OMPC: an Open-Source MATLAB®-to-Python Compiler

Free access to scientific information facilitates scientific progress. Open-access scientific journals are a first step in this direction; a further step is to make auxiliary and supplementary materials that accompany scientific publications, such as methodological procedures and data-analysis tools, open and accessible to the scientific community. To this purpose it is instrumental to establish a software base, which will grow toward a comprehensive free and open-source language of technical and scientific computing. Endeavors in this direction are met with an important obstacle. MATLAB®, the predominant computation tool in many fields of research, is a closed-source commercial product. To facilitate the transition to an open computation platform, we propose Open-source MATLAB®-to-Python Compiler (OMPC), a platform that uses syntax adaptation and emulation to allow transparent import of existing MATLAB® functions into Python programs. The imported MATLAB® modules will run independently of MATLAB®, relying on Python's numerical and scientific libraries. Python offers a stable and mature open source platform that, in many respects, surpasses commonly used, expensive commercial closed source packages. The proposed software will therefore facilitate the transparent transition towards a free and general open-source lingua franca for scientific computation, while enabling access to the existing methods and algorithms of technical computing already available in MATLAB®. OMPC is available at http://ompc.juricap.com

A Dynamic Access Control Model Using Authorising Workfow and Task Role-based Access Control

Access control is fundamental and prerequisite to govern and safeguard information assets within an organisation. Organisations generally use Web enabled remote access coupled with applications access distributed across various networks. These networks face various challenges including increase operational burden and monitoring issues due to the dynamic and complex nature of security policies for access control. The increasingly dynamic nature of collaborations means that in one context a user should have access to sensitive information, whilst not being allowed access in other contexts. The current access control models are static and lack Dynamic Segregation of Duties (SoD), Task instance level of Segregation, and decision making in real time. This thesis addresses these limitations describes tools to support access management in borderless network environments with dynamic SoD capability and real time access control decision making and policy enforcement. This thesis makes three contributions: i) Defining an Authorising Workflow Task Role Based Access Control (AW-TRBAC) using existing task and workflow concepts. This new workflow integrates dynamic SoD, whilst considering task instance restriction to ensure overall access governance and accountability. It enhances existing access control models such as Role Based Access Control (RBAC) by dynamically granting users access rights and providing access governance. ii) Extension of the OASIS standard of XACML policy language to support dynamic access control requirements and enforce access control rules for real time decision making. This mitigates risks relating to access control, such as escalation of privilege in broken access control, and insucient logging and monitoring. iii) The AW-TRBAC model is implemented by extending the open source XACML (Balana) policy engine to demonstrate its applicability to a real industrial use case from a financial institution. The results show that AW-TRBAC is scalable, can process relatively large numbers of complex requests, and meets the requirements of real time access control decision making, governance and mitigating broken access control risk

