Munawar Hafiz
University of Illinois at Urbana–Champaign
Network
Latest external collaboration on country level. Dive into details by clicking on the dots.
Publication
Featured researches published by Munawar Hafiz.
Proceedings of the 2006 conference on Pattern languages of programs | 2006
Munawar Hafiz
The growth in computing power has enabled the storage and analysis of large volumes of data. Monitoring the Internet access profiles of millions of users has become feasible and also economically lucrative. The interesting thing here is that it is not only the crooks who are interested in privacy intrusion, but government agencies also have vested interest in profiling the population mass. This paper describes 4 design patterns that can aide the decision making process for the designers of privacy protecting systems. These design patterns are applicable to the design of anonymity systems for various types of online communication, online data sharing, location monitoring, voting and electronic cash management.
REST: From Research to Practice | 2011
Paul Adamczyk; Patrick H. Smith; Ralph E. Johnson; Munawar Hafiz
There are two competing architectural styles employed for building Web services: RESTful services and services based on the WS– ∗ standards (also known as “SOAP Web services”). These two styles have separate follower bases, but many differences between them are ideological rather than factual. In order to promote the healthy growth of Web services research and practice, it is important to distinguish arguments for implementation practices over abstract concepts represented by these styles, carefully evaluating the respective advantages of RESTful and WS– ∗ Web services. Understanding these distinctions is especially critical for the development of enterprise systems, because in this domain, tool vendors have preferred WS– ∗ services to the neglect of RESTful solutions. This chapter evaluates some of the key questions regarding the real and perceived distinctions between these two styles of Web services. It analyzes how the current tools for building RESTful Web services embody the principles of REST. Finally, it presents select open research questions to further the growth of RESTful Web services.
international performance computing and communications conference | 2006
Zahid Anwar; William Yurcik; Ralph E. Johnson; Munawar Hafiz; Roy H. Campbell
Design patterns capture software solutions to specific problems that have evolved over time and reflect many iterations of work. Documenting such patterns promotes proven design and software reuse. There has been a growing amount of work documenting design patterns for security, however, little work specific to VoIP security. In 2005 NIST released a report on recommendations and best practices for securing VoIP, however it lacks the structure, terminology, and ease-of-understanding needed for both technical and non-technical audiences that is an inherent feature of design patterns. In this paper, we document three design patterns for VoIP implementations related to specific security problems: (1) secure traversal of firewalls and NATs; (2) detecting and mitigating DDoS attacks; and (3) securing against eavesdropping. With many VoIP vendors rushing products to market with overlapping functionality and requirements for interoperability, documenting design patterns is poised to become an important part of secure programming processes for VoIP
engineering secure software and systems | 2009
Munawar Hafiz; Paul Adamczyk; Ralph E. Johnson
Injection attacks and their defense require a lot of creativity from attackers and secure system developers. Unfortunately, as attackers rely increasingly on systematic approaches to find and exploit a vulnerability, developers follow the traditional way of writing ad hoc checks in source code. This paper shows that security engineering to prevent injection attacks need not be ad hoc. It shows that protection can be introduced at different layers of a system by systematically applying general purpose security-oriented program transformations. These program transformations are automated so that they can be applied to new systems at design and implementation stages, and to existing ones during maintenance.
Proceedings of the 2009 ICSE Workshop on Software Engineering for Secure Systems | 2009
Munawar Hafiz; Ralph E. Johnson
A security-oriented program transformation maps programs to security-augmented programs, i.e. it introduces a protection mechanism to make programs more secure. Our previous work defined security-oriented program transformations [6], introduced a catalog of transformations [8], and showed how program transformations could be applied to systematically eradicate various types of data injection attacks [9]. This paper shows how security-oriented program transformations could be used to improve the security of a systems perimeter by introducing authentication, authorization and input validation components. The program transformation examples in this paper are JAVA specific, but the transformations could be implemented to use other authentication and authorization frameworks.
conference on object-oriented programming systems, languages, and applications | 2008
Munawar Hafiz
Security requirements change. Many systems fail to cope with the changing requirements because it is hard to redesign. I show that security can be added by applying program transformations. This improves traditional security engineering approaches and keeps software secure in the face of new security threats.
conference on object-oriented programming systems, languages, and applications | 2005
Munawar Hafiz
In this paper, we describe the evolution of architecture of Mail Transfer Agents(MTA). We consider the design of MTA as a sequence of design decisions [10]. Many of the design decisions are examples of security patterns. Thus, this paper is another example of how patterns generate architecture [5].
Proceedings of the 16th Conference on Pattern Languages of Programs | 2009
Karthick Jayaraman; Paul G. Talaga; Grzegorz Lewandowski; Steve J. Chapin; Munawar Hafiz
The goal of a web-request forgery attacker is to manipulate the intended workflow of a web application. Applications that fail to enforce the designer-intended interactions are vulnerable to this type of attack. This paper proposes a systematic methodology for designing web applications to strictly enforce the designer-intended interactions. Our approach captures workflow using the Web DFA model and applies four design patterns to strictly enforce the intended interactions. We argue that using patterns in conjunction with a Web DFA model produces web applications that are secure from request forgery attacks by construction; more-over, our mechanism could be useful in designing workflow-based applications in other domains.
conference on object oriented programming systems languages and applications | 2008
Munawar Hafiz; Ralph E. Johnson
Topping the list of the most prominent attacks on applications [6] are various types of injection attacks. Malicious inputs that cause injection attacks are numerous; programmers fail to write checks for all attack patterns. We define a program transformation that allows a programmer to think in terms of rectification policies and automatically add these policies to convert unsafe data inputs to safe inputs. The security oriented program transformation applies to all classes of injection attacks, easing the burden of programmers who would otherwise have to manually write checks.
european conference on web services | 2006
Jianqing Zhang; Munawar Hafiz; Carl A. Gunter
Interoperability in a large-scale distributed system is challenged by the diversity of node policies. We introduce AMPol (adaptive messaging policy), a service-oriented architecture that facilitates policy-aware, end-to-end adaptive messaging between multiple parties. AMPol provides services for expressing non-functional QoS policies, finding them, and carrying out system extensions to adapt to them. We implement this approach with a Web service middleware that allows parties to use policies for features like attachments, payment, encryption, and signatures. Our implementation demonstrates how AMPol can enhance the function of email messaging by enabling automatic deployment and use of features like cycle exhaustion puzzles, reverse Turing tests and identity based encryption without the need for global deployment or changes to the baseline messaging system