Securing energy metering software with automatic source code correction

Industry is using power meters to monitor energy consumption and achieve cost savings. This monitoring often involves energy metering software with a web interface. However, web applications often have vulnerabilities that can be exploited in cyber-attacks. We present an approach and a tool that address this problem by analyzing the application source code and automatically inserting fixes to remove the discovered vulnerabilities. We demonstrate the tool on two open source energy metering applications, in which it found and corrected 17 vulnerabilities. Looking in more detail at some of these vulnerabilities, we argue that they are very serious, with the following impacts: violating user privacy, countering the benefits of energy metering, and serving as entry points for attacks on other user software.
