Titulo Estágio
Vulnerability and Attack Injection Tool in Python (VAITP)
Local do Estágio
DEI-CISUC
Enquadramento
The aim of this internship is to develop a Vulnerability and Attack Injection Tool in Python (VAITP). This tool can be used for various and different purposes: i) to test applications and systems implemented in python by using the attack injection tool (or machine learning algorithms implemented in python which is quite useful to test AI-based systems) ii) to test security tools (e.g., vulnerability detection tools) by using the vulnerability injection tool, and finally iii) to train and test security teams by making them search for the vulnerabilities injected, as these vulnerabilities are proven to be real, since they were verified by the Attack Injection component.
The main objective of this internship is to design and implement the following components:
1) A Vulnerability Injection component, which inserts known vulnerability types in the source code of an application. The vulnerabilities injected should be as similar as possible to real-world vulnerabilities.
2) An Attack Injection component, which attacks (as automatically as possible) the vulnerabilities injected by the Vulnerability Injection component. So, this Attack Injection component knows what vulnerabilities were injected and, using this knowledge, creates attacks that can exploit the vulnerabilities (one at a time).
Given the many possibilities that Python libraries provide, we consider that the development of both components may benefit from the use of Artificial Intelligence (e.g., when deciding the location where to inject the vulnerability, the selection of the attack payload to use, etc.). This project fits better for a group of two students, one for each component. However, since the Vulnerability Injection component can be used standalone as an independent tool, a single student may work on this component, and evolve to the complete VAITP tool in a follow-up project, like a PhD Thesis.
Objetivo
The main objective of this internship is to design and implement the following components:
1) A Vulnerability Injection component, which inserts known vulnerability types in the source code of an application. The vulnerabilities injected should be as similar as possible to real-world vulnerabilities.
2) An Attack Injection component, which attacks (as automatically as possible) the vulnerabilities injected by the Vulnerability Injection component. So, this Attack Injection component knows what vulnerabilities were injected and, using this knowledge, creates attacks that can exploit the vulnerabilities (one at a time).
Plano de Trabalhos - Semestre 1
Work Plan of 1º Semester
[Some tasks might overlap; M=Month]
T1 (M1): Knowledge transfer and state of the art review on python-specific vulnerabilities, and security attacks).
T2 (M2): Collect data regarding the reported vulnerabilities and attacks to python-based systems.
T3 (M3-M4): Analysis of the collected data and build fault and attack models.
T4 (M5): Writing the Intermediate report.
Plano de Trabalhos - Semestre 2
Work Plan of 2º Semester
[Some tasks might overlap; M=Month]
T5 (M6): Implementation of a vulnerability injection tool in python.
T6 (M7): Implementation (Improvement and extension of an existing prototype) of an attack injector in python.
T7 (M8-M10): Plan the experiments for testing the tools, collecting representative list of applications (ML algorithms implemented in python) or security tools, and perform the tests.
T8 (M11): Writing the thesis.
T9 Write a research paper and submission to a related international conference.
Condições
The student will be integrated in the Software and Systems Engineering (SSE) group of CISUC and the work will be carried out in the facilities of the Department of Informatics Engineering at the University of Coimbra (CISUC), where a work place and necessary computer resources will be provided. Please contact the advisors for any question or clarification needed.
Observações
Bolsa de licenciado por 6 meses no valor de 835.98 euros/mês, eventualmente renovável.
Advisors: José Fonseca (jozefonseca@gmail.com), Naghmeh Ivaki (naghmeh@dei.uc.pt)
Orientador
José Fonseca, Naghmeh Ivaki
jozefonseca@gmail.com 📩