The Dark Side of the Code

Pieczul, Olgierd; Foley, Simon N.

doi:10.1007/978-3-319-26096-9_1

Cited by 3 publications

(2 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We argue that is more appropriate to obtain the baseline and corresponding behavioral model during the software testing phase. In [16] it is suggested that unit tests might be used to generate the necessary system logs. Such a baseline is useful if the required scope and level of abstraction is consistent with the unit tests.…”

Section: Generating Baseline Activitymentioning

confidence: 99%

“…Flaws can also occur within the components themselves, for similar reasons; the component developer may not have anticipated all possible use-cases. A consequence of what can be described as "dark code" [11] or "the dark side of the code" [16], is that while the programmer expects certain program execution paths, other, unexpected paths may be possible and give rise to a security vulnerability.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Runtime Detection of Zero-Day Vulnerability Exploits in Contemporary Software Systems

Pieczul

Foley

2016

Data and Applications Security and Privacy XXX

Self Cite

View full text Add to dashboard Cite

It is argued that runtime verification techniques can be used to identify unknown application security vulnerabilities that are a consequence of unexpected execution paths in software. A methodology is proposed that can be used to build a model of expected application execution paths during the software development cycle. This model is used at runtime to detect exploitation of unknown security vulnerabilities using anomaly detection style techniques. The approach is evaluated by considering its effectiveness in identifying 19 vulnerabilities across 26 versions of Apache Struts over a 5 year period. Contemporary software developmentContemporary software is implemented using a variety of high-level programming languages, software frameworks and third party components. While applicationlevel code may appear straightforward, enabling rapid and low-cost application development, its underlying system is a complex arrangement of inter-dependent class PostAction extends ApiAction { private String message; public void setMessage(String msg) { this.message = msg; } public void execute(){ String userId = getUser().getId(); datastore.add(userId, message); } public User getUser() { return getSession().get(USER); } } StrutsActionProxy: PostAction.

show abstract

Section: Generating Baseline Activitymentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%