-
Towards new challenges of modern Pentest
Authors:
Daniel Dalalana Bertoglio,
Arthur Gil,
Juan Acosta,
Julia Godoy,
Roben Castagna Lunardi,
Avelino Francisco Zorzo
Abstract:
With the increasing number of internet-based resources and applications, the amount of attacks faced by companies has increased significantly in the past years. Likewise, the techniques to test security and emulate attacks need to be constantly improved and, as a consequence, help to mitigate attacks. Among these techniques, penetration test (Pentest) provides methods to assess the security postur…
▽ More
With the increasing number of internet-based resources and applications, the amount of attacks faced by companies has increased significantly in the past years. Likewise, the techniques to test security and emulate attacks need to be constantly improved and, as a consequence, help to mitigate attacks. Among these techniques, penetration test (Pentest) provides methods to assess the security posture of assets, using different tools and methodologies applied in specific scenarios. Therefore, this study aims to present current methodologies, tools, and potential challenges applied to Pentest from an updated systematic literature review. As a result, this work provides a new perspective on the scenarios where penetration tests are performed. Also, it presents new challenges such as automation of techniques, management of costs associated with offensive security, and the difficulty in hiring qualified professionals to perform Pentest.
△ Less
Submitted 21 November, 2023;
originally announced November 2023.
-
Context-based smart contracts for appendable-block blockchains
Authors:
Henry C. Nunes,
Roben C. Lunardi,
Avelin F. Zorzo,
Regio A. Michelin,
Salil S. Kanhere
Abstract:
Currently, blockchain proposals are being adopted to solve security issues, such as data integrity, resilience, and non-repudiation. To improve certain aspects, e.g., energy consumption and latency, of traditional blockchains, different architectures, algorithms, and data management methods have been recently proposed. For example, appendable-block blockchain uses a different data structure design…
▽ More
Currently, blockchain proposals are being adopted to solve security issues, such as data integrity, resilience, and non-repudiation. To improve certain aspects, e.g., energy consumption and latency, of traditional blockchains, different architectures, algorithms, and data management methods have been recently proposed. For example, appendable-block blockchain uses a different data structure designed to reduce latency in block and transaction insertion. It is especially applicable in domains such as Internet of Things (IoT), where both latency and energy are key concerns. However, the lack of some features available to other blockchains, such as Smart Contracts, limits the application of this model. To solve this, in this work, we propose the use of Smart Contracts in appendable-block blockchain through a new model called context-based appendable-block blockchain. This model also allows the execution of multiple smart contracts in parallel, featuring high performance in parallel computing scenarios. Furthermore, we present an implementation for the context-based appendable-block blockchain using an Ethereum Virtual Machine (EVM). Finally, we execute this implementation in four different testbed. The results demonstrated a performance improvement for parallel processing of smart contracts when using the proposed model.
△ Less
Submitted 2 May, 2020;
originally announced May 2020.
-
Data-Driven Model-Based Analysis of the Ethereum Verifier's Dilemma
Authors:
Maher Alharby,
Roben Castagna Lunardi,
Amjad Aldweesh,
Aad van Moorsel
Abstract:
In proof-of-work based blockchains such as Ethereum, verification of blocks is an integral part of establishing consensus across nodes. However, in Ethereum, miners do not receive a reward for verifying. This implies that miners face the Verifier's Dilemma: use resources for verification, or use them for the more lucrative mining of new blocks? We provide an extensive analysis of the Verifier's Di…
▽ More
In proof-of-work based blockchains such as Ethereum, verification of blocks is an integral part of establishing consensus across nodes. However, in Ethereum, miners do not receive a reward for verifying. This implies that miners face the Verifier's Dilemma: use resources for verification, or use them for the more lucrative mining of new blocks? We provide an extensive analysis of the Verifier's Dilemma, using a data-driven model-based approach that combines closed-form expressions, machine learning techniques and discrete-event simulation. We collect data from over 300,000 smart contracts and experimentally obtain their CPU execution times. Gaussian Mixture Models and Random Forest Regression transform the data into distributions and inputs suitable for the simulator. We show that, indeed, it is often economically rational not to verify. We consider two approaches to mitigate the implications of the Verifier's Dilemma, namely parallelization and active insertion of invalid blocks, both will be shown to be effective.
