Global ETD Search

41	Proposta de uma metodologia de medição e priorização de segurança de acesso para aplicações WEB. / Proposal of a methodology for measuring and prioritization access security for WEB applications. Colombo, Regina Maria Thienne 26 March 2014 (has links) Em um mundo tecnológico e globalmente interconectado, em que indivíduos e organizações executam transações na web com frequência, a questão da segurança de software é imprescindível, ela é necessária em diversos nichos: segurança das redes de computadores, dos computadores e dos softwares. A implantação de um sistema de segurança que abrange todos os aspectos é extensa e complexa, ao mesmo tempo em que a exploração de vulnerabilidades e ataques é exponencialmente crescente. Por causa da natureza do software e de sua disponibilidade na web, a garantia de segurança nunca será total, porém é possível planejar, implementar, medir e avaliar o sistema de segurança e finalmente melhorá-la. Atualmente, o conhecimento específico em segurança é detalhado e fragmentado em seus diversos nichos, a visão entre os especialistas de segurança é sempre muito ligada ao ambiente interno da computação. A medição de atributos de segurança é um meio de conhecer e acompanhar o estado da segurança de um software. Esta pesquisa tem como objetivo apresentar uma abordagem top-down para medição da segurança de acesso de aplicações web. A partir de um conjunto de propriedades de segurança reconhecidas mundialmente, porém propriedades estas intangíveis, é proposta uma metodologia de medição e priorização de atributos de segurança para conhecer o nível de segurança de aplicações web e tomar as ações necessárias para sua melhoria. Define-se um modelo de referência para segurança de acesso e o método processo de análise hierárquica apoia a obtenção de atributos mensuráveis e visualização do estado da segurança de acesso de uma aplicação web. / In a technological world and globally interconnected, in which individuals and organizations perform transactions on the web often, the issue of software security is essential, it is needed in several niches: security of computer networks, computers and software. The implementation of a security system that covers all aspects is extensive and complex, while the exploitation of vulnerabilities and attacks are increasing exponentially. Because of the nature of software and its availability on the web, ensure security will never be complete, but it is possible to plan, implement, measure and evaluate the security system and ultimately improve it. Currently, the specific knowledge in security is detailed and fragmented into its various niches; the view among security experts is always connected to the internal environment of computing. The measurement of security attributes is a way to know and monitor the state of software security. This research aims to present a top-down approach for measuring the access security of web applications. From a set of security properties globally recognized, however these intangible properties, I propose a measurement methodology and prioritization of security attributes to meet the security level of web applications and take necessary actions for improvement. It is defined a reference model for access security and a method of analytic hierarchy process to support the achievement of measurable attributes and status of the access security of a web application. Access security model AHP AHP Aplicação WEB Medição de segurança Modelo de segurança de acesso Security measurement Segurança de software Software security WEB application
42	Embedded System Security: A Software-based Approach Cui, Ang January 2015 (has links) We present a body of work aimed at understanding and improving the security posture of embedded devices. We present results from several large-scale studies that measured the quantity and distribution of exploitable vulnerabilities within embedded devices in the world. We propose two host-based software defense techniques, Symbiote and Autotomic Binary Structure Randomization, that can be practically deployed to a wide spectrum of embedded devices in use today. These defenses are designed to overcome major challenges of securing legacy embedded devices. To be specific, our proposed algorithms are software- based solutions that operate at the firmware binary level. They do not require source-code, are agnostic to the operating-system environment of the devices they protect, and can work on all major ISAs like MIPS, ARM, PowerPC and X86. More importantly, our proposed defenses are capable of augmenting the functionality of embedded devices with a plethora of host-based defenses like dynamic firmware integrity attestation, binary structure randomization of code and data, and anomaly-based malcode detection. Furthermore, we demonstrate the safety and efficacy of the proposed defenses by applying them to a wide range of real- time embedded devices like enterprise networking equipment, telecommunication appliances and other commercial devices like network-based printers and IP phones. Lastly, we present a survey of promising directions for future research in the area of embedded security. Embedded computer systems Computer software--Security measures Embedded computer systems--Programming Computer security Computer science
