Qixu Liu

VRSS: A new system for rating and scoring vulnerabilities

Vulnerabilities are extremely important for network security. IT management must identify and assess vulnerabilities across many disparate hardware and software platforms to prioritize these vulnerabilities and remediate those that pose the greatest risk. The focus of our research is the comparative analysis of existing vulnerability rating systems, so as to discover their respective advantages and propose a compatible rating framework to unify them. We do the statistic work on vulnerabilities of three famous vulnerability databases (IBM ISS X-Force, Vupen Security and National Vulnerability database) and analyze the distribution of vulnerabilities to expose the differences among different vulnerability rating systems. The statistical results show that the distributions of vulnerabilities are not much consistent with the normal distribution. Taking into account all kinds of existing vulnerability rating systems, we propose VRSS for qualitative rating and quantitative scoring vulnerabilities, which can combine respective advantages of all kinds of vulnerability rating systems. An experimental study of 33,654 vulnerabilities demonstrates that VRSS works well.

Improving VRSS-based vulnerability prioritization using analytic hierarchy process

The number of vulnerabilities discovered in computer systems has increased explosively. Thus, a key question for system administrators is which vulnerabilities to prioritize. The need for vulnerability prioritization in organizations is widely recognized. The significant role of the vulnerability evaluation system is to separate vulnerabilities from each other as far as possible. There are two major methods to assess the severity of vulnerabilities: qualitative and quantitative methods. In this paper, we first describe the design space of vulnerability evaluation methodology and discuss the measures of well-defined evaluation framework. We analyze 11,395 CVE vulnerabilities to expose the differences among three current vulnerability evaluation systems (X-Force, CVSS and VRSS). We find that vulnerabilities are not separated from each other as much as possible. In order to increase the diversity of the results, we firstly enable vulnerability type to prioritize vulnerabilities using analytic hierarchy process on the basis of VRSS. We quantitatively characterize the vulnerability type and apply the method on the set of 11,395 CVE vulnerabilities. The results show that the quality of the quantitative scores can be improved with the help of vulnerability type.

TFTP vulnerability finding technique based on fuzzing

The basic value proposition of vulnerability finding is simple: it is better for vulnerabilities to be found and fixed by good guys than for them to be found and exploited by bad guys. Fuzzing is the art of automatic vulnerability finding. In this paper, we propose a vulnerability finding approach based on fuzzing and apply our approach to TFTP protocol. We analyzed all the vulnerabilities that had been released about TFTP protocol, and summed up the vulnerable points in TFTP servers. Aiming at those vulnerable points, a fuzzing tool named tftpServerFuzzer was specifically designed and implemented to test TFTP servers. We collected 11 types of TFTP servers based on Windows via Internet. Testing those TFTP servers by tftpServerFuzzer, we discovered three unreleased and almost all the released vulnerabilities on those TFTP servers. The result indicates not only the validity and superiority of the tftpServerFuzzer we designed, but also the efficiency of our approach.

TrackerDetector: A system to detect third-party trackers through machine learning

Abstract Privacy violation caused by third-party tracking has become a serious problem, and the most effective defense against it is blocking. However, as the core part of blocking, the blacklist is usually manually curated and is difficult to maintain. To make it easier to generate a blacklist and reduce human work, we propose an effective system with high accuracy, named TrackerDetector, to detect third-party trackers automatically. Intuitively, the behaviors of trackers and non-trackers are different, which leads to different JavaScript API sets being called. Thus, an incremental classifier is trained from JavaScript files crawled from a large number of websites to detect whether a website is a third-party tracker. High accuracy of 97.34% is obtained with our dataset and that of 93.56% is obtained within a 10-fold cross validation.

A Static Technique For Detecting Input Validation Vulnerabilities in Android Apps

Input validation vulnerabilities are common in Android apps, especially in inter-component communications. Malicious attacks can exploit this kind of vulnerability to bypass Android security mechanism and compromise the integrity, confidentiality and availability of Android devices. However, so far there is not a sound approach at the source code level for app developers aiming to detect input validation vulnerabilities in Android apps. In this paper, we propose a novel approach for detecting input validation flaws in Android apps and we implement a prototype named EasyIVD, which provides practical static analysis of Java source code. EasyIVD leverages backward program slicing to extract transaction and constraint slices from Java source code. Then EasyIVD validates these slices with predefined security rules to detect vulnerabilities in a known pattern. To detect vulnerabilities in an unknown pattern, EasyIVD extracts implicit security specifications as frequent patterns from the duplicated slices and verifies them. Then EasyIVD semi-automatically confirms the suspicious rule violations and reports the confirmed ones as vulnerabilities. We evaluate EasyIVD on four versions of original Android apps spanning from version 2.2 to 5.0. It detects 58 vulnerabilities including confused deputy attacks and denial of service attacks. Our results prove that EasyIVD can provide a practical defensive solution for app developers.创新点为了检测在Android应用软件中较为普遍的输入验证漏洞, 本文提出了一种基于静态分析的挖掘方法并实现了一个原型系统EasyIVD。本文首先利用后向程序切片技术从Java源码中提取事务切片和约束切片, 再利用预定义的安全规则检测已知模式的输入验证漏洞。对于未知模式的输入验证漏洞, 本文从相似切片中提取频繁模式, 将之作为隐式安全规范来挖掘漏洞。本文将该系统应用在四个版本的Android系统原生应用上, 共挖掘出58个输入验证漏洞。

