383 research outputs found
Jalapa: Securing Java with Local Policies Tool Demonstration
AbstractWe present Jalapa, a tool for securing Java bytecode programs with history-based usage policies. Policies are defined by usage automata, that recognize the forbidden execution histories. Usage automata are expressive enough to allow programmers specify of many real-world usage policies; yet, they are simple enough to permit formal reasoning. Programmers can sandbox untrusted pieces of code with usage policies. The Jalapa tool rewrites the Java bytecode by adding the hooks for the mechanism that enforces the given policies at run-time
12th International Workshop on Termination (WST 2012) : WST 2012, February 19–23, 2012, Obergurgl, Austria / ed. by Georg Moser
This volume contains the proceedings of the 12th International Workshop on Termination (WST 2012), to be held February 19–23, 2012 in Obergurgl, Austria. The goal of the Workshop on Termination is to be a venue for presentation and discussion of all topics in and around termination. In this way, the workshop tries to bridge the gaps between different communities interested and active in research in and around termination. The 12th International Workshop on Termination in Obergurgl continues the successful workshops held in St. Andrews (1993), La Bresse (1995), Ede (1997), Dagstuhl (1999), Utrecht (2001), Valencia (2003), Aachen (2004), Seattle (2006), Paris (2007), Leipzig (2009), and Edinburgh (2010). The 12th International Workshop on Termination did welcome contributions on all aspects of termination and complexity analysis. Contributions from the imperative, constraint, functional, and logic programming communities, and papers investigating applications of complexity or termination (for example in program transformation or theorem proving) were particularly welcome. We did receive 18 submissions which all were accepted. Each paper was assigned two reviewers. In addition to these 18 contributed talks, WST 2012, hosts three invited talks by Alexander Krauss, Martin Hofmann, and Fausto Spoto
AppGuard — fine-grained policy enforcement for untrusted android applications
Android’s success makes it a prominent target for malicious software. However, the user has very limited control over security-relevant operations. This work presents AppGuard, a powerful and flexible security system that overcomes these deficiencies. It enforces user-defined security policies on untrusted Android applications without requiring any changes to a smartphone’s firmware, root access, or the like. Finegrained and stateful security policies are expressed in a formal specification language, which also supports secrecy requirements. Our system offers complete mediation of security-relevant methods based on calleesite inline reference monitoring and supports widespread deployment. In the experimental analysis we demonstrate the removal of permissions for overly curious apps as well as how to defend against several recent real-world attacks on Android phones. Our technique exhibits very little space and runtime overhead. The utility of AppGuard has already been demonstrated by more than 1,000,000 downloads
Preventing Supply Chain Vulnerabilities in Java with a Fine-Grained Permission Manager
Integrating third-party packages accelerates modern software engineering, but
introduces the risk of software supply chain vulnerabilities. Vulnerabilities
in applications' dependencies are being exploited worldwide. Often, these
exploits leverage features that are present in a package, yet unneeded by an
application. Unfortunately, the current generation of permission managers, such
as SELinux, Docker containers, and the Java Security Manager, are too
coarse-grained to usefully support engineers and operators in mitigating these
vulnerabilities. Current approaches offer permissions only at the application's
granularity, lumping legitimate operations made by safe packages with
illegitimate operations made by exploited packages. This strategy does not
reflect modern engineering practice. we need a permission manager capable of
distinguishing between actions taken by different packages in an application's
supply chain.
In this paper, we describe Next-JSM, the first fine-grained ("supply chain
aware") permission manager for Java applications. Next-JSM supports permission
management at package-level granularity. Next-JSM faces three key challenges:
operating on existing JVMs and without access to application or package source
code, minimizing performance overhead in applications with many packages, and
helping operators manage finer-grained permissions. We show that these
challenges can be addressed through bytecode rewriting; appropriate data
structures and algorithms; and an expressive permission notation plus automated
tooling to establish default permission. In our evaluation, we report that
Next-JSM mitigates 11 of the 12 package vulnerabilities we evaluated and incurs
an average 2.72% overhead on the Dacapobench benchmark. Qualitatively, we argue
that Next-JSM addresses the shortcomings of the (recently deprecated) Java
Security Manager (JSM).Comment: 15 pages, 5 figures, 5 table
Shortening Time-to-Discovery with Dynamic Software Updates for Parallel High Performance Applications
Despite using multiple concurrent processors, a typical high performance parallel application is long-running, taking hours, even days to arrive at a solution. To modify a running high performance parallel application, the programmer has to stop the computation, change the code, redeploy, and enqueue the updated version to be scheduled to run, thus wasting not only the programmer’s time, but also expensive computing resources. To address these inefficiencies, this article describes how dynamic software updates can be used to modify a parallel application on the fly, thus saving the programmer’s time and using expensive computing resources more productively. The net effect of updating parallel applications dynamically reduces their time-to-discovery metrics, the total time it takes from posing a problem to arriving at a solution. To explore the benefits of dynamic updates for high performance applications, this article takes a two-pronged approach. First, we describe our experience in building and evaluating a system for dynamically updating applications running on a parallel cluster. We then review a large body of literature describing the existing state of the art in dynamic software updates and point out how this research can be applied to high performance applications. Our experimental results indicate that dynamic software updates have the potential to become a powerful tool in reducing the time-to-discovery metrics for high performance parallel applications
Size-Change Termination as a Contract
Termination is an important but undecidable program property, which has led
to a large body of work on static methods for conservatively predicting or
enforcing termination. One such method is the size-change termination approach
of Lee, Jones, and Ben-Amram, which operates in two phases: (1) abstract
programs into "size-change graphs," and (2) check these graphs for the
size-change property: the existence of paths that lead to infinite decreasing
sequences.
We transpose these two phases with an operational semantics that accounts for
the run-time enforcement of the size-change property, postponing (or entirely
avoiding) program abstraction. This choice has two key consequences: (1)
size-change termination can be checked at run-time and (2) termination can be
rephrased as a safety property analyzed using existing methods for systematic
abstraction.
We formulate run-time size-change checks as contracts in the style of Findler
and Felleisen. The result compliments existing contracts that enforce partial
correctness specifications to obtain contracts for total correctness. Our
approach combines the robustness of the size-change principle for termination
with the precise information available at run-time. It has tunable overhead and
can check for nontermination without the conservativeness necessary in static
checking. To obtain a sound and computable termination analysis, we apply
existing abstract interpretation techniques directly to the operational
semantics, avoiding the need for custom abstractions for termination. The
resulting analyzer is competitive with with existing, purpose-built analyzers
Recommended from our members
Towards an aspect weaving BPEL engine
This position paper proposes the use of dynamic aspects and
the visitor design pattern to obtain a highly configurable and
extensible BPEL engine. Using these two techniques, the
core of this infrastructural software can be customised to
meet new requirements and add features such as debugging,
execution monitoring, or changing to another Web Service
selection policy. Additionally, it can easily be extended to
cope with customer-specific BPEL extensions. We propose
the use of dynamic aspects not only on the engine itself
but also on the workflow in order to tackle the problems of
Web Service hot deployment and hot fixes to long running
processes. In this way, composing aWeb Service "on-the-fly"
means weaving its choreography interface into the workflow
Information Flow Control in Spring Web Applications
Companies rely extensively on frameworks and APIs when developing their systems,
as these mechanisms are quite advantageous. Two of the most conspicuous benefits
are their ease of use and workload reduction, allowing for shorter and more responsive
development cycles. However, most frameworks do not provide security properties such
as data confidentiality as other tools do. A prime example is a Spring. It is the most
heavily used Java web development framework, hosting a vast array of functionalities,
ranging from data layer functionalities (c.f. hibernate and JPA), security providers, and
metrics providers to provide statistical data on the application itself as well as a layer for
REST communication. However, to achieve such advanced functionalities, Spring resorts
to bytecode manipulation and generation during its startup period, hindering the use of
other formal analysis tools that use similar processes in their execution.
