
    Blocking Java Applets at the Firewall

    This paper explores the problem of protecting a site on the Internet against hostile external Java applets while allowing trusted internal applets to run. With careful implementation, a site can be made resistant to current Java security weaknesses as well as those yet to be discovered. In addition, we describe a new attack on certain sophisticated firewalls that is most effectively realized as a Java applet

    Minimal TCP/IP implementation with proxy support

    Over the last years, interest in connecting small devices such as sensors to an existing network infrastructure such as the global Internet has steadily increased. Such devices often have very limited CPU and memory resources and may not be able to run an instance of the TCP/IP protocol suite. In this thesis, techniques for reducing the resource usage of a TCP/IP implementation are presented. A generic mechanism for offloading the TCP/IP stack in a small device is described. The principle of the mechanism is to move much of the resource-demanding work from the client to an intermediate agent known as a proxy. In particular, this pertains to the buffering needed by TCP. The proxy does not require any modifications to TCP and may be used with any TCP/IP implementation. The proxy works at the transport level and keeps some of the end-to-end semantics of TCP. Apart from the proxy mechanism, a TCP/IP stack that is small enough in terms of dynamic memory usage and code footprint to be used in a minimal system has been developed. The TCP/IP stack does not require help from a proxy, but may be configured to take advantage of a supporting proxy

    A Scalable Cluster-based Infrastructure for Edge-computing Services

    In this paper we present a scalable and dynamic intermediary infrastructure, SEcS (acronym of "Scalable Edge computing Services"), for developing and deploying advanced Edge computing services, by using a cluster of heterogeneous machines. Our goal is to address the challenges of the next-generation Internet services: scalability, high availability, fault-tolerance and robustness, as well as programmability and quick prototyping. The system is written in Java and is based on IBM's Web Based Intermediaries (WBI) [71] developed at IBM Almaden Research Center

    Enabling DTN-based web access : the server side

    The network environment in which modern protocols must operate is no longer just a static and homogeneous Internet. As the demand for network services grows, the Internet spreads into ever more diverse environments, such as mobile ad-hoc networks. Networks operating in these environments do not necessarily satisfy certain conditions that are prerequisites for using current Internet protocols, so using these protocols can be difficult or even impossible. Delay-tolerant Networking (DTN) is one approach by which the problems caused by challenging network environments can be solved. The first objective of this master's thesis is to enable use of the WWW in DTN networks. In practice this means adapting the HTTP protocol to run on top of DTN's transport-layer protocol (the "bundle protocol"). In a DTN environment, connections can be intermittent and transmission delays long, which is why it is important to avoid unnecessary round-trip message traffic between the communicating nodes. Normally HTTP fetches the resources belonging to a web page one at a time. This causes unnecessary traffic, so HTTP is not directly suitable for a DTN environment. The thesis defines the concept of "resource bundling", with which HTTP can be adapted to be more DTN-compatible. The basic idea is to gather the resources of a web page into a single package, so that the number of round-trip protocol messages needed to retrieve the page is minimized. The second objective of the thesis is to implement a web server program that supports the "resource bundling" concept defined in the thesis. The server is based on two open source software components, which are responsible for the lower-level protocol operations and the basic functions of the HTTP server. By integrating these components and developing the higher-level logic for resource handling, the thesis implements a native DTN-based web server. 
The thesis also performs measurements that verify the server's suitability for its real operating environment and, in addition, shows that the designed system genuinely improves the usability of the WWW in challenging network conditions.

    The networking landscape in which modern protocols must operate is no longer just the static, homogeneous Internet. As the demand for ubiquitous connectivity grows, the Internet stretches out to increasingly diverse environments, such as mobile ad-hoc networks. In these environments, certain assumptions that current Internet protocols rely on may not hold, thus making these protocols inefficient or even useless. Delay-tolerant Networking (DTN) is one approach to solving the problems that arise in such settings. In this thesis, our first objective is to conceptualize the mechanisms needed to enable web access in a DTN environment. More specifically, the goal is to run the Hypertext Transfer Protocol (HTTP) on top of the DTN transport protocol (i.e., the bundle protocol). In a DTN environment, where connectivity may be intermittent and transmission delays long, it is important to avoid unnecessary round-trips between the communicating nodes. Consequently, HTTP is not directly applicable to DTN due to its conversational style of operation in which the resources of a web page are fetched one at a time. We adapt HTTP to the DTN environment by introducing the concept of resource bundling, which means that web resources are grouped together into larger aggregates in order to minimize the number of round-trips required to retrieve a web page. The second objective of the thesis is to implement the resource bundling concept in a web server application. The server builds on two major open source software components that handle the low-level bundle protocol operations and form the basis of the HTTP server logic. We integrate these pieces and extend them with the high-level resource bundling logic to produce a native DTN web server. 
We also perform measurements on the server, verifying its suitability for real-world deployment and showing that the resource bundling concept truly has a positive impact on the web browsing experience in challenged network environments

