Results 181-200 of 249.
Full Text
Peer Reviewed
Detecting privacy leaks in Android Apps
Li, Li UL; Bartel, Alexandre UL; Klein, Jacques UL et al

Scientific Conference (2014, February 26)

The number of Android apps has grown explosively in recent years and the number of apps leaking private data has also grown. It is necessary to make sure all the apps are not leaking private data before putting them to the app markets and thereby a privacy leaks detection tool is needed. We propose a static taint analysis approach which leverages the control-flow graph (CFG) of apps to detect privacy leaks among Android apps. We tackle three problems related to inter-component communication (ICC), lifecycle of components and callback mechanism making the CFG imprecise. To bridge this gap, we explicitly connect the discontinuities of the CFG to provide a precise CFG. Based on the precise CFG, we aim at providing a taint analysis approach to detect intra-component privacy leaks, inter-component privacy leaks and also inter-app privacy leaks.

Detailed reference viewed: 511 (32 UL)
Full Text
Peer Reviewed
Modeling, composing, and testing of security concerns in a Model-Driven Security approach
Nguyen, Phu Hong UL; Klein, Jacques UL; Le Traon, Yves UL

in Joosen, Wouter; Martinelli, Fabio; Heyman, Thomas (Eds.) Proceedings of the 2014 ESSoS Doctoral Symposium co-located with the International Symposium on Engineering Secure Software and Systems (ESSoS 2014) (2014, February 26)

Model-Driven Security (MDS) has emerged as a promising sound methodology for supporting the development of secure systems nowadays. Following the advances in MDS, this research work aims at 1) developing new modeling techniques to represent multiple security concerns, 2) (automatically) composing security models with the business logic model (called target model), and 3) testing the security model composition and the resulting secure system against security requirements. These three objectives converge to an integrated MDS framework (and tool chain) which 1) allows a target system model to embed various security concerns, 2) enables the generation of implementation code including configured security infrastructures, and 3) makes these security properties testable by construction. This paper presents the main research modules, the results we have achieved so far, and the main points for future work.

Detailed reference viewed: 181 (13 UL)
Full Text
Peer Reviewed
Effective Fault Localization via Mutation Analysis: A Selective Mutation Approach
Papadakis, Mike UL; Le Traon, Yves UL

in ACM Symposium On Applied Computing (SAC'14) (2014)

Detailed reference viewed: 100 (5 UL)
Full Text
Peer Reviewed
A Flexible MDE approach to Enforce Fine-grained Security Policies
Elrakaiby, Yehia UL; Amrani, Moussa UL; Le Traon, Yves UL

in Proceedings of the International Symposium on Engineering Secure Software and Systems (2014)

In this paper, we present a policy-based approach for automating the integration of security mechanisms into Java-based business applications. In particular, we introduce an expressive Domain Specific modeling Language (Dsl), called Security@Runtime, for the specification of security configurations of targeted systems. The Security@Runtime Dsl supports the expression of authorization, obligation and reaction policies, covering many of the security requirements of modern applications. Security requirements specified in security configurations are enforced using an application-independent Policy Enforcement Point (Pep)-Policy Decision Point (Pdp) architecture, which enables the runtime update of security requirements. Our work is evaluated using two systems and its advantages and limitations are discussed.

Detailed reference viewed: 103 (9 UL)
Full Text
Peer Reviewed
A state machine for database non-functional testing
Meira, Jorge Augusto UL; Almeida, Eduardo; Le Traon, Yves UL

Poster (2014)

Over the last decade, large amounts of concurrent transactions have been generated from different sources, such as, Internet-based systems, mobile applications, smart-homes and cars. High-throughput transaction processing is becoming commonplace, however there is no testing technique for validating non functional aspects of DBMS under transaction flooding workloads. In this paper we propose a database state machine to represent the states of DBMS when processing concurrent transactions. The state transitions are forced by increasing concurrency of the testing workload. Preliminary results show the effectiveness of our approach to drive the system among different performance states and to find related defects.

