HEALERS: A Toolkit for Enhancing the Robustness and Security of Existing Applications


Christof Fetzer, Zhen Xiao
AT&T Labs Research
180 Park Avenue
Florham Park, N.J
christof,

This paper appears in the Proceedings of the IEEE International Conference on Dependable Systems and Networks (DSN), June.

Abstract

HEALERS is a practical, high-performance toolkit that can enhance the robustness and security of existing applications. For any shared library, it can find all functions defined in that library and automatically derive properties for those functions. Through automated fault-injection experiments, it can detect arguments that cause the library to crash and derive safe argument types for each function. The toolkit can prevent heap and stack buffer overflows that are a common cause of security breaches. The nice feature of the HEALERS approach is that it can protect existing applications without access to the source code.

Keywords: reliability, robustness, security, wrapper, fault tolerance

1 Introduction

Software reliability is becoming increasingly important as our daily lives become more and more computerized. Many financial transactions nowadays are conducted using computers through the Internet. Big companies (such as AT&T) employ on-line billing to reduce their operational costs. Both ACM and IEEE offer free on-line courses as a flexible way to let people acquire new knowledge during their spare time. Virtual office environments allow people to work comfortably at their homes. We expect this trend to continue in the years to come. At the same time, there is a growing concern about the correct functioning of computer software under exceptional or stressful settings. If a computer crashes, hangs, or gives erroneous output, it may lead to severe disruption of service or loss of productivity. The consequences may be costly due to the increasing reliance on computer technology in our society.
Unfortunately, previous studies have found that much existing software is not very reliable. The Ballista project, for example, found that many implementations of operating systems and C libraries are brittle with respect to invalid inputs [6]. The authors of [2] studied the bug reports of three open source software packages (Apache, Gnome, and MySQL) and found that many deterministic bugs exist long after their initial releases. One reason for this is that new features are constantly added to this software without thorough testing. We believe that such phenomena are common for commercial software as well: while many applications desire reliability, they cannot afford to sacrifice functionality in the current competitive market. Given the limited development budget in today's economy, it may be prohibitively expensive to test all boundary conditions before the official release of the software.

A good protection method for Commercial Off-the-shelf software should satisfy the following requirements:

transparency: The method should provide transparent protection for existing software without requiring recompilation or relinking. Since the source code of commercial software is generally not available, any method that requires modification of the source code is undesirable.

adaptivity: Due to the fast software update cycle in today's society, the protection method should be able to adapt quickly to new software releases.

cost-effectiveness: The method should be able to eliminate a large class of software failures in a cost-effective manner. Note that a significant portion of the cost involved in hardening software is operational cost: the cost of a computer programmer is usually much higher than the cost of a group of high-end PCs. Any method that is labor-intensive will not scale well in a production environment where many pieces of software need to be protected.

flexibility: Different applications may have different reliability and security requirements and need different levels of protection. A "one size fits all" approach would not work. Hence, a good protection method should be flexible so that it can be configured to provide only the specific features an application needs.

low overhead: The method should have low overhead during normal operations. In addition, an application should only pay the overhead for the protection it actually needs. Any method that provides excessive or overly restrictive protection may not work well in practice.

In this paper, we describe a software toolkit called HEALERS (HEALers Enhanced Robustness and Security) that demonstrably satisfies the above requirements. HEALERS can provide effective protection for existing software without source code access. It has a flexible architecture and can be configured to suit the needs of individual applications. It is highly automated and can easily adapt to new software releases. Its run time overhead is small for most applications.

The rest of the paper is organized as follows. Section 2 describes the technology used in HEALERS. Section 3 gives an outline of our software demonstration. Section 4 concludes this paper.

2 Technology

HEALERS is designed to protect applications from a large class of software errors related to C library functions. Its protection method has the following key components:

interception: Our software intercepts function calls into the C library. This allows it to provide transparent protection for software that is dynamically linked. Previous studies indicate that a major category of software failures related to C library functions are API failures: function calls with invalid arguments may cause the calling process to terminate abnormally [6]. Intercepting such function calls gives us a convenient way to check the validity of their arguments and hence avoid such failures.

automation: HEALERS uses automated fault-injection experiments to discover robustness and security problems in software from third-party vendors [4]. Based on the knowledge gathered from these experiments, it automatically generates a set of fault-containment wrappers to correct a large set of such problems. This proves to be a cost-effective approach for protecting a wide variety of software products and for adapting to new software releases.

flexible generation: The HEALERS toolkit is highly configurable and can be tuned to satisfy the individual needs of different applications. It generates a variety of fault-containment wrappers through a set of micro-generators. Such an architecture facilitates code reuse and makes it easy to introduce new functionality into the existing system [5].

In the rest of the section, we will describe each of these components in detail.

2.1 Interception

Our software is implemented as a dynamically loadable C library wrapper. The wrapper sits between an application and the C library. It intercepts every C library function call from the application. On most Unix systems a user interested in using a wrapper can preload it by defining the LD_PRELOAD environment variable. This is useful for protecting certain network services. In addition, a system administrator can enable a wrapper on a system wide basis through a dynamic link loader. Since different applications may have different security or reliability requirements, they can use different types of wrappers to satisfy their needs. This is illustrated in Figure 1.
For example, a process with root privilege may use a security wrapper that can prevent buffer overflow attacks [3]. Previous studies indicate that such attacks are a major cause of security breaches in operating systems [1]. A user application that desires high availability can use a robustness wrapper that prevents a large class of software failures (e.g. crashes, hangs, or aborts). Some applications may want to log the errors that occurred during their operation for later failure diagnosis. In this case, they can use a profiling wrapper that gives a detailed report on what kind of errors occurred, how frequently they occurred, and what the causes of the errors were (based on errno). The figure also shows that different applications may share the same wrapper, or may use different wrappers.

Figure 1. A wrapper sits between an application and its shared libraries. Different applications can use different wrappers, or can share wrappers. (Diagram labels: root process, three user applications, security wrapper, robustness wrapper, profiling wrapper, Shared Libraries.)

A nice feature of wrapping dynamic link libraries is that it can protect existing software without source code access. Note that it only works for applications that are dynamically linked. In practice, we found that this is not a problem because the overwhelming majority of applications are dynamically linked. Another limitation of our approach is that it can only protect against errors due to C library function calls. However, such errors constitute a large percentage of software errors observed in deployed applications. Hence, we believe it is important to reduce such errors.

2.2 Automation

One way to increase the security and robustness of software is by visually examining the source code to detect any loopholes. For example, we can examine the control flow of the program to see whether it ever accesses an invalid pointer or whether it performs boundary checks when performing a string copy operation. This approach, however, is labor-intensive: the human cost for examining a large software product can be huge. Moreover, whenever there is a new software release or update, it has to be examined again. With the price of computer hardware decreasing rapidly, the key to providing cost-effective protection to computer software is automation: let the computers do the work.

Our HEALERS system discovers the robustness problems in C libraries through automated fault-injection experiments as illustrated in Figure 2. The system parses the header files and manual pages from C libraries to generate the prototype information for all global functions. Note that the API defined by the prototype of a function is not always robust. For example, the prototype of the strcpy function specifies its first argument to be char *. However, it actually has to be a pointer to a writable buffer with enough space to accommodate the source string.
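The fault-injection probing this section describes, applied to the destination argument of strcpy, as an added example that is not code from HEALERS or the paper. The four-level type hierarchy, the guard-page test values and the names probe and weakest_robust_type are assumptions made for the illustration; it needs a POSIX system with fork and mmap.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* for MAP_ANONYMOUS */
#endif
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Candidate argument types for strcpy's destination, weakest first.
   This four-level hierarchy is constructed for the example. */
enum dst_type { ANY_POINTER, READABLE, WRITABLE, WRITABLE_FITS, NUM_TYPES };

static const char *const type_name[NUM_TYPES] = {
    "any pointer", "readable memory", "writable memory",
    "writable buffer large enough for the source"
};

/* Constructed source string: 16 characters plus the terminating NUL. */
static const char SRC[] = "0123456789abcdef";

/* Build a worst-case test value of the given type. Buffers end exactly at an
   inaccessible guard page, so a write past the end faults immediately. */
static char *make_value(enum dst_type t)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    char *base;

    if (t == ANY_POINTER)
        return NULL;
    base = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        _exit(2);
    mprotect(base + page, page, PROT_NONE);      /* guard page */
    if (t == READABLE) {
        mprotect(base, page, PROT_READ);         /* readable, not writable */
        return base;
    }
    if (t == WRITABLE)
        return base + page - 4;                  /* writable, too small for SRC */
    return base + page - sizeof SRC;             /* exactly large enough */
}

/* Run one fault-injection experiment in a child process so that a crash or
   hang cannot take the harness down. Returns 1 if strcpy returned normally. */
static int probe(enum dst_type t)
{
    /* Call through a volatile pointer so the compiler cannot inline,
       fold or diagnose the deliberately invalid call. */
    char *(*volatile target)(char *, const char *) = strcpy;
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return 0;
    if (pid == 0) {
        alarm(2);                                /* a hang ends in SIGALRM */
        target(make_value(t), SRC);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) != pid)
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Walk the hierarchy from weakest to strongest and return the first type
   whose test value strcpy survives, or -1 if none does. */
int weakest_robust_type(void)
{
    int t;

    for (t = 0; t < NUM_TYPES; t++)
        if (probe((enum dst_type)t))
            return t;
    return -1;
}

int main(void)
{
    int t;

    for (t = 0; t < NUM_TYPES; t++)
        printf("%-45s %s\n", type_name[t],
               probe((enum dst_type)t) ? "ok" : "FAILED");
    t = weakest_robust_type();
    printf("robust type for strcpy argument 1: %s\n",
           t < 0 ? "none found" : type_name[t]);
    return 0;
}
```
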
Our system searches for the weakest robust argument types for a function by repeatedly probing the function with a hierarchy of function types until it finds one that does not result in robustness failures. By doing so, it generates the robust API for a shared library. Although some manual editing may be needed, this process is largely automated.

Figure 2. HEALERS discovers robust API for shared libraries through automated fault-injection experiments. (Diagram labels: Shared Library, Function Prototypes, Automated Fault Injection Experiments, searching robust argument types, Robust API.)

2.3 Flexible Wrapper Generation

One challenge in our system design is how to generate a large number of wrappers to suit the needs of different applications. Clearly, it is undesirable to write every wrapper from scratch. Our system provides a flexible framework for a wide variety of wrapper types. This is achieved through a modular approach where the functionality of a wrapper generator is decomposed into a number of features, each supported by a micro-generator. Each micro-generator generates a fragment of the prefix and postfix code of a function. The micro-generators can be combined in a variety of ways to generate new wrapper types.

Figure 3 depicts the wrapper function wctrans. This code is generated by combining six micro-generators: prototype, function exectime, collect errors, func errors, call counter, and caller. The prototype and caller are standard micro-generators that generate the prototype of the wrapper function and the call to the original function, respectively. The remaining micro-generators generate code to collect various statistics during the program execution. The micro-generator also generates code for collecting the results. Just before the application terminates, the collection code is called to send the gathered information to a central server. Since different types of wrappers can be used in a distributed environment, the gathered information sent to the server is in the form of a self-describing XML document. The server can extract from the document which functions were wrapped and what kind of information was collected. Such information is then stored for later processing. Figure 5 shows an example of collected data.

3 Demonstration

We will demonstrate the following features of our software.

3.1 Wrapping Libraries

Our toolkit can list all libraries in the system. A user can select one of the libraries. Our system will then generate a list of all functions defined in the library. In addition, our system will create an XML-style declaration file that describes the prototype of each function in the library. The results of such experiments can be used to generate various wrappers as described in [5].

3.2 Wrapping Applications

The previous demo is library-centric. In contrast, this demo is application-centric. It allows a user to browse through the list of files in the current system and select an application program (i.e. an executable file). Our toolkit can automatically extract the list of libraries linked to this application as well as the list of undefined functions in the application. The Web interface for this demo is illustrated in Figure 4.

Figure 4. HEALERS automatically extracts the list of libraries linked to an application and the list of undefined functions.

3.3 Profiling

In this demo, we show that our profiling wrapper can gather statistics related to the execution of a program and automatically generate graphics to display the result as shown in Figure 5.
A user executes a program in the system with our profiling wrapper. Upon termination, the wrapper generates an XML-style log file that shows the frequency of function calls in this program, the percentage of execution time in each function, the distribution of function errors, the causes of such errors (classified by errnos), etc.

Figure 5. The profiling wrapper can collect various runtime information.

3.4 Buffer Overflow Prevention

In this demo, we show that our security wrapper can prevent buffer overflow attacks. It first shows that an attacker can hijack the control flow of a root privileged program by overflowing a buffer allocated on the heap. This results in a root shell for the attacker. An example of such a program was previously published in [3]. Then we show that our security wrapper can detect such buffer overflows and terminate the attacker's program.

    /* addr_wctrans, the counter arrays, MAX_ERRNO and rdtsc() are defined
       elsewhere in the generated wrapper library. */
    /* Prefix code by micro-gen prototype */
    wctrans_t wctrans(const char* a1)
    {
        wctrans_t ret;
        /* Prefix code by micro-gen function exectime */
        unsigned long long exectime_start;
        unsigned long long exectime_end;
        rdtsc(exectime_start);
        /* Prefix code by micro-gen collect errors */
        int collect_errors_err = errno;
        /* Prefix code by micro-gen func error */
        int func_error_err = errno;
        /* Prefix code by micro-gen call counter */
        ++call_counter_num_calls[1206];
        /* Postfix code by micro-gen caller */
        ret = (*addr_wctrans)(a1);
        /* Postfix code by micro-gen func error */
        if (func_error_err != errno) {
            if (errno < 0 || errno >= MAX_ERRNO)
                ++func_error_cnter[1206][MAX_ERRNO];
            else
                ++func_error_cnter[1206][errno];
        }
        /* Postfix code by micro-gen collect errors */
        if (collect_errors_err != errno) {
            if (errno < 0 || errno >= MAX_ERRNO)
                ++collect_errors_cnter[MAX_ERRNO];
            else
                ++collect_errors_cnter[errno];
        }
        /* Postfix code by micro-gen function exectime */
        rdtsc(exectime_end);
        exectime[NO_FUNCTION] += exectime_end - exectime_start;
        /* Postfix code by micro-gen prototype */
        return ret;
    }

Figure 3. Wrapped function for abs.

4 Conclusion

We have described the HEALERS toolkit for increasing the robustness and security of existing software without source code access. The toolkit intercepts C library function calls and can provide transparent protection to many software systems. It uses automated fault injection experiments to detect robustness and security problems in a given piece of software. Based on the knowledge gathered from such experiments, it automatically generates software wrappers to fix a large percentage of such problems. The architecture of our system is flexible in that it can be configured to generate a variety of wrappers to satisfy the needs of different applications.

References

[1] Arash Baratloo, Navjot Singh, and Timothy Tsai. Transparent run-time defense against stack smashing attacks. In Proceedings of USENIX Annual Technical Conference, June.

[2] Subhachandra Chandra and Peter M. Chen. Whither generic recovery from application faults? A fault study using open-source software. In Proceedings of the 2000 International Conference on Dependable Systems and Networks.

[3] Christof Fetzer and Zhen Xiao. Detecting heap smashing attacks through fault containment wrappers. In Proceedings of the 20th IEEE Symposium on Reliable Distributed Systems, October.

[4] Christof Fetzer and Zhen Xiao. An automated approach to increasing the robustness of C libraries. In Proceedings of the International Conference on Dependable Systems and Networks, June.

[5] Christof Fetzer and Zhen Xiao. A flexible generator architecture for improving software dependability. In Proceedings of the International Symposium on Software Reliability Engineering, November.

[6] Philip Koopman and John DeVale. The exception handling effectiveness of POSIX operating systems. IEEE Transactions on Software Engineering, 26(9), Sep.
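The composition of micro-generators described in Section 2.3 and visible in Figure 3, as an added example rather than the HEALERS generator itself: prefix fragments are emitted in the order the features are listed and postfix fragments in the reverse order, so each feature brackets the call to the original function. The generator table, the shortened fragments and the function generate_wrapper are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* One micro-generator: a named feature that contributes a code fragment
   before the call (prefix) and after it (postfix). NULL means no fragment. */
struct micro_gen {
    const char *name;
    const char *prefix;
    const char *postfix;
};

/* Constructed table; the fragments are shortened from Figure 3. */
static const struct micro_gen GENERATORS[] = {
    { "prototype",
      "wctrans_t wctrans(const char* a1)\n{\n    wctrans_t ret;\n",
      "    return ret;\n}\n" },
    { "function exectime",
      "    unsigned long long exectime_start, exectime_end;\n"
      "    rdtsc(exectime_start);\n",
      "    rdtsc(exectime_end);\n" },
    { "call counter",
      "    ++call_counter_num_calls[1206];\n",
      NULL },
    { "caller",
      NULL,
      "    ret = (*addr_wctrans)(a1);\n" },
};

static const struct micro_gen *find(const char *name)
{
    size_t i;

    for (i = 0; i < sizeof GENERATORS / sizeof GENERATORS[0]; i++)
        if (strcmp(GENERATORS[i].name, name) == 0)
            return &GENERATORS[i];
    return NULL;
}

/* Append one labelled fragment; returns -1 if it does not fit in out. */
static int append(char *out, size_t cap, size_t *len, const char *kind,
                  const struct micro_gen *g, const char *code)
{
    int n;

    if (code == NULL)
        return 0;
    n = snprintf(out + *len, cap - *len, "/* %s code by micro-gen %s */\n%s",
                 kind, g->name, code);
    if (n < 0 || (size_t)n >= cap - *len)
        return -1;
    *len += (size_t)n;
    return 0;
}

/* Compose a wrapper from the listed features: prefixes in list order, then
   postfixes in reverse order. Returns 0, or -1 on an unknown feature name
   or when the output buffer is too small. */
int generate_wrapper(const char *const *features, size_t n,
                     char *out, size_t cap)
{
    size_t len = 0, i;

    if (cap == 0)
        return -1;
    out[0] = '\0';
    for (i = 0; i < n; i++) {
        const struct micro_gen *g = find(features[i]);
        if (g == NULL || append(out, cap, &len, "Prefix", g, g->prefix) != 0)
            return -1;
    }
    for (i = n; i-- > 0; ) {
        const struct micro_gen *g = find(features[i]);  /* validated above */
        if (append(out, cap, &len, "Postfix", g, g->postfix) != 0)
            return -1;
    }
    return 0;
}

int main(void)
{
    /* A profiling wrapper type: four of the features named in Section 2.3. */
    static const char *const profiling[] = {
        "prototype", "function exectime", "call counter", "caller"
    };
    char buf[2048];

    if (generate_wrapper(profiling, 4, buf, sizeof buf) != 0)
        return 1;
    fputs(buf, stdout);
    return 0;
}
```

Listing only "prototype" and "caller" yields a bare pass-through wrapper; adding a feature name adds its bracket around the call without touching the other fragments.
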

Keywords: 2013, IJARCSSE All Rights Reserved Page 451

Keywords: 2013, IJARCSSE All Rights Reserved Page 451 Volume 3, Issue 9, September 2013 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Vulnerability

More information

Objectives. Chapter 2: Operating-System Structures. Operating System Services (Cont.) Operating System Services. Operating System Services (Cont.

Objectives. Chapter 2: Operating-System Structures. Operating System Services (Cont.) Operating System Services. Operating System Services (Cont. Objectives To describe the services an operating system provides to users, processes, and other systems To discuss the various ways of structuring an operating system Chapter 2: Operating-System Structures

More information

Chapter 2: Operating-System Structures

Chapter 2: Operating-System Structures Chapter 2: Operating-System Structures Chapter 2: Operating-System Structures Operating System Services User Operating System Interface System Calls Types of System Calls System Programs Operating System

More information

Techniques for Evaluating the Robustness of Windows NT Software *

Techniques for Evaluating the Robustness of Windows NT Software * Techniques for Evaluating the Robustness of Windows NT Software * Matthew Schmid, Anup Ghosh, Frank Hill Reliable Software Technologies 21351 Ridgetop Circle, Suite 400, Dulles VA 20166 {mschmid, aghosh,

More information

CS3600 SYSTEMS AND NETWORKS

CS3600 SYSTEMS AND NETWORKS CS3600 SYSTEMS AND NETWORKS NORTHEASTERN UNIVERSITY Lecture 2: Operating System Structures Prof. Alan Mislove (amislove@ccs.neu.edu) Operating System Services Operating systems provide an environment for

More information

Real-Time Analytics on Large Datasets: Predictive Models for Online Targeted Advertising

Real-Time Analytics on Large Datasets: Predictive Models for Online Targeted Advertising Real-Time Analytics on Large Datasets: Predictive Models for Online Targeted Advertising Open Data Partners and AdReady April 2012 1 Executive Summary AdReady is working to develop and deploy sophisticated

More information

Example of Standard API

Example of Standard API 16 Example of Standard API System Call Implementation Typically, a number associated with each system call System call interface maintains a table indexed according to these numbers The system call interface

More information

Robustness Testing of the Microsoft Win32 API http://ballista.org

Robustness Testing of the Microsoft Win32 API http://ballista.org Robustness Testing of the Microsoft Win32 API http://ballista.org Charles P. Shelton cshelton@cmu.edu Philip Koopman koopman@cmu.edu - (412) 268-5225 - http://www.ices.cmu.edu/koopman Kobey DeVale,QVWLWXWH

More information

A Practical Method to Diagnose Memory Leaks in Java Application Alan Yu

A Practical Method to Diagnose Memory Leaks in Java Application Alan Yu A Practical Method to Diagnose Memory Leaks in Java Application Alan Yu 1. Introduction The Java virtual machine s heap stores all objects created by a running Java application. Objects are created by

More information

Get the Better of Memory Leaks with Valgrind Whitepaper

Get the Better of Memory Leaks with Valgrind Whitepaper WHITE PAPER Get the Better of Memory Leaks with Valgrind Whitepaper Memory leaks can cause problems and bugs in software which can be hard to detect. In this article we will discuss techniques and tools

More information

Buffer Overflow Vulnerability Detection in the Binary Code

Buffer Overflow Vulnerability Detection in the Binary Code Buffer Overflow Vulnerability Detection in the Binary Code Shehab Gamal El-Dien, Reda Salama, Ahmed Eshak shehab@ispofegypt.com, redasalama@hotmail.com, a_issac@sakhr.com Al-Azhar University, Faculty of

More information

Chapter 2 System Structures

Chapter 2 System Structures Chapter 2 System Structures Operating-System Structures Goals: Provide a way to understand an operating systems Services Interface System Components The type of system desired is the basis for choices

More information

A Tool for Mining Defect-Tracking Systems to Predict Fault-Prone Files

A Tool for Mining Defect-Tracking Systems to Predict Fault-Prone Files A Tool for Mining Defect-Tracking Systems to Predict Fault-Prone Files Thomas J. Ostrand AT&T Labs - Research 180 Park Avenue Florham Park, NJ 07932 ostrand@research.att.com Elaine J. Weyuker AT&T Labs

More information

Auditing a Web Application. Brad Ruppert. SANS Technology Institute GWAS Presentation 1

Auditing a Web Application. Brad Ruppert. SANS Technology Institute GWAS Presentation 1 Auditing a Web Application Brad Ruppert SANS Technology Institute GWAS Presentation 1 Objectives Define why application vulnerabilities exist Address Auditing Approach Discuss Information Interfaces Walk

More information

How do Users and Processes interact with the Operating System? Services for Processes. OS Structure with Services. Services for the OS Itself

How do Users and Processes interact with the Operating System? Services for Processes. OS Structure with Services. Services for the OS Itself How do Users and Processes interact with the Operating System? Users interact indirectly through a collection of system programs that make up the operating system interface. The interface could be: A GUI,

More information

Testing Web Services for Robustness: A Tool Demo

Testing Web Services for Robustness: A Tool Demo Testing Web Services for Robustness: A Tool Demo Nuno Laranjeiro, Marco Vieira To cite this version: Nuno Laranjeiro, Marco Vieira. Testing Web Services for Robustness: A Tool Demo. Hélène WAESELYNCK.

More information

Building Applications Using Micro Focus COBOL

Building Applications Using Micro Focus COBOL Building Applications Using Micro Focus COBOL Abstract If you look through the Micro Focus COBOL documentation, you will see many different executable file types referenced: int, gnt, exe, dll and others.

More information

Reduces development time by 90%

Reduces development time by 90% Symphonia. Symphonia Messaging Toolkit A developer s productivity tool that Reduces development time by 90% Message Definition Huge Message Libraries Message Testing - Explorer Symphonia Engine (processes

More information

DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES

DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES By Michael Crouse Dr. Errin W. Fulp, Ph.D., Advisor Abstract The increasingly high volume of users on the web and their use of web

More information

Computer System Structure

Computer System Structure Computer System Structure Reading: Silberschatz chapter 3 Additional Reading: Stallings chapter 2 EEL 602 1 Outline OS Services User Interfaces System Call OS Design OS Implementation System Structure

More information

A system is a set of integrated components interacting with each other to serve a common purpose.

A system is a set of integrated components interacting with each other to serve a common purpose. SYSTEM DEVELOPMENT AND THE WATERFALL MODEL What is a System? (Ch. 18) A system is a set of integrated components interacting with each other to serve a common purpose. A computer-based system is a system

More information

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration

More information

unless the manufacturer upgrades the firmware, whereas the effort is repeated.

unless the manufacturer upgrades the firmware, whereas the effort is repeated. Software Validation in Accredited Laboratories A Practical Guide Gregory D. Gogates Fasor Inc., 3101 Skippack Pike, Lansdale, Pennsylvania 19446-5864 USA g.gogates@ieee.org www.fasor.com Abstract Software

More information

MITRE Baseline Configuration System Implementation Plan

MITRE Baseline Configuration System Implementation Plan MITRE Baseline Configuration System Implementation Plan FINAL REVISION, October 8, 2008 Purdue University, CS 307, Fall 2008 Team MITRE: Catherine Brown Michael Dunn Mark Nowicki David Tittle TABLE OF

More information

Last Updated: July 2011. STATISTICA Enterprise Server Security

Last Updated: July 2011. STATISTICA Enterprise Server Security Last Updated: July 2011 STATISTICA Enterprise Server Security STATISTICA Enterprise Server Security Page 2 of 10 Table of Contents Executive Summary... 3 Introduction to STATISTICA Enterprise Server...

More information

Keyword: Cloud computing, service model, deployment model, network layer security.

Keyword: Cloud computing, service model, deployment model, network layer security. Volume 4, Issue 2, February 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com An Emerging

More information

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture Last Class: OS and Computer Architecture System bus Network card CPU, memory, I/O devices, network card, system bus Lecture 3, page 1 Last Class: OS and Computer Architecture OS Service Protection Interrupts

More information

Performance and Load Testing. >>>>>>>>>>>>>>>>>>>>>> www.softwaretestinggenius.com <<<<<<<<<<<<<<<<<<<<<<

Performance and Load Testing. >>>>>>>>>>>>>>>>>>>>>> www.softwaretestinggenius.com <<<<<<<<<<<<<<<<<<<<<< Performance and Load Testing Part 1 Performance & Load Testing Basics Performance & Load Testing Basics Introduction to Performance Testing Difference between Performance, Load and Stress Testing Why Performance

More information

Performance Management Platform

Performance Management Platform Open EMS Suite by Nokia Performance Management Platform Functional Overview Version 1.4 Nokia Siemens Networks 1 (16) Performance Management Platform The information in this document is subject to change

More information

Payment Card Industry (PCI) Terminal Software Security. Best Practices

Payment Card Industry (PCI) Terminal Software Security. Best Practices Payment Card Industry (PCI) Terminal Software Security Best Version 1.0 December 2014 Document Changes Date Version Description June 2014 Draft Initial July 23, 2014 Core Redesign for core and other August

More information

Operating System Structures

Operating System Structures COP 4610: Introduction to Operating Systems (Spring 2015) Operating System Structures Zhi Wang Florida State University Content Operating system services User interface System calls System programs Operating

More information

International Journal of Enterprise Computing and Business Systems ISSN (Online) : 2230-8849

International Journal of Enterprise Computing and Business Systems ISSN (Online) : 2230-8849 WINDOWS-BASED APPLICATION AWARE NETWORK INTERCEPTOR Ms. Shalvi Dave [1], Mr. Jimit Mahadevia [2], Prof. Bhushan Trivedi [3] [1] Asst.Prof., MCA Department, IITE, Ahmedabad, INDIA [2] Chief Architect, Elitecore

More information

Hadoop Technology for Flow Analysis of the Internet Traffic

Hadoop Technology for Flow Analysis of the Internet Traffic Hadoop Technology for Flow Analysis of the Internet Traffic Rakshitha Kiran P PG Scholar, Dept. of C.S, Shree Devi Institute of Technology, Mangalore, Karnataka, India ABSTRACT: Flow analysis of the internet

More information

Operating Systems and Networks

Operating Systems and Networks recap Operating Systems and Networks How OS manages multiple tasks Virtual memory Brief Linux demo Lecture 04: Introduction to OS-part 3 Behzad Bordbar 47 48 Contents Dual mode API to wrap system calls

More information

Discovering passwords in the memory

Discovering passwords in the memory Discovering passwords in the memory Abhishek Kumar (abhishek.kumar@paladion.net) November 2003 Escalation of privileges is a common method of attack where a low privileged user exploits a vulnerability

More information

Writing Portable Programs COS 217

Writing Portable Programs COS 217 Writing Portable Programs COS 217 1 Goals of Today s Class Writing portable programs in C Sources of heterogeneity Data types, evaluation order, byte order, char set, Reading period and final exam Important

More information

Software Requirements Specification

Software Requirements Specification METU DEPARTMENT OF COMPUTER ENGINEERING Software Requirements Specification SNMP Agent & Network Simulator Mustafa İlhan Osman Tahsin Berktaş Mehmet Elgin Akpınar 05.12.2010 Table of Contents 1. Introduction...

More information

A prototype infrastructure for D Spin Services based on a flexible multilayer architecture

A prototype infrastructure for D Spin Services based on a flexible multilayer architecture A prototype infrastructure for D Spin Services based on a flexible multilayer architecture Volker Boehlke 1,, 1 NLP Group, Department of Computer Science, University of Leipzig, Johanisgasse 26, 04103

More information

Optimization tools. 1) Improving Overall I/O

Optimization tools. 1) Improving Overall I/O Optimization tools After your code is compiled, debugged, and capable of running to completion or planned termination, you can begin looking for ways in which to improve execution speed. In general, the

More information

Achilles Assurance Platform. Dr. Nate Kube Founder / CTO Wurldtech

Achilles Assurance Platform. Dr. Nate Kube Founder / CTO Wurldtech Achilles Assurance Platform Dr. Nate Kube Founder / CTO Wurldtech Presentation Outline Statement of the Problem 3 rd Generation Achilles Assurance Platform Questions and Answers Achilles Certification

More information

VIRTUAL INSTRUMENTATION

VIRTUAL INSTRUMENTATION VIRTUAL INSTRUMENTATION João Paiva dos Santos joao.santos@ipbeja.pt Lab SPEPSI Instituto Politécnico de Beja Beja, 15th May, 2014 Overview What and why Hardware Software Some standards Remote use Example

More information

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA January 25, 2007 Contents Executive Summary...3 Introduction...4 Target Audience...4

More information

Instrumentation Software Profiling

Instrumentation Software Profiling Instrumentation Software Profiling Software Profiling Instrumentation of a program so that data related to runtime performance (e.g execution time, memory usage) is gathered for one or more pieces of the

More information

A FRAMEWORK FOR MANAGING RUNTIME ENVIRONMENT OF JAVA APPLICATIONS

A FRAMEWORK FOR MANAGING RUNTIME ENVIRONMENT OF JAVA APPLICATIONS A FRAMEWORK FOR MANAGING RUNTIME ENVIRONMENT OF JAVA APPLICATIONS Abstract T.VENGATTARAMAN * Department of Computer Science, Pondicherry University, Puducherry, India. A.RAMALINGAM Department of MCA, Sri

More information

USE OF OPEN SOURCE SOFTWARE AT THE NATIONAL LIBRARY OF AUSTRALIA

USE OF OPEN SOURCE SOFTWARE AT THE NATIONAL LIBRARY OF AUSTRALIA USE OF OPEN SOURCE SOFTWARE AT THE NATIONAL LIBRARY OF AUSTRALIA Reports on Special Subjects ABSTRACT The National Library of Australia has been a long-term user of open source software to support generic

More information

90% of data breaches are caused by software vulnerabilities.

90% of data breaches are caused by software vulnerabilities. 90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with

More information

Software Tracing of Embedded Linux Systems using LTTng and Tracealyzer. Dr. Johan Kraft, Percepio AB

Software Tracing of Embedded Linux Systems using LTTng and Tracealyzer. Dr. Johan Kraft, Percepio AB Software Tracing of Embedded Linux Systems using LTTng and Tracealyzer Dr. Johan Kraft, Percepio AB Debugging embedded software can be a challenging, time-consuming and unpredictable factor in development

More information

Component visualization methods for large legacy software in C/C++

Component visualization methods for large legacy software in C/C++ Annales Mathematicae et Informaticae 44 (2015) pp. 23 33 http://ami.ektf.hu Component visualization methods for large legacy software in C/C++ Máté Cserép a, Dániel Krupp b a Eötvös Loránd University mcserep@caesar.elte.hu

More information

Operating System Structure

Operating System Structure Operating System Structure Lecture 3 Disclaimer: some slides are adopted from the book authors slides with permission Recap Computer architecture CPU, memory, disk, I/O devices Memory hierarchy Architectural

More information

The EMSX Platform. A Modular, Scalable, Efficient, Adaptable Platform to Manage Multi-technology Networks. A White Paper.

The EMSX Platform. A Modular, Scalable, Efficient, Adaptable Platform to Manage Multi-technology Networks. A White Paper. The EMSX Platform A Modular, Scalable, Efficient, Adaptable Platform to Manage Multi-technology Networks A White Paper November 2002 Abstract: The EMSX Platform is a set of components that together provide

More information

DB2 Connect for NT and the Microsoft Windows NT Load Balancing Service

DB2 Connect for NT and the Microsoft Windows NT Load Balancing Service DB2 Connect for NT and the Microsoft Windows NT Load Balancing Service Achieving Scalability and High Availability Abstract DB2 Connect Enterprise Edition for Windows NT provides fast and robust connectivity

More information

Integrated System Monitoring and Recovering Tool for T-24 Core Banking Applications in Ethiopia

Integrated System Monitoring and Recovering Tool for T-24 Core Banking Applications in Ethiopia Integrated System Monitoring and Recovering Tool for T-24 Core Banking Applications in Ethiopia Anteneh Tadesse HiLCoE, Computer Science Programme, Ethiopia anteneht82@gmail.com Mesfin Kifle HiLCoE, Ethiopia

More information

Software Tender for Voice over IP Telephony SuperTel Incorporated

Software Tender for Voice over IP Telephony SuperTel Incorporated Software Tender for Voice over IP Telephony SuperTel Incorporated 1 Introduction The following sections together with an accompanying hardware interface description (HID) for SuperTel s new IP phone comprise

More information

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process Complete Web Application Security Phase1-Building Web Application Security into Your Development Process Table of Contents Introduction 3 Thinking of security as a process 4 The Development Life Cycle

More information

zen Platform technical white paper

zen Platform technical white paper zen Platform technical white paper The zen Platform as Strategic Business Platform The increasing use of application servers as standard paradigm for the development of business critical applications meant

More information

Confining the Apache Web Server with Security-Enhanced Linux

Confining the Apache Web Server with Security-Enhanced Linux Confining the Apache Web Server with Security-Enhanced Linux Michelle J. Gosselin, Jennifer Schommer mgoss@mitre.org, jschommer@mitre.org Keywords: Operating System Security, Web Server Security, Access

More information

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation Mathias Payer, ETH Zurich Motivation Applications often vulnerable to security exploits Solution: restrict application

More information

Performance Monitoring API for Java Enterprise Applications

Performance Monitoring API for Java Enterprise Applications Performance Monitoring API for Java Enterprise Applications Purpose Perfmon4j has been successfully deployed in hundreds of production java systems over the last 5 years. It has proven to be a highly successful

More information

Chapter 3 Operating-System Structures

Chapter 3 Operating-System Structures Contents 1. Introduction 2. Computer-System Structures 3. Operating-System Structures 4. Processes 5. Threads 6. CPU Scheduling 7. Process Synchronization 8. Deadlocks 9. Memory Management 10. Virtual

More information

Chapter Outline. Chapter 2 Distributed Information Systems Architecture. Middleware for Heterogeneous and Distributed Information Systems

Chapter Outline. Chapter 2 Distributed Information Systems Architecture. Middleware for Heterogeneous and Distributed Information Systems Prof. Dr.-Ing. Stefan Deßloch AG Heterogene Informationssysteme Geb. 36, Raum 329 Tel. 0631/205 3275 dessloch@informatik.uni-kl.de Chapter 2 Architecture Chapter Outline Distributed transactions (quick

More information

TN203. Porting a Program to Dynamic C. Introduction

TN203. Porting a Program to Dynamic C. Introduction TN203 Porting a Program to Dynamic C Introduction Dynamic C has a number of improvements and differences compared to many other C compiler systems. This application note gives instructions and suggestions

More information

Course: Introduction to Java Using Eclipse Training

Course: Introduction to Java Using Eclipse Training Course: Introduction to Java Using Eclipse Training Course Length: Duration: 5 days Course Code: WA1278 DESCRIPTION: This course introduces the Java programming language and how to develop Java applications

More information

The Advantages of Block-Based Protocol Analysis for Security Testing

The Advantages of Block-Based Protocol Analysis for Security Testing The Advantages of Block-Based Protocol Analysis for Security Testing Dave Aitel Immunity,Inc. 111 E. 7 th St. Suite 64, NY NY 10009, USA dave@immunitysec.com February, 4 2002 Abstract. This paper describes

More information

N-Variant Systems. Slides extracted from talk by David Evans. (provenance in footer) http://www.cs.virginia.edu/evans/sdwest

N-Variant Systems. Slides extracted from talk by David Evans. (provenance in footer) http://www.cs.virginia.edu/evans/sdwest 1 N-Variant Systems Slides extracted from talk by David Evans (provenance in footer) 2 Inevitability of Failure Despite all the best efforts to build secure software, we will still fail (or have to run

More information

A New Mechanism for Service Recovery Technology by using Recovering Service s Data

A New Mechanism for Service Recovery Technology by using Recovering Service s Data A New Mechanism for Service Recovery Technology by using Recovering Service s Data Monire Norouzi Department of Computer Engineering, Shabestar Branch, Islamic Azad University, Shabestar, Iran Monire_norouzi@yahoo.com

More information

Exploiting nginx chunked overflow bug, the undisclosed attack vector

Exploiting nginx chunked overflow bug, the undisclosed attack vector Exploiting nginx chunked overflow bug, the undisclosed attack vector Long Le longld@vnsecurity.net About VNSECURITY.NET CLGT CTF team 2 VNSECURITY.NET In this talk Nginx brief introduction Nginx chunked

More information

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit Bug hunting Vulnerability finding methods in Windows 32 environments compared FX of Phenoelit The goal: 0day What we are looking for: Handles network side input Runs on a remote system Is complex enough

More information

Documentum Developer Program

Documentum Developer Program Program Enabling Logging in DFC Applications Using the com.documentum.fc.common.dflogger class April 2003 Program 1/5 The Documentum DFC class, DfLogger is available with DFC 5.1 or higher and can only

More information

evm Virtualization Platform for Windows

evm Virtualization Platform for Windows B A C K G R O U N D E R evm Virtualization Platform for Windows Host your Embedded OS and Windows on a Single Hardware Platform using Intel Virtualization Technology April, 2008 TenAsys Corporation 1400

More information

A Tool for Evaluation and Optimization of Web Application Performance

A Tool for Evaluation and Optimization of Web Application Performance A Tool for Evaluation and Optimization of Web Application Performance Tomáš Černý 1 cernyto3@fel.cvut.cz Michael J. Donahoo 2 jeff_donahoo@baylor.edu Abstract: One of the main goals of web application

More information

Detection of Distributed Denial of Service Attack with Hadoop on Live Network

Detection of Distributed Denial of Service Attack with Hadoop on Live Network Detection of Distributed Denial of Service Attack with Hadoop on Live Network Suchita Korad 1, Shubhada Kadam 2, Prajakta Deore 3, Madhuri Jadhav 4, Prof.Rahul Patil 5 Students, Dept. of Computer, PCCOE,

More information

Mary E. Shacklett President Transworld Data

Mary E. Shacklett President Transworld Data Transworld Data Mary E. Shacklett President Transworld Data For twenty-five years, Transworld Data has performed technology analytics, market research and IT consulting on every world continent, including

More information

Levels of Software Testing. Functional Testing

Levels of Software Testing. Functional Testing Levels of Software Testing There are different levels during the process of Testing. In this chapter a brief description is provided about these levels. Levels of testing include the different methodologies

More information

11.1 inspectit. 11.1. inspectit

11.1 inspectit. 11.1. inspectit 11.1. inspectit Figure 11.1. Overview on the inspectit components [Siegl and Bouillet 2011] 11.1 inspectit The inspectit monitoring tool (website: http://www.inspectit.eu/) has been developed by NovaTec.

More information

TMT SOFTWARE REQUIREMENTS FOR LOW-LEVEL SUBSYSTEMS

TMT SOFTWARE REQUIREMENTS FOR LOW-LEVEL SUBSYSTEMS TMT SOFTWARE REQUIREMENTS FOR LOW-LEVEL SUBSYSTEMS TMT.SFT.DRD.12.001.REL05 October 15, 2012 TMT.SFT.DRD.12.001.REL05 PAGE 2 OF 16 TABLE OF CONTENTS 1 INTRODUCTION 4 1.1 Purpose... 4 1.2 Scope... 4 1.3

More information

DMS Performance Tuning Guide for SQL Server

DMS Performance Tuning Guide for SQL Server DMS Performance Tuning Guide for SQL Server Rev: February 13, 2014 Sitecore CMS 6.5 DMS Performance Tuning Guide for SQL Server A system administrator's guide to optimizing the performance of Sitecore

More information

Lotus Domino 8 Monitoring and Maintenance

Lotus Domino 8 Monitoring and Maintenance Lotus Domino 8 Monitoring and Maintenance Course Title Course Code Lotus Domino 8 Monitoring and Maintenance DSMM8 Duration 02 days Course Fee Call to Request Instructor Certified Lotus Instructor or Certified

More information

GUI Test Automation How-To Tips

GUI Test Automation How-To Tips www. routinebot.com AKS-Labs - Page 2 - It s often said that First Impression is the last impression and software applications are no exception to that rule. There is little doubt that the user interface

More information

Whither Generic Recovery from Application Faults? A Fault Study using Open-Source Software

Whither Generic Recovery from Application Faults? A Fault Study using Open-Source Software Proceedings of the 2000 International Conference on Dependable Systems and Networks / Symposium on Fault-Tolerant Computing (FTCS) Whither Generic Recovery from Application Faults? A Fault Study using

More information

In this Lecture you will Learn: Implementation. Software Implementation Tools. Software Implementation Tools

In this Lecture you will Learn: Implementation. Software Implementation Tools. Software Implementation Tools In this Lecture you will Learn: Implementation Chapter 19 About tools used in software implementation How to draw component diagrams How to draw deployment diagrams The tasks involved in testing a system

More information

Test Specification. Introduction

Test Specification. Introduction Test Specification Introduction Goals and Objectives GameForge is a graphical tool used to aid in the design and creation of video games. A user with little or no experience with Microsoft DirectX and/or

More information

Generic Log Analyzer Using Hadoop Mapreduce Framework

Generic Log Analyzer Using Hadoop Mapreduce Framework Generic Log Analyzer Using Hadoop Mapreduce Framework Milind Bhandare 1, Prof. Kuntal Barua 2, Vikas Nagare 3, Dynaneshwar Ekhande 4, Rahul Pawar 5 1 M.Tech(Appeare), 2 Asst. Prof., LNCT, Indore 3 ME,

More information

Fundamentals of LoadRunner 9.0 (2 Days)

Fundamentals of LoadRunner 9.0 (2 Days) Fundamentals of LoadRunner 9.0 (2 Days) Quality assurance engineers New users of LoadRunner who need to load test their applications and/or executives who will be involved in any part of load testing.

More information

Adapting C++ Exception Handling to an Extended COM Exception Model

Adapting C++ Exception Handling to an Extended COM Exception Model Adapting C++ Exception Handling to an Extended COM Exception Model Bjørn Egil Hansen DNV AS, DT 990 Risk Management Software Palace House, 3 Cathedral Street, London SE1 9DE, UK Bjorn.Egil.Hansen@dnv.com

More information

Summary of the SEED Labs For Authors and Publishers

Summary of the SEED Labs For Authors and Publishers SEED Document 1 Summary of the SEED Labs For Authors and Publishers Wenliang Du, Syracuse University To help authors reference our SEED labs in their textbooks, we have created this document, which provides

More information

A generic framework for game development

A generic framework for game development A generic framework for game development Michael Haller FH Hagenberg (MTD) AUSTRIA haller@hagenberg.at Werner Hartmann FAW, University of Linz AUSTRIA werner.hartmann@faw.unilinz.ac.at Jürgen Zauner FH

More information

Additional Information: A link to the conference website is available at: http://www.curtin.edu.my/cutse2008/index.html

Additional Information: A link to the conference website is available at: http://www.curtin.edu.my/cutse2008/index.html Citation: Veeramani, S. and Gopal, Lenin. 2008. Network monitoring tool, in Curtin University of Technology (ed), Curtin University of Technology Science and Engineering International Conference CUTSE

More information

System Structures. Services Interface Structure

System Structures. Services Interface Structure System Structures Services Interface Structure Operating system services (1) Operating system services (2) Functions that are helpful to the user User interface Command line interpreter Batch interface

More information

Log Analysis Software Architecture

Log Analysis Software Architecture Log Analysis Software Architecture Contents 1 Introduction 1 2 Definitions 2 3 Software goals 2 4 Requirements 2 4.1 User interaction.......................................... 3 4.2 Log file reading..........................................

More information

Operations Manager 2012 Administration Bootcamp

Operations Manager 2012 Administration Bootcamp Operations Manager 2012 Administration Bootcamp Number of Days: Four (4) Prerequisites: Before attending this course, students should have: MCITP certification, or equivalent knowledge The course materials,

More information

Evaluation of Web Security Mechanisms Using Inline Scenario & Online Scenario

Evaluation of Web Security Mechanisms Using Inline Scenario & Online Scenario Evaluation of Web Security Mechanisms Using Inline Scenario & Online Scenario M. Durai Ganesh (Research Scholars) Information Technology, St. Peter s University, Chennai- 54, Tamil Nadu, India Dr. G.Gunasekaran,

More information

Hardening Joomla 1. HARDENING PHP. 1.1 Installing Suhosin. 1.2 Disable Remote Includes. 1.3 Disable Unneeded Functions & Classes

Hardening Joomla 1. HARDENING PHP. 1.1 Installing Suhosin. 1.2 Disable Remote Includes. 1.3 Disable Unneeded Functions & Classes 1. HARDENING PHP Hardening Joomla 1.1 Installing Suhosin Suhosin is a PHP Hardening patch which aims to protect the PHP engine and runtime environment from common exploits, such as buffer overflows in

More information

Automating Security Testing. Mark Fallon Senior Release Manager Oracle

Automating Security Testing. Mark Fallon Senior Release Manager Oracle Automating Security Testing Mark Fallon Senior Release Manager Oracle Some Ground Rules There are no silver bullets You can not test security into a product Testing however, can help discover a large percentage

More information

Exception Handling In Web Development. 2003-2007 DevelopIntelligence LLC

Exception Handling In Web Development. 2003-2007 DevelopIntelligence LLC Exception Handling In Web Development 2003-2007 DevelopIntelligence LLC Presentation Topics What are Exceptions? How are they handled in Java development? JSP Exception Handling mechanisms What are Exceptions?

More information

A Design and Implementation of a Web Server Log File Analyzer

A Design and Implementation of a Web Server Log File Analyzer A Design and Implementation of a Web Server Log File Analyzer Yu-Hsin Cheng 1, Chien-Hung Huang 2 1 Department of Information Management, Ling Tung University No. 1, Ling tung Rd., Taichung, Taiwan 2 Department

More information

EECS 354 Network Security. Introduction

EECS 354 Network Security. Introduction EECS 354 Network Security Introduction Why Learn To Hack Understanding how to break into computer systems allows you to better defend them Learn how to think like an attacker Defense then becomes second-nature

More information

Between Mutual Trust and Mutual Distrust: Practical Fine-grained Privilege Separation in Multithreaded Applications

Between Mutual Trust and Mutual Distrust: Practical Fine-grained Privilege Separation in Multithreaded Applications Between Mutual Trust and Mutual Distrust: Practical Fine-grained Privilege Separation in Multithreaded Applications Jun Wang, Xi Xiong, Peng Liu Penn State Cyber Security Lab 1 An inherent security limitation

More information

Globule: a Platform for Self-Replicating Web Documents

Globule: a Platform for Self-Replicating Web Documents Globule: a Platform for Self-Replicating Web Documents Guillaume Pierre Maarten van Steen Vrije Universiteit, Amsterdam Internal report IR-483 January 2001 Abstract Replicating Web documents at a worldwide

More information

Linux Overview. Amir Hossein Payberah

Linux Overview. Amir Hossein Payberah Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux Distributions Linux vs Windows Linux Architecture Linux Security 2 What is Linux? Similar Operating System To Microsoft

More information

Secure Software Programming and Vulnerability Analysis

Secure Software Programming and Vulnerability Analysis Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Testing and Source Code Auditing Secure Software Programming 2 Overview

More information