
    Just-in-Time Detection of Protection-Impacting Changes on Wordpress and Mediawiki

    Abstract (translated from French): Access control mechanisms based on granted roles and predefined privileges limit user access to security-sensitive resources in a multi-user software system. Unintended changes to protected privileges can occur as a system evolves, which can lead to security vulnerabilities and subsequently threaten users' confidential data and cause other serious problems. In this thesis, we used the Pattern Traversal Flow Analysis technique to identify the protection differences introduced in the WordPress and MediaWiki systems. We analysed the evolution of protected privileges in 211 and 193 versions of WordPress and MediaWiki respectively, and found that about 60% of commits affect protected privileges in both studied projects. We refer to commits causing a protection change as PIC commits. To help developers identify PIC commits in real time, i.e. as soon as they are submitted to the code repository, we extract a series of metrics from commit logs and source code and then build statistical models. Evaluating these models revealed that they could reach a precision of up to 73.8% and a recall of 98.8% in WordPress, and for MediaWiki a precision of 77.2% and a recall of up to 97.8%. Among the metrics examined, changed lines of code, bug fixing, author experience and code complexity between two versions are the most important predictors in these models. We carried out a qualitative analysis of false positives and false negatives and observed that the PIC commit detector must ignore documentation-only commits and code changes not accompanied by comments. Software development companies can use our approach and the models proposed in this thesis to identify unintended changes to protected privileges as soon as they appear, in order to prevent the introduction of vulnerabilities into their systems.

    Abstract: Access control mechanisms based on roles and privileges restrict the access of users to security-sensitive resources in a multi-user software system. Unintentional privilege protection changes may occur during the evolution of a system, which may introduce security vulnerabilities, threatening users' confidential data and causing other severe problems. In this thesis, we use the Pattern Traversal Flow Analysis technique to identify definite protection differences in the WordPress and MediaWiki systems. We analyse the evolution of privilege protections across 211 and 193 releases of WordPress and MediaWiki respectively, and observe that around 60% of commits affect privilege protections in both projects. We refer to these commits as protection-impacting change (PIC) commits. To help developers identify PIC commits just-in-time, i.e., as soon as they are introduced in the code base, we extract a series of metrics from commit logs and source code, and build statistical models. The evaluation of these models revealed that they can achieve a precision of up to 73.8% and a recall of up to 98.8% in WordPress, and for MediaWiki, a precision of up to 77.2% and a recall of up to 97.8%. Among the metrics examined, commit churn, bug fixing, author experience and code complexity between two releases are the most important predictors in the models. We performed a qualitative analysis of false positives and false negatives and observe that PIC commit detectors should ignore documentation-only commits and process code changes without the comments. Software organizations can use our proposed approach and models to identify unintentional privilege protection changes as soon as they are introduced, in order to prevent the introduction of vulnerabilities in their systems.

    Finding Differences in Privilege Protection and their Origin in Role-Based Access Control Implementations

    Abstract (translated from French): Web applications are very common and have security needs. One of these is access control. Access control ensures that the security policy is respected. This policy defines legitimate access to the application's data and operations. Web applications regularly use Role-Based Access Control (RBAC). RBAC security policies allow developers to define roles and assign users to these roles. In addition, access privileges are assigned at the role level. Web applications evolve during their maintenance, and source code changes can affect their security in unexpected ways. To prevent these changes from causing regressions and vulnerabilities, developers must revalidate their application's RBAC implementation. These revalidations can require considerable resources. Moreover, the task is complicated by the possible distance between a change and its security impact (e.g. in different procedures or files). To tackle this problem, we propose static program analyses around definite privilege protection. We automatically generate privilege protection models. To do so, we use Pattern Traversal Flow Analysis (PTFA) on the application's source code. By comparing the PTFA models of different versions, we determine the impacts of code changes on privilege protection. We call these security impacts Definite Protection Differences (DPDs). In addition to finding the DPDs between two versions, we establish a classification of the differences based on set theory.

