Innovative mobile and internet services in ubiquitous computing 2018


Advances in Intelligent Systems and Computing 773

Leonard Barolli · Fatos Xhafa · Nadeem Javaid · Tomoya Enokido, Editors

Innovative Mobile and Internet Services in Ubiquitous Computing
Proceedings of the 12th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS-2018)

Advances in Intelligent Systems and Computing, Volume 773

Series editor: Janusz Kacprzyk, Polish Academy of Sciences, Warsaw, Poland, e-mail: kacprzyk@ibspan.waw.pl

The series “Advances in Intelligent Systems and Computing” contains publications on theory, applications, and design methods of Intelligent Systems and Intelligent Computing. Virtually all disciplines such as engineering, natural sciences, computer and information science, ICT, economics, business, e-commerce, environment, healthcare, life science are covered. The list of topics spans all the areas of modern intelligent systems and computing such as: computational intelligence, soft computing including neural networks, fuzzy systems, evolutionary computing and the fusion of these paradigms, social intelligence, ambient intelligence, computational neuroscience, artificial life, virtual worlds and society, cognitive science and systems, Perception and Vision, DNA and immune based systems, self-organizing and adaptive systems, e-Learning and teaching, human-centered and human-centric computing, recommender systems, intelligent control, robotics and mechatronics including human-machine teaming, knowledge-based paradigms, learning paradigms, machine ethics, intelligent data analysis, knowledge management, intelligent agents, intelligent decision making and support, intelligent network security, trust management, interactive entertainment, Web intelligence and multimedia.

The publications within “Advances in Intelligent Systems and Computing” are primarily proceedings of important conferences, symposia and congresses. They cover significant recent developments in the field, both of a foundational and applicable
character. An important characteristic feature of the series is the short publication time and world-wide distribution. This permits a rapid and broad dissemination of research results.

Advisory Board

Chairman
Nikhil R. Pal, Indian Statistical Institute, Kolkata, India, e-mail: nikhil@isical.ac.in

Members
Rafael Bello Perez, Universidad Central “Marta Abreu” de Las Villas, Santa Clara, Cuba, e-mail: rbellop@uclv.edu.cu
Emilio S. Corchado, University of Salamanca, Salamanca, Spain, e-mail: escorchado@usal.es
Hani Hagras, University of Essex, Colchester, UK, e-mail: hani@essex.ac.uk
László T. Kóczy, Széchenyi István University, Győr, Hungary, e-mail: koczy@sze.hu
Vladik Kreinovich, University of Texas at El Paso, El Paso, USA, e-mail: vladik@utep.edu
Chin-Teng Lin, National Chiao Tung University, Hsinchu, Taiwan, e-mail: ctlin@mail.nctu.edu.tw
Jie Lu, University of Technology, Sydney, Australia, e-mail: Jie.Lu@uts.edu.au
Patricia Melin, Tijuana Institute of Technology, Tijuana, Mexico, e-mail: epmelin@hafsamx.org
Nadia Nedjah, State University of Rio de Janeiro, Rio de Janeiro, Brazil, e-mail: nadia@eng.uerj.br
Ngoc Thanh Nguyen, Wroclaw University of Technology, Wroclaw, Poland, e-mail: Ngoc-Thanh.Nguyen@pwr.edu.pl
Jun Wang, The Chinese University of Hong Kong, Shatin, Hong Kong, e-mail: jwang@mae.cuhk.edu.hk

More information about this series at http://www.springer.com/series/11156

Editors
Leonard Barolli, Faculty of Information Engineering, Department of Information and Communication Engineering, Fukuoka Institute of Technology, Fukuoka, Japan
Fatos Xhafa, Technical University of Catalonia, Barcelona, Spain
Nadeem Javaid, Department of Computer Science, COMSATS Institute of Information Technology, Islamabad, Pakistan
Tomoya Enokido,
Rissho University, Tokyo, Japan

ISSN 2194-5357, ISSN 2194-5365 (electronic)
Advances in Intelligent Systems and Computing
ISBN 978-3-319-93553-9, ISBN 978-3-319-93554-6 (eBook)
https://doi.org/10.1007/978-3-319-93554-6
Library of Congress Control Number: 2018946631

© Springer International Publishing AG, part of Springer Nature 2019

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Printed on acid-free paper

This Springer imprint is published by the registered company Springer International Publishing AG, part of Springer Nature. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

Welcome Message of IMIS-2018 International Conference Organizers

Welcome to the 12th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS-2018), which will be held from July 4th
to July 6th, 2018, at Kunibiki Messe, Matsue, Japan, in conjunction with the 12th International Conference on Complex, Intelligent and Software Intensive Systems (CISIS-2018).

This International Conference focuses on the challenges and solutions for Ubiquitous and Pervasive Computing (UPC) with an emphasis on innovative, mobile, and Internet services. With the proliferation of wireless technologies and electronic devices, there is a fast-growing interest in UPC. UPC makes it possible to create a human-oriented computing environment where computer chips are embedded in everyday objects and interact with the physical world. Through UPC, people can get online even while moving around, thus having almost permanent access to their preferred services. With a great potential to revolutionize our lives, UPC also poses new research challenges. The conference provides an opportunity for academic and industry professionals to discuss the latest issues and progress in the area of UPC.

For IMIS-2018, we received many paper submissions from all over the world. The papers included in the proceedings cover important aspects of the UPC research domain. This year, we received 168 submissions and after a careful review process of independent reviews per submission, 47 papers were accepted (about 28% acceptance rate).

It is impossible to organize such a successful program without the help of many individuals. We would like to express our great appreciation to the authors of the submitted papers, the program committee members, who provided timely and significant reviews, and special session chairs for their great efforts. We are grateful to Honorary Chair: Prof. Makoto Takizawa, Hosei University, Japan, for his advice and support.

This year in conjunction with IMIS-2018 we have International Workshops that complemented IMIS-2018 program with contributions for specific topics. We would like to thank the Workshop Co-chairs and all workshop organizers for organizing these workshops.

We thank Donald Elmazi, Yi Liu, Miralda Cuka, and Kosuke Ozera, Fukuoka Institute of Technology, Japan, for their excellent work and support as Web Administrators.

Finally, we would like to thank: Matsue City, Shimane Prefecture, Support Center for Advanced Telecommunications Technology Research (SCAT), Foundation, Japan, for their support.

We hope that all of you enjoy IMIS-2018 and find this a productive opportunity to learn, exchange ideas, and make new contacts.

IMIS-2018 International Conference Organizers

IMIS-2018 General Chair
Leonard Barolli, Fukuoka Institute of Technology (FIT), Japan

IMIS-2018 Program Committee Co-chairs
Tomoya Enokido, Rissho University, Japan
Nadeem Javaid, COMSATS Institute of IT, Pakistan
Hsing-Chung Chen, Asia University, Taiwan

Welcome Message from IMIS-2018 Workshops Co-chairs

Welcome to the Workshops of the 12th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS-2018), which will be held from July 4th to July 6th, 2018 at Kunibiki Messe, Matsue, Japan.

This year we have workshops, which will be held together with IMIS-2018. The objective was to complement as much as possible the main themes of IMIS-2018 with the specific topics of the different workshops to cover many topics of Ubiquitous and Pervasive Computing (UPC). The list of workshops follows below:

The 12th International Workshop on Advances in Information Security (WAIS-2018)
The 8th International Workshop on Mobile Commerce, Cloud Computing, Network and Communication Security (MCNCS-2018)
The 8th International Workshop on Intelligent Techniques and Algorithms for Ubiquitous Computing (ITAUC-2018)
The 8th International Workshop on Future Internet and Next Generation Networks (FINGNet-2018)
The 7th International Workshop on Frontiers in Innovative Mobile and Internet Services (FIMIS-2018)
The 7th International Workshop on Sustainability Management of e-Business and Ubiquitous Commerce Engineering
(SMEUCE-2018)
The 4th International Workshop on Big Data and IoT Security (BDITS-2018)

We would like to thank IMIS-2018 International Conference Organizers for their help and support. We are grateful to the workshop organizers for their great efforts and hard work in proposing the workshops, selecting the papers, organizing interesting programs, and for the arrangements of the workshops during the conference days. We are grateful to Donald Elmazi, Yi Liu, Miralda Cuka, and Kosuke Ozera, Fukuoka Institute of Technology, Japan, for their excellent work and support as Web Administrators.

We hope you enjoy the workshops programs and proceedings.

Workshops Co-chairs of IMIS-2018 International Conference
Hae-Duck Joshua Jeong, Korean Bible University, Korea
Hiroaki Kikuchi, Meiji University, Japan
Fang-Yie Leu, Tunghai University, Taiwan

IMIS-2018 Organizing Committee

Honorary Chair
Makoto Takizawa, Hosei University, Japan

General Chair
Leonard Barolli, Fukuoka Institute of Technology, Japan

Program Committee Co-chairs
Tomoya Enokido, Rissho University, Japan
Nadeem Javaid, COMSATS Institute of IT, Pakistan
Hsing-Chung Chen, Asia University, Taiwan

Workshops Co-chairs
Hae-Duck Joshua Jeong, Korean Bible University, Korea
Hiroaki Kikuchi, Meiji University, Japan
Fang-Yie Leu, Tunghai University, Taiwan

Advisory Committee Members
Vincenzo Loia, University of Salerno, Italy
Arjan Durresi, IUPUI, USA
Kouichi Sakurai, Kyushu University, Japan

Award Co-chairs
Kangbin Yim, SCH University, Korea
Antonio J. Jara, HES-SO, Switzerland
Marek Ogiela, AGH University of Science and Technology, Poland

International Liaison Co-chairs
Francesco Palmieri, University of Salerno, Italy
Xiaofeng Chen, Xidian University, China
Kin Fun Li, University of Victoria, Canada

920    H.-C. Chen et al.

and consumer based IoT applications. Bahga et al. [12] presented a Blockchain Platform for Industrial Internet of
Things (BPIIoT). The BPIIoT platform could enable a marketplace of manufacturing services where the machines have their own Blockchain accounts and the users are able to provision and transact with the machines directly to avail manufacturing services. In [4], the authors identified the key security and trust related challenges and showed how blockchains could be used to overcome them. They also presented the design of a blockchain assisted information distribution system for the IoT and analyzed how the key security mechanisms could be built by leveraging blockchain technology. Therefore, IoT application development has been done with various technologies to improve service and security. In this paper, the proposed approach is compared with the related works mentioned above; the highlighted common themes are the integration of IoT applications based on a private Blockchain network, and trust evaluation between IoT devices and Blockchain nodes during the blockchain transaction processes.

Conclusion

The IoT application based on blockchain technology is highly credible and developed. The cooperative evaluation method is becoming an increasingly important requirement in developing systems that integrate IoT applications based on Blockchain technology. Therefore, the cooperative evaluation approach proposed in this paper will improve the value of trustworthiness among the blockchain agent nodes to increase the degree of a successful transaction in the Blockchain network. In addition, the blockchain is typically managed by a peer-to-peer network collectively adhering to a protocol for validating new blocks. Once recorded, the data in any given block cannot be altered retroactively without the alteration of all subsequent blocks, which requires collusion of the network majority. Thus, the sink node in this paper acts as a blockchain agent node which could evaluate the behaviours of the managed and monitored IoT devices. It could also evaluate another blockchain agent
node based on the transaction history or events logged in the private blockchain network. Finally, the cooperative evaluation method proposed in this paper has an impact on enhancing security in IoT applications based on blockchain technology.

Acknowledgments. This work was supported by the Ministry of Science and Technology (MOST), Taiwan, Republic of China, under Grant MOST 106-2632-E-468-003.

References

1. Swan, M.: Blockchain: Blueprint for a New Economy, 1st Edition. O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol (2015)
2. Cag, D.: https://richtopia.com/emerging-technologies/review-6-major-blockchainprotocols. Accessed 20 Apr 2018
3. Voshmgir, S., Kalinov, V.: https://blockchainhub.net/blockchains-and-distributed-ledgertechnologies-ingeneral/. Accessed 20 Apr 2018

A Cooperative Evaluation Approach Based on Blockchain Technology    921

4. Polyzos, G.C., Fotiou, N.: Blockchain-assisted information distribution for the internet of things. In: IEEE International Conference on Information Reuse and Integration, San Diego, pp. 75–78 (2017)
5. Nakamoto, S.: Bitcoin: A Peer-to-Peer Electronic Cash System, pp. 1–9 (2008)
6. Ammar, M., Russello, G., Crispo, B.: Internet of Things: a survey on the security of IoT framework. J. Inf. Secur. Appl. 38, 8–27 (2018)
7. de Kruijff, J., Weigand, H.: Understanding the blockchain using enterprise ontology. In: Dubois, E., Pohl, K. (eds.)
CAiSE 2017. LNCS, vol. 10253, pp. 29–43. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59536-8_3
8. Sun, Y., Song, H., Jara, A.J., Bie, R.F.: Internet of things and big data analytics for smart and connected communities. IEEE Access 4, 766–773 (2016)
9. Dorri, A., Kanhere, S.S., Jurdak, R.: Blockchain in Internet of Things: Challenges and Solutions. eprint arXiv:1608.05187 (2016)
10. Lin, Y.P., Petway, J.R., Anthony, J., Mukhtar, H., Liao, S.W., Chou, C.F., Ho, Y.F.: Blockchain: the evolutionary next step for ICT E-agriculture. Environments 4, 1–13 (2017)
11. Wang, Y., Varadharajan, V.: Interaction trust evaluation in decentralized environments. In: Bauknecht, K., Bichler, M., Pröll, B. (eds.) EC-Web 2004. LNCS, vol. 3182, pp. 144–153. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30077-9_15
12. Bahga, A., Madisetti, V.K.: Blockchain platform for industrial internet of things. J. Softw. Eng. Appl. 9, 533–546 (2016)
13. Yinbiao, S., et al.: Internet of Things: Wireless Sensor Network. International Electrotechnical Commission, Switzerland, Geneva (2014)
14. Chen, H.C.: TCABRP: a trust-based cooperation authentication bit-map routing protocol against insider security threats in wireless ad hoc networks. IEEE Syst. J. 11(02), 449–459 (2017)
15. Chen, H.C.: A negotiation-based cooperative RBAC scheme. Int. J. Web Grid Serv. 13(1), 94–111 (2017)
16. Chen, H.C.: A cooperative RBAC-based IoTs server with hierarchical trust evaluation mechanism. In: The 3rd EAI International Conference on IoT as a Service (IoTaaS 2017), Taiwan, Taichung City (2017)

The Study and Realization of Vulnerability-Oriented Fuzzing Technology for ActiveX Plug-Ins

Baojiang Cui (1,2) and Pin Mao (1,2)

1 School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China
cuibj@bupt.edu.cn, pinkomeo@gmail.com
2 National Engineering Laboratory for Mobile Network, Beijing, China

Abstract. With the development of internet technology, more and more browsers have introduced third-party plug-ins to
add additional features to attract users, which brings more potential risks to browsers. This paper presents a vulnerability-oriented security detection method for IE browser ActiveX plug-ins. By using technologies such as dynamic binary instrumentation and vulnerability-oriented reverse analysis, the framework can assign different risk factors to each function and parameter inside the ActiveX plug-ins. In this way, this paper builds an automated fuzz framework which can quickly generate fuzzing samples focusing on the fragile functions and fragile parameters. The experimental results show that our framework significantly improves the efficiency of ActiveX plug-in vulnerability detection.

Introduction

The browser is our window to access the Internet. With the continuous advancement of technology, browsers play a pivotal role in our daily life and work. As the number of users grows, a large number of hackers have begun to pay attention to browser vulnerabilities. The IE browser, as Windows’s own browser, has become the main target for most attackers, and therefore the security of ActiveX [1] plug-ins has been receiving great attention.

ActiveX technology is based on the Component Object Model (COM) [2] and is an independent and complete code unit. It provides external services through a set of well-defined interfaces. The external application can call functions to achieve code reuse and function extensions. While ActiveX technology has been widely used, it has become a large attack surface for IE browsers due to the support of IE browsers for plug-ins and scripting languages.

As vulnerabilities in ActiveX plug-ins have gradually become more serious, many fuzzing tools for ActiveX plug-ins, such as COMRaider [3], Dranzer [4] and Axman [5], have begun to appear at home and abroad. Although these tools can be targeted to test the code in the ActiveX plug-in, when there are too many functions in the ActiveX plug-in, the tool can only sort the function names in
alphabetical order and then test the functions in turn. In addition, when one function contains multiple parameters, these tools will perform many “blind” tests because they cannot determine the priority of different parameters, which will undoubtedly reduce the efficiency of the fuzzing framework.

For the reasons mentioned above, this paper proposes a vulnerability-oriented security detection method for IE browser ActiveX plug-ins which mainly focuses on solving two problems:

(1) In the process of fuzzing plug-ins, since many interface functions exist in the plug-in, how to find potentially vulnerable interfaces efficiently and prioritize them.
(2) In the process of fuzzing functions, since there are many parameters, how to assign different risk factors to each parameter and fuzz certain parameters specifically to improve the efficiency of the framework.

© Springer International Publishing AG, part of Springer Nature 2019
L. Barolli et al. (Eds.): IMIS 2018, AISC 773, pp. 922–931, 2019. https://doi.org/10.1007/978-3-319-93554-6_93

Architecture

By studying the related principles and techniques of fuzzing [7, 8], this paper proposes a more efficient fuzzing framework for ActiveX plug-ins. This framework first preprocesses the entire fuzzing object, then puts the priority information obtained during the preprocessing into the fuzzing loop. The flow chart of the overall fuzzing framework is shown in Fig.

Fig. The flow chart of the whole fuzzing framework

Through static analysis, this framework can identify fragile instructions and functions at the assembly instruction level and set different risk factors for each interface function inside the ActiveX plug-in. Then, through dynamic taint analysis, this framework can identify which parameter of the function directly reaches the path where the fragile instruction is located, and set different risk factors for each parameter. After
preprocessing, the framework will set different fuzzing priorities for each interface function and parameter according to the risk factors obtained in the previous step. Due to the priority-driven fuzzing algorithm, the framework can more effectively and quickly discover the security vulnerabilities of ActiveX plug-ins and therefore reduce security events and accidents caused by the vulnerabilities of ActiveX plug-ins. This paper will then detail the construction ideas, algorithm model and application technology of the framework.

Technical Details

This paper uses static analysis and dynamic taint analysis to construct a vulnerability-oriented ActiveX plug-in fuzzing framework. This framework is divided into two parts: the preprocessing and the fuzzing loop. In this section, we will introduce the specific technical details of each part according to the framework structure. Besides, we will explain some keywords proposed in the framework, such as vulnerability-oriented fuzzing and risk factors. At the same time, we will carry out a detailed description according to the implementation steps of the framework, and use some mathematical expressions to better illustrate the accuracy and effectiveness of the framework.

3.1 Vulnerability-Oriented Fuzzing

Generally speaking, there are two types of fuzzing: White-box fuzzing and Black-box fuzzing. White-box fuzzing means that researchers can get the entire source code of the test object, while Black-box fuzzing means researchers do not consider the internal structure and characteristics of the test object. This paper presents a vulnerability-oriented framework model, meaning that a framework should make different fuzzing strategies based on different vulnerability characteristics. In what follows, this paper uses the buffer overflow vulnerability as an example.

Buffer overflow vulnerability is the most common type of vulnerability in binary programs. Through a buffer overflow vulnerability, an attacker can arrange his well-written
instruction code on the stack to achieve his own attack. Through the exploration of the principle of the buffer overflow vulnerability, we found that the program developers used non-standard fragile functions during development. Therefore, when we analyze the buffer overflow vulnerability in ActiveX plug-ins, the first thing we need to pay attention to is a set of functions which are prone to cross boundaries such as:

In the actual reverse analysis, we found that in most of the plug-ins, because of the optimization options during development, IDA cannot identify this type of fragile function call without a symbol table. So the framework also needs to be able to analyze at the instruction level, focusing on the core instructions of the fragile function, such as String Instruction, etc.

This paper will take the buffer overflow vulnerability in ActiveX plug-ins as an example, so as a vulnerability-oriented fuzzing framework, it will focus more on functions or instructions that are vulnerable to buffer overflow.

3.2 Risk Factor

The risk factor is a quantified value. Every time a fragile function is called in an interface function, the framework will increase the risk factor of this interface function. The more fragile points (fragile functions or instructions) found during the preprocessing, the greater the risk factor of this interface function will be. Assume that there are $x$ functions in the ActiveX plug-in, and the risk factor for each function is $r_x$. Through the value of the risk factor, the framework will assign different fuzzing priorities to each interface function according to the algorithm. The higher priority interface functions will be tested by the framework first and given more fuzzing time.

3.3 Assign Risk Factors to Interface Functions in Preprocessing

The ActiveX plug-in is a set of independent code units which can provide external services through internal
interface functions. Inside an ActiveX plug-in, there are usually many different interface functions. When the total number of the interface functions is small, the fuzzing sequence of the interface functions hardly affects the efficiency of the fuzzing test. But when the total number of interface functions reaches a certain level, if these interface functions have no priority characteristics, blind fuzzing tests will bring not only unnecessary computational overhead but also unnecessary time overhead.

This paper mainly uses dynamic binary instrumentation technology and an IDA Python script to analyze the interface functions of the target plug-in. First, find all the interface functions’ entry points, and then give the IDA Python script the address range of the function. Then, recursively collect all the assembly instructions of the interface function, and record all fragile points as the basis for generating the risk factor of the interface function.

Without loss of generality, assume that the probabilities that a vulnerable function is distributed in $x$ positions constitute a vector $P = (P_1, P_2, \ldots, P_x)^T$, and the numbers of functions processed before each position constitute a vector $K = (K_1, K_2, \ldots, K_x)^T$. So the average number of functions processed by the framework to find the vulnerability is:

$$K^T P \qquad (1)$$

Because the framework in this paper maintains a priority sequence according to the risk factor of the interface functions, all probabilities in $P$ satisfy a descending order relationship, so the result of $K^T P$ is a reverse order sum.

However, the traditional fuzzing algorithm does not perform the test in descending order, which is equivalent to making an out-of-order processing of $K$. So the average number of functions processed by the traditional fuzzing strategy is $K'^T P$, which is an out-of-order sum and is always greater than or equal to the reverse order sum.

In order to implement the vulnerability-oriented strategy, this paper decided to prioritize
all the interface functions inside an ActiveX plug-in before fuzzing. The priority is determined by the risk factor introduced in the previous section. This paper defines $n$ different fragile points for the same vulnerability, and assigns different weights to each fragile point. This results in an $n$-column weight vector $W = (w_1, w_2, \ldots, w_n)^T$. For each function $F_x$ in the plug-in, a count vector $C_x = (c_1, c_2, \ldots, c_n)^T$ is set, where $c_n$ represents the number of the $n$th fragile point in function $F_x$. Let $Y = (C_1, C_2, \ldots, C_x)$; then the risk vector $R$ for all interface functions can be expressed as:

$$R = W^T Y = (r_1, r_2, \ldots, r_x)^T \qquad (2)$$

The framework arranges the priority information of all the interface functions according to the descending order of the risk factor of each function.

3.4 Dynamic Taint Analysis

This paper chooses to use Intel’s Pin binary platform [9] to analyze the entire ActiveX plug-in. The framework uses Dynamic Taint Analysis mainly to solve these problems: when there are a large number of parameters in an interface function, the framework can connect the input parameters and the fragile point in the function. When the input parameter and the fragile point are in one execution path, the framework will give this parameter a greater Risk Factor.

In the preprocessing, the framework collects all the information about the plug-in’s interface functions and function parameters, and then generates the initial test sample and a corresponding file for each parameter. Then the initial test sample will read the content of the file as an input to the interface function. In this way, the dynamic taint analysis module can mark the content of the file as taint by monitoring the file read system call.

There are three kinds of data flows related to the transmission of taint data: the first type is direct data flow, that is, the taint data itself and its copy move between memory and registers; the second type is taint data pointer spread; the third type is control flow, that is,
conditional jumps and calls affected by the taint data By recording the direct taint data, it can be judged whether the internal access address is taint data when the pointer differences the access, so the second type of data stream does not need to be tracked The tracking of the control flow will introduce wrong taint data, so it will not be tracked either Therefore, all the taint data flow in this paper is the direct taint data transmission During the taint analysis process, all taint data and its taint attribute labels need to be recorded and updated Taint data is divided into two parts, register taint and memory taint The Study and Realization of Vulnerability-Oriented Fuzzing Technology 927 Taint Register The framework maintains a collection of taint registers to indicate the status of registers In the instruction sequences with register participation, the framework tracks the spread of taint data by looking for registers’ states in the collection Taint Memory Because of the large memory space and the characteristics of data continuity, the framework maintains a structure that represents a collection of tainted memory areas, and performs addition, and elimination of taint memory according to the operations of search, add, and delete of collections 3.5 Assign Risk Factors to Parameters in Preprocessing After the priorities of the ActiveX plug-in interface functions are determined, the framework need to preprocess all the parameters of the interface function In the previous step, we obtained fragile instructions in the interface function through static analysis In order to get to the potentially vulnerable path faster, this paper uses the taint tracking technology of binary instrumentation to monitor the path of parameter spread and bind parameters to vulnerable locations With this binding relationship, we can set a priority for each parameter too In this way, in the final fuzzing, these parameters will be given different weight according to the priority to 
achieve better fuzzing results. The priority is also determined by the risk factor. The risk factor depends on whether the parameters have passed our custom fragile functions or instructions. Assume that the interface function $F_x$ in the plug-in has a set of parameters called $O_x = \{o_1, o_2, \ldots, o_y\}$, and the risk factor of the parameter is defined as $r_y$. If the function parameter passes the fragile point, $r_y$ will be set to a positive integer. So the framework will use the indicative variable $I$ to represent the risk factor of the parameter:

$$r_y = I_{o_y}, \quad \{o_y \in O_x\} \qquad (3)$$

By ranking the risk factors of each parameter in descending order, priority information of function parameters is obtained.

3.6 Sample Generation Algorithm in Fuzzing Loop

After getting all the priority information, this article uses the priority information to sort the interface functions and function parameters to implement the following test sample generation algorithm. In the process of sorting, the framework will maintain a priority queue $Q = (F_1, F_2, \ldots, F_x),\ \{r_1 \ge r_2 \ge \cdots \ge r_x\}$ for interface functions. Each interface function in the queue also corresponds to a parameter priority queue $Q'_x = (o_1, o_2, \ldots, o_y),\ \{r_1 \ge r_2 \ge \cdots \ge r_y\}$.

(1) For each fuzzing test, take the front interface function from the priority queue to generate the test sample.

(2) During the generation process, follow the priority queue of the parameter and set different test weight for different parameters.

928 B Cui and P Mao

(3) After the sample is generated, the framework mounts and debugs the entire running process. The debugger module and variant character set used by the framework are stripped from the Peach Fuzzer [10]. Once the crash information is found, the crash and test samples are immediately recorded. The time of how long this interface function has been fuzzed will also be recorded as $T_x$.

(4) The framework will send this time to the test sample generation algorithm as a feedback. The time threshold is proportional to the priority of the function. If the proportion is $S$, the time threshold of the interface function $F_x$ with priority $R_x$ will be:

$$T_{threshold} = S \times R_x \qquad (4)$$

$S$ is an observation that can be adjusted based on resources and experimental results, so the time $T_x$ of fuzzing the interface function $F_x$ should satisfy:

$$T_x \le T_{threshold} \qquad (5)$$

The algorithm will decide whether the interface function should be queued to the priority queue according to the priority of the interface function and the tested time, and assign the next interface function as the new fuzzing object.

Implementation and Evaluation

In order to verify the efficiency of the vulnerability-oriented fuzzing framework for ActiveX plug-ins and the efficiency of the fuzzing algorithm in which the risk factor determines different priorities of different testing objects, this research selected three main ActiveX plug-in fuzzing tools named COMRaider, Dranzer, and Axman. Experiments compare the tools in terms of function and operating efficiency. Here are the results of comparing the tools with VoFuzzer (Vulnerability-oriented Fuzzer, the framework in this paper):

(1) Fuzzing tools comparison

This study focuses on comparing several major features of the ActiveX Fuzz tool.
Its main features are:

(a) Fuzzing Order: Use what kind of order to fuzz all the functions in the plug-in.

(b) Output: Ability to support crash output and fuzz record output.

(c) User Interaction: Ability to close the window during the test automatically and whether a large amount of manual clicks are required during use.

(d) Mutation: Mutation strategy used during fuzzing (Table 1).

Table 1. Fuzzing tools comparison

| Tool name | Fuzzing order | Output | User interaction | Mutation |
|---|---|---|---|---|
| Axman | Order read from the interface | None | High | Random |
| Dranzer | Order read from the interface | Text | Medium | Fixed |
| COMRaider | Alphabetical order | Database | Medium | Fixed |
| VoFuzzer | Vulnerability-oriented priority order | Text | Low | Boundary value |

(2) Effectiveness comparison

In order to evaluate the effectiveness of the framework, this paper selected a common dynamic link library, SkinCrafter.dll, as a test object. The experiment focuses on the following two aspects: the time from the beginning of the fuzzing to the discovery of the vulnerability and the total number of samples already running (Table 2).

Table 2. Average crash time and total samples run for a published vulnerability

| Tool name | Average crash time (100 fuzzing tests) |
|---|---|
| Axman | 85.6 s |
| Dranzer | none |
| COMRaider | 799.4 s |
| VoFuzzer | 4.3 s |

Total samples: 9688, none, 167

From the test results, we can see that our framework found a crash in the plug-in with fewer test cases and a shorter time. After later verification, this crash is an exploitable N-day buffer overflow vulnerability that has been disclosed on Exploit-Database [11]. As for the experimental results, the reason why Dranzer didn't participate in the comparison is that, first of all, Dranzer doesn't support loop fuzzing, and all functions are only tested once. Second, Dranzer uses only a fixed string as mutated parameters. The published vulnerability in the evaluation section does not crash with only a very long string input. This also explains
the importance of the mutation strategy and the importance of the structure of the fuzzing framework on the other hand.

Related Work

The framework of this article was developed due to the limitations of other publicly available ActiveX fuzzing tools. The following is a brief description of other ActiveX tools.

COMRaider. COMRaider is a plug-in fuzzing tool written in the VB language. COMRaider can display a good list of the interface functions in the plug-in with a graphical interface, but in the actual fuzzing process, COMRaider just tests all the functions in alphabetical order, and requires a high level of user interaction. In addition, COMRaider does not recognize well the presence of multiple classes in one plug-in. When the ActiveX plug-in contains multiple classes, each class should use a different 'CLSID' [6] to distinguish it when called.

Dranzer. Dranzer is a plug-in fuzzing tool written in the C++ language. This tool can collect crashes caused by functions' parameters and crashes when the plug-in loads into Internet Explorer for the first time. However, this tool does not make much of a breakthrough in parameter mutation algorithms. Dranzer uses only a simple 10 k string of lowercase 'x' characters or a -1 integer for different parameter types when fuzzing ActiveX plug-ins.

Axman. Axman is a fuzzing tool developed in JS. Because Axman is a web-based testing tool, it also requires a high level of user interaction. For example, a debugger must be attached manually to Internet Explorer to retrieve the result of a crash, and when a crash occurs, the test process must be restarted manually too.

Conclusion

This paper presents a vulnerability-oriented fuzzing technology for ActiveX plug-ins, and completes an automated ActiveX plug-in security detection framework based on this vulnerability-oriented technology. Vulnerability-oriented fuzzing technology solves two efficiency problems when fuzzing ActiveX plug-ins, and gives different priorities to interface functions and function
parameters in plug-ins based on different risk factors. The experimental results show that the framework can detect security holes in some ActiveX plug-ins well and is more efficient and effective than the mainstream vulnerability detection tools. This paper will keep focusing on how to detect plug-ins' vulnerabilities in the future and try to explore the relationship between the crash and the integrity of the exception handling in the plug-in [13]. We will also use new ideas to explore the permission rules and access control policies that the plug-ins give to different users and roles [14, 15] to make our framework an intelligent and evolutionary [12] fuzzing tool for ActiveX plug-ins.

Acknowledgments. This work is supported by National Natural Science Foundation of China (No. U1536122, No. 61502536).

References

1. Wikipedia: ActiveX - Wikipedia, the Free Encyclopedia (2010-0815). http://en.wikipedia.org/wiki/ActiveX
2. Microsoft Corporation: Microsoft Component Object Model (COM); A Technical Overview of COM. http://www.cs.umd.edu/pugh/com
3. iDefense Labs: COMRaider: A tool designed to fuzz COM object Interfaces. http://labs.idefense.com/software/fuzzing.php
4. Dormann, W., Plakosh, D.: Vulnerability Detection in ActiveX Controls Through Automated Fuzz Testing (2008). http://www.cert.org/vuls/discovery/dranzer.html
5. Moore, H.: AxMan ActiveX Fuzzer (2006). http://digitaloffense.net/tools/axman
6. CLSID Key. http://msdn2.microsoft.com/en-us/library/aa908849.aspx
7. Rawat, S., Jain, V., Kumar, A., Cojocar, L., Giuffrida, C., Bos, H.: VUzzer: application-aware Evolutionary Fuzzing. In: NDSS (2017)
8. Li, Y., Chen, B., Chandramohan, M., Lin, S.W., Liu, Y., Tiu, A.: Steelix: program-state based binary fuzzing. In: Joint Meeting on Foundations of Software Engineering, pp. 627–637. ACM (2017)
9. Pin - A Dynamic Binary Instrumentation Tool. https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool
10. Peach Fuzzer.
http://www.peachfuzzer.com/
11. The Exploit Database – ultimate archive of Exploits, Shellcode, and Security Papers. https://www.exploit-db.com/
12. American fuzzy lop: A security-oriented fuzzer. http://lcamtuf.coredump.cx/afl/
13. Zhai, X., Hu, X., Jia, X., et al.: Verifying integrity of exception handling in service-oriented software. Int. J. Grid Util. Comput. 8(1), (2017)
14. Nakamura, S., Duolikun, D., Enokido, T., et al.: A read-write abortion protocol to prevent illegal information flow in role-based access control systems. J. Intell. Inf. Syst. 22(1), 89–109 (2004)
15. Xu, L., Liu, Z., Luo, J.: A fine-grained attribute-based authentication for sensitive data stored in cloud computing. Int. J. Grid Util. Comput. 7(4), 237 (2016)

An Open Source Software Defect Detection Technique Based on Homology Detection and Pre-identification Vulnerabilitys

Jun Yang(✉), Xuyan Song, Yu Xiong, and Yu Meng

Beijing University of Posts and Telecommunications, Beijing, China
{junyang,bearsmall}@bupt.edu.cn, song_xuyan@163.com, mengyu7183@sina.com

Abstract. Homology detection technology plays a very important role in the copyright protection of computer software. Homology detection technology mainly includes text based technology, token based technology and abstract syntax tree based technology. This paper introduces a method of defect detection based on homology detection technology for open source software. This detection method collects code fragments with vulnerabilities and compares them with the source code in open source software, through three levels of comparison, to find the vulnerability fragments introduced by plagiarized code. After that, the vulnerability fragment is compared with the trigger condition of the vulnerability, and the judgment result is obtained. Finally, the superiority of this technique is verified by experiments.

Introduction

Open source software (OSS) is software that runs under open source tags. Its source code should be available and can be modified. In an OSS, a
software suite must contain freely accessible source code that allows users to modify and redistribute. Some OSS may retain permission to republish, but in other cases it may be free. Distributors or developers may charge for services, including special training, installation, programming, and technical support. In general, the term open source software refers to software that is freely available, widely accessible and reusable [1]. With the development of the Internet, there are more and more resources that can be shared, and more and more resources are available to people. However, as the threshold for software development becomes lower and lower, a large number of junior developers often release code to the open source community without checking the security of the code, which is often a security concern [2]. The code in open source software becomes a resource for developers to plagiarize. For reasons of intellectual property rights, developers usually do not specify the part of the code they use, and make changes to the source code that do not affect the function of the code, such as changing the function name or variable name, disrupting the order of statements, type redefinition, etc. [3, 4]. If there are some security vulnerabilities in the source code of open source software, when developers use the code, the vulnerabilities spread to the new software along with the code. Hackers' sense of smell is extremely sensitive, and the response is extremely fast. When a vulnerability is discovered, there will be an attack on that day, there will be tools developed against the vulnerability on that day, and a large-scale attack will soon reach a peak, leaving the security community with a very short response time [5].

© Springer International Publishing AG, part of Springer Nature 2019. L. Barolli et al. (Eds.): IMIS 2018, AISC 773, pp. 932–940, 2019. https://doi.org/10.1007/978-3-319-93554-6_94

The innovation of this paper is to apply
the idea of plagiarism detection to the defect detection of source code. In the course of the experiment, we collected vulnerabilities with code fragments, and used homology detection technology to match them with the source code, to find vulnerabilities caused by plagiarized code.

Materials and Methods

In this section, we will show how to obtain pre-identified vulnerabilities, how to construct lexical parsers and syntax parsers through JavaCC, how to use the parsers to construct homology matching tools, and how to use the homology ratio tool for vulnerability detection.

2.1 Vulnerability Pre-identification

We use Common Vulnerabilities & Exposures (CVE) to obtain a sample of the vulnerability. CVE is like a dictionary table, giving a common name for widely accepted information security vulnerabilities or vulnerabilities that have been exposed. If a vulnerability specified in a vulnerability report has a CVE name, you can quickly find patch information in any other CVE compatible database to solve security problems [6]. Based on the patch information, we can find the source code of the vulnerability, and pre-identify the trigger condition of the code. After analyzing the data in CVE, we find that the trigger conditions of the vulnerability are divided into three categories. In the first case, a single fragment of vulnerability code can be triggered, such as CVE-2016-0705 and CVE-2016-1901. The second case is where there are multiple pieces of vulnerability code that can be triggered at the same time, such as CVE-2015-2692. The third scenario is where there are multiple pieces of vulnerability code, but one of them triggers a vulnerability, such as CVE-2016-2175. We finally found 62 qualifying vulnerabilities after 2015.

2.2 Application of JavaCC

Java Compiler Compiler (JavaCC) is the most popular parser generator for Java applications. A parser generator is a tool that reads the syntax specification and converts it into a Java program that recognizes syntax matching.
In addition to the parser generator itself, JavaCC provides other standard functions related to parser generation, such as tree building (via the JJTree tool that ships with JavaCC), operations, debugging, etc. [7, 8]. JavaCC provides three tools to complete the unload of programs. The complete JavaCC tool consists of three parts: javacc, JJTree, and JJDoc. Javacc is one of the main JJTree tools used to help generate abstract syntax trees and JJDoc tools to generate BNF paradigms for source programs [9] (Table 1).

Table 1. JavaCC tool composition

| Tool name | Tool function |
|---|---|
| JJTree | Process the jjt file, generate the JJ file, and generate the code for the tree node |
| javacc | Process JJ files generated by JJTree, generate syntax parser files |
| JJDoc | Generating BNF normal form files based on JJ files |

To complete the lexical analysis and syntax analysis of the input target language, we need to write a jjt file according to the structural characteristics of the target language. In this file, you define the name of the parser class, lexical rules, and jj files with lexical and syntax rules. Next, the JJ file is processed with javacc, generating seven Java source files, which contain the main parsing file [10]. This paper uses JavaCC to generate lexical parsers and syntax parsers for C/C++ and Java.

2.3 Create Homology Matching Tools

The homology detection tool used in this paper consists of three parts: text based homology detection, token based homology detection and abstract syntax tree based detection. Each of the three technologies has different priorities. At the same time, the accuracy of detection can be improved by using three detection techniques. The three techniques are described below.

Text Based Detection Technology. Text based homology alignment is a rapid detection technology, which can efficiently realize the source code homology alignment under massive data. Compared with the comparison technology based on file hash, which is used by some testing tools
at this stage, this technology is ahead in comparison accuracy. In this paper, the Simhash algorithm is used for text alignment. The approximate detection algorithm based on Simhash is widely used by Google for duplicate checking of web files, text detection and image detection. The algorithm can convert a document into an n-bit signature. We can regard this process as a dimensionality reduction operation on high-dimensional data, that is, the high-dimensional vector is transformed into a signature with fewer digits [11] (Fig. 1). The implementation process of the algorithm is as follows:

(a) The input text is processed with corresponding features. This is mainly to extract the keywords of the text, then calculate the weight of the feature words according to the word frequency measured by the feature, and finally get n two-tuples, which are recorded as feature_weight = (f_i, w_i), i = 1, 2, …, n.

(b) By calculating the hash value of the feature words, the n feature_weight pairs were transformed into (hash, weight), which was recorded as hash_weight = (hash(f_i), w_i), i = 1, 2, …, n.
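Steps (a) and (b) above, carried through the remaining standard Simhash steps (per-bit weighted sum, sign, Hamming comparison), as an added example that is not code from the paper and goes beyond the two steps shown here. The tokenizer, term-frequency weights, BLAKE2b hash, 64-bit width, 3-bit threshold, sample fragments and all function names are assumptions.

```python
import hashlib
import re
from collections import Counter

SIG_BITS = 64      # n of the "n-bit signature" (assumed value)
MAX_DISTANCE = 3   # near-duplicate threshold in bits (assumed value)

# Constructed C fragments: a collected vulnerable snippet and three candidates.
VULN_FRAGMENT = """
/* constructed sample */
int copy_name(char *dst, const char *src) {
    int n = strlen(src);
    strcpy(dst, src);
    return n;
}
"""
REORDERED_COPY = """
int copy_name(char *dst, const char *src) {   // statements swapped
    strcpy(dst, src);
    int n = strlen(src);
    return n;
}
"""
RENAMED_COPY = re.sub(r"\bdst\b", "out", VULN_FRAGMENT)
UNRELATED = 'void log_event(FILE *fp, int code) { fprintf(fp, "%d", code); }'


def features(source: str) -> Counter:
    """Step (a): feature words with weights (tokens and their frequency)."""
    code = re.sub(r"/\*.*?\*/|//[^\n]*", " ", source, flags=re.S)
    return Counter(re.findall(r"[A-Za-z_]\w*|\d+|[^\s\w]", code))


def feature_hash(feature: str) -> int:
    """Step (b): fixed-width hash of one feature word."""
    digest = hashlib.blake2b(feature.encode(), digest_size=SIG_BITS // 8)
    return int.from_bytes(digest.digest(), "big")


def simhash(source: str) -> int:
    """Add +w where a hash bit is 1 and -w where it is 0; keep the sign."""
    columns = [0] * SIG_BITS
    for feature, weight in features(source).items():
        h = feature_hash(feature)
        for bit in range(SIG_BITS):
            columns[bit] += weight if (h >> bit) & 1 else -weight
    return sum(1 << bit for bit, total in enumerate(columns) if total > 0)


def hamming(a: int, b: int) -> int:
    """Number of differing signature bits."""
    return bin(a ^ b).count("1")


def is_candidate(a: str, b: str, max_distance: int = MAX_DISTANCE) -> bool:
    """Text-level screen: pass the pair on to the finer comparison levels."""
    return hamming(simhash(a), simhash(b)) <= max_distance


if __name__ == "__main__":
    base = simhash(VULN_FRAGMENT)
    for name, text in [("reordered", REORDERED_COPY),
                       ("renamed", RENAMED_COPY),
                       ("unrelated", UNRELATED)]:
        print(f"{name:10s} distance = {hamming(base, simhash(text))}")
```

Because the signature depends only on which features occur and how often, swapping statements or editing comments leaves it unchanged, while renaming an identifier moves it by a few bits.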

Date posted: 05/03/2019, 09:03

Table of contents

  • Welcome Message of IMIS-2018 International Conference Organizers

    • IMIS-2018 International Conference Organizers

    • IMIS-2018 General Chair

    • IMIS-2018 Program Committee Co-chairs

    • Welcome Message from IMIS-2018 Workshops Co-chairs

      • Workshops Co-chairs of IMIS-2018 International Conference

      • IMIS-2018 Organizing Committee

      • Honorary Chair

      • General Chair

      • Program Committee Co-chairs

      • Workshops Co-chairs

      • Advisory Committee Members

      • Award Co-chairs

      • International Liaison Co-chairs

      • Publicity Co-chairs

      • Local Arrangement Co-chairs

      • Web Administrators

      • Track Areas and PC Members

      • 1. Multimedia and Web Computing

      • Track Co-chairs

      • PC Members

      • 2. Context and Location-Aware Computing
