
Publication


Featured research published by Yudistira Asnar.


international conference on data and software engineering | 2014

A vulnerability scanning tool for session management vulnerabilities

Raymond Lukanta; Yudistira Asnar; A. Imam Kistijantoro

Session management vulnerabilities can be categorized as a group of vulnerabilities that are still often discovered. Session management vulnerabilities consist of session fixation, CSRF, and insufficient cookie attributes. Based on the OWASP Top 10 2013, issues with session management are ranked in 2nd place, while CSRF is in 8th. To detect session management vulnerabilities, we developed a vulnerability scanning tool extending an existing open source tool, namely Nikto. To validate our tool, we have performed two types of testing: functional testing and field testing. In functional testing, we created some synthetic test cases to prove that all the functionalities work well. In the field testing, we used some existing projects, and we can conclude that Nikto failed to execute some test cases and also found some false negatives. The false negatives are caused by the error in detecting the random token performed by the CSRF detector.


conference on software engineering education and training | 2014

Reshaping software engineering education towards 2020 engineers

Inggriani Liem; Yudistira Asnar; Saiful Akbar; Adi Mulyanto; Yani Widyani

In this paper, we present an overview of how to reshape the software engineering education in our undergraduate study program (i.e., curriculum program, software engineering curriculum package, and learning process) so that our graduates have sufficient skills to be the 2020 software engineers. We believe that the corner blocks for producing fine engineers are a good understanding of the following areas: basic fundamentals and principles of science and computing, methodology, techniques-tools-platform, capability to understand domain problems, communication and personal skills, and the attitude to be a good learner and self-disciplined. We translate these values into our undergraduate curriculum with the aim of producing general software engineers who are quick to master specific platforms/technologies and devices and to understand domain problems.


international conference on data and software engineering | 2014

Input injection detection in Java code

Edward Samuel Pasaribu; Yudistira Asnar; M.M. Inggriani Liem

Input injections are considered the most common and effective vulnerabilities to exploit in many software systems (esp. web apps). In this paper, we propose a way to detect such vulnerabilities, such as SQL injection, command injection, and cross-site scripting. Input injection is caused by executing user inputs which have not been validated or sanitized, so that the purpose of execution is changed by malicious agents to their advantage. The input injection detector is built by extending an existing static analysis tool, namely FindBugs. The detection uses a dataflow analysis to monitor user-contaminated variables. To improve accuracy, reducing false positives and false negatives, dataflow analysis is used to monitor variables that have been validated or sanitized by developers. Our detector has only a few false positives and false negatives based on our testing using our test cases and existing applications, i.e. WebGoat and ADempiere.


international conference on data and software engineering | 2014

Android security assessment based on reported vulnerability

Eko Sugiono; Yudistira Asnar; Inggriani Liem

Android is considered the leading platform on the smartphone market. Thus, it has become a prime target for many security crooks, and its security has become of utmost concern. This research aims at assessing Android security, especially whether Android folks are getting better or worse at delivering a secure platform. In this research, we use data extracted from the National Vulnerability Database (NVD) to answer this question. Surprisingly, the study discovers that 83.3% of reported Android vulnerabilities originate from third-party apps that run on the Android platform and not inherently from the Android platform itself. We also discover strong evidence that Android security is getting better, based on the declining number of reported Android vulnerabilities and the reduction in Android vulnerability Time-to-Patch.


international conference on data and software engineering | 2016

Fraud detection based-on data mining on Indonesian E-Procurement System (SPSE)

Hasan Asy'ari Arief; G. A. Putri Saptawati; Yudistira Asnar

This paper focuses on the detection of potential fraud that occurs in the procurement process via the Indonesian E-Procurement System (SPSE). Potential frauds in procurement take very diverse forms, such as corruption, collusion and tender fixation, and more importantly, they are found in various stages ranging from the budgeting to the utilization stages.


international conference on data and software engineering | 2016

A continuous fusion authentication for Android based on keystroke dynamics and touch gesture