△ Less
Submitted 27 April, 2020;
originally announced April 2020.
-
Impact of consensus on appendable-block blockchain for IoT
Authors:
Roben C. Lunardi,
Regio A. Michelin,
Charles V. Neu,
Avelino F. Zorzo,
Salil S. Kanhere
Abstract:
The Internet of Things (IoT) is transforming our physical world into a complex and dynamic system of connected devices on an unprecedented scale. Connecting everyday physical objects is creating new business models, improving processes and reducing costs and risks. Recently, blockchain technology has received a lot of attention from the community as a possible solution to overcome security issues…
▽ More
The Internet of Things (IoT) is transforming our physical world into a complex and dynamic system of connected devices on an unprecedented scale. Connecting everyday physical objects is creating new business models, improving processes and reducing costs and risks. Recently, blockchain technology has received a lot of attention from the community as a possible solution to overcome security issues in IoT. However, traditional blockchains (such as the ones used in Bitcoin and Ethereum) are not well suited to the resource-constrained nature of IoT devices and also with the large volume of information that is expected to be generated from typical IoT deployments. To overcome these issues, several researchers have presented lightweight instances of blockchains tailored for IoT. For example, proposing novel data structures based on blocks with decoupled and appendable data. However, these researchers did not discuss how the consensus algorithm would impact their solutions, i.e., the decision of which consensus algorithm would be better suited was left as an open issue. In this paper, we improved an appendable-block blockchain framework to support different consensus algorithms through a modular design. We evaluated the performance of this improved version in different emulated scenarios and studied the impact of varying the number of devices and transactions and employing different consensus algorithms. Even adopting different consensus algorithms, results indicate that the latency to append a new block is less than 161ms (in the more demanding scenario) and the delay for processing a new transaction is less than 7ms, suggesting that our improved version of the appendable-block blockchain is efficient and scalable, and thus well suited for IoT scenarios.
△ Less
Submitted 22 December, 2019;
originally announced December 2019.
-
Pentest on an Internet Mobile App: A Case Study using Tramonto
Authors:
Daniel Dalalana Bertoglio,
Guilherme Girotto,
Charles Varlei Neu,
Roben Castagna Lunardi,
and Avelino Francisco Zorzo
Abstract:
Mobile applications are used to handle different types of data. Commonly, there is a set of personal identifiable information present in the data stored, shared and used by these applications. From that, attackers can try to exploit the mobile application in order to obtain or to cause private data leakage. Therefore, performing security assessments is an important practice to find vulnerabilities…
▽ More
Mobile applications are used to handle different types of data. Commonly, there is a set of personal identifiable information present in the data stored, shared and used by these applications. From that, attackers can try to exploit the mobile application in order to obtain or to cause private data leakage. Therefore, performing security assessments is an important practice to find vulnerabilities in the applications and systems before the application is deployed, or even during their use. Regarding security assessments, Penetration Test (Pentest) is one of the security test types that can be used to detect vulnerabilities through simulated attacks. Additionally, Pentest can be performed using different methodologies and best practices, through several frameworks to: organize the test execution, execute tools, provide estimations, provide reports and document a Pentest. One such framework is Tramonto, which aims to assist a cybersecurity expert during the Pentest execution by providing organization, standardization and flexibility to the whole Pentest process. This paper presents a Pentest case study applied to a Brazilian university Mobile App using the Tramonto framework. The main goal of this case study is to present how Tramonto can be applied during a Pentest execution, assisting cybersecurity experts in the tasks included in the Pentest process. Our results show details on how to perform a Pentest using Tramonto and the found vulnerabilities in the Mobile App. Besides that, there is a discussion about the main contributions obtained from our results, and we were able to verify that Tramonto managed, organized and optimized the whole Pentest process.
△ Less
Submitted 20 December, 2019;
originally announced December 2019.
