Pub Date: 2020-06-01 DOI: 10.1109/dsn-s50200.2020.00025
Mariusz Mazurek, T. Rymarczyk, G. Kłosowski, Michał Maj, P. Adamkiewicz
The paper presents the results of research on the use of tomographic sensors to analyze industrial processes using dedicated measuring devices, image reconstruction algorithms and a cyber-physical system (CPS). The work mainly focuses on ultrasound tomography and image reconstruction using deterministic methods and machine learning. The tests were carried out for synthetic data and laboratory measurements. The main advantage of the proposed system is the ability to analyze spatial data and their high processing speed. The presented research results indicate that ultrasonic process tomography gives the opportunity to analyze processes occurring inside the facility without disrupting production. The presented method enables the analysis and detection of obstacles, defects and various anomalies. Knowing the characteristics of the problem, the application allows you to choose the right method of image reconstruction.
Title: Tomographic Measuring Sensors System for Analysis and Visualization of Technological Processes
Venue: 2020 50th Annual IEEE-IFIP International Conference on Dependable Systems and Networks-Supplemental Volume (DSN-S)

Pub Date: 2020-06-01 DOI: 10.1109/dsn-s50200.2020.00036
Gargi Mitra
The new multi-threaded server operation feature in HTTP/2 results in multiplexed object transmission. This obfuscates the sizes of the encrypted objects, based on which passive network eavesdroppers inferred sensitive information. Therefore, recent works speculate that HTTP/2 can have an unanticipated positive effect on communication privacy in addition to the privacy provided by TLS/SSL. Orthogonal to these works, we show that it is possible for an on-path passive eavesdropper to completely break the privacy offered by the schemes that leverage HTTP/2 multiplexing. Our adversary works based on the following intuition: restricting only one HTTP/2 object to be in the server queue at any point of time will eliminate multiplexing of that object and any privacy benefit thereof. Our adversary achieves this by altering network parameters such as jitter, bandwidth and packet drop rate to ensure that no new client request reaches the server while it is serving a previously requested object. Our adversary was able to break the privacy of a real-world HTTP/2 website 90% of the time. To the best of our knowledge, this is the first privacy attack on HTTP/2.
Title: Depending on HTTP/2 for Privacy? Good Luck!

Pub Date: 2020-06-01 DOI: 10.1109/dsn-s50200.2020.00007
J. López, Jianwen Xiang, Kenichi Kourai, Regina Moraes, X. Défago, Dong Seong Kim, Kok Onn Chee, Mengmeng Ge
A DSN Fast Abstract paper is a lightly reviewed, two-page technical article on new ideas, work in progress, or opinions relevant to dependable and secure systems and networks. Contributions are particularly solicited from project teams, industrial practitioners, and academics who may not have been able to prepare and see full papers accepted for DSN, but nevertheless seek an opportunity to engage with, or get feedback from, the DSN community. Fast Abstract papers enable their authors to:
Title: Message from the Fast Abstracts and Posters Chairs

Pub Date: 2020-06-01 DOI: 10.1109/DSN-S50200.2020.00027
Philipp Jeitner, Haya Shulman, M. Waidner
The critical role that Network Time Protocol (NTP) plays in the Internet led to multiple efforts to secure it against time-shifting attacks. A recent proposal for enhancing the security of NTP with Chronos against on-path attackers seems the most promising one and is on a standardisation track of the IETF. In this work we demonstrate off-path attacks against Chronos-enhanced NTP clients. The weak link is a central security feature of Chronos: the server pool generation mechanism using DNS. We show that the insecurity of DNS makes it possible to subvert the security of Chronos, making the time-shifting attacks against Chronos-NTP even easier than attacks against plain NTP.
Title: Pitfalls of Provably Secure Systems in Internet: The Case of Chronos-NTP

Pub Date: 2020-06-01 DOI: 10.1109/dsn-s50200.2020.00035
Cláudio Correia
We propose to design and implement a secure edge storage system. Edge computing is a paradigm that extends cloud computing with storage and processing capacity close to the edge of the network, supporting new applications that require low latency. It assumes the availability of fog nodes that are located close to the edge. However, fog nodes are likely to be vulnerable to tampering. A malicious fog node can manipulate, create or delete data from edge applications, leading this application into a fail state, impacting the quality of service. Therefore, it is important to secure the functions fog nodes provide. To achieve our goal we plan to leverage the use of secure hardware (e.g., Intel SGX) as a means to harden the implementation. However, as we discuss here, SGX alone is not enough to achieve the qualities we consider necessary to support edge applications, such as low latency, scalability, and multiple models of data consistency. In this work, we present the main challenges in the design of a secure edge storage system and point to the research directions that we plan to follow to address these challenges.
Title: Safeguarding Data Consistency at the Edge

Pub Date: 2020-06-01 DOI: 10.1109/dsn-s50200.2020.00026
Kris Shrishak, Haya Shulman
Secure multiparty computation (MPC) allows multiple entities to perform joint computation over their private inputs, revealing only the output. Although it was considered to be "not efficient enough" for many years, recent advances have shown that secure computation can be practical for specific applications. These applications have ranged from privacy-preserving auctions to private machine learning. In this work we explore the use of MPC for securing Internet infrastructure. We show that basic Internet systems, such as routing and DNS, rely on centralised authorities. Nevertheless, vulnerabilities as well as conflicting interests often make this requirement for trust not suitable for practical purposes. In this work, we set forth to explore replacement of trust in centralised authorities in Internet infrastructure with secure MPC.
Title: MPC for Securing Internet Infrastructure

Pub Date: 2020-06-01 DOI: 10.1109/DSN-S50200.2020.00043
Yiannis Psaras, David Dias
The InterPlanetary File System (IPFS) is a peer-to-peer content-addressable distributed file system that seeks to connect all computing devices with the same system of files. It is an open-source community-driven project, with reference implementations in Go and JavaScript, and a global community of millions of users. IPFS and libp2p, which is the modular network stack of IPFS, are based on name-resolution-based routing. The resolution system is based on Kademlia DHT and content is addressed by flat hash-based names. IPFS sees significant real-world usage, with over 250,000 daily active network nodes, millions of end users and wide adoption by several other projects in the Decentralised Web space and beyond. An adjacent project to IPFS, which was also masterminded and is also being developed within Protocol Labs (the umbrella company of IPFS and libp2p), is Filecoin. Filecoin is a token protocol that supports a decentralised storage network. Storage miners are rewarded according to their contribution to the network and the mechanics of Filecoin secure the network against malicious activity. The objective of this half-day tutorial is to make the audience familiar with IPFS and Filecoin and able to use the tools provided by the project for research and development. The tutorial targets both developers and researchers, who may contribute to the project or use it as a tool.
Title: The InterPlanetary File System and the Filecoin Network

Pub Date: 2020-06-01 DOI: 10.1109/dsn-s50200.2020.00024
Dong Seong Kim, Minjune Kim, Jin-Hee Cho, Hyuk Lim, T. Moore, Frederica Free-Nelson
Moving Target Defense (MTD) has emerged as a promising countermeasure to defend systems against cyberattacks asymmetrically while working well with legacy security and defense mechanisms. MTD provides proactive security services by dynamically altering attack surfaces and increasing attack cost or complexity to prevent further escalation of the attack. However, one of the non-trivial hurdles in deploying MTD techniques is how to handle potential performance degradation (e.g., interruptions of service availability) and maintain acceptable quality-of-service (QoS) in an MTD-enabled system. In this paper, we derive the service performance metrics (e.g., an extent of failed jobs) to measure how much performance degradation is introduced due to MTD operations, and propose QoS-aware service strategies (i.e., drop and wait) to manage ongoing jobs with the minimum performance degradation even while MTD operations are running. We evaluate the service performance of software-defined networking (SDN)-based web services (i.e., Apache web servers). Our experimental results prove that the MTD-enabled system can minimize performance degradation by using the proposed job management strategies. The proposed strategies aim to optimize a specific service configuration (e.g., types of jobs and request rates) and effectively minimize the adverse impact of deploying MTD in the system with acceptable QoS while retaining the security effect of IP shuffling-based MTD.
Title: Design and Performance Analysis of Software Defined Networking Based Web Services Adopting Moving Target Defense

Pub Date: 2020-06-01 DOI: 10.1109/dsn-s50200.2020.00008
S. Bouchenak, S. Zonouz
DSN 2020 Doctoral Forum would not have been possible without the help and dedication of a large team of volunteers. First, we would like to thank the authors who submitted their work. We also would like to thank all the Doctoral Forum Program Committee members who worked hard to set up this program, namely Azzam Alsudais, Amy Babay, Sophie Cerf, Maria Fernandes, Mohamad Gharib, Pierre-François Gimenez, Matthias Hille, Georgios Mappouras, Isabelly Rocha, Rania Talbi, Hui Xu. Finally, we are very grateful to the Steering Committee and the Local Organizing Committee whose action and help have been instrumental in setting up DSN 2020 Doctoral Forum.
Title: Message from the Doctoral Forum Chairs

Pub Date: 2020-06-01 DOI: 10.1109/DSN-S50200.2020.00030
Ibéria Medeiros, N. Neves
Web applications have become an essential resource to access the services of diverse subjects (e.g., financial, healthcare) available on the Internet. Despite the efforts that have been made on their security, namely on the investigation of better techniques to detect vulnerabilities in their source code, the number of vulnerabilities exploited has not decreased. Static analysis tools (SATs) are often used to test the security of applications since their outcomes can help developers correct the bugs found. Investigations conducted on SATs have stated that they often generate errors (false positives (FP) and false negatives (FN)), whose cause is recurrently associated with very diverse coding styles, i.e., similar functionality implemented in distinct manners, and programming practices that create ambiguity, such as the reuse and sharing of variables. Based on the common practice of using multiple forms in the same webpage and processing them in a single file, we defined a use case for user login and registration with six coding-style scenarios for processing their data, and evaluated the behaviour of three SATs (phpSAFE, RIPS and WAP) on them to verify and understand why SATs produce FP and FN.
Title: Impact of Coding Styles on Behaviours of Static Analysis Tools for Web Applications