15,166 research outputs found
Extensible Technology-Agnostic Runtime Verification
With numerous specialised technologies available to industry, it has become
increasingly frequent for computer systems to be composed of heterogeneous
components built over, and using, different technologies and languages. While
this enables developers to use the appropriate technologies for specific
contexts, it becomes more challenging to ensure the correctness of the overall
system. In this paper we propose a framework to enable extensible technology
agnostic runtime verification and we present an extension of polyLarva, a
runtime-verification tool able to handle the monitoring of
heterogeneous-component systems. The approach is then applied to a case study
of a component-based artefact using different technologies, namely C and Java.Comment: In Proceedings FESCA 2013, arXiv:1302.478
Formal Verification of Security Protocol Implementations: A Survey
Automated formal verification of security protocols has been mostly focused on analyzing high-level abstract models which, however, are significantly different from real protocol implementations written in programming languages. Recently, some researchers have started investigating techniques that bring automated formal proofs closer to real implementations. This paper surveys these attempts, focusing on approaches that target the application code that implements protocol logic, rather than the libraries that implement cryptography. According to these approaches, libraries are assumed to correctly implement some models. The aim is to derive formal proofs that, under this assumption, give assurance about the application code that implements the protocol logic. The two main approaches of model extraction and code generation are presented, along with the main techniques adopted for each approac
AndroShield:automated Android applications vulnerability detection, a hybrid static and dynamic analysis approach
The security of mobile applications has become a major research field which is associated with a lot of challenges. The high rate of developing mobile applications has resulted in less secure applications. This is due to what is called the “rush to release” as defined by Ponemon Institute. Security testing—which is considered one of the main phases of the development life cycle—is either not performed or given minimal time; hence, there is a need for security testing automation. One of the techniques used is Automated Vulnerability Detection. Vulnerability detection is one of the security tests that aims at pinpointing potential security leaks. Fixing those leaks results in protecting smart-phones and tablet mobile device users against attacks. This paper focuses on building a hybrid approach of static and dynamic analysis for detecting the vulnerabilities of Android applications. This approach is capsuled in a usable platform (web application) to make it easy to use for both public users and professional developers. Static analysis, on one hand, performs code analysis. It does not require running the application to detect vulnerabilities. Dynamic analysis, on the other hand, detects the vulnerabilities that are dependent on the run-time behaviour of the application and cannot be detected using static analysis. The model is evaluated against different applications with different security vulnerabilities. Compared with other detection platforms, our model detects information leaks as well as insecure network requests alongside other commonly detected flaws that harm users’ privacy. The code is available through a GitHub repository for public contribution
Wireless aquatic navigator for detection and analysis (WANDA)
The cost of monitoring and detecting pollutants in natural waters is of major concern. Current and forthcoming bodies of legislation will continue to drive demand for spatial and selective monitoring of our environment, as the focus increasingly moves towards effective enforcement of legislation through detection of events, and unambiguous identification of perpetrators. However, these monitoring demands are not being met due to the infrastructure and maintenance costs of conventional sensing models. Advanced autonomous platforms capable of performing complex analytical measurements at remote locations still require individual power, wireless communication, processor and electronic transducer units, along with regular maintenance visits. Hence the cost base for these systems is prohibitively high, and the spatial density and frequency of measurements are insufficient to meet requirements. In this paper we present a more cost effective approach for water quality monitoring using a low cost mobile sensing/communications platform together with very low cost stand-alone ‘satellite’ indicator stations that have an integrated colorimetric sensing material. The mobile platform is equipped with a wireless video camera that is used to interrogate each station to harvest information about the water quality. In simulation experiments, the first cycle of measurements is carried out to identify a ‘normal’ condition followed by a second cycle during which the platform successfully detected and communicated the presence of a chemical contaminant that had been localised at one of the satellite stations
Setting-up early computer programs: D. H. Lehmer's ENIAC computation
A complete reconstruction of Lehmer's ENIAC set-up for computing the exponents of p modulo two is given. This program served as an early test program for the ENIAC (1946). The reconstruction illustrates the difficulties of early programmers to find a way between a man operated and a machine operated computation. These difficulties concern both the content level (the algorithm) and the formal level (the logic of sequencing operations)
The Transitivity of Trust Problem in the Interaction of Android Applications
Mobile phones have developed into complex platforms with large numbers of
installed applications and a wide range of sensitive data. Application security
policies limit the permissions of each installed application. As applications
may interact, restricting single applications may create a false sense of
security for the end users while data may still leave the mobile phone through
other applications. Instead, the information flow needs to be policed for the
composite system of applications in a transparent and usable manner. In this
paper, we propose to employ static analysis based on the software architecture
and focused data flow analysis to scalably detect information flows between
components. Specifically, we aim to reveal transitivity of trust problems in
multi-component mobile platforms. We demonstrate the feasibility of our
approach with Android applications, although the generalization of the analysis
to similar composition-based architectures, such as Service-oriented
Architecture, can also be explored in the future
Heap Abstractions for Static Analysis
Heap data is potentially unbounded and seemingly arbitrary. As a consequence,
unlike stack and static memory, heap memory cannot be abstracted directly in
terms of a fixed set of source variable names appearing in the program being
analysed. This makes it an interesting topic of study and there is an abundance
of literature employing heap abstractions. Although most studies have addressed
similar concerns, their formulations and formalisms often seem dissimilar and
some times even unrelated. Thus, the insights gained in one description of heap
abstraction may not directly carry over to some other description. This survey
is a result of our quest for a unifying theme in the existing descriptions of
heap abstractions. In particular, our interest lies in the abstractions and not
in the algorithms that construct them.
In our search of a unified theme, we view a heap abstraction as consisting of
two features: a heap model to represent the heap memory and a summarization
technique for bounding the heap representation. We classify the models as
storeless, store based, and hybrid. We describe various summarization
techniques based on k-limiting, allocation sites, patterns, variables, other
generic instrumentation predicates, and higher-order logics. This approach
allows us to compare the insights of a large number of seemingly dissimilar
heap abstractions and also paves way for creating new abstractions by
mix-and-match of models and summarization techniques.Comment: 49 pages, 20 figure
- …