Serviços multimédia multicast de próxima geração

Mestrado em Engenharia Electrónica e TelecomunicaçõesUma das mais recentes conquistas na evolução móvel foi o 3G, permitindo o acesso a serviços multimédia com qualidade de serviço assegurada. No entanto, a tecnologia UMTS, tal como definida na sua Release ’99, é apenas capaz de transmitir em modo unicast, sendo manifestamente ineficiente para comunicações multimédia almejando grupos de utilizadores. A tecnologia IMS surge na Release 5 do 3GPP que começou a responder já a algumas necessidades, permitindo comunicações sobre IP oferecendo serviços Internet a qualquer momento e em qualquer lugar sobre tecnologias de comunicação móveis fornecendo pela primeira vez sessões multimédia satisfatórias. A Release 6 por sua vez trouxe a tecnologia MBMS que permite transmissões em broadcast e multicast para redes móveis. O MBMS fornece os serviços de aplicações multimédia que todos estavam à espera, tanto para os utilizadores como para os prestadores de serviços. O operador pode agora fazer uso da tecnologia existente aumentando todo o tipo de benefícios no serviço prestado ao cliente. Com a possível integração destas duas tecnologias passa a ser possível desenvolver serviços assentes em redes convergentes em que os conteúdos são entregues usando tecnologias unicast, multicast ou broadcast. Neste contexto, o principal motivo deste trabalho consiste essencialmente em fazer uso dos recursos da rede terminando com o desperdício dos mesmos e aumentando a eficiência dos serviços através da integração das tecnologias IMS e MBMS. O trabalho realizado começa com o estudo do estado da arte das telecomunicações móveis com referência às tecnologias referidas, seguindo-se a apresentação da possível integração IMS-MBMS e terminando com o projecto de uma plataforma de demonstração que no futuro possa ser uma implementação de serviço multimédia multicast. O objectivo principal é mostrar os benefícios de um serviço que era normalmente executado em unicast relativamente ao modo multicast, fazendo uso da nova convergência de tecnologias IMS e MBMS. Na conclusão do trabalho são referidas as vantagens do uso de portadoras multicast e broadcast, tendo como perspectiva de que este trabalho possa ser um ponto de partida para um novo conjunto de serviços poupando recursos de rede e permitindo uma eficiência considerável em serviços inovadores.3G is bang up to date in the mobile phone industry. It allows access to multimedia services and gives a guarantee of quality of service. The UMTS technology, defined in 3GPP Release ’99, provides an unicast transmission, but it is completely inefficient when it comes to multimedia group communications. The IMS technology first appeared in Release 5 that has already started to consider the interests of the clients. It provides communications over IP, offering Internet services anytime, anywhere on mobile communication technologies. Also, it offers for the first time satisfactory multimedia sessions. On the other hand, Release 6 gave rise to the MBMS technology that provides broadcast and multicast transmissions for mobile networks. The MBMS provides multimedia applications services that everyone was waiting, including users and service providers. Now the operator makes use of existing technology in order to provide better costumer services. The possible integration of these two technologies will contribute to develop services based on converged networks in which contents are delivered through the unicast, multicast or broadcast technologies. Therefore, the objective of this work is basically to make use of network resources avoiding wastes and improving customer services through the integration of the IMS and the MBMS technologies. The executed work starts with the mobile telecommunications state of the art with reference to the referred technologies, followed by the IMS-MBMS convergence presentation and finishing with the proposal for implementation of a service platform that can be used for a multimedia multicast service. The main point is to show the benefits of a service that has been normally executed in unicast mode over the multicast mode, making use of the new IMS and MBMS technologies integration. To closure the work it is referred the advantages to use multicast and broadcast bearers, with the perspective that this work could be a starting point to a new set of services, saving network resources and allowing for innovate services a considerable efficency

Retrofitting privacy controls to stock Android

Android ist nicht nur das beliebteste Betriebssystem für mobile Endgeräte, sondern auch ein ein attraktives Ziel für Angreifer. Um diesen zu begegnen, nutzt Androids Sicherheitskonzept App-Isolation und Zugangskontrolle zu kritischen Systemressourcen. Nutzer haben dabei aber nur wenige Optionen, App-Berechtigungen gemäß ihrer Bedürfnisse einzuschränken, sondern die Entwickler entscheiden über zu gewährende Berechtigungen. Androids Sicherheitsmodell kann zudem nicht durch Dritte angepasst werden, so dass Nutzer zum Schutz ihrer Privatsphäre auf die Gerätehersteller angewiesen sind. Diese Dissertation präsentiert einen Ansatz, Android mit umfassenden Privatsphäreeinstellungen nachzurüsten. Dabei geht es konkret um Techniken, die ohne Modifikationen des Betriebssystems oder Zugriff auf Root-Rechte auf regulären Android-Geräten eingesetzt werden können. Der erste Teil dieser Arbeit etabliert Techniken zur Durchsetzung von Sicherheitsrichtlinien für Apps mithilfe von inlined reference monitors. Dieser Ansatz wird durch eine neue Technik für dynamic method hook injection in Androids Java VM erweitert. Schließlich wird ein System eingeführt, das prozessbasierte privilege separation nutzt, um eine virtualisierte App-Umgebung zu schaffen, um auch komplexe Sicherheitsrichtlinien durchzusetzen. Eine systematische Evaluation unseres Ansatzes konnte seine praktische Anwendbarkeit nachweisen und mehr als eine Million Downloads unserer Lösung zeigen den Bedarf an praxisgerechten Werkzeugen zum Schutz der Privatsphäre.Android is the most popular operating system for mobile devices, making it a prime target for attackers. To counter these, Android’s security concept uses app isolation and access control to critical system resources. However, Android gives users only limited options to restrict app permissions according to their privacy preferences but instead lets developers dictate the permissions users must grant. Moreover, Android’s security model is not designed to be customizable by third-party developers, forcing users to rely on device manufacturers to address their privacy concerns. This thesis presents a line of work that retrofits comprehensive privacy controls to the Android OS to put the user back in charge of their device. It focuses on developing techniques that can be deployed to stock Android devices without firmware modifications or root privileges. The first part of this dissertation establishes fundamental policy enforcement on thirdparty apps using inlined reference monitors to enhance Android’s permission system. This approach is then refined by introducing a novel technique for dynamic method hook injection on Android’s Java VM. Finally, we present a system that leverages process-based privilege separation to provide a virtualized application environment that supports the enforcement of complex security policies. A systematic evaluation of our approach demonstrates its practical applicability, and over one million downloads of our solution confirm user demand for privacy-enhancing tools

