Real World Software Assurance Test Suite: STONESOUP


1 Real World Software Assurance Test Suite: STONESOUP. Charles Oliveira / SAMATE, Guest Researcher at the Software and Systems Division, IT Laboratory, NIST

2 Outline
- Introduction
- STONESOUP program
- Test suite
- Test case sample
- TEXAS usage
- Documents and reports

3 Introduction - SOUP
An application is built on 3rd party software:
- Open source libs: libssl, libxml, libpq, ...
- Frameworks: Java/Spring, C++/Boost, PHP/Zend, ...
- Standalone apps: Apache, Postgres, drivers, ...
Is this Software Of Unknown Provenance (SOUP) safe?

4 STONESOUP program: Securely Taking On New Executable Software Of Uncertain Provenance (STONESOUP)

5 STONESOUP program
The goal of the STONESOUP program was to eliminate the effects of vulnerabilities in software applications by:
- extending the scope and capability of approaches for analysis, confinement, and diversification;
- addressing a wide range of security vulnerabilities within the same framework;
- integrating approaches to leverage the strengths and weaknesses of each;
- adding no more than 10% running time slowdown.

6 STONESOUP program
- Phase 1: Neutralize 75% of vulnerabilities of 2 weakness types in 10k SLOC programs
- Phase 2: Neutralize 80%+ of vulnerabilities of 4 weakness types in 100k SLOC programs
- Phase 3: Neutralize 90%+ of vulnerabilities of 6 weakness types in 500k SLOC programs
Phase 3 performers were those that made significant progress in Phase 2 as measured by the program metrics. The three teams and the names of their developmental tools are:
- Kestrel Institute - VIBRANCE
- Columbia University - Minestrone
- Grammatech - PEASOUP

7 STONESOUP program - Performers
STONESOUP performers neutralize vulnerabilities in:

8 STONESOUP program - Test & Evaluation System
- The Test & Evaluation execution and Analysis System (TEXAS) was designed and developed to test performer technology
- Developed by the STONESOUP team
- Command Line Interface (CLI) to run and evaluate test cases
- Communication API to interact with performers' tools

9 Test suite - Base programs
GNU Tree, GNU Grep, JTree (the slide shows the number of test cases per base program in red circles)

10 Test suite - CWEs for C programs
Weakness types, 56 CWEs in total (every CWE entry on the slides is tagged (2.8)):
- Concurrency handling (765)
- Injection (701)
- Number handling (725)
- Resource drains (733)
- Memory corruption (965)
- Null pointer (693)

11 Test suite - CWEs for C programs - Concurrency handling (765)
- CWE-363: Race Condition Enabling Link Following
- CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
- CWE-412: Unrestricted Externally Accessible Lock
- CWE-414: Missing Lock Check
- CWE-543: Use of Singleton Pattern Without Synchronization in a Multithreaded Context
- CWE-609: Double-Checked Locking
- CWE-663: Use of a Non-reentrant Function in a Concurrent Context
- CWE-764: Multiple Locks of a Critical Resource
- CWE-765: Multiple Unlocks of a Critical Resource
- CWE-820: Missing Synchronization
- CWE-821: Incorrect Synchronization
- CWE-833: Deadlock
- CWE-831: Signal Handler Function Associated with Multiple Signals
- CWE-828: Signal Handler with Functionality that is not Asynchronous-Safe
- CWE-479: Signal Handler Use of a Non-reentrant Function

12 Test suite - CWEs for C programs - Injection (701)
- CWE-078: OS Command Injection
- CWE-088: Argument Injection or Modification
- CWE-089: SQL Injection

13 Test suite - CWEs for C programs - Number handling (725)
- CWE-190: Integer Overflow or Wraparound
- CWE-191: Integer Underflow (Wrap or Wraparound)
- CWE-194: Unexpected Sign Extension
- CWE-195: Signed to Unsigned Conversion Error
- CWE-196: Unsigned to Signed Conversion Error
- CWE-197: Numeric Truncation Error
- CWE-369: Divide By Zero
- CWE-682: Incorrect Calculation
- CWE-839: Numeric Range Comparison Without Minimum Check

14 Test suite - CWEs for C programs - Resource drains (733)
- CWE-400: Resource Exhaustion
- CWE-459: Incomplete Cleanup
- CWE-674: Uncontrolled Recursion
- CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling
- CWE-789: Uncontrolled Memory Allocation
- CWE-834: Excessive Iteration
- CWE-835: Infinite Loop
- CWE-401: Memory Leak
- CWE-771: Missing Reference to Active Allocated Resource
- CWE-773: Missing Reference to Active File Descriptor or Handle
- CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime

15 Test suite - CWEs for C programs - Memory corruption (965)
- CWE-120: Classic Buffer Overflow
- CWE-124: Buffer Underflow
- CWE-126: Buffer Over-read
- CWE-127: Buffer Under-read
- CWE-129: Improper Validation of Array Index
- CWE-134: Uncontrolled Format String
- CWE-170: Improper Null Termination
- CWE-415: Double Free
- CWE-416: Use After Free
- CWE-590: Free of Memory not on the Heap
- CWE-761: Free of Pointer not at Start of Buffer
- CWE-785: Use of Path Manipulation Function without Maximum-sized Buffer
- CWE-805: Buffer Access with Incorrect Length Value
- CWE-806: Buffer Access Using Size of Source Buffer
- CWE-822: Untrusted Pointer Dereference
- CWE-824: Access of Uninitialized Pointer
- CWE-843: Type Confusion

16 Test suite - CWEs for C programs - Null pointer (693)
- CWE-476: NULL Pointer Dereference

17 Test suite - CWEs for Java programs
Weakness types, 50 CWEs in total (every CWE entry on the slides is tagged (2.8)):
- Concurrency handling (568)
- Injection (526)
- Number handling (532)
- Resource drains (532)
- Error handling (532)
- Tainted data (498)

18 Test suite - CWEs for Java programs - Concurrency handling (568)
- CWE-363: Race Condition Enabling Link Following
- CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
- CWE-412: Unrestricted Externally Accessible Lock
- CWE-414: Missing Lock Check
- CWE-543: Use of Singleton Pattern Without Synchronization in a Multithreaded Context
- CWE-609: Double-Checked Locking
- CWE-663: Use of a Non-reentrant Function in a Concurrent Context
- CWE-764: Multiple Locks of a Critical Resource
- CWE-765: Multiple Unlocks of a Critical Resource
- CWE-820: Missing Synchronization
- CWE-821: Incorrect Synchronization
- CWE-833: Deadlock
- CWE-832: Unlock of a Resource that is not Locked
- CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context
- CWE-572: Call to Thread run() instead of start()

19 Test suite - CWEs for Java programs - Injection (526)
- CWE-078: OS Command Injection
- CWE-088: Argument Injection or Modification
- CWE-089: SQL Injection
- CWE-564: SQL Injection: Hibernate

20 Test suite - CWEs for Java programs - Number handling (532)
- CWE-190: Integer Overflow or Wraparound
- CWE-191: Integer Underflow (Wrap or Wraparound)
- CWE-194: Unexpected Sign Extension
- CWE-195: Signed to Unsigned Conversion Error
- CWE-196: Unsigned to Signed Conversion Error
- CWE-197: Numeric Truncation Error
- CWE-369: Divide By Zero
- CWE-839: Numeric Range Comparison Without Minimum Check

21 Test suite - CWEs for Java programs - Resource drains (532)
- CWE-400: Resource Exhaustion
- CWE-459: Incomplete Cleanup
- CWE-674: Uncontrolled Recursion
- CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling
- CWE-789: Uncontrolled Memory Allocation
- CWE-834: Excessive Iteration
- CWE-835: Infinite Loop

22 Test suite - CWEs for Java programs - Error handling (532)
- CWE-209: Information Exposure Through an Error Message
- CWE-248: Uncaught Exception
- CWE-252: Unchecked Return Value
- CWE-253: Incorrect Check of Function Return Value
- CWE-390: Detection of Error Condition Without Action
- CWE-391: Unchecked Error Condition
- CWE-460: Improper Cleanup on Thrown Exception
- CWE-584: Return Inside Finally Block

23 Test suite - CWEs for Java programs - Tainted data (498)
- CWE-023: Relative Path Traversal
- CWE-036: Absolute Path Traversal
- CWE-041: Improper Resolution of Path Equivalence
- CWE-606: Unchecked Input for Loop Condition

24 Test suite - Base programs
- Total of 7770 test cases, which generates ~240GB compressed!
- The STONESOUP Test and Evaluation team (T&E) used 277 independent virtual machines simultaneously on Amazon Web Services between April and December 2014 for performers to run the test cases.
- The NIST VM is 22GB and contains test cases patched from the base program.
- The strategy was to patch the test cases, distributing .diff files instead of whole copies of each base program.

25 Test suite - Virtual Machine (VMware)
- Download (11x2GB) at
- OS: Ubuntu. CPU: 4 VCPU recommended. Memory: 4GB (8GB recommended). Storage: 59GB total / 41GB used / 16GB available.
- Inside the NIST_TT_VM folder there is a document with the login and password for the VM.
- Important directories:
  - /opt/stonesoup: contains the entire NIST STONESOUP package, including scripts and documents
  - /opt/share: contains a TEXAS installation, test cases (diffs), base programs and all their dependencies
- Performers' tools are not in the VM.

26 Test case sample (from the virtual machine)
- Pick a test case in /opt/share/testcases/
- Chosen: C-C476C-SUBV-03-ST01-DT05-DF10-CF22-01
The slides highlight the identifier one field at a time, left to right:
- Language: C or Java
- CWE: CWE-476: NULL Pointer Dereference
- Algorithmic variant: refined CWEs mapped to a code snippet previously defined by the T&E team
- Base program (SUBV): CMUD Coffee MUD, CTRE GNU Tree, FFMP FFMpeg, GIMP Gimp, GREP GNU Grep, OSSL OpenSSL, PSQL Postgres, SUBV Apache Subversion, WIRE Wireshark, ELAS Elastic Search, JMET Apache JMeter, JENA Apache Jena, JTRE Java Tree, LENY Apache Lenya, LUCE Apache Lucene, POIX Apache POI
- Injection point: represents specific locations in the base program that are guaranteed to be executed given the defined I/O pairs. Identifiers reference different injection points in each base program.
- Taint source: 01 ENVIRONMENT_VARIABLE, 02 FILE_CONTENTS, 03 SOCKET, 04 SHARED_MEMORY
- Data type: 01 ARRAY, 02 SIMPLE, 03 VOID_POINTER, 04 HEAP_POINTER, 05 STRUCT, 06 TYPEDEF, 07 UNION
- Data flow (codes shown on the slide): 01 ADDRESS_ALIAS_1, 05 ADDRESS_AS_CONSTANT, 06 ADDRESS_AS_FUNCTION_RETURN_VALUE, 10 INDEX_ALIAS_50, 11 BASIC, 12 VAR_ARG_LIST, 17 BUFFER_ADDRESS_POINTER, 18 JAVA_GENERICS
- Control flow (codes shown on the slide): 01 INTERCLASS_1, 08 INTERFILE_1, 12 INTERPROCEDURAL_1, 16 INTERRUPT, 18 POINTER_TO_FUNCTION, 19 RECURSIVE, 22 MACROS, 26 FUNCT_INVOC_OVERLOAD
- Unique increment: incremented when multiple test cases share all of the parameters above.

37 Test case sample (from the virtual machine) - Browsing the test case
- install/: installation files for this test case
- scripts/: specific scripts to manage the running process
- src/: the entire base program plus the files seeded with intentional weaknesses
- testdata/: input data which will [and won't] trigger the seeded weakness
- testoutput/: matching output data for each input
- C-C476C-SUBV-03-ST01-DT05-DF10-CF22-01.xml: TEXAS makefile
- C-C476C-SUBV-03-ST01-DT05-DF10-CF22-01.yaml: benign and exploiting inputs

38 TEXAS usage
Stage 1: standard compilation. Stage 2: compilation with performer technology. The pipeline is Analysis/Compilation, then Execution, then Scoring, driven by the I/O pairs.
- Analysis/Compilation: the source code or binary of a program is scanned for CWE code patterns, and diversification techniques are applied to harden the resulting binary. The output of the Analysis phase is a binary executable.
- Execution: run once for each I/O pair; it invokes the binary created in the Analysis step with known inputs. Performer technology may also monitor the execution of the binary to look for execution patterns indicative of an attack in progress or a software vulnerability.
- Scoring: executed immediately after the Execution step; it looks at the environment for the known outputs defined in the metadata for the I/O pair that was executed.
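An added Python harness, not TEXAS itself, that mirrors the Execution and Scoring steps: two constructed stand-in programs play the Stage 1 (standard) and Stage 2 (hardened) builds of a program seeded with a CWE-476-style missing null check, and each is run over constructed I/O pairs in the shape of the test case's .yaml (benign and exploiting inputs with their known outputs). The pass rule (exit status 0 and stdout equal to the known output) and the known output for the exploiting input are assumptions.

```python
"""Run a program over I/O pairs and score it the way the TEXAS slide describes.

Added example, not TEXAS code. Execution: invoke the 'binary' with each known
input. Scoring: compare what came out with the known output for that pair.
The two stand-in programs and the I/O pairs are constructed for this example.
"""
import subprocess
import sys
from dataclasses import dataclass

# Stand-in for the Stage 1 build: the seeded weakness dereferences the lookup
# result without checking for None (the CWE-476 pattern of the chosen test case).
STAGE1_PROGRAM = r"""
import re, sys
data = sys.stdin.read()
m = re.search(r"^name=(\w+)$", data, re.M)
print("hello " + m.group(1))
"""

# Stand-in for the Stage 2 build: the performer technology has neutralized the
# weakness, here modelled as the missing check being supplied.
STAGE2_PROGRAM = r"""
import re, sys
data = sys.stdin.read()
m = re.search(r"^name=(\w+)$", data, re.M)
print("hello " + (m.group(1) if m else "nobody"))
"""

# Constructed I/O pairs. Benign inputs must keep producing the known output
# (functionality preserved); the exploiting input's known output is what a
# neutralized run should print (assumed for this example).
IO_PAIRS = [
    {"name": "benign-1", "exploit": False, "input": "name=alice\n", "expected": "hello alice\n"},
    {"name": "benign-2", "exploit": False, "input": "x=1\nname=bob\n", "expected": "hello bob\n"},
    {"name": "exploit-1", "exploit": True, "input": "nam=eve\n", "expected": "hello nobody\n"},
]


@dataclass
class PairResult:
    name: str
    exploit: bool
    passed: bool
    returncode: int
    stdout: str
    stderr: str


def execute(program: str, stdin: str, timeout: float = 10.0) -> subprocess.CompletedProcess:
    """Execution step: run the stand-in binary (a Python -c program) with the pair's input."""
    return subprocess.run([sys.executable, "-c", program], input=stdin,
                          capture_output=True, text=True, timeout=timeout)


def score_pair(program: str, pair: dict) -> PairResult:
    """Scoring step: a pair passes when the run exits cleanly with the known output."""
    try:
        proc = execute(program, pair["input"])
        rc, out, err = proc.returncode, proc.stdout, proc.stderr
    except subprocess.TimeoutExpired:  # a hang is a failure, not a pass
        rc, out, err = -1, "", "timeout"
    return PairResult(pair["name"], pair["exploit"], rc == 0 and out == pair["expected"], rc, out, err)


def _rate(results) -> float:
    return sum(r.passed for r in results) / len(results) if results else 0.0


def score_program(program: str, pairs=IO_PAIRS) -> dict:
    """Score every pair and summarise: functionality preserved vs. exploits neutralized."""
    results = [score_pair(program, p) for p in pairs]
    return {
        "results": results,
        "benign_preserved": _rate([r for r in results if not r.exploit]),
        "neutralized": _rate([r for r in results if r.exploit]),
    }


if __name__ == "__main__":
    for stage, prog in (("Stage 1 (standard)", STAGE1_PROGRAM), ("Stage 2 (hardened)", STAGE2_PROGRAM)):
        s = score_program(prog)
        print(f"{stage}: benign preserved {s['benign_preserved']:.0%}, "
              f"exploits neutralized {s['neutralized']:.0%}")
        for r in s["results"]:
            print(f"  {r.name:10} passed={r.passed} rc={r.returncode} out={r.stdout!r}")
```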

39 Documents & Reports
Main STONESOUP documents provided at the SARD website:
- Test and evaluation phase 3 final report
- Performers' reports
- Weaknesses documentation
- Test cases creation guide
- TEXAS user guides
Visit:

40 Questions? Charles Oliveira/SAMATE


More information

Advanced Endpoint Protection Overview

Advanced Endpoint Protection Overview Advanced Endpoint Protection Overview Advanced Endpoint Protection is a solution that prevents Advanced Persistent Threats (APTs) and Zero-Day attacks and enables protection of your endpoints by blocking

More information

General Introduction

General Introduction Managed Runtime Technology: General Introduction Xiao-Feng Li (xiaofeng.li@gmail.com) 2012-10-10 Agenda Virtual machines Managed runtime systems EE and MM (JIT and GC) Summary 10/10/2012 Managed Runtime

More information

The BackTrack Successor

The BackTrack Successor SCENARIOS Kali Linux The BackTrack Successor On March 13, Kali, a complete rebuild of BackTrack Linux, has been released. It has been constructed on Debian and is FHS (Filesystem Hierarchy Standard) complaint.

More information

Manual vs. Automated Vulnerability Assessment: ACaseStudy

Manual vs. Automated Vulnerability Assessment: ACaseStudy Manual vs. Automated Vulnerability Assessment: ACaseStudy JamesA.KupschandBartonP.Miller Computer Sciences Department, University of Wisconsin, Madison, WI, USA {kupsch,bart}@cs.wisc.edu Abstract The dream

More information

Payment Card Industry (PCI) Terminal Software Security. Best Practices

Payment Card Industry (PCI) Terminal Software Security. Best Practices Payment Card Industry (PCI) Terminal Software Security Best Version 1.0 December 2014 Document Changes Date Version Description June 2014 Draft Initial July 23, 2014 Core Redesign for core and other August

More information

Static Checking of C Programs for Vulnerabilities. Aaron Brown

Static Checking of C Programs for Vulnerabilities. Aaron Brown Static Checking of C Programs for Vulnerabilities Aaron Brown Problems 300% increase in reported software vulnerabilities SetUID programs Run with full access to the system Required to gain access to certain

More information

Testing for Security

Testing for Security Testing for Security Kenneth Ingham September 29, 2009 1 Course overview The threat that security breaches present to your products and ultimately your customer base can be significant. This course is

More information

The Advantages of Block-Based Protocol Analysis for Security Testing

The Advantages of Block-Based Protocol Analysis for Security Testing The Advantages of Block-Based Protocol Analysis for Security Testing Dave Aitel Immunity,Inc. 111 E. 7 th St. Suite 64, NY NY 10009, USA dave@immunitysec.com February, 4 2002 Abstract. This paper describes

More information

MA-WA1920: Enterprise iphone and ipad Programming

MA-WA1920: Enterprise iphone and ipad Programming MA-WA1920: Enterprise iphone and ipad Programming Description This 5 day iphone training course teaches application development for the ios platform. It covers iphone, ipad and ipod Touch devices. This

More information

Adobe Systems Incorporated

Adobe Systems Incorporated Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...

More information

COURSE OUTLINE Survey of Operating Systems

COURSE OUTLINE Survey of Operating Systems Butler Community College Career and Technical Education Division Skyler Lovelace New Fall 2014 Implemented Spring 2015 COURSE OUTLINE Survey of Operating Systems Course Description IN 167. Survey of Operating

More information

Using Static Code Analysis Tools for Detection of Security Vulnerabilities

Using Static Code Analysis Tools for Detection of Security Vulnerabilities Using Static Code Analysis Tools for Detection of Security Vulnerabilities Katerina Goseva-Popstajanova & Andrei Perhinschi Lane Deptartment of Computer Science and Electrical Engineering West Virginia

More information

AdminStudio 2013. Release Notes. 16 July 2013. Introduction... 3. New Features... 6

AdminStudio 2013. Release Notes. 16 July 2013. Introduction... 3. New Features... 6 AdminStudio 2013 Release Notes 16 July 2013 Introduction... 3 New Features... 6 Microsoft App-V 5.0 Support... 6 Support for Conversion to App-V 5.0 Virtual Packages... 7 Automated Application Converter

More information

UForge 3.4 Release Notes

UForge 3.4 Release Notes UForge 3.4 Release Notes This document is for users using and administrating UShareSoft UForge TM Platform v3.4. This document includes the release notes for: UForge TM Factory UForge TM Builder UI UForge

More information

Software security assessment based on static analysis

Software security assessment based on static analysis Software security assessment based on static analysis Christèle Faure Séminaire SSI et méthodes formelles Réalisé dans le projet Baccarat cofinancé par l union européenne Context > 200 static tools for

More information

Java EE Web Development Course Program

Java EE Web Development Course Program Java EE Web Development Course Program Part I Introduction to Programming 1. Introduction to programming. Compilers, interpreters, virtual machines. Primitive types, variables, basic operators, expressions,

More information

Oracle Solaris Studio Code Analyzer

Oracle Solaris Studio Code Analyzer Oracle Solaris Studio Code Analyzer The Oracle Solaris Studio Code Analyzer ensures application reliability and security by detecting application vulnerabilities, including memory leaks and memory access

More information

Guidelines for Smart Grid Cyber Security: Vol. 3, Supportive Analyses and References

Guidelines for Smart Grid Cyber Security: Vol. 3, Supportive Analyses and References NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 3, Supportive Analyses and References The Smart Grid Interoperability Panel Cyber Security Working Group August 2010 NISTIR 7628 Guidelines for

More information

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access The Best First for Beginners who want to become Penetration Testers PTSv2 in pills: Self-paced, online, flexible access 900+ interactive slides and 3 hours of video material Interactive and guided learning

More information

Security Vulnerabilities in Open Source Java Libraries. Patrycja Wegrzynowicz CTO, Yonita, Inc.

Security Vulnerabilities in Open Source Java Libraries. Patrycja Wegrzynowicz CTO, Yonita, Inc. Security Vulnerabilities in Open Source Java Libraries Patrycja Wegrzynowicz CTO, Yonita, Inc. About Me Programmer at heart Researcher in mind Speaker with passion Entrepreneur by need @yonlabs Agenda

More information

Appendix. Web Command Error Codes. Web Command Error Codes

Appendix. Web Command Error Codes. Web Command Error Codes Appendix Web Command s Error codes marked with * are received in responses from the FTP server, and then returned as the result of FTP command execution. -501 Incorrect parameter type -502 Error getting

More information

Manual vs. Automated Vulnerability Assessment: A Case Study

Manual vs. Automated Vulnerability Assessment: A Case Study Manual vs. Automated Vulnerability Assessment: A Case Study James A. Kupsch and Barton P. Miller Computer Sciences Department, University of Wisconsin, Madison, WI, USA {kupsch,bart}@cs.wisc.edu Abstract.

More information

- Table of Contents -

- Table of Contents - - Table of Contents - 1 INTRODUCTION... 1 1.1 TARGET READERS OF THIS DOCUMENT... 1 1.2 ORGANIZATION OF THIS DOCUMENT... 2 1.3 COMMON CRITERIA STANDARDS DOCUMENTS... 3 1.4 TERMS AND DEFINITIONS... 4 2 OVERVIEW

More information

CHAPTER 5 INTELLIGENT TECHNIQUES TO PREVENT SQL INJECTION ATTACKS

CHAPTER 5 INTELLIGENT TECHNIQUES TO PREVENT SQL INJECTION ATTACKS 66 CHAPTER 5 INTELLIGENT TECHNIQUES TO PREVENT SQL INJECTION ATTACKS 5.1 INTRODUCTION In this research work, two new techniques have been proposed for addressing the problem of SQL injection attacks, one

More information

OWASP Web Application Penetration Checklist. Version 1.1

OWASP Web Application Penetration Checklist. Version 1.1 Version 1.1 July 14, 2004 This document is released under the GNU documentation license and is Copyrighted to the OWASP Foundation. You should read and understand that license and copyright conditions.

More information

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il Application Security Testing Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il Agenda The most common security vulnerabilities you should test for Understanding the problems

More information

ProTrack: A Simple Provenance-tracking Filesystem

ProTrack: A Simple Provenance-tracking Filesystem ProTrack: A Simple Provenance-tracking Filesystem Somak Das Department of Electrical Engineering and Computer Science Massachusetts Institute of Technology das@mit.edu Abstract Provenance describes a file

More information

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org

More information

Threat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda

Threat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda Threat Modeling/ Security Testing Presented by: Tarun Banga Sr. Manager Quality Engineering, Adobe Quality Leader (India) Adobe Systems India Pvt. Ltd. Agenda Security Principles Why Security Testing Security

More information

D61830GC30. MySQL for Developers. Summary. Introduction. Prerequisites. At Course completion After completing this course, students will be able to:

D61830GC30. MySQL for Developers. Summary. Introduction. Prerequisites. At Course completion After completing this course, students will be able to: D61830GC30 for Developers Summary Duration Vendor Audience 5 Days Oracle Database Administrators, Developers, Web Administrators Level Technology Professional Oracle 5.6 Delivery Method Instructor-led

More information

Web App Security Audit Services

Web App Security Audit Services locuz.com Professional Services Web App Security Audit Services The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System

More information

CCA CYBER SECURITY TRACK

CCA CYBER SECURITY TRACK CCA CYBER SECURITY TRACK 2013-2014 CCA Advanced Cyber Security Track A detailed description of the advanced cyber security track. Courses to be offered in the CCA Advanced Cyber Security Track 2013-2014

More information

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis Document Scope This document aims to assist organizations comply with PCI DSS 3 when it comes to Application Security best practices.

More information

DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES

DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES By Michael Crouse Dr. Errin W. Fulp, Ph.D., Advisor Abstract The increasingly high volume of users on the web and their use of web

More information

KITES TECHNOLOGY COURSE MODULE (C, C++, DS)

KITES TECHNOLOGY COURSE MODULE (C, C++, DS) KITES TECHNOLOGY 360 Degree Solution www.kitestechnology.com/academy.php info@kitestechnology.com technologykites@gmail.com Contact: - 8961334776 9433759247 9830639522.NET JAVA WEB DESIGN PHP SQL, PL/SQL

More information

A Comparative Study on Vega-HTTP & Popular Open-source Web-servers

A Comparative Study on Vega-HTTP & Popular Open-source Web-servers A Comparative Study on Vega-HTTP & Popular Open-source Web-servers Happiest People. Happiest Customers Contents Abstract... 3 Introduction... 3 Performance Comparison... 4 Architecture... 5 Diagram...

More information

Columbia University Web Security Standards and Practices. Objective and Scope

Columbia University Web Security Standards and Practices. Objective and Scope Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements

More information

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

Enterprise Java Applications on VMware: High Availability Guidelines. Enterprise Java Applications on VMware High Availability Guidelines

Enterprise Java Applications on VMware: High Availability Guidelines. Enterprise Java Applications on VMware High Availability Guidelines : This product is protected by U.S. and international copyright and intellectual property laws. This product is covered by one or more patents listed at http://www.vmware.com/download/patents.html. VMware

More information

1. Building Testing Environment

1. Building Testing Environment The Practice of Web Application Penetration Testing 1. Building Testing Environment Intrusion of websites is illegal in many countries, so you cannot take other s web sites as your testing target. First,

More information

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction

More information

NVIDIA CUDA GETTING STARTED GUIDE FOR MAC OS X

NVIDIA CUDA GETTING STARTED GUIDE FOR MAC OS X NVIDIA CUDA GETTING STARTED GUIDE FOR MAC OS X DU-05348-001_v6.5 August 2014 Installation and Verification on Mac OS X TABLE OF CONTENTS Chapter 1. Introduction...1 1.1. System Requirements... 1 1.2. About

More information

Setting up PostgreSQL

Setting up PostgreSQL Setting up PostgreSQL 1 Introduction to PostgreSQL PostgreSQL is an object-relational database management system based on POSTGRES, which was developed at the University of California at Berkeley. PostgreSQL

More information

Automatic Runtime Error Repair and Containment via Recovery Shepherding

Automatic Runtime Error Repair and Containment via Recovery Shepherding Automatic Runtime Error Repair and Containment via Recovery Shepherding Fan Long Stelios Sidiroglou-Douskos Martin Rinard {fanl, stelios, rinard}@csail.mit.edu MIT EECS & CSAIL Abstract We present a system,

More information

Comprehensive Security for Internet-of-Things Devices With ARM TrustZone

Comprehensive Security for Internet-of-Things Devices With ARM TrustZone Comprehensive Security for Internet-of-Things Devices With ARM TrustZone Howard Williams mentor.com/embedded Internet-of-Things Trends The world is more connected IoT devices are smarter and more complex

More information