust, presenting secure login options on insecure pages, and e-mailing sensitive information insecurely.
Threat modeling has become a widely adopted approach to the design of secure software. As Howard and LeBlanc argued, "You cannot build a secure system until you understand your threats." Threat modeling is the process of producing a simplified, abstract description of security threats, i.e., how an adversary would carry out potential attacks. In Microsoft's threat modeling approach, for example, we decompose a software application with Data Flow Diagrams (DFDs), identify security threats, specify them with attack trees, rank the threats, and choose mitigation techniques to reduce security risks. However, there are two major problems. First, how can we assure that the security threats are correctly identified and modeled with respect to the system functions? Without correct threat models, it is difficult to mitigate the threats effectively. Second, how can we assure that the secure design indeed prevents the security threats? Is it possible that the threats will still occur after the mitigations are applied? Existing threat modeling techniques are as yet unable to provide effective solutions.
To address the above problems, students can explore innovative and original methods for verifying the absence (or existence) of security threats in secure (or insecure) designs and for checking security requirements against the security design. They can develop rigorous techniques to capture system functions and security threats. For example, high-level Petri nets are a well-studied formal method for modeling and verifying distributed systems. High-level Petri nets can be used to model system functions, security threats, and threat mitigations. This unified approach makes it feasible to check a threat model for correctness: verifying a threat model against a functional model means checking whether each attack path is reachable. Such rigorous verification can make software provably secure against anticipated security threats and thus significantly reduce design flaws. In this research, students may also build rigorous patterns of threat models that can be reused in different applications (e.g., online banking).
Project 2: Software Security Testing
- Research Area: Security Testing
- Mentors: Drs. Dianxiang Xu and Joshua Pauli
Although secure design is critical to the success of secure software, it does not guarantee security, because security policies and mechanisms may not be implemented correctly for various reasons, such as programming errors, omissions, and misunderstanding of the design. There is a crucial need to verify whether or not the implementation of a secure application conforms to its secure design. A good method for secure design should facilitate testing the target implementation. Testing for security, however, is difficult because security attacks typically result from unintended behaviors or invalid inputs. Given the complexity of the input space and program structure, it is hard, if possible at all, to test a program against all invalid inputs. Manual and ad hoc testing for security would be a daunting task. It is of paramount importance to automate or partially automate security testing.
This research aims to develop novel techniques for the automated generation of security test code from models. The generated test code together with the system under test forms an executable system: the tests can be launched to exercise the system under test and determine whether they pass or fail by comparing the runtime system states with the expected results. If any of the security tests fails, then the system has not correctly enforced the security features.
In this research, there are several important research issues that REU students may choose to address. First, how can we automatically generate complete security tests from a threat model to check whether or not the system under test is still subject to the threat? Second, how can we automatically generate security tests from a security design to check whether or not the system under test has implemented the security features correctly? Here, a security design refers to the functional design together with threat mitigations (i.e., security features). Third, how can we execute the security tests generated from a threat model or a security model against the system under test? Note that a design-level threat model or security model is in general implementation-independent, because it has no knowledge of how the actions in the model are realized in the implementation, what the concrete values of the actions' parameters are, and how the expected results correspond to runtime system states.
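The following is an added example (not code from the REU program or its mentors) that demonstrates both Project 1 and Project 2 on one small model: a 1-safe Petri net of the online banking login composed with the "login on an insecure page" threat from Project 1, a reachability check that decides whether the threat place can be marked before and after the TLS mitigation, and, where it is reachable, the firing sequence returned as the abstract security test of Project 2. All place and transition names, and the model itself, are assumptions made for this example.

```python
from collections import deque

# A 1-safe high-level Petri net: transition -> (input places, output places).
# A marking is the frozenset of places that currently hold a token.

def reachable(net, initial, target):
    """Breadth-first search over markings. Returns (firing sequence, marking)
    for the first marking that puts a token in `target`, or (None, None)."""
    start = frozenset(initial)
    queue, seen = deque([(start, [])]), {start}
    while queue:
        marking, path = queue.popleft()
        if target in marking:
            return path, marking
        for name, (ins, outs) in net.items():
            if ins <= marking:                  # every input place is marked
                nxt = (marking - ins) | outs    # fire the transition
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [name]))
    return None, None

def login_model(login_over_tls):
    """Functional model of the banking login composed with one threat from the
    text: an on-path adversary reads credentials submitted on an insecure page.
    Place and transition names are constructed for this example."""
    channel = "channel_tls" if login_over_tls else "channel_plain"
    return {
        "open_login":   ({"user_at_home"}, {"login_form_shown", channel}),
        "submit_creds": ({"login_form_shown"}, {"creds_submitted"}),
        "authenticate": ({"creds_submitted"}, {"session_open"}),
        # Threat transition: enabled only while the channel is plaintext.
        "sniff_creds":  ({"creds_submitted", "channel_plain", "adversary_on_path"},
                         {"creds_submitted", "channel_plain", "adversary_on_path",
                          "creds_exposed"}),
    }

INITIAL = {"user_at_home", "adversary_on_path"}
THREAT = "creds_exposed"

def verify_design(login_over_tls):
    """Project 1: the design is free of this threat iff the threat place is
    unreachable. Project 2: when it is reachable, the firing sequence is the
    abstract security test (actions to drive the SUT plus the expected state)."""
    path, marking = reachable(login_model(login_over_tls), INITIAL, THREAT)
    if path is None:
        return {"threat_reachable": False, "test": None}
    return {"threat_reachable": True,
            "test": {"steps": path, "expected_state": sorted(marking)}}
```

Calling `verify_design(False)` yields the attack path `open_login, submit_creds, sniff_creds`, while `verify_design(True)` reports the threat unreachable; each step name in the returned test still has to be mapped to a concrete action and each expected place to a runtime state of the system under test, which is exactly the third issue Project 2 raises.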
Project 3: Towards a Tool-Driven Penetration Testing Standard for Web Applications
- Research Area: Penetration Testing, Web Security
- Mentor: Dr. Joshua Pauli
Attacks on web applications continue to increase in frequency, in complexity, and in the damage they cause. Even with the knowledge that these attacks are increasing, the inherent vulnerabilities of all web application technologies still plague all industries. There is a myriad of present-day vulnerabilities in web servers, source code, third-party add-ons, scripts, and trust in user input. The impact of these attacks is especially high because of the amount and sensitivity of the personal data that these web applications access and modify.
This project will focus on the following areas of a web application penetration test.
- Mapping the application for content and functionality by leveraging web spidering, brute-force analysis techniques, and server-side technology identification.
- Bypassing client-side technologies including hidden form fields, HTTP cookies, URL parameters, HTTP headers, and script-based validation.
- Attacking authentication measures by exposing design flaws and implementation flaws of commonly used mechanisms including brute-force password guessing, verbose messaging, and password change functionality.
- Attacking session management by exploiting weak session token generation, handling, and termination by leveraging token hijacking.
- Injecting code in the web application including SQL commands to bypass logins, escalate privileges, and bypass input filters.
- Exploiting path traversal vulnerabilities to access system files not intended to be accessed.
- Attacking legitimate users via cross-site scripting (XSS) vulnerabilities, HTTP header injection, and cross-site request forgery (CSRF).
Project 4: External/Internal Attack Evidence Modeling and Reconstruction in a Simulated Online Business Information System
- Research Area: Computer Forensics, Network Security, System Security
- Mentor: Dr. Michael Tu
Developing digital forensic readiness for online business is urgent in order to support potential digital forensics investigation or auditing and thereby deter intrusion and fraud. To ensure evidence availability for forensic readiness, we will first develop threat models for the online business information system using attack trees, and then map the threat models to augmented attack trees or attack graphs. The modeled attacks are then conducted against a simulated online business information system. A forensics investigation will be conducted; evidence will be collected, identified, and mapped to an evidence tree or graph, which can provide guidance for forensic evidence logging, forensic investigation, and auditing of both external and internal attacks or frauds.
1. Design and implement the simulated online business information system
2. Determine the vulnerabilities of the information system
3. Identify the threats
4. Model two external attacks and two internal attacks
5. Conduct the four attacks against the system
6. Conduct a forensics investigation of each of the four attacks
7. Locate, identify, and order the evidence
8. Build an evidence tree/graph for each of the four attacks
9. Reconstruct the attacks based on the evidence discovered and then justify the reconstruction.
Project 5: Internal Attack Evidence Modeling in a Cloud Environment
- Research Area: Computer Forensics, Network Security, System Security
- Mentor: Dr. Michael Tu
With more and more companies and organizations diving into the cloud world, we can expect to witness a large number of exploitations against clouds, and it is likely that the creation, storage, processing and distribution of illicit material, as well as fraud and identity theft, will present major legal issues. To minimize financial loss and to comply with laws and regulations, clouds and hosted services must be prepared for the investigation of unforeseen security incidents. The problem is that we lack genuine methodologies suitable for digital forensics investigation in the cloud.
In this research project, we will investigate a new approach to improve the understanding of the fingerprints that external/internal attacks and frauds leave in the cloud. We will develop a systematic approach to identify what evidence is needed to reconstruct attacks, where to locate that evidence in the cloud, and which party (the cloud provider, service providers, or end users) should be responsible for logging the needed evidence. An evidence model, sensitive fingerprint(s), and a fingerprint-based signature will be derived for each attack studied.
1. Design and implement the simulated cloud environment
2. Determine the vulnerabilities of the cloud and identify the threats
3. Model an external attack and an internal attack
4. Conduct the two attacks against the cloud
5. Conduct a forensics investigation of each of the two attacks
6. Locate, identify, and order the evidence, and determine which party should be responsible for logging it
7. Build an evidence tree/graph for each of the two attacks, with appropriate metadata
8. Reconstruct the attacks based on the evidence discovered and then justify the reconstruction.
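The following is an added example (not code from the REU program or its mentors) covering steps 6 through 8 of Projects 4 and 5: it attaches time-ordered evidence items to the leaf steps of one modeled attack, builds the evidence tree with the party responsible for each source, reports steps that have no evidence as logging gaps, and checks that the observed order of steps agrees with the modeled order before the reconstruction is accepted. The attack steps, log sources, parties and evidence items are all constructed for this example.

```python
from datetime import datetime

# Attack tree for one modeled attack, flattened to its ordered leaf steps. Each
# step names where its evidence should appear and which party must log it
# (Project 5's question). Step names, sources and parties are constructed.
ATTACK_STEPS = [
    {"step": "login_bruteforce", "source": "web_access_log",  "logged_by": "service_provider"},
    {"step": "privilege_change", "source": "db_audit_log",    "logged_by": "service_provider"},
    {"step": "data_export",      "source": "cloud_audit_log", "logged_by": "cloud_provider"},
]

# Constructed evidence items collected from the simulated system, deliberately
# out of order and with no item for the final step.
EVIDENCE = [
    {"ts": "2024-01-05T10:07:30Z", "source": "db_audit_log",
     "step": "privilege_change", "detail": "role of user u42 changed to admin"},
    {"ts": "2024-01-05T10:02:11Z", "source": "web_access_log",
     "step": "login_bruteforce", "detail": "57 POST /login for u42 from 203.0.113.9 in 60s"},
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def build_evidence_tree(steps, evidence):
    """Attach each evidence item (time-ordered) to the attack-tree step it
    supports; steps left without evidence are logging gaps, reported with the
    party responsible for closing them."""
    tree = {s["step"]: {"source": s["source"], "logged_by": s["logged_by"],
                        "evidence": []} for s in steps}
    for item in sorted(evidence, key=lambda e: parse_ts(e["ts"])):
        if item["step"] in tree:
            tree[item["step"]]["evidence"].append(item)
    gaps = [(name, node["logged_by"], node["source"])
            for name, node in tree.items() if not node["evidence"]]
    return tree, gaps

def reconstruct(steps, evidence):
    """Rebuild the attack timeline from the evidence tree and check that the
    observed order of steps agrees with the modeled order, which is what
    justifies the reconstruction."""
    tree, gaps = build_evidence_tree(steps, evidence)
    timeline = [(e["ts"], name) for name, node in tree.items()
                for e in node["evidence"]]
    timeline.sort(key=lambda t: parse_ts(t[0]))
    observed = [name for _, name in timeline]
    modeled = [s["step"] for s in steps if s["step"] in observed]
    return {"timeline": timeline, "gaps": gaps,
            "order_consistent": observed == modeled}
```

On the constructed input, `reconstruct(ATTACK_STEPS, EVIDENCE)` orders the two evidence items correctly and flags `data_export` as a gap that the cloud provider's audit log must cover before the attack can be fully reconstructed.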