With the popular use of network application services and the growing number of users, web services have become the main target of hackers. Traditional single software has insufficient security protection against unkno...
With the popular use of network application services and the growing number of users, web services have become the main target of hackers. Traditional single software has insufficient security protection against unknown threats and is prone to various vulnerabilities. In this paper, we adopt a new type of active defense strategy in java web services. At different application layers, we use existing components based on the natural software diversity to form different software stacks, and use dynamic scheduling mechanisms to change the attack surface at all times to obtain security protection. Our analysis shows that the flexibility of java web services using this defense strategy is enhanced, and the exploitability of its vulnerabilities is effectively reduced.
Programmable Logic Controller (PLC) programs are vulnerable to tampering attacks with addition of malware, which can substantially cause severe physical destructions. In order to solve the problems, We propose a stati...
详细信息
Cyberspace mimic defense has been proven to be a revolutionary defense technology that 'changes the rules of the game' to ensure the security of cyberspace. However, the software diversity inherent in mimic de...
Cyberspace mimic defense has been proven to be a revolutionary defense technology that 'changes the rules of the game' to ensure the security of cyberspace. However, the software diversity inherent in mimic defense technology may increase the difficulty in managing software executable binaries, especially when updating or debugging a software. In this paper, we study the problem of software assignment in a networked system to minimise the number of binaries generated by mimic compilers. Mimic compilers can help to generate functional equivelant software executables which exhibits diverse characteristics such as binary size etc. Theoretically the software assignment problem is equal to the traditional graph coloring problem. To guarantee network severity, we apply a Welsh-Powell-based Software Assignment (WPSA) algorithm to determine the number of binaries needed and the assignment of these binaries to hosts in a network. We conduct experiments on real world network topologies. Experimental results show that our algorithm can effectively reduce the number of binaries needed in networked systems.
Software diversity has been proven to be an effective approach to enhance system security. To make the best of the advantage brought by software diversity, a multi-variant execution environment is needed. However, alt...
Software diversity has been proven to be an effective approach to enhance system security. To make the best of the advantage brought by software diversity, a multi-variant execution environment is needed. However, although some MVEEs have been proposed, most of them are either too simple or only focusing one aspect which limits their widely adoption in industry. In this paper we propose a framework for multi-variant execution environment to enhance the security of software systems. The framework addresses different aspects when implementing a MVEE and can help to make the best of software diversity to enhance the system's security.
The Unified Extensible Firmware Interface (UEFI) is a software interface between an operating system and platform firmware designed to replace a traditional BIOS. In this paper, we evaluated the security mechanisms us...
The Unified Extensible Firmware Interface (UEFI) is a software interface between an operating system and platform firmware designed to replace a traditional BIOS. In this paper, we evaluated the security mechanisms used to protected SPI Flash, and then analyzed the attack surface presented by those security mechanisms. Intel provides several registers in its chipset relevant to locking down the SPI Flash chip that contains the UEFI in order to prevent arbitrary writes. Since these registers implement their functions through the system management mode, the main attack surface is concentrated in the system management mode. In this paper, we propose an attack vector for the system management mode, which uses the method of cache poisoning to attack the system management mode and destroy the protection mechanism of SPI Flash. This method can overcome the limitations for the traditional attacks. Experimental results proved that this kind of attack can arbitrarily write to the UEFI.
The topological band theory predicts that bulk materials with nontrivial topological phases support topological edge states. This phenomenon is universal for various wave systems and has been widely observed for elect...
详细信息
This paper addresses detecting taint-style Thisvulnerabilities in PHP code. It extends classical taint-style model with an element called "cleans", which is used to specify sanitation routines. Based on the ...
详细信息
ISBN:
(纸本)9781509038237;9781509038220
This paper addresses detecting taint-style Thisvulnerabilities in PHP code. It extends classical taint-style model with an element called "cleans", which is used to specify sanitation routines. Based on the new model, a static backward taint data analysis method is proposed to detecting taint-style vulnerabilities. This method includes four key steps, first of which is collecting sinks and constructing contexts, the second is backward tracing variables during a basic block, the third is tracing variables between blocks, and the last is tracing variables crossing function call. A tool called POSE implements this method and testing results show that the method is valid for detecting taint-style web application vulnerabilities.
With the convergence of computer technology and industrial networks, attackers are not limited to attacking only individual users' computers, turning to attack industrial control systems that can cause major infra...
With the convergence of computer technology and industrial networks, attackers are not limited to attacking only individual users' computers, turning to attack industrial control systems that can cause major infrastructure problems. Programmable Logic Controllers (PLC) are the core components of industrial control systems. Its safety has a profound impact on the safety of the entire industrial system. This paper firstly classifies the security research of PLC according to the structure and function, and expounds the existing security defects of PLC from the aspects of firmware security, operation security and program security. Then it summarizes and analyzes four types of security protection measures: the integrity of verification firmware, protocol security encryption, code formal verification, and program security defence detection. Finally, according to the overall safety of the industrial system and the actual development of the current PLC, we discuss the development trend of safety research.
User-based attribute information, such as age and gender, is usually considered as user privacy information. It is difficult for enterprises to obtain user-based privacy attribute information. However, user-based priv...
详细信息
Infrastructure as a service (IaaS) which is one of the cloud computing's service modes provides virtual machines to clients via shared physical machines. This Service provides convenience for many enterprises, but...
详细信息
ISBN:
(纸本)9789811136719
Infrastructure as a service (IaaS) which is one of the cloud computing's service modes provides virtual machines to clients via shared physical machines. This Service provides convenience for many enterprises, but also introduces new security threats. Many studies have shown that the co-residency side-channel can be used to extract sensitive information by malicious users. Remarkably, Soo-Jin has present a migration-based system called Nomad to mitigating known and future side-channel which is more universal than the traditional method. However, large scale migration will lead to huge network overheads. To solve the above problems, the characteristics of co-residency side-channel on the single physical server is analyzed, based on which two virtual machine schedule algorithms according the leakage model in Nomad were proposed. The simulation results show that the algorithm can mitigate the threats effectively.
暂无评论