Mobile Ajax

Al Tayr, Hydar, Al Hakim, Mahmud

January 2008

This report describes a master thesis performed at SICS (Swedish Institute of Computer Science) and KTH (The Royal Institute of Technology) in Stockholm. Ajax stands for "Asynchronous JavaScript and XML" and it's not a programming language, but a suite of technologies used to develop web applications with more interactivity than the traditional web pages. Ajax applications can be adapted for mobile and constrained devices. This has been called Mobile Ajax. While the technique is the same, Mobile Ajax generally is considered to be a special case of Ajax, because it deals with problems specific to the mobile market. The purpose of this thesis has been to examine which possibilities and disadvantages has the Mobile Ajax from developers and users perspective. In addition we compare Mobile Ajax with Java Micro Edition (Java ME) and Flash Lite. This has been done through literature studies and development of a databased chat client (MAIM -Mobile Ajax Instant Messenger). The application sends and receives direct messages in real time between differently mobile devices. Then MAIM application has been compared with our own developed Java ME and Flash Lite chat clients. We have tested all three applications with different models of mobile devices and on different web browsers. The results have shown that mobile Ajax makes possible the creation of sophisticated and dynamic mobile web applications and is better than the classic web application model, but this requires that the mobile device has a modern and compatible web browser like Opera mobile. / Denna rapport beskriver ett examensarbete utfört på SICS (Swedish Institute of Computer Science) och KTH (Kungliga Tekniska Högskolan) i Stockholm. Ajax står för "Asynchronous JavaScript and XML" och är inte något programmeringsspråk, utan ett samlingsnamn för några tekniker som kan användas för att utveckla webbtillämpningar med mer interaktivitet än traditionella webbsidor. Ajax-tillämpningar kan anpassas till mobila och begränsade enheter. Detta har fått namnet Mobile Ajax . Medan tekniken är det samma, ses Mobile Ajax som ett specialfall av Ajax, för att den behandlar problem som är specifika till den mobila marknaden. Syftet med denna uppsats har varit att undersöka vilka möjligheter och nackdelar som Mobile Ajax har utifrån ett utvecklar- och användarperspektiv. Dessutom jämför vi Mobile Ajax med Java Micro Edition (Java ME) och Flash Lite. Detta har gjorts genom litteraturstudier och utveckling av en databasbaserad chattklient (MAIM -Mobile Ajax Instant Messenger). Applikationen skickar och tar emot direkt meddelanden i realtid mellan olika mobila enheter. MAIM har sedan jämförts med egenutvecklade Java ME och Flash Lite chattklienter. Vi har testat alla tre applikationer med olika modeller av mobila enheter och på olika webbläsare. Resultaten har visat att Mobile Ajax möjliggör skapandet av sofistikerade och dynamiska mobila webbapplikationer och är mycket bättre än den klassiska webbapplikationsmodellen. Men detta förutsätter att den mobila enheten har en "modern" och kompatibel webbläsare t.ex. Opera Mobile.

