Enhancing Trust –A Unified Meta-Model for Software Security Vulnerability Analysis

Over the last decade, a globalization of the software industry has taken place which has facilitated the sharing and reuse of code across existing project boundaries. At the same time, such global reuse also introduces new challenges to the Software Engineering community, with not only code implementation being shared across systems but also any vulnerabilities it is exposed to as well. Hence, vulnerabilities found in APIs no longer affect only individual projects but instead might spread across projects and even global software ecosystem borders. Tracing such vulnerabilities on a global scale becomes an inherently difficult task, with many of the resources required for the analysis not only growing at unprecedented rates but also being spread across heterogeneous resources. Software developers are struggling to identify and locate the required data to take full advantage of these resources. The Semantic Web and its supporting technology stack have been widely promoted to model, integrate, and support interoperability among heterogeneous data sources. This dissertation introduces four major contributions to address these challenges: (1) It provides a literature review of the use of software vulnerabilities databases (SVDBs) in the Software Engineering community. (2) Based on findings from this literature review, we present SEVONT, a Semantic Web based modeling approach to support a formal and semi-automated approach for unifying vulnerability information resources. SEVONT introduces a multi-layer knowledge model which not only provides a unified knowledge representation, but also captures software vulnerability information at different abstract levels to allow for seamless integration, analysis, and reuse of the modeled knowledge. The modeling approach takes advantage of Formal Concept Analysis (FCA) to guide knowledge engineers in identifying reusable knowledge concepts and modeling them. (3) A Security Vulnerability Analysis Framework (SV-AF) is introduced, which is an instantiation of the SEVONT knowledge model to support evidence-based vulnerability detection. The framework integrates vulnerability ontologies (and data) with existing Software Engineering ontologies allowing for the use of Semantic Web reasoning services to trace and assess the impact of security vulnerabilities across project boundaries. Several case studies are presented to illustrate the applicability and flexibility of our modelling approach, demonstrating that the presented knowledge modeling approach cannot only unify heterogeneous vulnerability data sources but also enables new types of vulnerability analysis

Temporary labour migration for victims of natural disasters: the Columbia-Spain model

Environmental degradation is increasingly causing large-scale migration. This paper looks into international labour migration as a strategy to adapt to a changing environment. Facilitating legal migration for persons affected by environmental degradation can prevent them from being forcibly displaced, can reduce their vulnerability to future environmental disruptions, and can contribute to the development of vulnerable communities. This paper analyses how ‘environmental migration’ could be facilitated, through a case study of the Colombian Temporary and Circular Labour Migration project. Through this innovative migration model, based on an agreement between Colombia and Spain, Colombians facing recurring natural disasters, are offered a livelihood alternative through temporary work abroad, while affected zones can recuperate. This programme, supported by the IOM, illustrates how a European member State can enable vulnerable people to migrate overseas by providing labour migration opportunities for selected beneficiaries. By supporting migrants in maximizing the impact of remittances on the recovery of their place of origin, the TCLM programme increases their resilience to natural disasters, and offers them an alternative to permanent and/or urban migration. The paper discusses the normative framework supporting the TCLM programme, and identifies some conditions for the replication of the programme in other states. The potential of the project for both development and adaptation to environmental changes is being considered

Carbon Free Boston: Social equity report 2019

OVERVIEW: In January 2019, the Boston Green Ribbon Commission released its Carbon Free Boston: Summary Report, identifying potential options for the City of Boston to meet its goal of becoming carbon neutral by 2050. The report found that reaching carbon neutrality by 2050 requires three mutually-reinforcing strategies in key sectors: 1) deepen energy efficiency while reducing energy demand, 2) electrify activity to the fullest practical extent, and 3) use fuels and electricity that are 100 percent free of greenhouse gases (GHGs). The Summary Report detailed the ways in which these technical strategies will transform Boston’s physical infrastructure, including its buildings, energy supply, transportation, and waste management systems. The Summary Report also highlighted that it is how these strategies are designed and implemented that matter most in ensuring an effective and equitable transition to carbon neutrality. Equity concerns exist for every option the City has to reduce GHG emissions. The services provided by each sector are not experienced equally across Boston’s communities. Low-income families and families of color are more likely to live in residences that are in poor physical condition, leading to high utility bills, unsafe and unhealthy indoor environments, and high GHG emissions.1 Those same families face greater exposure to harmful outdoor air pollution compared to others. The access and reliability of public transportation is disproportionately worse in neighborhoods with large populations of people of color, and large swaths of vulnerable neighborhoods, from East Boston to Mattapan, do not have ready access to the city’s bike network. Income inequality is a growing national issue and is particularly acute in Boston, which consistently ranks among the highest US cities in regards to income disparities. With the release of Imagine Boston 2030, Mayor Walsh committed to make Boston more equitable, affordable, connected, and resilient. The Summary Report outlined the broad strokes of how action to reach carbon neutrality intersects with equity. A just transition to carbon neutrality improves environmental quality for all Bostonians, prioritizes socially vulnerable populations, seeks to redress current and past injustice, and creates economic and social opportunities for all. This Carbon Free Boston: Social Equity Report provides a deeper equity context for Carbon Free Boston as a whole, and for each strategy area, by demonstrating how inequitable and unjust the playing field is for socially vulnerable Bostonians and why equity must be integrated into policy design and implementation. This report summarizes the current landscape of climate action work for each strategy area and evaluates how it currently impacts inequity. Finally, this report provides guidance to the City and partners on how to do better; it lays out the attributes of an equitable approach to carbon neutrality, framed around three guiding principles: 1) plan carefully to avoid unintended consequences, 2) be intentional in design through a clear equity lens, and 3) practice inclusivity from start to finish

