Security in the MIDAS Middleware

Pronstad, Thomas, Westerlund, Vegar January 2008
Security in mobile ad-hoc networks (MANETs) is difficult because of their operating environment and their lack of a central control unit, making classical security measures inapplicable. MIDAS is a project funded by the European Commission which creates a "Middleware platform for developing and deploying advanced mobile services". It is important for MIDAS to find a middle ground where it provides reasonable security while using little extra processing power and battery and remaining easy to use. In this thesis we identify the vulnerabilities and security measures needed to secure MIDAS, while preserving usability. We approach this problem by analysing the MIDAS design and finding similarities to other known systems. From the analysis we identify threats and ethical issues, and suggest security mechanisms that solve MIDAS-specific problems. The resulting security mechanisms are described in detail and tied together to create four main configurations with increasing levels of security. The configurations can then be used by MIDAS developers to implement security in a consistent way. The results are specific to MIDAS, but issues, requirements and security building blocks can be used by other projects for applicable MANET problems.

Introducing New Technologies to Users in User-Centered Design Projects: An Experimental Study

Klingsheim, Tuva Foldøy, Raae, Benedicte January 2009
In user-centered design the users play an important role in the development process. The users are included in nearly every step of the process, and it is often a problem that they do not have the necessary overview of a technology intended for use in the end system. They do not need to know all the technical details, but they do need to know what possibilities the technology makes available. To do this one needs to introduce the users to the technical possibilities, but how does one do this? We had two suggestions as to how this could be done. We proposed introducing the possibilities through abstract concepts not tied to the users' domain. The reason was that we did not want to lock the users to concrete ideas given by us, but to let them use the abstract concepts to come up with ideas in their own domain. The other suggestion was giving the users hands-on experience with the concepts. Human knowledge is usually derived from experience, and we believe touching and trying out the possibilities of a technology would also be helpful in this kind of setting. To test whether hands-on experience and abstract concepts are valuable in an introduction of new technologies, we conducted an experiment involving two workshops. Both workshops got a theoretical presentation of the abstract concepts, while one workshop let the participants explore a demonstrator made by us, giving them hands-on experience. These workshops were then analyzed both qualitatively and quantitatively. The quantitative analysis showed that the workshop incorporating hands-on experience generated more unique ideas and also ideas in more categories than the other workshop. However, because of low comparability between the groups, due to factors such as prior experience with the technologies and current work situation, we do not give these findings much significance. Through the qualitative analysis we see that hands-on experience can be valuable. For one participant in particular, the hands-on experience was very valuable.
In addition, we found it valuable as a motivational exercise in a user-centered design process. The abstract concepts were analyzed qualitatively, and these were not as valuable as hoped. The users found it hard to map the abstract concepts to their domain. We now see the value of examples closer to the users' domain, but they should be kept as small building blocks for the users to combine to solve larger problems. We end this paper with a suggested approach to introducing new technological possibilities. We still recommend using the abstract concepts, but taking care to exemplify them through many small domain-specific examples. Hands-on experience is recommended if it is feasible to do this within the domain. We also recommend allowing time to mature and revisiting the participants after they have been back in their domain for a while.

Inputvalideringsbibliotek med integrering mot Eclipse / Input Validation Library with Eclipse Integration

