2012 IEEE Sixth International Conference on Software Security and Reliability最新文献

筛选
英文 中文
A New Non-Intrusive Authentication Method Based on the Orientation Sensor for Smartphone Users 一种基于方向传感器的智能手机用户非侵入式身份认证新方法
Chien-Cheng Lin, Chin-Chun Chang, Deron Liang, Ching-Han Yang
{"title":"A New Non-Intrusive Authentication Method Based on the Orientation Sensor for Smartphone Users","authors":"Chien-Cheng Lin, Chin-Chun Chang, Deron Liang, Ching-Han Yang","doi":"10.1109/SERE.2012.37","DOIUrl":"https://doi.org/10.1109/SERE.2012.37","url":null,"abstract":"With more advanced features loaded, smart phones nowadays are used not only for telecommunication but also for many emerging applications, such as m-banking. In this paper, we propose a novel non-intrusive authentication mechanism using the information collected from the orientation sensor of the smart phone. This new approach is based on the hypothesis that a user has a unique way to hold and operate his/her smart phone while working on some apps, and such behavioral biometrics can be captured from the readings of the orientation sensor. We design an authentication mechanism that adopts 53 new features transformed from those readings. To validate this hypothesis, we have developed an application to collect user's behavioral biometrics of up-down flicks and left-right flicks from the orientation sensor. The experimental results show that the proposed approach has an equal error rate about 6.85%. We find that the feature subset selected to build an authentication model with satisfactory performance is generally small, varying 3 to 8 for different users. We also find that the feature subsets are significantly different among different users. Finally, we show that the proposed non-intrusive mechanism can be used together with existing intrusive mechanisms, such as password and/or fingerprints, to build a more robust authentication framework for smart phone users.","PeriodicalId":191716,"journal":{"name":"2012 IEEE Sixth International Conference on Software Security and Reliability","volume":"94 7 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126059508","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 42
Specification-guided Golden Run for Analysis of Robustness Testing Results 规范指导的稳健性测试结果分析的黄金运行
G. S. Lemos, E. Martins
{"title":"Specification-guided Golden Run for Analysis of Robustness Testing Results","authors":"G. S. Lemos, E. Martins","doi":"10.1109/SERE.2012.28","DOIUrl":"https://doi.org/10.1109/SERE.2012.28","url":null,"abstract":"Comparison with a golden run is commonly used as an oracle in robustness testing based on fault injection. However, traditional comparison algorithms present, among other limitations, requires the system under test to present, for the same workload, the same behavior, either in presence or in absence of faults. We present an approach that uses a pair wise sequence alignment algorithm in the comparison allowing faulty traces to have some regions of dissimilarity regarding the golden run. This is possible because the algorithm is based on inexact matching and aggregates to the search semantic aspects based on SUT specification. The approach can obtain the degree of similarity with the golden run, and visually presents similarities and differences, which helps in diagnosing. This paper illustrates the application of the approach on traces collected during robustness testing of the Wireless Transaction Protocol (WTP).","PeriodicalId":191716,"journal":{"name":"2012 IEEE Sixth International Conference on Software Security and Reliability","volume":"16 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114918511","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 8
An Autonomic Framework for Integrating Security and Quality of Service Support in Databases 集成数据库安全性和服务质量支持的自治框架
Firas B. Alomari, D. Menascé
{"title":"An Autonomic Framework for Integrating Security and Quality of Service Support in Databases","authors":"Firas B. Alomari, D. Menascé","doi":"10.1109/SERE.2012.15","DOIUrl":"https://doi.org/10.1109/SERE.2012.15","url":null,"abstract":"The back-end databases of multi-tiered applications are a major data security concern for enterprises. The problem becomes more critical with the proliferation of enterprise hosted web applications in the cloud. At the same time, an e-business application needs to process requests with a certain service quality to maintain current customers and attract new ones. While prior work has concentrated on securing applications and providing quality of service (QoS) independently, little work has focused on integrating security and QoS support for business applications, in which the system can manage the security and QoS requirements automatically in a way that preserves the security and QoS goals. This paper focuses on designing an autonomic controller for databases that integrates the security requirements with QoS requirements in order to ease the management burden of system administrators by automatically varying security configurations that meet the system performance and security objectives.","PeriodicalId":191716,"journal":{"name":"2012 IEEE Sixth International Conference on Software Security and Reliability","volume":"10 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128408278","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 15
DESERVE: A Framework for Detecting Program Security Vulnerability Exploitations 值得:一个检测程序安全漏洞利用的框架
Amatul Mohosina, Mohammad Zulkernine
