STACK OVERWRITING ATTACKS AND DEFENCES IN UNIX ENVIRONMENT

Työn tarkoituksena on tutkia pinon ylikirjoitukseen perustuvien hyökkäysten toimintaa ja osoittaa kokeellisesti nykyisten suojaustekniikoiden olevan riittämättömiä. Tutkimus suoritetaan testaamalla miten valitut tietoturvatuotteet toimivat eri testitilanteissa. Testatut tuotteet ovat Openwall, PaX, Libsafe 2.0 ja Immunix 6.2. Testaus suoritetaan pääasiassa RedHat 7.0 ympäristössä testiohjelman avulla. Testeissä mitataan sekä tuotteiden kyky havaita hyökkäyksiä että niiden nopeusvaikutukset. Myös erityyppisten hyökkäysten ja niitä vastaan kehitettyjen metodien toimintaperiaatteet esitellään seikkaperäisesti ja havainnollistetaan yksinkertaistetuilla esimerkeillä. Esitellyt tekniikat sisältävät puskurin ylivuodot, laittomat muotoiluparametrit, loppumerkittömät merkkijonot ja taulukoiden ylivuodot. Testit osoittavat, etteivät valitut tuotteet estä kaikkia hyökkäyksiä, joten lopuksi perehdytään myös vahinkojen minimointiin onnistuneiden hyökkäysten varalta.

Detection of denial of service attacks

This thesis studies techniques used for detection of distributed denial of service attacks which during last decade became one of the most serious network security threats. To evaluate different detection algorithms and further improve them we need to test their performance under conditions as close to real-life situations as possible. Currently the only feasible solution for large-scale tests is the simulated environment. The thesis describes implementation of recursive non-parametric CUSUM algorithm for detection of distributed denial of service attacks in ns-2 network simulator – a standard de-facto for network simulation.

Is All Fair in Law and War? The Ambiguous Principle of Proportionality of Collateral Damage and the CIA Drone Attacks in Pakistan

Tutkielma käsittelee Yhdysvaltain CIAn miehittämättömiä lennokki-iskuja Pakistanissa kansainvälisen humanitaarisen oikeuden suhteellisuusperiaatteen näkökulmasta. Suhteellisuusperiaatteen mukaan aseellisista iskuista saatavan sotilaallisen hyödyn tulee olla suhteellinen verrattuna siviileille aiheutuvaan haittaan. CIAn iskuja Pakistanissa on kritisoitu, että ne eivät täytä suhteellisuusperiaatteen asettamia vaatimuksia. Tutkielmassa perehdytään ensinnäkin selvittämään ne velvollisuudet, jotka suhteellisuusperiaate asettaa hyökkääjille. Sen jälkeen CIAn lennokki-iskuja tutkitaan näiden velvollisuuksien valossa. Tutkielmassa pyritään selvittämään antaako suhteellisuusperiaatteen luomat oikeudelliset velvollisuudet riittävää suojaa Pakistanin siviileille lennokki-iskujen tuhoja vastaan. Lisäksi pyritään selvittämään, onko lennokki-iskuissa viitteitä suhteellisuusperiaatteen vastaisista iskuista. Tutkimusmenetelmänä käytetään positivistista lainopin metodia, jonka avulla selvitetään voimassa olevaa kansainvälisen humanitaarisen tapaoikeuden suhteellisuusperiaatteen sisältöä. Oikeudellisina lähteinä käytetään pääasiassa humanitaarista tapaoikeutta, mutta tulkinnallisena apuna myös kansainvälisiä sopimuksia sekä oikeuden päätöksiä. Lisäksi oikeudellinen kirjallisuus on tutkimuksessa tärkeässä asemassa. Tutkimuksessa päädytään siihen, että suhteellisuusperiaatteen asettamat velvollisuudet hyökkääjälle ovat niin epämääräiset, että ne eivät anna riittävää suojaa siviileille. Ensinnäkin hyökkääjä voi määrittää sotilaallisen hyödyn omien päämääriensä mukaisesti suhteellisuusanalyysissä. Lisäksi kynnys sille, mikä katsotaan suhteellisuusperiaatteen vastaisuudeksi on hyvin epämääräinen ja korkea. Tämän vuoksi varotoimenpiteet iskujen suunnittelussa ovat hyvin tärkeässä asemassa myös suhteellisuusanalyysissä. Kuitenkin jos hyökkääjä edes jossain määrin osoittaa, että on tehnyt iskut hyvässä uskossa niiden laillisuudesta, iskujen katsotaan yleensä olevan suhteellisuusperiaatteen mukaisia. CIAn lennokki-iskuissa Pakistanissa on viitteitä suhteellisuusperiaatteen vastaisuudesta erityisesti ”tunnusmerkki-iskujen” osalta. ”Tunnusmerkki-iskut” johtavat yleensä vain vähäiseen sotilaalliseen hyötyyn aiheuttaen silti siviiliuhreja. Lisäksi erityisesti tunnusmerkki-iskuissa edellytetään korkeampaa tarkkuutta varotoimenpiteissä. Kuitenkin useat siviiliuhrit voivat merkitä sitä, että näitä varotoimenpiteitä ei ole noudatettu iskuissa.

Embedding, Extraction and Detection of Digital Watermark in Spectral Images

Tässä diplomityössä tutkitaan tekniikoita, joillavesileima lisätään spektrikuvaan, ja menetelmiä, joilla vesileimat tunnistetaanja havaitaan spektrikuvista. PCA (Principal Component Analysis) -algoritmia käyttäen alkuperäisten kuvien spektriulottuvuutta vähennettiin. Vesileiman lisääminen spektrikuvaan suoritettiin muunnosavaruudessa. Ehdotetun mallin mukaisesti muunnosavaruuden komponentti korvattiin vesileiman ja toisen muunnosavaruuden komponentin lineaarikombinaatiolla. Lisäyksessä käytettävää parametrijoukkoa tutkittiin. Vesileimattujen kuvien laatu mitattiin ja analysoitiin. Suositukset vesileiman lisäykseen esitettiin. Useita menetelmiä käytettiin vesileimojen tunnistamiseen ja tunnistamisen tulokset analysoitiin. Vesileimojen kyky sietää erilaisia hyökkäyksiä tarkistettiin. Diplomityössä suoritettiin joukko havaitsemis-kokeita ottamalla huomioon vesileiman lisäyksessä käytetyt parametrit. ICA (Independent Component Analysis) -menetelmää pidetään yhtenä mahdollisena vaihtoehtona vesileiman havaitsemisessa.

Software Security Design and Testing

Elektroninen kaupankäynti ja pankkipalvelut ovat herättäneet toiminnan jatkuvuuden kannalta erittäin kriittisen kysymyksen siitä, kuinka näitä palveluja pystytään suojaamaan järjestäytynyttä rikollisuutta ja erilaisia hyväksikäyttöjä vastaan.

”Kyllähän nyt pitäs olla jo semmonen aika, että pääsis niin kö keskustelemhan näistä asioista.” Tutkimus lappilaisten sotavankien, partisaanien uhrien ja huutolaisten elämänkulusta, voimavaroista, terveydestä ja sairauksista

Research into the course of life, mental stamina and health status of wartime prisoners, victims of Soviet partisan attacks, and paupers in Finnish Lapland The basis of this research comprised the issues raised during the interviews conducted in my work as a general practitioner in Lapland, regarding factors that have possibly affected the life stories and health conditions of Lappish people who had lived through the war as war prisoners, victims of partisan attacks, or paupers. The purpose of the study was to describe how the different life phases and experiences emerged from the interviewees’ stories and to identify their mental stamina. Another goal was to make observations on their health status, in which the main emphasis became to address mental symptoms. The cohort consisted of elderly Finns who lived in Lapland during the war and experienced war imprisonment, pauperism, or became victims of partisan attacks. All three groups consisted of 12 interviewees. The interview transcripts were read several times and then investigated using the content analysis methods applicable to the material. The research methodology was based on building awareness and understanding. Thematic tagging and data coding were used as structured analysis tools. In all three groups most of the interviewees clearly identified their mental stamina, the most fundamental of which were home, family and work. The war prisoners’ injuries and nervous sensibility symptoms had been shown in earlier studies on war prisoners, and on this basis they had been granted disability pensions. However, many of them had suppressed their traumatic experiences and mental difficulties, and they could not talk about these issues until at the time of these interviews held at old age. Four of them still suffered from a post-traumatic stress disorder. The victims of Soviet partisans had had to carry their mental load alone for decades before the cruel ravages on civilians in remote areas of Lapland became publicly known. Most of them still had disturbing nervous sensibility symptoms. Four interviewees had a post-traumatic stress disorder, and in addition to these, the mental symptoms of one had developed into a post-traumatic stress disorder during old age. Many of the interviewees who had been left paupers remembered their childhood as filled with grief and feelings of inferiority, and had nightmares relating to their wartime experiences. Yet none of them suffered from post-traumatic stress disorder. The results showed that the exceptional suffering caused by the war, the wartime imprisonment and the devastating attacks by Soviet partisans had led especially to mental difficulties. These were left almost completely unnoticed in the post-war conditions, and the war victims were unable to seek help on their own. Based on the results, our health care for the elderly should focus on familiarization with the individual experiences and life stories of each elderly person. This can facilitate geriatric diagnostics and individual therapy planning. Empathic familiarization with the life experiences of the elderly may strengthen their mental stamina and improve the quality of successful aging.

Knapsack sets for cryptography

The basic goal of this study is to extend old and propose new ways to generate knapsack sets suitable for use in public key cryptography. The knapsack problem and its cryptographic use are reviewed in the introductory chapter. Terminology is based on common cryptographic vocabulary. For example, solving the knapsack problem (which is here a subset sum problem) is termed decipherment. Chapter 1 also reviews the most famous knapsack cryptosystem, the Merkle Hellman system. It is based on a superincreasing knapsack and uses modular multiplication as a trapdoor transformation. The insecurity caused by these two properties exemplifies the two general categories of attacks against knapsack systems. These categories provide the motivation for Chapters 2 and 4. Chapter 2 discusses the density of a knapsack and the dangers of having a low density. Chapter 3 interrupts for a while the more abstract treatment by showing examples of small injective knapsacks and extrapolating conjectures on some characteristics of knapsacks of larger size, especially their density and number. The most common trapdoor technique, modular multiplication, is likely to cause insecurity, but as argued in Chapter 4, it is difficult to find any other simple trapdoor techniques. This discussion also provides a basis for the introduction of various categories of non injectivity in Chapter 5. Besides general ideas of non injectivity of knapsack systems, Chapter 5 introduces and evaluates several ways to construct such systems, most notably the "exceptional blocks" in superincreasing knapsacks and the usage of "too small" a modulus in the modular multiplication as a trapdoor technique. The author believes that non injectivity is the most promising direction for development of knapsack cryptosystema. Chapter 6 modifies two well known knapsack schemes, the Merkle Hellman multiplicative trapdoor knapsack and the Graham Shamir knapsack. The main interest is in aspects other than non injectivity, although that is also exploited. In the end of the chapter, constructions proposed by Desmedt et. al. are presented to serve as a comparison for the developments of the subsequent three chapters. Chapter 7 provides a general framework for the iterative construction of injective knapsacks from smaller knapsacks, together with a simple example, the "three elements" system. In Chapters 8 and 9 the general framework is put into practice in two different ways. Modularly injective small knapsacks are used in Chapter 9 to construct a large knapsack, which is called the congruential knapsack. The addends of a subset sum can be found by decrementing the sum iteratively by using each of the small knapsacks and their moduli in turn. The construction is also generalized to the non injective case, which can lead to especially good results in the density, without complicating the deciphering process too much. Chapter 9 presents three related ways to realize the general framework of Chapter 7. The main idea is to join iteratively small knapsacks, each element of which would satisfy the superincreasing condition. As a whole, none of these systems need become superincreasing, though the development of density is not better than that. The new knapsack systems are injective but they can be deciphered with the same searching method as the non injective knapsacks with the "exceptional blocks" in Chapter 5. The final Chapter 10 first reviews the Chor Rivest knapsack system, which has withstood all cryptanalytic attacks. A couple of modifications to the use of this system are presented in order to further increase the security or make the construction easier. The latter goal is attempted by reducing the size of the Chor Rivest knapsack embedded in the modified system. '

