3,581 research outputs found
Enhancing Trust –A Unified Meta-Model for Software Security Vulnerability Analysis
Over the last decade, a globalization of the software industry has taken place which has facilitated the sharing and reuse of code across existing project boundaries. At the same time, such global reuse also introduces new challenges to the Software Engineering community, with not only code implementation being shared across systems but also any vulnerabilities it is exposed to as well. Hence, vulnerabilities found in APIs no longer affect only individual projects but instead might spread across projects and even global software ecosystem borders. Tracing such vulnerabilities on a global scale becomes an inherently difficult task, with many of the resources required for the analysis not only growing at unprecedented rates but also being spread across heterogeneous resources. Software developers are struggling to identify and locate the required data to take full advantage of these resources. The Semantic Web and its supporting technology stack have been widely promoted to model, integrate, and support interoperability among heterogeneous data sources.
This dissertation introduces four major contributions to address these challenges: (1) It provides a literature review of the use of software vulnerabilities databases (SVDBs) in the Software Engineering community. (2) Based on findings from this literature review, we present SEVONT, a Semantic Web based modeling approach to support a formal and semi-automated approach for unifying vulnerability information resources. SEVONT introduces a multi-layer knowledge model which not only provides a unified knowledge representation, but also captures software vulnerability information at different abstract levels to allow for seamless integration, analysis, and reuse of the modeled knowledge. The modeling approach takes advantage of Formal Concept Analysis (FCA) to guide knowledge engineers in identifying reusable knowledge concepts and modeling them. (3) A Security Vulnerability Analysis Framework (SV-AF) is introduced, which is an instantiation of the SEVONT knowledge model to support evidence-based vulnerability detection. The framework integrates vulnerability ontologies (and data) with existing Software Engineering ontologies allowing for the use of Semantic Web reasoning services to trace and assess the impact of security vulnerabilities across project boundaries.
Several case studies are presented to illustrate the applicability and flexibility of our modelling approach, demonstrating that the presented knowledge modeling approach cannot only unify heterogeneous vulnerability data sources but also enables new types of vulnerability analysis
Temporary labour migration for victims of natural disasters: the Columbia-Spain model
Environmental degradation is increasingly causing large-scale migration. This paper looks into international labour migration as a strategy to adapt to a changing environment. Facilitating legal migration for persons affected by environmental degradation can prevent them from being forcibly displaced, can reduce their vulnerability to future environmental disruptions, and can contribute to the development of vulnerable communities. This paper analyses how ‘environmental migration’ could be facilitated, through a case study of the Colombian Temporary and Circular Labour Migration project. Through this innovative migration model, based on an agreement between Colombia and Spain, Colombians facing recurring natural disasters, are offered a livelihood alternative through temporary work abroad, while affected zones can recuperate. This programme, supported by the IOM, illustrates how a European member State can enable vulnerable people to migrate overseas by providing labour migration opportunities for selected beneficiaries. By supporting migrants in maximizing the impact of remittances on the recovery of their place of origin, the TCLM programme increases their resilience to natural disasters, and offers them an alternative to permanent and/or urban migration. The paper discusses the normative framework supporting the TCLM programme, and identifies some conditions for the replication of the programme in other states. The potential of the project for both development and adaptation to environmental changes is being considered
Carbon Free Boston: Social equity report 2019
OVERVIEW:
In January 2019, the Boston Green Ribbon Commission released its Carbon Free Boston: Summary Report, identifying potential
options for the City of Boston to meet its goal of becoming carbon neutral by 2050. The report found that reaching carbon neutrality by 2050 requires three mutually-reinforcing strategies in key sectors: 1) deepen energy efficiency while reducing energy
demand, 2) electrify activity to the fullest practical extent, and 3) use fuels and electricity that are 100 percent free of greenhouse gases (GHGs). The Summary Report detailed the ways in which these technical strategies will transform Boston’s physical
infrastructure, including its buildings, energy supply, transportation, and waste management systems. The Summary Report also
highlighted that it is how these strategies are designed and implemented that matter most in ensuring an effective and equitable transition to carbon neutrality.
Equity concerns exist for every option the City has to reduce GHG emissions. The services provided by each sector are not
experienced equally across Boston’s communities. Low-income families and families of color are more likely to live in residences that are in poor physical condition, leading to high utility bills, unsafe and unhealthy indoor environments, and high GHG
emissions.1
Those same families face greater exposure to harmful outdoor air pollution compared to others. The access and
reliability of public transportation is disproportionately worse in neighborhoods with large populations of people of color, and
large swaths of vulnerable neighborhoods, from East Boston to Mattapan, do not have ready access to the city’s bike network.