{"title":"DESERVE: A Framework for Detecting Program Security Vulnerability Exploitations","authors":"Amatul Mohosina, Mohammad Zulkernine","doi":"10.1109/SERE.2012.22","DOIUrl":"https://doi.org/10.1109/SERE.2012.22","url":null,"abstract":"It is difficult to develop a program that is completely free from vulnerabilities. Despite the application of many approaches to secure programs, vulnerability exploitations occur in real-world in large numbers. Exploitations of vulnerabilities may corrupt memory spaces and program states, lead to denial of services and authorization bypassing, and leak sensitive information. Monitoring at the program code level can be a way of vulnerability exploitation detection at runtime. In this work, we propose a monitor embedding framework DESERVE (a framework for Detecting program Security Vulnerability Exploitations). DESERVE identifies exploitable statements from source code based on static backward slicing and embeds necessary code to detect attacks. During the deployment stage, the enhanced programs execute exploitable statements in a separate test environment. Unlike traditional monitors that extract and store program state information to compare with vulnerable free program states to detect exploitation, our approach does not need to save state information. Moreover, the slicing technique allows us avoid the tracking of fine grained level of information about runtime program environments such as input flow and memory state. We implement DESERVE for detecting buffer overflow, SQL injection, and cross-site scripting attacks. We evaluate our approach for real-world programs implemented in C and PHP languages. The results show that the approach can detect some of the well-known attacks. Moreover, the approach imposes negligible runtime overhead.","PeriodicalId":191716,"journal":{"name":"2012 IEEE Sixth International Conference on Software Security and Reliability","volume":"124 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134062205","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 7
Finding Buffer Overflow Inducing Loops in Binary Executables 在二进制可执行文件中查找缓冲区溢出诱导循环
Sanjay Rawat, L. Mounier
{"title":"Finding Buffer Overflow Inducing Loops in Binary Executables","authors":"Sanjay Rawat, L. Mounier","doi":"10.1109/SERE.2012.30","DOIUrl":"https://doi.org/10.1109/SERE.2012.30","url":null,"abstract":"Vulnerability analysis is one among the important components of overall software assurance practice. Buffer overflow (BoF) is one example of the such vulnerabilities and it is still the root cause of many effective attacks. A general practice to find BoF is to look for the presence of certain functions that manipulate string buffers, like the strcpy family. In these functions, data is moved from one buffer to another, within a loop, without considering destination buffer size. We argue that similar behaviour may also be present in many other functions that are coded separately, and therefore are equally vulnerable. In the present work, we investigate the detection of such functions by finding loops that exhibit similar behaviour. We call such loops Buffer Overflow Inducing Loops (BOIL). We implemented a lightweight static analysis to detect BOILs, and evaluated it on real-world x86 binary executables. The results obtained show that this (simple but yet efficient) vulnerability pattern happens to be very effective in practice to retrieve real vulnerabilities, providing a drastic reduction of the part of the code to be analysed.","PeriodicalId":191716,"journal":{"name":"2012 IEEE Sixth International Conference on Software Security and Reliability","volume":"100 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132021125","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 29
Mitigating Insider Threat without Limiting the Availability in Concurrent Undeclared Tasks 在不限制并发未声明任务可用性的情况下减轻内部威胁
Qussai M. Yaseen, B. Panda
{"title":"Mitigating Insider Threat without Limiting the Availability in Concurrent Undeclared Tasks","authors":"Qussai M. Yaseen, B. Panda","doi":"10.1109/SERE.2012.36","DOIUrl":"https://doi.org/10.1109/SERE.2012.36","url":null,"abstract":"Insider threat is a critical problem due to the immense harm that it poses to organizations. This paper investigates this problem in relational database systems. Generally, defending systems against insider threat may require rejecting insiders' requests to access some data items. The paper focuses on preventing unauthorized knowledge acquisition by insiders in concurrent undeclared tasks, where a task is executed as one operation at a time instead of a batch of operations, without affecting the availability of data items. It proposes approaches to predict the complete operations of undeclared tasks, and then, to organize the operations in a safe sequence that prevents the possible threat of insiders without rejecting any request. Theorems, proofs and simulations are provided to show the effectiveness of the proposed approaches.","PeriodicalId":191716,"journal":{"name":"2012 IEEE Sixth International Conference on Software Security and Reliability","volume":"38 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127428995","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 1
Semi-Automatic Security Testing of Web Applications from a Secure Model 基于安全模型的Web应用程序半自动安全测试
Matthias Büchler, Johan Oudinet, A. Pretschner
{"title":"Semi-Automatic Security Testing of Web Applications from a Secure Model","authors":"Matthias Büchler, Johan Oudinet, A. Pretschner","doi":"10.1109/SERE.2012.38","DOIUrl":"https://doi.org/10.1109/SERE.2012.38","url":null,"abstract":"Web applications are a major target of attackers. The increasing complexity of such applications and the subtlety of today's attacks make it very hard for developers to manually secure their web applications. Penetration testing is considered an art, the success of a penetration tester in detecting vulnerabilities mainly depends on his skills. Recently, model-checkers dedicated to security analysis have proved their ability to identify complex attacks on web-based security protocols. However, bridging the gap between an abstract attack trace output by a model-checker and a penetration test on the real web application is still an open issue. We present here a methodology for testing web applications starting from a secure model. First, we mutate the model to introduce specific vulnerabilities present in web applications. Then, a model-checker outputs attack traces that exploit those vulnerabilities. Next, the attack traces are translated into concrete test cases by using a 2-step mapping. Finally, the tests are executed on the real system using an automatic procedure that may request the help of a test expert from time to time. A prototype has been implemented and evaluated on Web Goat, an insecure web application maintained by OWASP. It successfully reproduced Role-Based Access Control (RBAC) and Cross-Site Scripting (XSS) attacks.","PeriodicalId":191716,"journal":{"name":"2012 IEEE Sixth International Conference on Software Security and Reliability","volume":"55 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126355827","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 48
