[AsiaCCS2019] A Pilot Study on Consumer IoT Device Vulnerability Disclosure and Patch Release in Japan and the United States
Asuka Nakajima
https://dl.acm.org/doi/10.1145/3321705.3329849
1.
Copyright©2019 NTT corp. All Rights Reserved.
A Pilot Study on Consumer IoT Device Vulnerability Disclosure and Patch Release in Japan and the United States
Asuka Nakajima (1), Takuya Watanabe (1), Eitaro Shioji (1), Mitsuaki Akiyama (1), Maverick Woo (2)
(1) NTT R&D, Tokyo, Japan; (2) Carnegie Mellon University, Pittsburgh, United States
AsiaCCS 2019
2.
Background [1/2]
Our Society Continues to Increase Its Reliance on Computers
Vulnerabilities and Their Lifecycle Management are Gradually Becoming a Matter of Public Safety
Vulnerability Disclosure & Patch Release
3.
Background [2/2]
Vulnerability Disclosures & Patch Release
Diagram actors: Finder (BugHunter), Coordinator (e.g. CERT/CC), Vendor, Deployer (User), Attacker, Publicly Accessible Resources (e.g. Blog)
Diagram labels: Vulnerability, Provides Patch
Previous Research: Patch Release Behaviors, Characteristics of Patches
No prior work that focused on Consumer IoT Devices
4.
Background [2/2]
Vulnerability Disclosures & Patch Release
Diagram actors: Finder (BugHunter), Coordinator (e.g. CERT/CC), Vendor, Deployer (User), Attacker, Publicly Accessible Resources (e.g. Blog)
Diagram labels: Vulnerability, Provides Patch
Previous Research: Patch Release Behaviors, Characteristics of Patches
No prior work that focused on Consumer IoT Devices
Purchase Decisions of IoT Devices are Heavily Localized!
Trends and findings of the study might differ in different markets
Selected: Japan & United States
✔ Market Size
✔ Have two oldest national CSIRTs
✔ NTT (JP) and CMU (US)
5.
Data Collection Method
6.
Data Collection Method [1/3]
STEP 1 (of 3): Identify Target Vulnerabilities
Identify Relevant Vulnerabilities Related to Included Vendors
Diagram labels: Vendor List, NVD, CVE-IDs

Vendor List

| Country | Vendor |
|---|---|
| Japan | Buffalo, IO-DATA, NEC (Aterm*1) |
| United States | Netgear, Linksys, D-Link |

*1: “Aterm” is a brand name for the router products released from NEC.
7.
Data Collection Method [2/3]
STEP 2 (of 3): Collect Vulnerability Information
For the CVE-IDs from STEP 1, collect vulnerability info (1)~(5):
1) Affected Products
2) Affected Versions
3) Patched Versions
4) Public Disclosure Date
5) Exploit Release Date

| Source Name | Details |
|---|---|
| NVD | NVD Data Feed (+External References) |
| EDB | Exploit-DB, Metasploit |
| JVN | Japan Vulnerability Notes, iPedia |
| Vendor's website | Official website of each vendor (Security Advisories) |

Diagram labels: NVD, EDB, JVN, Vendor's Website, External Reference, Internet Archive
8.
Data Collection Method [3/3]
STEP 3 (of 3): Collect Patch Release Information
(6) Patch Release Date: Extract the date from release note
Diagram labels: Vuln Info, Vendor's Website, Released Software, Release note, Internet Archive
9.
Dataset
Dataset Summary: Collected 150 CVE-IDs spanning 2006 – 2017, involving 450 products, 551 patches, and 68 published exploits*2
• Started from 298 CVEs and dropped 15 non-IoT CVEs (298 -> 283)
• Dropped a total of 133 CVEs for which we could not find the patch release date (-> 150)
• Classified collected patches based on CVSSv2 (Low/Medium/High)

| Country | Vendor | # CVE-IDs: Total | CVSS:Low | CVSS:Med | CVSS:High | # Products | # Patches | # Exploit |
|---|---|---|---|---|---|---|---|---|
| JP | Buffalo | 20 | 1 | 15 | 4 | 71 | 105 | 0 |
| JP | IO-DATA | 24 | 3 | 11 | 10 | 57 | 88 | 0 |
| JP | NEC (Aterm) | 3 | 0 | 3 | 0 | 26 | 35 | 0 |
| JP | Total | 47 | 4 | 29 | 14 | 154 | 228 | 0 |
| US | Netgear | 25 | 1 | 12 | 12 | 107 | 106 | 21 |
| US | Linksys | 17 | 2 | 3 | 12 | 31 | 40 | 12 |
| US | D-Link | 61 | 6 | 27 | 28 | 158 | 177 | 35 |
| US | Total | 103 | 9 | 42 | 52 | 296 | 323 | 68 |
| Total | | 150 | 13 | 71 | 66 | 450 | 551 | 68 |

Device types (chart): Router 70%, Network Camera 16%, NAS 9%
*2 All the data in our dataset was collected before Jan/2019
10.
Characterization of Patch Releases
1) Patch Availability Delay
2) Minimum Exploit Windows
3) Incremental Patch Release
4) Patch Release Timeliness Over Time
5) Overall Patch Release Timing
6) Fix Prioritization
11.
Characterization of Patch Releases [1/6]
Patch Availability Delay【 tp – td 】
td: Public Disclosure Date; tp: Patch Release Date; te: Exploit Release Date
Based on the median patch availability delay, we can classify the vendors into three categories:
1) Tends to Release Patches Before the Disclosure Date
2) Tends to Release Patches Around the Disclosure Date
3) Tends to Release Patches After the Disclosure Date
12.
Characterization of Patch Releases [1/6]
Patch Availability Delay【 tp – td 】
td: Public Disclosure Date; tp: Patch Release Date; te: Exploit Release Date
Based on the median patch availability delay, we can classify the vendors into three categories:
1) Tends to Release Patches Before the Disclosure Date
2) Tends to Release Patches Around the Disclosure Date
3) Tends to Release Patches After the Disclosure Date
Figure: Box-plots of Patch Availability Delay for Each Included Vendor (Netgear, Buffalo, NEC (Aterm), IO-DATA, D-Link, Linksys)
Summary: Before / Around / After; values shown: (±5 days), (+23 days), (around -100 days)
13.
Characterization of Patch Releases [2/6]
Minimum Exploit Windows【 tp – te 】
Measures the time between patch availability and the release of the first exploit known to us
Exploit sources: Exploit-DB, Metasploit
14.
Characterization of Patch Releases [2/6]
Minimum Exploit Windows【 tp – te 】
Measures the time between patch availability and the release of the first exploit known to us
Exploit sources: Exploit-DB, Metasploit

| Vendor | First Patch Release Date | Exploit Release Date | tp – te |
|---|---|---|---|
| D-Link | 2015/Mar/02 | 2015/Feb/26 | 4 days |
| Netgear | 2017/Jan/16 | 2016/Dec/26 | 21 days |
| Netgear | 2017/Jan/16 | 2016/Dec/28 | 21 days |
| Netgear | 2017/Jan/16 | 2016/Dec/28 | 21 days |
| Netgear | 2016/Dec/22 | 2016/Dec/07 | 15 days |
| Netgear | 2016/Dec/26 | 2013/Aug/22 | 1222 days |
| Netgear | 2009/Mar/03 | 2008/Nov/13 | 110 days |

CVE-IDs (as listed on the slide): CVE-2015-1187, CVE-2016-10176, CVE-2016-10175, CVE-2016-6277, CVE-2016-10174, CVE-2008-6122, CVE-2013-4775

Summary
• 7 exploits were released before their corresponding patches were released
• All exploits are in the US dataset (Database Bias?)
15.
Characterization of Patch Releases [3/6]
Incremental Patch Release
Releasing a series of patches to the same vulnerability but for different devices over time
Example: CVE-2016-10175 (Vendor: Netgear, Product: Wireless Router)
Patch Release Timeline:
• WNR2000v5: 2017/Jan/12
• WNR2000v3: 2017/Jan/16
• WNR2000v4: 2017/Jan/17
• R6020/R6080: 2018/May/18
491 Days
16.
Characterization of Patch Releases [3/6]
Incremental Patch Release
Releasing a series of patches to the same vulnerability but for different devices over time
Example: CVE-2016-10175 (Vendor: Netgear, Product: Wireless Router)
Patch Release Timeline:
• WNR2000v5: 2017/Jan/12
• WNR2000v3: 2017/Jan/16
• WNR2000v4: 2017/Jan/17
• R6020/R6080: 2018/May/18
491 Days
Summary
• In our dataset, 62.4% of the patches were released incrementally; these are associated with 40 CVE IDs
• All 6 vendors practiced incremental patch release
17.
Characterization of Patch Releases [4/6]
Patch Release Timeliness Over Time
Measured the timeliness of patch release, broken down by CVSS severity (Low/Medium/High), over 2006~2017
Categorized the patch release timing:
• 1. Before Disclosure
• 2. Concurrent with Disclosure
• 3. After Disclosure
18.
Characterization of Patch Releases [4/6]
Patch Release Timeliness Over Time
Measured the timeliness of patch release, broken down by CVSS severity (Low/Medium/High), over 2006~2017
Categorized the patch release timing:
• 1. Before Disclosure
• 2. Concurrent with Disclosure
• 3. After Disclosure
Figure: Timeliness of patch release (Partitioned by vulnerability severity)
Summary
• Patches that were released after the public disclosure (black colored part) account for a large portion across all CVSS severities.
• Unfortunately, no sign of reduction over time
19.
Characterization of Patch Releases [5/6]
Overall Patch Release Timing
Count the number of included patches based on their timeliness:
• 1. Before Disclosure
• 2. Concurrent with Disclosure
• 3. After Disclosure
20.
Characterization of Patch Releases [5/6]
Overall Patch Release Timing
Count the number of included patches based on their timeliness:
• 1. Before Disclosure
• 2. Concurrent with Disclosure
• 3. After Disclosure
Figure: Number of Patches Released Before / Concurrent with / After Disclosure (values shown: 320, 41, 190)
Summary
• Over 1/2 of the included patches (total 551) were released pre-disclosure
• About 1/3 were released post-disclosure
• We see a stark contrast when we break down the dataset by market (details will be shown in the JP vs. US analysis section)
21.
Characterization of Patch Releases [6/6]
Fix Prioritization
Q. Do high severity vulnerabilities get patched more quickly?
Plot a cumulative distribution function (CDF) graph of patch availability delay (tp – td) for each CVSSv2 severity category (Low/Medium/High) to visualize the fix speed
22.
Characterization of Patch Releases [6/6]
Fix Prioritization
Q. Do high severity vulnerabilities get patched more quickly?
Plot a cumulative distribution function (CDF) graph of patch availability delay (tp – td) for each CVSSv2 severity category (Low/Medium/High) to visualize the fix speed
Figure: CDF of the patch availability delay [tp – td]
Summary
A. No
• The CDF of the high severity vulnerabilities remains around 0.9 well into 1 year post-disclosure
• In contrast, low/medium severity vulnerabilities are all fixed
23.
Japan vs. the United States
24.
Japan vs. the United States [1/2]
Significant Difference Shown in Patch Release Timing Behavior
Most of the patches in the JP dataset were released either concurrently with or before public disclosures
Figure: Number of Patches Released Before / Concurrent with / After Disclosure (values shown on the chart: 184 6 + 190)
Japanese Vendors/Finders tend to perform Coordinated Disclosure… ?
25.
Japan vs. the United States [2/2]
Disclosure Process Classification
Classified the disclosure process of each vulnerability:
• 1. Coordinated Disclosure
• 2. Full Disclosure
• 3. Unknown
[Source] JVN, NVD (+External References), Security Advisories, Blog Posts/ML
26.
Japan vs. the United States [2/2]
Disclosure Process Classification
• Classified the disclosure process of each vulnerability
1. Coordinated Disclosure
2. Full Disclosure
3. Unknown
[Source] JVN, NVD (+External References), Security Advisories, Blog Posts/ML
Summary
[Chart: % of Each Disclosure Process [JP vs. US]]
Over 97% (97.9%) of the vulnerabilities in the JP dataset were disclosed via Coordinated Disclosure
Over 37% (37.5%) of the included vulnerabilities in the US dataset were disclosed via Full Disclosure
The finder of 30 of the 53 CVE entries in the JP dataset was a local security company named “Mitsui Bussan Secure Directions, Inc.”
-25-
27.
Significant 1-Day Risk Uncovered
1) Incremental Patch Release (Shown in page 17-18)
2) Unsynchronized Patch Release
3) Implicit End-of-Support (EoS)
-26-
28.
Significant 1-Day Risk Uncovered [1/2]
Unsynchronized Patch Release
Regional subsidiaries of some vendors would often release a patch against the same vulnerability on different dates. We dub this risk “Geographical Arbitrage”
Example: CVE-2017-7852 (Vendor: D-Link, Product: Network Camera)
Patch Release Timeline: DCS-932L RevA 2015/Nov/18; DCS-932L RevA 2016/Jul/19 (244 Days)
-27-
29.
Significant 1-Day Risk Uncovered [1/2]
Unsynchronized Patch Release
Regional subsidiaries of some vendors would often release a patch against the same vulnerability on different dates. We dub this risk “Geographical Arbitrage”
Example: CVE-2017-7852 (Vendor: D-Link, Product: Network Camera)
Patch Release Timeline: DCS-932L RevA 2015/Nov/18; DCS-932L RevA 2016/Jul/19 (244 Days)
Extended our Dataset: Japan(JP), Germany(DE), Australia(AU), China(CN)
Summary
Vendor    Region        # Patches   Average (Days)   Median (Days)   Max (Days)
Buffalo   [not shown]   12          -58              0.5             1
D-Link    [not shown]   103         23.7             2               366
          [not shown]   62          2.5              -1              218
Netgear   [not shown]   51          31               8               346
D-Link US is behind DE in 58.3%
Patch releases by these subsidiaries are indeed often unsynchronized
-28-
30.
Significant 1-Day Risk Uncovered [2/2]
Implicit End-of-Support (EoS)
Many regional subsidiaries appeared to have stopped releasing patches for products that were still being supported in at least one other region but posted no EoS announcement
Example: CVE-2016-1556, WN604 (Vendor: Netgear, Product: Wireless Router)
Patch Release Timeline [US]: Ver. 3.0.2 (2012/Apr), Ver. 3.3.1 (2015/May), Ver. 3.3.2 (2015/Jul), Ver. 3.3.3 (2016/Mar); timeline label: Security Update
Patch Release Timeline [CN]: Ver. 3.0.2 (2012/Dec). No firmware has been released after ver 3.0.2. & No End-of-Support Announcement
-29-
31.
Significant 1-Day Risk Uncovered [2/2]
Implicit End-of-Support (EoS)
Many regional subsidiaries appeared to have stopped releasing patches for products that were still being supported in at least one other region but posted no EoS announcement
Example: CVE-2016-1556, WN604 (Vendor: Netgear, Product: Wireless Router)
Patch Release Timeline [US]: Ver. 3.0.2 (2012/Apr), Ver. 3.3.1 (2015/May), Ver. 3.3.2 (2015/Jul), Ver. 3.3.3 (2016/Mar); timeline label: Security Update
Patch Release Timeline [CN]: Ver. 3.0.2 (2012/Dec). No firmware has been released after ver 3.0.2. & No End-of-Support Announcement
Summary
Implicit End-of-Support was found in Buffalo US/D-Link AU/Netgear CN
We found a total of 15 patches that show Implicit EoS!
-30-
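An added example (not from the slides) of how the two regional risks above can be checked from per-region firmware timelines: the lag between subsidiaries ("geographical arbitrage") and implicit EoS. Versions, months and the two DCS-932L dates are taken from the slides; the day of month for WN604, the region labels `region_a`/`region_b`, and the `grace_days` threshold are assumptions.

```python
from datetime import date

# WN604 firmware releases per region. Versions and months are from the slide;
# the day of month (1st) is an assumption.
WN604 = {
    "US": [("3.0.2", date(2012, 4, 1)), ("3.3.1", date(2015, 5, 1)),
           ("3.3.2", date(2015, 7, 1)), ("3.3.3", date(2016, 3, 1))],
    "CN": [("3.0.2", date(2012, 12, 1))],
}
# The two DCS-932L RevA fix dates are from the slide; the region labels are
# placeholders because the transcript does not say which subsidiary is which.
DCS932L_FIX = {"region_a": date(2015, 11, 18), "region_b": date(2016, 7, 19)}


def regional_lag(fix_dates):
    """Days each region trails the first region that shipped the fix."""
    first = min(fix_dates.values())
    return {region: (d - first).days for region, d in fix_dates.items()}


def implicit_eos(timelines, eos_announced=frozenset(), grace_days=180):
    """Regions whose newest firmware trails the newest release in any region
    by more than grace_days (hypothetical threshold) while no End-of-Support
    announcement is on record for that region."""
    newest = {region: max(releases, key=lambda rel: rel[1])
              for region, releases in timelines.items()}
    global_latest = max(released for _, released in newest.values())
    flagged = {}
    for region, (version, released) in newest.items():
        gap = (global_latest - released).days
        if gap > grace_days and region not in eos_announced:
            flagged[region] = {"last_version": version, "days_behind": gap}
    return flagged
```

Run periodically against vendor download pages, the same check tells a defender which regional firmware branch a deployed device should not be trusted to receive fixes from.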
32.
Suggestions / Conclusion
Suggestions
To Researcher
• Consider leveraging natural language processing techniques when parsing the release notes
To Vendor
• Consider coordinating among subsidiaries to synchronize their patch release & publish EoS
• Release notes should be in a machine readable format (JSON/XML) and distributed via RSS with security advisories
To Policy Maker
• Consider requiring vendors to publicly disclose the dates of all discovered vulnerabilities
-31-
33.
Suggestions / Conclusion
Suggestions
To Researcher
• Consider leveraging natural language processing techniques when parsing the release notes
To Vendor
• Consider coordinating among subsidiaries to synchronize their patch release & publish EoS
• Release notes should be in a machine readable format (JSON/XML) and distributed via RSS with security advisories
To Policy Maker
• Consider requiring vendors to publicly disclose the dates of all discovered vulnerabilities
Conclusion
We conducted a pilot study on consumer IoT device vulnerability disclosure and patch release in Japan and the United States
Investigated 150 CVE entries and characterized the vendors' behavior
[JP vs. US] Significant difference shown in patch release timing behavior
Our investigation has uncovered 3 significant risks of 1-day exploits
Acknowledgement
We thank Allen Householder for insightful discussion and his suggestion of the term “geographical arbitrage”
-32-
34.
Q&A? -33-