With the rapid development of information technology,audit objects and audit itself are more and more inseparable from software.As an important means of software security audit,code security audit will become an impor...With the rapid development of information technology,audit objects and audit itself are more and more inseparable from software.As an important means of software security audit,code security audit will become an important aspect of future audit that cannot be ignored.However,the existing code security audit ismainly based on source code,which is difficult to meet the audit needs of more and more programming languages and binary commercial software.Based on the idea of normalized transformation,this paper constructs a cross language code security audit framework(CLCSA).CLCSA first uses compile/decompile technology to convert different highlevel programming languages and binary codes into normalized representation,and then usesmachine learning technology to build a cross language code security audit model based on normalized representation to evaluate code security and find out possible code security vulnerabilities.Finally,for the discovered vulnerabilities,the heuristic search strategy will be used to find the best repair scheme from the existing normalized representation sample library for automatic repair,which can improve the effectiveness of code security audit.CLCSA realizes the normalized code security audit of different types and levels of code,which provides a strong support for improving the breadth and depth of code security audit.展开更多
Secure Coding is an indispensable part of the undergraduate training program for Information Security Major.As a basic course for undergraduates to carry out project engineering,its importance is self-evident.In the a...Secure Coding is an indispensable part of the undergraduate training program for Information Security Major.As a basic course for undergraduates to carry out project engineering,its importance is self-evident.In the actual teaching activities,the program design courses have to be solved in terms of content update,practical ability improvement and scientific research project,so the curriculum reform is imperative.This paper analyses the main problems existing in the Secure Coding course,explores the solution,proposes teaching methods,and gives the evaluation method.The practice shows that the reform exploration can obtain good teaching results.展开更多
Under the assumption that the wiretapper can get at most r(r < n) independent messages, Cai et al. showed that any rate n multicast code can be modified to another secure network code with transmitting rate n- r by...Under the assumption that the wiretapper can get at most r(r < n) independent messages, Cai et al. showed that any rate n multicast code can be modified to another secure network code with transmitting rate n- r by a properly chosen matrix Q^(-1). They also gave the construction for searching such an n × n nonsingular matrix Q. In this paper, we find that their method implies an efficient construction of Q. That is to say, Q can be taken as a special block lower triangular matrix with diagonal subblocks being the(n- r) ×(n- r)and r × r identity matrices, respectively. Moreover, complexity analysis is made to show the efficiency of the specific construction.展开更多
In the absence of specialized encryption hardware,cryptographic operationsmust be performed in main memory.As such,it is common place for cybercriminals to examine the content of main memory with a view to retrievingh...In the absence of specialized encryption hardware,cryptographic operationsmust be performed in main memory.As such,it is common place for cybercriminals to examine the content of main memory with a view to retrievinghigh-value data in plaintext form and/or the associated decryption key.Inthis paper,the author presents a number of simple methods for identifyingand extracting crypfographic keys from memory dumps of softwareapplications that utilize the Microsoft.NET Framework,as well as source-code level countermeasures to protect against same.Given the EXE file ofan application and a basic knowledge of the cryptographic libraries utilizedin the NET Framework,the author shows how to create a memory dumpof a running application and how to extract cryptographic keys from sameusing WinDBG-without any prior knowledgel of the cryptographic keyutilized.Whilst the proof-of-concept application utilized as part of thispaper uses an implementation of the DES cipher,it should be noted that thesteps shown can be utilized against all three generations of symmetric andasymmetric ciphers supported within the NET Framework.展开更多
Software vulnerabilities,when actively exploited by malicious parties,can lead to catastrophic consequences.Proper handling of software vulnerabilities is essential in the industrial context,particularly when the soft...Software vulnerabilities,when actively exploited by malicious parties,can lead to catastrophic consequences.Proper handling of software vulnerabilities is essential in the industrial context,particularly when the software is deployed in critical infrastructures.Therefore,several industrial standards mandate secure coding guidelines and industrial software developers’training,as software quality is a significant contributor to secure software.CyberSecurity Challenges(CSC)form a method that combines serious game techniques with cybersecurity and secure coding guidelines to raise secure coding awareness of software developers in the industry.These cybersecurity awareness events have been used with success in industrial environments.However,until now,these coached events took place on-site.In the present work,we briefly introduce cybersecurity challenges and propose a novel platform that allows these events to take place online.The introduced cybersecurity awareness platform,which the authors call Sifu,performs automatic assessment of challenges in compliance to secure coding guidelines,and uses an artificial intelligence method to provide players with solution-guiding hints.Furthermore,due to its characteristics,the Sifu platform allows for remote(online)learning,in times of social distancing.The CyberSecurity Challenges events based on the Sifu platform were evaluated during four online real-life CSC events.We report on three surveys showing that the Sifu platform’s CSC events are adequate to raise industry software developers awareness on secure coding.展开更多
