Just-in-Time Detection of Protection-Impacting Changes on Wordpress and Mediawiki

Les mécanismes de contrôle d’accès basés sur les rôles accordés et les privilèges prédéfinis limitent l’accès des utilisateurs aux ressources sensibles à la sécurité dans un système logiciel multi-utilisateurs. Des modifications non intentionnelles des privilèges protégés peuvent survenir lors de l’évolution d’un système, ce qui peut entraîner des vulnérabilités de sécurité et par la suite menacer les données confidentielles des utilisateurs et causer d’autres graves problèmes. Dans ce mémoire, nous avons utilisé la technique “Pattern Traversal Flow Analysis” pour identifier les différences de protection introduite dans les systèmes WordPress et MediaWiki. Nous avons analysé l’évolution des privilèges protégés dans 211 et 193 versions respectivement de WordPress et Mediawiki, et nous avons constaté qu’environ 60% des commits affectent les privilèges protégés dans les deux projets étudiés. Nous nous référons au commits causant un changement protégé comme commits (PIC). Pour aider les développeurs à identifier les commits PIC en temps réel, c’est à dire dès leur soumission dans le répertoire de code, nous extrayons une série de métriques à partir des logs de commits et du code source, ensuite, nous construisons des modèles statistiques. L’évaluation de ces modèles a révélé qu’ils pouvaient atteindre une précision allant jusqu’à 73,8 % et un rappel de 98,8 % dans WordPress, et pour MediaWiki, une précision de 77,2 % et un rappel allant jusqu’à 97,8 %. Parmi les métriques examinés, changement de lignes de code, correction de bogues, expérience des auteurs, et complexité du code entre deux versions sont les facteurs prédictifs les plus importants de ces modèles. Nous avons effectué une analyse qualitative des faux positifs et des faux négatifs et avons observé que le détecteur des commits PIC doit ignorer les commits de documentation uniquement et les modifications de code non accompagnées de commentaires. Les entreprises de développement logiciel peuvent utiliser notre approche et les modèles proposés dans ce mémoire, pour identifier les modifications non intentionnelles des privilèges protégés dès leur apparition, afin d’empêcher l’introduction de vulnérabilités dans leurs systèmes. ----------ABSTRACT: Access control mechanisms based on roles and privileges restrict the access of users to security sensitive resources in a multi-user software system. Unintentional privilege protection changes may occur during the evolution of a system, which may introduce security vulnerabilities, threatening user’s confidential data, and causing other severe problems. In this thesis, we use the Pattern Traversal Flow Analysis technique to identify definite protection differences in WordPress and MediaWiki systems. We analyse the evolution of privilege protections across 211 and 193 releases from respectively WordPress and Mediawiki, and observe that around 60% of commits affect privileges protections in both projects. We refer to these commits as protection-impacting change (PIC) commits. To help developers identify PIC commits justin-time, i.e., as soon as they are introduced in the code base, we extract a series of metrics from commit logs and source code, and build statistical models. The evaluation of these models revealed that they can achieve a precision up to 73.8% and a recall up to 98.8% in WordPress and for MediaWiki, a precision up to 77.2% and recall up to 97.8%. Among the metrics examined, commit churn, bug fixing, author experiences and code complexity between two releases are the most important predictors in the models. We performed a qualitative analysis of false positives and false negatives and observe that PIC commits detectors should ignore documentation-only commits and process code changes without the comments. Software organizations can use our proposed approach and models, to identify unintentional privilege protection changes as soon as they are introduced, in order to prevent the introduction of vulnerabilities in their systems

Finding Differences in Privilege Protection and their Origin in Role-Based Access Control Implementations