CEDIM Research Report 2015-2016

The Center for Disaster Management and Risk Reduction Technology (CEDIM) is an interdisciplinary research institution in the field of disaster management. This report provides an overview of the research work and activities of CEDIM during 2015 and 2016 at the Karlsruhe Institute of Technology (KIT)

Finding Software Vulnerabilities in Open-Source C Projects via Bounded Model Checking

Computer-based systems have solved several domain problems, including industrial, military, education, and wearable. Nevertheless, such arrangements need high-quality software to guarantee security and safety as both are mandatory for modern software products. We advocate that bounded model-checking techniques can efficiently detect vulnerabilities in general software systems. However, such an approach struggles to scale up and verify extensive code bases. Consequently, we have developed and evaluated a methodology to verify large software systems using a state-of-the-art bounded model checker. In particular, we pre-process input source-code files and guide the respective model checker to explore them systematically. Moreover, the proposed scheme includes a function-wise prioritization strategy, which readily provides results for code entities according to a scale of importance. Experimental results using a real implementation of the proposed methodology show that it can efficiently verify large software systems. Besides, it presented low peak memory allocation when executed. We have evaluated our approach by verifying twelve popular open-source C projects, where we have found real software vulnerabilities that their developers confirmed.Comment: 27 pages, submitted to STTT journa

Assessing the Threat Level of Software Supply Chains with the Log Model

The use of free and open source software (FOSS) components in all software systems is estimated to be above 90%. With such high usage and because of the heterogeneity of FOSS tools, repositories, developers and ecosystem, the level of complexity of managing software development has also increased. This has amplified both the attack surface for malicious actors and the difficulty of making sure that the software products are free from threats. The rise of security incidents involving high profile attacks is evidence that there is still much to be done to safeguard software products and the FOSS supply chain. Software Composition Analysis (SCA) tools and the study of attack trees help with improving security. However, they still lack the ability to comprehensively address how interactions within the software supply chain may impact security. This work presents a novel approach of assessing threat levels in FOSS supply chains with the log model. This model provides information capture and threat propagation analysis that not only account for security risks that may be caused by attacks and the usage of vulnerable software, but also how they interact with the other elements to affect the threat level for any element in the model

Security Analysis of Vehicle to Vehicle Arada Locomate On Board Unit

Arada Locomate On-Board Unit is a vehicle-to-vehicle communication device that supports the WAVE protocol, which is the standard for vehicle to vehicle communication. Successful attacks on the device could be used to control the behavior of the connected vehicle. This creative component assesses the security of the device and discusses the vulnerabilities of the applications installed on the device. It reports about our results to exploit the known vulnerabilities of Dropbear ssh, Busybox telnet, and the Linux kernel, which are installed on the device and discusses how to obtain the private keys of the device to use them for attacks. In addition, it describes our investigation of the existence of exploitable buer over ow in the usbd program, which accepts messages through port 6666 (IRC port). The results are: the exploitation of Dropbear ssh, Busybox telnet failed, the exploitation of the vmsplice vulnerability in the Linux kernel required adapting the exploit to the MIPS architecture, there is no exploitable buer over ow in the usbd; however, the private keys of the device are easily accessible and the user password of the device could be changed without authentication. The current results are not that useful to stage attacks but further work may lead to exploit the device and use it to inject messages to the connected vehicle, e.g., develop an exploit for vmsplice vulnerability for MIPS Linux