43	Proposta de uma metodologia de medição e priorização de segurança de acesso para aplicações WEB. / Proposal of a methodology for measuring and prioritization access security for WEB applications. Regina Maria Thienne Colombo 26 March 2014 (has links) Em um mundo tecnológico e globalmente interconectado, em que indivíduos e organizações executam transações na web com frequência, a questão da segurança de software é imprescindível, ela é necessária em diversos nichos: segurança das redes de computadores, dos computadores e dos softwares. A implantação de um sistema de segurança que abrange todos os aspectos é extensa e complexa, ao mesmo tempo em que a exploração de vulnerabilidades e ataques é exponencialmente crescente. Por causa da natureza do software e de sua disponibilidade na web, a garantia de segurança nunca será total, porém é possível planejar, implementar, medir e avaliar o sistema de segurança e finalmente melhorá-la. Atualmente, o conhecimento específico em segurança é detalhado e fragmentado em seus diversos nichos, a visão entre os especialistas de segurança é sempre muito ligada ao ambiente interno da computação. A medição de atributos de segurança é um meio de conhecer e acompanhar o estado da segurança de um software. Esta pesquisa tem como objetivo apresentar uma abordagem top-down para medição da segurança de acesso de aplicações web. A partir de um conjunto de propriedades de segurança reconhecidas mundialmente, porém propriedades estas intangíveis, é proposta uma metodologia de medição e priorização de atributos de segurança para conhecer o nível de segurança de aplicações web e tomar as ações necessárias para sua melhoria. Define-se um modelo de referência para segurança de acesso e o método processo de análise hierárquica apoia a obtenção de atributos mensuráveis e visualização do estado da segurança de acesso de uma aplicação web. / In a technological world and globally interconnected, in which individuals and organizations perform transactions on the web often, the issue of software security is essential, it is needed in several niches: security of computer networks, computers and software. The implementation of a security system that covers all aspects is extensive and complex, while the exploitation of vulnerabilities and attacks are increasing exponentially. Because of the nature of software and its availability on the web, ensure security will never be complete, but it is possible to plan, implement, measure and evaluate the security system and ultimately improve it. Currently, the specific knowledge in security is detailed and fragmented into its various niches; the view among security experts is always connected to the internal environment of computing. The measurement of security attributes is a way to know and monitor the state of software security. This research aims to present a top-down approach for measuring the access security of web applications. From a set of security properties globally recognized, however these intangible properties, I propose a measurement methodology and prioritization of security attributes to meet the security level of web applications and take necessary actions for improvement. It is defined a reference model for access security and a method of analytic hierarchy process to support the achievement of measurable attributes and status of the access security of a web application. AHP Aplicação WEB Medição de segurança Modelo de segurança de acesso Segurança de software Access security model AHP Security measurement Software security WEB application
44	Software Security Analysis : Managing source code audit Persson, Daniel, Baca, Dejan January 2004 (has links) Software users have become more conscious of security. More people have access to Internet and huge databases of security exploits. To make secure products, software developers must acknowledge this threat and take action. A first step is to perform a software security analysis. The software security analysis was performed using automatic auditing tools. An experimental environment was constructed to check if the findings were exploitable or not. Open source projects were used as reference to learn what patterns to search for. The results of the investigation show the differences in the automatic auditing tools used. Common types of security threats found in the product have been presented. Four different types of software security exploits have also been presented. The discussion presents the effectiveness of the automatic tools for auditing software. A comparison between the security in the examined product and the open source project Apache is presented. Furthermore, the incorporation of the software security analysis into the development process, and the results and cost of the security analysis is discussed. Finally some conclusions were drawn. Software security audit exploit closed source open source buffer overflow Computer Sciences Datavetenskap (datalogi) Software Engineering Programvaruteknik
