Kevin Dennis

Variadic-function attacks and format-string attacks continue to threaten modern C/C++ software applications. When successfully executed, attackers are able to read, write, or execute arbitrary program memory. While such attacks are well-known, and a number of mitigating techniques have been proposed, the only widely adopted mitigations are compiler warnings. These warnings are an incomplete solution because they rely on programmers to take action. To address the problem of variadic-function attacks, this paper proposes Argument Width Counting (AWC), a new memory access-control policy that, when enforced, mitigates all observed variadic-function attacks, including format-string attacks. AWC tracks the initial width or size of variadic arguments allocated on the stack and requires that variadic functions cannot request more bytes than initially allocated. When enforced, this policy limits variadic functions to the segments of memory allocated to the variadic arguments.

A prototype for AWC has been implemented and evaluated on LLVM's Clang C/C++ compiler and the accompanying libc++ standard library. The implementation modifies the compiler's function-generation code to store variadic argument widths and to validate these values later when variadic arguments are accessed. As part of the evaluation, the prototype's performance overhead was tested and compared to existing solutions. Due to the simplicity of the related calculations and checks, the prototype incurs low overhead and outperforms the existing lightweight solutions. Microbenchmarking AWC returns around 22% overhead for 0 to 16 arguments. This overhead is less than 1% when benchmarked on real-world programs.

The Function-as-a-Service cloud computing paradigm has made large-scale application development convenient and efficient as developers no longer need to deploy or manage the necessary infrastructure themselves. However, as a consequence of this abstraction, developers lose insight into how their code is executed and data is processed. Cloud providers currently offer little to no assurance of the integrity of customer data. One approach to robust data integrity verification is the analysis of data provenance-—logs that describe the causal history of data, applications, users, and non-person entities. This paper introduces ProProv, a new domain-specific language and graphical user interface for specifying policies over provenance metadata to automate provenance analyses.

To evaluate the convenience and usability of the new ProProv interface, 61 individuals were recruited to construct provenance policies using both ProProv and the popular, general-purpose policy specification language Rego—used as a baseline for comparison. We found that, compared to Rego, the ProProv interface greatly increased the number of policies successfully constructed, improved the time taken to construct those policies, and reduced the failed-attempt rate. Participants successfully constructed 73% of the requested policies using ProProv, compared to 41% using Rego. To further evaluate the usability of the tools, participants were given a 10-question questionnaire measured using the System Usability Scale (SUS). The median SUS score for the graphical ProProv interface was above average and fell into the “excellent” category, compared to below average and “OK” for Rego. These results highlight the impacts that graphical domainspecific tools can have on the accuracy and speed of policy construction.

Mobile fare payment applications are becoming increasingly commonplace in the public transportation industry as both a customer convenience and an effort to reduce fare management costs and improve operations for agencies. However, there is relatively little literature on vulnerabilities and liabilities in mobile fare payment applications. Furthermore, few public agencies or supporting vendors have policies or established processes in place to receive vulnerability reports or patch vulnerabilities discovered in their technologies. Given the rapidly increasing number of data breaches in general industry IT systems, as well as the fact that mobile fare payment apps are a nexus between customer and agency financial information, the security of these mobile applications deserve further scrutiny. This paper presents a vulnerability discovered in a mobile fare payment application deployed at a transit agency in Florida that, due to the system architecture, may have affected customers in as many as 40 cities across the United States - an estimated 1,554,000 users. Lessons learned from the vulnerability disclosure process followed by the research team as well as recommendations for public agencies seeking to improve the security of these types of applications are also discussed. 

Transportation information technologies (IT) have significantly developed in recent years from individual nodes to large, interconnected networks of devices, similar to those seen in modern IT systems. With this rapid development comes security concerns that have typically been constrained to classical computer systems. This paper reviews the existing literature regarding the state of cybersecurity in public transportation, focusing on the technical aspects of security previously published in technical venues. In particular, the paper examines transit technologies, equipment, and protocols for known vulnerabilities and defenses. Existing attack and vulnerabilities were identified for the following technologies: connected vehicles (CVs), autonomous vehicles (AVs), electronic ticketing systems, traffic signal controllers, traffic signal priority/preemption (TSP), and dynamic message signs (DMS). No known vulnerabilities were found in the literature for AVL/CAD systems, online trip planners, mobile fare payment, onboard Wi-Fi, CCTV, and APCs, but given their complexity, their wide attack surfaces, and the known vulnerabilities in related technologies, the authors believe that it is reasonable to expect that security vulnerabilities do exist in these technologies as well. Several directions for future work are discussed, including better employee training, architecture of on-board Wi-Fi systems used for critical operational purposes, and data encryption and sharing policies at the agency, especially as related to customer data.