Detailed reference viewed: 163 (2 UL)
Full Text
Peer Reviewed
Tools for Conviviality in Multi-Context Systems
Bikakis, Antonis; Caire, Patrice UL; Le Traon, Yves UL

in IfCoLog Journal of Logics and Their Applications (2014), 1(1),

A common feature of many distributed systems, including web social networks, peer-to-peer systems and Ambient Intelligence systems, is cooperation in terms of information exchange among heterogeneous entities. In order to facilitate the exchange of information, we first need ways to evaluate it. The concept of conviviality was recently proposed for modeling and measuring cooperation among agents in multiagent systems. In this paper, we introduce conviviality as a property of Multi-Context Systems (MCS). We first present how to use conviviality to model and evaluate interactions among different contexts, which represent heterogeneous entities in a distributed system. Then, as one cause of logical conflicts in MCS is due to the exchange of information between mutually inconsistent contexts, we show how inconsistency can be resolved using the conviviality property. We illustrate our work with an example from web social networks.

Detailed reference viewed: 117 (3 UL)
Full Text
Peer Reviewed
Intra-query Adaptivity for MapReduce Query Processing Systems
Lucas Filho, Edson Ramiro UL; Cunha De Almeida, Eduardo UL; Le Traon, Yves UL

in IDEAS 2014 : 18th International Database Engineering Applications Symposium (2014)

Detailed reference viewed: 297 (8 UL)
Full Text
Peer Reviewed
Sampling Program Inputs with Mutation Analysis: Going Beyond Combinatorial Interaction Testing
Papadakis, Mike UL; Henard, Christopher UL; Le Traon, Yves UL

in 7th International Conference on Software Testing, Verification and Validation (ICST 2014) (2014)

Detailed reference viewed: 150 (10 UL)
Full Text
Peer Reviewed
Mutation-based Generation of Software Product Line Test Configurations
Henard, Christopher UL; Papadakis, Mike UL; Le Traon, Yves UL

in Symposium on Search-Based Software Engineering (SSBSE 2014) (2014)

Detailed reference viewed: 151 (4 UL)
Full Text
Peer Reviewed
MutaLog: a Tool for Mutating Logic Formulas
Henard, Christopher UL; Papadakis, Mike UL; Le Traon, Yves UL

in Testing Tools Track, 7th International Conference on Software Testing, Verification and Validation (ICST 2014) (2014)

Detailed reference viewed: 150 (8 UL)
Full Text
Peer Reviewed
Security@Runtime: A flexible MDE approach to enforce fine-grained security policies
Elrakaiby, Yehia UL; Amrani, Moussa UL; Le Traon, Yves UL

in Lecture Notes in Computer Science (2014), 8364 LNCS

In this paper, we present a policy-based approach for automating the integration of security mechanisms into Java-based business applications. In particular, we introduce an expressive Domain Specific modeling Language (Dsl), called Security@Runtime, for the specification of security configurations of targeted systems. The Security@Runtime Dsl supports the expression of authorization, obligation and reaction policies, covering many of the security requirements of modern applications. Security requirements specified in security configurations are enforced using an application-independent Policy Enforcement Point (Pep)-Policy Decision Point (Pdp) architecture, which enables the runtime update of security requirements. Our work is evaluated using two systems and its advantages and limitations are discussed. © 2014 Springer International Publishing Switzerland.

Detailed reference viewed: 192 (5 UL)
Full Text
Peer Reviewed
Modularity and Dynamic Adaptation of Flexibly Secure Systems: Model-Driven Adaptive Delegation in Access Control Management
Nguyen, Phu Hong UL; Nain, Grégory UL; Klein, Jacques UL et al

in Transactions on Aspect-Oriented Software Development (2014), 11

Model-Driven Security (Mds) is a specialized Model-Driven Engineering (Mde) approach for supporting the development of secure systems. Model-Driven Security aims at improving the productivity of the development process and quality of the resulting secure systems, with models as the main artifact. Among the variety of models that have been studied in a Model-Driven Security perspective, one can mention access control models that specify the access rights. So far, these models mainly focus on static definitions of access control policies, without taking into account the more complex, but essential, delegation of rights mechanism. Delegation is a meta-level mechanism for administrating access rights, which allows a user without any specific administrative privileges to delegate his/her access rights to another user. This paper gives a formalization of access control and delegation mechanisms, and analyses the main hard-points for introducing various advanced delegation semantics in Model-Driven Security. Then, we propose a modular model-driven framework for 1) specifying access control, delegation and the business logic as separate concerns; 2) dynamically enforcing/weaving access control policies with various delegation features into security-critical systems; and 3) providing a flexibly dynamic adaptation strategy. We demonstrate the feasibility and effectiveness of our proposed solution through the proof-of-concept implementations of different component-based systems running on different adaptive execution platforms, i.e. OSGi and Kevoree.

