The Infona portal uses cookies, i.e. strings of text saved by a browser on the user's device. The portal can access those files and use them to remember the user's data, such as their chosen settings (screen view, interface language, etc.), or their login data. By using the Infona portal the user accepts automatic saving and using this information for portal operation purposes. More information on the subject can be found in the Privacy Policy and Terms of Service. By closing this window the user confirms that they have read the information on cookie usage, and they accept the privacy policy and the way cookies are used by the portal. You can change the cookie settings in your browser.
Integer errors in C/C++ are caused by arithmetic operations yielding results which are unrepresentable in certain type. They can lead to serious safety and security issues. Due to the complicated semantics of C/C++ integers, integer errors are widely harbored in real-world programs and it is error-prone to repair them even for experts. An automatic tool is desired to 1) automatically generate fixes...
This paper presents a semantics-aware rule recommendation and enforcement (SARRE) system for taming information leakage on Android. SARRE leverages statistical analysis and a novel application of minimum path cover algorithm to identify system event paths from dynamic runtime monitoring. Then, an online recommendation system is developed to automatically assign a fine-grained security rule to each...
Malicious software poses a major threat to network security. The sheer volume of it is growing at an exponential pace. Researches have shown that the majority of new malicious samples are just variations of encountered malicious software. Therefore, similarity analysis has been put forward as an effective way to counteract the enormous new instances. Through measuring the similarity degree among instances,...
Fine grained information flow monitoring can in principle address a wide range of security and privacy goals, for example in web applications. But it is very difficult to achieve sound monitoring with acceptable runtime cost and sufficient precision to avoid impractical restrictions on programs and policies. We present a systematic technique for design of monitors that are correct by construction...
A number of systems have been developed for dynamic information flow control (IFC). In such systems, the security policy is expressed by labeling input and output channels, it is enforced by tracking and checking labels on data. Systems have been proven to enforce some form of noninterference (NI), formalized as a property of two runs of the program. In practice, NI is too strong and it is desirable...
Programming languages have long incorporated type safety, increasing their level of abstraction and thus aiding programmers. Type safety eliminates whole classes of security-sensitive bugs, replacing the tedious and error-prone search for such bugs in each application with verifying the correctness of the type system. Despite their benefits, these protections often end at the process boundary, that...
A prerequisite to implementing virtualization-aware security solutions is to solve the "semantic gap" problem. Current approaches require a deep knowledge of the kernel data to manually solve the semantic gap. However, kernel data is very complex; an Operating System (OS) kernel contains thousands of data structures that have direct and indirect (pointer) relations between each other with...
Database systems are an important element of any web based systems. As such, it is very important to test database systems adequately because if any defects go undetected in the design and/or implementation of database systems, it may jeopardize dependability of web based systems. Web-based systems are examples of systems that heavily relay on databases, they are expected to be highly available and...
Integers represent a growing and underestimated source of vulnerabilities in C and C++ programs. This paper presents the As-if Infinitely Ranged (AIR) Integer model for eliminating vulnerabilities resulting from integer overflow, truncation, and unanticipated wrapping. The AIR Integer model either produces a value equivalent to that obtained using infinitely ranged integers or results in a runtime-constraint...
Services are successful for applications with high levels of dynamicity and interoperability. Ironically the actual Service-Oriented Computing (SOC) technologies are such that interoperability is problematic if different platforms are used simultaneously, and dedicated tools for the support of most engineering tasks are essentially missing. We address the interoperability issue through the definition...
In recent years it has been shown that dynamic monitoring can be used to soundly enforce information flow policies. For programs distributed in source or bytecode form, the use of just-in-time (JIT) compilation makes it difficult to implement monitoring by modifying the language runtime system. An inliner avoids this problem and also serves to provide monitoring for more than one runtime. We show...
We present VeTo a language to specify protection rules for VoIP systems, supported by the SecSip prevention framework. VeTo offers a unique way to specify both vulnerabilities and countermeasures to protect SIP services against known vulnerabilities. We illustrate the applicability of the language through the specification of several known attacks and assess its efficiency through a target testbed.
Program security enforcement is designed to ensure that a program respects a given security policy, which generally specifies the acceptable executions of that. In general, the enforcement is achieved by adding some controls (tests) inside the target program or process. The major drawback of existing techniques is either their lack of precision or their inefficiency, especially those dedicated for...
Set the date range to filter the displayed results. You can set a starting date, ending date or both. You can enter the dates manually or choose them from the calendar.