Dissertations / Theses on the topic 'Software and application security'
To see the other types of publications on this topic, follow the link: Software and application security.
Create a spot-on reference in APA, MLA, Chicago, Harvard, and other styles
Consult the top 50 dissertations / theses for your research on the topic 'Software and application security.'
Next to every source in the list of references, there is an 'Add to bibliography' button. Press on it, and we will generate automatically the bibliographic reference to the chosen work in the citation style you need: APA, MLA, Harvard, Chicago, Vancouver, etc.
You can also download the full text of the academic publication as pdf and read online its abstract whenever available in the metadata.
Browse dissertations / theses on a wide variety of disciplines and organise your bibliography correctly.
1
Söderquist, Mårten. "Tiny Security : Evaluating energy use for security in an IoT application." Thesis, Mittuniversitetet, Institutionen för data- och systemvetenskap, 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:miun:diva-36860.
Full textAbstract:
IoT devices are increasingly used in the process of gathering scientific data. In environmental monitoring IoT devices can be used as remote sensing devices to collect information about e.g. temperature. To keep data reliable, various security aspects have to be considered. Constrained devices are limited by memory size and battery life, a security solution has to be developed with this in mind. In this study an IoT security solution was developed in collaboration with a research group in environmental science at Umeå University. We selected commonly used algorithms and compared them with the goal to provide authentication and integrity for an IoT application, while minimizing energy use running on an Atmega 1284P. The results showed that the encryption algorithm AES-256-GCM is a good choice for a total security solution. AES-256-GCM provides authenticated encryption with additional data while, in relation to the other tested algorithms, using energy at a low level and leaving a small program size footprint.
2
Dell'Aguzzo, Paolo. "The secret life of software applications." Bachelor's thesis, Alma Mater Studiorum - Università di Bologna, 2014. http://amslaurea.unibo.it/7405/.
Full textAbstract:
One of the most undervalued problems by smartphone users is the security of data on their mobile devices. Today smartphones and tablets are used to send messages and photos and especially to stay connected with social networks, forums and other platforms. These devices contain a lot of private information like passwords, phone numbers, private photos, emails, etc. and an attacker may choose to steal or destroy this information.
The main topic of this thesis is the security of the applications present on the most popular stores (App Store for iOS and Play Store for Android) and of their mechanisms for the management of security.
The analysis is focused on how the architecture of the two systems protects users from threats and highlights the real presence of malware and spyware in their respective application stores. The work described in subsequent chapters explains the study of the behavior of 50 Android applications and 50 iOS applications performed using network analysis software. Furthermore, this thesis presents some statistics about malware and spyware present on the respective stores and the permissions they require. At the end the reader will be able to understand how to recognize malicious applications and which of the two systems is more suitable for him. This is how this thesis is structured. The first chapter introduces the security mechanisms of the Android and iOS platform architectures and the security mechanisms of their respective application stores. The Second chapter explains the work done, what, why and how we have chosen the tools needed to complete our analysis. The third chapter discusses about the execution of tests, the protocol followed and the approach to assess the “level of danger” of each application that has been checked. The fourth chapter explains the results of the tests and introduces some statistics on the presence of malicious applications on Play Store and App Store. The fifth chapter is devoted to the study of the users, what they think about and how they might avoid malicious applications. The sixth chapter seeks to establish, following our methodology, what application store is safer. In the end, the seventh chapter concludes the thesis.
3
Wanderydz, Kristoffer. "WEB APPLICATION SECURITY IN THE JAVA ENVIRONMENT." Thesis, Blekinge Tekniska Högskola, Sektionen för datavetenskap och kommunikation, 2012. http://urn.kb.se/resolve?urn=urn:nbn:se:bth-2370.
Full textAbstract:
This project focuses on web security. Some of the most famous vulnerabilities, known troubling web applications. Has been collected and analyzed. Each vulnerability collected in this project, was exploited and secured. Demon- strations from a web application prototype, developed for this project. Brings real examples for each vulnerability, both secured, and insecured. The proto- type ran on a Tomcat web server, and was developed with frameworks such as Web, Spring and Hibernate. Connected to one PostgreSQL data source. All vulnerabilities was successfully implemented in Spring framework, and they were all exploited. Every vulnerability was also secured, with different tools and methods from earlier mentioned frameworks. As a result, real examples from the prototype is used for demonstration in the project, both in a secure and an insecure state. The result views Spring as a framework with good security potential. Most of the Spring specific vulnerabilities, are logical design flaws from developers that can be avoided. Vulnerabilities not related to Spring, such as the one collected for this project. Could be prevented by using methods from the Spring framework or intelligent programming. Which leads to conclusions. Web applications are always exposed to attacks, no matter the framework in use. Creative hackers search to discover new vul- nerabilities, and update old ones all the time. Developers has a responsibility, towards the web applications users. Web applications can not just developed for normal use, but also against possible misuse. Frameworks with good reputation and well processed models, is a good ground for developing a secure application.
4
Foster, Nathalie Louise. "The application of software and safety engineering techniques to security protocol development." Thesis, University of York, 2002. http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.412617.
Full text
5
Srilatha, Rondla, and Gande Someshwar. "Security Testing for Web Applications in SDLC." Thesis, Blekinge Tekniska Högskola, Sektionen för datavetenskap och kommunikation, 2011. http://urn.kb.se/resolve?urn=urn:nbn:se:bth-2903.
Full textAbstract:
Context: In Web applications, the Software vulnerability can be reduced by applying security testing in all phases of the software development life cycle (SDLC). Lot of vulnerabilities might occur if the security testing is applied in the last phase of SDLC. In order to mitigate these vulnerabilities, a lot of rework is required that involves reverse engineering in the development and design phases. To overcome this situation, organizations are shifting from security testing (performed in last phase) towards security testing in the early phases of SDLC. Objectives: The main objectives of this thesis are to gather the benefits and challenges of security testing in the last phase versus security testing in every phase of the SDLC. After gathering, authors want to compare both implementations because these days most organizations are shifting from last phase to every phase of SDLC. Justification to the reason can be achieved by this comparison. Methods: In order to satisfy the objectives of this thesis, a literature review and interviews were conducted. The literature review was conducted by gathering benefits and challenges of last phase and every phase of SDLC. Authors have applied coding technique to the data gathered from literature review. By using the results from literature review, a set of questions were framed. Based on these questions, interviews in various organizations were performed. To analyze the practitioner’s data we used Sorting and Coding technique. Then, we conducted a comparative analysis to compare both results. Results: Application of security testing in the last phase of the SDLC results in a lot of rework which in turn leads to instability in managing the cost, time and resources in an organisation. In order to overcome this, more and more organisations are introducing security testing at each and every phase of SDLC. Conclusions: It can be concluded that every phase of security testing in SDLC has more benefits than applying in last phase of SDLC. To evaluate this process more research is needed to acquire more knowledge of security testing in all phases of SDLC. Through literature review and interviews conducted, it is evident that security testing at early phases causes a reduction in rework which in turn leads to more efficient management of cost, time and resources of a project.+91 8977404640
6
Mayo, Quentin R. "Detection of Generalizable Clone Security Coding Bugs Using Graphs and Learning Algorithms." Thesis, University of North Texas, 2018. https://digital.library.unt.edu/ark:/67531/metadc1404548/.
Full textAbstract:
This research methodology isolates coding properties and identifies the probability of security vulnerabilities using machine learning and historical data. Several approaches characterize the effectiveness of detecting security-related bugs that manifest as vulnerabilities, but none utilize vulnerability patch information. The main contribution of this research is a framework to analyze LLVM Intermediate Representation Code and merging core source code representations using source code properties. This research is beneficial because it allows source programs to be transformed into a graphical form and users can extract specific code properties related to vulnerable functions. The result is an improved approach to detect, identify, and track software system vulnerabilities based on a performance evaluation. The methodology uses historical function level vulnerability information, unique feature extraction techniques, a novel code property graph, and learning algorithms to minimize the amount of end user domain knowledge necessary to detect vulnerabilities in applications. The analysis shows approximately 99% precision and recall to detect known vulnerabilities in the National Institute of Standards and Technology (NIST) Software Assurance Metrics and Tool Evaluation (SAMATE) project. Furthermore, 72% percent of the historical vulnerabilities in the OpenSSL testing environment were detected using a linear support vector classifier (SVC) model.
7
Backman, Lars. "Why is security still an issue? : A study comparing developers’ software security awareness to existing vulnerabilities in software applications." Thesis, Linköpings universitet, Programvara och system, 2018. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-153438.
Full textAbstract:
The need for secure web applications grows ever stronger the more sensitive, personal data makes its’ way onto the Internet. During the last decade, hackers have stolen enormous amounts of data from high profile companies and social institutions. In this paper, we answer the question of why security breaches still occur; Why do programmers write vulnerable code? To answer this question, we conducted a case study on a smaller software development company. By performing penetration tests, surveys and interviews we successfully identified several weaknesses in their product and their way of working, that could lead to security breaches in their application. We also conducted a security awareness assessment and found multiple contributing factors to why these weaknesses occur. Insufficient knowledge, misplaced trust, and inadequate testing policies are some of the reasons why these vulnerabilities appeared in the studied application.
8
Ur-Rehman, Wasi. "Maintaining Web Applications Integrity Running on RADIUM." Thesis, University of North Texas, 2015. https://digital.library.unt.edu/ark:/67531/metadc804975/.