-
Performance and Cost Evaluation of Smart Contracts in Collaborative Health Care Environments
Authors:
Roben Castagna Lunardi,
Henry Cabral Nunes,
Vinicius da Silva Branco,
Bruno Hugentobler Lipper,
Charles Varlei Neu,
Avelino Francisco Zorzo
Abstract:
Blockchain emerged as a solution for data integrity, non-repudiation, and availability in different applications. Data sensitive scenarios, such as Health Care, can also benefit from these blockchain properties. Consequently, different research proposed the adoption of blockchain in Health Care applications. However, few are discussed about incentive methods to attract new users, as well as to mot…
▽ More
Blockchain emerged as a solution for data integrity, non-repudiation, and availability in different applications. Data sensitive scenarios, such as Health Care, can also benefit from these blockchain properties. Consequently, different research proposed the adoption of blockchain in Health Care applications. However, few are discussed about incentive methods to attract new users, as well as to motivate the system or application usage by existing end-users. Also, little is discussed about performance during code execution in blockchains. In order to tackle these issues, this work presents the preliminary evaluation of TokenHealth, an application for collaborative health practice monitoring with gamification and token-based incentives. The proposed solution is implemented through smart contracts using Solidity in the Ethereum blockchain. We evaluated the performance of both in Ropsten test network and in a Private instance. The preliminary results show that the execution of smart contracts takes less than a minute for a full cycle of different smart contracts. Also, we present a discussion about costs for using a Private instance and the public Ethereum main network.
△ Less
Submitted 20 December, 2019;
originally announced December 2019.
-
A journey in applying blockchain for cyberphysical systems
Authors:
Volkan Dedeoglu,
Ali Dorri,
Raja Jurdak,
Regio A. Michelin,
Roben C. Lunardi,
Salil S. Kanhere,
Avelino F. Zorzo
Abstract:
Cyberphysical Systems (CPS) are transforming the way we interact with the physical world around us. However, centralised approaches for CPS systems are not capable of addressing the unique challenges of CPS due to the complexity, constraints, and dynamic nature of the interactions. To realize the true potential of CPS, a decentralized approach that takes into account these unique features is requi…
▽ More
Cyberphysical Systems (CPS) are transforming the way we interact with the physical world around us. However, centralised approaches for CPS systems are not capable of addressing the unique challenges of CPS due to the complexity, constraints, and dynamic nature of the interactions. To realize the true potential of CPS, a decentralized approach that takes into account these unique features is required. Recently, blockchain-based solutions have been proposed to address CPS challenges.Yet, applying blockchain for diverse CPS domains is not straight-forward and has its own challenges. In this paper, we share our experiences in applying blockchain technology for CPS to provide insights and highlight the challenges and future opportunities.
△ Less
Submitted 3 December, 2019;
originally announced December 2019.
-
SpeedyChain: A framework for decoupling data from blockchain for smart cities
Authors:
Regio A. Michelin,
Ali Dorri,
Roben C. Lunardi,
Marco Steger,
Salil S. Kanhere,
Raja Jurdak,
Avelino F. Zorzo
Abstract:
There is increased interest in smart vehicles acting as both data consumers and producers in smart cities. Vehicles can use smart city data for decision-making, such as dynamic routing based on traffic conditions. Moreover, the multitude of embedded sensors in vehicles can collectively produce a rich data set of the urban landscape that can be used to provide a range of services. Key to the succes…
▽ More
There is increased interest in smart vehicles acting as both data consumers and producers in smart cities. Vehicles can use smart city data for decision-making, such as dynamic routing based on traffic conditions. Moreover, the multitude of embedded sensors in vehicles can collectively produce a rich data set of the urban landscape that can be used to provide a range of services. Key to the success of this vision is a scalable and private architecture for trusted data sharing. This paper proposes a framework called SpeedyChain, that leverages blockchain technology to allow smart vehicles to share their data while maintaining privacy, integrity, resilience and non-repudiation in a decentralized, and tamper-resistant manner. Differently from traditional blockchain usage (e.g., Bitcoin and Ethereum), the proposed framework uses a blockchain design that decouples the data stored in the transactions from the block header, thus allowing for fast addition of data to the blocks. Furthermore, an expiration time for each block to avoid large sized blocks is proposed. This paper also presents an evaluation of the proposed framework in a network emulator to demonstrate its benefits.
△ Less
Submitted 5 July, 2018;
originally announced July 2018.