Ultra-Large Scale Systems Security


Projektbeschreibung:

Das ULS3-Vorhaben hat zum Ziel, Sicherheitsmechanismen für hochskalierbare REST-basierte Systeme zu entwickeln und zu evaluieren. Dabei werden zwei maßgebliche Faktoren im besonderen Maße fokussiert (Projektschwerpunkte): (1) die Entwicklung eines universellen REST-Sicherheitsframeworks, unter Berücksichtigung einer minimalen Interferenz der Sicherheitsmechanismen auf die REST- Architektureigenschaften und (2) die gebrauchstaugliche Ausgestaltung von REST-Security Programmierschnittstellen zur effektiven und effizienten Verwendung durch Softwareentwickler.

Projektdauer: April 2017 - März 2020

Projektmitarbeiter:

Luigi Lo Iacono

Luigi Lo Iacono

Professor

Raum:
ZW 10-4
Telefon:
+49 221-8275-2527
luigi.lo_iacono@th-koeln.de
Hoai Viet Nguyen

Hoai Viet Nguyen

Wissenschaftlicher Mitarbeiter

Raum:
ZW 10-2/3
Telefon:
+49 221-8275-2783
viet.nguyen@th-koeln.de
Peter Leo Gorski

Peter Leo Gorski

Wissenschaftlicher Mitarbeiter

Raum:
ZW 10-2/3
Telefon:
+49 221-8275-2782
peter.gorski@th-koeln.de

Fördermittelgeber:

Das Projekt ULS3 (Ultra-Large Scale Systems Security) wird unter dem Förderkennzeichen 13FH016IX6 im Förderprogramm "Forschung an Fachhochschulen" vom Bundesministerium für Bildung und Forschung (BMBF) gefördert.

Projektpartner:

iesy

, , , (), p.,

Publikationen:


@inproceedings{conf/ccs2019/nguyen,
  author = {H. V. Nguyen and L. Lo Iacono and H. Federrath},
  title = {{Your Cache Has Fallen: Cache-Poisoned Denial-of-Service Attack}},
  booktitle = {{26th ACM Conference on Computer and Communications Security (CCS)}},
  year = {2019},
  url = {https://doi.org/10.1145/3319535.3354215},
  abstract = {{Web caching enables the reuse of HTTP responses with the aim to reduce the number of requests
  that reach the origin server, the volume of network traffic resulting from resource requests, and the user-
  perceived latency of resource access. For these reasons, a cache is a key component in modern distributed
  systems as it enables applications to scale at large. In addition to optimizing performance metrics, caches
  promote additional protection against Denial of Service (DoS) attacks.

  In this paper we introduce and analyze a new class of web cache poisoning attacks. By provoking an error on
  the origin server that is not detected by the intermediate caching system, the cache gets poisoned with the
  server-generated error page and instrumented to serve this useless content instead of the intended one,
  rendering the victim service unavailable. In an extensive study of fifteen web caching solutions we analyzed
  the negative impact of the Cache-Poisoned DoS (CPDoS) attack---as we coined it. We show the practical
  relevance by identifying one proxy cache product and five CDN services that are vulnerable to CPDoS. Amongst
  them are prominent solutions that in turn cache high-value websites. The consequences are severe as one simple
  request is sufficient to paralyze a victim website within a large geographical region. The awareness of the
  newly introduced CPDoS attack is highly valuable for researchers for obtaining a comprehensive understanding
  of causes and countermeasures as well as practitioners for implementing robust and secure distributed systems.
  }}
}

@ARTICLE{journal/IEEECOM2019/rudolph,
author={H. C. {Rudolph} and A. {Kunz} and L. {Lo Iacono} and H. V. {Nguyen}},
journal={IEEE Communications Standards Magazine},
title={{Security Challenges of the 3GPP 5G Service Based Architecture}},
year={2019},
volume={3},
number={1},
pages={60-65},
doi={10.1109/MCOMSTD.2019.1800034},
url = {https://doi.org/10.1109/MCOMSTD.2019.1800034},
abstract = {
  3GPP is currently finalizing the first publication of 5G specifications in their Release 15. Several new features and concepts are introduced to the radio interface and the core network in order to enhance the softwarization and virtualization of functional entities in the mobile core network. One of the driving new concepts is the service-based architecture (SBA). Service concepts and technologies are already well established in the area of Internet-based platforms and applications. With the 3GPP 5G SBA, flexible and on-demand service composition -- even across organizational boundaries -- provides a new level of flexibility and business opportunities to the mobile industry. However, this type of service orientation comes with new security implications that have not been present to their full extent in previous mobile network generations. This article introduces the foundational security concepts and technologies of SBA in 3GPP 5G, focusing mainly on non-roaming scenarios, and discusses security challenges arising from these architectural changes.
}
}

@article{journals/mpdifutureinternet/loiacono,
  author = {L. Lo Iacono and H. V. Nguyen and P. L. Gorski},
  year = {2019},
  month = {02},
  title = {On the Need for a General REST-Security Framework},
  volume = {11},
  number = {3},
  booktitle = {Future Internet },
  doi = {10.3390/fi11030056},
  abstract = {{Contemporary software is inherently distributed. The principles guiding the design of such software have been mainly manifested by the service-oriented architecture (SOA) concept. In a SOA, applications are orchestrated by software services generally operated by distinct entities. Due to the latter fact, service security has been of importance in such systems ever since. A dominant protocol for implementing SOA-based systems is SOAP, which comes with a well-elaborated security framework. As an alternative to SOAP, the architectural style representational state transfer (REST) is gaining traction as a simple, lightweight and flexible guideline for designing distributed service systems that scale at large. This paper starts by introducing the basic constraints representing REST. Based on these foundations, the focus is afterwards drawn on the security needs of REST-based service systems. The limitations of transport-oriented protection means are emphasized and the demand for specific message-oriented safeguards is assessed. The paper then reviews the current activities in respect to REST-security and finds that the available schemes are mostly HTTP-centered and very heterogeneous. More importantly, all of the analyzed schemes contain vulnerabilities. The paper contributes a methodology on how to establish REST-security as a general security framework for protecting REST-based service systems of any kind by consistent and comprehensive protection means. First adoptions of the introduced approach are presented in relation to REST message authentication with instantiations for REST-ful HTTP (web/cloud services) and REST-ful constraint application protocol (CoAP) (internet of things (IoT) services).}},
  url = {https://doi.org/10.3390/fi11030056}
}

@inproceedings{conf/sac2019/nguyen,
  author = {H.V. Nguyen and L. Lo Iacono and H. Federrath},
  title = {{Mind the Cache: Large-Scale Analysis of Web Caching}},
  booktitle = {{34rd ACM/SIGAPP Symposium on Applied Computing (SAC)}},
  year = {2019},
  url = {https://doi.org/10.1145/3297280.3297526},
  abstract = {{
  Modern software applications are widely interconnected systems mostly built on web technologies as foundation. Caching is an integral layer of such systems and thus needs to be carefully considered in development and operations. First reported incidents with caches leaking sensitive information emphasize the possible consequences of getting them and their dependencies with the whole system wrong and that those side effects are not solely related to performance.

  In this paper we argue that proper testing tools are required to enable the diverse stakeholders in carefully acting with shared caches including proxies and CDNs. As such tools are currently lacking in many respects, we propose a cache testing environment which allows to analyze shared caches of any kind. Our developed shared web cache testing tool includes 397 test cases and a simple specification language that allows to easily extend the base test suite. With this testing tool, we analyzed seven distinct shared caching systems. We found that they do behave different in many respect, not always conforming with the respective standardization. Some observed peculiarities do even have the potential for future incidents and they remain unnoticed by system integrators and administrators  without proper tooling. Developers of caching components and researchers can benefit from our tool too, as they can systematically investigate caching properties of interest.
  }}
}



@inproceedings{conf/haisa2018/gorski,
author = {P. L. Gorski and L. Lo Iacono and S. Wiefling and S. M{\"o}ller},
title = {Warn if Secure or How to Deal with Security by Default in Software Development?},
booktitle = {{12th International Symposium on Human Aspects of Information Security and Assurance (HAISA)}},
year = {2018},
url = {https://www.cscan.org/?page=openaccess&eid=20&id=388},
abstract = {{
Software development is a complex task. Merely focussing on functional requirements is not sufficient any more. Developers are responsible to take many non-functional requirements carefully into account. Security is amongst the most challenging, as getting it wrong will result in a large user-base being potentially at risk. A similar situation exists for administrators. Security defaults have been put into place here to encounter lacking security controls. As first attempts to establish security by default in software development are flourishing, the question on their usability for developers arises.
In this paper we study the effectiveness and efficiency of Content Security Policy (CSP) enforced as security default in a web framework. When deployed correctly, CSP is a valid protection mean in a defence-in-depth strategy against code injection attacks. In this paper we present a first qualitative laboratory study with 30 participants to discover how developers deal with CSP when deployed as security default. Our results emphasize that the deployment as security default has its benefits but requires careful consideration of a comprehensive information flow in order to improve and not weaken security. We provide first insights to inform research about aiding developers in the creation of secure web applications with usable security by default.
}}
}

@inproceedings {conf/soups2018/gorski,
author = {P. L. Gorski and L. Lo Iacono and D. Wermke and C. Stransky and S. M{\"o}ller and Y. Acar and S. Fahl},
title = {Developers Deserve Security Warnings, Too: On the Effect of Integrated Security Advice on Cryptographic {API} Misuse},
booktitle = {{14th Symposium on Usable Privacy and Security (SOUPS)}},
year = {2018},
pages = {265--281},
url = {https://www.usenix.org/conference/soups2018/presentation/gorski},
publisher = {{USENIX} Association},
abstract = {{

Cryptographic API misuse is responsible for a large number of software vulnerabilities. In many cases developers are overburdened by the complex set of programming choices and their security implications. Past studies have identified significant challenges when using cryptographic APIs that lack a certain set of usability features (e.g. easy-to-use documentation or meaningful warning and error messages) leading to an especially high likelihood of writing functionally correct but insecure code.

To support software developers in writing more secure code, this work investigates a novel approach aimed at these hard-to-use cryptographic APIs. In a controlled online experiment with 53 participants, we study the effectiveness of API-integrated security advice which informs about an API misuse and places secure programming hints as guidance close to the developer. This allows us to address insecure cryptographic choices including encryption algorithms, key sizes, modes of operation and hashing algorithms with helpful documentation in the guise of warnings. Whenever possible, the security advice proposes code changes to fix the responsible security issues. We find that our approach significantly improves code security. 73% of the participants who received the security advice fixed their insecure code.

We evaluate the opportunities and challenges of adopting API-integrated security advice and illustrate the potential to reduce the negative implications of cryptographic API misuse and help developers write more secure code.
}}
}

@inproceedings{conf/webstudies2018/nguyen,
author = {H. V. Nguyen and L. {Lo Iacono} and H. Federrath},
title = {{Systematic Analysis of Web Browser Caches}},
booktitle = {{2nd International conference on Web Studies (WS)}},
year = {2018},
url = {https://doi.org/10.1145/3240431.3240443},
note = {to be appear},
abstract = {{
The caching of frequently requested web resources is an integral part of the web ever since. Cacheability is the main pillar for the web's scalability and an important mechanism for optimizing resource consumption and performance. Caches exist in many variations and locations on the path between web client and server with the browser cache being ubiquitous to date. Web developers need to have a profound understanding of the concepts and policies of web caching even when exploiting these advantages is not relevant. Neglecting web caching may otherwise result in more serve consequences than the simple loss of scalability and efficiency. Recent misuse of web caching systems shows to affect the application's behavior as well as privacy and security.

In this paper we introduce a tool-based approach to disburden web developers while keeping them informed about caching influences. Our first contribution is a structured test suite containing 397 web caching test cases. In order to make this collection easily adoptable we introduce an automated testing tool for executing the test cases against web browsers. Based on the developed testing tool we conduct a systematic analysis on the behavior of web browser caches and their compliance with relevant caching standards. Our findings on desktop and mobile versions of Chrome, Firefox, Safari and Edge show many diversities as well as discrepancies. Appropriate tooling supports web developers in uncovering such adversities. As our baseline of test cases is specified using a specification language that enables extensibility, developers as well as administrators and researchers can systematically add and empirically explore caching properties of interest even in non-browser scenarios.
}}
}


