Ernst Denert Award for Software Engineering 2019

This open access book provides an overview of the dissertations of the five nominees for the Ernst Denert Award for Software Engineering in 2019. The prize, kindly sponsored by the Gerlind & Ernst Denert Stiftung, is awarded for excellent work within the discipline of Software Engineering, which includes methods, tools and procedures for better and efficient development of high quality software. An essential requirement for the nominated work is its applicability and usability in industrial practice. The book contains five papers describing the works by Sebastian Baltes (U Trier) on Software Developers’Work Habits and Expertise, Timo Greifenberg’s thesis on Artefaktbasierte Analyse modellgetriebener Softwareentwicklungsprojekte, Marco Konersmann’s (U Duisburg-Essen) work on Explicitly Integrated Architecture, Marija Selakovic’s (TU Darmstadt) research about Actionable Program Analyses for Improving Software Performance, and Johannes Späth’s (Paderborn U) thesis on Synchronized Pushdown Systems for Pointer and Data-Flow Analysis – which actually won the award. The chapters describe key findings of the respective works, show their relevance and applicability to practice and industrial software engineering projects, and provide additional information and findings that have only been discovered afterwards, e.g. when applying the results in industry. This way, the book is not only interesting to other researchers, but also to industrial software professionals who would like to learn about the application of state-of-the-art methods in their daily work

Extended Substitution Cipher Chaining mode (ESCC)

In this paper, we present a new tweakable narrow-block mode of operation, the Extended Substitution Cipher Chaining mode (ESCC), that can be efficiently deployed in disk encryption applications. ESCC is an extention of Substitution Cipher Chaining mode (SCC)~\cite{scc}. Unlike SCC, ESCC is resistant to the attacks in~\cite{scc_attack,scc_attack2}

The M3dcrypt Password Hashing Function

M3dcrypt is a password hashing function built around the Advanced Encryption Standard (AES) algorithm and the arcfour pseudorandom function. It uses up to 256-bit pseudorandom salt values and supports 48-byte passwords

Countering Code Injection Attacks With Instruction Set Randomization

We describe a new, general approach for safeguarding systems against any type of code-injection attack. We apply Kerckhoff's principle, by creating process-specific randomized instruction sets (e.g., machine instructions) of the system executing potentially vulnerable software. An attacker who does not know the key to the randomization algorithm will inject code that is invalid for that randomized processor, causing a runtime exception. To determine the difficulty of integrating support for the proposed mechanism in the operating system, we modified the Linux kernel, the GNU binutils tools, and the bochs-x86 emulator. Although the performance penalty is significant, our prototype demonstrates the feasibility of the approach, and should be directly usable on a suitable-modified processor (e.g., the Transmeta Crusoe).Our approach is equally applicable against code-injecting attacks in scripting and interpreted languages, e.g., web-based SQL injection. We demonstrate this by modifying the Perl interpreter to permit randomized script execution. The performance penalty in this case is minimal. Where our proposed approach is feasible (i.e., in an emulated environment, in the presence of programmable or specialized hardware, or in interpreted languages), it can serve as a low-overhead protection mechanism, and can easily complement other mechanisms

