  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
151

混合式的Java網頁應用程式分析工具 / A hybrid security analyzer for Java web applications

江尚倫 Unknown Date (has links)
In recent years, the development of web applications has been flourishing and the population using the Internet has been increasing; providing customer service and doing business over the network has become a prevalent trend. Consequently, web applications have become the targets of web hackers. With the progress of information technology, web attack techniques are constantly renewed and become widespread. Some approaches have been taken to prevent web attacks, such as firewalls and encrypted connections, but these approaches have a limited effect against these attack techniques. The basic method that should be taken is to eliminate the vulnerabilities inside the web application. Program analysis is a common technique for detecting these vulnerabilities. There are two major program analysis approaches: static analysis and dynamic analysis. Both approaches can detect vulnerabilities effectively. We reviewed several program analysis tools; most of them are static analysis tools. However, we noticed that it is insufficient to analyze Java programs in a static way due to the characteristics of the Java language, e.g., polymorphism, reflection and more. Static analysis has inherent defects in examining these features, because static analysis happens when the program is not executing and lacks runtime information. In this thesis, we focus on dynamic analysis of programs, where the analysis occurs while the program is executing, to solve the problems mentioned above in Java web applications. In order to retrieve the runtime analysis information, we utilize the instrumentation mechanism provided by AspectJ. We instrument the program with a purpose-designed module that gathers the needed information, and execute the program in a unit-testing approach. Our dynamic analysis module retrieves the information from the instrumented executing program and utilizes the characteristics of Java to perform tainted data tracking. We considered that the dynamic tracking mechanism will leave some vulnerabilities undiscovered when the program is not completely executed. Hence we adopt the online analysis concept and design an online analysis module to find the potential vulnerabilities which cannot be detected by dynamically tracking the tainted data. Our analysis tool finally integrates these two analysis results and provides the soundest analysis result for developers.
152

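Educação em contextos familiares para o desenvolvimento humano e social: transições e heranças geracionais / Education in family contexts for human and social development: transitions and generational legacies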

Santos, Tatiana de Souza Pinheiro dos 14 December 2015 (has links)
This research analyzed the meanings and values, expectations, experiences and educational practices of successive generations (three women and their mothers) concerning the relationship between school and family, taking into account the social mobility aspirations of the people researched, through analysis of each individual’s life course. This study discusses education from a human development perspective, characterized by the multidimensionality attributed to the process of human emancipation in order to overcome the conditions of vulnerability present in poverty. This research also discusses some life course events with an emphasis on education, marriage, maternity and work: the admissions, discontinuities and readmissions of the women interviewed in schools, as well as the role they played in families and in society. The survey was conducted in a municipal public school of Ensino Fundamental I, on the outskirts of Salvador, in 2015, taking as its criterion the selection of three families within which at least two generations of women have studied and whose children (third generation) are currently enrolled. The methodological approach used was qualitative, based on case studies, by means of the life-story technique, using a field diary and interviews as tools for data collection, in addition to observations in loco. This longitudinal study brought together researcher and researched in a specific place and time and could notice variations and characteristics developed in these subjects through the education process, as well as the changes in families and in society that emerged in this process. The main results show the recognition of female leadership in these three cases, even with the presence of a man in two of them. The teen pregnancy of these mothers was identified as the most important factor in leaving school, despite all the support given by their mothers. However, their children are currently attending school, living in a context of eradication of child labor; they were admitted to school at the right age and stay there, despite a few periods of absence. These families recognize as major advances the acquisition of books in general, schoolbooks and uniforms, today provided by educational policies. It is evident how much mothers value and invest in their children’s studies, which goes against the idea that poor families do not value education. Instead, the research concludes that families use the studies as a basis for investing their resources and build high expectations of advancement and access to new opportunities in work and social life, despite the need for subsistence and the observed vulnerabilities. However, some aspects related to flexibility and communication between school officials and families, directly related to the school bylaws, emerge as complaints by the respondents, who argue they have become obstacles to family participation in the educational community, through which opportunities to carry out future projects for social mobility could be realized.
153

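Adolescentes institucionalizados(as) em situação de exclusão na cidade de Salvador: uma investigação social e étnica sob o prisma dos direitos humanos / Institutionalized adolescents in situations of exclusion in the city of Salvador: a social and ethnic investigation through the lens of human rights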

Santana, Gilton Carlos da Silva 20 October 2016 (has links)
The purpose of this dissertation is to analyze the situation of children (people aged between 12 and 17 years old) institutionalized in the city of Salvador, Bahia. The intention was to combine ethnic and regional bias, focusing on collecting data to show the reality of this socially vulnerable population. The idea of this study was to analyze the local reality using epistemological reflections marked by critical theory and laws of Human Rights. Considering the specific objectives, the following goals were established: to carry out a survey data collection based on official statistics, establishing possible categories of color-ethnicity, race and the age group mentioned above; to establish theoretically the possible connection between public policy and Human Rights; to identify the existing network for assistance, protection and support for this public according to the principle of full protection (ECA, 1990); and to analyze the specialized legislation for hosting this age group in the city of Salvador. The period between 2013 and 2016 was established as the timeframe, in which qualitative methods were applied to examine the interviews showing the representations of the public power (with consent and a guarantee of confidentiality and secrecy). Statistical analysis was also conducted on technical reports collected from the Public Ministry of Bahia, the National Council of Justice and the Court of the State of Bahia database as secondary sources. The results show that even though it was possible to identify a significant increase in the volume of Institutional Foster Care Service (51.79%), there is no homogeneous distribution throughout the national territory. In the same timeframe it was possible to verify an increase of 19.53% in the total number of vulnerable people demanding institutional help. From 2013 to 2016, 46 new units were created in Bahia, despite the growth of 48.30% in protective measures. In addition, in the specific research area 324 people were detected, which represents 0.70% of the national statistics (45,893). In conclusion, this study revealed that variables such as health problems and physical vulnerabilities are the most relevant ones in the process of institutionalization.
154

Graybox-baserade säkerhetstest : Att kostnadseffektivt simulera illasinnade angrepp / Graybox-based security tests: Cost-effectively simulating malicious attacks

Linnér, Samuel January 2008 (has links)
A network architecture penetration test is complicated, full of risks and extensive. This report explores how a consultant carries it out in the most time-effective way, without overlooking important parts. In an internal penetration test the consultant is often allowed to view the system documentation of the network architecture, which saves a lot of time since no total host discovery is needed. This is also good for discovering anomalies in the system documentation. Communication with system administrators during the test minimizes the risk of misunderstanding and system crashes. If serious vulnerabilities are discovered, the system administrators have to be informed immediately. Another way to make the test more effective is to skip time-consuming tasks which will succeed sooner or later, e.g. password cracking, and instead point out that the reason for the vulnerability is the ability to brute-force the password. It is also appropriate to simulate attacks which otherwise could affect the production of the organization. The result of the report is a checklist that can be read as a general methodology for how internal penetration tests could be carried out. The purpose of the checklist is to make it easier to do internal penetration tests. The process is divided into seven steps: planning, information gathering, vulnerability detection and analysis, privilege escalation, penetration test and final reporting.
155

Rámec pro řízení bezpečnostních rizik on-line služeb / Framework for on-line service security risk management

Mészáros, Jan January 2010 (has links)
This dissertation thesis is dedicated to on-line services security management from the service provider's and the service consumer's viewpoints. The main goal is to propose a framework for on-line services security risk management, to develop a supporting software tool prototype and to validate them through a case study performed in a real-world environment. The key components of the proposed framework are a threat model and a risk model. These models are designed to fit specific features of on-line services and the surrounding environment. A risk management process is an integral part of the framework. The process is suitable for frequent and recurrent risk assessments. The process comprises eight steps; related roles and responsibilities are defined for each step. The process execution results in identification and execution of proper tasks which contribute to treatment of identified security risks and deficiencies. Documentation and reporting of an overall level of on-line services security over time is possible if the process is executed on a regular basis. The proposed framework was validated through a case study performed in a large enterprise environment.
156

Influence des vulnérabilités des personnes sur l’appréciation de l’expérience de soins de première ligne / Influence of persons’ vulnerabilities on the appreciation of the primary care experience

Haidar, Ola 12 1900 (has links)
The objective of this thesis is to analyze variations in persons’ appreciation of their experience of primary care based on their vulnerabilities when the usual sources of care used and the local contexts within which the care is obtained are considered, all within the frame of a universal system of hospital and physician services. We appreciated the experience of primary care of 9 206 persons. At the same time, the health-related, biological, material, relational and cultural vulnerabilities of the users of the services are evaluated. Also, a classification into three categories of usual sources of care is used: 1) no usual source of care, 2) a usual source of primary care identified in a taxonomy of five organizational models (four models of professional type, namely the unique provider, the contact, the coordination and the integrated coordination, and a fifth model of community type), and finally 3) a usual source of care not of the primary level. In addition, a taxonomy of four groups of local contexts is used: the provided-independent, the balanced-coordinated, the deprived-dependent and the affluent-trader. Multiple logistic regression analyses were carried out. The first article of the thesis elaborates on the influence of the vulnerabilities of persons and their interactions on the appreciation of the experience of care. It reveals that persons’ vulnerabilities are generally associated with a positive appreciation of the experience of care, except for the culturally vulnerable persons. This positive effect of vulnerability on appreciation increases in the presence of a second vulnerability, especially the health-related vulnerability. Culturally vulnerable persons have a more frequent positive appreciation of their experience of care if they are also vulnerable in their health. The second article features an analysis of the moderating effect of the usual sources of care on the relationship between different vulnerabilities and the appreciation of the experience of care. The main finding is that materially and relationally vulnerable persons have a more frequent positive appreciation of their experience of care when they use a usual source of primary care. This positive appreciation is the most frequent for the professional unique provider model and the least frequent for the professional contact model. In the third article, we focus on the moderating effect of the local contexts on the relationship between the vulnerabilities and the appreciation of the experience of care. The positive appreciation of the experience of care by the vulnerable persons is the highest when care is obtained in the balanced-coordinated context, except for the culturally vulnerable persons. Meanwhile, the positive appreciation is the least for care obtained in the affluent-trader or provided-independent context. The fourth and last article focuses on the analysis of the moderating effect of the interaction between the usual sources of care and the local contexts on the appreciation of the experience of care based on vulnerabilities. The main finding is that usual sources of care are not associated with the same appreciation of the experience of care in all the local contexts for culturally vulnerable persons. However, they have a less frequent positive appreciation when they use the professional contact and integrated coordination models or the community model in the deprived-dependent or affluent-trader context. This study shows that vulnerable people favor solo practice and that the abundance of resources at the local level does not guarantee a better appreciation of the experience of care. The interdependence of individual, organizational, and contextual factors must be considered to better understand the appreciation of the experience of care.
157

Webová aplikace pro testování zranitelností webového serveru / Web application for testing web server vulnerabilities

Šnajdr, Václav January 2021 (has links)
The Master’s Thesis deals with the design and implementation of a web application for testing the security of SSL/TLS protocols on a remote server. The web application is developed in the Nette framework. The theoretical part describes SSL/TLS protocols, vulnerabilities, recommendations and technologies used in the practical part. The practical part is devoted to the creation of a web application with the process of using automatic scripts to test and display the results on the website with a rating of A+ to C. The web application also displays a list of detected vulnerabilities and their recommendations.
158

The Security Layer

O'Neill, Mark Thomas 01 January 2019 (has links)
Transport Layer Security (TLS) is a vital component to the security ecosystem and the most popular security protocol used on the Internet today. Despite the strengths of the protocol, numerous vulnerabilities result from its improper use in practice. Some of these vulnerabilities arise from weaknesses in authentication, from the rigidity of the trusted authority system to the complexities of client certificates. Others result from the misuse of TLS by developers, who misuse complicated TLS libraries, improperly validate server certificates, employ outdated cipher suites, or deploy other features insecurely. To make matters worse, system administrators and users are powerless to fix these issues, and lack the ability to properly control how their own machines communicate securely online. In this dissertation we argue that the problems described are the result of an improper placement of security responsibilities. We show that by placing TLS services in the operating system, both new and existing applications can be automatically secured, developers can easily use TLS without intimate knowledge of security, and security settings can be controlled by administrators. This is demonstrated through three explorations that provide TLS features through the operating system. First, we describe and assess TrustBase, a service that repairs and strengthens certificate-based authentication for TLS connections. TrustBase uses traffic interception and a policy engine to provide administrators fine-tuned control over the trust decisions made by all applications on their systems. Second, we introduce and evaluate the Secure Socket API (SSA), which provides TLS as an operating system service through the native POSIX socket API. The SSA enables developers to use modern TLS securely, with as little as one line of code, and also allows custom tailoring of security settings by administrators. 
Finally, we further explore a modern approach to TLS client authentication, leveraging the operating system to provide a generic platform for strong authentication that supports easy deployment of client authentication features and protects user privacy. We conclude with a discussion of the reasons for the success of our efforts, and note avenues for future work that leverage the principles exhibited in this work, both in and beyond TLS.
159

Threat Modeling and Penetration Testing of a Yanzi IoT-system : A Survey on the Security of the system’s RF communication

Isabar, Diyala January 2021
Internet of Things (IoT) products have in recent years become increasingly popular with both industries and private consumers, and it has been forecasted that the number of connected devices around the world will be roughly 14 billion in the year 2022. One particular field for which the boom in IoT solutions continues to create endless possibilities is smart offices. Several different devices are connected in an office environment to create a better workplace and enable a better, faster and smarter working approach. However, while there are several advantages to IoT devices, they have also introduced new security threats that cannot be overlooked. In this thesis, the security of a smart office system designed by Yanzi is examined. The system consists of a gateway, 34 sensors and a cloud service embedded as a SaaS. The security analysis was performed in three steps: planning, penetration testing and reporting. Radio frequency (RF) hacking against the system's RF communication was the main focus of the work. Due to some technical issues, not all selected attacks were possible to perform. Of the three that were possible to perform, one revealed a security flaw. Different countermeasures for the found flaw were proposed. / "Internet of Things" products have in recent years become increasingly popular among both industries and private consumers, and it has been forecast that the number of connected devices around the world will be approximately 14 billion in 2022. One particular area for which the growth of IoT solutions continues to create endless possibilities is smart offices. Several different devices are connected in an office environment to create a better workplace and enable a better, faster and smarter way of working. Although there are several advantages to IoT, they have also introduced new security threats that cannot be overlooked. In this thesis, the security of a smart office system designed by Yanzi is examined. The system consists of a gateway, 34 sensors and a cloud service embedded as a SaaS. The security analysis was performed in three steps: planning, penetration testing and reporting. Radio frequency hacking against the system's radio communication was the main focus of the work. Due to certain technical problems, it was not possible to perform all the proposed attacks. Of the three that were possible to perform, one revealed a security flaw. Various countermeasures for the discovered vulnerability are proposed.
160

A framework for higher academic institutions in the republic of South Africa to mitigate network security threats and attacks.

Mohapi, Matrinta Josephine 06 1900
M. Tech. (Department of Information and Communication Technology, Faculty of Applied and Computer Sciences), Vaal University of Technology. / The computer networks of higher academic institutions play a significant role in the academic lives of students and staff in terms of offering them an environment for teaching and learning. These institutions have introduced several educational benefits such as the use of digital libraries, cluster computing, and support for distance learning. As a result, the use of networking technologies has improved the ability of students to acquire knowledge, thereby providing a supportive environment for teaching and learning. However, academic networks are constantly being attacked by viruses, worms, and malicious users intent on compromising systems that are perceived to be secure. Network security threats and cyber-attacks are significant challenges faced by higher academic institutions that may cause a negative impact on systems and Information and Communications Technology (ICT) resources. For example, the infiltration of viruses and worms into academic networks can destroy or corrupt data, and the excessive network traffic they cause may lead to massive delays. This weakens the ability of the institution to function properly, and results in prolonged downtime and the unavailability of Information Technology (IT) services. This research determines the challenges faced by higher academic institutions, identifies the types of security measures used at higher academic institutions, and examines how network security could be addressed and improved to protect against network security threats and attacks. Two research approaches were adopted, namely a survey and an experiment. Survey questionnaires were distributed to IT technical staff at higher academic institutions in Gauteng province to determine the challenges they face in terms of securing their networks. It is crucial that network security takes on a prominent role when managing higher academic institutions' networks. The results of the study reveal several challenges such as budget constraints, inadequate security measures, lack of enforcement of network security policies, and lack of penetration testing on systems and the network. The results also reveal that the implementation of security measures can and does address network security threats and attacks. It is therefore extremely important for higher academic institutions to implement proper security measures to help mitigate network security threats and attacks. The framework proposed is based on the results from the research study to help mitigate network security threats and attacks at higher academic institutions.
