Analyzing Communications and Software Systems Security
School of Science | Doctoral thesis (article-based) | Defence date: 2023-08-28
Electronic archive copy is available via Aalto Thesis Database.
Unless otherwise stated, all rights belong to the author. You may download, display and print this publication for your own personal use. Commercial use is prohibited.
Language: en
Pages: 84 + app. 118
Series: Aalto University publication series DOCTORAL THESES, 107/2023
Abstract
We rely on various communications and software systems where security is critical. Many of these systems have transformed drastically over time with the addition of new features and technologies to accommodate our increasing needs. Unfortunately, such a transformation can introduce new security threats and weaknesses. This dissertation studies security threats and weaknesses in systems that continue to evolve with legacy and modern software components and paradigms.
In this dissertation, we study four different types of information systems: desktop, mobile communications, cloud, and hardware. Our analysis mainly involved building attacks to exploit the vulnerabilities to demonstrate the practicality of our research findings. We uncovered various security issues in each of the systems analyzed. Also, we present various defense and mitigation solutions to address the security issues we found. We discussed our research findings with a wide range of audiences through peer-reviewed publications, responsible disclosure efforts, and by giving talks at various conferences.
The summary of the results is as follows. First, we found insecure use of local communication channels in desktop applications. Second, we discovered several security issues in commercial VPN clients that a network adversary can exploit. Third, we studied mobile communication systems and uncovered security weaknesses of signaling protocols. Also, we present a conceptual framework to model the threats and attacks to mobile networks. Fourth, we demonstrate how adversaries can conduct cross-site scripting attacks by exploiting third-party add-ons of cloud application suites. Finally, we also conduct a human factor analysis to identify usability and security pitfalls faced by software developers when using trusted platform module library APIs. In summary, the contributions of this dissertation include a novel adversary model to study local communication inside a computer, a conceptual framework to study mobile communication systems, the discovery of several new types of security vulnerabilities, and insights into developers' struggles while using security technologies.
Supervising professor: Aura, Tuomas, Prof., Aalto University, Department of Computer Science, Finland
Parts
- [Publication 1]: Thanh Bui, Siddharth Prakash Rao, Markku Antikainen, Viswanathan Manihatty Bojan, and Tuomas Aura. Man-in-the-Machine: Exploiting Ill-Secured Communication Inside the Computer. In 27th USENIX Security Symposium (USENIX Security 18), pp. 1511-1525. Baltimore, Maryland, USA, August 2018.
Full text in Acris/Aaltodoc: http://urn.fi/URN:NBN:fi:aalto-201901301452
- [Publication 2]: Thanh Bui, Siddharth Prakash Rao, Markku Antikainen, and Tuomas Aura. Pitfalls of Open Architecture: How Friends Can Exploit Your Cryptocurrency Wallet. In Proceedings of the 12th European Workshop on Systems Security (EuroSec ’19), pp. 1-6. Dresden, Germany, March 2019.
DOI: 10.1145/3301417.3312495
- [Publication 3]: Thanh Bui, Siddharth Prakash Rao, Markku Antikainen, and Tuomas Aura. Client-Side Vulnerabilities in Commercial VPNs. In The 24th Nordic Conference on Secure IT Systems (NordSec 2019), LNCS vol. 11875, pp. 103-119. Aalborg, Denmark, November 2019.
- [Publication 4]: Siddharth Prakash Rao, Silke Holtmanns, Ian Oliver, and Tuomas Aura. Unblocking Stolen Mobile Devices Using SS7-MAP Vulnerabilities: Exploiting the Relationship between IMEI and IMSI for EIR Access. In Proceedings of 14th IEEE International Conference On Trust, Security And Privacy In Computing And Communications (TrustCom), vol. 1, pp. 1171-1176. Helsinki, Finland, July 2015.
DOI: 10.1109/Trustcom.2015.500
- [Publication 5]: Silke Holtmanns, Siddharth Prakash Rao, and Ian Oliver. User Location Tracking Attacks for LTE Networks Using the Interworking Functionality. In 2016 IFIP Networking Conference (IFIP Networking) and Workshops, pp. 315-322. Vienna, Austria, May 2016.
DOI: 10.1109/IFIPNetworking.2016.7497239
- [Publication 6]: Siddharth Prakash Rao, Hsin-Yi Chen, and Tuomas Aura. Threat Modeling Framework for Mobile Communication Systems. Elsevier Computers & Security, December 2022.
Full text in Acris/Aaltodoc: http://urn.fi/URN:NBN:fi:aalto-202301181179
DOI: 10.1016/j.cose.2022.103047
- [Publication 7]: Thanh Bui, Siddharth Prakash Rao, Markku Antikainen, and Tuomas Aura. XSS Vulnerabilities in Cloud-Application Add-Ons. In The 15th ACM ASIA Conference on Computer and Communications Security (ASIACCS 2020), Taipei, Taiwan, October 2020.
Full text in Acris/Aaltodoc: http://urn.fi/URN:NBN:fi:aalto-202205103049
DOI: 10.1145/3320269.3384744
- [Publication 8]: Siddharth Prakash Rao, Gabriela Limonta, and Janne Lindqvist. Usability and Security of Trusted Platform Module (TPM) Library APIs. In Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022), pp. 213-232. Boston, Massachusetts, USA, August 2022.
Full text in Acris/Aaltodoc: http://urn.fi/URN:NBN:fi:aalto-202302011898