
Proceedings of the 16th International Conference on Availability, Reliability and Security: Latest Publications

PESTLE Analysis of Cybersecurity Education
Sara Ricci, V. Janout, S. Parker, J. Jerabek, J. Hajny, Argyro Chatzopoulou, Rémi Badonnel
Cybersecurity is a vital part of digital economies and digital governing but the discipline is suffering from a pronounced skills shortage. Nevertheless, the reasons for the inability of academia to produce enough graduates with the skills that reflect the needs of the cybersecurity industry are not well understood. In this article, we have analysed the skills shortages, gaps, and mismatches affecting cybersecurity education. We performed a Political, Economic, Social, Technological, Legal, and Environmental (PESTLE) analysis, which allowed us to have an overview of the cybersecurity education environment from multiple perspectives. The results of this analysis highlight 31 different factors affecting cybersecurity education on a European level. These factors were further analysed from the specific perspectives of 11 European countries. In this further analysis, particular attention was given to the linkages between the identified factors. This helped to reveal which factors are connected and to describe how they are mutually dependent. A statistical approach was used to depict the results in a more general and comprehensive way and facilitated the development of our conclusions. Our analysis identifies a lack of European coordination and cooperation towards a common cybersecurity framework as one of the main factors affecting cybersecurity education.
DOI: https://doi.org/10.1145/3465481.3469184 (published 2021-08-16)
Citations: 3
exHide: Hiding Data within the exFAT File System
J. Heeger, York Yannikos, M. Steinebach
Recently, steganographic techniques for hiding data in file system metadata gained focus. Tools for commonly used file systems were published but the exFAT file system did not get much attention – probably because its structure provides only few suitable locations to hide data. In this work we present two approaches to hide data in the exFAT file system. While the first approach is more flexible regarding embedding locations, it is rather fragile and provides a lower embedding rate. The second approach, called exHide, has stricter requirements for embedding, but is rather robust and provides a reasonable embedding rate. We describe the design of both approaches, evaluate them, and discuss their weaknesses and advantages.
DOI: https://doi.org/10.1145/3465481.3470117 (published 2021-08-16)
Citations: 3
A Threat-Based Cybersecurity Risk Assessment Approach Addressing SME Needs
Max van Haastrecht, I. Sarhan, Alireza Shojaifar, Louis Baumgartner, Wissam Mallouli, M. Spruit
Cybersecurity incidents are commonplace nowadays, and Small- and Medium-Sized Enterprises (SMEs) are exceptionally vulnerable targets. The lack of cybersecurity resources available to SMEs implies that they are less capable of dealing with cyber-attacks. Motivation to improve cybersecurity is often low, as the prerequisite knowledge and awareness to drive motivation is generally absent at SMEs. A solution that aims to help SMEs manage their cybersecurity risks should therefore not only offer a correct assessment but should also motivate SME users. From Self-Determination Theory (SDT), we know that by promoting perceived autonomy, competence, and relatedness, people can be motivated to take action. In this paper, we explain how a threat-based cybersecurity risk assessment approach can help to address the needs outlined in SDT. We propose such an approach for SMEs and outline the data requirements that facilitate automation. We present a practical application covering various user interfaces, showing how our threat-based cybersecurity risk assessment approach turns SME data into prioritised, actionable recommendations.
DOI: https://doi.org/10.1145/3465481.3469199 (published 2021-08-16)
Citations: 8
Risks and Opportunities for Information Hiding in DICOM Standard
A. Mileva, L. Caviglione, Aleksandar Velinov, S. Wendzel, V. Dimitrova
The increasing application of ICT technologies to medicine opens new usage patterns. Among the various standards, the Digital Imaging and COmmunication in Medicine (DICOM) has been gaining momentum, mainly due to its complete coverage of the diagnostic pipeline, including key applications such as CT, MRI and ultrasound scanners. However, owing to its complex and multifaceted nature, DICOM is prone to many risks especially due to the vast and complex attack surface characterizing the composite interplay of services, formats and technologies at the basis of the standard. Luckily, DICOM exhibits some room for improving its security. Specifically, information hiding and steganography can be used in a twofold manner. On one hand, they can help to watermark diagnostic images to improve their resistance against tampering and alterations. On the other hand, the digital infrastructure at the basis of DICOM can lead to data leaks or malicious manipulations via artificial intelligence techniques. Therefore, in this work we introduce risks and opportunities when applying information-hiding-based techniques to the DICOM standard. Our investigation highlights some opportunities as well as introduces possibilities of exploiting DICOM images to set up covert channels, i.e., hidden communication paths that can be used to exfiltrate data or launch attacks. To prove the effectiveness of our vision, this paper also showcases the performance evaluation of a covert channel built by applying text steganography principles on realistic DICOM images.
DOI: https://doi.org/10.1145/3465481.3470072 (published 2021-08-16)
Citations: 2
Crème de la Crème: Lessons from Papers in Security Publications
Simon L. R. Vrhovec, L. Caviglione, S. Wendzel
The number of citations attracted by publications is a key criterion for measuring their success. To avoid discriminating against newer research, such a metric is usually measured in average yearly citations. Understanding and characterizing how citations behave has been a prime research topic, yet investigations targeting the cybersecurity domain seem to be particularly scarce. In this perspective, the paper aims at filling this gap by analyzing average yearly citations for 6,693 papers published in top-tier conferences and journals in cybersecurity. Results indicate the existence of three clusters, i.e., general security conferences, general security journals, and cryptography-centered publications. The analysis also suggests that the amount of conference-to-conference citations stands out compared to journal-to-journal and conference-to-journal citations. Besides, papers published at top conferences attract more citations although a direct comparison against other venues is not straightforward. To better quantify the impact of works dealing with cybersecurity aspects, the paper introduces two new metrics, namely the number of main words in the title, and the combined number of unique main words in title, abstract and keywords. Collected results show that they can be associated with average yearly citations (together with the number of cited references). Finally, the paper draws some ideas to take advantage of such findings.
DOI: https://doi.org/10.1145/3465481.3470027 (published 2021-08-16)
Citations: 1
Reliable Data Transmission using Low Power Wide Area Networks (LPWAN) for Agricultural Applications
Franz Kuntke, Marcel Sinn, Christian Reuter
Reliable IT-based communication in agriculture is becoming increasingly important for regular operations. For example, if a farmer is in the field during a network outage, such as a failure of the mobile network, an alternative communication channel is needed to continue to connect to IT components and required data. With increasing digitalization, Low Power Wide Area Network (LPWAN) technologies are being used more and more frequently, e.g. for sensor networks. The LPWAN technologies offer a high range and can be used autonomously for the most part, but do not allow classic TCP/IP communication. In this work, a popular LPWAN technology, namely LoRaWAN, is experimentally supplemented by AX.25 on OSI layer 2 (Data Link Layer) to allow end devices TCP/IP-based communication over long distances. The evaluation shows that classic low-bandwidth applications are thus functional and can enable reliable, crisis-capable data transmission.
DOI: https://doi.org/10.1145/3465481.3469191 (published 2021-08-16)
Citations: 6
A Recommender System for Tracking Vulnerabilities
P. Huff, Kylie McClanahan, Thao Le, Qinghua Li
Mitigating vulnerabilities in software requires first identifying the vulnerabilities with an organization’s software assets. This seemingly trivial task involves maintaining vendor product vulnerability notification for a kludge of hardware and software packages from innumerable software publishers, coding projects, and third-party package managers. On the other hand, software vulnerability databases are often consistently reported and categorized in clean, standard formats and neatly tied to a common software product enumerator (i.e., CPE). Currently it is a heavy workload for cybersecurity analysts at organizations to match their hardware and software package inventory to target CPEs. This hinders organizations from getting notifications for new vulnerabilities, and identifying applicable vulnerabilities. In this paper, we present a recommender system to automatically identify a minimal candidate set of CPEs for software names to improve vulnerability identification and alerting accuracy. The recommender system uses a pipeline of natural language processing, fuzzy matching, and machine learning to significantly reduce the human effort needed for software product vulnerability matching.
DOI: https://doi.org/10.1145/3465481.3470039 (published 2021-08-16)
Citations: 8
Adversarial Examples Against a BERT ABSA Model – Fooling Bert With L33T, Misspellign, and Punctuation,
Nora Hofer, Pascal Schöttle, A. Rietzler, Sebastian Stabinger
The BERT model is de facto state-of-the-art for aspect-based sentiment analysis (ABSA), an important task in natural language processing. Similar to every other model based on deep learning, BERT is vulnerable to so-called adversarial examples: strategically modified inputs that cause a change in the model’s prediction of the underlying input. In this paper we propose three new methods to create character-level adversarial examples against BERT and evaluate their effectiveness on the ABSA task. Specifically, our attack methods mimic human behavior and use leetspeak, common misspellings, or misplaced commas. By concentrating these changes on important words, we are able to maximize misclassification rates with minimal changes. To the best of our knowledge, we are the first to look into adversarial examples for the ABSA task and the first to propose these attacks.
DOI: https://doi.org/10.1145/3465481.3465770 (published 2021-08-16)
Citations: 4
MESH: A Memory-Efficient Safe Heap for C/C++
Emanuel Q. Vintila, Philipp Zieris, Julian Horsch
While memory corruption bugs stemming from the use of unsafe programming languages are an old and well-researched problem, the resulting vulnerabilities still dominate real-world exploitation today. Various mitigations have been proposed to alleviate the problem, mainly in the form of language dialects, static program analysis, and code or binary instrumentation. Solutions like AddressSanitizer (ASan) and Softbound/CETS have proven that the latter approach is very promising, being able to achieve memory safety without requiring manual source code adaptations, albeit suffering substantial performance and memory overheads. While performance overhead can be seen as a flexible constraint, extensive memory overheads can be prohibitive for the use of such solutions in memory-constrained environments. To address this problem, we propose MESH, a highly memory-efficient safe heap for C/C++. With its constant, very small memory overhead (configurable up to 2 MB on x86-64) and constant complexity for pointer access checking, MESH offers efficient, byte-precise spatial and temporal memory safety for memory-constrained scenarios. Without jeopardizing the security of safe heap objects, MESH is fully compatible with existing code and uninstrumented libraries, making it practical to use in heterogeneous environments. We show the feasibility of our approach with a full LLVM-based prototype supporting both major architectures, i.e., x86-64 and ARM64, in a Linux runtime environment. Our prototype evaluation shows that, compared to ASan and Softbound/CETS, MESH can achieve huge memory savings while preserving similar execution performance.
DOI: https://doi.org/10.1145/3465481.3465760 (published 2021-08-16)
Citations: 1
Listen to Your Heart: Evaluation of the Cardiologic Ecosystem
Endres Puschner, Christoph Saatjohann, Markus Willing, Christian Dresen, J. Köbe, B. Rath, C. Paar, L. Eckardt, Uwe Haverkamp, Sebastian Schinzel
Modern implantable cardiologic devices communicate via radio frequency techniques and nearby gateways to a backend server on the internet. Those implanted devices, gateways, and servers form an ecosystem of proprietary hardware and protocols that processes sensitive medical data and is often vital for patients' health. This paper analyzes the security of this ecosystem, from technical gateway aspects, via the programmer used to configure the implanted device, up to the processing of personal medical data by large cardiological device producers. Based on a real-world attacker model, we evaluated different devices and found several severe vulnerabilities. Furthermore, we could purchase a fully functional programmer for implantable cardiological devices, allowing us to re-program such devices or even induce electric shocks on untampered implanted devices. Additionally, we sent several Art. 15 and Art. 20 GDPR inquiries to manufacturers of implantable cardiologic devices, revealing non-conforming processes and a lack of awareness about patients' rights and companies' obligations. This, and the fact that many vulnerabilities are still to be found after many vulnerability disclosures in recent years, present a worrying security state of the whole ecosystem.
DOI: https://doi.org/10.1145/3465481.3465753 (published 2021-08-16)
Citations: 0
Copyright © 2023 Book学术 All rights reserved.