The OSGi Platform: A promising Approach for building secure Java-based Applications
Slide 1: The OSGi Platform: A promising Approach for building secure Java-based Applications
Pierre Parrend, Pierre.parrend@insa-lyon.fr
Lab. CITI, 21, Avenue J. Capelle, Villeurbanne Cedex

Slide 2: Introduction - Context
- MUSE European Project: 'Multi-Service Everywhere'
- Multi-Provider Home Gateway
- (Figure: the Gateway operator and the Service providers reach the Home Gateway over the internet and the last mile; the Home Gateway serves the Home Equipments on the Home Network)
10/04/2008 Secure OSGi Applications 2

Slide 3: Introduction - Context
- Lise ANR Project: 'Liability in Software Engineering'
- Secure Log inside an application platform
- Isolation between Applications
- (Figure: App. 1 and App. 2 write to a Log App. that keeps Secure Logs)

Slide 4: Introduction - Target System
- Java/OSGi Extensible Component Platform
- Component Support
- Extensible at Runtime
- (Figure: bundles from a Bundle Repository are deployed onto the OSGi Platform, which runs on the JVM)

Slide 5: Introduction - What is Security?
- In the strict sense: Integrity, Confidentiality, Availability for the authorized users
- In a broader sense, Dependability: Availability, Reliability, Safety, Confidentiality, Integrity, Maintainability

Slide 6: Summary
- The Java Security Model
- The OSGi Security Model
- Vulnerabilities in OSGi-based Applications
- Security Solutions for the OSGi Platform
- Secure Management of OSGi Platforms
- Perspectives
Slide 7: The Java Security Model - What is Java?
- Applications
- A Programming Interface (API)
- A Virtual Machine
- (Figure, from [Cotroneo2006failures]: layered stack of Java Applications, Java API, Vendor Specific Packages, JVM, Operating System, Hardware)

Slide 8: The Java Security Model - Applets and Full Sandboxing
- For untrusted Web Applets
- Cannot access the local System
- The JVM can be killed if the Applet is consuming resources
- (Figure from [Gong1997sbac])

Slide 9: The Java Security Model - Relaxed Sandboxing
- Security according to code trust level
- Enables selective access
- Each code has specific rights, e.g. Network Access, File System
- Problem: calls with various origins
- (Figure from [Gong1997sbac])

Slide 10: The Java Security Model - Secure Component Platforms: Protection Domains
- Secure Component-based Systems: SBAC (Stack Based Access Control)
- Ex: each Component has its own Protection Domain
- Limitations
- (Figure, SBAC System Structure. Install time: bundles A and B depend on C, which calls c1 and c2, and on D, which exposes d1 and d2; each bundle has its own Protection Domain. Security Policy: Policy(A)=D.d2, Policy(B)=D.d1,D.d2. Runtime: each call is checked and ends as an Aborted Call or a Successful Call.)

Slide 11: The Java Security Model - Why is the Java Security Model actually flawed?
- No strict security analysis has been performed recently
- Java Permissions are not suitable:
  - High performance overhead
  - Programmatic approach: methods have to request their own execution right
  - Low-level Policy: not bound to a proper High-Level Access Control Model
  - No control on interactions between Components (applications with a Multi-Provider Model)
- Permissions guarantee Access Control. What about Security?
  - No resource isolation: CPU, memory, disk space
  - MVM (Multi-user Virtual Machine) is not yet a production tool

Slide 12: The Java Security Model - Can the Java Security Model be saved?
- We have to re-think everything
Slide 13: Summary (agenda repeated; next section: The OSGi Security Model)

Slide 14: The OSGi Security Model - What is OSGi?
- Java-based Extensible Component Platform
- Bundle Lifecycle Management
- Service Oriented Programming
- (Figure: the Component Downloader deploys bundles from the Component Repository; the platform provides Service Management, Life-Cycle Management and a Dependency Resolver; Execution relies on local interactions and local execution)

Slide 15: The OSGi Security Model - Secure Deployment Overview [parrend06secuanalysis]
- Problem: no supporting tools (2005)
- Register a Certification Authority (CA)
- Check Identity
- Sign Bundles with JarSigner
- Validate the Bundle with the Security Layer
- (Figure: the Issuer signs a bundle and places it in the Publication Repository; the SFelix Client installs the signed bundle)

Slide 16: The OSGi Security Model - Secure Deployment: Bundle Signature and Publication [parrend2007sfelix] (figure)

Slide 17: The OSGi Security Model - Secure Deployment: Bundle Signature and Publication [parrend2007sfelix] (figure, continued)

Slide 18: The OSGi Security Model - Secure Deployment: Bundle Verification, Signed Bundle Structure [parrend06deployment]
- (Figure, HelloWorld bundle fr.insa_lyon.ares.helloworld: (1) the Manifest File META-INF/MANIFEST.MF holds a SHA-1 digest of each resource: HelloWorldActivator, HelloWorldInterface, HelloWorldImpl; (2) the Signature File PIERREP.SF holds SHA-1 digests of the manifest entries; (3) the Signature Block File PIERREP.DSA holds the DSA signature of the signature file and the signer's public key)

Slide 19: The OSGi Security Model - Secure Deployment: Bundle Verification Algorithm [parrend06deployment]
- Check coherence of the signed file:
  1. checkResourceOrderValid
  2. checkSignatureBlockValid
  3. checkSignatureFileValid
  4. checkManifestValid
- Check identity of the signer:
  5. identifySigner

Slide 20: The OSGi Security Model - Secure Deployment: Bundle Verification, OSGi vs. Java specs. [parrend2007sfelix] (table)
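The coherence checks 1, 3 and 4 of the verification algorithm above, run against a constructed version of the slide-18 HelloWorld bundle, as an added Python example that is not the SFelix code. The check names follow slide 19; the class bytes, the manifest contents, the PIERREP.DSA placeholder and the four scenarios are constructed, and the PKCS#7 block check (2) and signer identification (5) are left out. An extra class that is never listed in the manifest fails check 4 in the same way as the patched class.

```python
import base64
import hashlib
import io
import re
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
PKG = "fr/insa_lyon/ares/helloworld/"  # package of the slide-18 HelloWorld bundle

def is_signature_file(name):
    return name.startswith("META-INF/") and name.upper().endswith((".SF", ".DSA", ".RSA"))

def sha1_b64(data):
    # JAR manifests store digests as base64(SHA-1(bytes)) in 'SHA1-Digest' headers.
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def split_sections(data):
    # Raw sections of a manifest or .SF file, main section first; each chunk keeps its
    # terminating blank line because the .SF per-entry digests cover exactly these bytes.
    return [s for s in re.split(rb"(?<=\n\n)", data.replace(b"\r\n", b"\n")) if s]

def parse_section(raw):
    # 'Header: value' lines; a line starting with one space continues the previous one.
    lines = []
    for line in raw.decode("utf-8").split("\n"):
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        elif line:
            lines.append(line)
    return dict(line.partition(": ")[::2] for line in lines)

def check_resource_order_valid(names):
    # Check 1 (OSGi-specific): MANIFEST.MF first, then every signature file, then the other
    # resources, so that a bundle can be validated while it is still being streamed in.
    first_resource = next((i for i, n in enumerate(names) if i and not is_signature_file(n)), len(names))
    return names[:1] == [MANIFEST] and not any(map(is_signature_file, names[first_resource:]))

def check_signature_file_valid(sf_data, manifest_data):
    # Check 3: the .SF must bind to this exact manifest, as a whole (SHA1-Digest-Manifest)
    # and section by section (SHA1-Digest per Name).
    sf = [parse_section(s) for s in split_sections(sf_data)]
    mf_raw = {parse_section(s).get("Name"): s for s in split_sections(manifest_data)[1:]}
    if not sf or sf[0].get("SHA1-Digest-Manifest") != sha1_b64(manifest_data):
        return False
    return all(sec.get("Name") in mf_raw and sec.get("SHA1-Digest") == sha1_b64(mf_raw[sec["Name"]])
               for sec in sf[1:])

def check_manifest_valid(manifest_data, entries):
    # Check 4: every non-signature resource needs a manifest entry whose digest matches its
    # bytes; a class patched after signing, or one never listed at all, fails the bundle.
    digests = {s.get("Name"): s.get("SHA1-Digest")
               for s in map(parse_section, split_sections(manifest_data)[1:])}
    return all(digests.get(name) == sha1_b64(data) for name, data in entries.items()
               if name != MANIFEST and not is_signature_file(name))

def verify_bundle(jar_bytes):
    # Returns the first failing check's name, or None. Check 2 (PKCS#7 verification of the
    # .DSA block over the .SF) and check 5 (signer identification) need a certificate library.
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        entries = {n: zf.read(n) for n in names}
    sf_names = [n for n in names if n.upper().endswith(".SF")]
    if not check_resource_order_valid(names):
        return "checkResourceOrderValid"
    if len(sf_names) != 1 or not check_signature_file_valid(entries[sf_names[0]], entries[MANIFEST]):
        return "checkSignatureFileValid"
    if not check_manifest_valid(entries[MANIFEST], entries):
        return "checkManifestValid"
    return None

def build_bundle(signed, shipped=None, order="osgi"):
    # Constructed bundle: MANIFEST.MF and PIERREP.SF are computed over `signed`, the archive
    # ships `shipped` (default `signed`); PIERREP.DSA is a placeholder, not a real PKCS#7 block.
    # order="java" puts the signature files last: legal for a Java JAR, rejected by OSGi.
    sections = ["Name: %s%s\nSHA1-Digest: %s\n\n" % (PKG, n, sha1_b64(b)) for n, b in signed.items()]
    manifest = ("Manifest-Version: 1.0\nBundle-SymbolicName: fr.insa_lyon.ares.helloworld\n\n"
                + "".join(sections)).encode()
    sf = ("Signature-Version: 1.0\nSHA1-Digest-Manifest: %s\n\n" % sha1_b64(manifest)
          + "".join("Name: %s%s\nSHA1-Digest: %s\n\n" % (PKG, n, sha1_b64(s.encode()))
                    for n, s in zip(signed, sections))).encode()
    sig = [("META-INF/PIERREP.SF", sf), ("META-INF/PIERREP.DSA", b"<PKCS#7 placeholder>")]
    resources = [(PKG + n, b) for n, b in (shipped or signed).items()]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in [(MANIFEST, manifest)] + (sig + resources if order == "osgi" else resources + sig):
            zf.writestr(name, data)
    return buf.getvalue()

HELLO = {"HelloWorldActivator.class": b"activator bytes", "HelloWorldInterface.class": b"interface bytes",
         "HelloWorldImpl.class": b"impl bytes"}  # constructed stand-ins for the slide-18 classes

def demo():
    # Failing check per scenario: a clean bundle, a class patched after signing, and a
    # Java-ordered archive whose signature files come after the resources.
    patched = dict(HELLO, **{"HelloWorldImpl.class": b"patched after signing"})
    return {"clean": verify_bundle(build_bundle(HELLO)),
            "patched class": verify_bundle(build_bundle(HELLO, shipped=patched)),
            "java order": verify_bundle(build_bundle(HELLO, order="java"))}

if __name__ == "__main__":
    print(demo())
```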
Slide 21: The OSGi Security Model - Secure Execution: ClassLoader Hierarchy
- Proper namespace isolation between bundles
- Enables control

led class sharing through package export/import
- (Figure: System Classloader, then Felix Classloader, then one Classloader per Bundle)

Slide 22: The OSGi Security Model - Secure Execution: Exploiting Permissions
- Signer-specific permissions
- Our Felix extension: BundlePermission
- Policy file (the felix.jar entry is abbreviated with "..." on the slide):

    keystore "file:/bundlepermissions-1.0.0/main-1.0.0/keystore/keystore.ks";

    grant codeBase "file:/bundlepermissions-1.0.0/main-1.0.0/bin/felix.jar" {
        permission java.security.SecurityPermission "createPolicy.JavaPolicy";
        permission java.util.PropertyPermission "*", "read,write";
        permission java.io.FilePermission "/code/osgi-projects/sfelix/felixflavours/bundlepermissions-1.0.0/main-1.0.0/bundle/*", "read";
        ...
    };

    grant signedBy "alice" {
        permission java.io.FilePermission "/tmp/*", "read,write";
        permission org.osgi.framework.PackagePermission "*", "export";
        permission org.osgi.framework.ServicePermission "*", "register";
    };

    grant signedBy "bob" {
        permission org.osgi.framework.ServicePermission "fr.inria.ares.testservice.MyService", "register";
        permission org.osgi.framework.PackagePermission "*", "export";
    };

Slide 23: The OSGi Security Model - Secure Execution: Conditional Permissions
- Finer conditions
- Important overhead!!!
- Conditional permission file (".." abbreviates the package prefixes on the slide):

    // permissions for all bundles
    {
        (..ServicePermission "..LogService" "get")
        (..PackagePermission "..log" "import")
        (..PackagePermission "..framework" "import")
    }
    // conditional permissions
    {
        [..BundleSignerCondition "* ; o=acme"]
        (..AdminPermission "(signer=\* ; o=acme)" "*")
        (..ServicePermission "..ManagedService" "register")
        (..ServicePermission "..ManagedServiceFactory" "register")
        (..PackagePermission "..cm" "import")
    }

Slide 24: The OSGi Security Model - OSGi Security
- Lack of implementations
- Promising features
- No criticism of the Java Security Model
- OSGi Security Documentation Center

Slide 25: Summary (agenda repeated; next section: Vulnerabilities in OSGi-based Applications)

Slide 26: Summary - Vulnerabilities in OSGi-based Applications
- Security Analysis of OSGi-based Applications required
- Platform Vulnerabilities: Security Analysis of the Execution Environment
- Bundle Vulnerabilities

Slide 27: Vulnerabilities in OSGi-based Applications - Platform Vulnerabilities [Parrend2007osgiVulnerabilities]
- Java Virtual Machine + OSGi Platform Properties
- Taxonomies for describing the Platform and the Bundles
- Definition of Benchmarking Techniques
- Vulnerability Catalog
- Benchmarking Results

Slide 28: Vulnerabilities in OSGi-based Applications - Platform Vulnerabilities: Taxonomies for describing the Platform
- Extensible Component Platform - The OSGi Framework
- (Figure: Operating System; JVM (Runtime, Classpath); OSGi Platform (Module Layer, Life-Cycle Layer, Service Layer), defined by the OSGi Specifications)

Slide 29: Vulnerabilities in OSGi-based Applications - Platform Vulnerabilities: Taxonomies for describing the Bundles
- Component - OSGi Bundle
- Intra-bundle Structure: Bundle Archive (J), Manifest (O), Activator (O); Application Code: Native Code (J), Java standard API calls (J), Java Language (J), OSGi API calls (O)
- Inter-bundle Interactions: OSGi Services (O), Bundle Fragments (O)
- Legend: J = Java Component Entity, O = OSGi bundle entity

Slide 30: Vulnerabilities in OSGi-based Applications - Platform Vulnerabilities: Benchmarking, Vulnerability Pattern
- Vulnerability Reference: Name, Inheritance, Identifier, Origin, Location of Exploit Code, Source, Target, Consequence Type, Introduction Time, Exploit Time
- Vulnerability Description: Description, Preconditions, Attack Process, Consequence Description, See Also
- Vulnerability Protection: Existing Mechanisms, Enforcement Point, Potential Mechanisms, Attack Prevention, Reaction
- Vulnerability Implementation: Code Reference, OSGi Profile, Date, Test Coverage, Known Vulnerable Platforms, Known Robust Platforms

Slide 31: Vulnerabilities in OSGi-based Applications - Platform Vulnerabilities: Benchmarking, Protection Rate
- Attack Surface: number of known attacks against the system [Howard2005attack_surface]
- Protection Rate: protection provided by a given security mechanism
Slide 32: Vulnerabilities in OSGi-based Applications - Platform Vulnerabilities: Tests
- Test Bundles are available in the Malicious-Bundle project
- Example 1/3: freezing infinite loop in the Bundle Activator (the framework thread that calls start() never gets control back):

    import org.osgi.framework.BundleActivator;
    import org.osgi.framework.BundleContext;

    public class InfiniteStartupLoopActivator implements BundleActivator {
        public void start(BundleContext context) {
            System.out.println("Bundle InfiniteStartupLoop started");
            while (1 == 1) {} // never returns: start() blocks the framework
        }

        public void stop(BundleContext context) {
            System.out.println("Bundle InfiniteStartupLoop stopped");
        }
    }

Slide 33: Vulnerabilities in OSGi-based Applications - Platform Vulnerabilities: Example 2/3, Recursive Thread Creation (each thread spawns three more, so the number of threads grows exponentially; the id and payload fields are implied by the constructor on the slide):

    public class Stopper extends Thread {
        private int id;
        private final byte[] payload;

        Stopper(int id, byte[] payload) {
            this.id = id;
            this.payload = payload;
        }

        public void run() {
            // three children per thread, each of which does the same
            Stopper tt = new Stopper(++id, payload);
            tt.start();
            Stopper tt2 = new Stopper(++id, payload);
            tt2.start();
            Stopper tt3 = new Stopper(++id, payload);
            tt3.start();
        }
    }

Slide 34: Vulnerabilities in OSGi-based Applications - Platform Vulnerabilities: Example 3/3, Memory Load Injection (the array is kept in a field, so the garbage collector cannot reclaim it):

    private byte[] memeater;

    private void stressMem(int size) {
        System.out.println("Eating " + size + " bytes of memory");
        this.memeater = new byte[size];
        for (int i = 0; i < size; i++) {
            this.memeater[i] = 0; // write every byte so the whole array is really touched
        }
    }
Slide 35: Vulnerabilities in OSGi-based Applications - Platform Vulnerabilities: The Vulnerability Catalog
- Bundle Archive: 3 occurrences
- Bundle Manifest: 3 occurrences
- Bundle Activator: 2 occurrences
- Bundle Code - Native: 2 occurrences
- Bundle Code - Java: 13 occurrences
- Bundle Code - OSGi API: 6 occurrences
- Bundle Fragment: 3 occurrences

Slide 36: Vulnerabilities in OSGi-based Applications - Platform Vulnerabilities: Benchmarking results, Consequences of attacks
- Consequence type for Components: Unavailability 13 (40%), Performance Breakdown 11 (34%), Undue Access 9 (28%)
- Lindqvist's classification: Denial of Service 23 (72%), Exposure 8 (25%), Erroneous Output 8 (25%)

Slide 37: Vulnerabilities in OSGi-based Applications - Platform Vulnerabilities: Benchmarking results, Protection Rate for various OSGi implementations (chart)

Slide 38: Summary - Vulnerabilities in OSGi-based Applications
- Platform Vulnerabilities
- Bundle Vulnerabilities: Security Analysis of the Applications

Slide 39: Vulnerabilities in OSGi-based Applications - Bundle Vulnerabilities
- Java Language Properties
- Component Model
- Vulnerabilities in Public Code only [Parnas1989modularTraces]
- (Figure: Bundle A calls Bundle B through its Public Code. Schema: in the Parnas and Wang Model a Module exposes Access programs and program functions; in the OSGi Specifications a bundle exposes Public Code, i.e. exported packages and registered services)

Slide 40: Vulnerabilities in OSGi-based Applications - Bundle Vulnerabilities
- Test Bundles are available in the Malicious-Bundle project
- Known Vulnerabilities, Findbugs [Hovemeyer2004findbugs]:
  - Make mutable data available to third-party code
  - Excessive visibility and modifiers (non final, non private, etc.)
- Known Vulnerabilities, Sun Secure Coding Guidelines [lai2008javainsecurity]:
  - Make safe copies of objects
  - Bypass of security checks through cloning, inheritance, serialization
  - Data leaks through exceptions, privileged execution

Slide 41: Vulnerabilities in OSGi-based Applications - Bundle Vulnerabilities: New Vulnerability, attack against a synchronized method
- (Figure, sequence diagram: a Launcher starts Alice and Malory every 20 s; both call the synchronized method getFileFromNetwork of the NFSManager (File Management). Alice calls getFileFromNetwork(file1, netA) and performs her action; Malory calls getFileFromNetwork(file1, netB), and the handler for netB runs if(netB) {while(true)}, so the synchronized method never returns.)

Slide 42: Vulnerabilities in OSGi-based Applications - Bundle Vulnerabilities: New Vulnerability, malicious Inversion of Control
- Exploit a non-final parameter type in a public method
- (Figure: the Client Bundle's ClientClass calls c(List) of the Servant Bundle, which exposes a(), b(String) and c(List), passing a FileWriterArrayList, a List subclass whose code the servant then executes)

Slide 43: Vulnerabilities in OSGi-based Applications - Bundle Vulnerabilities: Attack Trees, Denial of Service and Undue Access to Code
- Undue Access to Bundle Code (AND/OR tree):
  - Exploiting Fragments: Fragment Substitution; Access to Host through Fragments
  - Exploiting public code (services and packages):
    - Flaws in Parameter Validation
    - Expose Internal Representation: Access to Hidden Class; Split Package; Private Field of Private Nested Class
    - By-passing Security Checks: at instantiation; in method call; Deserialization; Clone Call; Overwrite Finalize; Privileged overridable Method; Execution of caller-provided code; Security Checks that depend on Class- (truncated on the slide)

Slide 44: Vulnerabilities in OSGi-based Applications - Bundle Vulnerabilities: The Vulnerability Catalog
- Undue Access - Exploiting Fragments: 1 occurrence
- Undue Access - Exploiting Public Code - Flaws in Parameter Validation: 10 occurrences
- Undue Access - Exploiting Public Code - Expose Internal Representation: 11 occurrences
- Undue Access - Exploiting Public Code - Bypassing Security Checks: 9 occurrences
- Undue Access - Exploiting Public Code - Synchronization: 2 occurrences

Slide 45: Summary (agenda repeated; next section: Security Solutions for the OSGi Platform)

Slide 46: Summary - Security Solutions for the OSGi Platform
- Hardened OSGi
- Component Based Access Control
- Weak Bundle Analysis
- Summary
Slide 47: Security Solutions for the OSGi Platform - Hardened OSGi: Recommendations [Parrend2007osgiVulnerabilities]
- Goal: enhance the OSGi Specifications to patch OSGi-related Platform vulnerabilities
- Do not rely on the embedded Java Archive verifier
- Bundle Resolution Process should be robust: ignore duplicate imports; handle large manifests without radical performance breakdown
- Bundle Start Process: start the Bundle Activator in a separate process
- OSGi Service Registration: explicit limitation of the number of registered services (absolute maximum could be 50?)

Slide 48: Security Solutions for the OSGi Platform - Hardened OSGi: Recommendations
- Bundle Installation process: maximum storage size of the bundle archive (for embedded devices); the check should be performed before download when relevant
- Bundle Uninstallation process: remove Bundle data on the local file system

Slide 49: Security Solutions for the OSGi Platform - Hardened OSGi: Protection Rates
- Columns: # of protected Flaws, # of known Flaws, PR (%)
- Relative to OSGi-specific Vulnerabilities: Hardened OSGi (HO); Java Permissions; HO + Perms
- Relative to all Vulnerabilities in an OSGi Platform: same rows
- (The numeric values of the table did not survive the transcription)

Slide 50: Summary (agenda repeated; next section: Component Based Access Control)

Slide 51: Security Solutions for the OSGi Platform - CBAC, Component Based Access Control [parrend08cbac]
- Goal: provide an alternative to Java Permissions: declarative policies; no runtime performance overhead
- Principles: install-time analysis of the execution rights of Components; calls that are sensitive must be explicitly granted; take composition into account
- Hypotheses: the Component Platform is not modified; each Component contains a valid digital signature

Slide 52: Security Solutions for the OSGi Platform - CBAC: System Structure
- (Figure. Install time: bundles A and B depend on C, which calls c1 and c2 and depends on D, which exposes d1 and d2. PSC, the Performed Sensitive Calls, are computed for each bundle; here PSC = D.d1, D.d2. Security Policy: Policy(A)=D.d2, Policy(B)=D.d1,D.d2, so for A the dependency is forbidden (D.d1 is not allowed) while for B it is authorized. Runtime: only B, C and D are present and method calls proceed without further checks.)

Slide 53: Security Solutions for the OSGi Platform - CBAC: Required Data
- Platform configuration: each Component i is identified in the Platform by
  - p_i, the provider (and signer) of component i
  - A_{p_i}, the Authorized calls for p_i
  - b_i, the bundle (or Component)
  - CS_{pf,b_i}, the Sensitive Calls performed directly by the bundle
  - CI_{pf,b_i}, the Innocuous Calls
- Stored data: PSC_{b_i}, the Performed Sensitive Calls for the bundle b_i, directly or through dependencies

Slide 54: Security Solutions for the OSGi Platform - CBAC: Condition of validity of a Bundle b_i
- (The condition itself is not reproduced in the transcription)
- The formal proof is available on the web as an appendix of the paper
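The install-time check behind slides 52 to 54, as an added Python example that is not the paper's CBAC implementation: PSC is computed through the dependency graph and a bundle is accepted only when PSC_{b_i} is a subset of A_{p_i}; since the validity condition is missing from the transcription, this subset test is read off the slide-52 figure. The provider names and per-provider grants are assumptions; the bundle graph and policy reproduce the figure.

```python
from collections import namedtuple

# One installed component: b_i (name), its provider p_i (the signer), CS_{pf,b_i} (the
# sensitive calls its own code performs) and the bundles it depends on.
Bundle = namedtuple("Bundle", "name provider sensitive_calls dependencies")


def performed_sensitive_calls(name, bundles):
    # PSC_{b_i}: sensitive calls performed directly or through any dependency, transitively.
    # A worklist over the dependency graph tolerates cycles; an unresolved dependency is an
    # error, because PSC cannot be computed for code that is not there to analyse.
    reachable, todo = set(), [name]
    while todo:
        current = todo.pop()
        if current in reachable:
            continue
        if current not in bundles:
            raise LookupError("unresolved dependency %r of %r" % (current, name))
        reachable.add(current)
        todo.extend(bundles[current].dependencies)
    return set().union(*(bundles[n].sensitive_calls for n in reachable))


def check_bundle(name, bundles, authorized):
    # Validity condition as read from the slide-52 figure: PSC_{b_i} must be a subset of
    # A_{p_i}, the calls granted to the bundle's provider. Returns (valid, offending calls).
    psc = performed_sensitive_calls(name, bundles)
    granted = authorized.get(bundles[name].provider, frozenset())
    offending = sorted(psc - granted)
    return not offending, offending


def install(candidates, bundles, authorized):
    # Install-time decision for each candidate; nothing is re-checked at runtime.
    return {name: check_bundle(name, bundles, authorized) for name in candidates}


# Constructed scenario reproducing the slide-52 figure: A and B depend on C, and C calls
# the sensitive methods d1 and d2 of D. Provider names are assumed for the example.
SLIDE_52 = {b.name: b for b in [
    Bundle("A", "provider-a", frozenset(), ("C",)),
    Bundle("B", "provider-b", frozenset(), ("C",)),
    Bundle("C", "provider-c", frozenset({"D.d1", "D.d2"}), ("D",)),
    Bundle("D", "provider-d", frozenset(), ()),
]}
POLICY = {  # A_{p_i} per provider: Policy(A)=D.d2 and Policy(B)=D.d1,D.d2 as on the slide
    "provider-a": frozenset({"D.d2"}),
    "provider-b": frozenset({"D.d1", "D.d2"}),
    "provider-c": frozenset({"D.d1", "D.d2"}),
}


def demo():
    # A is rejected although its own code performs no sensitive call: through C it reaches
    # D.d1, which its provider is not granted (composition is taken into account); B is
    # accepted. This is also where the false positives of slide 57 come from: A is refused
    # even if at runtime it would only ever exercise the D.d2 path.
    return install(["A", "B", "C", "D"], SLIDE_52, POLICY)


if __name__ == "__main__":
    for name, (valid, offending) in demo().items():
        print(name, "installed" if valid else "rejected, not granted: %s" % offending)
```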
Slide 55: Security Solutions for the OSGi Platform - CBAC: Performances
- (Chart: Time (ms) as a function of bundle Size (KBytes), two series: CBAC Check Only and Signature Check)

Slide 56: Security Solutions for the OSGi Platform - CBAC: Protection Rates
- Columns: # of protected Flaws, # of known Flaws, PR (%)
- Rows: Hardened OSGi; Java Permissions; CBAC; HO + Java Perms; HO + CBAC; Review Only
- (The numeric values of the table did not survive the transcription)

Slide 57: Security Solutions for the OSGi Platform - CBAC
- No runtime overhead
- Reduced install-time overhead
- No application interruption, at the cost of false positives
- No dangerous pop-up windows ('This code may be malicious, Cancel or Allow?'); here, only the administrator decides
- Arbitrary methods and meta-data can be set as sensitive
- Declarative Security: enables protection against vulnerabilities that are discovered after design

Slide 58: Summary (agenda repeated; next section: Weak Bundle Analysis)

Slide 59: Security Solutions for the OSGi Platform - WBA, Weak Bundle Analysis
- Goal: guarantee secure interaction between Components

Slide 60: Security Solutions for the OSGi Platform - WBA: Protection Rate
- Columns: # of protected Flaws, # of known Flaws, PR (%)
- Rows: Java Permissions; CBAC; WBA; WBA + Perms; WBA + CBAC; Review only; Review
- (The numeric values of the table did not survive the transcription)

Slide 61: Summary (agenda repeated; next section: Summary of the Security Solutions)

Slide 62: Security Solutions for the OSGi Platform - Summary: Vertical validation
- Vertical validation: validation of the successive layers
- Hypothesis: the bootstrap mechanism cannot be tampered with
- (Figure: Bootstrap layer with a Bootstrap Check at platform start; OSGi Security with its Security Policies; Bundle Validation at install time of the gamecomponent bundle, which carries Alice's digital signature)

Slide 63: Security Solutions for the OSGi Platform - Summary: Horizontal validation
- Horizontal validation: validation of the behavior of each bundle
- Hypothesis: tests validate all specification features
- (Figure: at INSTALLATION of gamecomponent, the OSGi Digital Signature is checked against the Public Keys of trusted Providers, CBAC checks the Execution Grants and WBA checks the WBA Policy; each mechanism is validated by JUnit Tests against its specification (OSGi R4, CBAC Spec, WBA Spec), from 1 Comp to N Comp)

Slide 64: Security Solutions for the OSGi Platform - Summary table
- System entity types: Virtual Machine, Language, Execution Engine, Modular Support, Extensible Component Platform
- Properties: Formal Safety Proof; Bytecode Verification Support; Host Protection; Garbage Collection; Bug-free Code; Low Perf. overhead; Language Property Conservation; Isolation; Security Component Management; Metadata Validation; Program Behavior Validation; Access Control
- Legend: J = supported / partially supported by Java; O = supported / partially supported by OSGi; C = supported / partially supported by CBAC; W = supported / partially supported by WBA
- (The per-cell marks of the table did not survive the transcription)

Slide 65: Security Solutions for the OSGi Platform - Summary: Protection Rates
- Columns: # of protected Flaws, # of known Flaws, PR (%)
- Rows: Felix + Perms; HO + CBAC + WBA; Review Only; HO + CBAC + WBA + Review
- (The numeric values of the table did not survive the transcription)

Slide 66: Security Solutions for the OSGi Platform - Summary: Security Challenges
- Infinite loop in method call / hanging Thread: the method does not return (Java)
- Memory Load Injection: if pointers to the object are kept, GC does not help (Java)
- Decompression Bomb (Java)
- Exponential Thread Number: crashes the JVM (Java)
- Service Short Circuit: SOP-level vulnerability (OSGi)
Slide 67: Summary (agenda repeated; next section: Secure Management of OSGi Platforms)

Slide 68: Secure Management of OSGi Platforms - A cryptographic Alternative: Identity-based Cryptography [parrend07ibcrypto]
- Architecture (figure)

Slide 69: Secure Management of OSGi Platforms - A cryptographic Alternative: Identity-based Cryptography
- Limitation: the PKG (Private Key Generator) as Single Point of Failure
- Comparison of PKI and IB-PKI:
  - Key Management: PKI: Public Key Dissemination; IB-PKI: the Public Key is the Identifier
  - Key Revocation: PKI: heavyweight; IB-PKI: transparent, through regular Key Update
  - Cryptographic Operations: PKI: Signature Speed; IB-PKI: Key Size, Signature Verification Speed
  - CA Trust Level: PKI: High; IB-PKI: Key escrow, risk if untrusted
  - Number of communications with the CA: PKI: N+M; IB-PKI: N; Ratio: 1/M

Slide 70: Secure Management of OSGi Platforms - Secure Remote Management of OSGi Platforms: Extension of the bundle life cycle, REJECTED State (figure)

Slide 71: Secure Management of OSGi Platforms - Secure Remote Management of OSGi Platforms: Extension of the bundle life cycle [royon2007bbeuope] (figure)

Slide 72: Summary (agenda repeated; next section: Perspectives)

Slide 73: Perspectives
- Around Vulnerabilities
- CBAC
- WBA
- Secure Bundle Life-Cycle
- Development Requirements

Slide 74: References
- [Parnas1989modularTraces] Parnas, D. & Wang, Y. The Trace Assertion Method of Module Interface Specification. Dept. of Computing and Information Science, Queen's Univ. at Kingston, Ontario, Canada.
- [Gong1997sbac] Gong, L.; Mueller, M.; Prafullchandra, H. & Schemers, R. Going Beyond the Sandbox: An Overview of the New Security Architecture in the Java Development Kit 1.2. Proceedings of the USENIX Symposium on Internet Technologies and Systems.
- [Hovemeyer2004findbugs] Hovemeyer, D. & Pugh, W. Finding bugs is easy. ACM SIGPLAN Notices, 2004, 39.
- [Howard2005attack_surface] Howard, M.; Pincus, J. & Wing, J. Measuring Relative Attack Surfaces. In: Lee, D.; Shieh, S. & Tygar, J. (ed.) Computer Security in the 21st Century, Springer, 2005.
- [Cotroneo2006failures] Cotroneo, D.; Orlando, S. & Russo, S. Failures classification and analysis of the Java Virtual Machine. 26th IEEE International Conference on Distributed Computing Systems (ICDCS'06).
- [lai2008javainsecurity] Lai, C. Java Insecurity: Accounting for Subtleties That Can Compromise Code. IEEE Software, IEEE Computer Society, 2008, 25.

Slide 75: References - Own publications
- [parrend06secuanalysis] Parrend, P. & Frenot, S. A Security Analysis for Home Gateway Architectures. International Conference on Cryptography, Coding & Information Security, CCIS 2006, November 24-26, Venice, Italy, 2006.
- [parrend06deployment] Parrend, P. & Frenot, S. Secure Component Deployment in the OSGi(tm) Release 4 Platform. INRIA, RT-0323.
- [parrend2007sfelix] Parrend, P. & Frenot, S. Supporting the Secure Deployment of OSGi Bundles. First IEEE WoWMoM Workshop on Adaptive and DependAble Mission- and business-critical mobile Systems, Helsinki, Finland, 2007.
- [Parrend2007osgiVulnerabilities] Parrend, P. & Frenot, S. Java Components Vulnerabilities - An Experimental Classification Targeted at the OSGi Platform. INRIA RR-6231, 2007, 84 p.
- [parrend07ibcrypto] Parrend, P.; Galice, S.; Frenot, S. & Ubeda, S. Identity-Based Cryptosystems for Enhanced Deployment of OSGi Bundles. International Conference on Emerging Security Information, Systems and Technologies, IARIA SecurWare.
- [royon2007bbeuope] Royon, Y.; Parrend, P.; Frenot, S.; Papastefano, S.; Abdelnur, H. & de Poel, D.V. Multi-service, Multi-protocol Management for Residential Gateways. BroadBand Europe, Antwerp, Belgium, 3-6 December.
- [parrend08cbac] Parrend, P. & Frenot, S. Component-based Access Control: Secure Software Composition through Static Analysis. In: Tanter, E. & Pautasso, C. (ed.) Software Composition, Springer Berlin / Heidelberg, 2008, LNCS 4954/2008.

Slide 76: Questions?
10 Secure Electronic Transactions: Overview, Capabilities, and Current Status Gordon Agnew A&F Consulting, and University of Waterloo, Ontario, Canada 10.1 Introduction Until recently, there were two primary
More informationSecurity Vulnerability Notice
Security Vulnerability Notice SE-2014-01-ORACLE [Security vulnerabilities in Oracle Database Java VM, Issues 1-20] DISCLAIMER INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY
More informationRestraining Execution Environments
Restraining Execution Environments Segurança em Sistemas Informáticos André Gonçalves Contents Overview Java Virtual Machine: Overview The Basic Parts Security Sandbox Mechanisms Sandbox Memory Native
More informationCertification Report
Certification Report EAL 4+ Evaluation of Entrust Authority Security Manager and Security Manager Administration v8.1 SP1 Issued by: Communications Security Establishment Canada Certification Body Canadian
More informationCautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work
Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Security concerns and dangers come both from internal means as well as external. In order to enhance your security posture
More informationSecurity in Android apps
Security in Android apps Falco Peijnenburg (3749002) August 16, 2013 Abstract Apps can be released on the Google Play store through the Google Developer Console. The Google Play store only allows apps
More informationFUSE-ESB4 An open-source OSGi based platform for EAI and SOA
FUSE-ESB4 An open-source OSGi based platform for EAI and SOA Introduction to FUSE-ESB4 It's a powerful OSGi based multi component container based on ServiceMix4 http://servicemix.apache.org/smx4/index.html
More informationStrengthen RFID Tags Security Using New Data Structure
International Journal of Control and Automation 51 Strengthen RFID Tags Security Using New Data Structure Yan Liang and Chunming Rong Department of Electrical Engineering and Computer Science, University
More information**Arizona State University Brickyard Suite 470, 699 S. Mill Avenue, Tempe, AZ 85281-8809, U.S.A. e-mail: dijiang@asu.edu
An OSGi-based Service Oriented Architecture for Android Software Development Platforms Aghiles Adjaz*, Samia Bouzefrane*, Dijiang Huang**and Pierre Paradinas* * CEDRIC Laboratory, Conservatoire National
More informationCrash Course in Java
Crash Course in Java Based on notes from D. Hollinger Based in part on notes from J.J. Johns also: Java in a Nutshell Java Network Programming and Distributed Computing Netprog 2002 Java Intro 1 What is
More informationHow To Develop An Open Play Context Framework For Android (For Android)
Dynamix: An Open Plug-and-Play Context Framework for Android Darren Carlson and Andreas Schrader Ambient Computing Group / Institute of Telematics University of Lübeck, Germany www.ambient.uni-luebeck.de
More informationThreat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN
Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) Secappdev 2007 1 Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsoft s Threat Modeling Process
More informationMalicious Code on Java Card Smartcards: Attacks and Countermeasures
Malicious Code on Java Card Smartcards: Attacks and Countermeasures Wojciech Mostowski and Erik Poll Digital Security Radboud University Nijmegen To be presented at CARDIS'2008 Erik Poll Radboud University
More informationSENSE Security overview 2014
SENSE Security overview 2014 Abstract... 3 Overview... 4 Installation... 6 Device Control... 7 Enrolment Process... 8 Authentication... 9 Network Protection... 12 Local Storage... 13 Conclusion... 15 2
More informationDesign by Contract beyond class modelling
Design by Contract beyond class modelling Introduction Design by Contract (DbC) or Programming by Contract is an approach to designing software. It says that designers should define precise and verifiable
More informationSecurity Testing. How security testing is different Types of security attacks Threat modelling
Security Testing How security testing is different Types of security attacks Threat modelling Note: focus is on security of applications (not networks, operating systems) Security testing is about making
More informationSecurity challenges for internet technologies on mobile devices
Security challenges for internet technologies on mobile devices - Geir Olsen [geiro@microsoft.com], Senior Program Manager for Security Windows Mobile, Microsoft Corp. - Anil Dhawan [anild@microsoft.com],
More informationWhat is Web Security? Motivation
brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
More informationSecurity Principles. Related to. Handset Theft
Security Principles Related to Handset Theft Table of Contents TABLE OF CONTENTS...2 GLOSSARY OF TERMS...3 1. INTRODUCTION...4 1.1 IMPORTANCE OF IMEI INTEGRITY...4 1.2 IMPROVED IMEI INTEGRITY PRINCIPLES...4
More informationExecutable Integrity Verification
Executable Integrity Verification Abstract Background Determining if a given executable has been trojaned is a tedious task. It is beyond the capabilities of the average end user and even many network
More informationResource Management and Containment for Active Services
Resource Management and Containment for Active Services M. Ranganathan, Doug Montgomery, Kevin Mills Advanced Networking Technologies Division National Inst. Of Standards and Technology Gaithersburg, MD
More informationPut a Firewall in Your JVM Securing Java Applications!
Put a Firewall in Your JVM Securing Java Applications! Prateep Bandharangshi" Waratek Director of Client Security Solutions" @prateep" Hussein Badakhchani" Deutsche Bank Ag London Vice President" @husseinb"
More informationCloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive
Cloud Security Through Threat Modeling Robert M. Zigweid Director of Services for IOActive 1 Key Points Introduction Threat Model Primer Assessing Threats Mitigating Threats Sample Threat Model Exercise
More informationCompromise-as-a-Service
ERNW GmbH Carl-Bosch-Str. 4 D-69115 Heidelberg 3/31/14 Compromise-as-a-Service Our PleAZURE Felix Wilhelm & Matthias Luft {fwilhelm, mluft}@ernw.de ERNW GmbH Carl-Bosch-Str. 4 D-69115 Heidelberg Agenda
More informationSmart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi
Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Purpose This paper is intended to describe the benefits of smart card implementation and it combination with Public
More informationEfficient Monitoring of OSGi Applications
Degree project Efficient Monitoring of OSGi Applications Author: Portero Aníbal Supervisor: Abbas Nadeem Date: 2013-08-27 Course Code: 2DV00E, 15 credits Level: Bachelor Department of Computer Science
More informationJonathan Worthington Scarborough Linux User Group
Jonathan Worthington Scarborough Linux User Group Introduction What does a Virtual Machine do? Hides away the details of the hardware platform and operating system. Defines a common set of instructions.
More informationCS 392/681 - Computer Security. Module 16 Vulnerability Analysis
CS 392/681 - Computer Security Module 16 Vulnerability Analysis Course Policies and Logistics Homework 5 due tonight Homework 6 posted Read Chapter 23 11/13/2003 Module 16 - Vulnerability Analysis 2 Some
More informationEquinox Framework: A Happier OSGi R6 Implementation
Equinox Framework: A Happier OSGi R6 Implementation Tom Watson IBM March 18 th 2014 OSGi Alliance Marketing 2008-2010 Page. 1 All Rights Reserved Agenda New to OSGi R6 Core Redesign Core Equinox and Why
More informationExample of Standard API
16 Example of Standard API System Call Implementation Typically, a number associated with each system call System call interface maintains a table indexed according to these numbers The system call interface
More informationD. Best Practices D.1. Assurance The 5 th A
Best Practices I&C School Prof. P. Janson September 2014 D. Best Practices D.1. Assurance The 5 th A 1 of 20 IT systems are insecure for two main reasons: People are fallible and systems are complex and
More informationGlassFish v3. Building an ex tensible modular Java EE application server. Jerome Dochez and Ludovic Champenois Sun Microsystems, Inc.
GlassFish v3 Building an ex tensible modular Java EE application server Jerome Dochez and Ludovic Champenois Sun Microsystems, Inc. Agenda Java EE 6 and GlassFish V3 Modularity, Runtime Service Based Architecture
More informationHow To Protect Your Network From Attack From A Virus And Attack From Your Network (D-Link)
NetDefend Firewall UTM Services Unified Threat Management D-Link NetDefend UTM firewalls (DFL-260/860) integrate an Intrusion Prevention System (IPS), gateway AntiVirus (AV), and Web Content Filtering
More information90% of data breaches are caused by software vulnerabilities.
90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with
More informationBYPASSING THE ios GATEKEEPER
BYPASSING THE ios GATEKEEPER AVI BASHAN Technology Leader Check Point Software Technologies, Ltd. OHAD BOBROV Director, Mobile Threat Prevention Check Point Software Technologies, Ltd. EXECUTIVE SUMMARY
More informationC# and Other Languages
C# and Other Languages Rob Miles Department of Computer Science Why do we have lots of Programming Languages? Different developer audiences Different application areas/target platforms Graphics, AI, List
More informationSome Research Challenges for Big Data Analytics of Intelligent Security
Some Research Challenges for Big Data Analytics of Intelligent Security Yuh-Jong Hu hu at cs.nccu.edu.tw Emerging Network Technology (ENT) Lab. Department of Computer Science National Chengchi University,
More informationA technical guide for monitoring Adobe LiveCycle ES deployments
Technical Guide A technical guide for monitoring Adobe LiveCycle ES deployments Table of contents 1 Section 1: LiveCycle ES system monitoring 4 Section 2: Internal LiveCycle ES monitoring 5 Section 3:
More informationServer-side OSGi with Apache Sling. Felix Meschberger Day Management AG 124
Server-side OSGi with Apache Sling Felix Meschberger Day Management AG 124 About Felix Meschberger > Senior Developer, Day Management AG > fmeschbe@day.com > http://blog.meschberger.ch > VP Apache Sling
More informationNetDefend Firewall UTM Services
Product Highlights Intrusion Prevention System Dectects and prevents known and unknown attacks/ exploits/vulnerabilities, preventing outbreaks and keeping your network safe. Gateway Anti Virus Protection
More informationStandard: Web Application Development
Information Security Standards Web Application Development Standard IS-WAD Effective Date TBD Email security@sjsu.edu # Version 2.0 Contact Mike Cook Phone 408-924-1705 Standard: Web Application Development
More informationOperations and Monitoring with Spring
Operations and Monitoring with Spring Eberhard Wolff Regional Director and Principal Consultant SpringSource Copyright 2009 SpringSource. Copying, publishing or distributing without express written permission
More informationANDROID BASED MOBILE APPLICATION DEVELOPMENT and its SECURITY
ANDROID BASED MOBILE APPLICATION DEVELOPMENT and its SECURITY Suhas Holla #1, Mahima M Katti #2 # Department of Information Science & Engg, R V College of Engineering Bangalore, India Abstract In the advancing
More informationOFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES
OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES Table of contents 1.0 SOFTWARE 1 2.0 HARDWARE 2 3.0 TECHNICAL COMPONENTS 2 3.1 KEY MANAGEMENT
More informationHow to Secure Infrastructure Clouds with Trusted Computing Technologies
How to Secure Infrastructure Clouds with Trusted Computing Technologies Nicolae Paladi Swedish Institute of Computer Science 2 Contents 1. Infrastructure-as-a-Service 2. Security challenges of IaaS 3.
More informationPierre Parrend Scientific activities
Pierre Parrend, PhD Senior Research Scientist 239, Route de la Wantzenau 67000 Strasbourg France married Telephone : +33 (0) 3 69 26 29 80, +33 (0) 3 69 23 29 80 E-mail : pparrend@acm.org/pierre.p@gmx.net
More informationSandy. The Malicious Exploit Analysis. http://exploit-analysis.com/ Static Analysis and Dynamic exploit analysis. Garage4Hackers
Sandy The Malicious Exploit Analysis. http://exploit-analysis.com/ Static Analysis and Dynamic exploit analysis About Me! I work as a Researcher for a Global Threat Research firm.! Spoke at the few security
More informationUser. Role. Privilege. Environment. Checkpoint. System
8. Security Features Motivation Viruses, spam, trojan horses have become increasingly common in PC environment In mobile environment, new kinds of opportunities offered for malicious software Potentially
More informationAPPLETS AND NETWORK SECURITY: A MANAGEMENT OVERVIEW
84-10-25 DATA SECURITY MANAGEMENT APPLETS AND NETWORK SECURITY: A MANAGEMENT OVERVIEW Al Berg INSIDE Applets and the Web, The Security Issue, Java: Secure Applets, Java: Holes and Bugs, Denial-of-Service
More information3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More informationCertification Report
Certification Report EAL 4+ Evaluation of ncipher nshield Family of Hardware Security Modules Firmware Version 2.33.60 Issued by: Communications Security Establishment Canada Certification Body Canadian
More informationIS TEST 3 - TIPS FOUR (4) levels of detective controls offered by intrusion detection system (IDS) methodologies. First layer is typically responsible for monitoring the network and network devices. NIDS
More informationKey Management Interoperability Protocol (KMIP)
(KMIP) Addressing the Need for Standardization in Enterprise Key Management Version 1.0, May 20, 2009 Copyright 2009 by the Organization for the Advancement of Structured Information Standards (OASIS).
More informationData Mining Governance for Service Oriented Architecture
Data Mining Governance for Service Oriented Architecture Ali Beklen Software Group IBM Turkey Istanbul, TURKEY alibek@tr.ibm.com Turgay Tugay Bilgin Dept. of Computer Engineering Maltepe University Istanbul,
More informationEugene Tsyrklevich. Ozone HIPS: Unbreakable Windows
Eugene Tsyrklevich Eugene Tsyrklevich has an extensive security background ranging from designing and implementing Host Intrusion Prevention Systems to training people in research, corporate, and military
More informationJava History. Java History (cont'd)
Java History Created by James Gosling et. al. at Sun Microsystems in 1991 "The Green Team" Were to investigate "convergence" technologies Gosling created a processor-independent language for '*7', a 2-way
More informationapple WWDR Certification Practice Statement Version 1.8 June 11, 2012 Apple Inc.
Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.8 Effective Date: June 11, 2012 Table of Contents 1. Introduction... 4 1.1. Trademarks... 4 1.2.
More informationFachbereich Informatik und Elektrotechnik SunSPOT. Ubiquitous Computing. Ubiquitous Computing, Helmut Dispert
Ubiquitous Computing Ubiquitous Computing The Sensor Network System Sun SPOT: The Sun Small Programmable Object Technology Technology-Based Wireless Sensor Networks a Java Platform for Developing Applications
More informationAbsolute Backdoor Revisited. Vitaliy Kamlyuk, Kaspersky Lab Sergey Belov, Kaspersky Lab Anibal Sacco, Cubica Labs
Absolute Backdoor Revisited Vitaliy Kamlyuk, Kaspersky Lab Sergey Belov, Kaspersky Lab Anibal Sacco, Cubica Labs BlackHat, Las Vegas August, 2014 What is Computrace? Computrace is an Anti-Theft software
More informationCrashPlan Security SECURITY CONTEXT TECHNOLOGY
TECHNICAL SPECIFICATIONS CrashPlan Security CrashPlan is a continuous, multi-destination solution engineered to back up mission-critical data whenever and wherever it is created. Because mobile laptops
More informationCarlos Villavieja, Nacho Navarro {cvillavi,nacho}@ac.upc.edu. Arati Baliga, Liviu Iftode {aratib,liviu}@cs.rutgers.edu
Continuous Monitoring using MultiCores Carlos Villavieja, Nacho Navarro {cvillavi,nacho}@ac.upc.edu Arati Baliga, Liviu Iftode {aratib,liviu}@cs.rutgers.edu Motivation Intrusion detection Intruder gets
More informationExperimental Evaluation of Distributed Middleware with a Virtualized Java Environment
Experimental Evaluation of Distributed Middleware with a Virtualized Java Environment Nuno A. Carvalho, João Bordalo, Filipe Campos and José Pereira HASLab / INESC TEC Universidade do Minho MW4SOC 11 December
More informationSecurity Issues of the Sandbox inside Java Virtual Machine (JVM) Mohammad Shouaib Hashemi
Security Issues of the Sandbox inside Java Virtual Machine (JVM) Mohammad Shouaib Hashemi Bachelor s Thesis Business Information Technology 2010 Abstract Degree Program in Business Information Technology
More informationSecurity Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2
BlackBerry Enterprise Service 10 BlackBerry Device Service Solution Version: 10.2 Security Technical Overview Published: 2014-09-10 SWD-20140908123239883 Contents 1 About BlackBerry Device Service solution
More informationOracle Solaris Security: Mitigate Risk by Isolating Users, Applications, and Data
Oracle Solaris Security: Mitigate Risk by Isolating Users, Applications, and Data Will Fiveash presenter, Darren Moffat author Staff Engineer Solaris Kerberos Development Safe Harbor Statement The following
More information05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
More informationHost Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1
Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A
More informationA SECURITY ARCHITECTURE FOR AGENT-BASED MOBILE SYSTEMS. N. Borselius 1, N. Hur 1, M. Kaprynski 2 and C.J. Mitchell 1
A SECURITY ARCHITECTURE FOR AGENT-BASED MOBILE SYSTEMS N. Borselius 1, N. Hur 1, M. Kaprynski 2 and C.J. Mitchell 1 1 Royal Holloway, University of London 2 University of Strathclyde ABSTRACT Future mobile
More informationESET Endpoint Security 6 ESET Endpoint Antivirus 6 for Windows
ESET Endpoint Security 6 ESET Endpoint Antivirus 6 for Windows Products Details ESET Endpoint Security 6 protects company devices against most current threats. It proactively looks for suspicious activity
More informationLecture 7: Class design for security
Lecture topics Class design for security Visibility of classes, fields, and methods Implications of using inner classes Mutability Design for sending objects across JVMs (serialization) Visibility modifiers
More informationIoT Security Platform
IoT Security Platform 2 Introduction Wars begin when the costs of attack are low, the benefits for a victor are high, and there is an inability to enforce law. The same is true in cyberwars. Today there
More informationDIGITAL RIGHTS MANAGEMENT SYSTEM FOR MULTIMEDIA FILES
DIGITAL RIGHTS MANAGEMENT SYSTEM FOR MULTIMEDIA FILES Saiprasad Dhumal * Prof. K.K. Joshi Prof Sowmiya Raksha VJTI, Mumbai. VJTI, Mumbai VJTI, Mumbai. Abstract piracy of digital content is a one of the
More informationAsymmetric cryptosystems fundamental problem: authentication of public keys
Network security Part 2: protocols and systems (a) Authentication of public keys Università degli Studi di Brescia Dipartimento di Ingegneria dell Informazione 2014/2015 Asymmetric cryptosystems fundamental
More information