The Security Development Lifecycle
Published in James F. Ransome, Anmol, Mark S. Merkow, Practical Core Software Security, 2023
James F. Ransome, Anmol, Mark S. Merkow
Limiting the elevation of privilege is a significant part of threat modeling as a core component of the Architecture (A2) phase of our SDL, which we will discuss in Chapter 4. The concept of elevation of privilege is considered so important that it is the theme of a Microsoft Security Development Lifecycle card game designed to train developers and security professionals to quickly and easily find threats to software or computer systems.[38] An unauthorized privilege escalation attack takes advantage of programming errors or design flaws to grant the attacker elevated access to the network and its associated data and applications. These attacks can be either vertical, where the attacker grants himself higher privileges, or horizontal, where the attacker uses the same level of privileges he has already been granted but assumes the identity of another user with similar privileges.
Cyber Offence Landscape
Published in Stanislav Abaimov, Maurizio Martellini, Cyber Arms, 2020
Stanislav Abaimov, Maurizio Martellini
Privilege escalation is the process of gaining higher-level access rights to the target system by exploiting system vulnerabilities from already existing partial access. It can be accomplished through the exploitation of the system kernel, or by taking advantage of misconfigurations, insecurely set configurations, and local applications that operate with higher permissions. In misconfigured systems the low-privileged user may be able to act as an administrator directly and run specific commands, which an attacker might misuse. Attackers may also be able to access and modify custom-made scripts or shell scripts that are not secured properly, in order to pass operating system commands through them or gain direct access to an operating system shell.
Securing Web Applications Using Security Patterns
Published in Durgesh Kumar Mishra, Nilanjan Dey, Bharat Singh Deora, Amit Joshi, ICT for Competitive Strategies, 2020
Charu Gupta, R. K. Singh, A. K. Mohapatra
For prevention of attacks due to Broken Authentication, the security patterns Password Design and Use, Identification and Authentication, Authorisation, Secure Session, Multilevel Security, Account Lockout, XML Message Inspector, and XML Message Router are required. No framework considered in this paper has implemented all of them. A developer should incorporate these to ensure a strong password policy, account lockout to prevent brute-force attacks, and secure session creation and management to prevent spoofing attacks in a web application. These patterns, along with Authorizer, Role-Based Access, Single Access Point, Check Point, and Secure State Machine, will prevent privilege escalation.
AI-enabled IoT penetration testing: state-of-the-art and research challenges
Published in Enterprise Information Systems, 2023
Claudia Greco, Giancarlo Fortino, Bruno Crispo, Kim-Kwang Raymond Choo
Giaretta, Donno, and Dragoni (2018) tested the security of Pepper, a commercial humanoid social robot by SoftBank Robotics, performing both automated and manual assessment, which revealed a relevant number of security flaws. Automated assessment showed that Pepper was running outdated software and supporting weak SSH encryption and weak SSH MAC (Message Authentication Code) algorithms, while neither the X-Frame-Options header nor Web Browser XSS Protection was enabled. Several attacks were thereby made possible, including spoofing login credentials, privilege escalation, stealing data stored in the robot, hacking other devices connected to it, and even physically harming people. Pepper also turned out to be prone to Meltdown and Spectre attacks. Larsson Forsberg and Olsson (2019) examined the security of a robot vacuum cleaner. The tests were performed on a device designed and produced by the Chinese company Shenzhen Jisiwei Intelligent Technology Co., Ltd, revealing that the communication between the mobile application and the server takes place over insecure HTTP, allowing an attacker to steal sensitive information such as username and password. The authors also discovered that an attacker can easily guess the device QR code needed to bind the targeted robot vacuum cleaner to his own account. Hollerer et al. (2021) tested the Panda robot by Franka Emika, revealing serious vulnerabilities in the web application, such as broken authentication and exposure to attacks such as DoS, theft of valid credentials, and XSS.
A lightweight privacy-preserving data aggregation scheme with provable security for internet-of-things
Published in International Journal of Computers and Applications, 2020
In this study, we put forward a new pairing-free privacy-aware data aggregation scheme suitable for IoT applications. The scheme was designed using elliptic curve cryptography and hash function operations. It enjoys the property of autonomy, in which IoT nodes need not maintain any permanent or frequent contact with the key generation center. In addition, our scheme is anonymous, supports conditional traceability and non-repudiation, provides a countermeasure against privilege escalation, and is resistant to various attacks. We demonstrated the security of the scheme using a game process in the random oracle model and proved that it is secure against both Type I and Type II adversaries provided the Elliptic Curve Discrete Logarithm problem is intractable. Compared with related state-of-the-art schemes, the scheme has a significant improvement in efficiency. Therefore, the proposed scheme is suitable for practical deployment in IoT environments.
FloVasion: Towards Detection of non-sensitive Variable Based Evasive Information-Flow in Android Apps
Published in IETE Journal of Research, 2022
Bharat Buddhadev, Parvez Faruki, Manoj Singh Gaur, Shubham Kharche, Akka Zemmari
An attacker may break security systems by violating the initial defense assumptions. Covert [37] illustrates this with a novel covert channel attack: two entities can communicate by manipulating shared resources in unintended ways, endangering critical assets. Attackers employ similar mechanisms to leak sensitive information from a device. The approaches presented in Section 4 can be used to improve the detection rate. DroidScope [38] is an OS-based dynamic analysis framework. Unlike other dynamic analysis platforms, it stays outside the emulator and monitors the OS and Dalvik semantics, which makes it possible to detect privilege escalation attacks on the Android kernel. It also makes the attacker's task of disrupting analysis difficult. DroidScope is built upon the QEMU emulator with a rich set of APIs to customize the malware analysis prototype. The Android malware families DroidKungFu and DroidDream were analyzed and detected with this technique. TriFlow [39] combines a probabilistic model that predicts the existence of information flows with a significance matrix to differentiate benign apps from malware. Unauthorized access to protected resources is a clear indicator of risk, and most triage systems for Android apps have relied quite heavily on requested permissions [40–45]. Using permissions alone to assess risk has significant limitations [46]. TriFlow predicts the existence of information flow based on features extracted from apps, and relies on FlowDroid to detect app information flow. Droid Chameleon is a systematic framework with various transformation techniques that may be used to transform Android apps automatically [47]. Droid Chameleon is employed to generate synthetic variants of existing malware for the Android platform through specific transformation techniques.