45	FUZZING HARD-TO-COVER CODE Hui Peng (10746420) 06 May 2021 (has links) <div>Fuzzing is a simple yet effect approach to discover bugs by repeatedly testing the target system using randomly generated inputs. In this thesis, we identify several limitations in state-of-the-art fuzzing techniques: (1) the coverage wall issue , fuzzer-generated inputs cannot bypass complex sanity checks in the target programs and are unable to cover code paths protected by such checks; (2) inability to adapt to interfaces to inject fuzzer-generated inputs, one important example of such interface is the software/hardware interface between drivers and their devices; (3) dependency on code coverage feedback, this dependency makes it hard to apply fuzzing to targets where code coverage collection is challenging (due to proprietary components or special software design).</div><div><br></div><div><div>To address the coverage wall issue, we propose T-Fuzz, a novel approach to overcome the issue from a different angle: by removing sanity checks in the target program. T-Fuzz leverages a coverage-guided fuzzer to generate inputs. Whenever the coverage wall is reached, a light-weight, dynamic tracing based technique detects the input checks that the fuzzer-generated inputs fail. These checks are then removed from the target program. Fuzzing then continues on the transformed program, allowing the code protected by the removed checks to be triggered and potential bugs discovered. Fuzzing transformed programs to find bugs poses two challenges: (1) removal of checks leads to over-approximation and false positives, and (2) even for true bugs, the crashing input on the transformed program may not trigger the bug in the original program. As an auxiliary post-processing step, T-Fuzz leverages a symbolic execution-based approach to filter out false positives and reproduce true bugs in the original program.</div></div><div><br></div><div><div>By transforming the program as well as mutating the input, T-Fuzz covers more code and finds more true bugs than any existing technique. We have evaluated T-Fuzz on the DARPA Cyber Grand Challenge dataset, LAVA-M dataset and 4 real-world programs (pngfix, tiffinfo, magick and pdftohtml). For the CGC dataset, T-Fuzz finds bugs in 166 binaries, Driller in 121, and AFL in 105. In addition, we found 4 new bugs in previously-fuzzed programs and libraries.</div></div><div><br></div><div><div>To address the inability to adapt to inferfaces, we propose USBFuzz. We target the USB interface, fuzzing the software/hardware barrier. USBFuzz uses device emulation</div><div>to inject fuzzer-generated input to drivers under test, and applies coverage-guided fuzzing to device drivers if code coverage collection is supported from the kernel. In its core, USBFuzz emulates an special USB device that provides data to the device driver (when it performs IO operations). This allows us to fuzz the input space of drivers from the device’s perspective, an angle that is difficult to achieve with real hardware. USBFuzz discovered 53 bugs in Linux (out of which 37 are new, and 36 are memory bugs of high security impact, potentially allowing arbitrary read or write in the kernel address space), one bug in FreeBSD, four bugs (resulting in Blue Screens of Death) in Windows and three bugs (two causing an unplanned restart, one freezing the system) in MacOS.</div></div><div><br></div><div><div>To break the dependency on code coverage feedback, we propose WebGLFuzzer. To fuzz the WebGL interface (a set of JavaScript APIs in browsers allowing high performance graphics rendering taking advantage of GPU acceleration on the device), where code coverage collection is challenging, we introduce WebGLFuzzer, which internally uses a log guided fuzzing technique. WebGLFuzzer is not dependent on code coverage feedback, but instead, makes use of the log messages emitted by browsers to guide its input mutation. Compared with coverage guided fuzzing, our log guided fuzzing technique is able to perform more meaningful mutation under the guidance of the log message. To this end, WebGLFuzzer uses static analysis to identify which argument to mutate or which API call to insert to the current program to fix the internal WebGL program state given a log message emitted by the browser. WebGLFuzzer is under evaluation and so far, it has found 6 bugs, one of which is able to freeze the X-Server.</div></div> Computer Software Computer System Security Fuzzing Testing Software security USB GPU WebGL Program Analysis Virtualization Symbolic Execution
46	A Method for Recommending Computer-Security Training for Software Developers Nadeem, Muhammad 12 August 2016 (has links) Vulnerable code may cause security breaches in software systems resulting in financial and reputation losses for the organizations in addition to loss of their customers’ confidential data. Delivering proper software security training to software developers is key to prevent such breaches. Conventional training methods do not take the code written by the developers over time into account, which makes these training sessions less effective. We propose a method for recommending computer–security training to help identify focused and narrow areas in which developers need training. The proposed method leverages the power of static analysis techniques, by using the