    Abstract: Web applications are commonplace, and have security needs. One of these is access control. Access control enforces a security policy that allows and restricts access to information and operations. Web applications often use Role-Based Access Control (RBAC) to restrict operations and protect security-sensitive information and resources. RBAC allows developers to assign users to various roles, and assign privileges to the roles. Web applications undergo maintenance and evolution. Their security may be affected by source code changes between releases. Because these changes may impact security in unexpected ways, developers need to revalidate their RBAC implementation to prevent regressions and vulnerabilities. This may be resource-intensive. The task is complicated by the fact that the code change and its security impact may be distant (e.g. in different functions or files). To address this issue, we propose static program analyses of definite privilege protection. We automatically generate privilege protection models from the source code using Pattern Traversal Flow Analysis (PTFA). Using differences between versions and PTFA models, we determine privilege-level security impacts of code changes using definite protection differences (DPDs) and apply a set-theoretic classification to them. We also compute explanatory counter-examples for DPDs in PTFA models. In addition, we shorten them using graph transformations in order to facilitate their understanding. We define protection-impacting changes (PICs), changed code during evolution that impacts privilege protection. We do so using graph reachability and differencing of two versions' PTFA models. We also identify a superset of source code changes that contain root causes of DPDs by reverting these changes. We survey the distribution of DPDs and their classification over 147 release pairs of WordPress, spanning from 2.0 to 4.5.1. We found that code changes caused no DPDs in 82 (56%) release pairs. The remaining 65 (44%) release pairs are security-affected. For these release pairs, only 0.30% of code is affected by DPDs on average. We also found that the most common change categories are complete gains (≈ 41%), complete losses (≈ 18%) and substitution (≈ 20%).

    Protection differences between versions of a software system: a case study of changes, causal links and prospects for the automatic repair of faults

    Abstract (translated from French): Web applications put access control policies in place to protect their users by restricting access to actions and data. As the application evolves, while introducing new features or fixing bugs, developers can accidentally break the access control policy and inject vulnerabilities into the application. One applicable technique for preventing and repairing the injection of these vulnerabilities is the use of static analyses to study the properties of the program and to compare the properties of two successive versions. If the properties differ, a vulnerability may have been injected. To address this problem, we therefore extract the protection properties of a program's statements by Pattern Traversal Flow Analysis (PTFA), and we treat the protection differences between two versions of a project as a set of vulnerabilities to correct. After reviewing prior work on the automatic software repair problem, we study cases of protection differences in order to propose two models for repairing these differences, searching for patches in two different spaces. The first consists of reverting the changes made between the two versions that are suspected of being responsible for the protection differences. This solution relies on the study of Protection-Impacting Changes (PICs), and is preceded by a study of their limits. We define a framework for this model and formally prove that it can generate a patch correcting the targeted vulnerabilities. We then apply it in order to measure its performance on three data sets, comprising in total 148 version pairs from two different PHP applications, WordPress and MediaWiki, at two different versioning granularity levels. The second consists of inserting security patterns at the appropriate locations in the program. We define a framework for this model and formally show that it can generate a patch correcting the targeted vulnerabilities.

    Abstract: Web applications need access control policies to restrict the access to data and actions in order to protect their users. During the evolution of the application, while adding functionalities and correcting bugs, developers can unintentionally break the access control policy and introduce vulnerabilities into the application. A possible approach to prevent and repair the introduction of these vulnerabilities is the application of static analysis in order to extract the properties of the application, and to compare the properties between two successive versions. When the properties are different, a vulnerability has possibly been introduced. To study this problem, we extract protection properties of the statements of the program with a Pattern Traversal Flow Analysis (PTFA), and we take the protection differences between two versions as a set of vulnerabilities to correct. After having reviewed the state of the art in automatic software repair and patch generation, we study the protection differences in order to introduce two models to repair those differences, using two distinct search spaces. The first model uses a partial reversion of the changes suspected to be the cause of the protection differences. This approach is based on the Protection-Impacting Changes (PIC) analysis, and is deduced from a study of the limits of this analysis. We define a scope for this model and we prove that it successfully produces a patch correcting the targeted vulnerabilities. In order to measure its performance, we apply this model on three data sets, adding up to 148 version pairs, from two distinct PHP applications, WordPress and MediaWiki, and two granularity levels of versioning. The second model uses the insertion of security patterns at the appropriate places. We define a scope for this model, and we prove that it successfully produces a patch correcting the targeted vulnerabilities.