Full textAbstract:
Computer security attacks take place due to the presence of vulnerabilities and bugs in software applications. Bugs and vulnerabilities are the result of weak software architecture and lack of standard software development practices. Despite the fact that software companies are investing millions of dollars in the research and development of software designs security risks are still at large. In some cases software applications are found to carry vulnerabilities for many years before being identified. A recent such example is the popular Heart Bleed Bug in the Open SSL/TSL. In today’s world, where new software application are continuously being developed for a varied community of users; it’s highly unlikely to have software applications running without flaws. Attackers on computer system securities exploit these vulnerabilities and bugs and cause threat to privacy without leaving any trace. The most critical vulnerabilities are those which are related to the integrity of the software applications. Because integrity is directly linked to the credibility of software application and data it contains. Here I am giving solution of maintaining web applications integrity running on RADIUM by using daikon. Daikon generates invariants, these invariants are used to maintain the integrity of the web application and also check the correct behavior of web application at run time on RADIUM architecture in case of any attack or malware. I used data invariants and program flow invariants in my solution to maintain the integrity of web-application against such attack or malware. I check the behavior of my proposed invariants at run-time using Lib-VMI/Volatility memory introspection tool. This is a novel approach and proof of concept toward maintaining web application integrity on RADIUM.
9
Chan, Ping-fai, and 陳秉暉. "Data flow and heap analysis with application to privilege escalation vulnerability scanning and software theft detection." Thesis, The University of Hong Kong (Pokfulam, Hong Kong), 2013. http://hub.hku.hk/bib/B50899569.
Full textAbstract:
Static and dynamic program analysis techniques are important research areas in software security. Static analysis helps us locate vulnerabilities in a software by looking at the source code. Dynamic analysis helps us reason about the behavior of the software from information gathered at run-time. In this thesis, we are focusing on data flow analysis and heap analysis which are key static and dynamic program analysis techniques respectively.
In the first part of this thesis, we aim at detecting vulnerabilities in Android applications which have capability leaks. The security of the Android platform relies mainly on sandboxing applications and restricting their capabilities such that no application, by default, can perform any operations that would adversely impact other applications, the operating system, or the user. However, a recent research reported that a genuine but vulnerable application may leak its capabilities. When being leveraged, other applications can gain extra capabilities which they are not granted originally. We present DroidChecker, an Android application analyzing tool which searches for the aforementioned vulnerability in Android applications. DroidChecker uses interprocedural control flow graph searching and static taint checking to detect exploitable data paths in an Android application. We analyzed more than 1100 Android applications using DroidChecker and found 6 previously unknown vulnerable applications including the renowned Adobe Photoshop Express application. We also developed a malicious application that exploits the previously unknown vulnerability found in the Adobe Photoshop Express application. We showed that the malicious application, which is not granted any permissions, can access contacts on the phone with just a few lines of code.
In the second part of this thesis, we explore the use of heap analysis to extract software birthmarks. There are techniques like code obfuscation and watermarking which can make the source code of a program difficult to understand by humans and prove the ownership of the program. However, code obfuscation cannot avoid the source code being copied and a watermark can be defaced. A birthmark is a group of unique characteristics a program possesses that can be used to identify the program. We propose two novel dynamic birthmark systems based on the run-time heap. A dynamic birthmark is one that is extracted when the program is executing. Since it is based on the run-time behavior of the program, semantics-preserving transformations of the code like obfuscation cannot defeat dynamic birthmarks. In this regard, dynamic birthmarks are more robust compared with static birthmarks.
To the best of our knowledge, these are the first birthmark systems using heap analysis as the underlying technique. The basic idea is to take snapshots of the heap while the program is running. From the snapshots, heap graphs are constructed to model the referencing structure between objects. After going through some filtering and referencing processes, they become the birthmarks. The two birthmark systems have been devised to extract birthmarks for Java programs and JavaScript programs respectively. While the underlying ideas of the two birthmark systems are similar, the differences in nature of the two programming languages led to different implementation designs.published_or_final_version
Computer Science
Doctoral
Doctor of Philosophy
10
Shaffer, Alan B. "An application of Alloy to static analysis for secure information flow and verification of software systems." Monterey, Calif. : Naval Postgraduate School, 2008. http://edocs.nps.edu/npspubs/scholarly/dissert/2008/Dec/08Dec%5FShaffer_PhD.pdf.
Full textAbstract:
Dissertation (Ph.D. in Computer Science)--Naval Postgraduate School, December 2008.Dissertation Supervisor: Auguston, Mikhail. "December 2008." Description based on title screen as viewed on January 29, 2009. Includes bibliographical references (p. 87-93). Also available in print.
11
Konstantaras, Dimitrios, and Mustafa Tahir. "Securing Network Connected Applications with Proposed Security Models." Thesis, Växjö University, School of Mathematics and Systems Engineering, 2008. http://urn.kb.se/resolve?urn=urn:nbn:se:vxu:diva-2022.
Full textAbstract:
In today’s society, serious organizations need protection against both internal and external attacks. There are many different technologies available that organizations can incorporate into their organization in order to enhance security for their networking applications. Unfortunately, security is way to often considered as an afterthought and therefore implemented as an external part of the applications. This is usually performed by introducing general security models and technologies.
However, an already developed, well structured and considered security approach – with proper implementation of security services and mechanisms – different security models can be used to apply security
within the security perimeter of an organization. It can range from built into the application to the edge of a private network, e.g. an appliance. No matter the choice, the involved people must possess security expertise to deploy the proposed security models in this paper, that have the soul purpose to secure applications.
By using the Recommendation X.800 as a comparison framework, the proposed models will be analyzed in detail and evaluated of how they provide the security services concerned in X.800. By reasoning about what security services that ought to be implemented in order to prevent or detect diverse security attacks, the organization needs to carry out a security plan and have a common understanding of the defined security policies.
An interesting finding during our work was that, using a methodology that leads to low KLOC-values results in high security, though low KLOC-values and high security go hand-in-hand.
12
Kalibjian, Jeffrey R. "APPLICATION OF INTRUSION DETECTION SOFTWARE TO PROTECT TELEMETRY DATA IN OPEN NETWORKED COMPUTER ENVIRONMENTS." International Foundation for Telemetering, 2000. http://hdl.handle.net/10150/606817.
Full textAbstract:
International Telemetering Conference Proceedings / October 23-26, 2000 / Town & Country Hotel and Conference Center, San Diego, CaliforniaOver the past few years models for Internet based sharing and selling of telemetry data have been presented [1] [2] [3] at ITC conferences. A key element of these sharing/selling architectures was security. This element was needed to insure that information was not compromised while in transit or to insure particular parties had a legitimate right to access the telemetry data. While the software managing the telemetry data needs to be security conscious, the networked computer hosting the telemetry data to be shared or sold also needs to be resistant to compromise. Intrusion Detection Systems (IDS) may be used to help identify and protect computers from malicious attacks in which data can be compromised.
13
Hecker, Martin [Verfasser], and G. [Akademischer Betreuer] Snelting. "Timing Sensitive Dependency Analysis and its Application to Software Security / Martin Hecker ; Betreuer: G. Snelting." Karlsruhe : KIT-Bibliothek, 2020. http://d-nb.info/1218599766/34.
Full text
14
Tseng, Yuchia. "Securing network applications in software defined networking." Electronic Thesis or Diss., Sorbonne Paris Cité, 2018. http://www.theses.fr/2018USPCB036.
