| dc.contributor.advisor | Ronald R. Rivest. | en_US |
| dc.contributor.author | Lin, Amerson H | en_US |
| dc.contributor.other | Massachusetts Institute of Technology. Dept. of Electrical Engineering and Computer Science. | en_US |
| dc.date.accessioned | 2006-07-13T15:13:15Z | |
| dc.date.available | 2006-07-13T15:13:15Z | |
| dc.date.copyright | 2005 | en_US |
| dc.date.issued | 2005 | en_US |
| dc.identifier.uri | http://hdl.handle.net/1721.1/33295 | |
| dc.description | Thesis (M. Eng. and S.B.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2005. | en_US |
| dc.description | Includes bibliographical references (p. 123-124). | en_US |
| dc.description.abstract | Attacks on security systems within the past decade have revealed that security Application Programming Interfaces (APIs) expose a large and real attack surface but remain to be a relatively unexplored problem. In 2000, Bond et al. discovered API- chaining and type-confusion attacks on hardware security modules used in large banking systems. While these first attacks were found through human inspection of the API specifications, we take the approach of modeling these APIs formally and using an automated-reasoning tool to discover attacks. In particular, we discuss the techniques we used to model the Trusted Platform Module (TPM) v1.2 API and how we used OTTER, a theorem-prover, and ALLOY, a model-finder, to find both API- chaining attacks and to manage API complexity. Using ALLOY, we also developed techniques to capture attacks that weaken, but not fully compromise, a system's security. Finally, we demonstrate a number of real and "near-miss" vulnerabilities that were discovered against the TPM. | en_US |
| dc.description.statementofresponsibility | by Amerson H. Lin. | en_US |
| dc.format.extent | 124 p. | en_US |
| dc.format.extent | 5465732 bytes | |
| dc.format.extent | 5471913 bytes | |
| dc.format.mimetype | application/pdf | |
| dc.format.mimetype | application/pdf | |
| dc.language.iso | eng | en_US |
| dc.publisher | Massachusetts Institute of Technology | en_US |
| dc.rights | M.I.T. theses are protected by copyright. They may be viewed from this source for any purpose, but reproduction or distribution in any format is prohibited without written permission. See provided URL for inquiries about permission. | en_US |
| dc.rights.uri | http://dspace.mit.edu/handle/1721.1/7582 | |
| dc.subject | Electrical Engineering and Computer Science. | en_US |
| dc.title | Automated analysis of security APIs | en_US |
| dc.title.alternative | Automated analysis of security Application Programming Interfaces | en_US |
| dc.type | Thesis | en_US |
| dc.description.degree | M.Eng.and S.B. | en_US |
| dc.contributor.department | Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science | |
| dc.identifier.oclc | 62278941 | en_US |
