Università degli studi di Modena e Reggio Emilia

Proper testing of hardware and software infrastructure and applications has become mandatory. To this purpose, security researchers and software companies have released a plethora of domain specific tools, libraries and frameworks that assist human operators (penetration testers, red teamers, bug hunters) in finding and exploiting specific vulnerabilities, and orchestrating the activities of a security assessment. Most tools also require minor reconfigurations in order to operate properly with isomorphic systems, characterized by the same exploitation path even in presence of different configurations. In this paper we present a human-assisted framework that tries to overcome the aforementioned limitations. Our proposal is based on a Prolog-based expert system with facts and deductive rules that allow to infer new facts from existing ones. Rules are bound to actions whose results are fed back into the knowledge base as further facts. In this way, a security assessment is treated like a theorem that has to be proven. We have built an initial prototype and evaluated it in different security assessments of increasing complexity (jeopardy and boot-to-root machines). Our preliminary results show that the proposed approach can address the following challenges; (a) reaching non-standard goals (which would be missed by most tools and frameworks); (b) solving isomorphic systems without the need for reconfiguration; (c) identifying vulnerabilities from chained weaknesses and exposures.

Ubiquitous and pervasive applications record a large amount of data about users, to provide context-aware and tailored services. Although this enables more personalized applications, it also poses several questions concerning the possible misuse of such data by a malicious entity, which may discover private and sensitive information about the users themselves. In this paper we propose an attack on ubiquitous applications pseudo-anonymized datasets which can be leaked or accessed by the attacker. We enrich the data with true information which the attacker can obtain from a multitude of sources, which will eventually spark a chain reaction on the records of the dataset, possibly re-identifying users. Our results indicate that through this attack, and with few hints added to the dataset, the possibility of re-identification are considerable, achieving more than 70% re-identified users on a public available dataset. We compare our proposal with the state of the art, showing the improved performance figures obtained thanks to the graph-modeling of the dataset records and the novel hint structure.