Full textAbstract:
Suite à l'introduction de divers services Internet, les réseaux informatiques ont été reconnus comme ayant joué un rôle essentiel dans la vie moderne au cours du dernier demi-siècle. Le développement rapide et la convergence des technologies informatiques et de communication créent le besoin de connecter divers périphériques avec différents systèmes d'exploitation et protocoles. Il en résulte de nombreux défis pour fournir une intégration transparente d'une grande quantité de dispositifs physiques ou d'entités hétérogènes. Ainsi, les réseaux définis par logiciel (Software Defined Networks, SDN) en tant que paradigme émergent ont le potentiel de révolutionner la gestion des réseaux en centralisant le contrôle et la visibilité globale sur l'ensemble du réseau. Cependant, les problèmes de sécurité demeurent une préoccupation importante et empêchent l'adoption généralisée du SDN. Pour identifier les menaces, nous avons effectué une analyse en 3 dimensions pour évaluer la sécurité de SDN. Dans cette analyse, nous avons repris 9 principes de sécurité pour le contrôleur SDN et vérifié la sécurité des contrôleurs SDN actuels avec ces principes. Nous avons constaté que les contrôleurs SDN, ONOS et OpenContrail sont relativement plus sécurisés que les autres selon notre méthodologie d'analyse. Nous avons également trouvé le besoin urgent d'atténuer le problème d'injection d'applications malveillantes. Par conséquent, nous avons proposé une couche d'amélioration de la sécurité (Security-enhancing layer, couche SE) pour protéger l'interaction entre le plan de contrôle et le plan d’application. Cette couche SE est indépendante du contrôleur et peut fonctionner avec OpenDaylight, ONOS, Floodlight, Ryu et POX, avec une faible complexité de déploiement. Aucune modification de leurs codes sources n'est requise dans leur mise en œuvre alors que la sécurité globale du contrôleur SDN est améliorée. Le prototype I, Controller SEPA, protège le contrôleur SDN avec l'authentification de l'application réseau, l'autorisation, l'isolation des applications et le blindage de l'information avec un coût additionnel négligeable de moins de 0,1% à 0,3%. Nous avons développé le prototype II de la couche SE, appelé Controller DAC, qui rend dynamique le contrôle d'accès. Le controller DAC peut détecter l'utilisation abusive de l'API en comptabilisant les opérations de l'application réseau avec un coût additionnel inférieure à 0,5%. Grâce à cette couche SE, la sécurité globale du contrôleur SDN est améliorée mais avec un coût additionnel inférieure à 0,5%. De plus, nous avons tenté de fournir un framework de déploiement d'application réseau sécurisé pour le contrôleur SDN avec un orchestrateur. Tout d'abord, nous avons sécurisé le contrôleur SDN en utilisant la file d'attente de messages pour remplacer les interfaces populaires actuelles, y compris les RESTful APIs et les APIs internes, à l'aide d'une interface orientée événement décomposable. Avec cette nouvelle interface northbound, l'orchestrateur peut déployer les applications réseau dans le bac à sable(sanbox) avec contrôle des ressources et contrôle d'accès. Cette approche peut efficacement protéger contre les menaces, qui incluent les attaques d'épuisement des ressources (Resource exhaustion attacks) et le traitement des données sur le contrôleur SDN actuel. Nous avons également implémenté une application réseau déployée par l'orchestrateur pour détecter une attaque spécifique à OpenFlow, appelée attaque par contournement de priorité, pour évaluer l'utilité de l'interface norttbound. À long terme, le temps de traitement d'un message packet_in dans cette interface est inférieur à cinq millisecondes mais l'application réseau peut être complètement découplée et isolée du contrôleur SDN.The rapid development and convergence of computing technologies and communications create the need to connect diverse devices with different operating systems and protocols. This resulted in numerous challenges to provide seamless integration of a large amount of heterogeneous physical devices or entities. Hence, Software-defined Networks (SDN), as an emerging paradigm, has the potential to revolutionize the legacy network management and accelerate the network innovation by centralizing the control and visibility over the network. However, security issues remain a significant concern and impede SDN from being widely adopted.To identity the threats that inherent to SDN, we conducted a deep analysis in 3 dimensions to evaluate the security of the proposed architecture. In this analysis, we summarized 9security principles for the SDN controller and checked the security of the current well-known SDN controllers with those principles. We found that the SDN controllers, namely ONOS and OpenContrail, are relatively two more secure controllers according to our conducted methodology. We also found the urgent need to integrate the mechanisms such as connection verification, application-based access control, and data-to-control traffic control for securely implementing a SDN controller. In this thesis, we focus on the app-to-control threats, which could be partially mitigated by the application-based access control. As the malicious network application can be injected to the SDN controller through external APIs, i.e., RESTful APIs, or internal APIs, including OSGi bundles, Java APIs, Python APIs etc. In this thesis, we discuss how to protect the SDN controller against the malicious operations caused by the network application injection both through the external APIs and the internal APIs. We proposed a security-enhancing layer (SE-layer) to protect the interaction between the control plane and the application plane in an efficient way with the fine-grained access control, especially hardening the SDN controller against the attacks from the external APIs. This SE-layer is implemented in the RESTful-based northbound interfaces in the SDN controller and hence it is controller-independent for working with most popular controllers, such as OpenDaylight, ONOS, Floodlight, Ryu and POX, with low deployment complexity. No modifications of the source codes are required in their implementations while the overall security of the SDN controller is enhanced. Our developed prototype I, Controller SEPA, protects well the SDN controller with network application authentication, authorization, application isolation, and information shielding with negligible latency from less than 0.1% to 0.3% for protecting SDN controller against the attacks via external APIs, i.e, RESTful APIs. We developed also the SE-layer prototype II, called Controller DAC, which makes dynamic the access control. Controller DAC can detect the API abuse from the external APIs by accounting the network application operation with latency less than 0.5%. Thanks to this SE-layer, the overall security of the SDN controller is improved but with a latency of less than 0.5%. However, the SE-layer can isolate the network application to communicate the controller only through the RESTful APIs. However, the RESTful APIs is insufficient in the use cases which needs the real-time service to deliver the OpenFlow messages. Therefore, we proposed a security-enhancing architecture for securing the network application deployment through the internal APIs in SDN, with a new SDN architecture dubbed SENAD. In SENAD, we split the SDN controller in: (1) a data plane controller (DPC), and (2) an application plane controller (APC) and adopt the message bus system as the northbound interface instead of the RESTful APIs for providing the service to deliver the OpenFlow messages in real-time. (...)
15
Frazier, Edward Snead. "Assessing Security Vulnerabilities: An Application of Partial and End-Game Verification and Validation." Thesis, Virginia Tech, 2010. http://hdl.handle.net/10919/31849.
Full textAbstract:
Modern software applications are becoming increasingly complex, prompting a need for expandable software security assessment tools. Violable constraints/assumptions presented by Bazaz [1] are expandable and can be modified to fit the changing landscape of software systems. Partial and End-Game Verification, Validation, and Testing (VV&T) strategies utilize the violable constraints/assumptions and are established by this research as viable software security assessment tools.
The application of Partial VV&T to the Horticulture Club Sales Assistant is documented in this work. Development artifacts relevant to Partial VV&T review are identified. Each artifact is reviewed for the presence of constraints/assumptions by translating the constraints/assumptions to target the specific artifact and software system. A constraint/assumption review table and accompanying status nomenclature are presented that support the application of Partial VV&T. Both the constraint/assumption review table and status nomenclature are generic, allowing them to be used in applying Partial VV&T to any software system. Partial VV&T, using the constraint/assumption review table and associated status nomenclature, is able to effectively identify software vulnerabilities.
End-Game VV&T is also applied to the Horticulture Club Sales Assistant. Base test strategies presented by Bazaz [1] are refined to target system specific resources such as user input, database interaction, and network connections. Refined test strategies are used to detect violations of the constraints/assumptions within the Horticulture Club Sales Assistant. End-Game VV&T is able to identify violation of constraints/assumptions, indicating vulnerabilities within the Horticulture Club Sales Assistant. Addressing vulnerabilities identified by Partial and End-Game VV&T will enhance the overall security of a software system.Master of Science
16
Fießler, Andreas Christoph Kurt. "Hybrid Hardware/Software Architectures for Network Packet Processing in Security Applications." Doctoral thesis, Humboldt-Universität zu Berlin, 2019. http://dx.doi.org/10.18452/20023.
Full textAbstract:
Die Menge an in Computernetzwerken verarbeiteten Daten steigt stetig, was Netzwerkgeräte wie Switches, Bridges, Router und Firewalls vor Herausfordungen stellt.
Die Performance der verbreiteten, CPU/softwarebasierten Ansätze für die Implementierung dieser Aufgaben ist durch den inhärenten Overhead in der sequentiellen Datenverarbeitung limitiert, weshalb solche Funktionalitäten vermehrt auf dedizierten Hardwarebausteinen realisiert werden.
Diese bieten eine schnelle, parallele Verarbeitung mit niedriger Latenz, sind allerdings aufwendiger in der Entwicklung und weniger flexibel.
Nicht jede Anwendung kann zudem für parallele Verarbeitung optimiert werden.
Diese Arbeit befasst sich mit hybriden Ansätzen, um eine bessere Ausnutzung der jeweiligen Stärken von Soft- und Hardwaresystemen zu ermöglichen, mit Schwerpunkt auf der Paketklassifikation.
Es wird eine Firewall realisiert, die sowohl Flexibilität und Analysetiefe einer Software-Firewall als auch Durchsatz und Latenz einer Hardware-Firewall erreicht.
Der Ansatz wird auf einem Standard-Rechnersystem, welches für die Hardware-Klassifikation mit einem rekonfigurierbaren Logikbaustein (FPGA) ergänzt wird, evaluiert.
Eine wesentliche Herausforderung einer hybriden Firewall ist die Identifikation von Abhängigkeiten im Regelsatz.
Es werden Ansätze vorgestellt, welche den redundanten Klassifikationsaufwand auf ein Minimum reduzieren, wie etwa die Wiederverwendung von Teilergebnissen der hybriden Klassifikatoren oder eine exakte Abhängigkeitsanalyse mittels Header Space Analysis.
Für weitere Problemstellungen im Bereich der hardwarebasierten Paketklassifikation, wie dynamisch konfigurierbare Filterungsschaltkreise und schnelle, sichere Hashfunktionen für Lookups, werden Machbarkeit und Optimierungen evaluiert.
Der hybride Ansatz wird im Weiteren auf ein System mit einer SDN-Komponente statt einer FPGA-Erweiterung übertragen. Auch hiermit können signifikante Performancegewinne erreicht werden.Network devices like switches, bridges, routers, and firewalls are subject to a continuous development to keep up with ever-rising requirements. As the overhead of software network processing already became the performance-limiting factor for a variety of applications, also former software functions are shifted towards dedicated network processing hardware. Although such application-specific circuits allow fast, parallel, and low latency processing, they require expensive and time-consuming development with minimal possibilities for adaptions. Security can also be a major concern, as these circuits are virtually a black box for the user. Moreover, the highly parallel processing capabilities of specialized hardware are not necessarily an advantage for all kinds of tasks in network processing, where sometimes a classical CPU is better suited. This work introduces and evaluates concepts for building hybrid hardware-software-systems that exploit the advantages of both hardware and software approaches in order to achieve performant, flexible, and versatile network processing and packet classification systems. The approaches are evaluated on standard software systems, extended by a programmable hardware circuit (FPGA) to provide full control and flexibility. One key achievement of this work is the identification and mitigation of challenges inherent when a hybrid combination of multiple packet classification circuits with different characteristics is used. We introduce approaches to reduce redundant classification effort to a minimum, like re-usage of intermediate classification results and determination of dependencies by header space analysis. In addition, for some further challenges in hardware based packet classification like filtering circuits with dynamic updates and fast hash functions for lookups, we describe feasibility and optimizations. At last, the hybrid approach is evaluated using a standard SDN switch instead of the FPGA accelerator to prove portability.
