Computer Science

A commonly held belief is that the friend construct in C++ is a violation of encapsulation. However, little empirical analysis of its use has taken place to provide evidence to support this claim. This paper presents a study which assesses the design implications of including friendship in a system. A number of hypotheses are investigated based on previous work in this area by Counsell and Newson, [4]. Our initial findings suggest that classes declared as friends are coupling hotspots, that the more friends a class has the more protected and private members it will contain and that friendship is not used to access inherited protected members.

This thesis presents an innovative approach to implementing a security enforcement mechanism in the contexts of untrusted software systems, where a piece of code in a base system may come from an untrusted third party. The key point of the approach is that it is lightweight in the sense that it does not need an additional policy language or extra tool. Instead, the approach uses the aspect-oriented programming paradigm-a programmatic means to modify the behaviour of an application based on aspects-to specify security policies and embed the policies into untrusted software. As a result, the policies can be fine-grained and applicationspecific, and can be inlined into the untrusted software without modifying the base system, in order to detect and prevent unintended behaviour of the software at runtime. The approach has been elaborated in two particular untrusted software contexts in this thesis. Firstly, we have developed the approach in the context of a vehicle software architecture, where a third-party application can be installed and executed in a vehicle system. We have shown that various classes of fine-grained security policies can be specified and enforced in such a system by the approach. The security assurance provided by the enforcement mechanism is promising for deployment in an existing vehicle software system. Furthermore, we have identified a number of potential threats in the vehicle software architecture and developed countermeasures in terms of security policies. We have demonstrated the deployment of countermeasures to prevent possible attacks. Secondly, we have studied web application security. We propose a novel enforcement method called lightweight self-protecting JavaScript by applying the lightweight approach in the context of web security. The method prevents or modifies inappropriate behaviour of JavaScript execution in web pages by intercepting security relevant API calls. Unlike other approaches to enforcing policies for JavaScript, the enforcement and policy code are provided as a library and therefore do not require a modified browser. Furthermore, the approach does not employ runtime parsing or transformation of code, and thus has low runtime overhead. We also present an application of the method in the context of untrusted JavaScript such as mashups by proposing a two-tier sandbox architecture in which untrusted Java-Script code can be loaded and executed dynamically. The execution of untrusted code is monitored by modular and fine-grained security policies defined via an adaptation of self-protecting JavaScript to ensure security for the hosting page.

The emerging cloud computing models for Internet-of-Things have fostered the development of lightweight applications using cloud services for monitoring and optimizing devices and equipment hosted in distributed facilities. Such applications-called bots in our work-can be composed and deployed with multiple types of governance policies from cloud platforms to distributed hosting environments and they can access not only local data and devices but also cloud data and features. Therefore, it is a great challenge to govern them. In this paper, we discuss governance issues and state-of-the-art on supporting the emerging Bot-as-a-Service in sustainability governance platforms. Based on that we outline our approaches to policy development and enforcement for the Bot-as-a-Service model.

Mixed Flash and JavaScript content has become increasingly prevalent; its purveyance of dynamic features unique to each platform has popularized it for myriad web development projects. Although Flash and JavaScript security has been examined extensively, the security of untrusted content that combines both has received considerably less attention. This article considers this fusion in detail, outlining several practical scenarios that threaten the security of web applications. The severity of these attacks warrants the development of new techniques that address the security of Flash-JavaScript content considered as a whole, in contrast to prior solutions that have examined Flash or JavaScript security individually. Toward this end, the article presents FlashJaX, a cross-platform solution that enforces fine-grained, history-based policies that span both Flash and JavaScript. Using in-lined reference monitoring, FlashJaX safely embeds untrusted JavaScript and Flash content in web pages without modifying browser clients or using special plug-ins. The architecture of FlashJaX, its design and implementation, and a detailed security analysis are exposited. Experiments with advertisements from popular ad networks demonstrate that FlashJaX is transparent to policy-compliant advertisement content, yet blocks many common attack vectors that exploit the fusion of these web platforms.

The large majority of websites nowadays embeds third-party JavaScript into their pages, coming from external partners. Ideally, these scripts are benign and come from trusted sources, but over time, these third-party scripts can start to misbehave, or to come under control of an attacker. Unfortunately, the state-of-practice integration techniques for thirdparty scripts do not impose restrictions on the execution of JavaScript code, allowing such an attacker to perform unwanted actions on behalf of the website owner and/or website visitor. In this paper, we present a two-tier sandbox architecture to enable a website owner to enforce modular finegrained security policies for potential untrusted third-party JavaScript code. The architecture contains an outer sandbox that provides strong baseline isolation guarantees with generic, coarse-grained policies and an inner sandbox that enables fine-grained, stateful policy enforcement specific to a particular untrusted application. The two-tier approach ensures that the application-specific policies and untrusted code are by default confined to a basic security policy, without imposing restrictions on the expressiveness of the policies. Our proposed architecture improves upon the state-of-theart as it does not depend on browser modification nor preprocessing or transformation of untrusted code, and allows the secure enforcement of fine-grained, stateful access control policies. We have developed a prototype implementation on top of a open-source sandbox library in the EC-MAScript 5 specification, and applied it to a representative online advertisement case study to validate the feasibility and security of the proposed architecture.