Detailed reference viewed: 241 (6 UL)
Peer Reviewed
BUT4Reuse Feature identifier: Identifying reusable features on software variants
Martinez, Jabier UL; Ziadi, Tewfik; Klein, Jacques UL et al

Poster (2014)

Detailed reference viewed: 183 (27 UL)
Full Text
Peer Reviewed
Identifying and Visualising Commonality and Variability in Model Variants
Martinez, Jabier UL; Ziadi, Tewfik; Klein, Jacques UL et al

in ECMFA 2014 European Conference on Modelling Foundations and Applications (2014)

Detailed reference viewed: 270 (10 UL)
Full Text
Towards a Full Support of Obligations In XACML
El Kateb, Donia UL; Elrakaiby, Yehia UL; Mouelhi, Tejeddine UL et al

Scientific Conference (2014)

Detailed reference viewed: 186 (3 UL)
Full Text
Peer Reviewed
Feature Relations Graphs: A Visualisation Paradigm for Feature Constraints in Software Product Lines
Martinez, Jabier UL; Ziadi, Tewfik; Mazo, Raul et al

in 2nd IEEE Working Conference on Software Visualization (2014)

Detailed reference viewed: 213 (3 UL)
Full Text
Peer Reviewed
Model-Based Testing of Obligations
Rubab, Iram; Ali, Shaukat; Briand, Lionel UL et al

in 14th Annual International Conference on Quality Software (QSIC) (2014)

Obligations are mandatory actions that users must perform, addressing access control requirements. To ensure that such obligations are implemented correctly, an automated and systematic testing approach is often recommended. One such approach is Model-Based Testing (MBT) that allows defining cost-effective testing strategies to support rigorous testing via automation. In this paper, we present MBT for obligations by extending the Unified Modeling Language (UML) via a profile called the Obligations Profile. Based on the profile, we define a modeling methodology utilizing the concepts of Obligations Class Diagrams (OCDs) and Obligations State Machines (OSMs), which are standard UML Class Diagrams and UML State Machines with stereotypes from the Obligations Profile. Our methodology, using OCDs and OSMs, is automatically enforced by the validation of constraints defined in the profile. To assess the completeness and applicability of the profile and methodology, we modeled 47 obligations from four different systems. The results of our case study show that we successfully modeled all the obligations and used 75% of the stereotypes that we defined in the profile. In addition, using OCDs and OSMs, we automatically generate executable test cases using a standard state machine structural coverage criterion and common test data generation strategies. The effectiveness of generated test cases is assessed using mutation analysis on two systems, using mutation operators specifically designed for obligation faults. Test case execution killed 75% of the mutants and a careful analysis further suggests that more sophisticated testing strategies must be defined to further improve testing effectiveness.

Detailed reference viewed: 192 (1 UL)
Full Text
Peer Reviewed
Empirical Investigation of the Web Browser Attack Surface under Cross-Site Scripting: an Urgent Need for Systematic Security Regression Testing
Abgrall, Erwan UL; Le Traon, Yves UL; Gombault, Sylvain et al

in 7th IEEE International Conference on Software Testing, Verification and Validation (ICST) - Workshop SECTEST (2014)

One of the major threats against web applications is Cross-Site Scripting (XSS). The final target of XSS attacks is the client running a particular web browser. During this last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have evolved to support new features. In this paper, we explore whether the evolution of web browsers is done using systematic security regression testing. Beginning with an analysis of their current exposure degree to XSS, we extend the empirical study to a decade of most popular web browser versions. We use XSS attack vectors as unit test cases and we propose a new method supported by a tool to address this XSS vector testing issue. The analysis on a decade releases of most popular web browsers including mobile ones shows an urgent need of XSS regression testing. We advocate the use of a shared security testing benchmark as a good practice and propose a first set of publicly available XSS vectors as a basis to ensure that security is not sacrificed when a new version is delivered.

Detailed reference viewed: 148 (3 UL)
Full Text
Peer Reviewed
Towards a Language-Independent Approach for Reverse-Engineering of Software Product Lines
Ziadi, Tewfik; Henard, Christopher UL; Papadakis, Mike UL et al

in 29th Symposium on Applied Computing (SAC 2014) (2014)

Detailed reference viewed: 148 (8 UL)