Improperly validated user input is the underlying root cause of a wide variety of attacks on web-based applications. Static approaches for detecting this problem help at the time of development, but require source code and report a number of false positives. Hence, they are of little use for securing fully deployed and rapidly evolving applications. We propose a dynamic solution that tags and tracks user input at runtime and prevents its improper use from maliciously affecting the execution of the program. Our implementation can be transparently applied to Java classfiles, and does not require source code. Benchmarks show that the overhead of this runtime enforcement is negligible and that it can prevent a number of attacks.

1 Motivation

"The impact of using unvalidated input should not be underestimated. A huge number of attacks would become difficult or impossible if developers would simply validate input before using it. Unless a web application has a strong centralized mechanism for validating all input ... vulnerabilities based on malicious input are very likely to exist." -The Ten Most Critical Web Application Security Vulnerabilities, 2004, Open Web Application Security Project.

In the old internet, machines and services communicated with each other using a variety of protocols that were processed largely by programs written in C. The full range of common UNIX remote services falls in this category: mail servers, finger daemons, scheduled job execution services, etc. The most common way to attack these services was to exploit buffer-overrun vulnerabilities that stemmed from the fundamental lack of memory safety in the underlying implementation language, C.

The trend now is towards a model of web-based applications that communicate using the HTTP protocol, are implemented in a type- and memory-safe language such as Java, and are executed in a safe runtime such as the Java Virtual Machine or the .NET Common Language Runtime.

Such code platforms offer several advantages over native code. The virtual machine performs a number of static and dynamic checks to ensure a basic level of code safety: type safety, and control flow safety. Type safety ensures that operators and functions are applied only to operands and arguments of the correct types. A special case of type safety is memory safety, which prevents reading and writing to illegal memory locations (for example, beyond the bounds of an array) and thereby also provides separation between different processes without the need for hardware-based memory management. Control flow safety prevents arbitrary jumps in code (say, into the middle of a procedure, or to an unauthorized routine). These basic properties of safe code are enforced by a combination of static (e.g. bytecode verification) and dynamic (e.g. array bounds checks) techniques. Thus, safe code does away with a major source of errors and vulnerabilities in current systems that stem from unsafe memory operations in C, such as buffer overruns and format string attacks.

Despite the fact that the safe execution environments in which w...
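The abstract above describes tagging user input at its source, propagating the tag through string operations, and refusing to let tagged data reach a sensitive operation. The following is an added example, written for this page and not the paper's Java classfile instrumentation: it models the same policy as a small Python library so the three pieces (source tagging, propagation, sink check) can be read and run together. The `TStr` class, the `request_param`/`execute_sql` functions, and the allow-list validator are constructed for illustration; the paper does not specify these names or a validation step.

```python
"""Model of runtime taint tagging for untrusted input (constructed example)."""
import re


class TaintViolation(Exception):
    """Raised when data tagged as untrusted reaches a security-sensitive sink."""


class TStr:
    """A string carrying a provenance tag.

    `tainted` is True when the value derives, in whole or in part, from
    untrusted input. Every operation below propagates that tag.
    """

    __slots__ = ("value", "tainted")

    def __init__(self, value: str, tainted: bool = False) -> None:
        self.value = value
        self.tainted = tainted

    # Propagation rule: mixing in tainted data yields tainted data.
    def __add__(self, other):
        other = other if isinstance(other, TStr) else TStr(other)
        return TStr(self.value + other.value, self.tainted or other.tainted)

    def __radd__(self, other: str):
        # Lets a plain str literal on the left ("..." + tainted) propagate too.
        return TStr(other) + self

    def __getitem__(self, idx):
        # Substrings of tainted data remain tainted.
        return TStr(self.value[idx], self.tainted)

    def __repr__(self) -> str:
        return f"TStr({self.value!r}, tainted={self.tainted})"


# --- source: everything read from the request enters tagged as untrusted -----
def request_param(raw: str) -> TStr:
    """Stand-in for the instrumented source (e.g. a request parameter getter)."""
    return TStr(raw, tainted=True)


# --- validation: only data that passed an explicit allow-list loses its tag ---
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(s: TStr) -> TStr:
    """Hypothetical sanitiser: the OWASP advice quoted above, made explicit."""
    if not USERNAME_RE.fullmatch(s.value):
        raise ValueError("username rejected by allow-list")
    return TStr(s.value, tainted=False)


# --- sink: the runtime check inserted before a sensitive operation ------------
def execute_sql(query: TStr) -> str:
    """Stand-in for a database call; refuses any query carrying untrusted bytes.

    The decision is based on provenance, not on what the bytes look like, so
    a perfectly harmless-looking value is still refused if it was never validated.
    """
    if query.tainted:
        raise TaintViolation("untrusted data reached SQL sink: " + query.value)
    return query.value  # the real call is simulated: return what would execute


def build_query(username: TStr) -> TStr:
    # Concatenation carries the tag from `username` into the whole query.
    return "SELECT id FROM users WHERE name = '" + username + "'"


def lookup_unvalidated(raw: str) -> str:
    """Raw input straight into a query: the sink check stops it."""
    return execute_sql(build_query(request_param(raw)))


def lookup_validated(raw: str) -> str:
    """Same flow with an allow-list check in between: the sink accepts it."""
    return execute_sql(build_query(validate_username(request_param(raw))))


def is_blocked(raw: str) -> bool:
    """True when the unvalidated path is refused at the sink."""
    try:
        lookup_unvalidated(raw)
    except TaintViolation:
        return True
    return False


def passes_validation(raw: str) -> bool:
    """True when the input survives the allow-list check."""
    try:
        validate_username(request_param(raw))
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(is_blocked("alice"))        # True: provenance, not content, decides
    print(lookup_validated("alice"))  # SELECT id FROM users WHERE name = 'alice'
```

Note that `is_blocked("alice")` is true even though the input is harmless: the runtime policy in the paper keys on where data came from, not on pattern-matching its content, which is what lets it stop attacks it has never seen. Validation is the only way a value loses its tag, so a developer who forgets the check gets a refusal at the sink rather than a silently injectable query.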
We present a large-scale study exploring the capability of temporal deep neural networks to interpret natural human kinematics and introduce the first method for active biometric authentication with mobile inertial sensors. At Google, we have created a first-of-its-kind data set of human movements, passively collected by 1500 volunteers using their smartphones daily over several months. We compare several neural architectures for efficient learning of temporal multi-modal data representations, propose an optimized shift-invariant dense convolutional mechanism, and incorporate the discriminatively trained dynamic features in a probabilistic generative framework taking into account temporal characteristics. Our results demonstrate that human kinematics convey important information about user identity and can serve as a valuable component of multi-modal authentication systems. Finally, we demonstrate that the proposed model can also be successfully applied in a visual context.
In this paper, a part-based technique for real-time detection of users' faces on mobile devices is proposed. This method is specifically designed for detecting partially cropped and occluded faces captured using a smartphone's front-facing camera for continuous authentication. The key idea is to detect facial segments in the frame and cluster the results to obtain the region that is most likely to contain a face. Extensive experimentation on a mobile dataset of 50 users shows that our method performs better than many state-of-the-art face detection methods in terms of accuracy and processing speed.