From holding worldwide companies' information hostage to keeping several distributed systems down for hours, the last years were marked by several security attacks which are the result of complex... Show More

From holding worldwide companies' information hostage to keeping several distributed systems down for hours, the last years were marked by several security attacks which are the result of complex software and its fast production. There are already tools which can be used to help companies detect vulnerabilities responsible for such attacks. However, their reliability is still not the best and well discriminated. In software testing, researchers tend to use hand-seeded test cases or mutations due to the challenges involved in the extraction or reproduction of real test cases which might not be suitable for testing techniques, since both approaches can create samples that inadvertently differ from the real vulnerabilities and thus might lead to misleading assessments of the tools' capabilities. The lack of databases of real security vulnerabilities is an issue since it hampers the tools' evaluation and categorization. To study these tools, the researchers created a database of 682 real test cases which is the outcome of mining 248 repositories for 16 different vulnerability patterns.

This article describes how code obfuscation techniques aim to conceal the functionality of a program by mystifying the code so that it is unreadable or in an incomprehensible format. Since the... Show More

This article describes how code obfuscation techniques aim to conceal the functionality of a program by mystifying the code so that it is unreadable or in an incomprehensible format. Since the objective of this article is to make a program obfuscated, the source code shall appear like normal native code and should be perfectly readable. As nobody can guess that the code is an obfuscated one, obviously it will be very tough to analyze. Nowadays, a lot of programs protect themselves from being analyzed by hiding their behaviors or compressing their semantics by using obfuscation techniques. On the contrary, self-modifying code (SMC) can challenge one's intellect to discover the real intrinsic meaning of the source code as it is difficult and strenuous to analyze, since the code gets modified dynamically during runtime. Hence, this article brings into play the underlying concepts of self-modifying codes for obfuscating the programs to construct a much better code protection model. Some techniques like indirect memory addressing, register renaming, direction-changing of instructions, segment ignoring, modification of registry content and many more are expounded in this article by using Assembly-level language, which is binary obfuscation.

This article describes how earlier detection of security problems and the implementation of solutions would be a cost-effective approach for developing secure software systems. Developing, gathering... Show More

This article describes how earlier detection of security problems and the implementation of solutions would be a cost-effective approach for developing secure software systems. Developing, gathering and sharing similar repeatable programming knowledge and solutions has led to the introduction of Patterns in the 90's. The same concept has been adopted to realise reoccurring security knowledge and hence security patterns. Detecting a security problem using the patterns in requirements models may lead to its early prevention. In this article, the authors have provided an overview of security patterns in the past two decades, followed by a summary of i*/Tropos goal modelling framework. Section 2 outlines model-driven development, meta-models and model transformation, within the context of requirements engineering. They have summarised security access control types, and formally described role-based access control (RBAC) in particular as a pattern that may occur in the stakeholder requirements models. Then the authors used the i* modelling language and some elements from its constructs - model-driven queries and transformations - to describe the pattern enforcement. This is applied to a number of requirements models within the literature, and the pattern-based transformation tool they designed has automated the detection and resolution of this security pattern in several goal-oriented stakeholder requirements. Finally, the article also reflects on a variety of existing applications and future work.