List of the author's articles:

mohammadali hadavi

  • Ghodsieh Karimi*, Morteza Adeli, Mohammad Ali Hadavi

    With the ever-increasing use of RFID tags, the need for specific protocols to manage and communicate with these tags is growing. Among these, the object ownership transfer protocol, which ensures the security and privacy of objects for the new owner after a change of ownership, is of great importance. Recently, a lightweight object ownership transfer protocol has been proposed for RFID networks. This protocol uses a lightweight linear function to provide its security, and its designers claim that, while being lightweight, it is secure against known attacks. In this paper, we identify the weaknesses of the function used in this protocol and show that the protocol is vulnerable to the secret disclosure attack. We also show that with at most 4 × L executions of the protocol (L is the key length), the information needed to carry out this attack can be obtained by eavesdropping on the received data, and the shared keys used in the protocol can then be recovered.

    Keywords: RFID, object ownership transfer protocol, protocol security analysis, secret disclosure attack, lightweight protocol
    Ghodsieh Karimi*, Morteza Adeli, Mohammad Ali Hadavi

    With the increasing use of RFID tags, there is a need for specific protocols to communicate with these tags. Among these protocols, the ownership transfer stands out as it ensures the security and privacy of objects for the new owner after a change of ownership. Recently, a lightweight object ownership transfer protocol has been proposed for RFID networks. This protocol utilizes a lightweight linear function for security. The designers of the protocol claim that it is secure against known attacks while also being lightweight. In this paper, we identify vulnerabilities in the function used in this protocol and demonstrate that it is susceptible to the secret disclosure attack. We show that with at most 4 × L executions of the protocol (where L is the key length), one can obtain the necessary information from intercepted data to execute the attack and subsequently recover the shared keys used in the protocol.

    Keywords: RFID, Ownership Transfer Protocol, Security Analysis, Secret Disclosure Attack
  • Sara Moqimi*, MohammadAli Hadavi

    How vulnerabilities are exploited and what effects this has depends, alongside known patterns, on the capability of the attackers. The more capable the attacker, the greater the risk of threats and vulnerabilities. Therefore, the security analysis and evaluation of systems depends on the attacker's capability. In addition, knowing the attacker's capability level is directly related to the cost required for security and to applying security controls and measures proportionate to the attacker's capability. Accordingly, this paper targets modeling the attacker's capability. In this paper, relying on the payloads that the attacker injects to exploit injection vulnerabilities, we model the attacker's capability with the triple (Type, Technique, Point_Entry). The Type component represents the injection type, which comprises a known set of injection attack types that the attacker has used during the attack. The Technique component represents the techniques that the attacker has used during the attack, and the Point_Entry component denotes a set of known payload injection points. This model is used both for leveling and comparing attackers' capability and for leveling the security of a system with respect to the capability level of the attacker who can compromise its security. The results of the experimental evaluation show that the proposed model can be used to determine the attacker's capability level. Although the proposed model focuses on SQL injection attacks, it can be extended to many other attacks.

    Keywords: attacker capability level, SQL injection, injection type, injection technique, injection entry point, system security
    Sara Moqimi*, MohammadAli Hadavi

    How vulnerabilities are exploited and their damage potential are mainly affected by the capability of attackers. The more powerful the attacker, the greater the risk of threats and vulnerabilities. Therefore, the security analysis of a web application and the choice of risk mitigation countermeasures depend on the ability of the attackers who threaten the application. Focusing on SQL injection attacks, this paper aims to model the attacker’s capability for use in appropriate security evaluation and in choosing cost-effective security controls. We model the attacker’s capability with the triple ⟨Type, Technique, Entry_Point⟩. The value of each component of the triple is obtained from the payloads through which the attacker tries to exploit the injection vulnerabilities. The Type represents the injection type, including a known set of injection attack types, namely Error_based, Union_based, Boolean_based_Blind, etc. The Technique represents the techniques used by the attacker during the attack, e.g. using Special Character, using UNION, using Complex Query, using Encoding, etc. Finally, the Entry_Point represents the set of known injection entry points, including GET/POST method, Http_Variables, Frequenc_based_Primary_Application, etc. This model is used for leveling and comparing attackers’ capabilities as well as for leveling the security of a web application with respect to the level of the attacker who is able to compromise it. The results of the experimental evaluation show that the proposed model can be used to determine the attacker’s capability level. The model can be simply extended to attacks on other security vulnerabilities.