TreatJS: Higher-Order Contracts for JavaScript

TreatJS is a language embedded, higher-order contract system for JavaScript which enforces contracts by run-time monitoring. Beyond providing the standard abstractions for building higher-order contracts (base, function, and object contracts), TreatJS's novel contributions are its guarantee of non-interfering contract execution, its systematic approach to blame assignment, its support for contracts in the style of union and intersection types, and its notion of a parameterized contract scope, which is the building block for composable run-time generated contracts that generalize dependent function contracts. TreatJS is implemented as a library so that all aspects of a contract can be specified using the full JavaScript language. The library relies on JavaScript proxies to guarantee full interposition for contracts. It further exploits JavaScript's reflective features to run contracts in a sandbox environment, which guarantees that the execution of contract code does not modify the application state. No source code transformation or change in the JavaScript run-time system is required. The impact of contracts on execution speed is evaluated using the Google Octane benchmark.Comment: Technical Repor

Assured information sharing for ad-hoc collaboration

Collaborative information sharing tends to be highly dynamic and often ad hoc among organizations. The dynamic natures and sharing patterns in ad-hoc collaboration impose a need for a comprehensive and flexible approach to reflecting and coping with the unique access control requirements associated with the environment. This dissertation outlines a Role-based Access Management for Ad-hoc Resource Shar- ing framework (RAMARS) to enable secure and selective information sharing in the het- erogeneous ad-hoc collaborative environment. Our framework incorporates a role-based approach to addressing originator control, delegation and dissemination control. A special trust-aware feature is incorporated to deal with dynamic user and trust management, and a novel resource modeling scheme is proposed to support fine-grained selective sharing of composite data. As a policy-driven approach, we formally specify the necessary pol- icy components in our framework and develop access control policies using standardized eXtensible Access Control Markup Language (XACML). The feasibility of our approach is evaluated in two emerging collaborative information sharing infrastructures: peer-to- peer networking (P2P) and Grid computing. As a potential application domain, RAMARS framework is further extended and adopted in secure healthcare services, with a unified patient-centric access control scheme being proposed to enable selective and authorized sharing of Electronic Health Records (EHRs), accommodating various privacy protection requirements at different levels of granularity

Policy-based management of medical devices and applications

Die Arbeit präsentiert einen erweiterten Ansatz zum autonomen technischen Management, der das innovative Modell-basierte Management mit dem etablierten Policy-basierten Management kombiniert. Zur Planung des Systems wird ein umfassendes Modell des Management- und des zu verwaltenden Systems entworfen. Beide Systeme werden auf drei Abstraktionsschichten („Use Cases“, „Services“, „Components“) modelliert. Auf Basis der vorgestellten Ableitungsmuster (Evaluierungs-, Kontroll- und Verfeinerungsmuster) und der Zwischenschichtassoziationen wird der Prozess der Ableitung der Management-Policies automatisiert mit Hilfe eines Modellierungstools durchgeführt. Am Ende werden die zur Laufzeit vom Management ausführbaren Policies generiert. Der Ansatz wird im Rahmen des medizinischen Anwendungsfeldes erprobt. Es wird gezeigt, dass der Ansatz die Entwicklung und Verlässlichkeit sowie den Betrieb des medizinischen Geräte- und Anwendungsensembles unterstützt.This work presents an extended approach to the autonomous technical management, which combines the innovative model-based management with the established policy-based management technique. A comprehensive model of the managed and the management system is created. Both systems are modeled on three abstraction layers („Use Cases“, „Services“, „Components“). On the basis of the introduced policy derivation patterns (evaluation, control and refinement patterns) and intra-layer associations the policy derivation process is conducted automated by means of a modeling tool. Finally, runnable policies are generated which are enforced by the management at runtime. The approach is applied within the medical application field. It is demonstrated, that the presented technical management supports the development and dependable behavior of medical devices and applications