检索结果-南通市图书馆

Mitigating ROP Attacks via ARM-Specific In-Place Instruction Randomization

在线全文

维普期刊数据库

学校读者我要写书评

暂无评论

China Communications 2016年第9期13卷 208-226页

作者： Yu Liang Key Laboratory of Aerospace Information security and Trust Computing of Ministry of Education Wuhan 430079China Computer School of Wuhan University Wuhan 430079China

Defending against return-oriented programing(ROP) attacks is extremely challenging for modern operating *** the most popular mobile OS running on ARM,Android is even more vulnerable to ROP attacks due to its weak implementation of ASLR and the absence of effective control-flow integrity *** this paper,leveraging specific ARM features,an instruction randomization strategy to mitigate ROP attacks in Android even with the threat of single pointer leakage vulnerabilities is *** popping out more registers in functions' epilogue instructions and reallocating registers in function scopes,branch targets in all(direct and indirect) branch instructions potential to be ROP gadgets are changed *** the knowledge of binaries' runtime instructions layout,adversary's repeated control flow transfer in ROP exploits will be ***,this instruction randomization idea has been implemented in both Android Dalvik runtime and *** evaluations proved it is capable to introduce enough randomness for more than 99% discovered functions and thwart about 95% ROP gadgets in application's shared libraries and oat file compiled from Dalvik ***,evaluations on real-world exploits also confirmed its effectiveness on mitigating ROP attacks within acceptable performance overhead.

关键词： software security ROP mitigation instruction randomization ARM architecture

Evaluating the Impacts of security-Durability Characteristic:Data Science Perspective

在线全文

学校读者我要写书评

暂无评论

Computer Systems Science & Engineering 2022年第5期41卷 557-567页

作者： Abdullah Alharbi Masood Ahmad Wael Alosaimi Hashem Alyami Alka Agrawal Rajeev Kumar Abdul Wahid Raees Ahmad Khan Department of Information Technology College of Computers and Information TechnologyTaif UniversityTaif21944Saudi Arabia Department of Information Technology Babasaheb Bhimrao Ambedkar UniversityLucknow226025India Department of Computer Science College of Computers and Information TechnologyTaif UniversityTaif21944Saudi Arabia Department of Computer Applications Shri Ramswaroop Memorial UniversityBarabanki225003India Department of Computer Science and Information Technology Maulana Azad National Urdu UniversityHyderabad500032India

Since the beginning of web applications,security has been a critical study *** has been a lot of research done to figure out how to define and identify security goals or ***,high-security web apps have been found to be less durable in recent years;thus reducing their business *** security features of a web application are worthless unless they provide effective services to the user and meet the standards of commercial ***,there is a necessity to link in the gap between durability and security of the web ***,security mechanisms must be used to enhance durability as well as the security of the web *** durability and security are not related directly,some of their factors influence each other *** play an important role in reducing the void between durability and *** this respect,the present study identifies key characteristics of security and durability that affect each other indirectly and directly,including confidentiality,integrity availability,human trust and *** importance of all the attributes in terms of their weight is essential for their influence on the whole security during the development procedure of web *** estimate the efficacy of present study,authors employed the Hesitant Fuzzy Analytic Hierarchy Process(H-Fuzzy AHP).The outcomes of our investigations and conclusions will be a useful reference for the web application developers in achieving a more secure and durable web application.