    Keywords: attacker’s capability, SQL injection, type of injection, injection technique, entry point, system security
  • Maryam Saeedi Sadr, MohammadAli Hadavi *

    The use of NoSQL data and its storage in the Cloud is growing rapidly. Due to the accumulation of data in the Cloud, data security against untrusted service providers as well as external attackers becomes a more serious problem. Over the past few years, there have been some efforts to secure the outsourcing of NoSQL data, especially column-based and document-based models. However, practical solutions for secure outsourcing of key-value databases have not been identified. This paper attempts to introduce SecureKV as a secure method for outsourcing key-value databases. This method employs a multi-Cloud storage scenario to preserve outsourced data confidentiality. Besides security issues, the proposed method supports executing major key-value queries directly on outsourced data. A prototype of the Redis database management system has been implemented to show the efficiency and effectiveness of the proposed method. The results imply that, besides security issues, it is efficient and scalable enough in executing key-value-specific queries.

    Keywords: NoSQL, Key-Value Database, Security, Confidentiality, Data Outsourcing, Query Processing, Multi-Cloud
  • Mojtaba Hemmati, Mohammad Ali Hadavi*

    Web application firewalls (WAFs) are used for protecting web applications from attacks such as SQL injection, cross-site request forgery, and cross-site scripting. As a result of the growing complexity of web attacks, WAFs need to be tested and updated on a regular basis. There are various tools and techniques to verify the correct performance of WAFs, but most of them are manual or use brute-force attacks, so they suffer from poor efficacy. In this work, we propose a solution based on Reinforcement Learning (RL) to discover malicious payloads that can bypass WAFs. We provide an RL framework with an environment compatible with OpenAI Gym toolset standards. This environment is employed for training agents to implement WAF circumvention tasks. The agent mutates the syntax of a malicious payload using a set of modification operators as actions, without changing its semantics. Then, upon the WAF's reaction to the payload, the environment ascertains a reward for the agent. Eventually, based on the rewards, the agent learns a suitable sequence of mutations for any malicious payload. The payloads that bypass the WAF can identify rule defects, which can be further used in rule tuning for rule-based WAFs. They can also enrich datasets for retraining machine learning-based WAFs. We use Q-learning, advantage actor-critic (A2C), and proximal policy optimization (PPO) algorithms with a deep neural network. Our solution is successful in evading signature-based and machine learning-based WAFs. While we focus on SQL injection in this work, the method can be simply extended to any string-based injection attack.

    Keywords: Adversarial Machine Learning, Reinforcement Learning, SQL Injection, Web Application Firewall (WAF)
  • MohammadAli Hadavi *, Arash Bagherdaei, Simin Ghasemi

    Automatic detection of access control violations in software applications is a challenging problem. Insecure Direct Object Reference (IDOR) is among the top-ranked vulnerabilities; it violates access control policies and cannot yet be detected by automated vulnerability scanners. While such tools may detect the absence of access control by static or dynamic testing, they cannot verify whether it is functioning properly when it is present. When a tool detects a request for access to an object, it is not aware of the access control policies needed to infer whether the request is permitted. This depends completely on the access control logic, and there is no automatic way to fully and precisely capture it from software behavior. Taking this challenge into consideration, this article proposes a black-box method to detect IDOR vulnerabilities in web applications without knowing the access control logic. To this end, we first gather information from the web application by a semi-automatic crawling process. Then, we tricksily manipulate legal requests to create effective attacks on the web application. Finally, we analyze the received responses to check whether the requests are vulnerable to IDOR. The detection process in the analysis phase is supported by our set theory based formal modeling of such vulnerabilities. The proposed method has been implemented as an IDOR detection tool (IDOT) and evaluated on a couple of vulnerable web applications. Evaluation results show that the method can effectively detect IDOR vulnerabilities provided that enough information is gathered in the crawling phase.