Compilers perform static analysis prior to applying an optimization. The analysis results are typically not very precise, however, as a compiler operates with a strict time budget, which constrains reasoning. In this paper, we explore a new direction: using information gathered by external sound static analysis tools to augment the internal compiler reasoning, and investigate whether this leads to better optimization. One of the key problems to be solved is that of propagating the source-level information gathered by a static analyzer deeper into the optimization pipeline. We propose an approach to achieve this and demonstrate its feasibility through an implementation using the LLVM compiler infrastructure. We show how assertions obtained from the Frama-C static analysis tool are propagated through LLVM and are then used to substantially improve the effectiveness of several optimizations.

Modern malware evolves various detection avoidance techniques to bypass the state-of-the-art detection methods. An emerging trend to deal with this issue is the combination of image transformation and machine learning models to classify and detect malware. However, existing works in this field only perform simple image transformation methods. These simple transformations have not considered color encoding and pixel rendering techniques on the performance of machine learning classifiers. In this article, we propose a novel approach to encoding and arranging bytes from binary files into images. These developed images contain statistical (eg, entropy) and syntactic artifacts (eg, strings), and their pixels are filled up using space-filling curves. Thanks to these features, our encoding method surpasses existing methods demonstrated by extensive experiments. In particular, our proposed method achieved 93.01% accuracy using the combination of the entropy encoding and character class scheme on the Hilbert curve.

We introduce a novel approach to protecting the privacy of web users. We propose to monitor the behaviors of JavaScript code within a web origin based on the source of the code, i.e., code origin, to detect and prevent malicious actions that would compromise users' privacy. Our code-origin policy enforcement approach not only advances the conventional same-origin policy standard but also goes beyond the "all-or-nothing" contemporary ad-blockers and tracker-blockers. In particular, our monitoring mechanism does not rely on browsers' network request interception and blocking as in existing blockers. In contrast, we monitor the code that reads or sends user data sent out of the browser to enforce fine-grained and context-aware policies based on the origin of the code. We implement a proof-of-concept prototype and perform practical evaluations to demonstrate the effectiveness of our approach. Our experimental results evidence that the proposed method can detect and prevent data leakage channels not captured by the leading tools such as Ghostery and uBlock Origin. We show that our prototype is compatible with major browsers and popular real-world websites with promising runtime performance. Although implemented as a browser extension, our approach is browser-agnostic and can be integrated into the core of a browser as it is based on standard JavaScript.

Web-based or hybrid mobile applications (apps) are widely used and supported by various modern hybrid app development frameworks. In this architecture, any JavaScript code, local or remote, can access available APIs, including JavaScript bridges provided by the hybrid framework, to access device resources. This JavaScript inclusion capability is dangerous, since there is no mechanism to determine the origin of the code to control access, and any JavaScript code running in the mobile app can access the device resources through the exposed APIs. Previous solutions are either limited to a particular platform (e.g., Android) or a specific hybrid framework (e.g., Cordova) or only protect the device resources and disregard the sensitive elements in the web environment. Moreover, most of the solutions require the modification of the base platform. In this paper, we present HybridGuard, a novel policy enforcement framework that can enforce principal-based, stateful policies, on multiple origins without modifying the hybrid frameworks or mobile platforms. In HybridGuard, hybrid app developers can specify principal-based permissions, and define fine-grained, and stateful policies that can mitigate a significant class of attacks caused by potentially malicious JavaScript code included from third-party domains, including ads running inside the app. HybridGuard also provides a mechanism and policy patterns for app developers to specify fine-grained policies for multiple principals. HybridGuard is implemented in JavaScript; therefore, it can be easily adapted for other hybrid frameworks or mobile platforms without modification of these frameworks or platforms. We present attack scenarios and report experimental results to demonstrate how HybridGuard can thwart attacks against hybrid mobile apps.

Memory errors such as buffer overruns are notorious security vulnerabilities. There has been considerable interest in having a compiler to ensure the safety of compiled code either through static verification or through instrumented runtime checks. While certifying compilation has shown much promise, it has not been practical, leaving code instrumentation as the next best strategy for compilation. We term such compilers Memory Error Sanitization Compilers (MESCs). MESCs are available as part of GCC, LLVM and MSVC suites. Due to practical limitations, MESCs typically apply instrumentation indiscriminately to every memory access, and are consequently prohibitively expensive and practical to only small code bases. This work proposes a methodology that applies state-of-the-art static analysis techniques to eliminate unnecessary runtime checks, resulting in more efficient and scalable defenses. The methodology was implemented on LLVM's Safecode, Integer Overflow, and Address Sanitize...