flagged vulnerabilities in the source code as basis, to suggest the most appropriate training topics to different software developers. Moreover, it utilizes public vulnerability repositories as its knowledgebase to suggest community accepted solutions to different security problems. Such mitigation strategies are platform independent, giving further strength to the utility of the system. This research discussed the proposed architecture of the recommender system, case studies to validate the system architecture, tailored algorithms to improve the performance of the system, and human subject evaluation conducted to determine the usefulness of the system. Our evaluation suggests that the proposed system successfully retrieves relevant training articles from the public vulnerability repository. The human subjects found these articles to be suitable for training. The human subjects also found the proposed recommender system as effective as a commercial tool. FindBugs Static code analysis Jaccard index tf–idf training NVD CWE software vulnerabilities software security Recommender system
47	Analyzing and Securing Software via Robust and Generalizable Learning Pei, Kexin January 2023 (has links) Software permeates every facet of our lives, improving their convenience and efficiency, and its sphere of influence continues to expand, leading to novel applications and services. However, as software grows in complexity, it increasingly exposes vulnerabilities within the intricate landscape of security threats. Program analysis emerges as a pivotal technique for constructing software that is secure, reliable, and efficient. Despite this, existing methodologies predominantly rely on rules and heuristics, which necessitate substantial manual tuning to accommodate the diverse components of software. In this dissertation, I introduce our advancements in data-driven program analysis, a novel approach in which we employ machine learning techniques to comprehend both the structures and behaviors of programs, thereby enhancing the analysis and security of software applications. Besides focusing on traditional software, I also elaborate on our work in the systematic testing and formal verification of learned software components, including neural networks. I commence by detailing a succession of studies centered on the ambitious goal of learning execution-aware program representations. This is achieved by training large language models to understand program execution semantics. I illustrate that the models equipped with execution-aware pre-training attain state-of-the-art results in a range of program analysis tasks, such as detecting semantically similar code, type inference, memory dependence analysis, debugging symbol recovery, and generating invariants. Subsequently, I outline our approach to learning program structures and dependencies for disassembly and function boundary recovery, which are building blocks for downstream reverse engineering and binary analysis tasks. In the final part of this dissertation, I delve into DeepXplore, the inaugural white-box testing framework designed for deep learning systems, and VeriVis, a pioneering verification framework capable of proving the robustness guarantee of neural networks with only black-box access, extending beyond norm-bounded input transformations. Computer science Computer software--Security measures Computer security--Computer programs Deep learning (Machine learning) Neural networks (Computer science)
48	A decentralized Git version controlsystem : A proposed architecture and evaluation of decentralized Git using DAG-based distributed ledgers Habib, Christian, Ayoub, Ilian January 2022 (has links) This thesis proposes an implementation for a decentralized version of the Git version controlsystem. This is achieved using a simple distributed DAG ledger. The thesis analyzeshow the decentralization of Git affects security. Use and misuse cases are used to compareand evaluate conventional Git web services and a decentralized version of Git. Theproposed method for managing the state of the Git project is described as a voting systemwhere participants in a Git project vote on changes to be made. The security evaluationfound that the removal of privileged roles in the Git version control system, mitigated thepossibility of malicious maintainers taking over the project. However, with the introductionof the DAG ledger and the decentralization, the possibility of a malicious actor takingover the network using Sybil attack arises, which in turn could cause the same issues as amalicious maintainer. Blockchain Distributed ledger technology Git Version control systems Software Security Web3 Misuse cases Computer Sciences Datavetenskap (datalogi)