Income inequality is a growing national issue and is particularly acute in Boston, which consistently ranks among the highest US
cities in regards to income disparities. With the release of Imagine Boston 2030, Mayor Walsh committed to make Boston more
equitable, affordable, connected, and resilient. The Summary Report outlined the broad strokes of how action to reach carbon
neutrality intersects with equity. A just transition to carbon neutrality improves environmental quality for all Bostonians, prioritizes socially vulnerable populations, seeks to redress current and past injustice, and creates economic and social opportunities
for all.
This Carbon Free Boston: Social Equity Report provides a deeper equity context for Carbon Free Boston as a whole, and for
each strategy area, by demonstrating how inequitable and unjust the playing field is for socially vulnerable Bostonians and why
equity must be integrated into policy design and implementation. This report summarizes the current landscape of climate
action work for each strategy area and evaluates how it currently impacts inequity. Finally, this report provides guidance to the
City and partners on how to do better; it lays out the attributes of an equitable approach to carbon neutrality, framed around
three guiding principles: 1) plan carefully to avoid unintended consequences, 2) be intentional in design through a clear equity
lens, and 3) practice inclusivity from start to finish
CEDIM Research Report 2015-2016
The Center for Disaster Management and Risk Reduction Technology (CEDIM) is an interdisciplinary research institution in the field of disaster management. This report provides an overview of the research work and activities of CEDIM during 2015 and 2016 at the Karlsruhe Institute of Technology (KIT)
Finding Software Vulnerabilities in Open-Source C Projects via Bounded Model Checking
Computer-based systems have solved several domain problems, including
industrial, military, education, and wearable. Nevertheless, such arrangements
need high-quality software to guarantee security and safety as both are
mandatory for modern software products. We advocate that bounded model-checking
techniques can efficiently detect vulnerabilities in general software systems.
However, such an approach struggles to scale up and verify extensive code
bases. Consequently, we have developed and evaluated a methodology to verify
large software systems using a state-of-the-art bounded model checker. In
particular, we pre-process input source-code files and guide the respective
model checker to explore them systematically. Moreover, the proposed scheme
includes a function-wise prioritization strategy, which readily provides
results for code entities according to a scale of importance. Experimental
results using a real implementation of the proposed methodology show that it
can efficiently verify large software systems. Besides, it presented low peak
memory allocation when executed. We have evaluated our approach by verifying
twelve popular open-source C projects, where we have found real software
vulnerabilities that their developers confirmed.Comment: 27 pages, submitted to STTT journa
Assessing the Threat Level of Software Supply Chains with the Log Model
The use of free and open source software (FOSS) components in all software
systems is estimated to be above 90%. With such high usage and because of the
heterogeneity of FOSS tools, repositories, developers and ecosystem, the level
of complexity of managing software development has also increased. This has
amplified both the attack surface for malicious actors and the difficulty of
making sure that the software products are free from threats. The rise of
security incidents involving high profile attacks is evidence that there is
still much to be done to safeguard software products and the FOSS supply chain.
Software Composition Analysis (SCA) tools and the study of attack trees help
with improving security. However, they still lack the ability to
comprehensively address how interactions within the software supply chain may
impact security. This work presents a novel approach of assessing threat levels
in FOSS supply chains with the log model. This model provides information
capture and threat propagation analysis that not only account for security
risks that may be caused by attacks and the usage of vulnerable software, but
also how they interact with the other elements to affect the threat level for
any element in the model
Security Analysis of Vehicle to Vehicle Arada Locomate On Board Unit
Arada Locomate On-Board Unit is a vehicle-to-vehicle communication device that supports the WAVE protocol, which is the standard for vehicle to vehicle communication. Successful attacks on the device could be used to control the behavior of the connected vehicle. This creative component assesses the security of the device and discusses the vulnerabilities of the applications installed on the device. It reports about our results to exploit the known vulnerabilities of Dropbear ssh, Busybox telnet, and the Linux kernel, which are installed on the device and discusses how to obtain the private keys of the device to use them for attacks. In addition, it describes our investigation of the existence of exploitable buer over ow in the usbd program, which accepts messages through port 6666 (IRC port). The results are: the exploitation of Dropbear ssh, Busybox telnet failed, the exploitation of the vmsplice vulnerability in the Linux kernel required adapting the exploit to the MIPS architecture, there is no exploitable buer over ow in the usbd; however, the private keys of the device are easily accessible and the user password of the device could be changed without authentication. The current results are not that useful to stage attacks but further work may lead to exploit the device and use it to inject messages to the connected vehicle, e.g., develop an exploit for vmsplice vulnerability for MIPS Linux
- …