Mobile Ajax

Asynkron kommunikation

Blog DOM SAJAX

Frost Ajax

Library Gadgets

innerHTML

Mobile Ajax

Asynkron kommunikation

Blog DOM SAJAX

innerHTML

Software Engineering

Programvaruteknik

Quantitative Metrics and Measurement Methodologies for System Security Assurance

Ahmed, Md Salman

11 January 2022

Proactive approaches for preventing attacks through security measurements are crucial for preventing sophisticated attacks. However, proactive measures must employ qualitative security metrics and systemic measurement methodologies to assess security guarantees, as some metrics (e.g., entropy) used for evaluating security guarantees may not capture the capabilities of advanced attackers. Also, many proactive measures (e.g., data pointer protection or data flow integrity) suffer performance bottlenecks. This dissertation identifies and represents attack vectors as metrics using the knowledge from advanced exploits and demonstrates the effectiveness of the metrics by quantifying attack surface and enabling ways to tune performance vs. security of existing defenses by identifying and prioritizing key attack vectors for protection. We measure attack surface by quantifying the impact of fine-grained Address Space Layout Randomization (ASLR) on code reuse attacks under the Just-In-Time Return-Oriented Programming (JITROP) threat model. We conduct a comprehensive measurement study with five fine-grained ASLR tools, 20 applications including six browsers, one browser engine, and 25 dynamic libraries. Experiments show that attackers only need several seconds (1.5-3.5) to find various code reuse gadgets such as the Turing Complete gadget set. Experiments also suggest that some code pointer leaks allow attackers to find gadgets more quickly than others. Besides, the instruction-level single-round randomization can restrict Turing Complete operations by preventing up to 90% of gadgets. This dissertation also identifies and prioritizes critical data pointers for protection to enable the capability to tune between performance vs. security. We apply seven rule-based heuristics to prioritize externally manipulatable sensitive data objects/pointers. Our evaluations using 33 ground truths vulnerable data objects/pointers show the successful detection of 32 ground truths with a 42% performance overhead reduction compared to AddressSanitizer. Our results also suggest that sensitive data objects are as low as 3%, and on average, 82% of data objects do not need protection for real-world applications. / Doctor of Philosophy / Proactive approaches for preventing attacks through security measurements are crucial to prevent advanced attacks because reactive measures can become challenging, especially when attackers enter sophisticated attack phases. A key challenge for the proactive measures is the identification of representative metrics and measurement methodologies to assess security guarantees, as some metrics used for evaluating security guarantees may not capture the capabilities of advanced attackers. Also, many proactive measures suffer performance bottlenecks. This dissertation identifies and represents attack elements as metrics using the knowledge from advanced exploits and demonstrates the effectiveness of the metrics by quantifying attack surface and enabling the capability to tune performance vs. security of existing defenses by identifying and prioritizing key attack elements. We measure the attack surface of various software applications by quantifying the available attack elements of code reuse attacks in the presence of fine-grained Address Space Layout Randomization (ASLR), a defense in modern operating systems. ASLR makes code reuse attacks difficult by making the attack components unavailable. We perform a comprehensive measurement study with five fine-grained ASLR tools, real-world applications, and libraries under an influential code reuse attack model. Experiments show that attackers only need several seconds (1.5-3.5) to find various code reuse elements. Results also show the influence of one attack element over another and one defense strategy over another strategy. This dissertation also applies seven rule-based heuristics to prioritize externally manipulatable sensitive data objects/pointers – a type of attack element – to enable the capability to tune between performance vs. security. Our evaluations using 33 ground truths vulnerable data objects/pointers show the successful identification of 32 ground truths with a 42% performance overhead reduction compared to AddressSanitizer, a memory error detector. Our results also suggest that sensitive data objects are as low as 3% of all objects, and on average, 82% of objects do not need protection for real-world applications.

Security Measurement

Attack Surface Quantification

Metrics

Methodologies

Attack Vectors

Data Pointers

Taint Analysis

LLVM

ROP

JITROP

Data-Oriented Attacks

Gadgets

ASLR

Pointer Authentication

Memory Tagging

A service orientated architecture and wireless sensor network approach applied to the measurement and visualisation of a micro injection moulding process : design, development and testing of an ESB based micro injection moulding platform using Google Gadgets and business processes for the integration of disparate hardware systems on the factory shop floor

Raza, Umar

January 2014

Factory shop floors of the future will see a significant increase in interconnected devices for monitoring and control. However, if a Service Orientated Architecture (SOA) is implemented on all such devices then this will result in a large number of permutations of services and composite services. These services combined with other business level components can pose a huge challenge to manage as it is often difficult to keep an overview of all the devices, equipment and services. This thesis proposes an SOA based novel assimilation architecture for integrating disparate industrial hardware based processes and business processes of an enterprise in particular the plastics machinery environment. The key benefits of the proposed architecture are the reduction of complexity when integrating disparate hardware platforms; managing the associated services as well as allowing the Micro Injection Moulding (µIM) process to be monitored on the web through service and data integration. An Enterprise Service Bus (ESB) based middleware layer integrates the Wireless Sensor Network (WSN) based environmental and simulated machine process systems with frontend Google Gadgets (GGs) based web visualisation applications. A business process framework is proposed to manage and orchestrate the resulting services from the architecture. Results from the analysis of the WSN kits in terms of their usability and reliability showed that the Jennic WSN was easy to setup and had a reliable communication link in the polymer industrial environment with the PER being below 0.5%. The prototype Jennic WSN based µIM process monitoring system had limitations when monitoring high-resolution machine data, therefore a novel hybrid integration architecture was proposed. The assimilation architecture was implemented on a distributed server based test bed. Results from test scenarios showed that the architecture was highly scalable and could potentially allow a large number of disparate sensor based hardware systems and services to be hosted, managed, visualised and linked to form a cohesive business process.

621.382