4 research outputs found

    Finding Differences in Privilege Protection and their Origin in Role-Based Access Control Implementations

    Web applications are very common and have security needs. One of these is access control. Access control ensures that the security policy is respected. This policy defines legitimate access to the application's data and operations. Web applications regularly use Role-Based Access Control (RBAC). RBAC security policies allow developers to define roles and assign users to those roles. Furthermore, access privileges are assigned at the level of roles. Web applications evolve during their maintenance, and changes to the source code may affect their security in unexpected ways. To prevent these changes from introducing regressions and vulnerabilities, developers must revalidate their application's RBAC implementation. These revalidations can require considerable resources. Moreover, the task is complicated by the possible distance between a change and its impact on security (e.g. in different procedures or files). To tackle this problem, we propose static program analyses of definite privilege protection. We automatically generate privilege protection models. To do so, we apply Pattern Traversal Flow Analysis (PTFA) to the application's source code. By comparing the PTFA models of different versions, we determine the impacts of code changes on privilege protection. We call these security impacts Definite Protection Differences (DPDs). In addition to finding the DPDs between two versions, we establish a classification of the differences based on set theory.

    ABSTRACT: Web applications are commonplace, and have security needs. One of these is access control. Access control enforces a security policy that allows and restricts access to information and operations. Web applications often use Role-Based Access Control (RBAC) to restrict operations and protect security-sensitive information and resources. RBAC allows developers to assign users to various roles, and assign privileges to the roles. Web applications undergo maintenance and evolution. Their security may be affected by source code changes between releases. Because these changes may impact security in unexpected ways, developers need to revalidate their RBAC implementation to prevent regressions and vulnerabilities. This may be resource-intensive. The task is complicated by the fact that the code change and its security impact may be distant (e.g. in different functions or files). To address this issue, we propose static program analyses of definite privilege protection. We automatically generate privilege protection models from the source code using Pattern Traversal Flow Analysis (PTFA). Using differences between versions and their PTFA models, we determine privilege-level security impacts of code changes as definite protection differences (DPDs) and apply a set-theoretic classification to them. We also compute explanatory counter-examples for DPDs in PTFA models, and shorten them using graph transformations to make them easier to understand. We define protection-impacting changes (PICs): code changed during evolution that impacts privilege protection. We identify them using graph reachability and differencing of two versions' PTFA models. We also identify a superset of source code changes that contains the root causes of DPDs by reverting these changes.
    We survey the distribution of DPDs and their classification over 147 release pairs of WordPress, spanning from 2.0 to 4.5.1. We found that code changes caused no DPDs in 82 (56%) release pairs. The remaining 65 (44%) release pairs are security-affected. For these release pairs, only 0.30% of code is affected by DPDs on average. We also found that the most common change categories are complete gains (≈ 41%), complete losses (≈ 18%) and substitution (≈ 20%).

    Sexy Technical Communication

    Sexy technical writing… we've got to be kidding, right? But no, we aren't. Good technical writing is powerful and clear and gets the job done. It brings people together and solves problems. Good technical writing purrs and hums like that BMW you plan to be driving someday. What's not sexy about that? On the other hand, poor technical writing skills may lead to a lifetime of asking people if they want fries with that… or worse, selling vacuum cleaners door to door. There's no need to ask what's not sexy about that! WE – your textbook authors – are a team of dedicated writers, tech writing teachers, designers, artists and professionals who are absolutely passionate about technical writing. That's why we decided to create a text for you that we all loved, a text that would be free and always available to you. Now, that's sexy. We hope you love what we have done as much as we have loved doing it… and notice… we haven't even asked for a donation!

    Sustainable agriculture and rural development in terms of the republic of Serbia strategic goals realization within the Danube region. Rural development and (un)limited resources

    The International Scientific Conference „SUSTAINABLE AGRICULTURE AND RURAL DEVELOPMENT IN TERMS OF THE REPUBLIC OF SERBIA STRATEGIC GOALS REALIZATION WITHIN THE DANUBE REGION - rural development and (un)limited resources", held on 5-6 June 2014 in Belgrade, the Republic of Serbia, mainly provides, through the papers presented, an overview of the results of scientific research on the integrated and interdisciplinary project No. III 46006 „SUSTAINABLE AGRICULTURE AND RURAL DEVELOPMENT IN TERMS OF THE REPUBLIC OF SERBIA STRATEGIC GOALS REALIZATION WITHIN THE DANUBE REGION". Besides authors from Serbia, the Thematic Proceedings also present papers by authors from Bosnia and Herzegovina, Macedonia, Albania, Romania, Russia, Belarus, Poland, Austria and the USA. The papers are organized in 3 thematic sections: I RURAL ECONOMY IN THE FUNCTION OF INTEGRAL LOCAL DEVELOPMENT (30 papers); II ALLOCATION AND VALORIZATION OF RESOURCE POTENTIALS OF RURAL AREAS (26 papers); III THE REFORM OF THE EU COMMON AGRICULTURAL POLICY – A NEW DEVELOPMENT FRAMEWORK FOR THE PERIOD 2014-2020 (7 papers).