Internship Title
An Integrated Tool to Detect Vulnerabilities in Service-Based Infrastructures
Technological Area
Software Engineering
Internship Location
CISUC/SSE
Background
Service-based infrastructures are nowadays used in a wide range of organizations, including in business-critical systems. Although the underlying services should be secure and dependable, they are often deployed with bugs that can be maliciously exploited. Several published studies show that, in general, web applications present dangerous flaws, and services are no exception. Although the problem of security testing of software services has been addressed in the past, including by work from the group, most of the existing works focus on testing a single service at a time, disregarding key characteristics of service-based environments.
The characteristics of service-based environments open the door to security challenges that must be handled properly. First, besides testing services offline, it is necessary to consider interactions with resources and other services, so tools that take the architecture into account are needed. Second, service-oriented architectures (SOAs) are usually built using services that are under the control of multiple providers, creating the need for testing tools that can cope with different levels of available information (e.g. the source code may or may not be available). Finally, SOAs are dynamic in nature, facing changes in the services used and in the way they interact, which brings the need for automated approaches able to continuously monitor and test the whole architecture.
Objective
The goal of this work is to gather the requirements and implement the described tool. An instrumental goal of this work is to devise a reference service-based framework that will be used to evaluate the effectiveness of the tool.
A tool that is able to cope with the dynamicity and capacity to evolve of SOAs is of the utmost importance. Such a tool must be able to automatically monitor the infrastructure and discover the existing services, resources and interactions. The tool must be able to apply the existing testing approaches depending on the specific characteristics of each existing service. Finally, the tool must be extensible and able to integrate new testing approaches that may be developed in the future.
Work Plan - Semester 1
This work includes the following activities:
(a) [2013-09-01 to 2013-10-31] The review of the state-of-the-art in web-services, service-based infrastructures and techniques and tools for vulnerability detection;
(b) [2013-11-01 to 2014-01-31] Requirements analysis and architecture definition;
(c) [2013-12-01 to 2014-01-31] Write Thesis Proposal;
Work Plan - Semester 2
(d) [2014-02-01 to 2014-04-30] Specification and implementation of a reference infrastructure for prototype evaluation;
(e) [2013-11-01 to 2013-04-30] Prototype implementation and evaluation;
(f) [2014-04-01 to 2014-05-31] Write a paper;
(g) [2014-03-01 to 2014-07-31] Write the thesis;
Conditions
The work is to be executed at the laboratories of the CISUC’s Software and Systems Engineering Group. A workplace will be provided, as well as the required computational resources.
Remarks
Co-advised by Nuno Antunes (nmsa@dei.uc.pt)
Advisor
Marco Vieira
mvieira@dei.uc.pt