The Design and Evaluation of a Defense System for Internet Worms

Date added: 11/30/2007

Many areas of society have become heavily dependent on services such as transportation facilities, utilities
and so on that are implemented in part by large numbers of computers and communications links. Both past
incidents and research studies show that a well-engineered Internet worm can disable such systems in a fairly
simple way and, most notably, in a matter of a few minutes. This indicates the need for defenses against
worms but their speed rules out the possibility of manually countering worm outbreaks. We present a
platform that emulates the epidemic behavior of Internet active worms. For purposes of experimentation, the
platform has been deployed on a cluster of computers to emulate worm outbreaks in very large networks. A
wide variety of worm properties can be studied and network topologies of interest constructed. A reactive
control system, based on the Willow architecture and the OOPS policy framework, operates on top of the
platform and provides a monitor/analyze/respond approach to deal with infections automatically. The logic
driving the control system is synthesized from a formal specification, which is based on control rules
correlating sensor events. Details of our highly configurable platform, the theory of operation of the Willow
architecture, the features of the specification language, and various experimental performance results are
presented.

Automatically Hardening Web Applications Using Precise Tainting

Date added: 12/01/2007

Most web applications contain security vulnerabilities. The simple and natural
ways of creating a web application are prone to SQL injection attacks and
cross-site scripting attacks as well as other less common vulnerabilities. In
response, many tools have been developed for detecting or mitigating common
web application vulnerabilities. Existing techniques either require effort from
the site developer or are prone to false positives. This paper presents a fully
automated approach to securely hardening web applications. It is based on
precisely tracking taintedness of data and checking specifically for dangerous
content only in parts of commands and output that came from untrustworthy
sources. Unlike previous work in which everything that is derived from tainted
input is tainted, our approach precisely tracks taintedness within data values.
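
The following is an added example, not the paper's implementation, of what character-level taint tracking buys at a sink. Each string carries a taint bit per character; the query template written by the developer is untrusted-free, the request value is tainted, and the SQL check only inspects tainted characters. A tainted name inside a quoted literal passes (a whole-value taint scheme would reject or escape the entire query), while a tainted quote, keyword or comment marker that changes the command structure is reported. The HTML check works the same way and is satisfied by an escaping routine that preserves taint per character. The `TString` type, the query shapes and the rules for what counts as structural are this example's own.

```python
"""Character-level ("precise") taint tracking at SQL and HTML sinks.

Added illustration, not the paper's implementation.  Every string is a
list of (character, tainted) cells: developer-written template text is
untainted, request data is tainted per character.  The sink checks look
only at tainted characters, so a tainted value inside a string literal
is accepted while a tainted quote, keyword or comment marker that
changes the command structure is reported.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class TString:
    cells: List[Tuple[str, bool]]            # (character, is_tainted)

    def __add__(self, other: "TString") -> "TString":
        return TString(self.cells + other.cells)

    def text(self) -> str:
        return "".join(c for c, _ in self.cells)

    def mask(self) -> str:
        """'^' under every tainted character, for display."""
        return "".join("^" if t else " " for _, t in self.cells)


def trusted(s: str) -> TString:
    return TString([(c, False) for c in s])


def untrusted(s: str) -> TString:
    return TString([(c, True) for c in s])


def check_sql(q: TString) -> List[Tuple[int, str]]:
    """Return (position, reason) for each tainted character that would
    change the structure of the SQL command; an empty list means safe."""
    cells, bad, in_literal, i = q.cells, [], False, 0
    while i < len(cells):
        c, tainted = cells[i]
        if in_literal:
            if c == "'":
                if i + 1 < len(cells) and cells[i + 1][0] == "'":
                    i += 2                       # '' is an escaped quote
                    continue
                if tainted:
                    bad.append((i, "tainted quote terminates string literal"))
                in_literal = False
            i += 1
        elif c == "'":
            if tainted:
                bad.append((i, "tainted quote opens string literal"))
            in_literal = True
            i += 1
        elif tainted:
            # Tainted run outside any literal: only a bare integer is allowed.
            j = i
            while j < len(cells) and cells[j][1] and cells[j][0] != "'":
                j += 1
            run = "".join(ch for ch, _ in cells[i:j]).strip()
            if not run.isdigit():
                bad.append((i, "tainted non-numeric data outside a literal: %r" % run))
            i = j
        else:
            i += 1
    if in_literal:
        bad.append((len(cells), "unterminated string literal"))
    return bad


HTML_ESCAPES = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}


def escape_html(s: TString) -> TString:
    """Escape markup characters while preserving taint per character."""
    return TString([(e, t) for c, t in s.cells for e in HTML_ESCAPES.get(c, c)])


def check_html(out: TString) -> List[Tuple[int, str]]:
    """Report tainted characters that can open or close markup."""
    return [(i, "tainted %r in HTML output" % c)
            for i, (c, t) in enumerate(out.cells) if t and c in "<>\"'"]


def lookup_query(name: TString) -> TString:
    """The natural way to build the query: template plus request data."""
    return trusted("SELECT * FROM users WHERE name = '") + name + trusted("'")


if __name__ == "__main__":
    for raw in ("bob", "O''Brien", "' OR '1'='1"):
        q = lookup_query(untrusted(raw))
        print(q.text())
        print(q.mask())
        print(check_sql(q), "\n")
```

Running the block prints each assembled query with its taint mask underneath; only the third one is reported, and only its tainted quote and the tainted `OR` outside the literal are named, not the developer's template.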

Testing Web Services by XML Perturbation

Date added: 12/01/2007

The eXtensible Markup Language (XML) is widely used
to transmit data across the Internet. XML schemas are used
to define the syntax of XML messages. XML-based applications
can receive messages from arbitrary applications, as
long as they follow the protocol defined by the schema. A
receiving application must either validate XML messages,
process the data in the XML message without validation,
or modify the XML message to ensure that it conforms to
the XML schema. A problem for developers is how well the
application performs the validation, data processing, and,
when necessary, transformation. This paper describes and
gives examples of a method to generate tests for XML-based
communication by modifying and then instantiating XML
schemas. The modified schemas are based on precisely defined
schema primitive perturbation operators.
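
As an added example of the generate-by-perturbing idea (not the paper's tool, and the operator names are this example's own rather than the paper's primitive operators), the block below models a schema as a small Python structure, applies one primitive change per operator, and instantiates a message from each changed schema. Every generated message therefore violates exactly one constraint of the original schema. A validator stands in for the receiving application and acts as the oracle. The `<order>` schema and the sample values are constructed.

```python
"""Generating XML test messages by perturbing a schema description.

Added illustration, not the paper's tool; the operator names are this
example's own and the tiny schema model (element name, type,
minOccurs/maxOccurs, maxLength) stands in for a real XSD.  Each operator
changes one primitive of the schema, and a message is instantiated from
the changed schema, so every test violates exactly one constraint of the
original.  A validator plays the receiving application and serves as the
oracle: each generated message should be rejected.
"""
import copy
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed sample schema for an <order> message (not from the paper).
ORDER_SCHEMA: Dict = {
    "root": "order",
    "elements": [
        {"name": "id",       "type": "int",    "min": 1, "max": 1},
        {"name": "customer", "type": "string", "min": 1, "max": 1, "maxLength": 8},
        {"name": "item",     "type": "string", "min": 1, "max": 3},
    ],
}


def sample_value(el: Dict) -> str:
    """A value that satisfies the element's type and length facets."""
    if el["type"] == "int":
        return "42"
    return "x" * el.get("maxLength", 6)


def instantiate(schema: Dict) -> str:
    """Build one XML message from a schema model (minOccurs copies of each element)."""
    root = ET.Element(schema["root"])
    for el in schema["elements"]:
        for _ in range(el["min"]):
            ET.SubElement(root, el["name"]).text = sample_value(el)
    return ET.tostring(root, encoding="unicode")


def perturbations(schema: Dict) -> List[Tuple[str, Dict]]:
    """(operator, perturbed schema) pairs; each applies one primitive change."""
    out = []

    def variant(index: int, **changes) -> Dict:
        s = copy.deepcopy(schema)
        s["elements"][index].update(changes)
        return s

    for i, el in enumerate(schema["elements"]):
        if el["min"] >= 1:                       # required element disappears
            out.append(("drop_required:" + el["name"], variant(i, min=0)))
        out.append(("exceed_maxOccurs:" + el["name"], variant(i, min=el["max"] + 1)))
        if el["type"] == "int":                  # wrong data type
            out.append(("type_swap:" + el["name"], variant(i, type="string")))
        if "maxLength" in el:                    # one character too long
            out.append(("exceed_maxLength:" + el["name"],
                        variant(i, maxLength=el["maxLength"] + 1)))
    s = copy.deepcopy(schema)                    # element the schema never declared
    s["elements"].append({"name": "debug", "type": "string", "min": 1, "max": 1})
    out.append(("extra_element:debug", s))
    return out


def generate_tests(schema: Dict) -> List[Tuple[str, str]]:
    return [(op, instantiate(s)) for op, s in perturbations(schema)]


def validate(xml_text: str, schema: Dict) -> List[str]:
    """Receiving side: every violation of the original schema, [] if valid."""
    root = ET.fromstring(xml_text)
    errors = []
    if root.tag != schema["root"]:
        errors.append("root is <%s>, expected <%s>" % (root.tag, schema["root"]))
    known = {el["name"]: el for el in schema["elements"]}
    for child in root:
        el = known.get(child.tag)
        text = (child.text or "").strip()
        if el is None:
            errors.append("unknown element <%s>" % child.tag)
        elif el["type"] == "int" and not text.lstrip("-").isdigit():
            errors.append("<%s> is not an int: %r" % (child.tag, text))
        elif len(text) > el.get("maxLength", len(text)):
            errors.append("<%s> exceeds maxLength %d" % (child.tag, el["maxLength"]))
    for el in schema["elements"]:
        n = len(root.findall(el["name"]))
        if not el["min"] <= n <= el["max"]:
            errors.append("<%s> occurs %d times, allowed %d..%d"
                          % (el["name"], n, el["min"], el["max"]))
    return errors


if __name__ == "__main__":
    for op, msg in generate_tests(ORDER_SCHEMA):
        print(op, "->", validate(msg, ORDER_SCHEMA))
```

The value of generating from the perturbed schema rather than hand-editing messages is that each test is tied to the one primitive it breaks, so an accepted message points straight at the schema constraint the receiver failed to enforce.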

Bypass Testing of Web Applications

Date added: 12/05/2007

Web software applications are increasingly being deployed
in sensitive situations. Web applications are used
to transmit, accept and store data that is personal, company
confidential and sensitive. Input validation testing
(IVT) checks user inputs to ensure that they conform to
the program’s requirements, which is particularly important
for software that relies on user inputs, including
Web applications. A common technique in Web applications
is to perform input validation on the client
with scripting languages such as JavaScript. An insidious
problem with client-side input validation is that end
users can bypass this validation. Bypassing validation
can reveal faults in the software, and can also break the
security on Web applications, leading to unauthorized
access to data, system failures, invalid purchases and
entry of bogus data. We are developing a strategy called
bypass testing to create IVT tests. This paper describes
the strategy, defines specific rules and adequacy criteria
for tests, describes a proof-of-concept automated tool,
and presents initial empirical results from applying bypass
testing.
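
An added example of the core idea (not the paper's tool, and the violation rules below are this example's own, not the paper's rules or adequacy criteria): read the constraints a form expresses on the client side, then build one request per constraint that a client can send by simply not running that validation. A server-side validator is included as the oracle, so a bypass test it accepts is a validation gap. The form, the valid baseline request and the `check_hidden` switch are constructed for the demonstration.

```python
"""Deriving bypass tests from the client-side constraints of an HTML form.

Added illustration; neither the paper's tool nor its rules.  The form is
constructed.  Each test is a request a client can send after simply
ignoring the HTML-attribute and JavaScript validation the page relies on:
the server never sees the maxlength, pattern, option list or hidden value
unless it re-checks them.  A server-side validator serves as the oracle;
any bypass test it accepts is a validation gap.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple

FORM = """
<form action="/buy" method="post">
  <input type="hidden" name="price" value="19.99">
  <input type="text" name="user" maxlength="8" required>
  <input type="text" name="zip" pattern="[0-9]{5}">
  <input type="number" name="qty" min="1" max="5">
  <select name="ship">
    <option value="std">Standard</option><option value="exp">Express</option>
  </select>
</form>
"""


class FormParser(HTMLParser):
    """Collect each field's constraining attributes (and a select's options)."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: Dict[str, Dict] = {}
        self._select = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                          # valueless attrs map to None
        if tag == "input":
            self.fields[a["name"]] = a
        elif tag == "select":
            self._select = a["name"]
            self.fields[a["name"]] = {"type": "select", "options": []}
        elif tag == "option" and self._select:
            self.fields[self._select]["options"].append(a["value"])

    def handle_endtag(self, tag):
        if tag == "select":
            self._select = None


def parse_form(html: str) -> Dict[str, Dict]:
    p = FormParser()
    p.feed(html)
    return p.fields


def bypass_tests(fields: Dict[str, Dict], valid: Dict[str, str]) -> List[Tuple[str, Dict[str, str]]]:
    """One request per client-side rule, each breaking exactly that rule."""
    tests = []
    for name, f in fields.items():
        if f.get("type") == "hidden":
            tests.append(("tamper_hidden:" + name, {**valid, name: "0.01"}))
        if "maxlength" in f:
            tests.append(("exceed_maxlength:" + name,
                          {**valid, name: "x" * (int(f["maxlength"]) + 1)}))
        if "required" in f:
            tests.append(("omit_required:" + name, {k: v for k, v in valid.items() if k != name}))
        if "pattern" in f:
            bad = next(v for v in ("", "x", "ABCDE", "1234567") if not re.fullmatch(f["pattern"], v))
            tests.append(("violate_pattern:" + name, {**valid, name: bad}))
        if f.get("type") == "number":
            tests.append(("below_min:" + name, {**valid, name: str(int(f["min"]) - 1)}))
            tests.append(("above_max:" + name, {**valid, name: str(int(f["max"]) + 1)}))
            tests.append(("non_numeric:" + name, {**valid, name: "five"}))
        if f.get("type") == "select":
            tests.append(("unlisted_option:" + name, {**valid, name: "free"}))
    tests.append(("extra_parameter:admin", {**valid, "admin": "1"}))
    return tests


NUMBER = re.compile(r"-?\d+(\.\d+)?")


def server_validate(fields: Dict[str, Dict], req: Dict[str, str], check_hidden: bool = True) -> List[str]:
    """Re-apply every constraint on the server; [] means the request is accepted."""
    errors = [f"unexpected parameter {n!r}" for n in req if n not in fields]
    for name, f in fields.items():
        if name not in req:
            errors.append(f"missing {name!r}")
            continue
        v = req[name]
        if f.get("type") == "hidden" and check_hidden and v != f.get("value"):
            errors.append(f"{name!r} was tampered with: {v!r}")
        if "maxlength" in f and len(v) > int(f["maxlength"]):
            errors.append(f"{name!r} longer than {f['maxlength']}")
        if "pattern" in f and not re.fullmatch(f["pattern"], v):
            errors.append(f"{name!r} does not match {f['pattern']}")
        if f.get("type") == "number":
            if not NUMBER.fullmatch(v):
                errors.append(f"{name!r} is not a number")
            elif not int(f["min"]) <= float(v) <= int(f["max"]):
                errors.append(f"{name!r} out of range")
        if f.get("type") == "select" and v not in f["options"]:
            errors.append(f"{name!r} is not one of {f['options']}")
    return errors


VALID_REQUEST = {"price": "19.99", "user": "alice", "zip": "12345", "qty": "2", "ship": "std"}

if __name__ == "__main__":
    fields = parse_form(FORM)
    for op, req in bypass_tests(fields, VALID_REQUEST):
        print(op, "->", server_validate(fields, req) or "ACCEPTED (gap)")
```

The hidden `price` field is the case worth noticing: it carries no visible validation at all, yet a server that trusts its submitted value (run the oracle with `check_hidden=False`) accepts the tampered request while rejecting every other bypass test.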

Common Security Problems in the Code of Dynamic Web Applications

Date added: 12/06/2007

The majority of software security holes that occur in web applications can be sorted into just two categories: failure to deal with metacharacters, and authorization problems due to placing too much trust in input. This article gives several examples from both categories, and then adds some from other categories as well.
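
One added example per category, not taken from the article: a vulnerable function beside its hardened form. The metacharacter case is a request-supplied file name that reaches a shell command line; the trust case is an authorization check that believes a `user` parameter the client sent instead of the identity the server bound to the session. File names, the session token, user names and the document store are all constructed, and nothing is executed: the shell functions return the command line that would run so its word structure can be inspected.

```python
"""The two categories named above, each as a vulnerable function beside
its hardened form.  Added illustration, not the article's own examples:
the file names, session token, user names and document store are
constructed.  Nothing is executed; the shell examples return the command
line that would run, so the effect of a metacharacter can be inspected.
"""
import shlex
from typing import Dict, List, Optional, Tuple

# --- 1. Metacharacters: a request-supplied file name reaches a shell ---------


def archive_command_vulnerable(filename: str) -> str:
    """Concatenation into a shell string: ';', '|', '$(...)' in `filename`
    are interpreted by the shell that os.system() would start."""
    return "tar czf backup.tgz " + filename


def archive_command_hardened(filename: str) -> List[str]:
    """An argv list for subprocess.run(argv) (shell=False): no shell, so no
    metacharacters; the name is also restricted to a plain file name so it
    cannot become an option or a path elsewhere on the system."""
    if filename in ("", ".", "..") or "/" in filename or filename.startswith("-"):
        raise ValueError("refusing unsafe file name %r" % filename)
    return ["tar", "czf", "backup.tgz", filename]


def archive_command_quoted(filename: str) -> str:
    """When a shell string is unavoidable, quote the value into one word."""
    return "tar czf backup.tgz " + shlex.quote(filename)


def shell_words(command: str) -> List[str]:
    """How a POSIX shell would split the command line into words."""
    return shlex.split(command)


# --- 2. Too much trust in input: the request claims who the user is ---------

DOCUMENTS: Dict[str, Tuple[str, str]] = {   # doc id -> (owner, body), constructed
    "d1": ("alice", "alice's notes"),
    "d2": ("bob", "bob's payroll"),
}
SESSIONS: Dict[str, str] = {"tok-7f3a": "alice"}   # server-side: token -> user


def read_document_vulnerable(doc_id: str, request: Dict) -> Optional[str]:
    """Authorizes against a `user` parameter the client sent itself."""
    owner, body = DOCUMENTS[doc_id]
    return body if owner == request["params"].get("user") else None


def read_document_hardened(doc_id: str, request: Dict) -> Optional[str]:
    """Authorizes against the identity the server bound to the session token
    at login; nothing in the request body or query string is trusted."""
    user = SESSIONS.get(request["cookies"].get("session"))
    record = DOCUMENTS.get(doc_id)
    if user is None or record is None or record[0] != user:
        return None
    return record[1]


if __name__ == "__main__":
    print(archive_command_vulnerable("x; rm -rf /"))
    print(archive_command_quoted("x; rm -rf /"))
    req = {"params": {"user": "bob"}, "cookies": {"session": "tok-7f3a"}}
    print(read_document_vulnerable("d2", req), read_document_hardened("d2", req))
```

The argv form is preferable to quoting because it removes the shell entirely; `shlex.quote` is the fallback for code that must build a string, and the extra file-name checks in the hardened version cover the non-shell problems (option injection, path traversal) that quoting alone does not.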