17
Gade, Praveen Kumar, and Manjit Osuri. "Evaluation of Multi Criteria Decision Making Methods for Potential Use in Application Security." Thesis, Blekinge Tekniska Högskola, Institutionen för kommunikationssystem, 2014. http://urn.kb.se/resolve?urn=urn:nbn:se:bth-3713.
Full textAbstract:
With an upsurge in number of available smart phones, tablet PCs etc. most users find it easy to access Internet services using mobile applications. It has been a challenging task for mobile application developers to choose suitable security types (types of authentication, authorization, security protocols, cryptographic algorithms etc.) for mobile applications. Choosing an inappropriate security type for a mobile application may lead to performance degradation and vulnerable issues in applications. The choice of the security type can be done by decision making. Decision making is a challenging task for humans. When choosing a single alternative among a set of alternatives with multiple criteria, it is hard to know which one is the better decision. Mobile application developers need to incorporate Multi-Criteria Decision Making (MCDM) Models to choose a suitable security type for mobile application. A decision model for application security enhances decision making for mobile application developers to decide and set the required security types for the application. In this thesis, we discuss different types of MCDM models that have been applied in an IT security area and scope of applying MCDM models in application security area. Literature review and evaluation of the selected decision models gives a detailed overview on how to use them to provide application security.The first chapter introduces the thesis work. The second chapter presents the background of decision making models, their process, and the classification of decision making models. The third chapter presents the research methodology we have used in different phases which aims to answer the research questions. The fourth chapter gives a detailed literature study of how decision models can be used in application security. The fifth chapter evaluates selected decision models. The sixth chapter concludes the thesis and presents future work.
18
Lieberman, Gary. "Securely Handling Inter-Application Connection Credentials." NSUWorks, 2012. http://nsuworks.nova.edu/gscis_etd/215.
Full textAbstract:
The utilization of application-to-application (A2A) credentials within interpretive language scripts and application code has long been a security risk. The quandaries being how to protect and secure the credentials handled in the main body of code and avoid exploitation from rogue programmers, system administrators and other users with
authorized high levels of privilege.
Researchers report that A2A credentials cannot be protected and that there is no way to reduce the risk of the inevitable successful attack and subsequent exploit. Therefore, research efforts to date have primarily been focused on mitigating the impact of the attack rather than finding ways to reduce the attack surface.
The work contained herein successfully addresses this serious cross-cutting concern and proves that it is in fact possible to significantly reduce the risk of attack. This reduction of risk was accomplished through implementing a method of credential obfuscation which applied advice with concerns utilizing a composition filter. The filter modified messages containing the credentials as they were sent from the interpretive language script to the remote data store.
The modification extracted credentials from a secure password vault and inserted them into the message being sent to the remote data store. This modification moved the handling of the credentials from the main body of code to a secure library and out of the reach of attackers with authorized high levels of privilege. The relocation of the credential handling code lines significantly reduced the attack surface and the overall risk of attack.
19
Schumacher, Markus. "Security engineering with patterns : origins, theoretical models, and new applications /." Berlin [u.a.] : Springer, 2003. http://www.loc.gov/catdir/enhancements/fy0813/2003058151-d.html.
Full text
20
Nguyen, Huy Manh. "MABIC: Mobile Application Builder for Interactive Communication." TopSCHOLAR®, 2016. http://digitalcommons.wku.edu/theses/1747.
Full textAbstract:
Nowadays, the web services and mobile technology advance to a whole new level. These technologies make the modern communication faster and more convenient than the traditional way. People can also easily share data, picture, image and video instantly. It also saves time and money. For example: sending an email or text message is cheaper and faster than a letter. Interactive communication allows the instant exchange of feedback and enables two-way communication between people and people, or people and computer. It increases the engagement of sender and receiver in communication.
Although many systems such as REDCap and Taverna are built for improving the interactive communication between the servers and clients, there are still common drawbacks existing in these systems. These systems lack the support of the branching logic and two-way communication. They also require administrator’s programming skills to function the system adequately. These issues are the motivation of the project. The goal is to build a framework to speed up the prototype development of mobile application. The MABIC support the complex workflow by providing conditional logic, instantaneous interactivity between the administrators and participants and the mobility. These supported features of MABIC improve the interaction because it engages the participants to communicate more with the system. MABIC system provides the mobile electronic communication via sending a text message or pushing a notification to mobile’s device. Moreover, MABIC application also supports multiple mobile platforms. It helps to reduce the time and cost of development. In this thesis, the overview of MABIC system, its implementation, and related application is described.
21
Leao, Ruth Pastora Saraiva. "A study of automatic contingency selection algorithms for steady-state security assessment of power systems and the application of parallel processing." Thesis, Loughborough University, 1995. https://dspace.lboro.ac.uk/2134/32911.
Full textAbstract:
The performance of various Contingency Selection methods has been investigated within the framework of accuracy for application to steady-state power system security assessment and suitability for execution in a real-time environment. In the study the following requirements have been considered: (a) Effectiveness: in identifying contingencies which may cause limit violations and discarding all others; (b) Adaptability: to model both permanent and temporary changes in the system; (c) Flexibility: to model any number and type of contingencies; (d) Computational efficiency: in terms of speed in selecting the sub-set of contingencies as well as in terms of storage requirements; (e) Ability: to update and augment on-line the list of contingencies given the actual system operating data.
22
Colombo, Regina Maria Thienne. "Proposta de uma metodologia de medição e priorização de segurança de acesso para aplicações WEB." Universidade de São Paulo, 2014. http://www.teses.usp.br/teses/disponiveis/3/3136/tde-23122014-142055/.
Full textAbstract:
Em um mundo tecnológico e globalmente interconectado, em que indivíduos e organizações executam transações na web com frequência, a questão da segurança de software é imprescindível, ela é necessária em diversos nichos: segurança das redes de computadores, dos computadores e dos softwares. A implantação de um sistema de segurança que abrange todos os aspectos é extensa e complexa, ao mesmo tempo em que a exploração de vulnerabilidades e ataques é exponencialmente crescente. Por causa da natureza do software e de sua disponibilidade na web, a garantia de segurança nunca será total, porém é possível planejar, implementar, medir e avaliar o sistema de segurança e finalmente melhorá-la. Atualmente, o conhecimento específico em segurança é detalhado e fragmentado em seus diversos nichos, a visão entre os especialistas de segurança é sempre muito ligada ao ambiente interno da computação. A medição de atributos de segurança é um meio de conhecer e acompanhar o estado da segurança de um software. Esta pesquisa tem como objetivo apresentar uma abordagem top-down para medição da segurança de acesso de aplicações web. A partir de um conjunto de propriedades de segurança reconhecidas mundialmente, porém propriedades estas intangíveis, é proposta uma metodologia de medição e priorização de atributos de segurança para conhecer o nível de segurança de aplicações web e tomar as ações necessárias para sua melhoria. Define-se um modelo de referência para segurança de acesso e o método processo de análise hierárquica apoia a obtenção de atributos mensuráveis e visualização do estado da segurança de acesso de uma aplicação web.In a technological world and globally interconnected, in which individuals and organizations perform transactions on the web often, the issue of software security is essential, it is needed in several niches: security of computer networks, computers and software. The implementation of a security system that covers all aspects is extensive and complex, while the exploitation of vulnerabilities and attacks are increasing exponentially. Because of the nature of software and its availability on the web, ensure security will never be complete, but it is possible to plan, implement, measure and evaluate the security system and ultimately improve it. Currently, the specific knowledge in security is detailed and fragmented into its various niches; the view among security experts is always connected to the internal environment of computing. The measurement of security attributes is a way to know and monitor the state of software security. This research aims to present a top-down approach for measuring the access security of web applications. From a set of security properties globally recognized, however these intangible properties, I propose a measurement methodology and prioritization of security attributes to meet the security level of web applications and take necessary actions for improvement. It is defined a reference model for access security and a method of analytic hierarchy process to support the achievement of measurable attributes and status of the access security of a web application.
23
Holmberg, Daniel, and Victor Nyberg. "Functional and Security Testing of a Mobile Client-Server Application." Thesis, Linköpings universitet, Institutionen för datavetenskap, 2018. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-148710.
Full textAbstract:
Today’s massive usage of smartphones has put a high demand on all application developers in the matter of security. For us to be able to keep using all existing and new applications, a process that removes significant security vulnerabilities is essential. To remove these vulnerabilities, the applications have to be tested. In this thesis, we identify six methods for functional and security testing of client-server applications running Android and Python Flask. Regarding functional testing, we implement Espresso testing and RESTful API testing. In regards to the security testing of the system, we do not only implement fuzz testing, sniffing, reverse engineering and SQL injection testing on a system developed by a student group in a parallel project, but also discover a significant security vulnerability that directly affects the integrity and reliability of this system. Out of the six identified testing techniques, reverse engineering exposed the vulnerability. In conjunction with this, we verified that the system’s functionality works as it is supposed to.