A Machine Learning Approach for Detecting Third-Party Trackers on the Web

Nowadays, privacy violation caused by third-party tracking has become a serious problem and yet the most effective method to defend against third-party tracking is based on blacklists. Such method highly depends on the quality of the blacklist database, whose records need to be updated frequently. However, most records are curated manually and very difficult to maintain. To efficiently generate blacklists, we propose a system with high accuracy, named DMTrackerDetector, to detect third-party trackers automatically. Existing methods to detect online tracking have two shortcomings. Firstly, they treat first-party tracking and third-party tracking the same. Secondly, they always focus on a certain way of tracking and can only detect limited trackers. Since anti-tracking technology based on blacklists highly depends on the coverage of the blacklist database, these methods cannot generate high-quality blacklists. To solve these problems, we firstly use the structural hole theory to preserve first-party trackers, and only detect third-party trackers based on supervised machine learning by exploiting the fact that trackers and non-trackers always call different JavaScript APIs for different purposes. The results show that 97.8 % of the third-party trackers in our test set can be correctly detected. The blacklist generated by our system not only covers almost all records in the Ghostery list (one of the most popular anti-tracking tools), but also detects 35 unrevealed trackers.

IVDroid: Static Detection for Input Validation Vulnerability in Android Inter-component Communication

Input validation vulnerability in Android inter-component communication is a kind of severe vulnerabilities in Android apps. Malicious attacks can exploit the vulnerability to bypass Android security mechanism and compromise the integrity, confidentiality and availability of Android devices. However, so far there is not a sound approach at source code level designed for app developers to detect such vulnerabilities. In this paper we propose a novel approach aiming at detecting input validation flaws in Android apps and implement a prototype named IVDroid, which provides practical static analysis of Java source code. IVDroid leverages backward program slicing to abstract application logic from Java source code. On slice level, IVDroid detects flaws of known pattern by security rule matching and detects flaws of unknown pattern by duplicate validation behavior mining. Then IVDroid semi-automatically confirms the suspicious rule violations and report the confirmed ones as vulnerabilities. We evaluate IVDroid on 3 versions of Android spanning from version 2.2 to 4.4.2 and it detects 37 vulnerabilities including confused deputy and denial of service attack. Our results prove that IVDroid can provide a practical defence solution for app developers.

XAS: Cross-API scripting attacks in social ecosystems

With the rapid development of online social networks, various Web application programming interfaces (APIs) on social platforms are released to share profitable social data with all kinds of third-party online services. However, it also brings new risks to social networks once Web APIs are insecurely designed, implemented, and invoked. The focused topic in this paper is security analysis of a new type of cross-site scripting (XSS) which is based on Web APIs in new complicated social ecosystems which consist of social networks, third-party apps, and other online services. In this paper, we refer to Web API-based XSS as cross-API scripting (XAS). For the first time, we take typical XAS attacks in diversified context as cases to demonstrate the new exploiting opportunities and threats in social ecosystems. Also, we design a tool to identify the design and implementation flaws of Web APIs in 11 popular social networks. We discover several security flaws of API via our experiment. According to the results, we conclude causes of XAS flaws in depth. We also examined 143 Web-based apps and verified the prevalence of XAS flaws. Finally, we proposed preliminary measures both in social networks and third-party applications to alleviate XAS.

Static detection of logic vulnerabilities in Java web applications

Logic vulnerabilities occur when mistakes arise in the control flow associated to critical functionalities. We propose a lightweight static analysis approach to detect logic vulnerabilities in Java Web applications. The core idea of our approach is to discover deviant behaviors among duplication samples. Program slicing technique is leveraged to extract duplicated invocations targeted similar functionalities. Subsequently, path exploration is conducted to split slices into several path sensitive slices. Then we make comparison between any two similar slices on their path condition, and report the slices with abnormal path condition as logic vulnerabilities. We implemented our approach in a prototype tool named LVD (Logic Vulnerability Detector), and evaluated it on seven real world applications scaled from thousands to million lines of code. The evaluation results show that our approach achieves bigger coverage with acceptable cost and better scalability than previous approaches.

Eliminating human specification in static analysis

We present a totally automatic static analysis approach for detecting code injection vulnerabilities in web applications on top of JSP/servlet framework. Our approach incorporates origin and destination information of data passing in information flows, and developers beliefs on vulnerable information flows extracted via statistical analysis and pattern recognition technique, to infer specifications for flaws without any human participation. According to experiment, our algorithm is proved to be able to cover the most comprehensive range of attack vectors and lessen the manual labor greatly.