Uusien uhkakuvien luominen: tapaus 'kiinalaiset kybersoturit' : lingvistinen uhka-analyysi kyberdiskurssista

Since his inauguration, President Barack Obama has emphasized the need for a new cybersecurity policy, pledging to make it a "national security priority". This is a significant change in security discourse after an eight-year war on terror – a term Obama announced to be no longer in use. After several white papers, reports and the release of the so-called 60-day Cybersecurity Review, Obama announced the creation of a "cyber czar" position and a new military cyber command to coordinate American cyber defence and warfare. China, as an alleged cyber rival, has played an important role in the discourse that introduced the need for the new office and the proposals for changes in legislation. Research conducted before this study suggest the dominance of state-centric enemy descriptions paused briefly after 9/11, but returned soon into threat discourse. The focus on China's cyber activities fits this trend. The aim of this study is to analyze the type of modern threat scenarios through a linguistic case study on the reporting on Chinese hackers. The methodology of this threat analysis is based on the systemic functional language theory, and realizes as an analysis of action and being descriptions (verbs) used by the American authorities. The main sources of data include the Cybersecurity Act 2009, Securing Cyberspace for the 44th Presidency, and 2008 Report to Congress of the U.S. - China Economic and Security Review Commission. Contrary to the prevailing and popularized terrorism discourse, the results show the comeback of Cold War rhetoric as well as the establishment of a state-centric threat perception in cyber discourse. Cyber adversaries are referred to with descriptions of capacity, technological superiority and untrustworthiness, whereas the ‘self’ is described as vulnerable and weak. The threat of cyber attacks is compared to physical attacks on critical military and civilian infrastructure. The authorities and the media form a cycle, in which both sides quote each other and foster each other’s distrust and rhetoric. The white papers present China's cyber army as an existential threat. This leads to cyber discourse turning into a school-book example of a securitization process. The need for security demands action descriptions, which makes new rules and regulations acceptable. Cyber discourse has motives and agendas that are separate from real security discourse: the arms race of the 21st century is about unmanned war.

BotCloud Detection System

Leveraging cloud services, companies and organizations can significantly improve their efficiency, as well as building novel business opportunities. Cloud computing offers various advantages to companies while having some risks for them too. Advantages offered by service providers are mostly about efficiency and reliability while risks of cloud computing are mostly about security problems. Problems with security of the cloud still demand significant attention in order to tackle the potential problems. Security problems in the cloud as security problems in any area of computing, can not be fully tackled. However creating novel and new solutions can be used by service providers to mitigate the potential threats to a large extent. Looking at the security problem from a very high perspective, there are two focus directions. Security problems that threaten service user’s security and privacy are at one side. On the other hand, security problems that threaten service provider’s security and privacy are on the other side. Both kinds of threats should mostly be detected and mitigated by service providers. Looking a bit closer to the problem, mitigating security problems that target providers can protect both service provider and the user. However, the focus of research community mostly is to provide solutions to protect cloud users. A significant research effort has been put in protecting cloud tenants against external attacks. However, attacks that are originated from elastic, on-demand and legitimate cloud resources should still be considered seriously. The cloud-based botnet or botcloud is one of the prevalent cases of cloud resource misuses. Unfortunately, some of the cloud’s essential characteristics enable criminals to form reliable and low cost botclouds in a short time. In this paper, we present a system that helps to detect distributed infected Virtual Machines (VMs) acting as elements of botclouds. Based on a set of botnet related system level symptoms, our system groups VMs. Grouping VMs helps to separate infected VMs from others and narrows down the target group under inspection. Our system takes advantages of Virtual Machine Introspection (VMI) and data mining techniques.

Proximity Based Authentication in IoT

IoT consists of essentially thousands of tiny sensor nodes interconnected to the internet, each one of which executes the programmed functions under memory and power limita- tions. The sensor nodes are distributed mainly for gathering data in various situations. IoT envisions the future technologies such as e-health, smart city, auto-mobiles automa- tion, construction sites automation, and smart home. Secure communication of data under memory and energy constraints is major challenge in IoT. Authentication is the first and important phase of secure communication. This study presents a protocol to authenticate resource constraint devices in physical proximity by solely using the shared wireless communication interfaces. This model of authentication only relies on the abundance of ambient radio signals to authenticate in less than a second. To evaluate the designed protocol, SkyMotes are emulated in a network environment simulated by Contiki/COOJA. Results presented during this study proves that this approach is immune against passive and active attacks. An adversary located as near as two meters can be identified in less than a second with minimal expense of energy. Since, only radio device is used as required hardware for the authentication, this technique is scalable and interoperable to heterogeneous nature of IoT.

Evaluation of Machine Learning Classifiers for Mobile Network Intrusion Detection Systems

Mobile malwares are increasing with the growing number of Mobile users. Mobile malwares can perform several operations which lead to cybersecurity threats such as, stealing financial or personal information, installing malicious applications, sending premium SMS, creating backdoors, keylogging and crypto-ransomware attacks. Knowing the fact that there are many illegitimate Applications available on the App stores, most of the mobile users remain careless about the security of their Mobile devices and become the potential victim of these threats. Previous studies have shown that not every antivirus is capable of detecting all the threats; due to the fact that Mobile malwares use advance techniques to avoid detection. A Network-based IDS at the operator side will bring an extra layer of security to the subscribers and can detect many advanced threats by analyzing their traffic patterns. Machine Learning(ML) will provide the ability to these systems to detect unknown threats for which signatures are not yet known. This research is focused on the evaluation of Machine Learning classifiers in Network-based Intrusion detection systems for Mobile Networks. In this study, different techniques of Network-based intrusion detection with their advantages, disadvantages and state of the art in Hybrid solutions are discussed. Finally, a ML based NIDS is proposed which will work as a subsystem, to Network-based IDS deployed by Mobile Operators, that can help in detecting unknown threats and reducing false positives. In this research, several ML classifiers were implemented and evaluated. This study is focused on Android-based malwares, as Android is the most popular OS among users, hence most targeted by cyber criminals. Supervised ML algorithms based classifiers were built using the dataset which contained the labeled instances of relevant features. These features were extracted from the traffic generated by samples of several malware families and benign applications. These classifiers were able to detect malicious traffic patterns with the TPR upto 99.6% during Cross-validation test. Also, several experiments were conducted to detect unknown malware traffic and to detect false positives. These classifiers were able to detect unknown threats with the Accuracy of 97.5%. These classifiers could be integrated with current NIDS', which use signatures, statistical or knowledge-based techniques to detect malicious traffic. Technique to integrate the output from ML classifier with traditional NIDS is discussed and proposed for future work.

Käyttäjien manipulointi internetin yhteisöpalveluissa: Systemaattinen kirjallisuuskatsaus

Internetin yhteisöpalveluiden käyttäjien avoimuus ja sosiaalisuus altistavat heidät monenlaisille riskeille. “Social engineering” eli käyttäjien manipulointi on uhka, joka liittyy informaation hankkimiseen perinteisen kanssakäymisen kautta, mutta yhä enenevissä määrin myös internetissä. Kun kanssakäyminen tapahtuu internetin välityksellä, käyttäjien manipuloijat hyödyntävät yhteisöpalveluita yhteydenpitoon uhrien kanssa sekä paljon käyttäjäinformaatiota sisältävänä alustana. Tämän tutkielman tarkoitus on löytää internetin yhteisöpalveluiden ja käyttäjien manipuloinnin välinen yhteys. Tämä päämäärä saavutettiin etsimällä vastauksia kysymyksiin kuten: Mitkä ovat tyypilliset hyökkäystyypit? Miksi informaatiolla on niin suuri rooli? Mitä seurauksia ilmiöllä on ja miten hyökkäyksiltä on mahdollista suojautua? Vastaukset kysymyksiin löydettiin toteuttamalla systemaattinen kirjallisuuskatsaus. Katsaus muodostui yhdistämällä tärkeimmät löydökset 60 tarkoin valitusta ilmiötä käsittelevästä artikkelista. Käyttäjien manipuloinnin huomattiin olevan hyvin laaja ja monimutkainen ilmiö internetin yhteisöpalveluissa. Huomattiin, että manipulointia ilmenee sivustoilla useissa erilaisissa muodoissa, joita ovat muun muassa tietojen kalastelu, profiilien yhdistäminen, sosiaaliset sovellukset, roskaposti, haitalliset linkit, identiteettivarkaudet, tietovuodot ja erilaiset huijaukset, jotka hyödyntävät sekä ihmisluonnon että sivustojen perusominaisuuksia. Haavoittuvuus ja luottamus havaittiin myös tärkeiksi aspekteiksi, sillä ne yhdistävät informaation merkityksen ja ihmisluonnon, jotka molemmat ovat avaintekijöitä sekä manipuloinnissa että yhteisöpalvelusivustoilla. Vaikka ilmiön seurausten huomattiin olevan negatiivisia niin käyttäjien olemukselle internetissä kuin todellisessakin elämässä, havaittiin myös, että ilmiön ymmärtäminen ja tunnistaminen helpottaa siltä suojautumista

Analysis of Automotive Cybersecurity - Attack surfaces and users’ privacy concerns

Modern automobiles are no longer just mechanical tools. The electronics and computing services they are shipping with are making them not less than a computer. They are massive kinetic devices with sophisticated computing power. Most of the modern vehicles are made with the added connectivity in mind which may be vulnerable to outside attack. Researchers have shown that it is possible to infiltrate into a vehicle’s internal system remotely and control the physical entities such as steering and brakes. It is quite possible to experience such attacks on a moving vehicle and unable to use the controls. These massive connected computers can be life threatening as they are related to everyday lifestyle. First part of this research studied the attack surfaces in the automotive cybersecurity domain. It also illustrated the attack methods and capabilities of the damages. Online survey has been deployed as data collection tool to learn about the consumers’ usage of such vulnerable automotive services. The second part of the research portrayed the consumers’ privacy in automotive world. It has been found that almost hundred percent of modern vehicles has the capabilities to send vehicle diagnostic data as well as user generated data to their manufacturers, and almost thirty five percent automotive companies are collecting them already. Internet privacy has been studies before in many related domain but no privacy scale were matched for automotive consumers. It created the research gap and motivation for this thesis. A study has been performed to use well established consumers privacy scale – IUIPC to match with the automotive consumers’ privacy situation. Hypotheses were developed based on the IUIPC model for internet consumers’ privacy and they were studied by the finding from the data collection methods. Based on the key findings of the research, all the hypotheses were accepted and hence it is found that automotive consumers’ privacy did follow the IUIPC model under certain conditions. It is also found that a majority of automotive consumers use the services and devices that are vulnerable and prone to cyber-attacks. It is also established that there is a market for automotive cybersecurity services and consumers are willing to pay certain fees to avail that.