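@comment{ Cleaned up from a Web of Science style export. Conference papers
  moved from article/journal to inproceedings/booktitle. The duplicate keys
  basak_neil_reaves_williams_2023 and reaves_morris_2012 are kept for their
  first occurrence (SecretBench, IJIS 2012); the second occurrence of each
  (ICSE 2023, IJCIP 2012) is renamed with a "b" suffix, so citations of
  those two papers must be updated. Shouting capitals in venue names
  recased, bare "&" escaped, en-dash page ranges written as "--", month
  macros unquoted, JSON-style ISSN/ISBN values unwrapped, dx.doi.org URLs
  dropped because the doi field already carries the same identifier,
  abstractNote renamed to the biblatex field abstract (ignored by classic
  BibTeX styles, so "%" inside it is escaped for the styles that do print it). }

@string{wisec19 = {Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks ({WiSec} '19)}}
@string{ijcip   = {International Journal of Critical Infrastructure Protection}}

@inproceedings{dunlap_thorn_enck_reaves_2023,
  author    = {Dunlap, Trevor and Thorn, Seaver and Enck, William and Reaves, Bradley},
  title     = {Finding Fixed Vulnerabilities with Off-the-Shelf Static Analysis},
  booktitle = {2023 {IEEE} 8th European Symposium on Security and Privacy, {EuroS\&P}},
  year      = {2023},
  pages     = {489--505},
  doi       = {10.1109/EuroSP57164.2023.00036},
  abstract  = {Software depends on upstream projects that regularly fix vulnerabilities, but the documentation of those vulnerabilities is often unreliable or unavailable. Automating the collection of existing vulnerability fixes is essential for downstream projects to reliably update their dependencies due to the sheer number of dependencies in modern software. Prior efforts rely solely on incomplete databases or imprecise or inaccurate statistical analysis of upstream repositories. In this paper, we introduce Differential Alert Analysis (DAA) to discover vulnerability fixes in software projects. In contrast to statistical analysis, DAA leverages static analysis security testing (SAST) tools, which reason over code context and semantics. We provide a language-independent implementation of DAA and show that for Python and Java based projects, DAA has high precision for a ground-truth dataset of vulnerability fixes — even with noisy and low-precision SAST tools. We then use DAA in two large-scale empirical studies covering several prominent ecosystems, finding hundreds of resolved alerts, including many never publicly disclosed. DAA thus provides a powerful, accurate primitive for software projects, code analysis tools, vulnerability databases, and researchers to characterize and enhance the security of software supply chains.},
}

@inproceedings{basak_neil_reaves_williams_2023,
  author    = {Basak, Setu Kumar and Neil, Lorenzo and Reaves, Bradley and Williams, Laurie},
  title     = {{SecretBench}: A Dataset of Software Secrets},
  booktitle = {2023 {IEEE/ACM} 20th International Conference on Mining Software Repositories, {MSR}},
  year      = {2023},
  pages     = {347--351},
  issn      = {2160-1852},
  doi       = {10.1109/MSR59073.2023.00053},
  abstract  = {According to GitGuardian’s monitoring of public GitHub repositories, the exposure of secrets (API keys and other credentials) increased two-fold in 2021 compared to 2020, totaling more than six million secrets. However, no benchmark dataset is publicly available for researchers and tool developers to evaluate secret detection tools that produce many false positive warnings. The goal of our paper is to aid researchers and tool developers in evaluating and improving secret detection tools by curating a benchmark dataset of secrets through a systematic collection of secrets from open-source repositories. We present a labeled dataset of source codes containing 97,479 secrets (of which 15,084 are true secrets) of various secret types extracted from 818 public GitHub repositories. The dataset covers 49 programming languages and 311 file types.},
}

@inproceedings{ross_reaves_2023,
  author    = {Ross, Alexander J. and Reaves, Bradley},
  title     = {Towards Simultaneous Attacks on Multiple Cellular Networks},
  booktitle = {2023 {IEEE} Security and Privacy Workshops, {SPW}},
  year      = {2023},
  pages     = {394--405},
  issn      = {2770-8411},
  doi       = {10.1109/SPW59333.2023.00040},
  abstract  = {Cellular network attack research has dramatically expanded its capabilities in the last decade, but threat models routinely assume an attacker who targets a single cell with a small number of moderately-priced software defined radios. In many settings, such as mass crowd surveillance, attackers seek to gain passive or active dominance over a given area that is virtually always served by multiple cells and network operators. To do so, the only method publicly available is to naively duplicate their hardware at extensive cost. This paper presents a preliminary analysis of the feasibility of using a single software defined radio to surveil multiple networks simultaneously. Our key insight is that an attacker is often interested in only a portion of transmissions in a cell, and by design cellular transmissions are rigidly and predictably scheduled. Our system, Intercellular, rapidly schedules a single radio to tune between cells, effectively multiplexing the downlink channels of cells together. We demonstrate that radio tuning time is quite low (around 100ms), radio clocks are sufficiently stable to skip synchronization when retuning, and that even when monitoring multiple cells a radio can quite accurately count the devices served by all cells under observation. In so doing, we open new research directions advancing the efficiency and broad applicability of cellular network attacks.},
}

@inproceedings{basak_neil_reaves_williams_2023b,
  author    = {Basak, Setu Kumar and Neil, Lorenzo and Reaves, Bradley and Williams, Laurie},
  title     = {What Challenges Do Developers Face About Checked-in Secrets in Software Artifacts?},
  booktitle = {2023 {IEEE/ACM} 45th International Conference on Software Engineering, {ICSE}},
  year      = {2023},
  pages     = {1635--1647},
  issn      = {0270-5257},
  doi       = {10.1109/ICSE48619.2023.00141},
  abstract  = {Throughout 2021, GitGuardian's monitoring of public GitHub repositories revealed a two-fold increase in the number of secrets (database credentials, API keys, and other credentials) exposed compared to 2020, accumulating more than six million secrets. To our knowledge, the challenges developers face to avoid checked-in secrets are not yet characterized. The goal of our paper is to aid researchers and tool developers in understanding and prioritizing opportunities for future research and tool automation for mitigating checked-in secrets through an empirical investigation of challenges and solutions related to checked-in secrets. We extract 779 questions related to checked-in secrets on Stack Exchange and apply qualitative analysis to determine the challenges and the solutions posed by others for each of the challenges. We identify 27 challenges and 13 solutions. The four most common challenges, in ranked order, are: (i) store/version of secrets during deployment; (ii) store/version of secrets in source code; (iii) ignore/hide of secrets in source code; and (iv) sanitize VCS history. The three most common solutions, in ranked order, are: (i) move secrets out of source code/version control and use template config file; (ii) secret management in deployment; and (iii) use local environment variables. Our findings indicate that the same solution has been mentioned to mitigate multiple challenges. However, our findings also identify an increasing trend in questions lacking accepted solutions substantiating the need for future research and tool automation on managing secrets.},
}

@inproceedings{basak_neil_reaves_williams_2022,
  author    = {Basak, Setu Kumar and Neil, Lorenzo and Reaves, Bradley and Williams, Laurie},
  title     = {What are the Practices for Secret Management in Software Artifacts?},
  booktitle = {2022 {IEEE} Secure Development Conference ({SecDev} 2022)},
  year      = {2022},
  pages     = {69--76},
  doi       = {10.1109/SecDev53368.2022.00026},
  abstract  = {Throughout 2021, GitGuardian's monitoring of public GitHub repositories revealed a two-fold increase in the number of secrets (database credentials, API keys, and other credentials) exposed compared to 2020, accumulating more than six million secrets. A systematic derivation of practices for managing secrets can help practitioners in secure development. The goal of our paper is to aid practitioners in avoiding the exposure of secrets by identifying secret management practices in software artifacts through a systematic derivation of practices disseminated in Internet artifacts. We conduct a grey literature review of Internet artifacts, such as blog articles and question and answer posts. We identify 24 practices grouped in six categories comprised of developer and organizational practices. Our findings indicate that using local environment variables and external secret management services are the most recommended practices to move secrets out of source code and to securely store secrets. We also observe that using version control system scanning tools and employing short-lived secrets are the most recommended practices to avoid accidentally committing secrets and limit secret exposure, respectively.},
}

@inproceedings{mcniece_li_reaves_2021,
  author    = {McNiece, Matthew R. and Li, Ruidan and Reaves, Bradley},
  title     = {Characterizing the Security of Endogenous and Exogenous Desktop Application Network Flows},
  booktitle = {Passive and Active Measurement, {PAM} 2021},
  volume    = {12671},
  year      = {2021},
  pages     = {531--546},
  isbn      = {978-3-030-72581-5},
  issn      = {1611-3349},
  doi       = {10.1007/978-3-030-72582-2_31},
  abstract  = {Most desktop applications use the network, and insecure communications can have a significant impact on the application, the system, the user, and the enterprise. Understanding at scale whether desktop application use the network securely is a challenge because the application provenance of a given network packet is rarely available at centralized collection points. In this paper, we collect flow data from 39,758 MacOS devices on an enterprise network to study the network behaviors of individual applications. We collect flows locally on-device and can definitively identify the application responsible for every flow. We also develop techniques to distinguish “endogenous” flows common to most executions of a program from “exogenous” flows likely caused by unique inputs. We find that popular MacOS applications are in fact using the network securely, with 95.62\% of the applications we study using HTTPS. Notably, we observe security sensitive-services (including certificate management and mobile device management) do not use ports associated with secure communications. Our study provides important insights for users, device and network administrators, and researchers interested in secure communication.},
}

@inproceedings{oconnor_enck_reaves_2019,
  author    = {OConnor, T. J. and Enck, William and Reaves, Bradley},
  title     = {Blinded and Confused: Uncovering Systemic Flaws in Device Telemetry for Smart-Home Internet of Things},
  booktitle = wisec19,
  year      = {2019},
  pages     = {140--150},
  doi       = {10.1145/3317549.3319724},
  abstract  = {The always-on, always-connected nature of smart home devices complicates Internet-of-Things (IoT) security and privacy. Unlike traditional hosts, IoT devices constantly send sensor, state, and heartbeat data to cloud-based servers. These data channels require reliable, routine communication, which is often at odds with an IoT device's storage and power constraints. Although recent efforts such as pervasive encryption have addressed protecting data intransit, there remains little insight into designing mechanisms for protecting integrity and availability for always-connected devices. This paper seeks to better understand smart home device security by studying the vendor design decisions surrounding IoT telemetry messaging protocols, specifically, the behaviors taken when an IoT device loses connectivity. To understand this, we hypothesize and evaluate sensor blinding and state confusion attacks, measuring their effectiveness against an array of smart home IoT device types. Our analysis uncovers pervasive failure in designing telemetry that reports data to the cloud, and buffering that fails to properly cache undelivered data. We uncover that 22 of 24 studied devices suffer from critical design flaws that (1) enable attacks to transparently disrupt the reporting of device status alerts or (2) prevent the uploading of content integral to the device's core functionality. We conclude by considering the implications of these findings and offer directions for future defense. While the state of the art is rife with implementation flaws, there are several countermeasures IoT vendors could take to reduce their exposure to attacks of this nature.},
}

@inproceedings{oconnor_mohamed_miettinen_enck_reaves_sadeghi_2019,
  author    = {OConnor, T. J. and Mohamed, Reham and Miettinen, Markus and Enck, William and Reaves, Bradley and Sadeghi, Ahmad-Reza},
  title     = {{HomeSnitch}: Behavior Transparency and Control for Smart Home {IoT} Devices},
  booktitle = wisec19,
  year      = {2019},
  pages     = {128--139},
  doi       = {10.1145/3317549.3323409},
  abstract  = {The widespread adoption of smart home IoT devices has led to a broad and heterogeneous market with flawed security designs and privacy concerns. While the quality of IoT device software is unlikely to be fixed soon, there is great potential for a network-based solution that helps protect and inform consumers. Unfortunately, the encrypted and proprietary protocols used by devices limit the value of traditional network-based monitoring techniques. In this paper, we present HomeSnitch, a building block for enhancing smart home transparency and control by classifying IoT device communication by semantic behavior (e.g., heartbeat, firmware check, motion detection). HomeSnitch ignores payload content (which is often encrypted) and instead identifies behaviors using features of connection-oriented application data unit exchanges, which represent application-layer dialog between clients and servers. We evaluate HomeSnitch against an independent labeled corpus of IoT device network flows and correctly detect over 99\% of behaviors. We further deployed HomeSnitch in a home environment and empirically evaluated its ability to correctly classify known behaviors as well as discover new behaviors. Through these efforts, we demonstrate the utility of network-level services to classify behaviors of and enforce control on smart home devices.},
}

@inproceedings{goutam_enck_reaves_2019,
  author    = {Goutam, Sanket and Enck, William and Reaves, Bradley},
  title     = {{Hestia}: Simple Least Privilege Network Policies for Smart Homes},
  booktitle = wisec19,
  year      = {2019},
  pages     = {215--220},
  doi       = {10.1145/3317549.3323413},
  abstract  = {The long-awaited smart home revolution has arrived, and with it comes the challenge of managing dozens of potentially vulnerable network devices by average users. While research has developed techniques to fingerprint these devices, and even provide for sophisticated network access control models, such techniques are too complex for end users to manage, require sophisticated systems or unavailable public device descriptions, and proposed network policies have not been tested against real device behaviors. As a result, none of these solutions are available to users today. In this paper, we present Hestia, a mechanism to enforce simple-but-effective network isolation policies. Hestia segments the network into just two device categories: controllers (e.g., Smart Hubs) and non-controllers (e.g., motion sensors and smart lightbulbs). The key insight (validated with a large IoT dataset) is that noncontrollers only connect to cloud endpoints and controller devices, and practically never to each other over IP networks. This means that non-controllers can be isolated from each other without preventing functionality. Perhaps more importantly, smart home owners need only specify which devices are controllers. We develop a prototype and show negligible performance overhead resulting from the increased isolation. Hestia drastically improves smart home security without complex, unwieldy policies or lengthy learning of device behaviors.},
}

@inproceedings{whitaker_prasad_reaves_enck_2019,
  author    = {Whitaker, Justin and Prasad, Sathvik and Reaves, Bradley and Enck, William},
  title     = {Thou Shalt Discuss Security: Quantifying the Impacts of Instructions to {RFC} Authors},
  booktitle = {Proceedings of the 5th {ACM} Workshop on Security Standardisation Research Workshop ({SSR} '19)},
  year      = {2019},
  pages     = {57--68},
  doi       = {10.1145/3338500.3360332},
  abstract  = {The importance of secure development of new technologies is unquestioned, yet the best methods to achieve this goal are far from certain. A key issue is that while significant effort is given to evaluating the outcomes of development (e.g., security of a given project), it is far more difficult to determine what organizational practices result in secure projects. In this paper, we quantitatively examine efforts to improve the consideration of security in Requests for Comments (RFCs)--- the design documents for the Internet and many related systems --- through the mandates and guidelines issued to RFC authors. We begin by identifying six metrics that quantify the quantity and quality of security informative content. We then apply these metrics longitudinally over 8,437 documents and 49 years of development to determine whether guidance to RFC authors changed these security metrics in later documents. We find that even a simply worded --- but effectively enforced --- mandate to explicitly consider security created a significant effect in increased discussion and topic coverage of security content both in and outside of a mandated security considerations section. We find that later guidelines with more detailed advice on security also improve both volume and quality of security informative content in RFCs. Our work demonstrates that even modest amounts of guidance can correlate to significant improvements in security focus in RFCs, indicating a promising approach for other network standards bodies.},
}

@inproceedings{wermke_huaman_acar_reaves_traynor_fahl_2018,
  author    = {Wermke, Dominik and Huaman, Nicolas and Acar, Yasemin and Reaves, Bradley and Traynor, Patrick and Fahl, Sascha},
  title     = {A Large Scale Investigation of Obfuscation Use in {Google Play}},
  booktitle = {34th Annual Computer Security Applications Conference ({ACSAC} 2018)},
  year      = {2018},
  pages     = {222--235},
  doi       = {10.1145/3274694.3274726},
  abstract  = {Android applications are frequently plagiarized or repackaged, and software obfuscation is a recommended protection against these practices. However, there is very little data on the overall rates of app obfuscation, the techniques used, or factors that lead to developers to choose to obfuscate their apps. In this paper, we present the first comprehensive analysis of the use of and challenges to software obfuscation in Android applications. We analyzed 1.7 million free Android apps from Google Play to detect various obfuscation techniques, finding that only 24.92\% of apps are obfuscated by the developer. To better understand this rate of obfuscation, we surveyed 308 Google Play developers about their experiences and attitudes about obfuscation. We found that while developers feel that apps in general are at risk of plagiarism, they do not fear theft of their own apps. Developers also report difficulties obfuscating their own apps. To better understand, we conducted a follow-up study where the vast majority of 70 participants failed to obfuscate a realistic sample app even while many mistakenly believed they had been successful. These findings have broad implications both for improving the security of Android apps and for all tools that aim to help developers write more secure software.},
}

@article{reaves_vargas_scaife_tian_blue_traynor_butler_2019,
  author    = {Reaves, Bradley and Vargas, Luis and Scaife, Nolen and Tian, Dave and Blue, Logan and Traynor, Patrick and Butler, Kevin R. B.},
  title     = {Characterizing the Security of the {SMS} Ecosystem with Public Gateways},
  journal   = {{ACM} Transactions on Privacy and Security},
  volume    = {22},
  number    = {1},
  year      = {2019},
  month     = jan,
  issn      = {2471-2574},
  doi       = {10.1145/3268932},
  abstract  = {Recent years have seen the Short Message Service (SMS) become a critical component of the security infrastructure, assisting with tasks including identity verification and second-factor authentication. At the same time, this messaging infrastructure has become dramatically more open and connected to public networks than ever before. However, the implications of this openness, the security practices of benign services, and the malicious misuse of this ecosystem are not well understood. In this article, we provide a comprehensive longitudinal study to answer these questions, analyzing over 900,000 text messages sent to public online SMS gateways over the course of 28 months. From this data, we uncover the geographical distribution of spam messages, study SMS as a transmission medium of malicious content, and find that changes in benign and malicious behaviors in the SMS ecosystem have been minimal during our collection period. The key takeaways of this research show many services sending sensitive security-based messages through an unencrypted medium, implementing low entropy solutions for one-use codes, and behaviors indicating that public gateways are primarily used for evading account creation policies that require verified phone numbers. This latter finding has significant implications for combating phone-verified account fraud and demonstrates that such evasion will continue to be difficult to detect and prevent.},
}

@inproceedings{reaves_blue_abdullah_vargas_traynor_shrimpton_2017,
  author    = {Reaves, B. and Blue, L. and Abdullah, H. and Vargas, L. and Traynor, P. and Shrimpton, T.},
  title     = {{AuthentiCall}: Efficient identity and content authentication for phone calls},
  booktitle = {Proceedings of the 26th {USENIX} Security Symposium ({USENIX} Security '17)},
  year      = {2017},
  pages     = {575--592},
}

@article{traynor_butler_bowers_reaves_2017,
  author    = {Traynor, Patrick and Butler, Kevin and Bowers, Jasmine and Reaves, Bradley},
  title     = {{FinTechSec}: Addressing the Security Challenges of Digital Financial Services},
  journal   = {{IEEE} Security \& Privacy},
  volume    = {15},
  number    = {5},
  year      = {2017},
  pages     = {85--89},
  issn      = {1558-4046},
  doi       = {10.1109/msp.2017.3681060},
  abstract  = {Digital financial systems such as mobile money and online credit have tremendous potential to enable financial inclusion. However, in the rush to provide such systems, security and privacy have often been overlooked. This article looks into the challenges facing these truly transformative technologies and discusses how this community can help.},
}

@article{reaves_morris_2012,
  author    = {Reaves, Bradley and Morris, Thomas},
  title     = {An open virtual testbed for industrial control system security research},
  journal   = {International Journal of Information Security},
  volume    = {11},
  number    = {4},
  year      = {2012},
  month     = apr,
  pages     = {215--229},
  publisher = {Springer Science and Business Media LLC},
  issn      = {1615-5262 1615-5270},
  doi       = {10.1007/S10207-012-0164-7},
}

@article{reaves_morris_2012b,
  author    = {Reaves, Bradley and Morris, Thomas},
  title     = {Analysis and mitigation of vulnerabilities in short-range wireless communications for industrial control systems},
  journal   = ijcip,
  volume    = {5},
  number    = {3--4},
  year      = {2012},
  month     = dec,
  pages     = {154--174},
  publisher = {Elsevier BV},
  issn      = {1874-5482},
  doi       = {10.1016/j.ijcip.2012.10.001},
  abstract  = {Industrial radios deployed in critical infrastructure provide a potential vector for attackers to penetrate control systems used in the food and agriculture, chemical, critical manufacturing, dams, energy, defense industrial base, government facilities, nuclear reactors, materials and waste, transportation and water sectors. Industrial radios offer convenience and flexibility in deployment while presenting cyber security challenges that wired communications do not. This paper presents a survey of literature related to wireless communications cyber security. The paper focuses on vulnerabilities and mitigations related to multiple industrial radio technologies deployed in control systems including IEEE 802.15.4, WirelessHART, ZigBee, Bluetooth, and IEEE 802.11. This paper also discusses how industrial radio vulnerabilities may be used as vectors for simple and complex attacks on control systems found in critical infrastructure. Finally, this paper provides a set of recommendations for securing wireless networks used in control systems.},
}

@article{morris_srivastava_reaves_gao_pavurapu_reddi_2011,
  author    = {Morris, Thomas and Srivastava, Anurag and Reaves, Bradley and Gao, Wei and Pavurapu, Kalyan and Reddi, Ram},
  title     = {A control system testbed to validate critical infrastructure protection concepts},
  journal   = ijcip,
  volume    = {4},
  number    = {2},
  year      = {2011},
  month     = aug,
  pages     = {88--103},
  publisher = {Elsevier BV},
  issn      = {1874-5482},
  doi       = {10.1016/j.ijcip.2011.06.005},
  abstract  = {This paper describes the Mississippi State University SCADA Security Laboratory and Power and Energy Research laboratory. This laboratory combines model control systems from multiple critical infrastructure industries to create a testbed with functional physical processes controlled by commercial hardware and software over common industrial control system routable and non-routable networks. Laboratory exercises, functional demonstrations, and lecture material from the testbed have been integrated into a newly developed industrial control system cybersecurity course, into multiple other engineering and computer science courses, and into a series of short courses targeted to industry. Integration into the classroom allows the testbed to provide a workforce development function, prepares graduate students for research activities, and raises the profile of this research area with students. The testbed enables a research process in which cybersecurity vulnerabilities are discovered, exploits are used to understand the implications of the vulnerability on controlled physical processes, identified problems are classified by criticality and similarities in type and effect, and finally cybersecurity mitigations are developed and validated against within the testbed. Overviews of research enabled by the testbed are provided, including descriptions of software and network vulnerability research, a description of forensic data logger capability developed using the testbed to retrofit existing serial port MODBUS and DNP3 devices, and a description of intrusion detection research which leverages unique characteristics of industrial control systems.},
}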