Moghal, Sahdia Fayyaz, Surnflødt, Torunn January 2009
Input validation is a central topic in secure software development. It is especially important to validate input fields in applications that use input for processing. A malicious user can quickly exploit such fields. The most important measure for securing applications is sufficient knowledge, since a lack of it often results in poorly secured applications. The specialization project [33] concluded that routines among IT companies are too poor when it comes to security. Developers do not have enough knowledge of the area, and the Internet is increasingly used for services that involve sensitive or critical information. This project covers a range of input attacks and the danger they pose, and presents a number of Security Patterns that can be used to protect against these attacks. The Security Patterns describe the problem, place it in a context and suggest solutions that can be used in the validation. This project focuses on solutions in the form of regex, since it is an effective method for this purpose. All the Security Patterns are presented in a library on a website developed in this project. The aim has been to give developers a common source where they can search for input attacks, find solutions to protect themselves against them, and add their own suggested solutions if they wish. A function has also been created so that users can give positive or negative feedback on the contributions. This provides a form of quality assurance and will, over time, help make the library more complete. The library was developed with developers who have little familiarity with input attacks and regex in mind, but it is also suitable for more experienced users. In addition to the website, a plugin has been developed for the Eclipse development tool, containing the Security Patterns from the website and a regex generator that helps users generate their own regex. An applet version of the generator is available on the website for those who do not use Eclipse.
The project has been tested internally and externally by potential users, and it has also been sent to companies, from which feedback was received. The testers regarded the products as useful and user-friendly, but they also gave constructive feedback on what could be improved in both usability and functionality. The test results were analysed, and a number of improvements were made to the system based on the analysis. The evaluation looks at the positive and negative sides of the products, based on our own experiences and views and on the test persons' feedback. The evaluation has given an overview of a number of areas that can be improved, both on the website and in the plugin, and this is described in the chapter "further work". Keywords: Software security, Input validation, Regex, Plugin, Security Pattern.

The Amazing City Game

Bjerkhaug, Sondre Wigmostad, Mathisen, Runar Os, Valtola, Lawrence Alexander January 2011
Smartphones with capabilities for wireless Internet and GPS have become increasingly common in recent years, and a consequence of this is that pervasive games have become more interesting from both an academic and a commercial point of view. Another area of interest is lifelong learning, which offers a more modern take on education compared to the traditional learning model. In this thesis we aim to discover whether or not pervasive gaming can help achieve lifelong learning. This is done by creating a prototype of a pervasive game in a lifelong learning context for Android, analyzing the effectiveness of the prototype, and using the experiences drawn from it to design a platform to run knowledge competitions. We achieved this by conducting a prestudy on the Android mobile phone operating system (including extension applications), the history of Trondheim, lifelong learning, pervasive games, and the use of pervasive games in a lifelong learning context. During the prestudy we found out that there are several external applications and features of Android that can be utilized to expand the social, spatial, and temporal expansions of pervasive games. We also found that, in theory, pervasive games proved to be a suitable platform to support lifelong learning. We then designed and developed a prototype on Android to run a puzzle race called "The Amazing City Game". The race consisted of completing different tasks related to the history of Trondheim, while traveling between many of the historical sites in the city. A demonstration race was conducted in early May with four groups of two students each, using the authors and supervisors of this thesis as group observers. At the end of the race, the participants filled out a survey. Using the observations from the race and the results from the survey we found that the prototype was perceived as fun and educational.
However, construction of the race was challenging with many pitfalls concerning ambiguous tasks, use of language, and game balance. Finally, we have provided a possible design for a platform for running knowledge competitions. We used the experiences from the development of the prototype, and the results from the demonstration race to design a cleaner and more complete framework. This includes a refinement of the existing functionality and user interface, adding requirements, and providing an extended discussion on topics such as having an online community, possible server solutions, and security measures against cheating. We believe that the concept of puzzle races in a lifelong learning context is an interesting concept that could have positive effects if utilized in the real world.

Temporal Opinion Mining

Bjørkelund, Eivind, Burnett, Thomas Hoberg January 2012
This project explores the possibilities in detecting changes in opinion over time. For this purpose, different techniques and algorithms in opinion mining have been studied and used as a theoretic foundation when developing strategies towards detecting changes in opinions. Different approaches to a system that detects and visualises changes in opinions have been proposed. These approaches include using machine learning techniques like the naive Bayes algorithm and opinion mining techniques based on SentiWordNet. Additionally, feature extraction techniques and the impact of burst detection have been studied. During this project, experiments have been carried out in order to test some of the techniques and algorithms. A data set containing hotel reviews and a prototype have been built for this purpose, allowing easy support for testing and validation. Results found high accuracy in opinion mining with the lexicon SentiWordNet, and the prototype can detect hotel features and possible reasons for changes in opinion. It can also show "good" and "bad" geographical areas based on hotel reviews. For commercial use, the prototype can help analyse the massive amount of hotel information published each day by customers, and can help hotel managers analyse their products. It can also be used as a more advanced hotel search engine where users can find extra information in a map user interface.

