
Publication


Featured research published by Nuno Laranjeiro.


IEEE International Conference on Services Computing | 2009

Effective Detection of SQL/XPath Injection Vulnerabilities in Web Services

Nuno Antunes; Nuno Laranjeiro; Marco Vieira; Henrique Madeira

This paper proposes a new automatic approach for the detection of SQL Injection and XPath Injection vulnerabilities, two of the most common and most critical types of vulnerabilities in web services. Although there are tools that allow testing web applications against security vulnerabilities, previous research shows that the effectiveness of those tools in web services environments is very poor. In our approach a representative workload is used to exercise the web service and a large set of SQL/XPath Injection attacks are applied to disclose vulnerabilities. Vulnerabilities are detected by comparing the structure of the SQL/XPath commands issued in the presence of attacks to the ones previously learned when running the workload in the absence of attacks. Experimental evaluation shows that our approach performs much better than known tools (including commercial ones), achieving extremely high detection coverage while maintaining the false positives rate very low.


Dependable Systems and Networks | 2007

Assessing Robustness of Web-Services Infrastructures

Marco Vieira; Nuno Laranjeiro; Henrique Madeira

Web-services are supported by a complex software infrastructure that must provide a robust service to the client applications. This practical experience report presents a practical approach for the evaluation of the robustness of Web-services infrastructures. A set of robustness tests (i.e., invalid web-services call parameters) is applied during Web-services execution in order to reveal possible robustness problems in the Web-services code and in the application server infrastructure. The approach is illustrated using two different implementations of the Web-services specified by the TPC-App performance benchmark running on top of the JBoss application server. The proposed approach is generic and can be used to evaluate the robustness of Web-services implementations (relevant for programmers) and application server infrastructures (relevant for administrators and system integrators).


Pacific Rim International Symposium on Dependable Computing | 2007

Benchmarking the Robustness of Web Services

Marco Vieira; Nuno Laranjeiro; Henrique Madeira

This paper proposes an approach for the evaluation of the robustness of web services, which are complex software components that must provide a robust interface to the client applications. However, although web services are becoming business-critical components, there is no practical way to assess the robustness of the code or to compare alternative implementations concerning robustness. The approach proposed is based on a set of robustness tests (i.e., invalid web services call parameters) that is applied in order to discover both programming and design errors. The web services are classified based on the failures observed during the execution of the tests. The approach is illustrated by evaluating several web services publicly available in the Internet and two different implementations of the web services specified by the standard TPC-App performance benchmark. The proposed approach is useful for both web services providers (to assess the robustness of their web services code) and consumers (to select the web services that best fit their requirements).


Proceedings of the 2007 workshop on Engineering fault tolerant systems | 2007

Towards fault tolerance in web services compositions

Nuno Laranjeiro; Marco Vieira

Many businesses are now moving towards the use of composite web services that are based on a collection of web services working together to achieve an objective. Although they are becoming business-critical elements, current development support tools do not provide a practical way to include fault tolerance characteristics in web services compositions. This paper proposes a mechanism that allows programmers to easily develop fault tolerant compositions using diverse web services. The mechanism allows programmers to specify alternative web services for each operation and offers a set of artifacts that simplify the coding process, by automatically dealing with all the aspects related to the redundant web services invocation and responses voting. The mechanism is also able to perform a continuous evaluation of the services based on their behavior during operation. The approach is illustrated using compositions based on web services publicly available in the Internet and on the web services specified by the standard TPC-App performance benchmark.


Pacific Rim International Symposium on Dependable Computing | 2015

A Survey on Data Quality: Classifying Poor Data

Nuno Laranjeiro; Seyma Nur Soydemir; Jorge Bernardino

Data is part of our everyday life and an essential asset in numerous businesses and organizations. The quality of the data, i.e., the degree to which the data characteristics fulfill requirements, can have a tremendous impact on the businesses themselves, the companies, or even in human lives. In fact, research and industry reports show that huge amounts of capital are spent to improve the quality of the data being used in many systems, sometimes even only to understand the quality of the information in use. Considering the variety of dimensions, characteristics, business views, or simply the specificities of the systems being evaluated, understanding how to measure data quality can be an extremely difficult task. In this paper we survey the state of the art in classification of poor data, including the definition of dimensions and specific data problems, we identify frequently used dimensions and map data quality problems to the identified dimensions. The huge variety of terms and definitions found suggests that further standardization efforts are required. Also, data quality research on Big Data appears to be in its initial steps, leaving open space for further research.


