
Efficient, context-sensitive detection of real-world semantic attacks

Michael D. Bond, Varun Srivastava, Kathryn S. McKinley, Vitaly Shmatikov
2010 Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security - PLAS '10  
By contrast, the average overhead of PECAN is 5%, which is low enough for practical deployment. We evaluate PECAN on four representative real-world attacks from security vulnerability reports.  ...  As a result, semantic vulnerabilities (omitted security checks, misconfigured security policies, and other software design errors) are supplanting memory-corruption exploits as the primary cause of security  ...  PCC to Jikes RVM 2.9.2; Chris Ryder for PCC bug fixes; Sam Guyer for helpful discussions; and Bert Maher, Wei Le, and the anonymous reviewers for valuable feedback on the text.  ... 
doi:10.1145/1814217.1814218 dblp:conf/pldi/BondSMS10 fatcat:zytihjnfcfbddiaeejuajurb3a

Verifying policy-based web services security

Karthikeyan Bhargavan, Cédric Fournet, Andrew D. Gordon
2008 ACM Transactions on Programming Languages and Systems  
Our analyzer works by constructing a formal model of a set of SOAP processors, together with the security checks they perform, in the TulaFale scripting language, a dialect of the pi calculus.  ...  WS-SecurityPolicy [18], with WS-Policy [16] and WS-PolicyAssertion [17] , is a declarative XML format for programming how web services implementations construct and check WS-Security headers.  ...  Riccardo Pucella prototyped a first compiler from policies to TulaFale during an internship. Tuomas Aura, Daniel Stieger, and anonymous reviewers made useful comments on earlier versions of the paper.  ... 
doi:10.1145/1391956.1391957 fatcat:kppjkov2ajfhdbiv2baxjsuz6a

A domain-specific language for filtering in application-level gateways

Hampus Balldin, Christoph Reichenbach
2020 Proceedings of the 19th ACM SIGPLAN International Conference on Generative Programming: Concepts and Experiences  
We have designed the language around the needs of network filter developers, with a focus on correctness: our language can statically verify several properties of filter programs, such as well-formedness  ...  of the outcome, confluence, and termination, with the help of an off-the-shelf SMT solver.  ...  Acknowledgments We thank Advenica AB and especially the anonymous test subject for support and feedback, and Per Runeson for advice on experimental setup.  ... 
doi:10.1145/3425898.3426955 fatcat:kfgvwmtuxnek5nn6ohwexfkc5i

A Study on Detection Techniques of XML Rewriting Attacks in Web Services

Aziz Nasridinov, Jeong-Yong Byun, Young-Ho Park
2014 International Journal of Control and Automation  
However, the content of a SOAP message, protected with XML Digital Signature, can be changed without invalidating the signature.  ...  In this paper, we present a study on detection techniques of XML Rewriting attacks in Web Services. We first explore the XML Rewriting Attack that can take place in Web Service communication.  ...  Acknowledgement This work was supported by the IT R&D program of MKE/KEIT. [10041854, Development of a smart home service platform with real-time danger prediction and prevention for safety residential  ... 
doi:10.14257/ijca.2014.7.1.35 fatcat:7dtctpbp4jfxlf6rydvtl36jne

A Stitch in Time

Duc Cuong Nguyen, Dominik Wermke, Yasemin Acar, Michael Backes, Charles Weir, Sascha Fahl
2017 Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security - CCS '17  
We point out the advantage of a low-time-cost tool both to teach better secure coding and to improve app security.  ...  with both students and professional developers, we identify key UI requirements and demonstrate that code delivered with such a tool by developers previously inexperienced in security contains significantly  ...  This work was supported by the German Federal Ministry of Education and Research (BMBF) through funding for the Center for IT-Security, Privacy and Accountability (CISPA) (FKZ: 16KIS0656).  ... 
doi:10.1145/3133956.3133977 dblp:conf/ccs/NguyenWA0WF17 fatcat:iwbo4j2imbb67navyqqtx6w3j4

Security Analysis of eIDAS – The Cross-Country Authentication Scheme in Europe

Nils Engelbertz, Nurullah Erinola, David Herring, Juraj Somorovsky, Vladislav Mladenov, Jörg Schwenk
2020 Zenodo  
To support the developers and security teams of eID services, we implemented a Burp Suite extension to execute fully-automated or semi-automated tests.  ...  Our security analysis shows that 7 of the 15 European eID services were vulnerable to XML-based attacks which enabled efficient Denial-of-Service (DoS) and Server Side Request Forgery (SSRF) attacks.  ...  The authors want to thank the FutureTrust consortium for the valuable input and helpful discussions provided.  ... 
doi:10.5281/zenodo.3610139 fatcat:a7kpl7evfjf5rpauzodqladbti

On the Impact of Programming Languages on Code Quality [article]

Emery D. Berger, Celeste Hollenbeck, Petr Maj, Olga Vitek, Jan Vitek
2019 arXiv   pre-print
First we conduct an experimental repetition; the repetition is only partially successful, but it does validate one of the key claims of the original work about the association of ten programming languages  ...  This paper is a reproduction of work by Ray et al. which claimed to have uncovered a statistically significant association between eleven programming languages and software defects in projects hosted on  ...  We thank Baishakhi Ray and Vladimir Filkov for sharing the data and code of their FSE paper.  ... 
arXiv:1901.10220v2 fatcat:zi4obm7m4bfwti5cddbsp2engu