24
Monteiro, Valter. "How intrusion detection can improve software decoy applications." Thesis, Monterey, Calif. : Springfield, Va. : Naval Postgraduate School ; Available from National Technical Information Service, 2003. http://library.nps.navy.mil/uhtbin/hyperion-image/03Mar%5FMonteiro.pdf.
Full text
25
Mahadevan, Karthikeyan. "Estimating reliability impact of biometric devices in large scale applications." Morgantown, W. Va. : [West Virginia University Libraries], 2003. http://etd.wvu.edu/templates/showETD.cfm?recnum=3096.
Full textAbstract:
Thesis (M.S.)--West Virginia University, 2003.Title from document title page. Document formatted into pages; contains vii, 66 p. : ill. (some col.). Vita. Includes abstract. Includes bibliographical references (p. 62-64).
26
Chen, Tang-Li. "Designing secure, JAVA based online registration systems to meet peak load performance targets." CSUSB ScholarWorks, 2004. https://scholarworks.lib.csusb.edu/etd-project/2767.
Full textAbstract:
This project "Designing Secure, Java Based Online Registration Systems to Meet Peak Load Performance Targets" is a simulation of a Web-based exposition management system plus a performance testing procedure to examine this web application.
27
Třeštíková, Lenka. "Bezpečnostní metriky platformy SAP." Master's thesis, Vysoké učení technické v Brně. Fakulta informačních technologií, 2017. http://www.nusl.cz/ntk/nusl-363799.
Full textAbstract:
Main goal of this thesis is analyzing potential security risks of the SAP NetWeaver platform and identifying various vulnerabilities, that are results of poor system configuration, incorrect segregation of duties or insufficient patch management. Methodology for platform evaluation is defined by vulnerabilities, security requirements and controls will be created.
28
Lundberg, Axel, and Lukas Jidell. "Utveckling av en krypterad chattapplikation : Analysering av användarbehov och säkerhet." Thesis, Mittuniversitetet, Institutionen för informationssystem och –teknologi, 2020. http://urn.kb.se/resolve?urn=urn:nbn:se:miun:diva-39357.
Full textAbstract:
Today, it appears that information leaks and security breaches are common occurrences. The authors of this project consider security and privacy to be a very vital part regarding technical concepts, something that is being looked past way too much. The authors have in earlier courses during their studies at Mid Sweden University taken part of studies that shows that the average users want to protect their information, but at the same time, has trouble understanding how products handle said information. This led the authors of this report to develop an encrypted application with a user's privacy and ease of understanding in mind. The user should understand that their information is safe and why it is safe. The purpose of the project was to build a chat application with security of sent messages, minimal data collection and ease of use as top priorities. The goals of the project include together with the principles mentioned earlier that users with an interest should have security information easily available, messages should be cryptographically secure and that replacement of a user’s keys should be an easy process. During the project two iterations of user tests were done to ensure that the application was as easy to use as possible. The results of these tests are used to get insight into users' understanding and interest in information related to message encryption. The results are also used to reach a conclusion to whether the goals of the project have been reached. The results of the user tests point to users not caring a lot about the availability of information about used encryption methods, however the users that had an interest for this found the available information relatively easy to understand. After changes based on the feedback from the first iteration of user tests, most users found the application easy to use and intuitive. To compare security of sent messages comparisons are done with leading applications in encrypted communication, these applications include WhatsApp, Viber and Facebook Messenger.Idag tycks informationsläckor i olika former ske frekvent med jämna mellanrum. Författarna av detta projekt anser att integritet och säkerhet är två väldigt vitala koncept inom tekniska sammanhang, något som tummas på allt för mycket. Författarna har under tidigare utbildning på Mittuniversitetet tagit del av undersökningar som pekar på att den genomsnittliga användaren vill skydda sin information, men samtidigt, har svårigheter att förstå hur produkterna hanterar nämnd formation. Därför ville författarna utveckla en krypterad tjänst som samtidigt värnar om användarens integritet. Användaren skall förstå att dennes information är i säkra händer, användarens händer. Projektet gick ut på att bygga en chattapplikation med säkerhet av skickade meddelanden, minimalt insamlande av data från användare och användarvänlighet som högsta prioriteter. Projektets mål inkluderar att intresserade användare ska ha säkerhetsinformation tillgänglig, att applikationen ska vara lättanvänd, meddelanden ska vara kryptografiskt säkra och ersättning av en användares nycklar ska vara en simpel process. Under projektets gång gjordes två iterationer av användartester för att se till att applikationen är så användarvänlig som möjligt. Resultaten av användartesterna pekar på att många användare inte är intresserade av att ha tillgänglig information om kryptering men att de användare som hade ett intresse för detta fann den tillgängliga informationen relativt lätt att förstå. Efter ändringar från första iterationen av användartester så fann majoriteten av användare applikationen intuitiv. För att jämföra säkerheten av skickade meddelanden så görs säkerhetsjämförelser med ledande applikationer inom krypterad kommunikation, dessa applikationer inkluderar WhatsApp, Viber och Facebook Messenger.
29
Kaiser, Edward Leo. "Addressing Automated Adversaries of Network Applications." PDXScholar, 2010. https://pdxscholar.library.pdx.edu/open_access_etds/4.
Full textAbstract:
The Internet supports a perpetually evolving patchwork of network services and applications. Popular applications include the World Wide Web, online commerce, online banking, email, instant messaging, multimedia streaming, and online video games. Practically all networked applications have a common objective: to directly or indirectly process requests generated by humans. Some users employ automation to establish an unfair advantage over non-automated users. The perceived and substantive damages that automated, adversarial users inflict on an application degrade its enjoyment and usability by legitimate users, and result in reputation and revenue loss for the application's service provider. This dissertation examines three challenges critical to addressing the undesirable automation of networked applications. The first challenge explores individual methods that detect various automated behaviors. Detection methods range from observing unusual network-level request traffic to sensing anomalous client operation at the application-level. Since many detection methods are not individually conclusive, the second challenge investigates how to combine detection methods to accurately identify automated adversaries. The third challenge considers how to leverage the available knowledge to disincentivize adversary automation by nullifying their advantage over legitimate users. The thesis of this dissertation is that: there exist methods to detect automated behaviors with which an application's service provider can identify and then systematically disincentivize automated adversaries. This dissertation evaluates this thesis using research performed on two network applications that have different access to the client software: Web-based services and multiplayer online games.
30
Irwin, Barry Vivian William. "A framework for the application of network telescope sensors in a global IP network." Thesis, Rhodes University, 2011. http://hdl.handle.net/10962/d1004835.
Full textAbstract:
The use of Network Telescope systems has become increasingly popular amongst security researchers in recent years. This study provides a framework for the utilisation of this data. The research is based on a primary dataset of 40 million events spanning 50 months collected using a small (/24) passive network telescope located in African IP space. This research presents a number of differing ways in which the data can be analysed ranging from low level protocol based analysis to higher level analysis at the geopolitical and network topology level. Anomalous traffic and illustrative anecdotes are explored in detail and highlighted. A discussion relating to bogon traffic observed is also presented. Two novel visualisation tools are presented, which were developed to aid in the analysis of large network telescope datasets. The first is a three-dimensional visualisation tool which allows for live, near-realtime analysis, and the second is a two-dimensional fractal based plotting scheme which allows for plots of the entire IPv4 address space to be produced, and manipulated. Using the techniques and tools developed for the analysis of this dataset, a detailed analysis of traffic recorded as destined for port 445/tcp is presented. This includes the evaluation of traffic surrounding the outbreak of the Conficker worm in November 2008. A number of metrics relating to the description and quantification of network telescope configuration and the resultant traffic captures are described, the use of which it is hoped will facilitate greater and easier collaboration among researchers utilising this network security technology. The research concludes with suggestions relating to other applications of the data and intelligence that can be extracted from network telescopes, and their use as part of an organisation’s integrated network security systems
31
Atkison, Travis Levestis. "Using random projections for dimensionality reduction in identifying rogue applications." Diss., Mississippi State : Mississippi State University, 2009. http://library.msstate.edu/etd/show.asp?etd=etd-04032009-133701.
Full text
32
Aryal, Dhiraj, and Anup Shakya. "A Taxonomy of SQL Injection Defense Techniques." Thesis, Blekinge Tekniska Högskola, Sektionen för datavetenskap och kommunikation, 2011. http://urn.kb.se/resolve?urn=urn:nbn:se:bth-3076.
Full textAbstract:
Context: SQL injection attack (SQLIA) poses a serious defense threat to web applications by allowing attackers to gain unhindered access to the underlying databases containing potentially sensitive information. A lot of methods and techniques have been proposed by different researchers and practitioners to mitigate SQL injection problem. However, deploying those methods and techniques without a clear understanding can induce a false sense of security. Classification of such techniques would provide a great assistance to get rid of such false sense of security. Objectives: This paper is focused on classification of such techniques by building taxonomy of SQL injection defense techniques. Methods: Systematic literature review (SLR) is conducted using five reputed and familiar e-databases; IEEE, ACM, Engineering Village (Inspec/Compendex), ISI web of science and Scopus. Results: 61 defense techniques are found and based on these techniques, a taxonomy of SQL injection defense techniques is built. Our taxonomy consists of various dimensions which can be grouped under two higher order terms; detection method and evaluation criteria. Conclusion: The taxonomy provides a basis for comparison among different defense techniques. Organization(s) can use our taxonomy to choose suitable owns depending on their available resources and environments. Moreover, this classification can lead towards a number of future research directions in the field of SQL injection.0760880470, 0700183408
33
Singaravelu, Lenin. "End-to-End Security of Information Flow in Web-based Applications." Diss., Georgia Institute of Technology, 2007. http://hdl.handle.net/1853/16142.
Full textAbstract:
Web-based applications and services are increasingly being used in security-sensitive tasks. Current security protocols rely on two crucial assumptions to protect the confidentiality and integrity of information: First, they assume that end-point software used to handle security-sensitive information is free from vulnerabilities. Secondly, these protocols assume point-to-point communication between a client and a service provider. However, these assumptions do not hold true with large and complex vulnerable end point software such as the Internet browser or web services middleware or in web service compositions where there can be multiple value-adding service providers interposed between a client and the original service provider.
To address the problem of large and complex end-point software, we present the AppCore approach which uses manual analysis of information flow, as opposed to purely automated approaches, to split existing software into two parts: a simplified trusted part that handles security-sensitive information and a legacy, untrusted part that handles non-sensitive information without access to sensitive information. Not only does this approach avoid many common and well-known vulnerabilities in the legacy software that compromised sensitive information, it also greatly reduces the size and complexity of the trusted code, thereby making exhaustive testing or formal analysis more feasible. We demonstrate the feasibility of the AppCore approach by constructing AppCores for two real-world applications: a client-side AppCore for https-based applications and an AppCore for web service platforms. Our evaluation shows that security improvements and complexity reductions (over a factor of five) can be attained with minimal modifications to existing software (a few tens of lines of code, and proxy settings of a browser) and an acceptable performance overhead (a few percent).
To protect the communication of sensitive information between the clients and service providers in web service compositions, we present an end-to-end security framework called WS-FESec that provides end-to-end security properties even in the presence of misbehaving intermediate services. We show that WS-FESec is flexible enough to support the lattice model of secure information flow and it guarantees precise security properties for each component service at a modest cost of a few milliseconds per signature or encrypted field.
34
Holford, John William. "The concept of self-defending objects and the development of security aware applications." Thesis, Queensland University of Technology, 2006. https://eprints.qut.edu.au/16227/1/John_Holford_Thesis.pdf.
Full textAbstract:
The self-defending object (SDO) concept is an extension to the object-oriented programming paradigm, whereby those objects that encapsulate the protected resources of a security aware application (SAA), are made aware of, and responsible for, the defence of those resources. That defence takes two forms, the enforcement of mandatory access control on protected resources and the generation of the corresponding portion of the SAA's audit trail. The SDO concept acts as the philosophy that guides the application level mandatory access control within SAAs which ensures that the provided access control is both complete and non bypassable. Although SDOs accept responsibility for controlling access to the protected data and functionality that they encapsulate, an SDO delegates the responsibility for making authorisation decisions to an associated authorisation object. Thus, SDOs fulfill their access control obligations by initiating the authorisation check and then enforcing the decision made on their behalf. A simple, yet effective mechanism for enforcing that access control at the object level involves controlling the ability to invoke those SDO methods that access protected resources. In the absence of previous research on this approach to the enforcement of application level access control, the primary aim of this research was to demonstrate that the SDO concept is a viable paradigm for developing SAAs. That aim was achieved in two stages. The first stage targeted the provision of a 'proof of concept', that demonstrated that the SDO concept could be applied to the development of non-distributed SAAs. The second stage demonstrated its applicability to the development of distributed SAAs. In the second stage, two versions of a distributed prototype were developed, one based on a traditional (proprietary) distributed computing model, (Java RMI), and the second using the currently popular Web services model, to demonstrate the general applicability of the SDO concept. Having already demonstrated that the SDO concept could be applied to SAAs executing on a single machine, the major focus of that research was to devise a mechanism by which SDOs could be transferred between machines.
The research then concentrated on determining what impacts the adoption of the SDO concept would have on SAA development. Experimentation carried out using the distributed prototypes demonstrated that (1) the adoption of the SDO does not restrict the use of inheritance hierarchies that include SDOs, (2) the restriction of the lifetime of SDOs can be supported, (3) usage rights enforcement can be employed, and (4) the use of cryptographic techniques to provide additional security guarantees is not affected. A key feature of the SDO concept, is that no major changes need to be made to current development tools or methodologies, so its adoption is not hampered by significant financial or training impediments. This research demonstrated that the SDO concept is practical and constitutes a valuable extension to the object oriented paradigm that will help address the current lack of security in information systems. The SDO approach warrants additional research and adoption.
35
Holford, John William. "The concept of self-defending objects and the development of security aware applications." Queensland University of Technology, 2006. http://eprints.qut.edu.au/16227/.
Full textAbstract:
The self-defending object (SDO) concept is an extension to the object-oriented programming paradigm, whereby those objects that encapsulate the protected resources of a security aware application (SAA), are made aware of, and responsible for, the defence of those resources. That defence takes two forms, the enforcement of mandatory access control on protected resources and the generation of the corresponding portion of the SAA's audit trail. The SDO concept acts as the philosophy that guides the application level mandatory access control within SAAs which ensures that the provided access control is both complete and non bypassable. Although SDOs accept responsibility for controlling access to the protected data and functionality that they encapsulate, an SDO delegates the responsibility for making authorisation decisions to an associated authorisation object. Thus, SDOs fulfill their access control obligations by initiating the authorisation check and then enforcing the decision made on their behalf. A simple, yet effective mechanism for enforcing that access control at the object level involves controlling the ability to invoke those SDO methods that access protected resources. In the absence of previous research on this approach to the enforcement of application level access control, the primary aim of this research was to demonstrate that the SDO concept is a viable paradigm for developing SAAs. That aim was achieved in two stages. The first stage targeted the provision of a 'proof of concept', that demonstrated that the SDO concept could be applied to the development of non-distributed SAAs. The second stage demonstrated its applicability to the development of distributed SAAs. In the second stage, two versions of a distributed prototype were developed, one based on a traditional (proprietary) distributed computing model, (Java RMI), and the second using the currently popular Web services model, to demonstrate the general applicability of the SDO concept. Having already demonstrated that the SDO concept could be applied to SAAs executing on a single machine, the major focus of that research was to devise a mechanism by which SDOs could be transferred between machines. The research then concentrated on determining what impacts the adoption of the SDO concept would have on SAA development. Experimentation carried out using the distributed prototypes demonstrated that (1) the adoption of the SDO does not restrict the use of inheritance hierarchies that include SDOs, (2) the restriction of the lifetime of SDOs can be supported, (3) usage rights enforcement can be employed, and (4) the use of cryptographic techniques to provide additional security guarantees is not affected. A key feature of the SDO concept, is that no major changes need to be made to current development tools or methodologies, so its adoption is not hampered by significant financial or training impediments. This research demonstrated that the SDO concept is practical and constitutes a valuable extension to the object oriented paradigm that will help address the current lack of security in information systems. The SDO approach warrants additional research and adoption.
36
Schuster, Felix [Verfasser], Thorsten [Akademischer Betreuer] Holz, and Ahmad-Reza [Akademischer Betreuer] Sadeghi. "Securing application software in modern adversarial settings / Felix Schuster. Gutachter: Thorsten Holz ; Ahmad-Reza Sadeghi." Bochum : Ruhr-Universität Bochum, 2016. http://d-nb.info/1082425443/34.
Full text
37
Lunyov, Phillip. "Detecting changes in web applications." Thesis, Linnéuniversitetet, Institutionen för datavetenskap och medieteknik (DM), 2020. http://urn.kb.se/resolve?urn=urn:nbn:se:lnu:diva-97021.
Full textAbstract:
As the availability and popularity of the Internet continues to grow, the trend ofproviding global access to business resources and services online is an efficient andprofitable way for organizations to acquire a new share of the market. Due to the flexibilityand scalability of modern web technologies, web-based applications processand store personal or critical information in enormous amounts. Hence, the overallapplication’s functionality and secure data processing are the main key factors ofeach web application. For ensuring those key factors, the web page code must be regularlymonitored to retain the overall quality of the code. This project is devoted tochange identification and classification in modern web-based applications, based onthe comparison of two versions of web page code, acquired in different time periods.The foundation of the development is described as a detection algorithm in one of theacademic papers. The algorithm was supplemented by a more extensive classificationof changes that was originally proposed by the author. The result of the researchis a semi-automatic tool, developed in Python. The tool compares two versions ofthe web page code to find changes and classify those changes. The result of the tool’sexecution is a report file that contains statistics of the overall algorithm’s executionand type-clustered information about the detected changes between two versions ofthe web page code. The analysis of results showed that the implemented diff-toolprovides reliable results and allocates all types of possible changes in the web pagecodes, which are acknowledged by statistical analysis. The comparative analysis ofthe results of the developed diff-tool with the results of other similar technical solutionsrevealed serious shortcomings of other solutions, due to their data processingimplementation, classification of the changes and resulting report file.
38
Hu, Daning. "Analysis and Applications of Social Network Formation." Diss., The University of Arizona, 2009. http://hdl.handle.net/10150/145710.