49	Supplementing Dependabot’svulnerability scanning : A Custom Pipeline for Tracing DependencyUsage in JavaScript Projects Karlsson, Isak, Ljungberg, David January 2024 (has links) Software systems are becoming increasingly complex, with developers frequentlyutilizing numerous dependencies. In this landscape, accurate tracking and understanding of dependencies within JavaScript and TypeScript codebases are vital formaintaining software security and quality. However, there exists a gap in how existing vulnerability scanning tools, such as Dependabot, convey information aboutthe usage of these dependencies. This study addresses the problem of providing amore comprehensive dependency usage overview, a topic critical to aiding developers in securing their software systems. To bridge this gap, a custom pipeline wasimplemented to supplement Dependabot, extracting the dependencies identified asvulnerable and providing specific information about their usage within a repository.The results highlight the pros and cons of this approach, showing an improvement inthe understanding of dependency usage. The effort opens a pathway towards moresecure software systems. Vulnerability scanning Software Dependencies JavaScript TypeScript Dependabot Vulnerability Scanning Tools Software Security Pipeline GitHub Dependency Management Computer Systems Datorsystem
50	[en] AN APPROACH FOR REVIEWING SECURITY RELATED ASPECTS IN AGILE REQUIREMENTS SPECIFICATIONS OF WEB APPLICATIONS / [pt] UMA ABORDAGEM PARA REVISAR ASPECTOS RELACIONADOS À SEGURANÇA EM ESPECIFICAÇÕES DE REQUISITOS ÁGEIS DE APLICATIVOS DA WEB HUGO RICARDO GUARIN VILLAMIZAR 04 February 2021 (has links) [pt] Os defeitos nas especificações de requisitos podem ter consequências graves durante o ciclo de vida de desenvolvimento de software. Alguns deles resultam em uma falha geral do projeto devido a características de qualidade incorretas ou ausentes, como segurança. Existem várias preocupações que tornam a segurança difícil de lidar; por exemplo, (1) quando as partes interessadas discutem os requisitos gerais nas reuniões, muitas vezes não estão cientes que também devem discutir tópicos relacionados à segurança. (2) Normalmente as equipes de desenvolvimento não possuem conhecimentos de segurança suficientes. Isto geralmente leva a aspectos de segurança não especificados ou mal definidos. Essas preocupações tornam-se ainda mais desafiadoras em contextos de desenvolvimento ágil, nos quais a documentação leve geralmente está envolvida. O objetivo desta dissertação é projetar e avaliar uma abordagem para suportar a revisão de aspectos relacionados à segurança em especificações de requisitos ágeis de aplicativos web. A abordagem projetada considera estórias de usuário e especificações de segurança como entradas e relaciona essas estórias de usuário a propriedades de segurança através de técnicas de Processamento de Linguagem Natural. Com base nas propriedades de segurança relacionadas, nossa abordagem identifica os requisitos de segurança de alto nível do OWASP (Open Web Application Security Project) a serem verificados e gera uma técnica de leitura focada para dar suporte aos revisores na detecção de defeitos. Avaliamos nossa abordagem rodando dois experimentos controlados. Comparamos a eficácia e a eficiência de inspetores novatos que verificam aspectos de segurança em requisitos ágeis usando nossa técnica de leitura contra o uso da lista completa de requisitos de segurança de alto nível do OWASP. Os resultados (estatisticamente significativos) indicam que o uso da nossa abordagem tem um impacto positivo (com tamanho de efeito muito grande) no desempenho dos inspetores em termos de eficácia e eficiência. / [en] Defects in requirements specifications can have severe consequences during the software development life cycle. Some of them result in overall project failure due to incorrect or missing quality characteristics such as security. There are several concerns that make security difficult to deal with; for instance, (1) when stakeholders discuss general requirements in (review) meetings, they are often not aware that they should also discuss security-related topics, and (2) they typically do not have enough expertise in security. This often leads to unspecified or ill-defined security aspects. These concerns become even more challenging in agile development contexts, where lightweight documentation is typically involved. The goal of this dissertation is to design and evaluate an approach to support reviewing security-related aspects in agile requirements specifications of web applications. The designed approach considers user stories and security specifications as input and relates those user stories to security properties via Natural Language Processing (NLP). Based on the related security properties, our approach then identifies high-level security requirements from the Open Web Application Security Project (OWASP) to be verified and generates a focused reading technique to support reviewers in detecting defects. We evaluate our approach via two controlled experiment trials. We compare the effectiveness and efficiency of novice inspectors verifying security aspects in agile requirements using our reading technique against using the complete list of OWASP high-level security requirements. The (statistically significant) results indicate that using our approach has a positive impact (with very large effect size) on the performance of inspectors in terms of effectiveness and efficiency. [pt] VERIFICACAO [pt] INSPECAO DE SOFTWARE [pt] SEGURANCA DE SOFTWARE [pt] REQUISITOS AGEIS [en] VERIFICATION [en] SOFTWARE INSPECTION [en] SOFTWARE SECURITY [en] AGILE REQUIREMENTS

Search results