Journal of the Brazilian Computer Society | 2014

Testing the robustness of controllers for self-adaptive systems

Javier Cámara; Rogério de Lemos; Nuno Laranjeiro; Rafael Ventura; Marco Vieira

Self-adaptive systems are software-intensive systems endowed with the ability to respond to a variety of changes that may occur in their environment, goals, or the system itself by adapting their structure and behaviour at run-time in an autonomous way. Controllers are complex components incorporated in self-adaptive systems, which are crucial to their function since they are in charge of adapting the target system by executing actions through effectors, based on information monitored by probes. However, although controllers are becoming critical in many application domains, so far very little has been done to assess their robustness. In this paper, we propose an approach for evaluating the robustness of controllers for self-adaptive software systems, aiming to identify faults in their design. Our proposal considers the stateful nature of the controller and identifies a set of robustness tests, which includes the provision of mutated inputs to the interfaces between the controller and the target system (i.e. probes). The feasibility of the approach is evaluated on Rainbow, a framework for architecture-based self-adaptation, and in the context of the Znn.com case study.


IEEE International Conference on Services Computing | 2008

Experimental Robustness Evaluation of JMS Middleware

Nuno Laranjeiro; Marco Vieira; Henrique Madeira

The use of Java Message Service (JMS) for enterprise applications communication and integration is increasing very quickly. However, although JMS is frequently used in business-critical environments, applications are typically developed with the assumption that the middleware being used is robust, which is not always the case. Robustness failures in such environments are particularly dangerous, as they may originate vulnerabilities that can be maliciously exploited with severe consequences for the systems subject of attack. This paper proposes an approach for the evaluation of the robustness of JMS middleware. Our approach is presented through a concrete example of evaluating the robustness of three well-known JMS solutions (JBoss MQ 3.2.8.SP1, JBoss MQ 4.2.1.GA, and Active MQ 4.1.1), in which several robustness and critical security related problems have been disclosed (including specification conformance disparities).


International Conference on Web Services | 2009

Improving Web Services Robustness

Nuno Laranjeiro; Marco Vieira; Henrique Madeira

Developing robust web services is a difficult task. Field studies show that a large number of web services are deployed with robustness problems (i.e., presenting unexpected behaviors in the presence of invalid inputs). Several techniques for the identification of robustness problems have been proposed in the past. This paper proposes a mechanism that automatically fixes the problems detected. The approach consists of using robustness testing to detect robustness issues and then mitigate those issues by applying inputs verification based on well-defined parameter domains, including domain dependencies between different parameters. This integrated and fully automatable methodology has been used to improve three different implementations of the TPC-App web services. Results show that this tool can be easily used by developers to improve the robustness of web services implementations.


Database and Expert Systems Applications | 2009

Protecting Database Centric Web Services against SQL/XPath Injection Attacks

Nuno Laranjeiro; Marco Vieira; Henrique Madeira

Web services represent a powerful interface for back-end database systems and are increasingly being used in business critical applications. However, field studies show that a large number of web services are deployed with security flaws (e.g., having SQL Injection vulnerabilities). Although several techniques for the identification of security vulnerabilities have been proposed, developing non-vulnerable web services is still a difficult task. In fact, security-related concerns are hard to apply as they involve adding complexity to already complex code. This paper proposes an approach to secure web services against SQL and XPath Injection attacks, by transparently detecting and aborting service invocations that try to take advantage of potential vulnerabilities. Our mechanism was applied to secure several web services specified by the TPC-App benchmark, showing to be 100% effective in stopping attacks, non-intrusive and very easy to use.


IEEE International Conference on Services Computing | 2008

wsrbench: An On-Line Tool for Robustness Benchmarking

Nuno Laranjeiro; Salvador Canelas; Marco Vieira

Testing Web services for robustness is a difficult task. In fact, existing development support tools do not provide any practical means to assess Web services robustness in the presence of erroneous inputs. Previous works proposed that Web services robustness testing should be based on a set of robustness tests (i.e., invalid Web services call parameters) that are applied in order to discover both programming and design errors. Web services can be classified based on the failure modes observed. In this paper we present and discuss the architecture and use of an on-line tool that provides an easy interface for Web services robustness testing. This tool is publicly available and can be used by both web services providers (to assess the robustness of their Web services code) and consumers (to select the services that best fit their requirements). The tool is demonstrated by testing several Web services available in the Internet.