关键词： software security durability durability of security services web application development process

Control Flow Obfuscation Based Protection Method for Android Applications

在线全文

维普期刊数据库

学校读者我要写书评

暂无评论

China Communications 2017年第11期14卷 247-259页

作者： Yong Peng Guanyu Su Bin Tian Maohua Sun Qi Li Beijing University of Posts and Telecommunications No 10 Xitucheng Road Haidian District Beijing 100876 China Beijing KeyLaboratory of Space-ground Interconnection and Convergence No 10 Xitucheng Road Haidian District Beijing 100876 China China Information Technology security Evaluation Center No 1 Building No 8 Shangdixi Road Haidian District Beijing 100085 China Information School Capital University of Economics and Business No 121 Zhangjia Road Fengtai District Beijing 100070 China

With the popularization and rapid development of mobile intelligent terminals(MITs), the number of mobile applications, or apps, has increased exponentially. It is increasingly common for malicious code to be inserted into counterfeit apps, which can cause significant economic damage and threaten the security of users. Code obfuscation techniques are a highly efficient group of methods for code security protection. In this paper, we propose a novel control flow obfuscation based method for Android code protection. First, algorithms to insert irrelevant code and flatten the control flow are employed that minimize the cost of obfuscation while ensuring its strength. Second, we improve the traditional methods of control flow flattening to further reduce the costs of obfuscation. Lastly, the use of opaque predicates is strengthened by establishing an access control strategy, which converts the identification of opaque predicates in the entire program into a graph traversal problem, and thereby increases the strength of the code protection. We did some experiments to evaluate our method, and the results show that the proposed method can work well.

关键词： control flow obfuscation control flow obfuscation software security

An empirical study on the complexity, security and maintainability of Ethereum-based decentralized applications (DApps)

在线全文

学校读者我要写书评

暂无评论

Blockchain(Research and Applications) 2023年第2期4卷 28-40页

作者： Noama Fatima Samreen Manar H.Alalfi Department of Computer Science Toronto Metropolitan UniversityTorontoON M5B 2K3Canada

The Ethereum blockchain’s smart contract is a programmable transaction that performs general-purpose computations and can be executed automatically on the *** this component,blockchain technology(BT)has grown beyond the scope of cryptocurrencies and can now be applicable in various industries other than *** this paper,we investigated the current trends in Ethereum-based decentralized applications(DApps)to be able to categorize and analyze the DApps to measure the complexity of smart contracts behind them,their level of security and their correlation to the maintainability of the *** leveraged the source code analysis,security analysis,and the developmental metadata of the DApps to infer this *** on our findings,we concluded that the maintainability of Ethereum DApps is proportional to the code size,number of functions,and,most importantly,the number of outgoing invocations and statements in the smart contracts.

关键词： Blockchain technology Ethereum smart contracts Code metrics software complexity software security software maintainability Decentralized applications

在线全文

维普期刊数据库

学校读者我要写书评

暂无评论

Fuzzing:a survey

Cybersecurity 2018年第1期1卷 80-92页

作者： Jun Li Bodong Zhao Chao Zhang Tsinghua University Beijing 100084China

security vulnerability is one of the root causes of cyber-security *** discover vulnerabilities and fix them in advance,researchers have proposed several techniques,among which fuzzing is the most widely used *** recent years,fuzzing solutions,like AFL,have made great improvements in vulnerability *** paper presents a summary of the recent advances,analyzes how they improve the fuzzing process,and sheds light on future work in ***,we discuss the reason why fuzzing is popular,by comparing different commonly used vulnerability discovery *** we present an overview of fuzzing solutions,and discuss in detail one of the most popular type of fuzzing,i.e.,coverage-based *** we present other techniques that could make fuzzing process smarter and more ***,we show some applications of fuzzing,and discuss new trends of fuzzing and potential future directions.

关键词： Vulnerability discovery software security Fuzzing Coverage-based fuzzing

Structured Query Language Injection Penetration Test Case Generation Based on Formal Description

在线全文

维普期刊数据库

学校读者我要写书评

暂无评论

Journal of Donghua University(English Edition) 2015年第3期32卷 446-452页

作者：韩明苗长云 School of Mechanical Engineering Tianjin Polytechnic University Tianjin 300387 China School of Electronics and Information Engineering Tianjin Polytechnic University Tianjin 300387 China

Aiming to improve the Structured Query Language( SQL) injection penetration test accuracy through the formalismguided test case generation,an attack purpose based attack tree model of SQL injection is proposed,and then under the guidance of this model, the formal descriptions for the SQL injection vulnerability feature and SQL injection attack inputs are established. Moreover,according to new coverage criteria,these models are instantiated and the executable test cases are *** show that compared with the random enumerated test case used in other works,the test case generated by our method can detect the SQL injection vulnerability more effectively. Therefore,the false negative is reduced and the test accuracy is improved.

