Propostas Submetidas

DEI - FCTUC
Gerado a 2024-12-04 18:54:30 (Europe/Lisbon).
Voltar

Titulo Estágio

Assessing NoSQL Services Security Using Malicious Data Injection

Áreas de especialidade

Engenharia de Software

Engenharia de Software

Local do Estágio

DEI-FCTUC

Enquadramento

NoSQL databases are increasingly being used as back-end storage to support many business and safety-critical services (e.g., social networks, air traffic controlling systems). In these environments, a service failure can result in disastrous consequences for clients and providers, including financial and reputation losses. Research shows that services are many times built expecting that the data being manipulated is secure to use, which is not always the case. In fact, insecure data can easily arise from unintentional software bugs in the code, can be stored by other malicious applications, or can simply be part of a security attack being carried out. The presence of such data can lead to severe failures, when services assume that the data being handled is valid. Although this issue has received vast attention from the community in the relational databases, there is still no practical way to test the security of services supported by NoSQL storages.

Objetivo

The goal of this work is to define an approach and implement a tool that is able to assess how vulnerable a NoSQL service can be to malicious data. In practice, the expected outcome of this internship is:
– A tool that can be used to test the security of NoSQL services.
– A research paper, to be submitted and presented at a top international conference, describing the approach and main results obtained from the experiments.

Plano de Trabalhos - Semestre 1

[Some tasks might overlap; M=Month]
T1 (M1 – M3): Knowledge transfer and state of the art literature review on services security (e.g., command injection vulnerabilities).
T2 (M3) Design of an attack model (e.g., malicious data), using the information gathered in task T1 as basis.
T3 (M3 – M4): State of the practice review on practical (programming) fault-injection and wrapping techniques. Implementation of a proof-of-concept prototype over a selected database driver.
T4 (M4) Identification / adaptation of target systems to be used in the experiments.
(M5): Writing the Intermediate report.

Plano de Trabalhos - Semestre 2

[Some tasks might overlap; M=Month]
T1 (M6): Integration of the intermediate defense comments and completion of the attack model.
T2 (M6 – M7): Implementation of the attack-injection tool, including all attacks previously defined, and execution of tests (functional).
T3 (M8): Execution of experiments and analysis of results.
T4 (M9): Write a research paper and submission to a top international conference on the Dependability or Services areas (IEEE/IFIP Dependable Systems and Networks, IEEE Services Computing Conference, International Conference on Service Oriented Computing, etc.).
(M10): Writing the thesis.

Condições

The selected student will be integrated in the Software and Systems Engineering group of CISUC and the work will be carried out in the facilities of the Department of Informatics Engineering at the University of Coimbra (CISUC - Software and Systems Engineering Group), where a work place and necessary computer resources will be provided.

Observações

Please contact the advisor for any question or clarification needed.

Orientador

Nuno Laranjeiro; Jorge Bernardino
cnl@dei.uc.pt 📩