Parker Umd 0117E 21086.Pdf

Total Page:16

File Type:pdf, Size:1020Kb

Parker Umd 0117E 21086.Pdf ABSTRACT Title of Dissertation: Advanced Language-based Techniques for Correct, Secure Networked Systems James Parker Doctor of Philosophy, 2020 Dissertation Directed by: Professor Michael Hicks Department of Computer Science Developing correct and secure software is an important task that impacts many areas including finance, transportation, health, and defense. In order to develop se- cure programs, it is critical to understand the factors that influence the introduction of vulnerable code. To investigate, we developed and ran the Build-it, Break-it, Fix- it (BIBIFI) security-oriented programming contest as a quasi-controlled experiment. BIBIFI aims to assess the ability to securely build software, not just break it. In BIBIFI, teams build specified software with the goal of maximizing correctness, performance, and security. The latter is tested when teams attempt to break other teams' submissions. Winners are chosen from among the best builders and the best breakers. BIBIFI was designed to be open-ended—teams can use any language, tool, process, etc. that they like. As such, contest outcomes shed light on fac- tors that correlate with successfully building secure software and breaking insecure software. We ran three contests involving a total of 156 teams and three differ- ent programming problems. Quantitative analysis from these contests found that the most efficient build-it submissions used C/C++, but submissions coded in a statically-typed language were less likely to have a security flaw. Break-it teams that were also successful build-it teams were significantly better at finding security bugs. The contest results showed that programmers make mistakes in both the de- sign and implementation of their programs in ways that make it vulnerable. To mitigate these issues, we advanced the state of the art in language-integrated tech- niques for security enforcement, including formal methods. First we created LWeb, a tool for enforcing label-based, information flow policies in database-using web ap- plications. In a nutshell, LWeb marries the LIO Haskell IFC enforcement library with the Yesod web programming framework. The implementation has two parts. First, we extract the core of LIO into a monad transformer (LMonad) and then apply it to Yesod's core monad. Second, we extend Yesod's table definition DSL and query functionality to permit defining and enforcing label-based policies on tables and enforcing them during query processing. LWeb's policy language is expressive, per- mitting dynamic per-table and per-row policies. We formalize the essence of LWeb in the λLWeb calculus and mechanize the proof of noninterference in Liquid Haskell, an extension of Haskell that adds refinement types to the language. This mecha- nization constitutes the first metatheoretic proof carried out in Liquid Haskell. We also used LWeb to build the web site hosting BIBIFI. The site involves 40 data tables and sophisticated policies. Compared to manually checking security policies, LWeb imposes a modest runtime overhead of between 2% to 21%. It reduces the trusted code base from the whole application to just 1% of the application code, and 21% of the code overall (when counting LWeb too). Finally, we further advance the capabilities of Liquid Haskell by using it to verify the correctness of distributed applications based on conflict-free replicated data types (CRDTs). To do so, we add an extension to Liquid Haskell that facilitates stating and semi-automatically proving properties of typeclasses. Our work allows refinement types to be attached to typeclass method declarations, and ensures that instance implementations respect these types. The engineering of this extension is a modular interaction between GHC, the Glasgow Haskell Compiler, and Liquid Haskell's core proof infrastructure. To verify CRDTs, we define them as a typeclass with refinement types that capture the mathematical properties CRDTs must satisfy, prove that these properties are sufficient to ensure that replicas' states converge despite out-of-order delivery, implement (and prove correct) several instances of our CRDT typeclass, and use them to build two realistic applications, a multi-user calendar event planner and a collaborative text editor. In addition, we demonstrate the utility of our typeclass extension by using Liquid Haskell to modularly verify that 34 instances satisfy the laws of five standard typeclasses. Advanced Language-based Techniques for Correct, Secure Networked Systems by James Parker Dissertation submitted to the Faculty of the Graduate School of the University of Maryland, College Park in partial fulfillment of the requirements for the degree of Doctor of Philosophy 2020 Advisory Committee: Professor Michael Hicks, Chair/Advisor Dr. Niki Vazou Professor Michelle Mazurek Professor David Mount Professor Lawrence Washington c Copyright by James Parker 2020 Acknowledgments There are numerous people in my life who have helped make this dissertation possible. First, I would like to thank my advisor, Michael Hicks who has been an invaluable mentor and supporter of my research. In addition to everything he's taught me academically, he has served as a role model. It is obvious how much he cares for his students, and he always aims to do what is best. During her time as a postdoctoral researcher at the University of Maryland, Niki Vazou exposed me to the wonderful world of Liquid Haskell. I believe it has the potential to become a tool that is used to formally verify programs on a larger scale outside of academia. With her guidance, we have taken some of the first steps towards this goal. I have enjoyed working on many interesting problems with all of my collaborators including Yiyun Liu, Andrew Ruef, Michelle Mazurek, Daniel Votipka, Kelsey Fulton, Phúc Nguy¹n, Piotr Mardziel, Dave Levin, Patrick Red- mond, Lindsey Kuper, and Matthew Hou. I hope that we continue to work together in the future. Finally, I would not be here without the love and support of my family. My parents built a strong foundation for me growing up. My brother and I foster a competitive environment that drives us to constantly improve. My wife has stood by my side and encouraged me throughout my journey through graduate school. ii Table of Contents Acknowledgements ii Table of Contents iii List of Tables vi List of Figures vii List of Abbreviations ix Chapter 1:Introduction1 1.1 Background on Liquid Haskell...................... 7 Chapter 2:Build It, Break It, Fix It: Contesting Secure Development 11 2.1 Introduction................................ 11 2.1.1 Acknowledgements ........................ 14 2.2 Build-it, Break-it, Fix-it ......................... 15 2.2.1 Competition phases........................ 16 2.2.2 Competition scoring ....................... 18 2.2.3 Discussion............................. 23 2.2.4 Implementation.......................... 26 2.3 Contest Problems............................. 29 2.3.1 Secure Log............................. 29 2.3.2 ATM................................ 33 2.3.3 Multiuser DB........................... 37 2.4 Build-it Submissions: Successes and Failures.............. 42 2.4.1 Failure Stories........................... 43 2.4.2 Success Stories .......................... 46 2.5 Quantitative Analysis........................... 47 2.5.1 Data collection .......................... 48 2.5.2 Analysis approach ........................ 49 2.5.3 Contestants............................ 50 2.5.4 Ship scores ............................ 51 2.5.5 Resilience ............................. 57 2.5.6 Presence of security bugs..................... 61 2.5.7 Breaking success ......................... 65 iii 2.5.8 Model differences......................... 72 2.5.9 Summary ............................. 73 2.6 Related work ............................... 74 2.7 Conclusion................................. 78 Chapter 3:LWeb: Information Flow Security for Multi-tier Web Ap- plications 80 3.1 Introduction................................ 80 3.1.1 Acknowledgements ........................ 84 3.2 Overview.................................. 84 3.2.1 Label-Based Information Flow Control with LIO . 85 3.2.2 Yesod ............................... 87 3.2.3 LWeb: Yesod with LIO ...................... 89 3.3 Mechanizing Noninterference of LIO in Liquid Haskell......... 93 3.3.1 Security Lattice as a Type Class................. 93 3.3.2 λLIO : Syntax and Semantics................... 95 3.3.3 Noninterference.......................... 99 3.4 Label-based Security for Database Operations . 104 3.4.1 Database Definition........................104 3.4.2 Querying the Database......................106 3.4.3 Monadic Database Queries....................108 3.4.4 Noninterference..........................113 3.5 Liquid Haskell for Metatheory......................115 3.5.1 Advantages ............................116 3.5.2 Disadvantages...........................118 3.6 Implementation..............................119 3.6.1 Extensions.............................119 3.6.2 Trusted Computing Base.....................122 3.7 The BIBIFI Case Study .........................123 3.7.1 BIBIFI Labels...........................123 3.7.2 Users and Authentication ....................124 3.7.3 Opening the Contest.......................125 3.7.4 Teams and Declassification....................126 3.7.5 Breaks and Advanced Queries..................128 3.8 Experimental Evaluation.........................129 3.8.1 Trusted Computing Base of BIBIFI . 129 3.8.2 Running Time Overhead.....................129 3.9 Quantifying
Recommended publications
  • ROADS and BRIDGES: the UNSEEN LABOR BEHIND OUR DIGITAL INFRASTRUCTURE Preface
    Roads and Bridges:The Unseen Labor Behind Our Digital Infrastructure WRITTEN BY Nadia Eghbal 2 Open up your phone. Your social media, your news, your medical records, your bank: they are all using free and public code. Contents 3 Table of Contents 4 Preface 58 Challenges Facing Digital Infrastructure 5 Foreword 59 Open source’s complicated relationship with money 8 Executive Summary 66 Why digital infrastructure support 11 Introduction problems are accelerating 77 The hidden costs of ignoring infrastructure 18 History and Background of Digital Infrastructure 89 Sustaining Digital Infrastructure 19 How software gets built 90 Business models for digital infrastructure 23 How not charging for software transformed society 97 Finding a sponsor or donor for an infrastructure project 29 A brief history of free and public software and the people who made it 106 Why is it so hard to fund these projects? 109 Institutional efforts to support digital infrastructure 37 How The Current System Works 38 What is digital infrastructure, and how 124 Opportunities Ahead does it get built? 125 Developing effective support strategies 46 How are digital infrastructure projects managed and supported? 127 Priming the landscape 136 The crossroads we face 53 Why do people keep contributing to these projects, when they’re not getting paid for it? 139 Appendix 140 Glossary 142 Acknowledgements ROADS AND BRIDGES: THE UNSEEN LABOR BEHIND OUR DIGITAL INFRASTRUCTURE Preface Our modern society—everything from hospitals to stock markets to newspapers to social media—runs on software. But take a closer look, and you’ll find that the tools we use to build software are buckling under demand.
    [Show full text]
  • Security Now! #731 - 09-10-19 Deepfakes
    Security Now! #731 - 09-10-19 DeepFakes This week on Security Now! This week we look at a forced two-day recess of all schools in Flagstaff, Arizona, the case of a Ransomware operator being too greedy, Apple's controversial response to Google's posting last week about the watering hole attacks, Zerodium's new payout schedule and what it might mean, the final full public disclosure of BlueKeep exploitation code, some potentially serious flaws found and fixed in PHP that may require our listener's attention, some SQRL news, miscellany, and closing-the-loop feedback from a listener. Then we take our first look on this podcast into the growing problem and threat of "DeepFake" media content. All Flagstaff Arizona Schools Cancelled Thursday, August 5th And not surprisingly, recess is extended through Friday: https://www.fusd1.org/facts https://www.facebook.com/FUSD1/ ​ ​ And Saturday... Security Now! #730 1 And Sunday... Security News A lesson for greedy ransomware: Ask for too much… and you get nothing! After two months of silence, last Wednesday Mayor Jon Mitchell of New Bedford, Massachusetts held their first press conference to tell the interesting story of their ransomware attack... The city's IT network was hit with the Ryuk (ree-ook) ransomware which, by the way, Malwarebytes now places at the top of the list of file-encrypting malware targeting businesses. It'll be interesting to see whether So-Dino-Kee-Bee's affiliate marketing model is able to displace Ryuk. But, in any event, very fortunately for the city of New Bedford, hackers breached the city's IT network and got Ryuk running in the wee hours of the morning following the annual 4th of July holiday.
    [Show full text]
  • Functional Programming at Facebook
    Functional Programming at Facebook Chris Piro, Eugene Letuchy Commercial Users of Functional Programming (CUFP) Edinburgh, Scotland ! September "##$ Agenda ! Facebook and Chat " Chat architecture # Erlang strengths $ Setbacks % What has worked Facebook The Facebook Environment The Facebook Environment ▪ The web site ▪ More than 250 million active users ▪ More than 3.5 billion minutes are spent on Facebook each day The Facebook Environment ▪ The web site ▪ More than 250 million active users ▪ More than 3.5 billion minutes are spent on Facebook each day ▪ The engineering team ▪ Fast iteration: code gets out to production within a week ▪ Polyglot programming: interoperability with Thrift ▪ Practical: high-leverage tools win Using FP at Facebook Using FP at Facebook ▪ Erlang ▪ Chat backend (channel servers) ▪ Chat Jabber interface (ejabberd) ▪ AIM presence: a JSONP validator Using FP at Facebook ▪ Erlang ▪ Chat backend (channel servers) ▪ Chat Jabber interface (ejabberd) ▪ AIM presence: a JSONP validator ▪ Haskell ▪ lex-pass: PHP parse transforms ▪ Lambdabot ▪ textbook: command line Facebook API client ▪ Thrift binding Thrift Thrift ▪ An efficient, cross-language serialization and RPC framework Thrift ▪ An efficient, cross-language serialization and RPC framework ▪ Write interoperable servers and clients Thrift ▪ An efficient, cross-language serialization and RPC framework ▪ Write interoperable servers and clients ▪ Includes library and code generator for each language Thrift ▪ An efficient, cross-language serialization and RPC framework ▪ Write
    [Show full text]
  • The Quality Attribute Design Strategy for a Social Network Data Analysis System
    Rochester Institute of Technology RIT Scholar Works Theses 5-2016 The Quality Attribute Design Strategy for a Social Network Data Analysis System Ziyi Bai [email protected] Follow this and additional works at: https://scholarworks.rit.edu/theses Recommended Citation Bai, Ziyi, "The Quality Attribute Design Strategy for a Social Network Data Analysis System" (2016). Thesis. Rochester Institute of Technology. Accessed from This Thesis is brought to you for free and open access by RIT Scholar Works. It has been accepted for inclusion in Theses by an authorized administrator of RIT Scholar Works. For more information, please contact [email protected]. The Quality Attribute Design Strategy for a Social Network Data Analysis System by Ziyi Bai A Thesis Submitted in Partial Fulfillment of the Requirements for the Degree of Master of Science in Software Engineering Supervised by Dr. Scott Hawker Department of Software Engineering B. Thomas Golisano College of Computing and Information Sciences Rochester Institute of Technology Rochester, New York May 2016 ii The thesis “The Quality Attribute Design Strategy for a Social Network Data Analy- sis System” by Ziyi Bai has been examined and approved by the following Examination Committee: Dr. Scott Hawker Associate Professor Thesis Committee Chair Dr. Christopher Homan Associate Professor Dr. Stephanie Ludi Professor iii Acknowledgments Dr.Scott Hawker, I can confidently state that without your guidance I would not have accomplished my achievement. Your support has impacted my future for the better. Thank you for everything. Dr. Chris Homan, I am so thankful that you reached out to me and provided the requirements for this thesis.
    [Show full text]
  • The Third Annual ICFP Programming Contest
    The Third Annual ICFP Programming Contest August 26 – 29, 2000 (Version 1.18) 1 The problem This year’s ICFP programming challenge is to implement a ray tracer. The input to the ray tracer is a scene description written in a simple functional language, called GML. Execution of a GML program produces zero, or more, image files, which are in PPM format. A web page of sample images, along with the GML inputs that were used to produce them, is linked off of the contest home page. The feature set of GML is organized into three tiers. Submissions must implement the first tier of features and extra credit will be given to submissions that implement the second or third tiers. Submissions will be evaluated on three scales: correctness of the produced images, run-time performance, and the tier of implemented GML features. GML has primitives for defining simple geometric objects (e.g., planes, spheres, and cubes) and lighting sources. The surface properties used to render the objects are specified as functions in GML itself. In addition to supporting scene description, GML also has a render operator that renders a scene to an image file. For each pixel in the output image, the render command must compute a color. Conceptually, this color is computed by tracing the path of the light backwards from the eye of the viewer, to where it bounced off an object, and ultimately back to the light sources. This document is organized as follows. Section 2 describes the syntax and general semantics of the modeling language. It is followed by Section 3, which describes those aspects of the language that are specific to ray tracing.
    [Show full text]
  • ICFP Programming Contest 2010 International Cars and Fuels Production
    About Contest Task Running the Contest Background Winners Future ICFP Programming Contest 2010 International Cars and Fuels Production Bertram Felgenhauer, University of Innsbruck, Austria Johannes Waldmann, HTWK Leipzig, Germany June 18–21, 2010 Felgenhauer, Waldmann ICFP Programming Contest 2010 1/31 About Contest Task Running the Contest Background Winners Future About the ICFP Programming Contest programming, problem solving, fun annual contest, since 1998 sponsored by ICFP conference/ACM 2010 contest hosted by HTWK Leipzig, Germany contest format 72 hours (June 18, 12:00 – June 21, 12:00 GMT) participation online, international teams allowed no fixed programming language lightning division (first 24 hours) Felgenhauer, Waldmann ICFP Programming Contest 2010 2/31 earn money by (efficiently) solving instances, or creating instances (with solution, which is hard to find) income tax (devaluates earnings by 1/2 per day) About Contest Task Running the Contest Background Winners Future Contest Task storyline: market for cars (= problem instance) (public) fuels (= problem solution) (private) Felgenhauer, Waldmann ICFP Programming Contest 2010 3/31 About Contest Task Running the Contest Background Winners Future Contest Task storyline: market for cars (= problem instance) (public) fuels (= problem solution) (private) earn money by (efficiently) solving instances, or creating instances (with solution, which is hard to find) income tax (devaluates earnings by 1/2 per day) Felgenhauer, Waldmann ICFP Programming Contest 2010 3/31 About Contest Task
    [Show full text]
  • ICFP 2009 Final Program
    ICFP 2009 Final Program Monday, August 31, 2009 Tuesday, September 1, 2009 Wednesday, September 2, 2009 Invited Talk (Chair: Andrew Tolmach) Invited Talk (Chair: Graham Hutton) Invited Talk (Chair: Lennart Augustsson) 9:00 Organizing Functional Code for Parallel Execution; or, 9:00 Lambda, the Ultimate TA: Using a Proof Assistant to 9:00 Commutative Monads, Diagrams and Knots foldl and foldr Considered Slightly Harmful Teach Programming Language Foundations Dan Piponi; Industrial Light & Magic Guy L. Steele, Jr.; Sun Microsystems Benjamin C. Pierce; University of Pennsylvania 10:00 Break 10:00 Break 10:00 Break Session 11 (Chair: Ralf Hinze) Session 1 (Chair: Shin-Cheng Mu) Session 6 (Chair: Xavier Leroy) 10:25 Generic Programming with Fixed Points for Mutually 10:25 Functional Pearl: La Tour D’Hano¨ı 10:25 A Universe of Binding and Computation Recursive Datatypes Ralf Hinze; University of Oxford Daniel Licata and Robert Harper; Carnegie Mellon University Alexey Rodriguez Yakushev1, Stefan Holdermans2, Andres 2 3 10:50 Purely Functional Lazy Non-deterministic Program- 10:50 Non-Parametric Parametricity L¨oh , Johan Jeuring ; 1Vector Fabrics B.V., 2Utrecht University, ming Georg Neis, Derek Dreyer, Andreas Rossberg; MPI-SWS 3Utrecht University, Open University of the Netherlands Sebastian Fischer1, Oleg Kiselyov2, Chung-chieh Shan3; 11:15 Break 10:50 Attribute Grammars Fly First-Class: How to do As- 1Christian-Albrechts University, 2FNMOC, 3Rutgers University Session 7 (Chair: Robby Findler) pect Oriented Programming in Haskell 11:15 Break
    [Show full text]
  • Stephanie Weirich –
    Stephanie Weirich School of Engineering and Science, University of Pennsylvania Levine 510, 3330 Walnut St, Philadelphia, PA 19104 215-573-2821 • [email protected] July 13, 2021 Positions University of Pennsylvania Philadelphia, Pennsylvania ENIAC President’s Distinguished Professor September 2019-present Galois, Inc Portland, Oregon Visiting Scientist June 2018-August 2019 University of Pennsylvania Philadelphia, Pennsylvania Professor July 2015-August 2019 University of Pennsylvania Philadelphia, Pennsylvania Associate Professor July 2008-June 2015 University of Cambridge Cambridge, UK Visitor August 2009-July 2010 Microsoft Research Cambridge, UK Visiting Researcher September-November 2009 University of Pennsylvania Philadelphia, Pennsylvania Assistant Professor July 2002-July 2008 Cornell University Ithaca, New York Instructor, Research Assistant and Teaching AssistantAugust 1996-July 2002 Lucent Technologies Murray Hill, New Jersey Intern June-July 1999 Education Cornell University Ithaca, NY Ph.D., Computer Science 2002 Cornell University Ithaca, NY M.S., Computer Science 2000 Rice University Houston, TX B.A., Computer Science, magnum cum laude 1996 Honors ○␣ SIGPLAN Robin Milner Young Researcher award, 2016 ○␣ Most Influential ICFP 2006 Paper, awarded in 2016 ○␣ Microsoft Outstanding Collaborator, 2016 ○␣ Penn Engineering Fellow, University of Pennsylvania, 2014 ○␣ Institute for Defense Analyses Computer Science Study Panel, 2007 ○␣ National Science Foundation CAREER Award, 2003 ○␣ Intel Graduate Student Fellowship, 2000–2001
    [Show full text]
  • Download Slide (PDF Document)
    When Django is too bloated Specialized Web-Applications with Werkzeug EuroPython 2017 – Rimini, Italy Niklas Meinzer @NiklasMM Gotthard Base Tunnel Photographer: Patrick Neumann Python is amazing for web developers! ● Bottle ● BlueBream ● CherryPy ● CubicWeb ● Grok ● Nagare ● Pyjs ● Pylons ● TACTIC ● Tornado ● TurboGears ● web2py ● Webware ● Zope 2 Why would I want to use less? ● Learn how stuff works Why would I want to use less? ● Avoid over-engineering – Wastes time and resources – Makes updates harder – It’s a security risk. Why would I want to use less? ● You want to do something very specific ● Plan, manage and document chemotherapy treatments ● Built with modern web technology ● Used by hospitals in three European countries Patient Data Lab Data HL7 REST Pharmacy System Database Printers Werkzeug = German for “tool” ● Developed by pocoo team @ pocoo.org – Flask, Sphinx, Jinja2 ● A “WSGI utility” ● Very lightweight ● No ORM, No templating engine, etc ● The basis of Flask and others Werkzeug Features Overview ● WSGI – WSGI 1.0 compatible, WSGI Helpers ● Wrapping of requests and responses ● HTTP Utilities – Header processing, form data parsing, cookies ● Unicode support ● URL routing system ● Testing tools – Testclient, Environment builder ● Interactive Debugger in the Browser A simple Application A simple Application URL Routing Middlewares ● Separate parts of the Application as wsgi apps ● Combine as needed Request Static files DB Part of Application conn with DB access User Dispatcher auth Part of Application without DB access Response HTTP Utilities ● Work with HTTP dates ● Read and dump cookies ● Parse form data Using the test client Using the test client - pytest fixtures Using the test client - pytest fixtures Interactive debugger in the Browser Endless possibilities ● Connect to a database with SQLalchemy ● Use Jinja2 to render documents ● Use Celery to schedule asynchronous tasks ● Talk to 3rd party APIs with requests ● Make syscalls ● Remote control a robot to perform tasks at home Thank you! @NiklasMM NiklasMM Photographer: Patrick Neumann.
    [Show full text]
  • Boosting Public Participation in Urban Planning Through the Use of Web GIS Technology: a Case Study of Stockholm County
    DEGREE PROJECT IN REGIONAL PLANNING, SECOND LEVEL STOCKHOLM 2014 Boosting Public Participation in Urban Planning Through the Use of Web GIS Technology: A Case Study of Stockholm County MAHNAZ NAROOIE SoM EX 2014-16 ___________________________________________ KTH ROYAL INSTITUTE OF TECHNOLOGY SCHOOL OF ARCHITECTURE AND THE BUILT ENVIRONMENT Department of Urban Planning and Environment Division of Urban and Regional Studies Abstract Providing citizens with the robust and suitable tools to effectively participate in the planning process is a necessity nowadays. Also, changes in the capabilities and popularity of new technologies have dramatically raised the number of technology-based tools that are potentially available for enhancing public participation in the planning process. This study explores both the theoretical aspect of collaborative planning and the effects that Web- based Public Participatory GIS (WPPGIS) applications and Information and Communication Technologies (ICT) has on the planning process. Findings indicate that the WPPGIS applications have the potential for increasing participation. It is also found that besides the contextual elements like the attitudes of planners and decision makers, the technological features such as proper user interface, price of software, technical and literacy skills are seen as crucial hindrances to bridging the planning process and technology-based solutions. This research also attempts to combine IAP2 Public Participation Spectrum and technological functionalities into a single framework to understand the implementation of WPPGIS applications in Stockholm, the capital of Sweden. Finally, based on the given criteria and assessment of the reviewed applications, this study concludes with the design and implementation of a prototype WPPGIS application using Open-Source Technologies (OST).
    [Show full text]
  • “Talk” on Albanian Territories (1392–1402)
    Doctoral Dissertation A Model to Decode Venetian Senate Deliberations: Pregadi “Talk” on Albanian Territories (1392–1402) By: Grabiela Rojas Molina Supervisors: Gerhard Jaritz and Katalin Szende Submitted to the Medieval Studies Department Central European University, Budapest In partial fulfillment of the requirements for the degree of Doctor of Philosophy in Medieval Studies, Budapest, Hungary 2020 CEU eTD Collection To my parents CEU eTD Collection Table of Contents Acknowledgments .................................................................................................................................. 1 List of Maps, Charts and Tables .......................................................................................................... 2 Introduction ............................................................................................................................................ 3 A Survey of the Scholarship ........................................................................................................................... 8 a) The Myth of Venice ........................................................................................................................... 8 b) The Humanistic Outlook .................................................................................................................. 11 c) Chronicles, Histories and Diaries ..................................................................................................... 14 d) Albania as a Field of Study .............................................................................................................
    [Show full text]
  • Progressive Authentication in Ios
    Progressive Authentication in iOS Genghis Chau, Denis Plotnikov, Edwin Zhang December 12th, 2014 1 Overview In today's increasingly mobile-centric world, more people are beginning to use their smart- phones for important tasks. This means that many applications will need increased security in order to prevent any unauthorized access. Especially since applications are often always logged in, a careless user who leaves his or her phone unlocked is vulnerable to having po- tentially malicious users easily access sensitive information in apps like mailing or banking applications. In order to counter this on the iOS platform, we build a framework that al- lows developers to use per-app authentication. We tackle this problem from the developer's perspective, as OS-level modifications are much more difficult due to iOS source code being unavailable for analysis. Along with the framework, we complement the system with addi- tional authentication methods, including a server that allows for using one-time passcodes to log into applications. Finally, we discuss further extensions to our work, and their security implications. 2 Background 2.1 Design Our contribution is providing an iOS framework for developers to use in order to force users to reauthenticate when they browse away from the application. This prevents mali- cious attackers from having access to all applications if they are able to get past the phone lock. Currently, a number of authentication schemes are available for use in our framework, including an alphanumeric password, TouchID, Android-style lock patterns, and one-time passcodes. We also provide an Django server that will allow users to generate the one-time passcodes to log into the application.
    [Show full text]