Security Failures in Modern Software

Thumbnail Image
Journal Title
Journal ISSN
Volume Title
School of Science | Doctoral thesis (article-based) | Defence date: 2021-04-27
Degree programme
66 + app. 82
Aalto University publication series DOCTORAL DISSERTATIONS, 46/2021
Security vulnerabilities are a major concern for software developers. Some vulnerabilities are simple software bugs, while others result from fundamental changes in the software architecture and the underlying technologies. This dissertation studies the security concerns that arise from these ongoing architectural developments in modern software. A major change in software systems over time has been the shift towards more distributed architectures. This development takes place on several levels. One of the most prominent changes has been the transformation of cloud applications towards a microservice architecture, in which loosely-coupled software modules communicate over the network through well-defined APIs. This architecture enables each module to be developed and operated independently. Moreover, the APIs can be opened for third parties to build add-on features. A similar architectural transformation can also be seen in desktop applications. Instead of running as a single computer program, many follow the client-server architecture and have separate frontend and backend components. The components run on the same computer and connect to each other through inter-process communication (IPC). There have also been changes to the underlying networking technologies. In enterprise and data-center networks, the traditional network paradigm is gradually replaced with software-defined networking (SDN) for more flexibility and control. Regular users, on the other hand, have adopted virtual private networks (VPN), which were initially developed for corporate networking, as a solution for enhanced security and privacy in the distributed software world. The contributions of this dissertation include discovery of several new types of security failures in modern software, and empirical analysis of these vulnerabilities in deployed software products. We study the security of third-party add-ons in cloud applications and explain how they can bring cross-site scripting vulnerabilities to the applications. We show that such vulnerabilities appear widely in the wild. We also study the security of IPC between software components inside the computer and show that desktop application developers have overlooked critical security issues. We find IPC in many applications, including password managers, security tokens, and cryptocurrency wallets, to be vulnerable to impersonation and man-in-the-middle attacks mounted by local attackers. Furthermore, we study the security of SDN with focus on topology poisoning attacks by compromised network elements. We also examine commercial VPN services and identify several configuration flaws in the VPN clients. Finally, we analyze the potential solutions of each type of vulnerability.
Supervising professor
Aura, Tuomas, Prof., Aalto University, Department of Computer Science, Finland
Thesis advisor
Antikainen, Markku, Dr., Aalto University, Finland
inter-process communication, cloud-application add-ons, virtual private network (VPN), software-defined networking (SDN)
Other note
  • [Publication 1]: Thanh Bui, Siddharth Rao, Markku Antikainen, Viswanathan Bojan, Tuomas Aura. Man-in-the-Machine: Exploiting Ill-Secured Communication Inside the Computer. In 27th USENIX Security Symposium (USENIX Security 18), pp. 1511–1525, August 2018.
    Full text in Acris/Aaltodoc:
  • [Publication 2]: Thanh Bui, Siddharth Rao, Markku Antikainen, Tuomas Aura. Pitfalls of Open Architecture: How Friends Can Exploit Your Cryptocurrency Wallet. In Proceedings of the 12th ACM European Workshop on Systems Security, pp. 1–6, March 2019.
    DOI: 10.1145/3301417.3312495 View at publisher
  • [Publication 3]: Thanh Bui, Siddharth Rao, Markku Antikainen, Tuomas Aura. Client-side Vulnerabilities in Commercial VPNs. In 24th Nordic Conference on Secure IT Systems, LNCS vol. 11875, pp. 103–119, November 2019.
    DOI: 10.1007/978-3-030-35055-0_7 View at publisher
  • [Publication 4]: Thanh Bui, Siddharth Rao, Markku Antikainen, Tuomas Aura. XSS Vulnerabilities in Cloud-Application Add-ons. In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, pp. 610–621, October 2020.
    DOI: 10.1145/3320269.3384744 View at publisher
  • [Publication 5]: Thanh Bui, Markku Antikainen, Tuomas Aura. Analysis of Topology Poisoning Attacks in Software-Defined Networking. In 24th Nordic Conference on Secure IT Systems, LNCS vol. 11875, pp. 87–102, November 2019.
    DOI: 10.1007/978-3-030-35055-0_6 View at publisher