This document discusses security aspects of Java modules and compares them to OSGi bundles. It explains that the Java module system brings improved security while fitting into the existing security architecture. Modules introduce another layer of access control and stronger encapsulation for application code. Both modules and bundles define protection domains and can be signed, but modules lack OSGi's notion of local bundle permissions. The new module system enhances security while modularizing the Java platform.
5. @martin_fmi
The big picture
Stack (top to bottom): applet/war/bundle -> System code -> JVM -> Browser / Java EE server / OSGi server
java.policy:
grant codeBase "http://javaday.ua/demoapplet" {
    permission java.io.FilePermission "C:\\Windows", "delete";
};
Permission checks: SecurityManager.checkPermission(…) / AccessController.checkPermission(…)
6. Permission checking
• Typical flow for permission checking:
1) upon system startup a security policy is set and a security manager is installed:
Policy.setPolicy(…)
System.setSecurityManager(…)
7. Permission checking
• Typical flow for permission checking:
2) during classloading (e.g. of a remote applet) bytecode verification is done and the protection domain is set by the class loader for the class (along with the code source, the set of permissions and the set of JAAS principals)
8. Protection Domain
• The protection domain is set during classloading and contains the code source, the list of principals and the list of permissions for the class
• Two types of protection domain: system and application
object.getClass().getProtectionDomain();
9. Permission checking
• Typical flow for permission checking:
3) when system code is invoked from the remote code, the SecurityManager checks the permission against the intersection of the permissions of all protection domains on the current call stack (including the call stacks of the threads that created the current one)
10. Permission checking
• Typical flow for permission checking:
SocketPermission permission = new SocketPermission("javaday.ua:8000-9000", "connect,accept");
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
    sm.checkPermission(permission);
}
11. Permission checking
• Typical flow for permission checking:
4) application code can also do permission checking against remote code using a SecurityManager or an AccessController
12. Permission checking
• Typical flow for permission checking:
SocketPermission permission = new SocketPermission("javaday.ua:8000-9000", "connect,accept");
AccessController.checkPermission(permission);
13. Permission checking
• Typical flow for permission checking:
5) application code can also run an action with only the permissions of the calling domain (ignoring less privileged callers further up the stack) or with those of a particular JAAS subject:
AccessController.doPrivileged(…)
Subject.doAs(…)
Subject.doAsPrivileged(…)
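The five steps above carried through in one runnable program (an added example, not code from the slides): a programmatic Policy stands in for java.policy, a SecurityManager is installed, the class's protection domain is read, permissions are checked through AccessController, and doPrivileged is run against a deliberately empty AccessControlContext to show the intersection rule from step 3. Assumptions: the class name, the granted permissions and the localhost socket target are constructed for this example; it runs as is on JDK 8 to 17, needs -Djava.security.manager=allow on JDK 18 to 23, and cannot run on JDK 24 or later, where the Security Manager is permanently disabled.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

public class PermissionFlowDemo {

    // Step 1: a programmatic Policy playing the role of java.policy. It grants the same
    // narrow set of permissions to every code source (constructed for this example).
    static final class NarrowPolicy extends Policy {
        @Override
        public PermissionCollection getPermissions(CodeSource codeSource) {
            Permissions granted = new Permissions();
            granted.add(new SocketPermission("localhost:8000-9000", "connect,accept"));
            granted.add(new PropertyPermission("java.version", "read"));
            return granted;
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return getPermissions(domain.getCodeSource()).implies(permission);
        }
    }

    // Steps 3/4: ask the AccessController whether every protection domain on the
    // current call stack implies the permission; a SecurityException means "denied".
    static boolean isGranted(Permission permission) {
        try {
            AccessController.checkPermission(permission);
            return true;
        } catch (SecurityException denied) {
            return false;
        }
    }

    // Step 5 variant: run the same check with the caller's permissions intersected
    // with those of an extra context that holds no permissions at all.
    static boolean isGrantedUnderEmptyContext(Permission permission) {
        ProtectionDomain empty = new ProtectionDomain(null, new Permissions());
        AccessControlContext ctx = new AccessControlContext(new ProtectionDomain[] { empty });
        return AccessController.doPrivileged(
                (PrivilegedAction<Boolean>) () -> isGranted(permission), ctx);
    }

    public static void main(String[] args) {
        // Step 2: the protection domain was assigned to this class by its class loader;
        // read it before the manager is installed (getProtectionDomain is itself checked).
        ProtectionDomain domain = PermissionFlowDemo.class.getProtectionDomain();
        System.out.println("code source: " + domain.getCodeSource());

        // Step 1: set the policy first, then install the manager so checks become active.
        Policy.setPolicy(new NarrowPolicy());
        System.setSecurityManager(new SecurityManager());

        System.out.println("connect localhost:8080 -> "
                + isGranted(new SocketPermission("localhost:8080", "connect")));
        System.out.println("connect localhost:80   -> "
                + isGranted(new SocketPermission("localhost:80", "connect")));
        System.out.println("read java.version      -> "
                + isGranted(new PropertyPermission("java.version", "read")));
        System.out.println("delete /tmp/x          -> "
                + isGranted(new FilePermission("/tmp/x", "delete")));

        // Step 5: doPrivileged lets this domain read the property with its own permissions ...
        String version = AccessController.doPrivileged(
                (PrivilegedAction<String>) () -> System.getProperty("java.version"));
        System.out.println("java.version = " + version);

        // ... while an empty context in the intersection denies the very same permission.
        System.out.println("read java.version under empty context -> "
                + isGrantedUnderEmptyContext(new PropertyPermission("java.version", "read")));
    }
}
```

Only the connect to port 8080 and the java.version read are granted; the out-of-range port, the file deletion and the empty-context read are all denied, which is the intersection behaviour the slides describe.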
14. Example: banking app server
Components: FIX protocol integration, Banking server (plain Java), Alpha protocol integration, Demo application, …
17. The big picture
Application
JVM: java.base, java.logging, other module
java.policy:
grant codeBase "http://javaday.ua/demoapplet" {
    permission java.io.FilePermission "C:\\Windows", "delete";
};
Permission checks: SecurityManager.checkPermission(…) / AccessController.checkPermission(…)
18. Security implications
• The security model remains the same with Java modules
• System code is split into modules and applications can use a stripped-down VM => improved security
• Application code can be split into modules with stronger encapsulation at runtime => improved security
19. Access control
• Access control is governed not by the class loader(s) of the module's classes but by the module itself
• Access modifiers are complemented by another layer of encapsulation: exported/opened packages
20. Runtime modules
• Modules can also be defined at runtime with multiple classloaders and grouped into module layers for that purpose:
obj.getClass().getModule().getLayer().defineModulesWithOneLoader(…) / defineModulesWithManyLoaders(…) / defineModules(…)
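How module-level access control shows up at runtime, as an added example (not code from the slides): the program asks java.base which packages it exports or opens to the caller's (unnamed) module and then attempts deep reflection across that boundary, which the module system refuses regardless of which class loader is involved. Assumptions: the class and field names are constructed for the example, and the run is on JDK 16 or later, where illegal reflective access is denied by default (on JDK 9 to 15 add --illegal-access=deny to see the same result).

```java
import java.lang.reflect.Field;
import java.lang.reflect.InaccessibleObjectException;

// Probes the exported/opened state of java.base packages and shows that reflection
// stops at a module boundary the target module did not open.
public class ModuleEncapsulationProbe {

    private static int counter;   // a private member of our own (unnamed) module

    private static Module javaBase() {
        return ModuleLayer.boot().findModule("java.base")
                .orElseThrow(() -> new IllegalStateException("java.base missing from boot layer"));
    }

    // Is the package exported by java.base to the module this class lives in?
    // (Exported packages give ordinary access to their public types.)
    static boolean exportedToUs(String pkg) {
        return javaBase().isExported(pkg, ModuleEncapsulationProbe.class.getModule());
    }

    // Is the package opened to us? (Open packages additionally allow deep reflection.)
    static boolean openedToUs(String pkg) {
        return javaBase().isOpen(pkg, ModuleEncapsulationProbe.class.getModule());
    }

    // Attempt deep reflection (setAccessible on a private field). The JVM grants it only if
    // the field's package is open to the caller's module; class loaders play no part.
    static boolean canDeepReflect(String className, String fieldName) {
        try {
            Field f = Class.forName(className).getDeclaredField(fieldName);
            f.setAccessible(true);
            return true;
        } catch (InaccessibleObjectException blocked) {
            return false;
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("probe misconfigured: " + e, e);
        }
    }

    public static void main(String[] args) {
        Module self = ModuleEncapsulationProbe.class.getModule();
        System.out.println("probe runs in: " + self + " (named=" + self.isNamed() + ")");
        System.out.println("java.lang exported to us:         " + exportedToUs("java.lang"));
        System.out.println("jdk.internal.misc exported to us: " + exportedToUs("jdk.internal.misc"));
        System.out.println("java.lang opened to us:           " + openedToUs("java.lang"));
        System.out.println("deep reflect String.value:        " + canDeepReflect("java.lang.String", "value"));
        System.out.println("deep reflect own private field:   " + canDeepReflect("ModuleEncapsulationProbe", "counter"));
    }
}
```

On JDK 16 or later only the java.lang export and the reflection into the probe's own field succeed; jdk.internal.misc is exported only to selected JDK modules, and String.value is refused with InaccessibleObjectException because java.base does not open java.lang.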
23. OSGi security model
• An extension of the Java security model
• The OSGi spec provides a set of custom permissions such as PackagePermission (in order to specify whether a bundle exports/imports a package) or ServicePermission (to get or register an OSGi service)
24. OSGi security model
• The PermissionAdmin and ConditionalPermissionAdmin classes provide additional permission management on top of SecurityManager
• