UC Berkeley UC Berkeley Electronic Theses and Dissertations

Title: Towards High Assurance HTML5 Applications
Permalink: https://escholarship.org/uc/item/3ps5g7k4
Author: Akhawe, Devdatta Madhav
Publication Date: 2014
Peer reviewed|Thesis/dissertation

Towards High Assurance HTML5 Applications
by Devdatta Madhav Akhawe

A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science in the Graduate Division of the University of California, Berkeley

Committee in charge:
Professor Dawn Song, Chair
Professor David Wagner
Professor Brian Carver

Spring 2014

Copyright 2014 by Devdatta Madhav Akhawe

Abstract

Rich client-side applications written in HTML5 proliferate on diverse platforms such as mobile devices, commodity PCs, and the web platform. These client-side HTML5 applications are increasingly accessing sensitive data, including users' personal and social data, sensor data, and capability-bearing tokens. Instead of the classic client/server model of web applications, modern HTML5 applications are complex client-side applications that may call some web services, and run with ambient privileges to access sensitive data or sensors.

The goal of this work is to enable the creation of higher-assurance HTML5 applications. We propose two major directions: first, we present the use of formal methods to analyze web protocols for errors. Second, we use existing primitives to enable practical privilege separation for HTML5 applications. We also propose a new primitive for complete mediation of HTML5 applications.
Our proposed designs considerably ease analysis and improve auditability.

To my parents.

Contents

List of Figures
List of Tables

1 Introduction
  1.1 Towards a Formal Foundation for Web Protocols
  1.2 Privilege Separation for HTML5 Applications
  1.3 Data Confined HTML5 Applications
2 Towards A Formal Foundation for Web Protocols
  2.1 Introduction
  2.2 General Model
  2.3 Implementation in Alloy
  2.4 Case Studies
  2.5 Measurement
  2.6 Summary of Results
3 Privilege Separation for HTML5 Applications
  3.1 Introduction
  3.2 Problem and Approach Overview
  3.3 Design
  3.4 Implementation
  3.5 Case Studies
  3.6 Performance Benchmarks
  3.7 Summary of Results
4 Data-Confined HTML5 Applications
  4.1 Introduction
  4.2 Data Confinement in HTML5 applications
  4.3 Problem Formulation
  4.4 The Data Confined Sandbox
  4.5 Implementation
  4.6 Case Studies
  4.7 Summary of Results
5 Related Work
  5.1 Formal Verification of Security Protocols
  5.2 Privilege Separation for Web Applications
  5.3 Data-confined HTML5 Applications
6 Conclusion
Bibliography

List of Figures

2.1 The metamodel of our formalization of web security. Red unmarked edges represent the 'extends' relationship.
2.2 Vulnerability in Referer Validation. This figure is adapted from [85], with the attack (dashed line) added.
2.3 Counterexample generated by Alloy for the HTML5 form vulnerability.
2.4 The WebAuth protocol.
2.5 Log-scale graph of analysis time for increasing scopes. The SAT solver ran out of memory for scopes greater than eight after the fix.
3.1 CDF of percentage of functions in an extension that make privileged calls (X axis) vs. the fraction of extensions studied (in percentage) (Y axis). The lines for 50% and 20% of extensions as well as for 5% and 20% of functions are marked.
3.2 High-level design of our proposed architecture.
3.3 Sequence of events to run application in sandbox. Note that only the bootstrap code is sent to the browser to execute. Application code is sent directly to the parent, which then creates a child with it.
3.4 Typical events for proxying a privileged API call. The numbered boxes outline the events. The event boxes span the components involved. For example, event 4 involves the parent shim calling the policy code.
3.5 Frequency distribution of event listeners and API calls used by the top 42 extensions requiring the tabs permission.
4.1 High-level design of an application running in a DCS. The only component that runs privileged is the parent. The children run in data-confined sandboxes, with no ambient privileges and all communication channels monitored by the parent.

List of Tables

2.1 Statistics for each case study.
3.1 Overview of case studies. The TCB sizes are in KB. The lines changed column only counts changes to application code, and not application independent shims and parent code.
4.1 Comparison of current solutions for data confinement.
4.2 List of our case studies, as well as the individual components and policies in our redesign.
4.3 Confidentiality Invariants in the Top 20 Google Chrome Extensions.

Acknowledgments

First, I want to thank my advisor Dawn for being such a fantastic advisor and guide through my graduate career. Also, thanks to David Wagner whose advice and guidance I have always sought and received during my graduate career. Thanks also to my committee members Brian Carver and George Necula for their help and guidance.

The research presented in this thesis is a joint effort. A special thanks goes to all my co-authors: Adam Barth, Warren He, Eric Lam, Frank Li, John Mitchell, Prateek Saxena, Dawn Song. Over the course of my graduate life I have co-authored papers with nearly 30 different co-authors.
These collaborators, all my friends in the Security group, and all my teachers at Berkeley have directly impacted my research, my work, and my evolution as a researcher and I remain thankful to them all. I am extremely lucky to have been surrounded by and worked with such a tremendously talented group of people over the past five years.

Pursuing graduate studies was in a large part due to all the great mentors and teachers I have had over the years. I would like to particularly thank my undergraduate advisor, Sundar Balasubramaniam, as well as Helen Wang and Xiaofeng Fan for their fantastic mentoring and advice. Without their help and support, it is unlikely I would have even applied to graduate school.

Thanks also to all my friends, from Pilani to Berkeley, who made the stress of graduate life easy to manage. You know who you are and I feel blessed to call such an amazing group of people my friends.

Finally, and most importantly, I want to thank my extended family: my brother, my cousins, my uncles and aunts, and their respective families for their amazing love, care, and guidance over the years. I would like to particularly thank all my four aunts: they ensured I got an education and never lost focus.

Chapter 1

Introduction

Rich client-side HTML5 applications, including packaged browser applications (Chrome Apps) [57], browser extensions [56], Windows 8 Metro applications [98], and applications in new browser operating systems (B2G [105], Tizen [134]), are fast proliferating on diverse computing platforms. These applications run with access to sensitive data such as the user's browsing history, personal and social data, financial documents, and capability-bearing tokens that grant access to these data. A recent study reveals that 58% of the 5,943 Google Chrome browser extensions studied require access to the user's browsing history, and 35% request permissions to the user's data on all websites [34].
In addition, the study found that 67% of 34,370 third-party Facebook applications analyzed have access to the user's personal data [34].¹ HTML5 applications also form a significant chunk of mobile applications; Chin et al. recently found that 70% of smartphone applications they surveyed on Google Play rely on HTML5 code in some form [35]. These HTML5 applications often execute with access to the same sensors available to native mobile applications, including private data from GPS receivers, accelerometers, and cameras. These trends indicate the evolution of the client-side web from a front-end for servers to a complex application platform running privileged applications.

¹ The study measured install-time permissions, which are a lower bound for Facebook applications, since they can request further permissions at runtime.

Despite immense prior research on detection and mitigation techniques [7, 45, 66, 82, 122], web vulnerabilities are still pervasive in HTML5 applications on emerging platforms such as browser extensions [30]. As the HTML5 platform achieves wider adoption, enabling higher assurance in HTML5 applications is critical to its success. In this thesis, we address this need.

1.1 Towards a Formal Foundation for Web Protocols

First, we present initial work on formal modeling and verification of web protocols. As we discussed above, HTML5 applications on emerging platforms are moving away from the client/server paradigm to a new paradigm of standalone HTML5 applications that call diverse web services. The security of protocols used by HTML5 applications to communicate with diverse cloud-based services is just as critical to the security of the platform as the security of the HTML5 application itself. We propose a formal model of web security mechanisms based on an abstraction of the web platform and use this model to analyze the security of five sample web mechanisms and applications.
Web protocols are distinct from network protocols due to the nature of the web: attacker code often runs as part of the user's browser, and the attacker can initiate cookie-bearing requests.