DBTaint: Cross-Application Information Flow Tracking via Databases
Hao Chen, Benjamin Davis. University of California, Davis. HELIX Project Review Meeting, August 6, 2010

Slide transcription

Slide 1: title slide (as above)
Slide 2: Goal: protect systems at a high level
- Web services are highly attractive targets
  - Over 60% of attacks target Web applications
  - Over 80% of vulnerabilities are in Web apps
  (From SANS 2009 Top Cyber Security Risks)
- Noncespaces: randomize XML tags of untrusted content to defeat XSS attacks
Slide 3: A page that embeds user content
<h1>Latest Comment</h1>
<p> {User Content} </p>

Slide 4: Benign user content
<h1>Latest Comment</h1>
<p> This is <b>great!</b> </p>

Slide 5: Malicious user content (cross-site scripting)
<h1>Latest Comment</h1>
<p> <script> steal(document.cookie); </script> </p>
Slides 7-11: figure. Single-application information flow tracking: untrusted input is marked tainted (!!) as it enters the application, the mark is propagated along with the data inside the application, and when tainted data is about to reach the output the tracking system flags it (X) so the dangerous flow can be stopped.
Slide 12: Existing single-application taint tracking
- Language-based taint mode: Perl, Ruby
- Adding support to language structures: Java [Chin, Wagner 09], PHP [Venema]
Slides 13-20: figure. The same tracking system inside a Web service: Input -> Web Application -> Database Interface -> Database -> Output. Taint (!!) is tracked while the data is inside the Web application, but once tainted data is written through the database interface into the database the mark is lost; when the data is later read back, the tracking system can no longer tell whether it is tainted (?).
Slide 21: What if you have multiple applications? How to treat data from the database?
- All tainted -> false positives
- All untainted -> false negatives
- Require manual annotation?
- Application-specific decisions?
Slide 22: Taint tracking through the entire system
- [Asbestos, 05], [HiStar, 06]
- Implemented in hardware, in the OS, or in a VMM/emulator
Slides 23-26: figure. With system-wide tracking the taint mark (!!) follows the data through the database interface into the database and back out again, but only at the level of the underlying bytes.
Slide 27: Low level / fine granularity
- Hardware mechanism [Suh, Lee, Devadas 04]; Minos [Crandall, Chong 04]
- Lacks high-level database semantics: aggregate functions; comparisons, SELECT DISTINCT
Slide 28: End-to-end taint tracking
- Across Web applications and databases
- Leverage existing single-application information flow tracking engines
- Compatible with existing Web services: requires no changes to Web applications
- Taint propagation through database functions
Slides 29-30: architecture figure. Web Application -> DB Interface -> SQL -> Database Engine. DBTaint sits in the DB interface, between the single-application information flow tracking inside the Web application and the SQL sent to the database engine.
Slide 31: Store taint data in database composite types
- Tuple of the form (<value>, <taint_value>)
- Store/retrieve taint values via SQL
- No additional mechanisms needed in the database
- No change to underlying database data structures

Without DBTaint:
Id   Status
19   closed
27   open
32   pending

With DBTaint:
Id        Status
(19, 0)   ('closed', 1)
(27, 0)   ('open', 1)
(32, 0)   ('pending', 1)
Slide 32: Create functions that operate on composite types
- Comparison operators (=, !=, <, ...)
- Arithmetic operations (+, -, ...)
- Text operations (upper, lower, ...)
- Aggregate functions (MAX, MIN, SUM, ...)
- Functions implemented in SQL: CREATE FUNCTION, CREATE OPERATOR, CREATE AGGREGATE
Slides 33-35: Arithmetic operations
(4, 0) + (5, 1) = (9, ?)
(untainted) + (tainted) = ?
(4, 0) + (5, 1) = (9, 1): the sum is tainted because one of its operands is tainted.
Slides 36-37: MAX {(2, 0), (3, 1), (5, 0)} = (5, ?)
(2 untainted, 3 tainted, 5 untainted)

Slide 38: Taint semantics
- Untainted: trusted source
  - Web application defaults
  - Values generated entirely by the Web application
- Tainted: from an untrusted source, or unknown
  - User input
- Explicit information flow: the database returns an untainted value only if the database has received that value untainted

Slides 39-40: MAX {(2, 0), (3, 1), (5, 0)} = (5, 0)
The maximum, 5, arrived untainted, so the result is untainted.
Slides 41-43: Equality?
(3, 0) = (3, 1)?  (untainted vs. tainted)
Without DBTaint: 3 == 3
With DBTaint: (3, 0) == (3, 1) as well. Adopt the notion of backwards-compatibility [Chin, Wagner 09]: comparisons look at values only, so taint bits never change which rows a query matches.
Slides 44-48: MAX {(5, 1), (5, 0)} = (5, ?)  (tainted, untainted)
Without DBTaint: MAX {5, 5} = 5, and either 5 may be the one returned.
With DBTaint: MAX {(5, 1), (5, 0)} = (5, 0). When possible, prefer to return untainted values.
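The following is an added example, not code from the slides or from the DBTaint implementation: a PostgreSQL sketch of the composite type and the propagation functions that slides 32 through 48 describe (taint carried over by arithmetic, value-only equality, and a MAX that returns the taint of the winning value and prefers an untainted copy on ties). The type, function, operator and table names are my own, as is the constructed ticket data; DBTaint's own SQL definitions may differ in detail.

```sql
-- Added example (not from the DBTaint slides or code base): a PostgreSQL model
-- of the composite type and the propagation rules of slides 32-48.
-- Type, function, operator and table names are my own; PostgreSQL 11+ syntax.

-- Every stored value carries a taint bit: 0 = untainted, 1 = tainted (slide 31).
CREATE TYPE tainted_int  AS (value integer, taint integer);
CREATE TYPE tainted_text AS (value text,    taint integer);

-- Arithmetic (slide 35): the result is tainted if either operand is tainted.
CREATE FUNCTION t_add(tainted_int, tainted_int) RETURNS tainted_int
LANGUAGE sql IMMUTABLE STRICT AS $$
    SELECT ROW(($1).value + ($2).value,
               GREATEST(($1).taint, ($2).taint))::tainted_int
$$;
CREATE OPERATOR + (LEFTARG = tainted_int, RIGHTARG = tainted_int, FUNCTION = t_add);

-- Equality (slide 43, backwards compatibility): compare values only, so a WHERE
-- clause written for plain integers matches the same rows whatever the taint bits.
CREATE FUNCTION t_eq(tainted_int, tainted_int) RETURNS boolean
LANGUAGE sql IMMUTABLE STRICT AS $$
    SELECT ($1).value = ($2).value
$$;
CREATE OPERATOR = (LEFTARG = tainted_int, RIGHTARG = tainted_int,
                   FUNCTION = t_eq, COMMUTATOR = =);

-- Text operation (slide 32): the taint bit travels with the transformed value.
CREATE FUNCTION upper(tainted_text) RETURNS tainted_text
LANGUAGE sql IMMUTABLE STRICT AS $$
    SELECT ROW(upper(($1).value), ($1).taint)::tainted_text
$$;

-- MAX (slides 36-48): keep the larger value; on a tie keep the untainted copy,
-- so the database returns an untainted result only when it actually received
-- that value untainted (slide 38).
CREATE FUNCTION t_max_step(tainted_int, tainted_int) RETURNS tainted_int
LANGUAGE sql IMMUTABLE STRICT AS $$
    SELECT CASE
        WHEN ($2).value > ($1).value                              THEN $2
        WHEN ($2).value = ($1).value AND ($2).taint < ($1).taint THEN $2
        ELSE $1
    END
$$;
-- STRICT on the step function makes the aggregate skip NULL inputs and seed
-- its state with the first row, so no INITCOND is needed.
CREATE AGGREGATE max(tainted_int) (SFUNC = t_max_step, STYPE = tainted_int);

-- Constructed rows mirroring slide 31: ids generated by the application
-- (untainted), status strings that arrived as user input (tainted).
CREATE TABLE tickets (id tainted_int, status tainted_text);
INSERT INTO tickets VALUES
    (ROW(19, 0)::tainted_int, ROW('closed',  1)::tainted_text),
    (ROW(27, 0)::tainted_int, ROW('open',    1)::tainted_text),
    (ROW(32, 0)::tainted_int, ROW('pending', 1)::tainted_text);

-- Slide 35: untainted + tainted.
SELECT ROW(4, 0)::tainted_int + ROW(5, 1)::tainted_int AS sum_with_taint;
-- Slide 40: the largest value arrived untainted.
SELECT max(v) FROM (VALUES (ROW(2, 0)::tainted_int),
                           (ROW(3, 1)::tainted_int),
                           (ROW(5, 0)::tainted_int)) AS s(v);
-- Slide 48: a tie between a tainted and an untainted 5.
SELECT max(v) FROM (VALUES (ROW(5, 1)::tainted_int),
                           (ROW(5, 0)::tainted_int)) AS s(v);
-- Slide 43: the lookup literal is marked tainted, yet value-only = still matches id 27.
SELECT upper(status) FROM tickets WHERE id = ROW(27, 1)::tainted_int;
```

Run it in a scratch database with psql. By the rules on the slides the three value queries should come back as (9,1), (5,0) and (5,0): the sum inherits the taint of its tainted operand, the largest value 5 arrived untainted so MAX returns it untainted, and on the 5/5 tie the untainted copy is preferred. The last query returns the status of ticket 27 uppercased with its taint bit intact even though the lookup key was marked tainted, which is the backwards-compatibility property of slide 43. Note that max and upper are overloaded only for the new argument types, so queries over ordinary columns are untouched.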
Slides 49-53: figure. Without DBTaint: the WebApp calls x = DB.get(id=27); the DB interface queries the table (Id/Status: 19 closed, 27 open, 32 pending) and returns x = 'open' with no taint information attached.

Slides 54-59: figure. With DBTaint: the WebApp makes the same call x = DB.get(id=27); the DBTaint DB interface sends a rewritten query against the composite-typed table ((19, 0)/('closed', 1), (27, 0)/('open', 1), (32, 0)/('pending', 1)), receives the result tuples, collapses each (value, taint) tuple back into the plain value and taints it appropriately in the application's tracking engine, and returns x = 'open' // x is tainted.
Slide 60: The DBTaint DB interface
- Accounts for composite types in SQL queries
- Collapses and taints result tuples as needed
- These changes are transparent to the web application and high-level, portable; the DB itself is unchanged
Slides 61-63: Parameterized queries
Prepare: INSERT (id, status) VALUES (?, ?)
  // with DBTaint: INSERT (id, status) VALUES (ROW(?, ?), ROW(?, ?))
Execute: (27, 'open')
  // 27 is untainted, 'open' is tainted
  // with DBTaint: (27, 0, 'open', 1)
Slide 64: Why parameterized queries fit
- Prepare phase: queries are passed with placeholders for data
- Execute phase: data values are passed separately, independently
- Taint tracking engine requirement: only need to track taint values per variable
- We handle non-parameterized queries too (see paper for details)
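The following is an added example, not code from the slides or from the DBTaint implementation. It spells out the prepare/execute rewriting of slides 61 through 64 and the read-back collapse of slides 49 through 60 as PostgreSQL PREPARE and EXECUTE statements, so both phases and the doubled parameter list are visible in one place. Names are my own and the ticket rows are constructed. In DBTaint the rewriting is done by the instrumented DB interface (Perl DBI or JDBC), not by the database, and the Web application never sees the ROW(?, ?) form.

```sql
-- Added example (not from the DBTaint slides or code base): the prepare/execute
-- rewriting of slides 61-64 and the read-back collapse of slides 49-60, written
-- as PostgreSQL PREPARE/EXECUTE so both phases are visible in one place. Names
-- are my own. In DBTaint this rewriting is done by the instrumented DB interface
-- (Perl DBI / JDBC); the Web application still issues plain (?, ?) statements.

CREATE TYPE tainted_int  AS (value integer, taint integer);
CREATE TYPE tainted_text AS (value text,    taint integer);
CREATE TABLE tickets (id tainted_int, status tainted_text);

-- Prepare phase. The application's statement is
--     INSERT INTO tickets (id, status) VALUES (?, ?)
-- The interface wraps every placeholder as ROW(?, ?): the parameter list
-- doubles and each data value is followed by its own taint bit.
PREPARE ins_ticket (integer, integer, text, integer) AS
    INSERT INTO tickets (id, status) VALUES (ROW($1, $2), ROW($3, $4));

-- Execute phase. The application passes (27, 'open'). The interface asks the
-- single-application taint engine for each value's taint and sends
-- (27, 0, 'open', 1): the id was generated by the application, the status
-- string came from the user. Because values travel separately from the query
-- text, the engine only has to track taint per variable (slide 64).
EXECUTE ins_ticket(19, 0, 'closed',  1);
EXECUTE ins_ticket(27, 0, 'open',    1);
EXECUTE ins_ticket(32, 0, 'pending', 1);

-- Read side (slides 50-59). The application's x = DB.get(id=27) becomes a
-- query over the composite columns; the interface then collapses each result
-- tuple into the plain value the application expects plus a taint flag that it
-- applies to x in the application's taint engine.
PREPARE get_status (integer) AS
    SELECT (status).value AS status, (status).taint AS status_taint
    FROM tickets
    WHERE (id).value = $1;

EXECUTE get_status(27);

-- Taint bits are ordinary data to the DBMS: nothing changes in the engine
-- beyond the composite column types (slide 31).
```

The read side here selects the value and taint fields explicitly and compares on the value field, which is what the interface's collapse step amounts to. The full system instead wraps the lookup literal as ROW(?, ?) as well and relies on the taint-ignoring equality operator of slide 43, so that the application's unmodified WHERE clauses keep matching regardless of taint bits.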
Slide 65: Leverage existing single-application information flow tracking systems; no changes to the Web application. (Figure: Web Application with single-application information flow -> DBTaint DB Interface.)
Slide 66: Implementation
- Languages: Perl, Java
- Database interfaces: Perl DataBase Interface (DBI), Java Database Connectivity (JDBC)
- Database: PostgreSQL
Slide 67: Evaluation applications
- RT: Request Tracker (ticket tracking system): 60,000+ lines of Perl; Perl DBI (DataBase Interface) API; Perl taint mode
- JForum (discussion board system): 30,000+ lines of Java; Java Database Connectivity (JDBC) API; character-level taint engine [Chin, Wagner 09]
Slide 69: Conclusion
- End-to-end information flow through Web services
- Compatible with existing Web services: requires no changes to Web applications
- Taint propagation through database functions
- For detail, see our paper at USENIX WebApps, June 2010, Boston, MA.
More informationEssay Question: Explain 4 different means by which constrains are represented in the Conceptual Data Model (CDM).
Question 1 Essay Question: Explain 4 different means by which constrains are represented in the Conceptual Data Model (CDM). By specifying participation conditions By specifying the degree of relationship
More informationWentworth Institute of Technology COMP570 Database Applications Fall 2014 Derbinsky. SQL Programming. Lecture 8. SQL Programming
Lecture 8 1 Outline Context General Approaches Typical Programming Sequence Examples 2 Database Design and Implementation Process Normalization 3 SQL via API Embedded SQL SQLJ General Approaches DB Programming
More informationActual4Test. Actual4test - actual test exam dumps-pass for IT exams
Actual4Test http://www.actual4test.com Actual4test - actual test exam dumps-pass for IT exams Exam : C2120-800 Title : IBM PureApplication System V1.1, System Administration Vendor : IBM Version : DEMO
More informationDefining Injection Attacks
Defining Injection Attacks RA: Donald Ray dray3@cse.usf.edu PI: Jay Ligatti ligatti@cse.usf.edu Motivation Output Program Application Inputs Motivation 123456 Application Output Program Inputs SELECT balance
More informationSecurity. CSC309 TA: Sukwon Oh
Security CSC309 TA: Sukwon Oh Outline SQL Injection NoSQL Injection (MongoDB) Same Origin Policy XSSI XSS CSRF (XSRF) SQL Injection What is SQLI? Malicious user input is injected into SQL statements and
More informationFACULTY OF ENGINEERING B.E. 4/4 (CSE) II Semester (Old) Examination, June Subject : Information Retrieval Systems (Elective III) Estelar
B.E. 4/4 (CSE) II Semester (Old) Examination, June 2014 Subject : Information Retrieval Systems Code No. 6306 / O 1 Define Information retrieval systems. 3 2 What is precision and recall? 3 3 List the
More informationCoding for Penetration Testers Building Better Tools
Coding for Penetration Testers Building Better Tools Second Edition Jason Andress Ryan Linn Clara Hartwell, Technical Editor ELSEVIER AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO
More information