Efficient, context-sensitive detection of real-world semantic attacks
2010
Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security - PLAS '10
By contrast, the average overhead of PECAN is 5%, which is low enough for practical deployment. We evaluate PECAN on four representative real-world attacks from security vulnerability reports. ...
As a result, semantic vulnerabilities (omitted security checks, misconfigured security policies, and other software design errors) are supplanting memory-corruption exploits as the primary cause of security ...
PCC to Jikes RVM 2.9.2; Chris Ryder for PCC bug fixes; Sam Guyer for helpful discussions; and Bert Maher, Wei Le, and the anonymous reviewers for valuable feedback on the text. ...
doi:10.1145/1814217.1814218
dblp:conf/pldi/BondSMS10
fatcat:zytihjnfcfbddiaeejuajurb3a
Verifying policy-based web services security
2008
ACM Transactions on Programming Languages and Systems
Our analyzer works by constructing a formal model of a set of SOAP processors, together with the security checks they perform, in the TulaFale scripting language, a dialect of the pi calculus. ...
WS-SecurityPolicy [18], with WS-Policy [16] and WS-PolicyAssertion [17], is a declarative XML format for programming how web services implementations construct and check WS-Security headers. ...
Riccardo Pucella prototyped a first compiler from policies to TulaFale during an internship. Tuomas Aura, Daniel Stieger, and anonymous reviewers made useful comments on earlier versions of the paper. ...
doi:10.1145/1391956.1391957
fatcat:kppjkov2ajfhdbiv2baxjsuz6a
A domain-specific language for filtering in application-level gateways
2020
Proceedings of the 19th ACM SIGPLAN International Conference on Generative Programming: Concepts and Experiences
We have designed the language around the needs of network filter developers, with a focus on correctness: our language can statically verify several properties of filter programs, such as well-formedness of the outcome, confluence, and termination, with the help of an off-the-shelf SMT solver. ...
Acknowledgments We thank Advenica AB and especially the anonymous test subject for support and feedback, and Per Runeson for advice on experimental setup. ...
doi:10.1145/3425898.3426955
fatcat:kfgvwmtuxnek5nn6ohwexfkc5i
A Study on Detection Techniques of XML Rewriting Attacks in Web Services
2014
International Journal of Control and Automation
However, the content of a SOAP message, protected with XML Digital Signature, can be changed without invalidating the signature. ...
In this paper, we present a study on detection techniques of XML Rewriting attacks in Web Services. We first explore the XML Rewriting Attack that can take place in Web Service communication. ...
Acknowledgement This work was supported by the IT R&D program of MKE/KEIT. [10041854, Development of a smart home service platform with real-time danger prediction and prevention for safety residential ...
doi:10.14257/ijca.2014.7.1.35
fatcat:7dtctpbp4jfxlf6rydvtl36jne
A Stitch in Time
2017
Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security - CCS '17
We point out the advantage of a low-time-cost tool both to teach better secure coding and to improve app security. ...
with both students and professional developers, we identify key UI requirements and demonstrate that code delivered with such a tool by developers previously inexperienced in security contains significantly ...
This work was supported by the German Federal Ministry of Education and Research (BMBF) through funding for the Center for IT-Security, Privacy and Accountability (CISPA) (FKZ: 16KIS0656). ...
doi:10.1145/3133956.3133977
dblp:conf/ccs/NguyenWA0WF17
fatcat:iwbo4j2imbb67navyqqtx6w3j4
Security Analysis of eIDAS – The Cross-Country Authentication Scheme in Europe
2020
Zenodo
To support the developers and security teams of eID services, we implemented a Burp Suite extension to execute fully-automated or semi-automated tests. ...
Our security analysis shows that 7 of the 15 European eID services were vulnerable to XML-based attacks which enabled efficient Denial-of-Service (DoS) and Server Side Request Forgery (SSRF) attacks. ...
The authors want to thank the FutureTrust consortium for the valuable input and helpful discussions provided. ...
doi:10.5281/zenodo.3610139
fatcat:a7kpl7evfjf5rpauzodqladbti
On the Impact of Programming Languages on Code Quality
[article]
2019
arXiv
pre-print
First we conduct an experimental repetition; the repetition is only partially successful, but it does validate one of the key claims of the original work about the association of ten programming languages ...
This paper is a reproduction of work by Ray et al. which claimed to have uncovered a statistically significant association between eleven programming languages and software defects in projects hosted on ...
We thank Baishakhi Ray and Vladimir Filkov for sharing the data and code of their FSE paper. ...
arXiv:1901.10220v2
fatcat:zi4obm7m4bfwti5cddbsp2engu
Comparative Studies of Programming Languages; Course Lecture Notes
[article]
2010
arXiv
pre-print
These notes include a compiled book of primarily related articles from the Wikipedia, the Free Encyclopedia, as well as Comparative Programming Languages book and other resources, including our own. ...