    Towards secure message systems

    Message systems, which transfer information from sender to recipient via communication networks, are indispensable to our modern society. The enormous user base of message systems and their critical role in information delivery make securing them a top priority. This dissertation focuses on securing the two most representative and dominant message systems, e-mail and instant messaging (IM), from two complementary aspects: defending against unwanted messages and ensuring reliable delivery of wanted messages.

    To curtail unwanted messages and protect e-mail and instant messaging users, this dissertation proposes two mechanisms, DBSpam and HoneyIM, which can effectively thwart e-mail spam laundering and foil malicious instant message spreading, respectively. DBSpam exploits the distinct characteristics of connection correlation and packet symmetry embedded in the behavior of spam laundering and utilizes a simple statistical method, the Sequential Probability Ratio Test, to detect and break spam laundering activities inside a customer network in a timely manner. The experimental results demonstrate that DBSpam is effective in quickly and accurately capturing and suppressing e-mail spam laundering activities and is capable of coping with high-speed network traffic. HoneyIM leverages the inherent spreading characteristic of IM malware and applies honeypot technology to the detection of malicious instant messages. More specifically, HoneyIM uses decoy accounts in normal users' contact lists as honeypots to capture malicious messages sent by IM malware and suppresses the spread of malicious instant messages by performing network-wide blocking. The efficacy of HoneyIM has been validated through both simulations and real experiments.

    To improve e-mail reliability, that is, to prevent losses of wanted e-mail, this dissertation proposes a collaboration-based autonomous e-mail reputation system called CARE. 
CARE introduces inter-domain collaboration without a central authority or third party and enables each e-mail service provider to independently build its reputation database, covering both frequently contacted and unacquainted sending domains, based on the local e-mail history and the information exchanged with other collaborating domains. The effectiveness of CARE in improving e-mail reliability has been validated through a number of experiments, including a comparison of two large e-mail log traces from two universities, a real experiment of DNS snooping on more than 36,000 domains, and extensive simulation experiments in a large-scale environment

    HDMM: deploying client and network-based distributed mobility management

    Mobile operators are now facing the challenges posed by a huge data demand from users, mainly due to the introduction of modern portable devices and the success of mobile applications. Moreover, users are now capable of connecting from different access networks and establishing several active sessions simultaneously while being mobile. This triggered the introduction of a new paradigm, distributed mobility management (DMM), which aims at flattening the network and distributing the entities in charge of managing users' mobility. In this article, we review existing DMM proposals and describe a hybrid solution which benefits from combining a network-based and a client-based approach. We analyze the signaling cost and the handover latency of our proposal, comparing them with their centralized alternatives. We also include validation and performance results from experiments conducted with a Linux-based prototype, which show that the achievable enhancements depend on the underlying network topology. We argue that the proposed hybrid DMM solution provides additional flexibility to mobile network operators, which can decide when and how to combine these two approaches.

    The research leading to these results has received funding from the European Community's Seventh Framework Programme (FP7-ICT-2009-5) under Grant agreement n. 258053 (MEDIEVAL project) and from the Spanish Government, MICINN, under research grant TIN2010-20136-C0

    Actors that Unify Threads and Events

    There is an impedance mismatch between message-passing concurrency and virtual machines, such as the JVM. VMs usually map their threads to heavyweight OS processes. Without a lightweight process abstraction, users are often forced to write parts of concurrent applications in an event-driven style which obscures control flow, and increases the burden on the programmer. In this paper we show how thread-based and event-based programming can be unified under a single actor abstraction. Using advanced abstraction mechanisms of the Scala programming language, we implemented our approach on unmodified JVMs. Our programming model integrates well with the threading model of the underlying VM