Static Analysis for Extracting Permission Checks of a Large Scale Framework: The Challenges And Solutions for Analyzing Android

A common security architecture is based on the protection of certain resources by permission checks (used e.g., in Android and Blackberry). It has some limitations, for instance, when applications are granted more permissions than they actually need, which facilitates all kinds of malicious usage (e.g., through code injection). The analysis of permission-based framework requires a precise mapping between API methods of the framework and the permissions they require. In this paper, we show that naive static analysis fails miserably when applied with off-the-shelf components on the Android framework. We then present an advanced class-hierarchy and field-sensitive set of analyses to extract this mapping. Those static analyses are capable of analyzing the Android framework. They use novel domain specific optimizations dedicated to Android.Comment: IEEE Transactions on Software Engineering (2014). arXiv admin note: substantial text overlap with arXiv:1206.582

IT-enabled Process Innovation: A Literature Review

The importance of Information Technology (IT) is growing, and in a hypercompetitive market IT must be used as a strategic asset for companies to succeed. In order to gain strategic benefits from IT, companies need to be innovative when deploying IT. This can be achieved by reengineering business processes to take advantage of the possibilities IT provides. In 1993 Thomas H. Davenport presented a framework describing the role of IT in process innovation . Based on this framework, the purpose of this paper is to conduct a literature review to answer the following research question: What kind of opportunities does IT provide for process innovation? . Davenport\u27s framework is used as an analytical lens to review articles from the top 20 IS and management journals. The paper provides an overview and an in-depth analysis of the literature on IT-enabled process innovation and suggests avenues for future research as well as recommendations for practitioners. Our analyses reveal five distinct themes related to opportunities for IT-enabled process innovation, all of which offer guidance to practitioners and highlight gaps in our current knowledge about how to leverage IT for innovation purposes

Information Flow Control in Spring Web Applications

Companies rely extensively on frameworks and APIs when developing their systems, as these mechanisms are quite advantageous. Two of the most conspicuous benefits are their ease of use and workload reduction, allowing for shorter and more responsive development cycles. However, most frameworks do not provide security properties such as data confidentiality as other tools do. A prime example is a Spring. It is the most heavily used Java web development framework, hosting a vast array of functionalities, ranging from data layer functionalities (c.f. hibernate and JPA), security providers, and metrics providers to provide statistical data on the application itself as well as a layer for REST communication. However, to achieve such advanced functionalities, Spring resorts to bytecode manipulation and generation during its startup period, hindering the use of other formal analysis tools that use similar processes in their execution. In a broader sense, we provide a comprehensive approach for the static analysis of spring-based web applications. We introduce hooks in the Spring pipeline, making feasible the formal analysis and manipulation of the complete, run-time-generated appli- cation bytecode through a well-defined interface. The hooks provide not only access to the entire web application’s bytecode but also allow for the replacement of the applica- tion’s component, enabling more complex analysis requiring the instrumentation of the application. To address data confidentiality-related issues in web applications developed with this framework, we propose integrating information flow control tools in the framework’s pipeline. Namely, we combine Spring with Snitch, a tool for hybrid information flow control in Java bytecode that will be used as a case-study.As empresas apoiam-se cada vez mais em frameworks e APIs quando desenvolvem os seus sistemas, pois estas ferramentas fornecem grandes vantagens. Duas das maiores vantages destes sistemas são a sua fácil utilização/integração nos sistemas bem como a quantidade de trabalho que reduzem ao desenvolvedor, permitindo assim períodos de desenvolvimento mais curtos e responsivos. Ainda assim, a mrioria das frameworks não têm como lidar com propriedades de segurança fundamentais como confidencialidade dos dados. Um dos exemplos mais conhecidos é o Spring. É a framework mais usada em Java para desenvolvimento web, oferecendo um vasto leque de funcionalidades, variando entre uma camada que lida com dados (eg: hibernate e JPA), uma camada gestora de segurança nas aplicações, uma camada estatística que permite analisar a performance do sistema e também uma camada para comunicação REST. Para alcançar estas funcionalidades, que não são triviais, o Spring recorre a mecanismos de manipulação de bytecode e geração de código durante o seu período de inicialização, perturbando o uso de ferramentas de análise formais que recorrem a processos semelhantes na sua execução. Em geral, nós fornecemos uma nova forma de lidar com análise formal em aplicações web Spring. Aqui introduzimos hooks no processo de inicialização do Spring, tornando possível que a análise formal e a manipulação de todo o bytecode gerado da aplicação a partir duma interface cuidadosamente definida. Os hooks fornecidos fornecem acesso ao bytecode da aplicação na sua totalidade bem como permitem a substituição do componente da aplicação, permitindo assim a análise complexa e formal por parte da ferramenta que pode requerer instrumentação da aplicação. Para lidar com problemas relacionados com confidencialidade dos dados em aplicações web desenvolvidas com a framework, propomos a integração de ferramentas de controlo do fluxo de informação na prórpia framework. Assim, juntamos Spring e Snitch, uma ferramenta que analisa bytecode para verificar a segurança do fluxo de informação híbrida