Applying Microreboot to System Software 将微重启应用于系统软件
Michael V. Le, Y. Tamir
{"title":"Applying Microreboot to System Software","authors":"Michael V. Le, Y. Tamir","doi":"10.1109/SERE.2012.11","DOIUrl":"https://doi.org/10.1109/SERE.2012.11","url":null,"abstract":"Availability is increased with recovery based on component micro reboot instead of whole system reboot. There are unique challenges that must be overcome in order to apply micro reboot to low-level system software. These challenges arise from the need to interact with immutable hardware components on one hand and, on the other hand, with a wide variety of higher level workloads whose characteristics may be unknown. As an example, we describe our experience with applying micro reboot to system-level virtualization software. Specifically, implementing micro reboot for all the components of the widely-used Xen virtualization infrastructure. We identify the unique difficulties with applying micro reboot for such low-level software and present our solutions. We present measures of the complexity of different classes of solutions and experimental results, based on extensive fault injection, showing the effectiveness of the solutions.","PeriodicalId":191716,"journal":{"name":"2012 IEEE Sixth International Conference on Software Security and Reliability","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130402600","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 13
Flexible Data-Driven Security for Android Android灵活的数据驱动安全性
Denis Feth, A. Pretschner
{"title":"Flexible Data-Driven Security for Android","authors":"Denis Feth, A. Pretschner","doi":"10.1109/SERE.2012.14","DOIUrl":"https://doi.org/10.1109/SERE.2012.14","url":null,"abstract":"Android allows users to cancel the installation of apps whenever requested permissions to resources seem inappropriate from their point of view. Since permissions can neither be granted individually nor changed after installation, this results in rather coarse, and often too liberal, access rules. We propose a more fine-grained security system beyond the standard permission system. With our system, it is possible to enforce complex policies that are built on temporal, cardinality, and spatial conditions (\"notify if data is used after thirty days'', \"blur data outside company's premises'', etc.). Enforcement can be done by means of modification or inhibition of certain events and the execution of additional actions. Leveraging recent advances in information flow tracking technology, our policies can also pertain to data rather than single representations of that data. For instance, we can prohibit a movie from being played more than twice even if several copies have been created. We present design and implementation of the system and provide a security and performance analysis.","PeriodicalId":191716,"journal":{"name":"2012 IEEE Sixth International Conference on Software Security and Reliability","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132636089","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 37
On the Effective Use of Security Test Patterns 浅谈安全测试模式的有效利用
Benjamin H. Smith, L. Williams
{"title":"On the Effective Use of Security Test Patterns","authors":"Benjamin H. Smith, L. Williams","doi":"10.1109/SERE.2012.23","DOIUrl":"https://doi.org/10.1109/SERE.2012.23","url":null,"abstract":"Capturing attacker behavior in a security test plan allows the systematic, repeated assessment of a system's defenses against attacks. To address the lack of security experts capable of developing effective black box security test plans, we have empirically developed an initial set of six black box security test patterns. These patterns capture the expertise involved in creating a black box security test plan in the same way that software design patterns capture design expertise. Security test patterns can enable software testers lacking security expertise (in this paper, \"novices\") to develop a test plan the way experts could. The goal of this paper is to evaluate the ability of novices to effectively generate black box security tests by accessing security expertise contained within security test patterns. We conducted a user study of 47 student novices, who used our six initial patterns to develop black box security test plans for six requirements from a publicly available specification for electronic health records systems. We created an oracle for the security test plan by forming a panel of researchers who manually completed the same task as the novices. We found that novices will generate a similar black box test plan to the oracle when aided by the six black box security test patterns.","PeriodicalId":191716,"journal":{"name":"2012 IEEE Sixth International Conference on Software Security and Reliability","volume":"105 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124217714","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 18
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
相关产品
×
本文献相关产品
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信