Full textAbstract:
Nowadays people and organizations are more and more interconnected in the forms of social networks: the nodes are social entities and the links are various relationships among them. The social network theory and the methods of social network analysis (SNA) are being increasingly used to study such real-world networks in order to support knowledge management and decision making in organizations. However, most existing social network studies focus on the static topologies of networks. The dynamic network link formation process is largely ignored. This dissertation is devoted to study such dynamic network formation process to support knowledge management and decision making in networked environments. Three challenges remain to be addressed in modeling and analyzing the dynamic network link formation processes. The first challenge is about modeling the network topological changes using longitudinal network data. The second challenge is concerned with examining factors that influence formation of links among individuals in networks. The third challenge is regarding link prediction in evolving social networks. This dissertation presents four essays that address these challenges in various knowledge management domains. The first essay studies the topological changes of a major international terrorist network over a 14-year period. In addition, this paper used a simulation approach to examine this network's vulnerability to random failures, targeted attacks, and real world authorities' counterattacks. The second essay and third essay focuses on examining determinants that significantly influence the link formation processes in social networks. The second essay found that mutual acquaintance and vehicle affiliations facilitate future co-offending link formation in a real-world criminal network. The third essay found that homophily in programming language preference, and mutual are determinants for forming participation links in an online Open Source social network. The fourth essay focuses on the link prediction in evolving social networks. It proposes a novel infrastructure for describing and utilizing the discovered determinants of link formation process (i.e. semantics of social networks) in link prediction to support expert recommendation application in an Open Source developer community. It is found that the integrated mechanism outperforms either user-based or Top-N most recognized mechanism.
39
Jia, Hao. "A web application for Medasolution Healthcare Company customer service system." CSUSB ScholarWorks, 2005. https://scholarworks.lib.csusb.edu/etd-project/2612.
Full textAbstract:
Medasolution is a virtual company designed by the author to handle Medicare insurance business. The web application (which uses ASP.net and SQL Server 2000) facilitates communication between Medasolution and all its clients: members, employers, brokers, and medicare providers through separate web pages based on their category levels. The program incorporates security so that it follows government privacy rules regarding client information.
40
Armstrong, Janell. "State of Secure Application Development for 802.15.4." BYU ScholarsArchive, 2009. https://scholarsarchive.byu.edu/etd/1776.
Full textAbstract:
A wireless sensor network consists of small, limited-resource embedded systems exchanging environment data and activating controls. These networks can be deployed in hostile environments to monitor wildlife habitats, implemented in factories to locate mobile equipment, and installed in home environments to optimize the use of utilities. Each of these scenarios requires network security to protect the network data. The IEEE 802.15.4 standard is designed for WSN communication, yet the standard states that it is not responsible for defining the initialization, distribution, updating, or management of network public keys. Individuals seeking to research security topics will find that there are many 802.15.4-compliant development hardware kits available to purchase. However, these kits are not easily compared to each other without first-hand experience. Further, not all available kits are suitable for research in WSN security. This thesis evaluates a broad spectrum of 802.15.4 development kits for security studies. Three promising kits are examined in detail: Crossbow MICAz, Freescale MC1321x, and the Sun SPOT. These kits are evaluated based on their hardware, software, development environment, additional libraries, additional tools, and cost. Recommendations are made to security researchers advising which kits to use depending on their design needs and priorities. Suggestions are made to each company on how to further improve their kits for security research.
41
Ndakunda, Shange-Ishiwa Tangeni. "A mobile toolkit and customised location server for the creation of cross-referencing location-based services." Thesis, Rhodes University, 2013. http://hdl.handle.net/10962/d1013604.
Full textAbstract:
Although there are several Software Development kits and Application Programming Interfaces for client-side location-based services development, they mostly involve the creation of self-referencing location-based services. Self-referencing location-based services include services such as geocoding, reverse geocoding, route management and navigation which focus on satisfying the location-based requirements of a single mobile device. There is a lack of open-source Software Development Kits for the development of client-side location-based services that are cross-referencing. Cross-referencing location-based services are designed for the sharing of location information amongst different entities on a given network. This project was undertaken to assemble, through incremental prototyping, a client-side Java Micro Edition location-based services Software Development Kit and a Mobicents location server to aid mobile network operators and developers alike in the quick creation of the transport and privacy protection of cross-referencing location-based applications on Session Initiation Protocol bearer networks. The privacy of the location information is protected using geolocation policies. Developers do not need to have an understanding of Session Initiation Protocol event signaling specifications or of the XML Configuration Access Protocol to use the tools that we put together. The developed tools are later consolidated using two sample applications, the friend-finder and child-tracker services. Developer guidelines are also provided, to aid in using the provided tools.
42
Fießler, Andreas Christoph Kurt [Verfasser], Björn [Gutachter] Scheuermann, Andrew W. [Gutachter] Moore, and Georg [Gutachter] Carle. "Hybrid Hardware/Software Architectures for Network Packet Processing in Security Applications / Andreas Christoph Kurt Fießler ; Gutachter: Björn Scheuermann, Andrew W. Moore, Georg Carle." Berlin : Humboldt-Universität zu Berlin, 2019. http://d-nb.info/1189213710/34.
Full text
43
Fießler, Andreas [Verfasser], Björn [Gutachter] Scheuermann, Andrew W. [Gutachter] Moore, and Georg [Gutachter] Carle. "Hybrid Hardware/Software Architectures for Network Packet Processing in Security Applications / Andreas Christoph Kurt Fießler ; Gutachter: Björn Scheuermann, Andrew W. Moore, Georg Carle." Berlin : Humboldt-Universität zu Berlin, 2019. http://d-nb.info/1189213710/34.
Full text
44
Regateiro, Diogo José Domingues. "A secure, distributed and dynamic RBAC for relational applications." Master's thesis, Universidade de Aveiro, 2014. http://hdl.handle.net/10773/14045.
Full textAbstract:
Mestrado em Engenharia de Computadores e TelemáticaNowadays, database application use tools like Java Database Connectivity, Hibernate or ADO.NET to access data stored in databases. These tools are designed to bring together the relational database and object-oriented programming paradigms, forsaking applied access control policies. Hence, the application developers must master the established policies as a means to develop software that is conformant with the established access control policies. Furthermore, there are situations where these policies can evolve dynamically. In these cases it becomes hard to adjust the access control mechanisms. This challenge has led to the development of an extension to the role based access control (RBAC) model where permissions are defined as a sequence of create, read, update and delete (CRUD) expressions that can be executed and the interfaces to access them. From these permissions it's possible to generate security artefacts on the client side, i.e. in a distributed manner, which allows the clients to access the stored data while satisfying the security policies defined. On top of this model extension, a security layer has also been created in order to make the access control secure and obligatory. For the RBAC model extension this work leverages a previous work that created a dynamic access control architecture for relational applications, here referred to as DACA (Dynamic Access Control Architecture). DACA uses business logic information and the defined access control policies to build dynamically the security artefacts for the applications. In situations where the access control policies can evolve dynamically, the security artefacts are adjusted automatically. This base work, however, defines as permissions CRUD expressions, which can be executed in any order, and needs an adequate security layer to authenticate users and protect the system form intruders. Hence, this work aims to create a new architecture, called “S-DRACA” (Secure, Dynamic and Distributed Role-based Access Control Architecture), which extends the work done with DACA so that it is capable of enforcing sequences of CRUD expressions that the applications can execute if the sequences are associated with their roles and the development of a security layer to make it secure. We discuss as well the performance of this system and its applicability to other environments outside of relational databases.
Atualmente, aplicações que acedem a bases de dados utilizam ferramentas como o Java Database Connectivity, Hibernate ou ADO.NET para aceder aos dados nelas armazenados. Estas ferramentas estão desenhadas para unir os paradigmas das bases de dados relacionais e da programação orientada a objetos, mas não estão preocupados com as políticas de controlo de acesso a aplicar. Portanto, os programadores de aplicações têm de dominar as políticas estabelecidas a fim de desenvolver aplicações em conformidade com as políticas de controlo de acesso estabelecidas.. Além disso, existem situações em que as políticas de controlo de acesso podem evoluir dinamicamente. Nestes casos, torna-se difícil adequar os mecanismos de controlo de acesso. Este desafio motivou o desenvolvimento de uma extensão ao modelo de controlo de acesso baseado em papeis (RBAC) que define como permissões sequências de expressões para criar, ler, atualizar e apagar (CRUD) informação e as interfaces de acesso a cada uma delas. A partir destas permissões podem ser gerados artefactos de segurança do lado dos clientes, i.e. de uma forma distribuída, que lhes permitem aceder à informação armazenada na base de dados segundo as políticas definidas. Por cima desta extenção também foi criada uma camada de segurança para tornar o controlo de acesso seguro e obrigatório. Para a extensão do modelo RBAC este trabalho baseou-se num trabalho anterior que criou uma arquitectura dinâmica de controlo de acesso para aplicações de bases de dados relacionais, aqui referida como DACA (Dynamic Access Control Architecture). DACA utiliza informação da lógica de negócio e as políticas de controlo de acesso que foram definidos para criar dinamicamente os artefactos de segurança para as aplicações. Em situações onde as políticas de controle de acesso evoluem de forma dinâmica, os artefactos de segurança são ajustados automaticamente. Este trabalho base, no entanto, define como permissões as expressões CRUD, podendo estas ser executadas em qualquer ordem, e necessita de uma camada de segurança adequada para autenticar utilizadores e proteger os dados sensíveis de intrusos. Portanto, neste trabalho, pretende-se criar uma nova arquitectura, chamada “S-DRACA” (Secure, Dynamic and Distributed Role-based Access Control Architecture), que estende o trabalho feito no âmbito do DACA para que este seja capaz de garantir que sejam cumpridas sequência de expressões CRUD que as aplicações podem executar e que estão associados aos seus papéis nas políticas RBAC e desenvolver uma camada de segurança adequada para a tornar segura. Discutimos, também, o seu desempenho e aplicabilidade em outros ambientes sem ser em bases de dados relacionais.
