Security Failures in Modern Software

dc.contributor: Aalto-yliopisto (fi)
dc.contributor: Aalto University (en)
dc.contributor.advisor: Antikainen, Markku, Dr., Aalto University, Finland
dc.contributor.author: Bui, Thanh
dc.contributor.department: Tietotekniikan laitos (fi)
dc.contributor.department: Department of Computer Science (en)
dc.contributor.school: Perustieteiden korkeakoulu (fi)
dc.contributor.school: School of Science (en)
dc.contributor.supervisor: Aura, Tuomas, Prof., Aalto University, Department of Computer Science, Finland
dc.date.accessioned: 2021-04-14T09:00:08Z
dc.date.available: 2021-04-14T09:00:08Z
dc.date.defence: 2021-04-27
dc.date.issued: 2021
dc.description.abstract (en): Security vulnerabilities are a major concern for software developers. Some vulnerabilities are simple software bugs, while others result from fundamental changes in the software architecture and the underlying technologies. This dissertation studies the security concerns that arise from these ongoing architectural developments in modern software. A major change in software systems over time has been the shift towards more distributed architectures. This development takes place on several levels. One of the most prominent changes has been the transformation of cloud applications towards a microservice architecture, in which loosely coupled software modules communicate over the network through well-defined APIs. This architecture enables each module to be developed and operated independently. Moreover, the APIs can be opened to third parties to build add-on features. A similar architectural transformation can also be seen in desktop applications. Instead of running as a single computer program, many follow the client-server architecture and have separate frontend and backend components. The components run on the same computer and connect to each other through inter-process communication (IPC). There have also been changes to the underlying networking technologies. In enterprise and data-center networks, the traditional network paradigm is gradually being replaced with software-defined networking (SDN) for more flexibility and control. Regular users, on the other hand, have adopted virtual private networks (VPN), which were initially developed for corporate networking, as a solution for enhanced security and privacy in the distributed software world. The contributions of this dissertation include the discovery of several new types of security failures in modern software and an empirical analysis of these vulnerabilities in deployed software products.
We study the security of third-party add-ons in cloud applications and explain how they can introduce cross-site scripting vulnerabilities into the applications. We show that such vulnerabilities appear widely in the wild. We also study the security of IPC between software components inside the computer and show that desktop application developers have overlooked critical security issues. We find IPC in many applications, including password managers, security tokens, and cryptocurrency wallets, to be vulnerable to impersonation and man-in-the-middle attacks mounted by local attackers. Furthermore, we study the security of SDN with a focus on topology poisoning attacks by compromised network elements. We also examine commercial VPN services and identify several configuration flaws in the VPN clients. Finally, we analyze potential solutions to each type of vulnerability.
dc.format.extent: 66 + app. 82
dc.format.mimetype: application/pdf (en)
dc.identifier.isbn: 978-952-64-0327-4 (electronic)
dc.identifier.isbn: 978-952-64-0326-7 (printed)
dc.identifier.issn: 1799-4942 (electronic)
dc.identifier.issn: 1799-4934 (printed)
dc.identifier.issn: 1799-4934 (ISSN-L)
dc.identifier.uri: https://aaltodoc.aalto.fi/handle/123456789/104934
dc.identifier.urn: URN:ISBN:978-952-64-0327-4
dc.language.iso: en
dc.opn: Lagerström, Robert, Assoc. Prof., KTH Royal Institute of Technology, Sweden
dc.publisher: Aalto University (en)
dc.publisher: Aalto-yliopisto (fi)
dc.relation.haspart: [Publication 1]: Thanh Bui, Siddharth Rao, Markku Antikainen, Viswanathan Bojan, Tuomas Aura. Man-in-the-Machine: Exploiting Ill-Secured Communication Inside the Computer. In 27th USENIX Security Symposium (USENIX Security 18), pp. 1511–1525, August 2018. Full text in Acris/Aaltodoc: http://urn.fi/URN:NBN:fi:aalto-201901301452.
dc.relation.haspart: [Publication 2]: Thanh Bui, Siddharth Rao, Markku Antikainen, Tuomas Aura. Pitfalls of Open Architecture: How Friends Can Exploit Your Cryptocurrency Wallet. In Proceedings of the 12th ACM European Workshop on Systems Security, pp. 1–6, March 2019. DOI: 10.1145/3301417.3312495
dc.relation.haspart: [Publication 3]: Thanh Bui, Siddharth Rao, Markku Antikainen, Tuomas Aura. Client-side Vulnerabilities in Commercial VPNs. In 24th Nordic Conference on Secure IT Systems, LNCS vol. 11875, pp. 103–119, November 2019. DOI: 10.1007/978-3-030-35055-0_7
dc.relation.haspart: [Publication 4]: Thanh Bui, Siddharth Rao, Markku Antikainen, Tuomas Aura. XSS Vulnerabilities in Cloud-Application Add-ons. In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, pp. 610–621, October 2020. DOI: 10.1145/3320269.3384744
dc.relation.haspart: [Publication 5]: Thanh Bui, Markku Antikainen, Tuomas Aura. Analysis of Topology Poisoning Attacks in Software-Defined Networking. In 24th Nordic Conference on Secure IT Systems, LNCS vol. 11875, pp. 87–102, November 2019. DOI: 10.1007/978-3-030-35055-0_6
dc.relation.ispartofseries: Aalto University publication series DOCTORAL DISSERTATIONS (en)
dc.relation.ispartofseries: 46/2021
dc.rev: Stock, Ben, Dr., CISPA Helmholtz Center for Information Security, Germany
dc.rev: Balzarotti, Davide, Prof., Eurecom, France
dc.subject.keyword: inter-process communication (en)
dc.subject.keyword: cloud-application add-ons (en)
dc.subject.keyword: virtual private network (VPN) (en)
dc.subject.keyword: software-defined networking (SDN) (en)
dc.subject.other: Computer science (en)
dc.title: Security Failures in Modern Software (en)
dc.type: G5 Artikkeliväitöskirja (fi)
dc.type.dcmitype: text (en)
dc.type.ontasot: Doctoral dissertation (article-based) (en)
dc.type.ontasot: Väitöskirja (artikkeli) (fi)
local.aalto.acrisexportstatus: checked 2021-05-18_1215
local.aalto.archive: yes
local.aalto.formfolder: 2021_04_13_klo_14_20
Files
Original bundle
Name: isbn9789526403274.pdf
Size: 515.08 KB
Format: Adobe Portable Document Format