Skip to main content
SpringerLink
Log in

The Dark Side of the Code

  • Conference paper
  • First Online:
Security Protocols XXIII (Security Protocols 2015)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9379))

Included in the following conference series:

Abstract

The literature is rife with examples of attackers exploiting unexpected system behaviours that arise from program bugs. This problem is particularly widespread in contemporary application programs, owing to the complexity of their many interconnected parts. We consider this problem, and consider how runtime verification could be used to check an executing program against a model of expected behaviour generated during unit testing.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Bash Code Injection Vulnerability via Specially Crafted Environment Variables. https://access.redhat.com/articles/1200223

  2. The Heartbleed Bug. http://heartbleed.com/

  3. Hibernate. http://hibernate.org

  4. The Spring Framework. https://spring.io

  5. Accorsi, R., Stocker, T.: Automated privacy audits based on pruning of log data. In: EDOCW, pp. 175–182 (2008)

    Google Scholar 

  6. Agrawal, R., Gunopulos, D., Leymann, F.: Mining process models from workflow logs. In: Schek, H.-J., Saltor, F., Ramos, I., Alonso, G. (eds.) EDBT 1998. LNCS, vol. 1377, pp. 469–483. Springer, Heidelberg (1998)

    Google Scholar 

  7. Barringer, H., Goldberg, A., Havelund, K., Sen, K.: Rule-based runtime verification. In: Steffen, B., Levi, G. (eds.) VMCAI 2004. LNCS, vol. 2937, pp. 44–57. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  8. Barth, A.: The web origin concept. Request for Comments 6454, Internet Engineering Task Force, December 2011. http://www.ietf.org/rfc/rfc6454.txt

  9. Berners-Lee, T., Fielding, R., Masinter, L.: Uniform resource identifier (URI): generic syntax. Request for Comments 3986, Internet Engineering Task Force, January 2005. http://www.ietf.org/rfc/rfc3986.txt

  10. Carnegie Mellon University: CERT secure coding standards - VOID 2 MET21-J. Do not invoke equals() or hashCode() on URLs. https://www.securecoding.cert.org/confluence/x/5wHEAw

  11. Davis, D.: Compliance defects in public-key cryptography. In: Proceedings of the 6th Conference on USENIX Security Symposium, Focusing on Applications of Cryptography, SSYM 1996, vol. 6, p. 17. USENIX Association, Berkeley (1996). http://dl.acm.org/citation.cfm?id=1267569.1267586

  12. Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., Berners-Lee, T.: Hypertext transfer protocol - HTTP/1.1. Request for Comments 2616, Internet Engineering Task Force, June 1999. http://www.ietf.org/rfc/rfc2616.txt

  13. Foley, S.: A non-functional approach to system integrity. IEEE J. Sel. Areas Commun. 21(1), 36–43 (2003)

    Article  MathSciNet  Google Scholar 

  14. Forrest, S., Hofmeyr, S., Somayaji, A., Longstaff, T.: A sense of self for unix processes. In: IEEE Symposium on Security and Privacy, pp. 120–128 (1996)

    Google Scholar 

  15. Frank, M., Buhmann, J., Basin, D.: On the definition of role mining. In: Proceedings of the 15th ACM Symposium on Access Control Models and Technologies, SACMAT 2010, pp. 35–44. ACM, New York (2010). http://doi.acm.org/10.1145/1809842.1809851

  16. Gollmann, D.: Software security – the dangers of abstraction. In: Matyáš, V., Fischer-Hübner, S., Cvrček, D., Švenda, P. (eds.) The Future of Identity. IFIP AICT, vol. 298, pp. 1–12. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  17. Jackson, C., Barth, A., Bortz, A., Shao, W., Boneh, D.: Protecting browsers from DNS rebinding attacks. In: Proceedings of ACM CCS 07 (2007). http://crypto.stanford.edu/dns/dns-rebinding.pdf

  18. Jiang, G., Chen, H., Ungureanu, C., Yoshihira, K.: Multi-resolution abnormal trace detection using varied-length N-grams and automata. In: Second International Conference on Autonomic Computing, ICAC 2005, Proceedings, pp. 111–122 (2005)

