<script>alert('Expect the Unexpected')</script>: Raising Cybersecurity Awareness by Hook or by Crook
VALENZA, ANDREA
2021-03-25
Abstract
In the last decades, computer security has been a constantly growing concern. Nowadays it is commonly understood that, although crucial, technology alone is not the ultimate solution. To effectively and promptly face new threats, well-trained security experts and a properly designed process are necessary. Both can only be attained through a proper cybersecurity culture. In this thesis, we address the problems related to the correct cybersecurity mindset. In particular, we focus on two important aspects, i.e., (i) using security testing to show the lack of a correct mindset in the wild, and (ii) developing new and effective security training techniques. For security testing, we present a novel attacker model targeting security scanners. We developed RevOK, an automatic testing tool for our attacker model, and applied it to detect several vulnerabilities in real-world scanners, including two severe vulnerabilities (CVE-2020-7354 and CVE-2020-7355) that allowed Remote Command Execution in Metasploit Pro. We also investigate a recently proposed attacker model, i.e., adversarial machine learning, and explore its application to machine learning-based Web Application Firewalls (WAFs). We developed a proof-of-concept mutational fuzzer, WAF-A-MoLE, that automatically performs SQL injection attacks that bypass WAF analysis. This work shows that both attacker models have been largely neglected by security product developers. For security training, we start by considering our experience with a non-formal, hands-on training course held at the University of Genova. The main lesson learned is that fresh and stimulating exercises are fundamental to the training process. Then, leveraging this experience, we developed a Damn Vulnerable Application Scanner (DVAS) that provides a training environment for the RevOK attacker model.
Finally, we propose a computer-aided framework that supports trainers by partially automating the design and development of new exercises in order to avoid training repetition.

File | Description | Type | Size | Format
---|---|---|---|---
phdunige_3276033.pdf (open access) | Complete doctoral thesis | Doctoral thesis | 2.92 MB | Adobe PDF