    Memory region: a system abstraction for managing the complex memory structures of multicore platforms

    The performance of modern many-core systems depends on the effective use of their complex cache and memory structures, and this will likely become more pronounced with the impending arrival of on-chip 3D stacked memory and non-volatile off-chip byte-addressable memory. Yet to date, operating systems have not treated memory as a first-class schedulable resource that embraces memory heterogeneity. This dissertation presents a new software abstraction, called ‘memory region’, which denotes the current set of physical memory pages actively used by workloads. Using this abstraction, memory resources can be scheduled for applications to fully exploit a platform's underlying cache and memory system, thereby gaining improved performance and predictability in execution, particularly for the consolidated workloads seen in virtualized and cloud computing infrastructures. The abstraction's implementation in the Xen hypervisor involves the run-time detection of memory regions, the scheduled mapping of these regions to caches to match performance goals, and the maintenance of region-to-cache mappings using per-cache page tables. This dissertation makes the following specific contributions. First, it proposes a new scheduling method, region scheduling, in which the location of memory blocks rather than CPU utilization is the principal determinant of where workloads are run. Second, treating memory blocks as first-class resources, new methods for efficient cache management are shown to improve application performance as well as the performance of certain operating system functions. Third, explicit memory scheduling makes it possible to disaggregate operating systems without changing OS sources and with only small markups of target guest OS functionality. With this method, OS functions can be mapped to specific desired platform components, such as a file system confined to running on specific cores and using only certain memory resources designated for its use. This can improve performance for applications heavily dependent on certain OS functions, by dynamically providing those functions with the resources needed for their current use, and it can prevent performance-critical application functionality from being needlessly perturbed by OS functions used for other purposes or by other jobs. Fourth, extensions of region scheduling can also help applications deal with the heterogeneous memory resources present in future systems, including on-chip stacked DRAM and NUMA or even NVRAM memory modules. More generally, region scheduling is shown to apply to memory structures with well-defined differences in memory access latencies.

    Addressing the new generation of spam (Spam 2.0) through Web usage models

    New Internet collaborative media introduce new ways of communicating that are not immune to abuse. A fake eye-catching profile on social networking websites, a promotional review, a response to a thread in online forums with unsolicited content, or a manipulated wiki page are examples of the new generation of spam on the web, referred to as Web 2.0 Spam or Spam 2.0. Spam 2.0 is defined as the propagation of unsolicited, anonymous, mass content to infiltrate legitimate Web 2.0 applications. The current literature does not address Spam 2.0 in depth, and the outcomes of efforts to date are inadequate. The aim of this research is to formalise a definition for Spam 2.0 and provide Spam 2.0 filtering solutions. Early detection, extensibility, robustness and adaptability are key factors in the design of the proposed method. This dissertation provides a comprehensive survey of state-of-the-art web spam and Spam 2.0 filtering methods to highlight the unresolved issues and open problems, while at the same time effectively capturing the knowledge in the domain of spam filtering. This dissertation proposes three solutions in the area of Spam 2.0 filtering: (1) characterising and profiling Spam 2.0, (2) an Early-Detection based Spam 2.0 Filtering (EDSF) approach, and (3) an On-the-Fly Spam 2.0 Filtering (OFSF) approach. All the proposed solutions are tested against real-world datasets and their performance is compared with that of existing Spam 2.0 filtering methods. This work has coined the term ‘Spam 2.0’, provided insight into the nature of Spam 2.0, and proposed filtering mechanisms to address this new and rapidly evolving problem.