    Google Scholar 

  19. Jin, D., Meredith, P.O., Lee, C., Roşu, G.: JavaMOP: efficient parametric runtime monitoring framework. In: Proceedings of the 34th International Conference on Software Engineering, ICSE 2012, pp. 1427–1430. IEEE Press, Piscataway (2012). http://dl.acm.org/citation.cfm?id=2337223.2337436

  20. Kuhlmann, M., Shohat, D., Schimpf, G.: Role mining - revealing business roles for security administration using data mining technology. In: Proceedings of the Eighth ACM Symposium on Access Control Models and Technologies, SACMAT 2003, pp. 179–186. ACM, New York (2003). http://doi.acm.org/10.1145/775412.775435

  21. Meyer, B.: Applying “Design by Contract”. IEEE Comput. 25(10), 40–51 (1992). http://doi.ieeecomputersociety.org/10.1109/2.161279

    Article  Google Scholar 

  22. Mockapetris, P.: Domain names - concepts and facilities. Request for Comments 1034, Internet Engineering Task Force, November 1987. http://www.ietf.org/rfc/rfc1034.txt

  23. Oliveira, D., Rosenthal, M., Morin, N., Yeh, K.C., Cappos, J., Zhuang, Y.: It’s the psychology stupid: how heuristics explain software vulnerabilities and how priming can illuminate developer’s blind spots. In: Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC 2014, pp. 296–305. ACM, New York (2014). http://doi.acm.org/10.1145/2664243.2664254

  24. Oracle: Java Platform API Specification - URL (2014). http://docs.oracle.com/javase/7/docs/api/java/net/URL.html

  25. Oracle: Java Platform API Specification - URL Connection (2014). http://docs.oracle.com/javase/7/docs/api/java/net/URLConnection.html

  26. OWASP Foundation: OWASP Top 10 2013. https://www.owasp.org/index.php/Top_10_2013

  27. The PHP Group: PHP Manual – file\_get\_contents. http://php.net/manual/en/function.file-get-contents.php

  28. Pieczul, O., Foley, S.: Discovering emergent norms in security logs. In: 2013 IEEE Conference on Communications and Network Security (CNS - SafeConfig), pp. 438–445 (2013)

    Google Scholar 

  29. Pieczul, O., Foley, S.: Collaborating as normal: detecting systemic anomalies in your partner. In: Christianson, B., Malcolm, J., Matyáš, V., Švenda, P., Stajano, F., Anderson, J. (eds.) Security Protocols 2014. LNCS, vol. 8809, pp. 18–27. Springer, Heidelberg (2014)

    Google Scholar 

  30. Ryan, P.: Mathematical models of computer security. In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2000. LNCS, vol. 2171, pp. 1–62. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

Download references

Acknowledgements

This work was supported, in part, by Science Foundation Ireland under grant SFI/12/RC/2289 and the Irish Centre for Cloud Computing and Commerce, an Irish national Technology Centre funded by Enterprise Ireland and the Irish Industrial Development Authority.

Author information

Authors and Affiliations

  1. Ireland Lab, IBM Software Group, Dublin, Ireland

    Olgierd Pieczul

  2. Department of Computer Science, University College Cork, Cork, Ireland

    Olgierd Pieczul & Simon N. Foley

Authors
  1. Olgierd Pieczul
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Simon N. Foley
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Simon N. Foley .

Editor information

Editors and Affiliations

  1. University of Hertfordshire, Hatfield, United Kingdom

    Bruce Christianson

  2. Faculty of Informatics, Masaryk University, Brno, Czech Republic

    Petr Švenda

  3. Faculty of Informatics, Masaryk University, Brno, Czech Republic

    Vashek Matyáš

  4. University of Hertfordshire, Hatfield, United Kingdom

    James Malcolm

  5. University of Cambridge, Cambridge, United Kingdom

    Frank Stajano

  6. Memorial University of Newfoundland, St. John's, Newfoundland and Labrador, Canada

    Jonathan Anderson

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Pieczul, O., Foley, S.N. (2015). The Dark Side of the Code. In: Christianson, B., Švenda, P., Matyáš, V., Malcolm, J., Stajano, F., Anderson, J. (eds) Security Protocols XXIII. Security Protocols 2015. Lecture Notes in Computer Science(), vol 9379. Springer, Cham. https://doi.org/10.1007/978-3-319-26096-9_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-26096-9_1

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26095-2

  • Online ISBN: 978-3-319-26096-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation