Experience

Vendors who wish to provide software or services to large corporations and governments must often obtain numerous certificates of compliance. Each certificate asserts that the software satisfies a compliance regime, like SOC or the PCI DSS, to protect the privacy and security of sensitive data. Manual compliance audits of source code (the industry standard) are expensive, error-prone, partial, and prone to regressions.

We propose \emph{continuous compliance} to guarantee that the codebase stays compliant on each code change using lightweight verification tools. Continuous compliance increases assurance and reduces cost in the domain of source-code compliance.

We evaluated continuous compliance by building and deploying verification tools for five common audit controls related to data security: cryptographically unsafe algorithms must not be used, keys must be at least 256 bits long, credentials must not be hard-coded into program text, HTTPS must always be used instead of HTTP, and cloud data stores must not be world-readable. We report on our experience deploying these verification tools at a large company, where they are integrated into the compliance process (including auditors accepting their output as evidence) and have been run on over 68 million lines of code. We open-sourced our tools and applied them to over 5 million lines of open-source software. Compared to other publicly-available tools for detecting misuses of encryption, only ours are suitable for continuous compliance.

Martin Kellogg

University of Washington, Seattle

United States

Martin Schäf

Amazon Web Services

United States

Serdar Tasiran

Amazon Web Services

Michael D. Ernst

University of Washington, USA

The security guarantee of SSL/TLS critically depends on the correct validation of X.509 certificate. Therefore, it is important to check whether certificate validation in SSL/TLS is implemented correctly. Differential testing has been used successfully to find semantic bugs in this domain. However, existing differential testing tools suffer from three limitations: (1) inputs are not guaranteed to be syntactically correct. (2) the diversity of inputs is not enough. (3) requiring a large number inputs for finding each semantic bug.

This paper tackles these problems by introducing SADT, a novel syntax-aware differential testing framework for testing certificate validation code. Our core insight is to mutate input by tree-based mutation to ensure generated inputs are syntactically correct, and diversify inputs by share interesting inputs among all tested SSL/TLS implementations. The generated certificates are then employed to reveal discrepancies (potential bugs) among certificate validation in all SSL/TLS implementations.

We have implemented the new syntax-aware differential testing framework, named SADT, and evaluated it against other differential testing frameworks (such as NEZHA and RFCcert) and the fuzzer AFL. In our experiment, SADT yields 64 unique discrepancies when 6 SSL/TLS implementations are tested while NEZHA, RFCcert and AFL yield 31, 15 and 2 unique discrepancies respectively. In adition, we have been reporting bugs found by SADT to the software developers. Until now, 13 bugs have been confirmed or fixed, 10 of which were previously unknown bugs among all projects.

Lili Quan

College of Intelligence and Computing,Tianjin University

Qianyu Guo

College of Intelligence and Computing, Tianjin University

China

Hongxu Chen

Research Associate

xiexiaofei

Li Xiaohong

TianJin University

China

Yang Liu

Nanyang Technological University, Singapore

Singapore

Jing Hu

Tianjin Key Laboratory of Advanced Networking (TANK), College of Intelligence and Computing,Tianjin University

Serialisation related security vulnerabilities have recently been reported for numerous Java applications. Since serialisation presents both soundness and precision challenges for static analysis, it can be difficult for analyses to precisely pinpoint serialisation vulnerabilities in a Java library. In this paper, we propose a hybrid approach that extends a static analysis with fuzzing to detect serialisation vulnerabilities. The novelty of our approach is in its use of a heap model to direct fuzzing for vulnerabilities in Java libraries. The advantage is that the analysis guides fuzzing to quickly and effectively produce results, which may also automatically validate static analysis reports.

Shawn Rasheed

Massey University

New Zealand

Jens Dietrich

Victoria University of Wellington

New Zealand

As most smart systems such as smart logistic and smart manufacturing are delay sensitive, the current mainstream cloud computing based system architecture is facing the critical issue of high latency over the Internet. Meanwhile, as huge amount of data is generated by smart devices with limited battery and computing power, the increasing demand for energy-efficient machine learning and secure data communication at the network edge has become a hurdle to the success of smart systems. To address these challenges with using smart UAV (Unmanned Aerial Vehicle) delivery system as an example, we propose EXPRESS, a novel energy-efficient and secure framework based on mobile edge computing and blockchain technologies. We focus on computation and data (resource) management which are two of the most prominent components in this framework. The effectiveness of the EXPRESS framework is demonstrated through the implementation of a real-world UAV delivery system. As an open-source framework, EXPRESS can help researchers implement their own prototypes and test their computation and data management strategies in different smart systems. The demo video can be found at https://youtu.be/r3U1iU8tSmk.

Jia Xu

School of Computer Science and Technology, Anhui University

Xiao Liu

School of Information Technology, Deakin University

Australia

Xuejun Li

School of Computer Science and Technology, Anhui University

Lei Zhang

Antwork Robotics Co., Ltm., Hangzhou, China

Yun Yang

Swinburne University of Technology