Deception has emerged as a novel and innovative strategy in the field of cybersecurity, involving the intentional creation of deceptive elements within a system to mislead potential attackers. By crafting false leads, deceptive defence aims to protect critical assets by confusing and delaying adversaries, ultimately reducing the risk of successful exploitation. This thesis explores the enhancement of software security through the strategic injection of non-exploitable bugs, designed to mislead attackers into perceiving genuine vulnerabilities. Building upon the concept of ‘chaff bugs’ initially proposed by Hu et al. in their research ‘Towards Deceptive Defense in Software Security with Chaff Bugs’, this work addresses and overcomes the limitations of realism and diversity present in the original implementation. Two principal methodologies were investigated. The first approach focused on the automatic extraction of bug patterns from authentic bug fixing commits, aiming to inject these patterns into the target program in a semantically informed manner. Despite efforts to mine data from relevant repositories and a dataset specifically curated for vulnerabilities, this method yielded inconclusive results. Consequently, the thesis includes recommendations for enhancing the quality and applicability of bug fixing commit datasets, addressing the limitations identified in the analysis, and aiming to facilitate more effective automatic extraction of meaningful bug patterns for future research. The second, more successful approach involved the manual identification of recurring bug patterns through an analysis of Common Vulnerabilities and Exposures (CVEs), followed by the formalisation of these patterns through a context-free grammar. Supported by syntactic and semantic analysis, as well as static reachability and dependence analysis during the injection phase, this methodology enhanced the realism of the chaff bugs while ensuring their non-exploitability. The injected bugs were evaluated using a recognised vulnerability classification tool, which confirmed their realism and demonstrated the improved practical efficacy of chaff bugs as a defensive measure. This research contributes to the advancement of deceptive cybersecurity strategies by producing more plausible decoy bugs, thereby strengthening the resilience of software systems against malicious exploitation attempts.
Deception has emerged as a novel and innovative strategy in the field of cybersecurity, involving the intentional creation of deceptive elements within a system to mislead potential attackers. By crafting false leads, deceptive defence aims to protect critical assets by confusing and delaying adversaries, ultimately reducing the risk of successful exploitation. This thesis explores the enhancement of software security through the strategic injection of non-exploitable bugs, designed to mislead attackers into perceiving genuine vulnerabilities. Building upon the concept of ‘chaff bugs’ initially proposed by Hu et al. in their research ‘Towards Deceptive Defense in Software Security with Chaff Bugs’, this work addresses and overcomes the limitations of realism and diversity present in the original implementation. Two principal methodologies were investigated. The first approach focused on the automatic extraction of bug patterns from authentic bug fixing commits, aiming to inject these patterns into the target program in a semantically informed manner. Despite efforts to mine data from relevant repositories and a dataset specifically curated for vulnerabilities, this method yielded inconclusive results. Consequently, the thesis includes recommendations for enhancing the quality and applicability of bug fixing commit datasets, addressing the limitations identified in the analysis, and aiming to facilitate more effective automatic extraction of meaningful bug patterns for future research. The second, more successful approach involved the manual identification of recurring bug patterns through an analysis of Common Vulnerabilities and Exposures (CVEs), followed by the formalisation of these patterns through a context-free grammar. Supported by syntactic and semantic analysis, as well as static reachability and dependence analysis during the injection phase, this methodology enhanced the realism of the chaff bugs while ensuring their non-exploitability. The injected bugs were evaluated using a recognised vulnerability classification tool, which confirmed their realism and demonstrated the improved practical efficacy of chaff bugs as a defensive measure. This research contributes to the advancement of deceptive cybersecurity strategies by producing more plausible decoy bugs, thereby strengthening the resilience of software systems against malicious exploitation attempts.
Deceptive Defence in Software Security: Injecting Non-Exploitable Bugs Using a Pattern-Based Strategy
DARDOURI, LEILA
2023/2024
Abstract
Deception has emerged as a novel and innovative strategy in the field of cybersecurity, involving the intentional creation of deceptive elements within a system to mislead potential attackers. By crafting false leads, deceptive defence aims to protect critical assets by confusing and delaying adversaries, ultimately reducing the risk of successful exploitation. This thesis explores the enhancement of software security through the strategic injection of non-exploitable bugs, designed to mislead attackers into perceiving genuine vulnerabilities. Building upon the concept of ‘chaff bugs’ initially proposed by Hu et al. in their research ‘Towards Deceptive Defense in Software Security with Chaff Bugs’, this work addresses and overcomes the limitations of realism and diversity present in the original implementation. Two principal methodologies were investigated. The first approach focused on the automatic extraction of bug patterns from authentic bug fixing commits, aiming to inject these patterns into the target program in a semantically informed manner. Despite efforts to mine data from relevant repositories and a dataset specifically curated for vulnerabilities, this method yielded inconclusive results. Consequently, the thesis includes recommendations for enhancing the quality and applicability of bug fixing commit datasets, addressing the limitations identified in the analysis, and aiming to facilitate more effective automatic extraction of meaningful bug patterns for future research. The second, more successful approach involved the manual identification of recurring bug patterns through an analysis of Common Vulnerabilities and Exposures (CVEs), followed by the formalisation of these patterns through a context-free grammar. Supported by syntactic and semantic analysis, as well as static reachability and dependence analysis during the injection phase, this methodology enhanced the realism of the chaff bugs while ensuring their non-exploitability. The injected bugs were evaluated using a recognised vulnerability classification tool, which confirmed their realism and demonstrated the improved practical efficacy of chaff bugs as a defensive measure. This research contributes to the advancement of deceptive cybersecurity strategies by producing more plausible decoy bugs, thereby strengthening the resilience of software systems against malicious exploitation attempts.| File | Dimensione | Formato | |
|---|---|---|---|
|
Dardouri_Leila.pdf
accesso riservato
Dimensione
818.22 kB
Formato
Adobe PDF
|
818.22 kB | Adobe PDF |
The text of this website © Università degli studi di Padova. Full Text are published under a non-exclusive license. Metadata are under a CC0 License
https://hdl.handle.net/20.500.12608/70904