    Social Computing: Study on the Use and Impacts of Collaborative Content

    Collaborative content, created with Web 2.0 technologies, is part of the social computing phenomenon. The key feature of collaborative content is that it is created, reviewed, refined, enhanced and shared through the interactions and contributions of a number of people. The report provides an assessment of the use, adoption and impact of collaborative content applications, giving an in-depth description of YouTube, Wikipedia and blogging, and discussing the socio-economic impacts and challenges of the collaborative content phenomenon. The great variety of collaborative content applications is providing people with access to a great diversity of content and information, new relations to other people based on common interests, and a new tool for collaboration. Organizations cannot avoid responding to the challenges arising, but there are various ways in which they can also benefit from the opportunities available. A major challenge is how to nurture a responsible digital culture, where users adopt a critical attitude in both creating and using the content, and where the collaborative communities have sustainable models for participation and content quality management. (JRC.J.4 - Information Society)

    Wikipedia @ 20

    Wikipedia’s first twenty years: how what began as an experiment in collaboration became the world’s most popular reference work. We have been looking things up in Wikipedia for twenty years. What began almost by accident—a wiki attached to a nascent online encyclopedia—has become the world’s most popular reference work. Regarded at first as the scholarly equivalent of a Big Mac, Wikipedia is now known for its reliable sourcing and as a bastion of (mostly) reasoned interaction. How has Wikipedia, built on a model of radical collaboration, remained true to its original mission of “free access to the sum of all human knowledge” when other tech phenomena have devolved into advertising platforms? In this book, scholars, activists, and volunteers reflect on Wikipedia’s first twenty years, revealing connections across disciplines and borders, languages and data, the professional and personal. The contributors consider Wikipedia’s history, the richness of the connections that underpin it, and its founding vision. Their essays look at, among other things, the shift from bewilderment to respect in press coverage of Wikipedia; Wikipedia as “the most important laboratory for social scientific and computing research in history”; and the acknowledgment that “free access” includes not just access to the material but freedom to contribute—that the summation of all human knowledge is biased by who documents it. Contributors: Phoebe Ayers, Omer Benjakob, Yochai Benkler, William Beutler, Siko Bouterse, Rebecca Thorndike-Breeze, Amy Carleton, Robert Cummings, LiAnna L. Davis, Siân Evans, Heather Ford, Stephen Harrison, Heather Hart, Benjamin Mako Hill, Dariusz Jemielniak, Brian Keegan, Jackie Koerner, Alexandria Lockett, Jacqueline Mabey, Katherine Maher, Michael Mandiberg, Stephane Coillet-Matillon, Cecelia A. Musselman, Eliza Myrie, Jake Orlowitz, Ian A. Ramjohn, Joseph Reagle, Anasuya Sengupta, Aaron Shaw, Melissa Tamani, Jina Valentine, Matthew Vetter, Adele Vrana, Denny Vrandečić.

    The global vulnerability discovery and disclosure system: a thematic system dynamics approach

    Vulnerabilities within software are the fundamental issue that provides both the means and the opportunity for malicious threat actors to compromise critical IT systems (Younis et al., 2016). Consequently, the reduction of vulnerabilities within software should be of paramount importance; however, it is argued that software development practitioners have historically failed to reduce the risks associated with software vulnerabilities. This failure is illustrated in, and by, the growth of software vulnerabilities over the past 20 years. This increase, which is both unprecedented and unwelcome, has led to an acknowledgement that novel and radical approaches are needed both to understand the vulnerability discovery and disclosure system (VDDS) and to mitigate the risks associated with software vulnerabilities (Bradbury, 2015; Marconato et al., 2012). The findings from this research show that whilst technological mitigations are vital, the social and economic features of the VDDS are of critical importance. For example, hitherto unknown systemic themes identified by this research are key and include: Perception of Punishment; Vendor Interactions; Disclosure Stance; Ethical Considerations; Economic Factors for Discovery and Disclosure; and Emergence of New Vulnerability Markets. Each theme uniquely impacts the system, and ultimately the scale of vulnerability-based risks. Within the research, each theme within the VDDS is represented by several key variables which interact and shape the system. Specifically: Vendor Sentiment; Vulnerability Removal Rate; Time to Fix; Market Share; Participants within the VDDS; Full and Coordinated Disclosure Ratio; and Participant Activity. Each variable is quantified and explored, defining both the parameter space and its progression over time. These variables are utilised within a system dynamics model to simulate differing policy strategies and assess the impact of these policies upon the VDDS. Three simulated vulnerability disclosure futures are hypothesised and presented, characterised as depletion, steady and exponential, with each scenario dependent upon the parameter space within the key variables.