45
Thakur, Neha S. "Forensic Analysis of WhatsApp on Android Smartphones." ScholarWorks@UNO, 2013. http://scholarworks.uno.edu/td/1706.
Full textAbstract:
Android forensics has evolved over time offering significant opportunities and exciting challenges. On one hand, being an open source platform Android is giving developers the freedom to contribute to the rapid growth of the Android market whereas on the other hand Android users may not be aware of the security and privacy implications of installing these applications on their phones. Users may assume that a password-locked device protects their personal information, but applications may retain private information on devices, in ways that users might not anticipate. In this thesis we will be concentrating on one such application called 'WhatsApp', a popular social networking application. We will be forming an outline on how forensic investigators can extract useful information from WhatsApp and from similar applications installed on an Android platform. Our area of focus is extraction and analysis of application user data from non-volatile external storage and the volatile memory (RAM) of an Android device.
46
Dua, Akshay. "Trust-but-Verify: Guaranteeing the Integrity of User-generated Content in Online Applications." PDXScholar, 2013. https://pdxscholar.library.pdx.edu/open_access_etds/1425.
Full textAbstract:
Online applications that are open to participation lack reliable methods to establish the integrity of user-generated information. Users may unknowingly own compromised devices, or intentionally publish forged information. In these scenarios, applications need some way to determine the "correctness" of autonomously generated information. Towards that end, this thesis presents a "trust-but-verify" approach that enables open online applications to independently verify the information generated by each participant. In addition to enabling independent verification, our framework allows an application to verify less information from more trustworthy users and verify more information from less trustworthy ones. Thus, an application can trade-off performance for more integrity, or vice versa. We apply the trust-but-verify approach to three different classes of online applications and show how it can enable 1) high-integrity, privacy-preserving, crowd-sourced sensing 2) non-intrusive cheat detection in online games, and 3) effective spam prevention in online messaging applications.
47
Denys, Paul. "Security of Personal Information in Cloud Computing : Identifying and mitigating against risks to privacy in the deployment of Enterprise Systems Applications on the Software as a Service platform." Thesis, Blekinge Tekniska Högskola, Sektionen för datavetenskap och kommunikation, 2012. http://urn.kb.se/resolve?urn=urn:nbn:se:bth-5726.
Full textAbstract:
The emergence and subsequent growth of Cloud computing has brought with it a great deal of change in the manner in which the world undertakes to compute and store information. This new technology has brought with it immense possibilities as far as processing of information and the pooling of resources is concerned. This potential has also been noticed by the public sector, as Governments all over the world have undertaken to introduce what has come to be known as e-Government, the provisioning of Government services and communications via Web based applications, rather than the traditional means of in person contact and paper based collection of personal information. While the move to Web based Government has been occurring for the last 20 or so years, a new development in this area is the introduction of Cloud computing and Cloud-based computing platforms, most notably Software-as-a-Service (SaaS) in the provisioning of these services. The computing and efficiency potential of this technology cannot be disputed, yet it’s important to recognize that taking advantage of this computing power does come at a price. That price being significant threats to personal privacy and security of personally identifiable information. This thesis will make it easier for government agencies to make informed decisions about whether or not to migrate data and applications into the cloud. The identification and analysis of potential risks to data security and personal information has drawn together key information from a multitude of both academic and industry sources to make such a decision plausible.
48
Hsiao, Chih-Wen, David Turner, and Keith Ross. "A secure lightweight currency service provider." CSUSB ScholarWorks, 2004. https://scholarworks.lib.csusb.edu/etd-project/2594.
Full textAbstract:
The main purpose of this project is to build a bank system that offers a friendly and simple interface to let users easily manage their lightweight currencies. The Lightweight Currency Protocol (LCP) was originally proposed to solve the problem of fairness in resource cooperatives. However, there are other possible applications of the protocol, including the control of spam and as a general purpose medium of exchange for low value transactions. This project investigates the implementation issues of the LCP, and also investigates LCP bank services to provide human interface to currency operations.
49
Viriyasitavat, Wattana. "A framework of trust in service workflows." Thesis, University of Oxford, 2013. http://ora.ox.ac.uk/objects/uuid:a894bd9c-eaf2-4ebd-91c1-35012cd0a527.
Full textAbstract:
The everything as a service concept enables dynamic resource provisions to be seen and delivered as services. Their proliferation nowadays leads to the creation of new value-added services composed of several sub-services in a pre-specified manner, known as service workflows. The use of service workflow appears in various domains, ranging from the basic interactions found in several e-commerce and several online interactions to the complex ones such as Virtual Organizations, Grids, and Cloud Computing. However, the dynamic nature in open environments makes a workflow constantly changing, to be adaptable to the change of new circumstances. How to determine suitable services has becomes a very important challenge. Requirements from both workflow owners and service providers play a significant role in the process of service acquisition, composition, and interoperations. From the workflow owner viewpoint, requirements can specify properties of services to be acquired for tasks in a workflow. On the other hand, requirements from service providers affect trust-based decision in workflow participation. The lack of formal languages to specify these requirements poses difficulties in the success of service collaborations in a workflow. It impedes: (1) workflow scalability that tends to be limited within a certain set of trusted domains; (2) dynamicity when each service acts in an autonomous and unpredictable manner where any change might affect existing requirements; and (3) inconsistency in dealing with the disparate representations of requirements, causing high overhead for compliance checking. This thesis focuses on developing a framework to overcome, or at least alleviate, these problems. It situates in inter-disciplinary areas including logics, workflow modelling, specification languages, trust management, decision support system, and compliance checking. Two core elements are proposed: (1) a formal logic-based requirement specification language, namely Trust Specification (TS), such that the requirements can be formally and uniformly expressed; and (2) compliance checking algorithms to automatically check for the compliance of requirements in service workflows. It is worth noting that this thesis contains some proofs of logic extension, workflow modelling, specification language, and compliance checking algorithms. These might raise a concern to people focusing deep on one particular area such as logics, or workflow modelling who might overlook the essence of the work, for example (1) the application of a formal specification language to the exclusive characteristics of service workflows, and (2) bridging the gap of the high level languages such as trust management down to the lower logic-based ones. The first contribution of the framework is to allow requirements to be independently and consistently expressed by each party where the workflow participation decision and acquisition are subject to the compliance of requirements. To increase scalability in large-scale interoperations, the second contribution centres on automatic compliance checking where TS language and compliance checking algorithms are two key components. The last contribution focuses on dynamicity. The framework allows each party to modify existing requirements and the compliance checking would be automatically activated to check for further compliance. As a result, it is anticipated that the solution will encourage the proliferation of service provisions and consumption over the Internet.
50
BATISTA, CARLOS FREUD ALVES. "SOFTWARE SECURITY METRICS." PONTIFÍCIA UNIVERSIDADE CATÓLICA DO RIO DE JANEIRO, 2007. http://www.maxwell.vrac.puc-rio.br/Busca_etds.php?strSecao=resultado&nrSeq=10990@1.
Full textAbstract:
PETRÓLEO BRASILEIRO S. A.A dependência cada vez maior da tecnologia de informação (TI) torna software seguro um elemento chave para a continuidade dos serviços de nossa sociedade atual. Nos últimos anos, instituições públicas e privadas aumentaram seus investimentos em segurança da informação, mas a quantidade de ataques vem crescendo mais rapidamente do que a nossa capacidade de poder enfrentálos, colocando em risco a propriedade intelectual, a relação de confiança de clientes e a operação de serviços e negócios apoiados pelos serviços de TI. Especialistas em segurança afirmam que atualmente boa parte dos incidentes de segurança da informação ocorrem a partir de vulnerabilidades encontradas no software, componente presente em boa parte dos sistemas de informação. Para tornar o software fidedigno em relação à segurança, a criação e o uso de métricas de segurança serão fundamentais para gerenciar e entender o impacto dos programas de segurança nas empresas. Porém, métricas de segurança são cobertas de mistério e consideradas bastante difíceis de serem implementadas. Este trabalho pretende mostrar que hoje ainda não é possível termos métricas quantitativas capazes de indicar o nível de segurança que o software em desenvolvimento virá a ter. Necessitam-se, então, outras práticas para assegurar níveis de segurança a priori, ou seja, antes de se por o software em uso.
Today`s growing dependency on information technology (IT) makes software security a key element of IT services. In recent years public and private institutions raised the investment on information security, however the number of attacks is growing faster than our power to face them, putting at risk intellectual property, customer`s confidence and businesses that rely on IT services. Experts say that most information security incidents occur due to the vulnerabilities that exist in software systems in first place. Security metrics are essential to assess software dependability with respect to security, and also to understand and manage impacts of security initiatives in organizations. However, security metrics are shrouded in mystery and very hard to implement. This work intends to show that there are no adequate metrics capable of indicating the security level that a software will achieve. Hence, we need other practices to assess the security of software while developing it and before deploying it.