Access-rights Analysis in the Presence of Subjects
Modern software development and run-time environments, such as Java and the Microsoft .NET Common Language Runtime (CLR), have adopted a declarative form of access control. Permissions are granted to code providers, and during execution, the platform verifies compatibility between the permissions required by a security-sensitive operation and those granted to the executing code. While convenient, configuring the access-control policy of a program is not easy. If a code component is not granted sufficient permissions, authorization failures may occur. Thus, security administrators tend to define overly permissive policies, which violate the Principle of Least Privilege (PLP).
A considerable body of research has been devoted to building program-analysis tools for computing the optimal policy for a program. However, Java and the CLR also allow executing code under the authority of a subject (user or service), and no program-analysis solution has addressed the challenges of determining the policy of a program in the presence of subjects.
This paper introduces Subject Access Rights Analysis (SARA), a novel analysis algorithm for statically computing the permissions required by subjects at run time. We have applied SARA to 348 libraries in IBM WebSphere Application Server, a commercial enterprise application server written in Java that consists of more than 2 million lines of code and is required to support the Java permission- and subject-based security model. SARA detected 263 PLP violations, 219 cases of policies with missing permissions, and 29 bugs that led code to be unnecessarily executed under the authority of a subject. SARA corrected all these vulnerabilities automatically, and additionally synthesized fresh policies for all the libraries, with a false-positive rate of 5% and an average running time of 103 seconds per library. SARA also implements mechanisms for mitigating the risk of false negatives due to reflection and native code; according to a thorough result evaluation based on testing, no false negative was detected. SARA enabled IBM WebSphere Application Server to receive the Common Criteria for Information Technology Security Evaluation Assurance Level 4 (EAL4) certification.
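The two authorities the abstract contrasts, code and subject, can be seen side by side in a small Java program. The following is an added example, not code from the SARA paper or from IBM WebSphere: the policy file, the `AppPrincipal` class, the paths and the principal name are all hypothetical, and the policy grant syntax and `Subject`/`AccessController` calls are the standard JDK ones. It needs a Security Manager, which Java 17 to 23 still provide (Java 24 removed it), so run it with `-Djava.security.manager -Djava.security.policy==subject.policy`.

```java
// Added example (not from the SARA paper or IBM WebSphere): code authority vs.
// subject authority under Java's declarative access control. Paths, principal
// name and policy file are hypothetical. Java 17-23 only (Security Manager):
//   javac SubjectAccessDemo.java
//   java -Djava.security.manager -Djava.security.policy==subject.policy SubjectAccessDemo
//
// subject.policy (hypothetical), placed in the working directory:
//   // code-based grant: what the demo classes may do on their own authority
//   grant codeBase "file:${user.dir}/-" {
//       permission java.io.FilePermission "/var/app/data/-", "read";
//       permission javax.security.auth.AuthPermission "doAs";
//       permission javax.security.auth.AuthPermission "doAsPrivileged";
//   };
//   // subject-based grant: the same code, but only while it runs as this principal
//   grant codeBase "file:${user.dir}/-", principal AppPrincipal "admin" {
//       permission java.io.FilePermission "/var/app/config/-", "read";
//   };
import java.io.FilePermission;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Set;
import javax.security.auth.Subject;

/** Hypothetical principal type; the policy above grants permissions to it by name. */
final class AppPrincipal implements Principal {
    private final String name;
    AppPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof AppPrincipal && ((AppPrincipal) o).name.equals(name);
    }
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return "AppPrincipal[" + name + "]"; }
}

public class SubjectAccessDemo {
    /** A security-sensitive operation: the platform compares the required permission
     *  against what every protection domain on the stack (plus the current Subject's
     *  principals, if any) has been granted. checkPermission never touches the file. */
    static void readConfig(String path) {
        AccessController.checkPermission(new FilePermission(path, "read"));
        System.out.println("allowed: read " + path);
    }

    public static void main(String[] args) {
        String cfg = "/var/app/config/app.properties"; // hypothetical path

        // 1. Code authority only: the codeBase grant covers /var/app/data but not
        //    /var/app/config, so the check throws AccessControlException.
        try {
            readConfig(cfg);
        } catch (SecurityException e) {
            System.out.println("denied under code authority: " + e.getMessage());
        }

        // 2. Subject authority: the same code passes once it runs as a Subject whose
        //    principal the policy trusts. A null context means only the action's own
        //    frames are checked, not the caller's.
        Subject admin = new Subject(false, Set.of(new AppPrincipal("admin")), Set.of(), Set.of());
        Subject.doAsPrivileged(admin, (PrivilegedAction<Void>) () -> {
            readConfig(cfg);
            return null;
        }, null);

        // 3. The bug class SARA reports: code that needs no subject permission is
        //    wrapped in doAs anyway, so it runs with more authority than it requires.
        Subject.doAs(admin, (PrivilegedAction<Void>) () -> {
            System.out.println("pure computation, needlessly running as " + admin.getPrincipals());
            return null;
        });
    }
}
```

Step 1 is the "missing permission" failure the abstract mentions, step 2 is the subject-based grant that SARA has to account for, and step 3 is the third finding category: a `doAs` that an analysis should flag because nothing inside it consults the Subject. Note that the `principal` clause only takes effect through the `SubjectDomainCombiner` that `doAs`/`doAsPrivileged` install, which is why a plain call from `main` is denied even though the process "is" the admin.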
Identifying Vulnerable Third-Party Java Libraries from Textual Descriptions of Vulnerabilities and Libraries
To address security vulnerabilities arising from third-party libraries, security researchers maintain databases that monitor and curate vulnerability reports. Application developers can identify vulnerable libraries by querying these databases directly with the libraries they use. However, the query results are not reliable because vulnerability reports are incomplete. Current approaches therefore model the identification of vulnerable libraries as a named-entity-recognition (NER) task or an extreme multi-label learning (XML) task. These approaches produce highly inaccurate results for libraries with complex and similar names, such as Java libraries. To address these limitations, this paper proposes VulLibMiner, the first approach to identify vulnerable libraries from textual descriptions of both vulnerabilities and libraries, together with VulLib, a dataset of Java vulnerabilities and their affected libraries. VulLibMiner consists of a TF-IDF matcher that efficiently screens out a small set of candidate libraries and a BERT-FNN model that identifies the vulnerable libraries among these candidates. We evaluate VulLibMiner against four state-of-the-art/practice approaches for identifying vulnerable libraries on both their dataset, VeraJava, and our VulLib dataset. The evaluation results show that VulLibMiner identifies vulnerable libraries with an average F1 score of 0.657, while the state-of-the-art/practice approaches achieve only 0.521.
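The first stage of the pipeline described above, screening a library catalogue down to a handful of candidates with TF-IDF, is simple enough to show in full. The block below is an added example written for this page, not VulLibMiner's own code; the catalogue, the coordinates and the vulnerability text are constructed (none of it comes from VulLib or VeraJava), and the smoothed IDF and cosine ranking are my choices, since the abstract does not specify them.

```java
// Added example (not VulLibMiner's code): TF-IDF + cosine screening of a library
// catalogue against a vulnerability description. Catalogue and advisory text are
// constructed; library names are tokenised along with descriptions because the
// hard cases are libraries with similar names.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public final class TfIdfCandidateScreener {
    /** Constructed catalogue: Maven coordinates -> one-line description. */
    static final Map<String, String> CATALOGUE = new LinkedHashMap<>();
    static {
        CATALOGUE.put("org.example.text:text-utils", "string escaping, interpolation and variable substitution utilities");
        CATALOGUE.put("org.example.text:text-parser", "tokenizer and grammar based parser for text templates");
        CATALOGUE.put("org.example.net:http-client", "asynchronous http client with connection pooling");
        CATALOGUE.put("org.example.data:json-binding", "json serialization and data binding for beans");
        CATALOGUE.put("org.example.log:log-core", "logging core with pattern layouts and appenders");
    }

    static List<String> tokenize(String text) {
        List<String> out = new ArrayList<>();
        for (String t : text.toLowerCase().split("[^a-z0-9]+")) if (!t.isEmpty()) out.add(t);
        return out;
    }

    /** Term frequency of one document, normalised by its length. */
    static Map<String, Double> termFreq(List<String> tokens) {
        Map<String, Double> tf = new HashMap<>();
        for (String t : tokens) tf.merge(t, 1.0, Double::sum);
        tf.replaceAll((t, c) -> c / tokens.size());
        return tf;
    }

    /** Number of catalogue documents each term occurs in. */
    static Map<String, Integer> docFreq(List<List<String>> docs) {
        Map<String, Integer> df = new HashMap<>();
        for (List<String> d : docs) for (String t : new HashSet<>(d)) df.merge(t, 1, Integer::sum);
        return df;
    }

    /** TF-IDF vector with smoothed IDF log((1+n)/(1+df))+1, so query terms absent
     *  from the catalogue still get a finite weight instead of a division by zero. */
    static Map<String, Double> tfidf(List<String> tokens, Map<String, Integer> df, int n) {
        Map<String, Double> v = termFreq(tokens);
        v.replaceAll((t, tf) -> tf * (Math.log((1.0 + n) / (1.0 + df.getOrDefault(t, 0))) + 1.0));
        return v;
    }

    static double cosine(Map<String, Double> a, Map<String, Double> b) {
        double dot = 0, na = 0, nb = 0;
        for (Map.Entry<String, Double> e : a.entrySet()) {
            dot += e.getValue() * b.getOrDefault(e.getKey(), 0.0);
            na += e.getValue() * e.getValue();
        }
        for (double x : b.values()) nb += x * x;
        return (na == 0 || nb == 0) ? 0 : dot / (Math.sqrt(na) * Math.sqrt(nb));
    }

    /** Top-k candidate coordinates for a vulnerability description, best first.
     *  These are what the second-stage classifier would then decide between. */
    static List<Map.Entry<String, Double>> screen(String vulnDescription, int k) {
        List<String> names = new ArrayList<>(CATALOGUE.keySet());
        List<List<String>> docs = new ArrayList<>();
        for (String name : names) docs.add(tokenize(name + " " + CATALOGUE.get(name)));
        Map<String, Integer> df = docFreq(docs);
        Map<String, Double> query = tfidf(tokenize(vulnDescription), df, docs.size());

        List<Map.Entry<String, Double>> scored = new ArrayList<>();
        for (int i = 0; i < names.size(); i++)
            scored.add(Map.entry(names.get(i), cosine(query, tfidf(docs.get(i), df, docs.size()))));
        scored.sort((x, y) -> Double.compare(y.getValue(), x.getValue()));
        return new ArrayList<>(scored.subList(0, Math.min(k, scored.size())));
    }

    public static void main(String[] args) {
        // Constructed advisory text in the style of a vulnerability report.
        String vuln = "Remote code execution through unsafe variable interpolation in the "
                    + "string substitution utility when untrusted input reaches the lookup";
        for (Map.Entry<String, Double> e : screen(vuln, 3))
            System.out.printf("%-32s %.3f%n", e.getKey(), e.getValue());
    }
}
```

With this catalogue the advisory shares four content terms (interpolation, substitution, string, variable) with text-utils and none with the others, so text-utils should head the list; the sibling text-parser ranks near it only through the shared `org.example.text` prefix, which is exactly the near-name confusion the second stage exists to resolve. A production screener would add stemming (utility/utilities do not match here) and cap the candidate set size.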
Symmetric and Asymmetric Based Encryption Model for Mobile Commerce
Secure information exchange in a mobile commerce environment has become a difficult task because of the sensitive financial information involved and the rapid development of information technology in recent years. This poses a serious threat when conducting transactions in a mobile commerce environment. Symmetric and asymmetric cryptography have been employed to counter this threat. However, in symmetric cryptography, secret key distribution can create a performance bottleneck, while asymmetric ciphers consume significant computational resources. This paper proposes a combined symmetric and asymmetric encryption model intended to achieve robust security and faster processing, employing the Advanced Encryption Standard (AES) as the symmetric algorithm and Rivest-Shamir-Adleman (RSA) as the asymmetric algorithm. In this model, RSA is used to encrypt the AES secret key in order to secure the exchange of the key, while the rest of the sensitive data is encrypted using AES. The proposed model was implemented in the Java programming language. Performance was evaluated in terms of encryption/decryption time, and the results show that the proposed model takes slightly longer than the RSA algorithm alone, as a consequence of the AES key encryption introduced by the model. It is therefore recommended that the model be implemented in mobile commerce applications as an added layer of security, in order to strengthen them against numerous security threats through the robust security and faster processing speed the proposed model provides.
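The hybrid construction the abstract describes, RSA transporting a fresh AES key and AES carrying the payload, is shown below as an added example, not the paper's implementation. The abstract does not say which AES or RSA modes were used; this version deliberately picks AES-256-GCM and RSA-OAEP with SHA-256, because the usual way such a scheme fails in practice is an unauthenticated AES mode (ECB or CBC without a MAC) or PKCS#1 v1.5 key transport. The payload and the transaction identifier used as associated data are constructed.

```java
// Added example (not the paper's code): hybrid RSA + AES envelope encryption.
// RSA-OAEP wraps a per-message AES-256 data key; AES-GCM encrypts and
// authenticates the payload. Payload and AAD below are constructed.
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public final class HybridEnvelope {
    static final int GCM_IV_BYTES = 12;
    static final int GCM_TAG_BITS = 128;
    static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    // Make the MGF1 digest explicit: without this spec SunJCE keeps MGF1 on SHA-1
    // even for the SHA-256 transformation, which breaks interoperability.
    static final OAEPParameterSpec OAEP_SHA256 = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

    /** What goes on the wire: the RSA-wrapped data key, the GCM nonce, ciphertext||tag. */
    record Envelope(byte[] wrappedKey, byte[] iv, byte[] ciphertext) {}

    static Envelope seal(PublicKey recipient, byte[] plaintext, byte[] aad)
            throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey dek = kg.generateKey();             // fresh per message, never reused

        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);             // nonce must be unique per key
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, dek, new GCMParameterSpec(GCM_TAG_BITS, iv));
        aes.updateAAD(aad);                           // sent in clear, but bound to the tag
        byte[] ct = aes.doFinal(plaintext);

        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.WRAP_MODE, recipient, OAEP_SHA256);
        return new Envelope(rsa.wrap(dek), iv, ct);   // only the key travels under RSA
    }

    static byte[] open(PrivateKey recipient, Envelope env, byte[] aad)
            throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.UNWRAP_MODE, recipient, OAEP_SHA256);
        SecretKey dek = (SecretKey) rsa.unwrap(env.wrappedKey(), "AES", Cipher.SECRET_KEY);

        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, dek, new GCMParameterSpec(GCM_TAG_BITS, env.iv()));
        aes.updateAAD(aad);
        return aes.doFinal(env.ciphertext());         // AEADBadTagException if anything changed
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        KeyPair merchant = kpg.generateKeyPair();     // long-term recipient key pair

        byte[] order = "{\"pan\":\"4111111111111111\",\"amount\":\"12.50\"}"
                .getBytes(StandardCharsets.UTF_8);                    // constructed payload
        byte[] txnId = "txn-000123".getBytes(StandardCharsets.UTF_8); // constructed AAD

        Envelope env = seal(merchant.getPublic(), order, txnId);
        System.out.println("round trip ok: "
                + Arrays.equals(order, open(merchant.getPrivate(), env, txnId)));

        // Flip one ciphertext bit in transit: GCM rejects it instead of returning garbage.
        env.ciphertext()[0] ^= 0x01;
        try {
            open(merchant.getPrivate(), env, txnId);
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected");
        }
    }
}
```

The extra cost the abstract attributes to "the AES key encryption being introduced" is the single RSA wrap/unwrap per message; everything else runs at AES speed, which is the point of the construction. Binding the transaction identifier as associated data stops a valid envelope from being replayed against a different transaction, something the abstract's model would need to add if the payload does not already carry it.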
Privacy-Preserving Reengineering of Model-View-Controller Application Architectures Using Linked Data
When a legacy system's software architecture cannot be redesigned, implementing additional privacy requirements is often complex, unreliable and costly to maintain. This paper presents a privacy-by-design approach to reengineer web applications as linked data-enabled and to implement access control and privacy preservation properties. The method is based on knowledge of the application architecture, which for the Web of data is commonly designed on the basis of a model-view-controller pattern. Whereas the wrapping techniques commonly used to link the data of web applications duplicate the security source code, the new approach allows for the controlled disclosure of an application's data while preserving non-functional properties such as privacy preservation. The solution has been implemented and compared with existing linked data frameworks in terms of reliability, maintainability and complexity.
Towards Model-Driven Development of Access Control Policies for Web Applications
We introduce a UML-based notation for graphically modeling systems' security aspects in a simple and intuitive way, and a model-driven process that transforms graphical specifications of access control policies into XACML. These XACML policies are then translated into FACPL, a policy language with a formal semantics, and the resulting policies are evaluated by means of a Java-based software tool.