Lecture notes for the Comparative Studies of Programming Languages course, COMP6411, taught at the Department of Computer Science and Software Engineering, Faculty of Engineering and Computer Science, ...
One of the early versions, Smalltalk-76, was one of the first programming languages to be implemented along with a development environment featuring most of the now familiar tools, including a class library ...
arXiv:1007.2123v6
fatcat:4vwgbvr4xbhzjoubgv7d52mrke
The Seven Turrets of Babel: A Taxonomy of LangSec Errors and How to Expunge Them
2016
2016 IEEE Cybersecurity Development (SecDev)
We argue that these patterns are artifacts of avoidable weaknesses in the development process and explore these patterns both in general and via recent CVE instances. ...
We break ground on defining the input-handling code weaknesses that should be actionable findings and propose a refactoring of existing CWEs to accommodate them. ...
To give a concrete example, it is acceptable to have XML tags with meaning and validity dependent on the structure in which they are contained, but not on structures elsewhere about the document, since ...
doi:10.1109/secdev.2016.019
dblp:conf/secdev/MomotBHP16
fatcat:wnm5zfljfvbarpy45gapana5cm
Security for Distributed E-Service Composition
[chapter]
2001
Lecture Notes in Computer Science
Current developments show that tomorrow's information systems and applications will no longer be based on monolithic architectures that encompass all the functionality. ...
The resource consumption of operators is monitored and limited with reasonable supplementary costs to avoid resource monopolization. ...
Only recently, with the development of Java as a secure programming language, some new considerations have been taken into account. ...
doi:10.1007/3-540-44809-8_11
fatcat:oxdkfaao5bgipcfyfuybcsz7zq
Analytical Inductive Functional Programming
[chapter]
2009
Lecture Notes in Computer Science
Acknowledgement The author would like to thank anonymous reviewers for their constructive and useful comments on the previous version of the paper. ...
Acknowledgments We thank the reviewers for their feedback. ...
Software Transactional Memory (STM) has the promise to avoid the common pitfalls of locks when writing thread-based concurrent programs. ...
doi:10.1007/978-3-642-00515-2_7
fatcat:r3xkzawlibfcpluopvlz7ukp4y
The Immune Epitope Database and Analysis Resource Program 2003–2018: reflections and outlook
2019
Immunogenetics
Capture and representation of the data to reflect growing scientific standards and techniques have required continual refinement of our rigorous curation and query and reporting processes beginning with ...
This review provides a description of the IEDB database infrastructure, curation and recuration processes, query and reporting capabilities, the Analysis Resource, and our Community Outreach efforts, including ...
Immunogenetics (2020) 72:57-76 Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), ...
doi:10.1007/s00251-019-01137-6
pmid:31761977
fatcat:gtzcjaqdg5crxl2pgwbohbyyse
Controlling the Information Flow in Spreadsheets
2008
arXiv
pre-print
This paper discusses some of the pitfalls of the data collection and maintenance process in Excel. ...
It then suggests service-oriented architecture (SOA) based information gathering and control techniques to ameliorate the pitfalls of this scratch pad while improving the integrity of data, boosting the ...
As Excel is here to stay for a long time within businesses, it is important to mitigate some of the pitfalls without sacrificing its ease-of-use. ...
arXiv:0803.2527v1
fatcat:bheefvk5ljbulhz5pgg26tg5vm
On the Design of IoT Security: Analysis of Software Vulnerabilities for Smart Grids
2021
Energies
to vulnerability detection mechanisms, especially with a focus on the reduction of false positives. ...
The results of this study can be used in the domain of software development, to enhance the security of produced software, as well as in the domain of automated software testing, targeting improvements ...
The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript, or in the decision to publish the results. ...
doi:10.3390/en14102818
fatcat:tgpbzjsntnbsffqhbwqdb264eu
Residue objects
2010
Proceedings of the 5th European conference on Computer systems - EuroSys '10
Although only the native HTML engine is studied so far, we have already discovered five new vulnerabilities and reported them to IE developers (one of the vulnerabilities has been patched in a Microsoft ...
A complex software system typically has a large number of objects in the memory, holding references to each other to implement an object model. ...
We have found five new vulnerabilities and reported them to the IE team (one of them was patched in Microsoft February 2009 security update). ...
doi:10.1145/1755913.1755942
dblp:conf/eurosys/ChenCC10
fatcat:344hqgejwjbl7fz6o3ps5oc7xu