Comparative Studies of Programming Languages; Course Lecture Notes [article]

Joey Paquet, Serguei A. Mokhov
2010 arXiv   pre-print
These notes include a compiled book of primarily related articles from the Wikipedia, the Free Encyclopedia, as well as Comparative Programming Languages book and other resources, including our own.  ...  Lecture notes for the Comparative Studies of Programming Languages course, COMP6411, taught at the Department of Computer Science and Software Engineering, Faculty of Engineering and Computer Science,  ...  One of the early versions, Smalltalk-76, was one of the first programming languages to be implemented along with a development environment featuring most of the now familiar tools, including a class library  ... 
arXiv:1007.2123v6 fatcat:4vwgbvr4xbhzjoubgv7d52mrke

The Seven Turrets of Babel: A Taxonomy of LangSec Errors and How to Expunge Them

Falcon Momot, Sergey Bratus, Sven M. Hallberg, Meredith L. Patterson
2016 2016 IEEE Cybersecurity Development (SecDev)  
We argue that these patterns are artifacts of avoidable weaknesses in the development process and explore these patterns both in general and via recent CVE instances.  ...  We break ground on defining the input-handling code weaknesses that should be actionable findings and propose a refactoring of existing CWEs to accommodate them.  ...  To give a concrete example, it is acceptable to have XML tags with meaning and validity dependent on the structure in which they are contained, but not on structures elsewhere about the document, since  ... 
doi:10.1109/secdev.2016.019 dblp:conf/secdev/MomotBHP16 fatcat:wnm5zfljfvbarpy45gapana5cm

Security for Distributed E-Service Composition [chapter]

Stefan Seltzsam, Stephan Börzsönyi, Alfons Kemper
2001 Lecture Notes in Computer Science  
Current developments show that tomorrow's information systems and applications will no longer be based on monolithic architectures that encompass all the functionality.  ...  The resource consumption of operators is monitored and limited with reasonable supplementary costs to avoid resource monopolization.  ...  Only recently, with the development of Java as a secure programming language, some new considerations have been taken into account.  ... 
doi:10.1007/3-540-44809-8_11 fatcat:oxdkfaao5bgipcfyfuybcsz7zq

Analytical Inductive Functional Programming [chapter]

Emanuel Kitzelmann
2009 Lecture Notes in Computer Science  
Acknowledgement The author would like to thank anonymous reviewers for their constructive and useful comments on the previous version of the paper.  ...  Acknowledgments We thank the reviewers for their feedback.  ...  Software Transactional Memory (STM) has the promise to avoid the common pitfalls of locks when writing thread-based concurrent programs.  ... 
doi:10.1007/978-3-642-00515-2_7 fatcat:r3xkzawlibfcpluopvlz7ukp4y

The Immune Epitope Database and Analysis Resource Program 2003–2018: reflections and outlook

Sheridan Martini, Morten Nielsen, Bjoern Peters, Alessandro Sette
2019 Immunogenetics  
Capture and representation of the data to reflect growing scientific standards and techniques have required continual refinement of our rigorous curation and query and reporting processes beginning with  ...  This review provides a description of the IEDB database infrastructure, curation and recuration processes, query and reporting capabilities, the Analysis Resource, and our Community Outreach efforts, including  ...  Immunogenetics (2020) 72:57-76  ... 
doi:10.1007/s00251-019-01137-6 pmid:31761977 fatcat:gtzcjaqdg5crxl2pgwbohbyyse

Controlling the Information Flow in Spreadsheets

Vipin Samar, Sangeeta Patni
2008 arXiv   pre-print
This paper discusses some of the pitfalls of the data collection and maintenance process in Excel.  ...  It then suggests service-oriented architecture (SOA) based information gathering and control techniques to ameliorate the pitfalls of this scratch pad while improving the integrity of data, boosting the  ...  As Excel is here to stay for a long time within businesses, it is important to mitigate some of the pitfalls without sacrificing its ease-of-use.  ... 
arXiv:0803.2527v1 fatcat:bheefvk5ljbulhz5pgg26tg5vm

On the Design of IoT Security: Analysis of Software Vulnerabilities for Smart Grids

Christos-Minas Mathas, Costas Vassilakis, Nicholas Kolokotronis, Charilaos C. Zarakovitis, Michail-Alexandros Kourtis
2021 Energies  
to vulnerability detection mechanisms, especially with a focus on the reduction of false positives.  ...  The results of this study can be used in the domain of software development, to enhance the security of produced software, as well as in the domain of automated software testing, targeting improvements  ...  The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript, or in the decision to publish the results.  ... 
doi:10.3390/en14102818 fatcat:tgpbzjsntnbsffqhbwqdb264eu

Residue objects

Shuo Chen, Hong Chen, Manuel Caballero
2010 Proceedings of the 5th European conference on Computer systems - EuroSys '10  
Although only the native HTML engine is studied so far, we have already discovered five new vulnerabilities and reported them to IE developers (one of the vulnerabilities has been patched in a Microsoft  ...  A complex software system typically has a large number of objects in the memory, holding references to each other to implement an object model.  ...  We have found five new vulnerabilities and reported them to the IE team (one of them was patched in Microsoft February 2009 security update).  ... 
doi:10.1145/1755913.1755942 dblp:conf/eurosys/ChenCC10 fatcat:344hqgejwjbl7fz6o3ps5oc7xu