Vulnerability Detection in Web Browser Heap overflows

profilecybacatx
software_security.pdf
Home>Information Systems homework help>Vulnerability Detection in Web Browser Heap overflows

In this assignment, your task is to review the software security literature to research a type of

software vulnerability of your choice, the associated hacking techniques used to exploit it, and

defensive techniques used to detect and/or mitigate this type of vulnerability.

Tasks

1. Chosen Vulnerability: Pick one software vulnerability that we have not covered in detail in

our lectures or labs as your topic of investigation for this assignment. Example

vulnerabilities include, but not limited to:

tbleed, Shellshock)

-channel leakage (e.g. Timing/Power/EM/Acoustic/Cross-VM...)

-Oriented Programming (ROP)

-related vulnerabilities (e.g. TLS vulnerabilities such as: BEAST,

CRIME, BREACH, POODLE, FREAK, or Logjam, Wireless protocol cryptographic

vulnerabilities).

-boot’ attacks, Stuxnet)

You are not required to choose from the above list; you can choose your own topic (if you are

unsure if a topic is suitable, ask your tutor or lecturer).

IMPORTANT NOTE: To avoid duplication of topics, each student in this unit will have to choose

a different vulnerability as his/her chosen topic. Topics will be allocated by your tutor on a `first

come first serve’ basis. Once you have decided on a chosen vulnerability, let your tutor know as

soon as possible to avoid the possibility of another student choosing this vulnerability before you. If

your chosen vulnerability was already `taken’ by another student, your tutor will ask you to choose

a different topic.

2. Vulnerability Explanation: Explain what your chosen vulnerability is and how it can arise

in software systems.

3. Vulnerability Exploitation: Investigate how your chosen vulnerability can be exploited,

and provide detailed explanation of how the exploitation attacks work, illustrating your

explanation with either a piece of real code (or, if this is not practical, an algorithm written

in pseudocode) that demonstrates the vulnerability and its exploitation with some example

data. Explain any variants of the vulnerability/attacks and their relative advantages and

2

limitations. Assess the current security implications of the attacks in terms of potential risk

to software systems that have such vulnerabilities.

4. Vulnerability Detection: Investigate methods that can be used to test for and detect the

vulnerability in software systems and assess their effectiveness.

5. Vulnerability Mitigation: Investigate mitigation approaches that could be used to eliminate

such vulnerabilities from software or reduce the effectiveness of exploit attacks, and assess

their effectiveness. Illustrate your explanation with example mitigation code (or, if this is

not practical, an algorithm written in pseudocode), explaining how it resists previous

exploitation attacks, why you think it is difficult to break the secure code with any other

attack, along with any assumptions needed for the mitigation to be effective, and an

assessment of the validity of these assumptions in typical applications.

6. Research Directions: Explain whether/how you think this type of vulnerability may be

modified or extended in future, and identify possible directions for improving detection

and/or mitigation of similar vulnerabilities in future systems.

Your research for this assignment should make use of, and your report should cite and discuss, at

least 4 relevant research papers from the software security research literature.

Your report will graded with the following mark allocation:

- Quality/depth of explanation of vulnerability, its exploitation, detection, and mitigation (40%)

- Clarity/correctness of demonstration insecure/secure code/pseudocode in Tasks 3 and 6. (20%)

- Evaluation of security implications and research directions of improvement for

attacks/mitigation/detection techniques. (20%)

- Quality of answers to interview questions on report. (20%)

Submission:

Your report must answer all the 6 tasks. Submit a report of your findings with six sections. Section

1 will be an introduction to your report, introducing the chosen vulnerability and the summarizing

the contents of the remaining sections. The following five sections should cover your findings with

respect to tasks 2-6 above, respectively (e.g. Section 2 should be titled `Vulnerability Explanation’

and contain your findings for task 2 above). You may include screen shots and any long pieces of

code used to demonstrate the task as an appendix. The page limit for the reports is 18 pages (not

including references and appendix).