Software vulnerabilities,when actively exploited by malicious parties,can lead to catastrophic consequences.Proper handling of software vulnerabilities is essential in the industrial context,particularly when the soft...Software vulnerabilities,when actively exploited by malicious parties,can lead to catastrophic consequences.Proper handling of software vulnerabilities is essential in the industrial context,particularly when the software is deployed in critical infrastructures.Therefore,several industrial standards mandate secure coding guidelines and industrial software developers’training,as software quality is a significant contributor to secure software.CyberSecurity Challenges(CSC)form a method that combines serious game techniques with cybersecurity and secure coding guidelines to raise secure coding awareness of software developers in the industry.These cybersecurity awareness events have been used with success in industrial environments.However,until now,these coached events took place on-site.In the present work,we briefly introduce cybersecurity challenges and propose a novel platform that allows these events to take place online.The introduced cybersecurity awareness platform,which the authors call Sifu,performs automatic assessment of challenges in compliance to secure coding guidelines,and uses an artificial intelligence method to provide players with solution-guiding hints.Furthermore,due to its characteristics,the Sifu platform allows for remote(online)learning,in times of social distancing.The CyberSecurity Challenges events based on the Sifu platform were evaluated during four online real-life CSC events.We report on three surveys showing that the Sifu platform’s CSC events are adequate to raise industry software developers awareness on secure coding.展开更多
This paper considers the use of polar codes to enable secure transmission over parallel relay channels.By exploiting the properties of polar codes over parallel channels, a polar encoding algorithm is designed based o...This paper considers the use of polar codes to enable secure transmission over parallel relay channels.By exploiting the properties of polar codes over parallel channels, a polar encoding algorithm is designed based on Channel State Information(CSI) between the legitimate transmitter(Alice) and the legitimate receiver(Bob).Different from existing secure transmission schemes, the proposed scheme does not require CSI between Alice and the eavesdropper(Eve). The proposed scheme is proven to be reliable and shown to be capable of transmitting information securely under Amplify-and-Forward(AF) relay protocol, thereby providing security against passive and active attackers.展开更多
Network coding is vulnerable to pollution at- tacks, which prevent receivers from recovering the source message correctly. Most existing schemes against pollution attacks either bring significant redundancy to the ori...Network coding is vulnerable to pollution at- tacks, which prevent receivers from recovering the source message correctly. Most existing schemes against pollution attacks either bring significant redundancy to the original message or require a high computational complexity to ver- ify received blocks. In this paper, we propose an efficient scheme against pollution attacks based on probabilistic key pre-distribution and homomorphic message authentication codes (MACs). In our scheme, each block is attached with a small number of MACs and each node can use these MACs to verify the integrity of the corresponding block with a high probability. Compared to previous schemes, our scheme still leverages a small number of keys to generate MACs for each block, but more than doubles the detection probability. Mean- while, our scheme is able to efficiently restrict pollution prop- agation within a small number of hops. Experimental results show that our scheme is more efficient in verification than existing ones based on public-key cryptography.展开更多
基金This work was supported by the Universities Natural Science Research Project of Jiangsu Province under Grant 20KJB520026the Natural Science Foundation of Jiangsu Province under Grant BK20180821.
文摘With the rapid development of information technology,audit objects and audit itself are more and more inseparable from software.As an important means of software security audit,code security audit will become an important aspect of future audit that cannot be ignored.However,the existing code security audit ismainly based on source code,which is difficult to meet the audit needs of more and more programming languages and binary commercial software.Based on the idea of normalized transformation,this paper constructs a cross language code security audit framework(CLCSA).CLCSA first uses compile/decompile technology to convert different highlevel programming languages and binary codes into normalized representation,and then usesmachine learning technology to build a cross language code security audit model based on normalized representation to evaluate code security and find out possible code security vulnerabilities.Finally,for the discovered vulnerabilities,the heuristic search strategy will be used to find the best repair scheme from the existing normalized representation sample library for automatic repair,which can improve the effectiveness of code security audit.CLCSA realizes the normalized code security audit of different types and levels of code,which provides a strong support for improving the breadth and depth of code security audit.
文摘Secure Coding is an indispensable part of the undergraduate training program for Information Security Major.As a basic course for undergraduates to carry out project engineering,its importance is self-evident.In the actual teaching activities,the program design courses have to be solved in terms of content update,practical ability improvement and scientific research project,so the curriculum reform is imperative.This paper analyses the main problems existing in the Secure Coding course,explores the solution,proposes teaching methods,and gives the evaluation method.The practice shows that the reform exploration can obtain good teaching results.
基金Supported by the National Natural Science Foundation of China(61201253)
文摘Under the assumption that the wiretapper can get at most r(r < n) independent messages, Cai et al. showed that any rate n multicast code can be modified to another secure network code with transmitting rate n- r by a properly chosen matrix Q^(-1). They also gave the construction for searching such an n × n nonsingular matrix Q. In this paper, we find that their method implies an efficient construction of Q. That is to say, Q can be taken as a special block lower triangular matrix with diagonal subblocks being the(n- r) ×(n- r)and r × r identity matrices, respectively. Moreover, complexity analysis is made to show the efficiency of the specific construction.