Processamento analítico seguro

Dissertação de mestrado integrado em Engenharia InformáticaHoje em dia é cada vez mais comum recorrermos a múltiplas aplicações e serviços online para gerir o nosso quotidiano, levando à produção de grandes quantidades de informação. Simultaneamente, as empresas que fornecem estes serviços geram e analisam quantidades massivas de informação e metadados com o objetivo de melhorar os interesses dos seus utilizadores e a sua competitividade económica. Contudo, torna-se cada vez mais difícil armazenar e processar eficientemente esta enorme quantidade informação. De facto, segundo a IDC, no segundo trimestre de 2016 foram vendidos 34.7 mil milhões de gigabytes de armazenamento. Este desafio tem desencadeado diversas contribuições em campos como machine learning e processamento analítico de dados. Atualmente, existem duas opções para as empresas que querem tirar partido do armazenamento e processamento de dados: adquirir e administrar uma infraestrutura privada, assumindo a gestão interna da informação, ou recorrer a serviços de computação na nuvem. A primeira opção pode não ser a ideal devido aos elevados custos de aquisição e administração de uma infraestrutura e serviços privados. De forma a evitar este tipo de problemas, a opção de recorrer a serviços de computação na nuvem torna-se bastante atrativa devido à sua flexibilidade de armazenamento e poder computacional. Contudo, com o uso deste tipo de serviços, o controlo dos dados passa para terceiros podendo levar a falhas de segurança e de privacidade, tal como foi o caso do ataque à iCloud em que foi revelado conteúdo privado dos seus clientes. Assim, de forma a resolver estas limitações, esta dissertação tem como principal objetivo estudar e desenvolver novos mecanismos que permitam o processamento analítico seguro de informação. Em detalhe, são apresentadas as seguintes contribuições: um estudo do estado da arte dos sistemas de processamento analítico seguro, bem como as técnicas criptográficas suportadas por estes. Uma nova plataforma modular e flexível de processamento analítico seguro denominada SafeAnalytics. Um protótipo desta plataforma que integra os sistemas SafeNoSQL, um sistema que permite armazenamento e processamento seguro de informação em infraestruturas não confiáveis, e Apache Spark, um sistema de processamento analítico. E, por fim, uma avaliação do protótipo recorrendo a cargas de trabalho realistas que mostra que é possível alavancar as garantias de segurança do SafeAnalytics com um impacto no desempenho inferior a 20%, quando comparado com soluções atuais que não contemplam garantias de confidencialidade de dados.Nowadays, users resort to multiple online applications and services to improve their lives, leading to the generation and processing of a large amounts of information. Simultaneously, enterprises that provide these applications and services generate and analyze massive amounts of both structured and unstructured data in order to increase the quality of service to the end-user and improve the enterprises economic competitiveness. However, new challenges emerge with the high processing and storage demands. In fact, according to IDC, 34.7 billion gigabytes of storage were sold in the second quarter of 2016. The challenges have motivated the scientific community to focus on several research fields such as machine learning, and analytics. Currently, companies that want to leverage big data storage and analytics, can follow two different options: (i) acquire and manage a private infrastructure, being also responsible for the internal information management; (ii) resort to cloud computing services. The first option may not be sustainable, in many cases, due to the high costs that a private infrastructure imposes, from the equipment to the manpower necessary to maintain it. In order to avoid such problems, companies can instead resort to cloud computing services, which provide a elastic and pay-as-you-go model for storage and computing power. However, this computational shift causes data control to be migrated to a third party (the cloud providers), leading to several security and privacy vulnerabilities (e.g., The iCloud attack that revealed the private content of its clients). Thus, in order to solve these constraints, this dissertation main goals are to study and develop new mechanisms that allow secure analytical processing of information. In detail, the following contributions are presented: a state-of-the-art study of secure analytical systems, as well as the cryptographic techniques supported by them. A new modular and flexible platform, SafeAnalytics, that integrates SafeNoSQL, a system that allows secure storage and processing of information in untrusted infrastructures, and Apache Spark, an analytical processing system. And, finally, a prototype evaluation using realistic workloads that shows that it is possible to leverage SafeAnalytics security guarantees while having a performance impact inferior to 20% compared to current solutions that not provide data confidentiality guarantees

Computer Aided Verification

This open access two-volume set LNCS 10980 and 10981 constitutes the refereed proceedings of the 30th International Conference on Computer Aided Verification, CAV 2018, held in Oxford, UK, in July 2018. The 52 full and 13 tool papers presented together with 3 invited papers and 2 tutorials were carefully reviewed and selected from 215 submissions. The papers cover a wide range of topics and techniques, from algorithmic and logical foundations of verification to practical applications in distributed, networked, cyber-physical, and autonomous systems. They are organized in topical sections on model checking, program analysis using polyhedra, synthesis, learning, runtime verification, hybrid and timed systems, tools, probabilistic systems, static analysis, theory and security, SAT, SMT and decisions procedures, concurrency, and CPS, hardware, industrial applications

Cyber-security for embedded systems: methodologies, techniques and tools

L'abstract è presente nell'allegato / the abstract is in the attachmen

Law and Policy for the Quantum Age

Law and Policy for the Quantum Age is for readers interested in the political and business strategies underlying quantum sensing, computing, and communication. This work explains how these quantum technologies work, future national defense and legal landscapes for nations interested in strategic advantage, and paths to profit for companies