Alifa Nurani Putri; Yudistira Asnar; Saiful Akbar

As one of the most popular smartphone operating systems nowadays, Android is used for various needs, ranging from casual purposes such as games up to critical aims like banking. To avoid any access by an impostor (unauthorized parties), the use of an authentication system is a must. Android provides a basic authentication system based on screen-lock using PIN, password, or pattern. However, all those ways have several vulnerabilities, i.e.: 1) leaked or transferred key access, 2) only supports full binary authentication, and 3) no re-authentication nor revocation. This research aims at developing continuous behavioral authentication as a solution for those vulnerabilities. Our solution uses an authentication score, not just a binary authentication. The score is constructed using a fusion approach combining two modalities, i.e. keystroke dynamics (typing behavior) and touch gesture (tap, swipe, and pinch behavior). Each of those authentication models is built using two-class machine learning classification. This authentication system is designed to run continuously in the Android background, so it is possible to change authorization or make a revocation anytime needed. This proposed solution has been implemented as a prototype on a testing application. Several tests have been held: first, a modality experiment to find the best classifier for each modality; second, a continuous fusion authentication test; third, a performance test. The result shows that our proposed fusion authentication is more accurate than when the modalities work individually. Based on the continuous and live authentication testing on an Android device, the best fusion method is mean Olympic with a threshold of 0.81, which makes the FAR and FRR equal at 0.26.


international conference on data and software engineering | 2014

Developing translation rules of Java-JML source code to Event-B

Faisal Ibrahim Hadiputra; Yudistira Asnar; Bayu Hendradjaya

This paper proposes translation rules from Java-JML source code to Event-B. Java Modeling Language (JML), a specification language for Java, makes it easy to write a code-level specification owing to its similarity with Java syntax. However, the verification tools which support JML still have a lot of limitations. On the other hand, in formal methods, Event-B has been frequently used to specify software and hardware systems. Also, its verification tools are widely available and supplement one another. These facts give the opportunity to combine the ease provided by JML and the maturity of Event-B in formal methods. In this case, translating Java-JML source code to Event-B could be the way. Thus, systematic translation rules are needed. Through this work, the rules are successfully formulated. Besides, the soundness of the rules is also guaranteed according to its correct-by-construction approach. Then, the rules are also evaluated, showing that the unique properties which are required by the Event-B model (assertion, convergence, and enabledness) are properly checked. By using these rules, the limitations of verification tools for JML can be supplemented.


international conference on data and software engineering | 2014

Data migration helper using domain information

Irfan Kamil; M. M. Inggriani; Yudistira Asnar

Data migration is considered a critical task to achieve a single source of data that is standardized and contains all-important data to the business. In this work, we propose a technique to define a migration schema using an ETL tool that automates several mundane activities in mapping the data items from the source database into the targeted database. The schema is generated automatically using a string-matching algorithm founded on a domain-related dictionary (i.e., oil & gas). However, human analysts are still needed to correct and validate the candidate-mapping schema. Several cases have been applied to validate this approach. We have also exercised the usage of a simple ontology to reduce the manual activities in defining the mapping schema. It produced promising results, and we believe further research in this direction, using ontology, will be able to reduce the manual activities significantly.


international conference on data and software engineering | 2014

Information system log visualization to monitor anomalous user activity based on time

Jeremy Joseph Hanniel; Tricya Esterina Widagdo; Yudistira Asnar

As information systems start to manage the more crucial parts of human lives, their security cannot be neglected. One way to ensure security is by analyzing their generated log files for anomalous user activity. Data visualization has become a common solution to help get around the problems in log analysis. In this paper, we tried to determine key characteristics of effective data visualization for detecting anomalous user activity recorded in log files. First, we analyzed the log data we have and derived 4 anomalies whose indicators are made into visualization topics. Hence we built 4 data visualizations to detect the 4 anomalies. Next, we transformed our data so that they can be visualized. After that, we analyzed the suitable time-based data visualization methods to represent our data and decided on the heatmap, for its wide application in existing solutions, and the dot plot, for it is able to accommodate all data variables needed on every visualization topic and has the suitable nuance for monitoring purposes. Next, we decided on the design concept of our data visualizations and implemented them as web-based data visualizations. We conducted 2 tests in this paper to determine the key characteristics of effective data visualization. Even though the results are inconclusive, they hinted that an effective data visualization on this matter should support a large amount of perceived information through cognition and support focused exploration.


international conference on data and software engineering | 2015

Confidentiality and privacy information security risk assessment for Android-based mobile devices

Irwan; Yudistira Asnar; Bayu Hendradjaya

Collaboration

Top Co-Authors

Bayu Hendradjaya, Bandung Institute of Technology
G. A. Putri Saptawati, Bandung Institute of Technology
Inggriani Liem, Bandung Institute of Technology
M.M. Inggriani Liem, Bandung Institute of Technology
Riza Satria Perdana, Bandung Institute of Technology
Saiful Akbar, Bandung Institute of Technology
Tricya Esterina Widagdo, Bandung Institute of Technology
A. Imam Kistijantoro, Bandung Institute of Technology
Achmad Imam Kistijantoro, Bandung Institute of Technology
Adi Mulyanto, Bandung Institute of Technology