文摘In the absence of specialized encryption hardware,cryptographic operationsmust be performed in main memory.As such,it is common place for cybercriminals to examine the content of main memory with a view to retrievinghigh-value data in plaintext form and/or the associated decryption key.Inthis paper,the author presents a number of simple methods for identifyingand extracting crypfographic keys from memory dumps of softwareapplications that utilize the Microsoft.NET Framework,as well as source-code level countermeasures to protect against same.Given the EXE file ofan application and a basic knowledge of the cryptographic libraries utilizedin the NET Framework,the author shows how to create a memory dumpof a running application and how to extract cryptographic keys from sameusing WinDBG-without any prior knowledgel of the cryptographic keyutilized.Whilst the proof-of-concept application utilized as part of thispaper uses an implementation of the DES cipher,it should be noted that thesteps shown can be utilized against all three generations of symmetric andasymmetric ciphers supported within the NET Framework.
文摘Software vulnerabilities,when actively exploited by malicious parties,can lead to catastrophic consequences.Proper handling of software vulnerabilities is essential in the industrial context,particularly when the software is deployed in critical infrastructures.Therefore,several industrial standards mandate secure coding guidelines and industrial software developers’training,as software quality is a significant contributor to secure software.CyberSecurity Challenges(CSC)form a method that combines serious game techniques with cybersecurity and secure coding guidelines to raise secure coding awareness of software developers in the industry.These cybersecurity awareness events have been used with success in industrial environments.However,until now,these coached events took place on-site.In the present work,we briefly introduce cybersecurity challenges and propose a novel platform that allows these events to take place online.The introduced cybersecurity awareness platform,which the authors call Sifu,performs automatic assessment of challenges in compliance to secure coding guidelines,and uses an artificial intelligence method to provide players with solution-guiding hints.Furthermore,due to its characteristics,the Sifu platform allows for remote(online)learning,in times of social distancing.The CyberSecurity Challenges events based on the Sifu platform were evaluated during four online real-life CSC events.We report on three surveys showing that the Sifu platform’s CSC events are adequate to raise industry software developers awareness on secure coding.
文摘Software vulnerabilities,when actively exploited by malicious parties,can lead to catastrophic consequences.Proper handling of software vulnerabilities is essential in the industrial context,particularly when the software is deployed in critical infrastructures.Therefore,several industrial standards mandate secure coding guidelines and industrial software developers’training,as software quality is a significant contributor to secure software.CyberSecurity Challenges(CSC)form a method that combines serious game techniques with cybersecurity and secure coding guidelines to raise secure coding awareness of software developers in the industry.These cybersecurity awareness events have been used with success in industrial environments.However,until now,these coached events took place on-site.In the present work,we briefly introduce cybersecurity challenges and propose a novel platform that allows these events to take place online.The introduced cybersecurity awareness platform,which the authors call Sifu,performs automatic assessment of challenges in compliance to secure coding guidelines,and uses an artificial intelligence method to provide players with solution-guiding hints.Furthermore,due to its characteristics,the Sifu platform allows for remote(online)learning,in times of social distancing.The CyberSecurity Challenges events based on the Sifu platform were evaluated during four online real-life CSC events.We report on three surveys showing that the Sifu platform’s CSC events are adequate to raise industry software developers awareness on secure coding.
基金supported in part by the National Natural Science Foundation of China(No.61371075)Beijing Municipal Science and Technology Project(No.D171100006317001)
文摘This paper considers the use of polar codes to enable secure transmission over parallel relay channels.By exploiting the properties of polar codes over parallel channels, a polar encoding algorithm is designed based on Channel State Information(CSI) between the legitimate transmitter(Alice) and the legitimate receiver(Bob).Different from existing secure transmission schemes, the proposed scheme does not require CSI between Alice and the eavesdropper(Eve). The proposed scheme is proven to be reliable and shown to be capable of transmitting information securely under Amplify-and-Forward(AF) relay protocol, thereby providing security against passive and active attackers.
文摘Network coding is vulnerable to pollution at- tacks, which prevent receivers from recovering the source message correctly. Most existing schemes against pollution attacks either bring significant redundancy to the original message or require a high computational complexity to ver- ify received blocks. In this paper, we propose an efficient scheme against pollution attacks based on probabilistic key pre-distribution and homomorphic message authentication codes (MACs). In our scheme, each block is attached with a small number of MACs and each node can use these MACs to verify the integrity of the corresponding block with a high probability. Compared to previous schemes, our scheme still leverages a small number of keys to generate MACs for each block, but more than doubles the detection probability. Mean- while, our scheme is able to efficiently restrict pollution prop- agation within a small number of hops. Experimental results show that our scheme is more efficient in verification than existing ones based on public-key cryptography.