    Keywords: web application, Security, vulnerability, Access Control, Insecure Direct Object Reference (IDOR), parameter manipulation
  • Mohammadali Hadavi *, Samira Sadeghi

    Cross-Site Request Forgery (CSRF) is an attack in which an infected website causes a victim's browser to perform an unwanted operation on a trusted website. The main solution to tackle this attack is to use random tokens in the requests sent by the browser. Since such tokens cannot be guessed or rebuilt by the attacker, he is not able to forge the requests. The tokens can be specific to a request, a page, or a session. Existing methods for detecting CSRF vulnerabilities mainly rely on simulating an attack by manipulating a request, submitting it to the server, and analyzing the response to the forged request. This kind of test must be repeated for each request in a web application to identify whether the application is vulnerable. Moreover, it may lead to undesired changes to the application database by submitting fake requests. This paper presents a method to passively detect CSRF-resistant requests by analyzing the traffic to the target website. To this end, we formulate a set of rules to analyze the possible existence of anti-CSRF tokens. Traffic analysis based on the proposed rules outputs the requests that are resistant due to the use of random tokens. Consequently, the requests without such tokens are deduced to be potentially vulnerable. The proposed method is implemented and evaluated on traffic extracted from several websites. The results confirm that the method can effectively detect anti-CSRF tokens in requests, and that the more complete the website traffic, the more accurate the results.

    Keywords: Web Security, Vulnerability Detection, Cross-Site Request Forgery (CSRF), Anti-CSRF Token, Traffic Analysis
  • Simin Ghasemi*, Mohammad Ali Hadavi, Mina Niknafs
    proposed impose a high overhead, to the extent that using this scenario in the real world becomes impossible. Probabilistic approaches have been proposed to reduce the overhead associated with the verification process. In this research, we have used the notion of trust as the basis of our probabilistic method for efficient correctness verification of query results. The history of interactions between the server and the clients is the basis for computing trust in the server's behavior. In our approach, the Merkle hash tree data structure has been improved so that the degree of trust in the server causes only part of the tree to be used for verification. The implementation results of our method show that the degree of trust in the server, computed from the history of interactions, creates a trade-off between efficiency and security and has reduced the overhead imposed on the client.
    Keywords: database outsourcing, security, correctness verification of query results, trust, Merkle hash tree
    Simin Ghasemi *, Mohammad Ali Hadavi, Mina Niknafs
    Correctness verification of query results is a significant challenge in database outsourcing. Most of the proposed approaches impose high overhead, which makes them impractical in real scenarios. Probabilistic approaches are proposed in order to reduce the computation overhead pertaining to the verification process. In this paper, we use the notion of trust as the basis of our probabilistic approach to efficiently verify the correctness of query results. The trust is computed based on observing the history of interactions between clients and the service provider. Our approach exploits the Merkle Hash Tree as an authentication data structure. The trust value towards the service provider leads to investigating just an appropriate portion of the tree. Implementation results of our approach show that considering the trust, derived from the history of interactions, provides a trade-off between performance and security, and reduces the imposed overhead for both clients and the service provider in the database outsourcing scenario.
    Keywords: Database Outsourcing, Database Security, Correctness Verification, authentication data structure
  • Hadi Halvachi, Mohammad Ali Hadavi, Rasool Jalili
    Although data outsourcing provides many benefits, it suffers from privacy and security concerns such as enforcement of access control policies and confidentiality of stored sensitive data. Current encryption-based security solutions are inflexible in enforcing fine-grained access control policies, and the data owner must laboriously specify access control permissions per data item. Additionally, the current indexing methods disregard any control on accessing the relevant data and may cause information leakage. This paper proposes a novel indexing technique to enforce access control policies at the server side, based on the value of encrypted data. By exploiting this indexing method and selective encryption, we introduce an access control aware indexing technique, which we refer to as Inference Resistant Indexing Technique (IRIT). The proposed technique not only prevents leakage of information but also overcomes the overheads associated with a separate access control enforcement mechanism. Meanwhile, the overhead associated with updating access control policies is noticeably reduced. The paper provides a simulation of the proposed technique and a comparison with the alternative approaches to assess its performance.
    Keywords: Data Outsourcing, Secure Encrypted Data Indexing, Server-side Access Control Enforcement
  • Mohammad Ali Hadavi*, Rasool Jalili, Javad Ghareh Chamani
    Adoption of data outsourcing to cloud servers is hindered by data integrity issues due to the lack of trust in the servers. Existing solutions to deal with the problem often require costly verification processes to build a verification object (VO) at the server side and to verify it at the client side, especially when the verification is to be performed at a low level of granularity. This paper proposes an efficient and privacy-preserving solution, which verifies both the integrity and completeness of query results at the finest level of granularity — an individual attribute value. Outsourced data confidentiality is also preserved by securely dividing attribute values into several pieces. As a key novelty, our solution does not require building VOs at the server side for query results. Consequently, 1) no computation overhead is imposed on the server to construct VOs, 2) no change is required to the existing DBMS engines due to calculating VOs and accompanying them with the results, and 3) no information leakage occurs due to building or observing VOs by the server. Our theoretical and empirical analyses indicate the effectiveness of our solution compared to the existing solutions in terms of communication, query execution, and verification overheads.
    Keywords: Data Outsourcing, Correctness Verification, Verification Object, Multi, Secret Sharing
  • Morteza Noferesti *, Simin Ghasemi, Mohammad Ali Hadavi, Rasool Jalili
    Correctness verification of query results is an important security concern in data outsourcing scenarios. In previous approaches, the correctness verification was impossible in real applications due to its high overhead. A trust-based approach is proposed here to reduce the correctness verification overhead, which relies on the previous positive behavior of the service provider. A client maintains a trust value for the service provider showing the history of the service provider's comportment. Considering the trust value, the client selects a portion of the query result randomly, and forwards it toward the data owner as a result-proof request. The data owner responds to the result-proof request regarding its correctness using a bloom filter structure. Based on the result-proof response and the trust in the service provider, the client decides whether to accept or reject its query result. In terms of performance, this approach outperforms previous approaches since it does not contain signature overhead in the verification process (which is presented by simulation results). In terms of correctness, this approach is modeled using a transition system and the correctness properties are verified through the Linear Temporal Logic.
    Keywords: Data Outsourcing, Correctness Verification, Linear Temporal Logic, Bloom Filter
  • Somayeh Soltani, Mohammad Ali Hadavi, Rasool Jalili
    Database outsourcing is an idea to eliminate the burden of database management from organizations. Since data is a critical asset of organizations, preserving its privacy from outside adversaries and the untrusted server should be warranted. In this paper, we present a distributed scheme based on storing shares of data on different servers and separating indexes from data on a distinct server. Shamir's secret sharing scheme is used for distributing data to data share servers. A B+-tree index on the order preserved encrypted values for each searchable attribute is stored in the index server. To process a query, the client receives responses including record numbers from the index server and requests these records from the data share servers. The final result is computed by the client using data shares. While the proposed approach is secure against different database attacks, it supports exact match, range, aggregation, and pattern matching queries efficiently. Simulation results show the prominence of our approach in comparison with the bucketing scheme as it imposes lower computation and communication costs on the client.
    Keywords: Database Security, Database Outsourcing, Encrypted Database, Query on Encrypted Data