
Toward Third-Party Immune Applications

Conference paper
In: Computer Network Security (MMM-ACNS 2017)
Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 10446)

Abstract

Component reuse has become a trend in software engineering. However, third-party components can introduce vulnerabilities into the applications that embed them and become the weakest link in the security chain. In this paper, we discuss the limitations of traditional security practices and controls against vulnerable components. As a solution, we present a software design and development approach, combined with a collaborative, cloud-based vulnerability and threat management system. This combination aims to give applications “artificial immunity” to third-party components by dynamically identifying and controlling the related security risks. It also strives to promote the automatic discovery of, and near-real-time information dissemination about, emerging threats and zero-day vulnerabilities. At the heart of our solution we use application-level API sandboxing, together with adaptive signature-based and anomaly-based API intrusion detection and prevention. Need-to-know, cost-effectiveness, and user acceptance through separation of concerns have been our guiding security engineering principles.
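The abstract names three mechanisms at the core of the approach: an application-level sandbox around the third-party component's API, signature-based detection of known-bad calls, and anomaly-based detection of calls that deviate from normal use, with prevention (blocking) in both cases. The block below is an added illustration of how those three mechanisms fit together in Python; it is not the authors' code and not the system described in the paper. The wrapped component `third_party_greet`, the regex signatures, the argument-size z-score used as the anomaly measure, the sliding-window baseline and the constructed call sequence in `run_demo` are all assumptions made for this example.

```python
"""Added example: an application-level API sandbox around a third-party
component, with signature-based and anomaly-based detection/prevention.
Not the paper's implementation; every name and rule here is illustrative."""
import re
import statistics
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str
    result: object = None


class ApiSandbox:
    """Proxy that mediates every call into a third-party component.

    Order of checks: signature rules (known-bad argument patterns), then an
    anomaly rule (argument size against a baseline learned from previously
    allowed calls). A blocked call never reaches the component.
    """

    def __init__(self, target, signatures=(), z_threshold=3.0,
                 min_baseline=5, window=50):
        self._target = target
        self._signatures = {}
        for name, pattern in signatures:
            self.add_signature(name, pattern)
        self._z_threshold = z_threshold
        self._min_baseline = min_baseline
        self._baseline = deque(maxlen=window)  # sizes of allowed payloads
        self.log = []  # verdict history; what a shared threat feed could consume

    def add_signature(self, name, pattern):
        """Install or update a rule at run time (e.g. a freshly published pattern)."""
        self._signatures[name] = re.compile(pattern, re.IGNORECASE)

    @staticmethod
    def _payload(args, kwargs):
        # Flatten the call arguments into one string the rules can inspect.
        parts = [str(a) for a in args] + [f"{k}={v}" for k, v in kwargs.items()]
        return " ".join(parts)

    def _match_signature(self, payload):
        for name, rx in self._signatures.items():
            if rx.search(payload):
                return name
        return None

    def _anomaly_score(self, size):
        if len(self._baseline) < self._min_baseline:
            return 0.0  # not enough history: anomaly detection not yet armed
        mean = statistics.fmean(self._baseline)
        spread = max(statistics.pstdev(self._baseline), 1.0)  # floor avoids hypersensitivity
        return (size - mean) / spread

    def call(self, *args, **kwargs):
        payload = self._payload(args, kwargs)
        hit = self._match_signature(payload)
        if hit is not None:
            return self._record(Verdict(False, f"signature:{hit}"))
        z = self._anomaly_score(len(payload))
        if z > self._z_threshold:
            return self._record(Verdict(False, f"anomaly:size z={z:.1f}"))
        try:
            result = self._target(*args, **kwargs)
        except Exception as exc:  # a crashing component must not take the host down
            return self._record(Verdict(False, f"component-error:{type(exc).__name__}"))
        self._baseline.append(len(payload))  # only allowed, successful calls train the baseline
        return self._record(Verdict(True, "allowed", result))

    def _record(self, verdict):
        self.log.append(verdict)
        return verdict


def third_party_greet(name):
    """Hypothetical third-party component (assumption): it does not escape input."""
    return f"<p>Hello {name}</p>"


def run_demo():
    """Constructed call sequence (not real traffic); returns the verdict log."""
    sandbox = ApiSandbox(third_party_greet, signatures=[("xss", r"<\s*script")])
    for name in ["alice", "bob", "carol", "dave", "erin"]:  # benign calls train the baseline
        sandbox.call(name)
    sandbox.call("<script>alert(1)</script>")    # blocked by the xss signature
    sandbox.call("A" * 200)                       # blocked by the size anomaly rule
    sandbox.call("../x")                          # passes: no rule yet, normal size
    sandbox.add_signature("traversal", r"\.\./")  # new rule arrives from the threat feed
    sandbox.call("../x")                          # same call is now blocked
    return sandbox.log
```

The two detection paths are deliberately independent: the signature path catches what is already known, while the anomaly path only arms itself once enough benign calls have been seen and then flags payloads that are far larger than that history. The `add_signature` call in the demo stands in for the near-real-time dissemination the abstract mentions; how a rule would actually be published and pulled is outside this example. Exceptions raised by the component are caught and logged as verdicts so that a faulty library cannot crash the host application, which is the confinement part of the sandbox.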



Author information

Corresponding author: Omar Iraqi


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Iraqi, O., El Bakkali, H. (2017). Toward Third-Party Immune Applications. In: Rak, J., Bay, J., Kotenko, I., Popyack, L., Skormin, V., Szczypiorski, K. (eds) Computer Network Security. MMM-ACNS 2017. Lecture Notes in Computer Science, vol 10446. Springer, Cham. https://doi.org/10.1007/978-3-319-65127-9_28

  • DOI: https://doi.org/10.1007/978-3-319-65127-9_28
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-65126-2
  • Online ISBN: 978-3-319-65127-9