@inproceedings{conference/gisicherheit2018/gorski,
  title = {{Usability von Security-APIs für massiv-skalierbare vernetzte Service-orientierte Systeme}},
  url = {https://sicherheit2018.in.htwg-konstanz.de/programm/},
  year = {2018},
  abstract = {{Kontemporäre Service-orientierte Systeme sind hochgradig vernetzt und haben zudem die Eigenschaft massiv-skalierbar zu sein. Diese Charakteristiken stellen im besonderen Maße Anforderungen an die Datensicherheit der Anwender solcher Systeme und damit primär an alle Stakeholder der Softwareentwicklung, die in der Verantwortung sind, passgenaue Sicherheitsmechanismen effektiv in die Softwareprodukte zu bringen. Die Effektivität von Sicherheitsarchitekturen in service-orientierten Systemen hängt maßgeblich von der richtigen Nutzung und Integration von Security-APIs durch eine heterogene Gruppe von Softwareentwicklern ab, bei der nicht per se ein fundiertes Hintergrundwissen über komplexe digitale Sicherheitsmechanismen vorausgesetzt werden kann. Die Diskrepanz zwischen komplexen und in der Anwendung fehleranfälligen APIs und einem fehlenden Verständnis für die zugrundeliegenden Sicherheitskonzepte auf Seiten der Nutzer begünstigt in der Praxis unsichere Softwaresysteme. Aus diesem Grund ist die Gebrauchstauglichkeit von Security-APIs besonders relevant, damit Programmierer den benötigten Funktionsumfang effektiv, effizient und zufriedenstellend verwenden können. Abgeleitet von dieser Problemstellung, konzentriert sich das Dissertationsvorhaben auf die gebrauchstaugliche Ausgestaltung von Security-APIs und den Herausforderungen die sich aus den Methoden zur Evaluation der Usability in typischen Umgebungen der Softwareentwicklung ergeben.}},
  booktitle = {{Doctoral Forum - Fachbereichs Sicherheit – Schutz und Zuverlässigkeit der Gesellschaft für Informatik e.V. (Sicherheit)}},
  author = {P. L. Gorski},
  note = {{To Appear}}
}

@inproceedings{conference/trustbus2017/nguyen,
  title = {{On the Security Expressiveness of REST-Based API Definition Languages}},
  url = {https://doi.org/10.1007/978-3-319-64483-7_14},
  year = {2017},
  doi = {10.1007/978-3-319-64483-7_14},
  abstract = {{Modern software is inherently distributed. Applications are decomposed into functional components of which most are provided by third parties usually deployed as software services scattered around the network. Available services can be discovered and orchestrated by service consumers in a flexible and on-the-fly manner. To do so, a standardized specification of the service’s functionalities is required. Apart from functional aspects, such an interface definition language needs to offer expressions for specifying important non-functional facets in addition, such as security. With WSDL and WS-Security such a standardized service description language and a mature security framework are available for the SOAP domain. For REST-based web services such standards are, however, missing. To overcome these shortcomings, many distinct sources propose service description languages and security schemes for REST-based web services. This paper provides a systematic analysis of these languages with a specific focus on their ability to express security policies. The obtained results reveal substantial limitations in all analyzed specification languages.}},
  booktitle = {{International Conference on Trust and Privacy in Digital Business (TrustBus)}},
  author = {H.V. Nguyen and J. Tolsdorf and L. {Lo Iacono}}
}

@inproceedings{conf/soups/Gorski,
  author = {L. {Lo Iacono} and P. L. Gorski},
  title = {{Poster: I Do and I Understand. Not Yet True for Security APIs. So Sad}},
  booktitle = {{13th Symposium on Usable Privacy and Security (SOUPS)}},
  year = {2017},
  url = {https://www.internetsociety.org/sites/default/files/eurousec2017_15_LoIacono_paper.pdf},
  abstract = {{Usable security puts the users into the center of
  cyber security developments. Software developers are a very
  specific user group in this respect, since their points of contact
  with security are application programming interfaces (APIs). In
  contrast to APIs providing functionalities of other domains than
  security, security APIs are not approachable by habitual means.
  Learning by doing exploration exercises is not well supported.
  Reasons for this range from missing documentation, tutorials and
  examples to lacking tools and impenetrable APIs, that makes this
  complex matter accessible. In this paper we study what abstraction level of security
  APIs is more suitable to meet common developers’ needs and
  expectations. For this purpose, we firstly define the term security
  API. Following this definition, we introduce a classification of
  security APIs according to their abstraction level. We then
  adopted this classification in two studies. In one we gathered
  the current coverage of the distinct classes by the standard set of
  security functionality provided by popular software development
  kits. The other study has been an online questionnaire in which we
  asked 55 software developers about their experiences and opinion
  in respect of integrating security mechanisms into their coding
  projects. Our findings emphasize that the right abstraction level
  of a security API is one important aspect to consider in usable
  security API design that has not been addressed much so far.}}
}