From 77d8ea40f61d80499fc6c9a201293fb0802a7030 Mon Sep 17 00:00:00 2001 From: Oliver Killane Date: Sat, 23 Mar 2024 19:04:53 +0000 Subject: [PATCH] 70004 & 70024: Added final software reliability and Avanced security notes --- .../Acoustic Attacks.md | 10 ++ .../Internet of Things Security.md | 9 ++ .../Mandatory Access Control.md | 2 +- .../Multi-Level Security.md | 1 + .../Skill Squatting.md | 15 +++ .../Voice Assistant Exploit.md | 1 + .../iOS Security.md | 26 +++++ .../Black-Box Fuzzing.md | 2 +- .../Coverage Criteria.md | 96 +++++++++++++++++++ .../Dynamic Analysis.md | 8 +- .../Mutation Testing.md | 0 .../Mutation-Based Fuzzer.md | 2 +- .../Random Program Generation.md | 2 +- 13 files changed, 166 insertions(+), 8 deletions(-) create mode 100644 70004 - Advanced Computer Security/Acoustic Attacks.md create mode 100644 70004 - Advanced Computer Security/Internet of Things Security.md create mode 100644 70004 - Advanced Computer Security/Skill Squatting.md create mode 100644 70004 - Advanced Computer Security/Voice Assistant Exploit.md create mode 100644 70004 - Advanced Computer Security/iOS Security.md create mode 100644 70024 - Software Reliability/Coverage Criteria.md create mode 100644 70024 - Software Reliability/Mutation Testing.md diff --git a/70004 - Advanced Computer Security/Acoustic Attacks.md b/70004 - Advanced Computer Security/Acoustic Attacks.md new file mode 100644 index 0000000..af5c218 --- /dev/null +++ b/70004 - Advanced Computer Security/Acoustic Attacks.md @@ -0,0 +1,10 @@ +## Description +A type of [[Voice Assistant Exploit]] that attempts to invoke an assistant audibly. + +| Type | Downside | +| ---------------- | ------------------------------------------- | +| Incomprehensible | Can be easily noticed by a human | +| Inaudible | Requires special hardware (i.e. ultrasound) | +| Hidden in music | ? | +## CommanderSong +Automatically embeds a set of commands into a song. \ No newline at end of file 
diff --git a/70004 - Advanced Computer Security/Internet of Things Security.md b/70004 - Advanced Computer Security/Internet of Things Security.md new file mode 100644 index 0000000..63e61f2 --- /dev/null +++ b/70004 - Advanced Computer Security/Internet of Things Security.md @@ -0,0 +1,9 @@ +## Main Challenges + +| Challenge | Description | +| -------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| LAN Mistrust | Where IoT devices that rely on local network based authentication | +| Environment Mistrust | When the IoT device trusts the physical environment (e.g. trust a camera is not moved, or for voice assistants that the voice speaking physically nearby is allowed) | +| App Over-Privilege | Where apps can perform unauthorized/unexpected actions on multi-app platforms (e.g. ) | +| Weak Athentication | For example speakers that allow anyone with bluetooth in range to connected. | +| Implementation Flaws | Hardcoded credentials, [[Cross Site Scripting\|XSS]], open ports and debugging functionality, unencrypted transmission | diff --git a/70004 - Advanced Computer Security/Mandatory Access Control.md b/70004 - Advanced Computer Security/Mandatory Access Control.md index bacf312..52b2cbf 100644 --- a/70004 - Advanced Computer Security/Mandatory Access Control.md +++ b/70004 - Advanced Computer Security/Mandatory Access Control.md @@ -1,5 +1,5 @@ Access control decisions cannot be changed by normal users. -- System wide set of enforced rukes +- System wide set of enforced rules - Normal (i.e. non root) users cannot change permissions ([[Control Schema]]) Offers stronger guarantees than [[Discretionary Access Control]] (does not trust normal users). diff --git a/70004 - Advanced Computer Security/Multi-Level Security.md b/70004 - Advanced Computer Security/Multi-Level Security.md index 131319e..bf6ea48 100644 
--- a/70004 - Advanced Computer Security/Multi-Level Security.md +++ b/70004 - Advanced Computer Security/Multi-Level Security.md @@ -20,3 +20,4 @@ Encodes multiple users using category field: Used for managed profiles: - parental controls (restricted profile) - company managed profiles (work accounts, samsung KNOX) +revmans \ No newline at end of file diff --git a/70004 - Advanced Computer Security/Skill Squatting.md b/70004 - Advanced Computer Security/Skill Squatting.md new file mode 100644 index 0000000..c7412bf --- /dev/null +++ b/70004 - Advanced Computer Security/Skill Squatting.md @@ -0,0 +1,15 @@ +## Description +A type of [[Voice Assistant Exploit]]. Addon apps for voice assistants such as Alexa are *skills*, by making skills likely to be activated accidentally by Alexa misinterpreting speech they can be activated in place of the intended app. +- Voice equivalent of typo squatting +- Predictable errors caused by homophones, and phonetic confusion (e.g. wet/what, rip/rap, been/bean) +- Longest string match resulting in commands being shadowed + +It is also possible to squat on common exit commands: +- For Alexa only *exit* is caught by the OS to exit the skill, *stop* and *cancel* are captured by the skill +## Defences +### Competitive Invocation Names +Identify suspicious variations of invocation names to detect potential squatting. +- Convert names to pronunciations (e.g. using the CMU Pronouncing Dictionary) and then get the edit-distance. +### Runtime Analysis +Detect the skill providing responses that are like the system's (e.g. pretending to have exited an application). +- Can use fuzzy matching (e.g. through encoding sentence semantics using a neural network), to quickly detect similarity diff --git a/70004 - Advanced Computer Security/Voice Assistant Exploit.md b/70004 - Advanced Computer Security/Voice Assistant Exploit.md new file mode 100644 index 0000000..e9c2fff --- /dev/null +++ b/70004 - Advanced Computer Security/Voice Assistant Exploit.md 
@@ -0,0 +1 @@ +[[TODO]] \ No newline at end of file diff --git a/70004 - Advanced Computer Security/iOS Security.md b/70004 - Advanced Computer Security/iOS Security.md new file mode 100644 index 0000000..41ce639 --- /dev/null +++ b/70004 - Advanced Computer Security/iOS Security.md 
@@ -0,0 +1,26 @@ +## iOS Structure + +| Component | Description | +| ------------------ | ----------------------------------------------------------------------------------- | +| kernel | Based on the Mach kernel from Mac OS X | +| Core OS & Services | APIs for files, network, SQLite, POSIX threads, UNIX sockets, and security services | +| Media Layer | Foundational framework, object oriented collections, file management, network. | +Implemented in C, Objective-C and swift. + +## System Security +Hardware Root of Trust (immutable code in the boot rom) ensures + +| Feature | Description | +| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | +| Secure Boot Chain | All startup processes are crypto-signed by Apple to ensure integrity. Only after **chain of trust** is verified does the iOS kernel start. | +| Secure Enclave Coprocessor | A secure crypto-processor (secure boot with encrypted memory) provides cryptographic functions and key storage. Processes fingerprint/face data. | +| Touch ID/Face ID sensors | Data for authentication kept in secure enclave on device. | +## App Security + +| Feature | Description | +| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Mandatory Code Signing | All apps must be signed with an apple-issued ID certificate | +| Sandboxing | Each app executes in its own sandbox to prevent access to other application's data. 3rd party apps and the majority of iOS run under a non-privileged *'mobile'* user. Inter-app communication on facilitated through iOS APIs. | +| Entitlements | Access to user information (e.g. 
camera, bluetooth, internet) is declared by the app (fixed, and part of the app's signature), some must be dynamically requested (e.g. location). | +| Encryption | Apps can use iOS APIs to use built-in hardware encryption. | +| System Extension Points | Extensions (e.g. 3rd party filter for the camera app) run as their own processes (isolated from the extended application). | diff --git a/70024 - Software Reliability/Black-Box Fuzzing.md b/70024 - Software Reliability/Black-Box Fuzzing.md index 0e2224a..1806ce5 100644 --- a/70024 - Software Reliability/Black-Box Fuzzing.md +++ b/70024 - Software Reliability/Black-Box Fuzzing.md @@ -1,4 +1,4 @@ -## Definition +its ## Definition The [[SUT]] is executed in an unmodified form (no sanitizers or coverage added). ### Advantages - Can be applied to closed source [[SUT]] diff --git a/70024 - Software Reliability/Coverage Criteria.md b/70024 - Software Reliability/Coverage Criteria.md new file mode 100644 index 0000000..3a07d2c --- /dev/null +++ b/70024 - Software Reliability/Coverage Criteria.md 
@@ -0,0 +1,96 @@ +## Definition +Criteria used to measure the progress of a testing/fuzzing campaign. +## Black Box Coverage +Based on a specification (e.g. behaviour of a public API) without knowledge of the programs internal structure. +- Works when code is unavailable (black box) +- Can uncover unimplemented parts of the specification (e.g. postconditions on public library function incorrect) +## White Box Coverage +Based on a the code / internal knowledge (control & data flow, logic). +```C +int foo(int x, int y) { + if (x > 0) + printf("A"); + else + printf("B"); + if (y < 10 || y > 20) + printf("C") + else + printf("D") +} +``` + +| Coverage Measure | Description | 100% Coverage | Tests for Example 100% Coverage | +| ------------------------------ | ----------------------------------------------------------------------------------------- | ------------------------------- | ------------------------------------------------------------------ | +| Function | How many/which functions are called | No unreachable functions | Any test (1) | +| Instruction / Statement / Line | Instructions hit during execution | No unreachable code | `(10,0)` and `(-10, 15)` to get `A,C` and `B, D` | +| Branch / Decision | How many branches covered (with each side of the conditional) | No dead branches | *Same as instruction coverage* | +| Path Coverage | How many possible paths are covered (can be bounded on loops, e.g. 0, 1 or >1 iterations) | verification (full, or bounded) | `(10,0)`, `(-10, 15)`, `(10, 15)`, `(-10, 0)` (all possible paths) | +*Note: Cost increasing in descending order* +### Condition Coverage +A condition is an atomic clause in a logical predicate. Condition coverage is the number of condition outcomes exercised. 
+```C +if ( (x > y) || ( (x < 0) && (y > 0) ) ) // x > y, x < 0, y > 0 are atoms + +// Given the tests +{.x=1, .y=0} +{.x=0, .y=1} +``` + +| Short Circuiting | Conditions | Coverage | +| ---------------- | ----------------------------------------------------------- | ------------------------------------------------------------------------------------ | +| On | $\top \lor (\bot \land \bot)$, $\bot \lor(\bot \land \top)$ | $\cfrac{5}{6}$ as $x>y$ and $y>0$ both get $\top/\bot$ and $x < 0$ gets $\bot$ only. | +| Off | $\top \lor (\_ \land \_ )$, $\bot \lor (\bot \land \_)$ | $\cfrac{3}{6}$ as $x>y$ gets \bot/\top$ and $x < 0$ gets $\bot$ | +### Multiple Condition Coverage +Take all possible combinations (in general $\approx 2^N$ for $N$ conditions). + +| Short Circuiting | Conditions | Coverage | +| ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | +| On | $\top \lor (\_ \land \_)$, $\bot \lor (\bot \land \_)$, $\bot \lor (\top \land \top)$, $\bot \lor (\top \land \bot)$ | $\cfrac{2}{4}$ | +| Off | $\bot \lor (\bot \land \bot)$, $\bot \lor (\bot \land \top)$, $\bot \lor (\top \land \bot)$, $\bot \lor (\top \land \top)$,$\top \lor (\bot \land \bot)$, $\top \lor (\bot \land \top)$, $\top \lor (\top \land \bot)$, $\top \lor (\top \land \top)$ | $\cfrac{2}{8}$ | +### Modified Condition/Decision Coverage +Decision coverage $+$ Condition Coverage $+$ Must show each atomic condition independently influences the branch outcome. +$$\text{MC/DC Coverage} = \text{Percentage of conditions that meet MCDC criteria}$$ +In general $n+1$ tests are required for $n$ atoms, to pairs of test cases where only one atom changes, and the result of the condition changes. 
+ +| Test | $x$ | $y$ | $x>y$ | $x < 0$ | $y > 0$ | Branch | +| ---- | --- | --- | ------ | ------- | ------- | ------ | +| T1 | 1 | 1 | $\bot$ | $\bot$ | $\top$ | $\bot$ | +| T2 | 2 | 1 | $\top$ | $\bot$ | $\top$ | $\top$ | +| T3 | -1 | 1 | $\bot$ | $\top$ | $\top$ | $\top$ | +| T4 | -1 | 0 | $\bot$ | $\top$ | $\bot$ | $\bot$ | +The test cases demonstrate that each condition does independently affect the branch outcome. +- T1 $\to$ T2 shows $x > y$ changes branch outcome +- T3 $\to$ T4 shows $y > 0$ changes branch outcome +- T1 $\to$ T3 shows $x < 0$ changes the branch outcome +### Data Flow Coverage +```C +int foo(int x /* def(x, 1) */) { + while (X > 0) { // use(x, 1) + x = x - 1; // def(x, 2), use(x, 2) + } +} +``` +We have the pairs: +$$\begin{split} +P1 : & \ def_1(x) \to use_1(x) \\ +P2 : & \ def_1(x) \to use_2(x) \\ +P3: & \ def_2(x) \to use_1(x) \\ +P4: & \ def_2(x) \to use_2(x) \\ +\end{split}$$ +When $x \geq 2$ we get all data flows, when $x = 1$ we only get $P1, P2, P3$, and when $x = 0$ we only get $P1$. +### Mutation-Based Coverage +We use a [[Mutation-Based Fuzzer]] and apply small transformations to the program. +- Aim to generate a test that has different behaviour between the original and mutated programs +- Can apply many mutations, on top of mutations (Higher Order Mutants) +Mutants are *killed* when a test results in differing behaviour to the original. + +| Type | Description | +| --------------- | -------------------------------------------------------------------------------------------------- | +| Strongly Killed | Different program outputs | +| Weakly Killed | Different program states (an internal component computes a different value, but outputs unchanged) | +$$\text{Mutation Coverage} = \cfrac{\text{Killed Mutants}}{\text{Total Mutants}}$$ +Mutants not killed are *surviving mutants*. + +Main issues +- *Equivalent Mutants* (Syntactically different, semantically identical) to the original, can never be killed. 
Determining if it is identical is undecidable in the general case. +- *Indistinguishable Mutants* (equivalent mutants, but to another mutant rather than the original), as many can be killed, but are actually identical, this can inflate the mutation score above what it would be if *Indistinguishable Mutants* could be eliminated. diff --git a/70024 - Software Reliability/Dynamic Analysis.md b/70024 - Software Reliability/Dynamic Analysis.md index 10d5b64..906e76c 100644 --- a/70024 - Software Reliability/Dynamic Analysis.md +++ b/70024 - Software Reliability/Dynamic Analysis.md @@ -4,10 +4,10 @@ Analysis of behaviour collected from running programs. - [[70024 - Software Reliability/Symbolic Execution]] - alternative to [[Static Analysis]] -| Advantage | Description | -| ---- | ---- | -| Precise | No false positives - the behaviour observed **is** from the program's execution. | -| Scalable | Can instrument software and deploy at scale (performance is proportional to regular execution). | +| Advantage | Description | +| --------- | ----------------------------------------------------------------------------------------------- | +| Precise | No false positives - the behaviour observed **is** from the program's execution. | +| Scalable | Can instrument software and deploy at scale (performance is proportional to regular execution). | | Disadvantage | Description | | ---- | ---- | diff --git a/70024 - Software Reliability/Mutation Testing.md b/70024 - Software Reliability/Mutation Testing.md new file mode 100644 index 0000000..e69de29 diff --git a/70024 - Software Reliability/Mutation-Based Fuzzer.md b/70024 - Software Reliability/Mutation-Based Fuzzer.md index 48c63ff..aabcf1c 100644 --- a/70024 - Software Reliability/Mutation-Based Fuzzer.md +++ b/70024 - Software Reliability/Mutation-Based Fuzzer.md 
@@ -1,3 +1,3 @@ ## Definition -A [[fuzzer|Fuzzing]] that produces inputs by modifying or combining existing inputs. +A [[fuzzer|Fuzzing]] that produces inputs by modifying or combining existing inputs. A kind of [[Mutation Testing]] diff --git a/70024 - Software Reliability/Random Program Generation.md b/70024 - Software Reliability/Random Program Generation.md index 835aafd..7fe13db 100644 --- a/70024 - Software Reliability/Random Program Generation.md +++ b/70024 - Software Reliability/Random Program Generation.md @@ -34,5 +34,5 @@ By being less conservative about [[Undefined Behaviour]] (and language semantics - Generating expressions that could contain [[Undefined Behaviour]] The weakened constraints are weighted (e.g. allow null ptr dereference in $\approx10\%$ of generated programs). -A volation of a short circuiting rule for modulus/ `%` was found, that required the removal of safe wrappers which included bracketing that disuaded the compiler from optimising incorrectly. +A violation of a short circuiting rule for modulus/ `%` was found, that required the removal of safe wrappers which included bracketing that dissuaded the compiler from optimising incorrectly.
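Review bot: In `Internet of Things Security.md`, the App Over-Privilege row ends with an empty example, `(e.g. )`, and the LAN Mistrust row is a fragment ("Where IoT devices that rely on local network based authentication") that never states what the device wrongly assumes. Fill in or drop the example, and finish the LAN Mistrust sentence so it reads like the Environment Mistrust row beside it. In the same table, `Weak Athentication` and `to connected` are typos.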
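Review bot: The only added line in the `Multi-Level Security.md` hunk, `+revmans`, is not a list item and has no connection to the managed-profiles bullets it follows; it looks like stray keystrokes saved into the note, and it also leaves the file without a trailing newline. Drop the line, or replace it with the bullet that was intended.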
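Review bot: `Voice Assistant Exploit.md` is created containing only `[[TODO]]`, yet both `Acoustic Attacks.md` and `Skill Squatting.md` in this same patch open by defining themselves as "A type of [[Voice Assistant Exploit]]". The parent note should carry at least a one-line description and links back to the two child notes, otherwise both definitions point at a placeholder.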
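Review bot: Under `## System Security` in `iOS Security.md`, the sentence "Hardware Root of Trust (immutable code in the boot rom) ensures" stops at the verb, so the table that follows has no stated relation to it. Complete the sentence or reword it as a lead-in to the table. In the structure table, the Media Layer row is described as "Foundational framework, object oriented collections, file management, network.", which names nothing media-related and overlaps the Core OS & Services row above it; check the description is on the right row. `Inter-app communication on facilitated` should read `is facilitated`.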
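Review bot: The heading line in `Black-Box Fuzzing.md` changes from `## Definition` to `its ## Definition`. With text in front of the `##` the line no longer starts with the heading marker, so it renders as a paragraph and the sub-headings under it lose their parent. This looks like an accidental edit; revert the line.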
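Review bot: In the Condition Coverage table of `Coverage Criteria.md`, the Short Circuiting labels look swapped. The `On` row evaluates every atom ($\top \lor (\bot \land \bot)$, giving 5/6) while the `Off` row carries the skipped atoms `\_` (giving 3/6), which is the reverse of the Multiple Condition Coverage table directly below, where `On` is the row containing `\_`. Swap the two labels so both tables agree. The same `Off` cell has `gets \bot/\top$` with its opening `$` missing, so the math will not render. The C snippets also need a pass: `printf("C")` and `printf("D")` lack semicolons, the data-flow example tests `while (X > 0)` against a parameter named `x`, and both `foo` definitions are declared `int` but return nothing. Smaller wording slips in the same hunk: "Based on a the code", "the programs internal structure", and "to pairs of test cases" in the MC/DC paragraph.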
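Review bot: The sentence added in `Mutation-Based Fuzzer.md`, "A kind of [[Mutation Testing]]", conflicts with the definition on the same line, which says the fuzzer "produces inputs by modifying or combining existing inputs", whereas the Mutation-Based Coverage section added in `Coverage Criteria.md` applies "small transformations to the program" and counts killed mutants. Mutating inputs and mutating the program under test are different techniques, so the two notes should not be linked as kind-of. Suggest dropping the sentence (or rewording it as a "not to be confused with" pointer) and having the Mutation-Based Coverage section link to [[Mutation Testing]] rather than [[Mutation-Based Fuzzer]]. Note also that `Mutation Testing.md` is created empty in this patch (index `e69de29`, 0 lines in the diffstat), so the new link currently resolves to a blank note.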