关键词： software security penetration test web application structured query language(SQL) injection test case

A Novel Vulnerability Prediction Model to Predict Vulnerability Loss Based on Probit Regression

在线全文

学校读者我要写书评

暂无评论

Wuhan University Journal of Natural Sciences 2016年第3期21卷 214-220页

作者： GENG Jinkun LUO Ping Institute of Computer Networks Tsinghua University School of software Tsinghua University

software vulnerability is always an enormous threat to software security. Quantitative analysis of software vulnerabilities is necessary to the evaluation and improvement of software security. Current vulnerability prediction models mainly focus on predicting the number of vulnerabilities regardless of the seriousness of vulnerabilities, therefore these models are unable to reflect the security level of software accurately. Starting from this, we propose a vulnerability prediction model based on probit regression in this paper. Unlike traditional ones, we measure the seriousness of vulnerability by the loss it causes and aim at predicting the accumulative vulnerability loss rather than the number of vulnerabilities. To validate our model, experiment is carried out on two soft- ware -- OpenSSL and Xpdf, and the experimental result shows a good performance of our model.

关键词： software vulnerability prediction software security vulnerability loss probit regression

MSMAM:Testing Resources Allocation,Obtaining Non-Functional Indexes Based on Functional Testing Results,and Evaluating security

在线全文

学校读者我要写书评

暂无评论

Wuhan University Journal of Natural Sciences 2012年第6期17卷 504-510页

作者： CAO Hui ZHANG Huanguo YAN Fei School of Computer Wuhan UniversityWuhan 430072HubeiChina Key Laboratory of Aerospace Information security and Trust Computing Ministry of EducationWuhan 430072HubeiChina

security testing is a key technology for software *** testing results can reflect the relationship between software testing and software security,and they can help program designers for evaluating and improving software ***,it is difficult to describe by mathematics the relationship between the results of software functional testing and software nonfunctional security *** this paper,we propose a mathematics model（MSMAM） based on principal component analysis and multiattribute utility *** model can get nonfunctional security indexes by analyzing quantized results of functional *** can also evaluate software security and guide the effective allocation of testing resources in the process of software *** feasibility and effectiveness of MSMAM is verified by experiments.

关键词： software testing software security principal component analysis multi-attribute theory security evaluation

Memory Safety Based on Probabilistic Memory Allocation

在线全文

学校读者我要写书评

暂无评论

China Communications 2012年第4期9卷 115-122页

作者： Xue Jingfeng Hu Changzhen Guo Xiaojing Leng Bingxing Ma Rui School of software Beijing Institute of Technology Beijing 100081 P. R. China School of Computer Beijing Uniwrsity of Posts and Telecommunications Beijing 100876 P. R. China

Some unsafe languages,like C and C++,let programmers maximize performance but are vulnerable to memory errors which can lead to program crashes and unpredictable *** to solve the problem,traditional memory allocating strategy is improved and a new probabilistic memory allocation technology is *** combining random memory allocating algorithm and virtual memory,memory errors are avoided in all probability during software *** replacing default memory allocator to manage allocation of heap memory,buffer overflows and dangling pointers are *** show it is better than Diehard of the following aspects:memory errors prevention,performance in memory allocation set and ability of controlling working *** probabilistic memory allocation is a valid memory errors prevention technology and it can tolerate memory errors and provide probabilistic memory safety effectively.

关键词： software security probabilistic memory errors memory allocation