Les applications Web sont très courantes, et ont des besoins de sécurité. L’un d’eux est le contrôle d’accès. Le contrôle d’accès s’assure que la politique de sécurité est respectée. Cette politique définit l’accès légitime aux données et aux opérations de l’application. Les applications Web utilisent régulièrement le contrôle d’accès à base de rôles (en anglais, « Role-Based Access Control » ou RBAC). Les politiques de sécurité RBAC permettent aux développeurs de définir des rôles et d’assigner des utilisateurs à ces rôles. De plus, l’assignation des privilèges d’accès se fait au niveau des rôles. Les applications Web évoluent durant leur maintenance et des changements du code source peuvent affecter leur sécurité de manière inattendue. Pour éviter que ces changements engendrent des régressions et des vulnérabilités, les développeurs doivent revalider l’implémentation RBAC de leur application. Ces revalidations peuvent exiger des ressources considérables. De plus, la tâche est compliquée par l’éloignement possible entre le changement et son impact sur la sécurité (e.g. dans des procédures ou fichiers différents). Pour s’attaquer à cette problématique, nous proposons des analyses statiques de programmes autour de la protection garantie des privilèges. Nous générons automatiquement des modèles de protection des privilèges. Pour ce faire, nous utilisons l’analyse de flux par traversement de patron (en anglais, « Pattern Traversal Flow Analysis » ou PTFA) à partir du code source de l’application. En comparant les modèles PTFA de différentes versions, nous déterminons les impacts des changements de code sur la protection des privilèges. Nous appelons ces impacts de sécurité des différences de protection garantie (en anglais, « Definite Protection Difference » ou DPD). En plus de trouver les DPD entre deux versions, nous établissons une classification des différences reposant sur la théorie des ensembles.----------ABSTRACT : Web applications are commonplace, and have security needs. One of these is access control. Access control enforces a security policy that allows and restricts access to information and operations. Web applications often use Role-Based Access Control (RBAC) to restrict operations and protect security-sensitive information and resources. RBAC allows developers to assign users to various roles, and assign privileges to the roles. Web applications undergo maintenance and evolution. Their security may be affected by source code changes between releases. Because these changes may impact security in unexpected ways, developers need to revalidate their RBAC implementation to prevent regressions and vulnerabilities. This may be resource-intensive. This task is complicated by the fact that the code change and its security impact may be distant (e.g. in different functions or files). To address this issue, we propose static program analyses of definite privilege protection. We automatically generate privilege protection models from the source code using Pattern Traversal Flow Analysis (PTFA). Using differences between versions and PTFA models, we determine privilege-level security impacts of code changes using definite protection differences (DPDs) and apply a set-theoretic classification to them. We also compute explanatory counter-examples for DPDs in PTFA models. In addition, we shorten them using graph transformations in order to facilitate their understanding. We define protection-impacting changes (PICs), changed code during evolution that impact privilege protection. We do so using graph reachability and differencing of two versions’ PTFA models. We also identify a superset of source code changes that contain root causes of DPDs by reverting these changes. We survey the distribution of DPDs and their classification over 147 release pairs of Word-Press, spanning from 2.0 to 4.5.1. We found that code changes caused no DPDs in 82 (56%) release pairs. The remaining 65 (44%) release pairs are security-affected. For these release pairs, only 0.30% of code is affected by DPDs on average. We also found that the most common change categories are complete gains (� 41%), complete losses (� 18%) and substitution (� 20%)

Différences de protection entre les versions d’un logiciel : étude de cas des changements, liens causaux et perspectives pour la réparation automatique des défaillances

Les applications Web mettent en place des politiques de contrôle d’accès pour protéger leurs utilisateurs en restreignant les accès aux actions et aux données. Lors de l’évolution de l’application, en introduisant des nouvelles fonctionnalités ou en corrigeant des erreurs, les développeurs peuvent accidentellement briser la politique de contrôle d’accès et injecter des vulnérabilités dans l’application. L’une des techniques applicables pour prévenir et réparer l’injection de ces vulnérabilités est l’utilisation d’analyses statiques afin d’étudier les propriétés du programme, et de comparer les propriétés de deux versions successives. Si les propriétés sont différentes, il est possible qu’une vulnérabilité ait été injectée. Pour aborder ce problème, nous extrayons donc les propriétés de protection des instructions d’un programme par Analyse de Flux de Traversement de Motif (PTFA), et nous considérons les différences de protection entre deux versions d’un projet comme un ensemble de vulnérabilités à corriger. Après avoir revu l’antériorité de l’étude du problème de réparation automatique de logiciel, nous étudions les cas de différence de protection afin de proposer deux modèles de réparation de ces différences, en recherchant des patchs dans deux espaces différents. Le premier consiste à réverser les changements faits entre les deux versions que l’on soupçonne comme responsables des différences de protection. Cette solution s’appuie sur l’étude des Changements Impactant la Protection (PIC), et est précédée d’une étude des limites de ceux-ci. Nous définissons un cadre pour ce modèle et nous démontrons formellement qu’il permet de générer un patch corrigeant les vulnérabilités ciblées. Nous le mettons ensuite en application afin de mesurer ses performances sur trois jeux de données, comportant au total 148 paires de versions issues de deux applications php différentes, WordPress et MediaWiki, et à deux niveaux de granularité de versionnage différents. Le deuxième consiste à insérer des motifs de sécurité aux emplacements adéquats du programme. Nous définissons un cadre pour ce modèle et nous montrons formellement qu’il permet de générer un patch corrigeant les vulnérabilités ciblées.----------ABSTRACT: Web applications need access control policies to restrict the access to data and actions in order to protect their users. During the evolution of the application, while adding functionalities and correcting bugs, developers can unintentionally break the access control policy and introduce vulnerabilities into the application. A possible approach to prevent and repair the introduction of these vulnerabilities is the application of static analysis in order to extract the properties of the application, and to compare the properties between two successive versions. When the properties are different, a vulnerability has possibly been introduced. To study this problem, we extract protection properties of the statement of the program with a Pattern Traversal Flow Analysis (PTFA), and we take the protection differences between two versions as a set of vulnerabilities to correct. After having reviewed the state-of-the-art of software automatic repair and patch generation, we study the protections difference in order to introduce two models to repair those differences, using two distinct research spaces. The first model uses a partial reversion of the changes suspected to be the cause of the protection differences. This approach is based on the Protection Impacting Changes (PIC) analysis, and is deduced from a study of the limits of this analysis. We define a scope for this model and we prove that it successfully produces patch correcting the targetted vulnerabilities. In order to measure its performance, we apply this model on three data sets, adding up to 148 version pairs, from two distinct php applications, WordPress and MediaWiki, and two granularity levels of versioning. The second model uses the insertion of security patterns at the appropriate places. We define a scope for this model, and we prove that it successfully produces patch correcting the targetted vulnerabilities

Memory region: a system abstraction for managing the complex memory structures of multicore platforms

The performance of modern many-core systems depends on the effective use of their complex cache and memory structures, and this will likely become more pronounced with the impending arrival of on-chip 3D stacked and non-volatile off-chip byte-addressable memory. Yet to date, operating systems have not treated memory as a first class schedulable resource, embracing memory heterogeneity. This dissertation presents a new software abstraction, called ‘memory region’, which denotes the current set of physical memory pages actively used by workloads. Using this abstraction, memory resources can be scheduled for applications to fully exploit a platform's underlying cache and memory system, thereby gaining improved performance and predictability in execution, particularly for the consolidated workloads seen in virtualized and cloud computing infrastructures. The abstraction's implementation in the Xen hypervisor involves the run-time detection of memory regions, the scheduled mapping of these regions to caches to match performance goals, and maintaining region-to-cache mappings using per-cache page tables. This dissertation makes the following specific contributions. First, its region scheduling method proposes that the location of memory blocks rather than CPU utilization is the principal determinant where workloads are run. It proposes a new scheduling method, the region scheduling that the location of memory blocks determines where the workloads are run. Second, treating memory blocks as first-class resources, new methods for efficient cache management are shown to improve application performance as well as the performance of certain operating system functions. Third, explicit memory scheduling makes it possible to disaggregate operating systems, without the need to change OS sources and with only small markups of target guest OS functionality. With this method, OS functions can be mapped to specific desired platform components, such as file system confined to running on specific cores and using only certain memory resources designated for its use. This can improve performance for applications heavily dependent on certain OS functions, by dynamically providing those functions with the resources needed for their current use, and it can prevent performance-critical application functionality from being needlessly perturbed by OS functions used for other purposes or by other jobs. Fourth, extensions of region scheduling can also help applications deal with the heterogeneous memory resources present in future systems, including on-chip stacked DRAM and NUMA or even NVRAM memory modules. More generally, regions scheduling is shown to apply to memory structures with well-defined differences in memory access latencies.Ph.D

Addressing the new generation of spam (Spam 2.0) through Web usage models

New Internet collaborative media introduce new ways of communicating that are not immune to abuse. A fake eye-catching profile in social networking websites, a promotional review, a response to a thread in online forums with unsolicited content or a manipulated Wiki page, are examples of new the generation of spam on the web, referred to as Web 2.0 Spam or Spam 2.0. Spam 2.0 is defined as the propagation of unsolicited, anonymous, mass content to infiltrate legitimate Web 2.0 applications.The current literature does not address Spam 2.0 in depth and the outcome of efforts to date are inadequate. The aim of this research is to formalise a definition for Spam 2.0 and provide Spam 2.0 filtering solutions. Early-detection, extendibility, robustness and adaptability are key factors in the design of the proposed method.This dissertation provides a comprehensive survey of the state-of-the-art web spam and Spam 2.0 filtering methods to highlight the unresolved issues and open problems, while at the same time effectively capturing the knowledge in the domain of spam filtering.This dissertation proposes three solutions in the area of Spam 2.0 filtering including: (1) characterising and profiling Spam 2.0, (2) Early-Detection based Spam 2.0 Filtering (EDSF) approach, and (3) On-the-Fly Spam 2.0 Filtering (OFSF) approach. All the proposed solutions are tested against real-world datasets and their performance is compared with that of existing Spam 2.0 filtering methods.This work has coined the term ‘Spam 2.0’, provided insight into the nature of Spam 2.0, and proposed filtering mechanisms to address this new and rapidly evolving problem

Social Computing: Study on the Use and Impacts of Collaborative Content

Collaborative content, created with web2.0 technologies, is part of the social computing phenomenon. The key feature of collaborative content is that it is created, reviewed, refined, enhanced and shared by interactions and contributions of a number of people. The report provides an assessment of the use, adoption and impact of collaborative content applications, giving an in-depth description of YouTube, Wikipedia and blogging, and discussing the socio-economic impacts and challenges of collaborative content phenomenon. The great variety of collaborative content applications is providing people with access to a great diversity of content and information, new relations to other people based on common interests, and a new tool for collaboration. Organizations can not avoid responding to the challenges rising, but there are various ways in which they can also benefit from the opportunities available. A major challenge is how to nurture a responsible digital culture, where users adopt a critical attitude in both creating and using the content, and where the collaborative communities have sustainable models for participation and content quality management.JRC.J.4-Information Societ

Wikipedia @ 20

Wikipedia’s first twenty years: how what began as an experiment in collaboration became the world’s most popular reference work. We have been looking things up in Wikipedia for twenty years. What began almost by accident—a wiki attached to a nascent online encyclopedia—has become the world’s most popular reference work. Regarded at first as the scholarly equivalent of a Big Mac, Wikipedia is now known for its reliable sourcing and as a bastion of (mostly) reasoned interaction. How has Wikipedia, built on a model of radical collaboration, remained true to its original mission of “free access to the sum of all human knowledge” when other tech phenomena have devolved into advertising platforms? In this book, scholars, activists, and volunteers reflect on Wikipedia’s first twenty years, revealing connections across disciplines and borders, languages and data, the professional and personal. The contributors consider Wikipedia’s history, the richness of the connections that underpin it, and its founding vision. Their essays look at, among other things, the shift from bewilderment to respect in press coverage of Wikipedia; Wikipedia as “the most important laboratory for social scientific and computing research in history”; and the acknowledgment that “free access” includes not just access to the material but freedom to contribute—that the summation of all human knowledge is biased by who documents it. Contributors Phoebe Ayers, Omer Benjakob, Yochai Benkler, William Beutler, Siko Bouterse, Rebecca Thorndike-Breeze, Amy Carleton, Robert Cummings, LiAnna L. Davis, Siân Evans, Heather Ford, Stephen Harrison, Heather Hart, Benjamin Mako Hill, Dariusz Jemielniak, Brian Keegan, Jackie Koerner, Alexandria Lockett, Jacqueline Mabey, Katherine Maher, Michael Mandiberg, Stephane Coillet-Matillon, Cecelia A. Musselman, Eliza Myrie, Jake Orlowitz, Ian A. Ramjohn, Joseph Reagle, Anasuya Sengupta, Aaron Shaw, Melissa Tamani, Jina Valentine, Matthew Vetter, Adele Vrana, Denny Vrandeči

The global vulnerability discovery and disclosure system: a thematic system dynamics approach

Vulnerabilities within software are the fundamental issue that provide both the means, and opportunity for malicious threat actors to compromise critical IT systems (Younis et al., 2016). Consequentially, the reduction of vulnerabilities within software should be of paramount importance, however, it is argued that software development practitioners have historically failed in reducing the risks associated with software vulnerabilities. This failure is illustrated in, and by the growth of software vulnerabilities over the past 20 years. This increase which is both unprecedented and unwelcome has led to an acknowledgement that novel and radical approaches to both understand the vulnerability discovery and disclosure system (VDDS) and to mitigate the risks associate with software vulnerability centred risk is needed (Bradbury, 2015; Marconato et al., 2012). The findings from this research show that whilst technological mitigations are vital, the social and economic features of the VDDS are of critical importance. For example, hitherto unknown systemic themes identified by this research are of key and include; Perception of Punishment; Vendor Interactions; Disclosure Stance; Ethical Considerations; Economic factors for Discovery and Disclosure and Emergence of New Vulnerability Markets. Each theme uniquely impacts the system, and ultimately the scale of vulnerability based risks. Within the research each theme within the VDDS is represented by several key variables which interact and shape the system. Specifically: Vender Sentiment; Vulnerability Removal Rate; Time to fix; Market Share; Participants within VDDS, Full and Coordinated Disclosure Ratio and Participant Activity. Each variable is quantified and explored, defining both the parameter space and progression over time. These variables are utilised within a system dynamic model to simulate differing policy strategies and assess the impact of these policies upon the VDDS. Three simulated vulnerability disclosure futures are hypothesised and are presented, characterised as depletion, steady and exponential with each scenario dependent upon the parameter space within the key variables