Advanced semantics for accelerated graph processing

Large-scale graph applications are of great national, commercial, and societal importance, with direct use in fields such as counter-intelligence, proteomics, and data mining. Unfortunately, graph-based problems exhibit certain basic characteristics that make them a poor match for conventional computing systems in terms of structure, scale, and semantics. Graph processing kernels emphasize sparse data structures and computations with irregular memory access patterns that destroy the temporal and spatial locality upon which modern processors rely for performance. Furthermore, applications in this area utilize large data sets, and have been shown to be more data intensive than typical floating-point applications, two properties that lead to inefficient utilization of the hierarchical memory system. Current approaches to processing large graph data sets leverage traditional HPC systems and programming models, for shared memory and message-passing computation, and are thus limited in efficiency, scalability, and programmability. The research presented in this thesis investigates the potential of a new model of execution that is hypothesized as a promising alternative for graph-based applications to conventional practices. A new approach to graph processing is developed and presented in this thesis. The application of the experimental ParalleX execution model to graph processing balances continuation-migration style fine-grain concurrency with constraint-based synchronization through embedded futures. A collection of parallel graph application kernels provide experiment control drivers for analysis and evaluation of this innovative strategy. Finally, an experimental software library for scalable graph processing, the ParalleX Graph Library, is defined using the HPX runtime system, providing an implementation of the key concepts and a framework for development of ParalleX-based graph applications

Universal Mobile Service Execution Framework for Device-To-Device Collaborations

There are high demands of effective and high-performance of collaborations between mobile devices in the places where traditional Internet connections are unavailable, unreliable, or significantly overburdened, such as on a battlefield, disaster zones, isolated rural areas, or crowded public venues. To enable collaboration among the devices in opportunistic networks, code offloading and Remote Method Invocation are the two major mechanisms to ensure code portions of applications are successfully transmitted to and executed on the remote platforms. Although these domains are highly enjoyed in research for a decade, the limitations of multi-device connectivity, system error handling or cross platform compatibility prohibit these technologies from being broadly applied in the mobile industry. To address the above problems, we designed and developed UMSEF - an Universal Mobile Service Execution Framework, which is an innovative and radical approach for mobile computing in opportunistic networks. Our solution is built as a component-based mobile middleware architecture that is flexible and adaptive with multiple network topologies, tolerant for network errors and compatible for multiple platforms. We provided an effective algorithm to estimate the resource availability of a device for higher performance and energy consumption and a novel platform for mobile remote method invocation based on declarative annotations over multi-group device networks. The experiments in reality exposes our approach not only achieve the better performance and energy consumption, but can be extended to large-scaled ubiquitous or IoT systems

POLICY-BASED MIDDLEWARE FOR MOBILE CLOUD COMPUTING

Mobile devices are the dominant interface for interacting with online services as well as an efficient platform for cloud data consumption. Cloud computing allows the delivery of applications/functionalities as services over the internet and provides the software/hardware infrastructure to host these services in a scalable manner. In mobile cloud computing, the apps running on the mobile device use cloud hosted services to overcome resource constraints of the host device. This approach allows mobile devices to outsource the resource-consuming tasks. Furthermore, as the number of devices owned by a single user increases, there is the growing demand for cross-platform application deployment to ensure a consistent user experience. However, the mobile devices communicate through unstable wireless networks, to access the data and services hosted in the cloud. The major challenges that mobile clients face when accessing services hosted in the cloud, are network latency and synchronization of data. To address the above mentioned challenges, this research proposed an architecture which introduced a policy-based middleware that supports user to access cloud hosted digital assets and services via an application across multiple mobile devices in a seamless manner. The major contribution of this thesis is identifying different information, used to configure the behavior of the middleware towards reliable and consistent communication among mobile clients and the cloud hosted services. Finally, the advantages of the using policy-based middleware architecture are illustrated by experiments conducted on a proof-of-concept prototype

Distributed Ledger Technologies in Supply Chain Security Management: A Comprehensive Survey

Supply chains (SC) present performance bottlenecks that contribute to a high level of costs, infiltration of product quality, and impact productivity. Examples of such inhibitors include the bullwhip effect, new product lines, high inventory, and restrictive data flows. These bottlenecks can force manufacturers to source more raw materials and increase production significantly. Also, restrictive data flow in a complex global SC network generally slows down the movement of goods and services. The use of distributed ledger technologies (DLT) in SC management (SCM) demonstrates the potentials to reduce these bottlenecks through transparency, decentralization, and optimizations in data management. These technologies promise to enhance the trustworthiness of entities within the SC, ensure the accuracy of data-driven operations, and enable existing SCM processes to migrate from a linear to a fully circular economy. This article presents a comprehensive review of 111 articles published in the public domain in the use and efficacy of DLT in SC. It acts as a roadmap for current and future researchers who focus on SC security management to better understand the integration of digital technologies such as DLT. We clustered these articles using standard descriptors linked to trustworthiness, namely, immutability, transparency, traceability, and integrity

Distributed Ledger Technologies in Supply Chain Security Management: A Comprehensive Survey

This is an accepted manuscript of an article published by IEEE in IEEE Transactions on Engineering Management, available online at: https://ieeexplore.ieee.org/document/9366288 The accepted version of the publication may differ from the final published versionSupply-chains (SC) present performance bottlenecks that contribute to a high level of costs, infltration of product quality, and impact productivity. Examples of such inhibitors include the bullwhip effect, new product lines, high inventory, and restrictive data fows. These bottlenecks can force manufacturers to source more raw materials and increase production signifcantly. Also, restrictive data fow in a complex global SC network generally slows down the movement of goods and services. The use of Distributed LedgerTechnologies (DLT) in supply chain management (SCM) demonstrates the potentials to to reduce these bottlenecks through transparency, decentralization, and optimizations in data management. These technologies promise to enhance the trustworthiness of entities within the supply chain, ensure the accuracy of data-driven operations, and enable existing SCM processes to migrate from a linear to a fully circular economy. This paper presents a comprehensive review of 111 articles published in the public domain in the use and effcacyofDLTin SC.It acts asaroadmapfor current and futureresearchers whofocus onSC Security Management to better understand the integration of digital technologies such as DLT. We clustered these articles using standard descriptors linked to trustworthiness, namely, immutability, transparency, traceability, and integrity