@article{thorn_english_butler_enck_2024, title={5GAC-Analyzer: Identifying Over-Privilege Between 5G Core Network Functions}, url={https://doi.org/10.1145/3643833.3656134}, DOI={10.1145/3643833.3656134}, abstractNote={5G technology transitions the cellular network core from specialized hardware into software-based cloud-native network functions (NFs). As part of this change, the 3GPP defines an access control policy to protect NFs from one another and third-party network applications. A manual review of this policy by the 3GPP identified an over-privilege flaw that exposes cryptographic keys to all NFs. Unfortunately, such a manual review is difficult due to ambiguous documentation. In this paper, we use static program analysis to extract NF functionality from four 5G core implementations and compare that functionality to what is permissible by the 3GPP policy. We discover two previously unknown instances of over-privilege that can lead denial-of-service and extract sensitive data. We have reported our findings to the GSMA, who has confirmed the significance of these policy flaws.}, journal={PROCEEDINGS OF THE 17TH ACM CONFERENCE ON SECURITY AND PRIVACY IN WIRELESS AND MOBILE NETWORKS, WISEC 2024}, author={Thorn, Seaver and English, K. Virgil and Butler, Kevin R. B. and Enck, William}, year={2024}, pages={66–77} } @article{english_bennett_thorn_butler_enck_traynor_2024, title={Examining Cryptography and Randomness Failures in Open-Source Cellular Cores}, url={https://doi.org/10.1145/3626232.3653259}, DOI={10.1145/3626232.3653259}, journal={PROCEEDINGS OF THE FOURTEENTH ACM CONFERENCE ON DATA AND APPLICATION SECURITY AND PRIVACY, CODASPY 2024}, author={English, K. Virgil and Bennett, Nathaniel and Thorn, Seaver and Butler, Kevin R. B. and Enck, William and Traynor, Patrick}, year={2024}, pages={43–54} } @article{dunlap_thorn_enck_reaves_2023, title={Finding Fixed Vulnerabilities with Off-the-Shelf Static Analysis}, DOI={10.1109/EuroSP57164.2023.00036}, abstractNote={Software depends on upstream projects that regularly fix vulnerabilities, but the documentation of those vulnerabilities is often unreliable or unavailable. Automating the collection of existing vulnerability fixes is essential for downstream projects to reliably update their dependencies due to the sheer number of dependencies in modern software. Prior efforts rely solely on incomplete databases or imprecise or inaccurate statistical analysis of upstream repositories. In this paper, we introduce Differential Alert Analysis (DAA) to discover vulnerability fixes in software projects. In contrast to statistical analysis, DAA leverages static analysis security testing (SAST) tools, which reason over code context and semantics. We provide a language-independent implementation of DAA and show that for Python and Java based projects, DAA has high precision for a ground-truth dataset of vulnerability fixes — even with noisy and low-precision SAST tools. We then use DAA in two large-scale empirical studies covering several prominent ecosystems, finding hundreds of resolved alerts, including many never publicly disclosed. DAA thus provides a powerful, accurate primitive for software projects, code analysis tools, vulnerability databases, and researchers to characterize and enhance the security of software supply chains.}, journal={2023 IEEE 8TH EUROPEAN SYMPOSIUM ON SECURITY AND PRIVACY, EUROS&P}, author={Dunlap, Trevor and Thorn, Seaver and Enck, William and Reaves, Bradley}, year={2023}, pages={489–505} } @article{mahmud_english_thorn_enck_oest_saad_2022, title={Analysis of Payment Service Provider SDKs in Android}, url={https://doi.org/10.1145/3564625.3564641}, DOI={10.1145/3564625.3564641}, abstractNote={Payment Service Providers (PSPs) provide software development toolkits (SDKs) for integrating complex payment processing code into applications. Security weaknesses in payment SDKs can impact thousands of applications. In this work, we propose AARDroid for statically assessing payment SDKs against OWASP’s MASVS industry standard for mobile application security. In creating AARDroid, we adapted application-level requirements and program analysis tools for SDK-specific analysis, tailoring dataflow analysis for SDKs using domain-specific ontologies to infer the security semantics of application programming interfaces (APIs). We apply AARDroid to 50 payment SDKs and discover security weaknesses including saving unencrypted credit card information to files, use of insecure cryptographic primitives, insecure input methods for credit card information, and insecure use of WebViews. These results demonstrate the value of applying security analysis at the SDK granularity to prevent the widespread deployment of insecure code.}, journal={PROCEEDINGS OF THE 38TH ANNUAL COMPUTER SECURITY APPLICATIONS CONFERENCE, ACSAC 2022}, author={Mahmud, Samin Yaseer and English, K. Virgil and Thorn, Seaver and Enck, William and Oest, Adam and Saad, Muhammad}, year={2022}, pages={576–590} }