In a broader sense, we provide a comprehensive approach for the static analysis of
spring-based web applications. We introduce hooks in the Spring pipeline, making
feasible the formal analysis and manipulation of the complete, run-time-generated appli-
cation bytecode through a well-defined interface. The hooks provide not only access to
the entire web application’s bytecode but also allow for the replacement of the applica-
tion’s component, enabling more complex analysis requiring the instrumentation of the
application.
To address data confidentiality-related issues in web applications developed with this
framework, we propose integrating information flow control tools in the framework’s
pipeline. Namely, we combine Spring with Snitch, a tool for hybrid information flow
control in Java bytecode that will be used as a case-study.As empresas apoiam-se cada vez mais em frameworks e APIs quando desenvolvem
os seus sistemas, pois estas ferramentas fornecem grandes vantagens. Duas das maiores
vantages destes sistemas são a sua fácil utilização/integração nos sistemas bem como a
quantidade de trabalho que reduzem ao desenvolvedor, permitindo assim períodos de
desenvolvimento mais curtos e responsivos. Ainda assim, a mrioria das frameworks não
têm como lidar com propriedades de segurança fundamentais como confidencialidade dos
dados. Um dos exemplos mais conhecidos é o Spring. É a framework mais usada em Java
para desenvolvimento web, oferecendo um vasto leque de funcionalidades, variando entre
uma camada que lida com dados (eg: hibernate e JPA), uma camada gestora de segurança
nas aplicações, uma camada estatística que permite analisar a performance do sistema e
também uma camada para comunicação REST. Para alcançar estas funcionalidades, que
não são triviais, o Spring recorre a mecanismos de manipulação de bytecode e geração
de código durante o seu período de inicialização, perturbando o uso de ferramentas de
análise formais que recorrem a processos semelhantes na sua execução.
Em geral, nós fornecemos uma nova forma de lidar com análise formal em aplicações
web Spring. Aqui introduzimos hooks no processo de inicialização do Spring, tornando
possível que a análise formal e a manipulação de todo o bytecode gerado da aplicação a
partir duma interface cuidadosamente definida. Os hooks fornecidos fornecem acesso ao
bytecode da aplicação na sua totalidade bem como permitem a substituição do componente
da aplicação, permitindo assim a análise complexa e formal por parte da ferramenta que
pode requerer instrumentação da aplicação.
Para lidar com problemas relacionados com confidencialidade dos dados em aplicações
web desenvolvidas com a framework, propomos a integração de ferramentas de controlo
do fluxo de informação na prórpia framework. Assim, juntamos Spring e Snitch, uma
ferramenta que analisa bytecode para verificar a segurança do fluxo de informação híbrida
On the Security of Software Systems and Services
This work investigates new methods for facing the security issues and threats arising from the composition of software. This task has been carried out through the formal modelling of both the software composition scenarios and the security properties, i.e., policies, to be guaranteed.
Our research moves across three different modalities of software composition which are of main interest for some of the most sensitive aspects of the modern information society. They are mobile applications, trust-based composition and service orchestration.
Mobile applications are programs designed for being deployable on remote platforms. Basically, they are the main channel for the distribution and commercialisation of software for mobile devices, e.g., smart phones and tablets. Here we study the security threats that affect the application providers and the hosting platforms. In particular, we present a programming framework for the development of applications with a static and dynamic security support. Also, we implemented an enforcement mechanism for applying fine-grained security controls on the execution of possibly malicious applications.
In addition to security, trust represents a pragmatic and intuitive way for managing the interactions among systems. Currently, trust is one of the main factors that human beings keep into account when deciding whether to accept a transaction or not. In our work we investigate the possibility of defining a fully integrated environment for security policies and trust including a runtime monitor.
Finally, Service-Oriented Computing (SOC) is the leading technology for business applications distributed over a network. The security issues related to the service networks are many and multi-faceted. We mainly deal with the static verification of secure composition plans of web services. Moreover, we introduce the synthesis
of dynamic security checks for protecting the services against illegal invocations
- …