Provides an abstract for each of the tutorial presentations and a brief professional biography of each presenter. The complete presentations were not made available for publication as part of the conference proceedings.
Security testing is a pivotal activity in engineering secure software. It consists of two phases: generating attack inputs to test the system, and assessing whether test executions expose any vulnerabilities. The latter phase is known as the security oracle problem. In this work, we present SOFIA, a Security Oracle for SQL-Injection Vulnerabilities. SOFIA is programming-language and source-code independent,...
There is no doubt that agile methods have become mainstream and with their increased use unanswered questions start to appear: How do we address cross-cutting concerns when software is developed vertically? Does value prioritization lead to increases in technical debt by promoting feature development over refactoring? Isn’t the reticence to write initial specifications on the premise of change an...
Concolic testing is a powerful technique for vulnerability detection. Current concolic testing tools usually randomly select one well-formed concrete input to start their workflow, then employ different path selection methods to explore the execution space. However, experiments have shown that concolic testing tools have different vulnerability detection performance when starting with different well-formed...
The widespread use of wireless communications, the Internet, and mobile technology offers the opportunity to supply a new generation of decision support commonly known as Mobile Decision Support Systems (MDSS). This paper describes research towards the evaluation of such systems. Our view is that the end user will benefit if provided with better-quality MDSS. We propose a quality model taking into account...
The US Department of Transportation's (USDOT) Southeast Michigan Connected Vehicle Test Bed originally hosted USDOT Proof of Concept Testing (POC), starting in 2007. Following the success of the POC, the USDOT initiated the development of a Connected Vehicle Reference Implementation Architecture (CVRIA), and in 2013 began the final design and trial implementation of the CVRIA at the USDOT's Southeast...
This paper compares and contrasts the most widely used network security datasets, evaluating their efficacy in providing a benchmark for intrusion and anomaly detection systems. The antiquated nature of some of the most widely used datasets along with their inadequacies is examined and used as a basis for discussion of a new approach to analyzing network traffic data. Live network traffic is collected...
Efficient Wi-Fi probing has been demonstrated to leak sensitive user information. During the probing process, Wi-Fi clients transmit the names of previously known Wi-Fi access points (APs) in plaintext. An eavesdropper can easily collect the information leaked by this Wi-Fi probing process to mount numerous attacks, such as fake AP or revealing hidden APs, or to breach users' privacy. Since APs are...
Vulnerability analysis is an important component of software assurance practices. One of its most challenging issues is to find software flaws that could be exploited by malicious users. A necessary condition is the existence of some tainted information flow between tainted input sources and vulnerable functions. Finding the existence of such a taint flow dynamically is an expensive and nondeterministic...
Security requirements engineering ideally combines expertise in software security with proficiency in requirements engineering to provide a foundation for developing secure systems. However, security requirements are often inadequately understood and improperly specified, often due to lack of security expertise and a lack of emphasis on security during early stages of system development. Software...
MMT (Montimage Monitoring Tool) is a monitoring solution that combines data capture, filtering and storage, event extraction, statistics collection, traffic analysis and reporting. In the context of the PIMI and DIAMONDS projects, Montimage is developing MMT-Security: a security analysis solution (part of MMT) that inspects network traffic against a set of security properties denoting both security...
This paper presents a systematic approach for a context-based evaluation of SOA testing tools, with an emphasis on security. An evaluation framework is used to structure a case study with a selection of SOA testing tools. The evaluation data are analyzed and discussed to show the tools' strengths and weaknesses. This research reveals three main results. The first result highlights the gap between...
The interaction between business communities becomes a crucial requirement due to the need to exchange and share resources and services. In general, each system defines its own security policy to manage access control to its resources. In this case, we may have security interoperability problems due to the variety and complexity of secured system implementations. In this paper, we provide a formal...
Sufficient test coverage for Software Agents that operate in an open and dynamic environment is unlikely to be achieved during the agents' development. Especially when agents exhibit self properties and are constantly adapting to changes in their environment it is important to limit their autonomy to ensure that their behaviour lies within safe boundaries. To increase the trust in the agents, once...
The number of application areas where the security of resources, whether people, information or physical property, is required is ever increasing as our world culture changes and the potential threats to individuals rise. The threats that security systems need to mitigate are becoming both more complex and more asymmetric. In association with this, the number of emerging technologies that can be applied...
This paper proposes a method for detecting vulnerability defects caused by tainted data, based on a state machine. It first uses the state machine to define various defect patterns. If the states of the state machine are considered as the values propagated in dataflow analysis, and the union operation on state sets as the aggregation operation of dataflow analysis, then defect detection can be treated as a forward...
This paper presents a methodology to perform passive testing of behavioural conformance for web services based on security rules. The proposed methodology can be used either to check a trace (offline checking) or for runtime verification (online checking) with timing constraints, including future and past time. In order to perform this: firstly, we use the Nomad language to define the security...
Reusability of resources is a challenge for the development of e-assessment. We have analyzed the existing frameworks reported in surveys and literature in e-assessment and complementary domains. It turns out that they insufficiently address issues such as security, accessibility, quality, and context. We suggest overcoming these barriers by integrating metadata into a multidimensional framework,...
In recent years Web-based systems have become extremely popular and, nowadays, they are used in critical environments such as financial, medical, and military systems. As the use of Web applications for security-critical services has increased, the number and sophistication of attacks against these applications have grown as well. For this reason it is essential to be able to prove that the target...
Testing network-based security tools such as intrusion detection and prevention systems (IDS/IPS) differs from testing ordinary network tools (e.g., routers and switches). Basically, in addition to the parameters (such as bandwidth utilization, routing information and packets timing) that are important for network tools, security tools are more sensitive to issues like traffic composition, contents,...