Top

Published in:

2024 | OriginalPaper | Chapter

Hardening Systems Against Data Corruption Attacks at Design Time

Authors : John Breton, Jason Jaskolka, George O. M. Yee

Published in: Foundations and Practice of Security

Publisher: Springer Nature Switzerland

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Despite advancements in security research, systems continue to be susceptible to all kinds of threats. To better support designers, we present a method and tool called Dubhe that can be employed during the design phase of development to harden systems against data corruption attacks. We highlight the benefits of this approach by applying it to an online seller of merchandise system to analyze various “what-if” scenarios with different defence objectives. Using our approach, Dubhe (1) analyzes the XML form of UML activity diagrams created to define the behavioural view of the system, (2) determines optimal locations for data sanitization using novel protection techniques and activity centrality concepts, and (3) communicates the results to the designers so that they can incorporate the suggestions back into their system designs. This example application of Dubhe shows that our approach can provide valuable security advice to designers to ensure that their systems are designed with protection against data corruption attacks, using only artifacts that designers would normally create during the design phase.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Attacking and Securing the Clock Randomization and Duplication Side-Channel Attack Countermeasure

next chapter Design of an Efficient Distributed Delivery Service for Group Key Agreement Protocols

Dubhe is a star in the Ursa Major constellation. It is commonly referred to as a “pointer star” as it helps find Polaris, also known as the North Star.

Apple: CVE-2023-32435. Available from MITRE, CVE-2023-32435 (2023). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32435

Chen, S., Xu, J., Nakka, N., Kalbarczyk, Z., Iyer, R.K.: Defeating memory corruption attacks via pointer taintedness detection. In: 2005 International Conference on Dependable Systems and Networks, pp. 378–387. DSN 2005 (2005)

Cheng, L., et al.: Exploitation techniques and defenses for data-oriented attacks. In: 2019 IEEE Cybersecurity Development (SecDev), pp. 114–128. IEEE (2019)

Chowdhury, I., Chan, B., Zulkernine, M.: Security metrics for source code structures. In: 4th International Workshop on Software Engineering for Secure Systems, pp. 57–64. SESS 2008, ACM (2008)

Fiala, D., Mueller, F., Engelmann, C., Riesen, R., Ferreira, K., Brightwell, R.: Detection and correction of silent data corruption for large-scale high-performance computing. In: 2012 International Conference on High Performance Computing, Networking, Storage and Analysis, pp. 1–12 (2012)

Google: CVE-2023-3079. Available from MITRE, CVE-2023-3079 (2023). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3079

Howard, M., Lipner, S.: The Security Development Lifecycle, vol. 8. Microsoft Press, Redmond (2006)

Jürjens, J.: UMLsec: extending UML for secure systems development. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 412–425. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45800-X_32CrossRef

Jürjens, J., Shabalin, P.: Tools for secure systems development with uml: security analysis with ATPs. In: Cerioli, M. (ed.) FASE 2005. LNCS, vol. 3442, pp. 305–309. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-31984-9_23CrossRef

10.

Kang, S., Kim, S.: CIA-level driven secure SDLC framework for integrating security into SDLC process. J. Ambient. Intell. Humaniz. Comput. 13(10), 4601–4624 (2022)CrossRef

11.

Kontouras, E., Tzes, A., Dritsas, L.: Set-theoretic detection of data corruption attacks on cyber physical power systems. J. Mod. Power Syst. Clean Energy 6, 872–886 (2018)CrossRef

12.

Lee, M., Davis, C.: XMI extension for StarUML (2018). https://github.com/staruml/staruml-xmi

13.

Lodderstedt, T., Basin, D., Doser, J.: SecureUML: a UML-based modeling language for model-driven security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45800-X_33CrossRef

14.

lxml Development Team: lxml: XML and HTML with python (2023). https://lxml.de/. version 4.9.3 [Software library]

15.

Microsoft: Microsoft outlook elevation of privilege vulnerability (2023). https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23397

16.

MKLabs Co.,Ltd.: StarUML (2023). https://staruml.io. version 6.0 [Software]

17.

Nie, X., Chen, L., Wei, H., Zhang, Y., Cui, N., Shi, G.: KPDFI: efficient data flow integrity based on key property against data corruption attack. In: Computers & Security, pp. 103–183 (2023)

18.

Object Management Group: Unified Modeling Language (2017). https://www.omg.org/spec/UML/2.5.1/PDF. version 2.5.1

19.

Ozkaya, M.: Are the UML modelling tools powerful enough for practitioners? a literature review. IET Softw. 13(5), 338–354 (2019)CrossRef

20.

Rodríguez, A., Fernández-Medina, E., Piattini, M.: Capturing security requirements in business processes through a UML 2.0 activity diagrams profile. In: Roddick, J.F., et al. (eds.) ER 2006. LNCS, vol. 4231, pp. 32–42. Springer, Heidelberg (2006). https://doi.org/10.1007/11908883_6CrossRef

21.

Samuel, J., Jaskolka, J., Yee, G.O.M.: Analyzing structural security posture to evaluate system design decisions. In: 21st IEEE International Conference on Software Quality, Reliability, and Security, QRS 2021, pp. 8–17 (2021)

22.

Sindre, G.: Mal-activity diagrams for capturing attacks on business processes. In: Sawyer, P., Paech, B., Heymans, P. (eds.) REFSQ 2007. LNCS, vol. 4542, pp. 355–366. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73031-6_27CrossRef

23.

Szekeres, L., Payer, M., Wei, T., Song, D.: Sok: eternal war in memory. In: 2013 IEEE Symposium on Security and Privacy, pp. 48–62. IEEE (2013)

24.

The Eclipse Foundation: Eclipse Papyrus (2023). https://www.eclipse.org/papyrus/. version 6.5.0 [Software]

25.

van der Veen, V., dutt-Sharma, N., Cavallaro, L., Bos, H.: Memory errors: the past, the present, and the future. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds.) RAID 2012. LNCS, vol. 7462, pp. 86–106. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33338-5_5CrossRef

26.

Yee, G.O.M.: Reducing the attack surface for private data. In: 13th International Conference on Emerging Security Information, Systems and Technologies, SECURWARE 2019, pp. 28–34 (2019)

Title: Hardening Systems Against Data Corruption Attacks at Design Time
Authors: John Breton
Jason Jaskolka
George O. M. Yee
Publisher: Springer Nature Switzerland
Book: Foundations and Practice of Security
Print ISBN: 978-3-031-57536-5

Electronic ISBN: 978-3-031-57537-2

Copyright Year: 2024
DOI: https://doi.org/10.1007/978-3-031-57537-2_24

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner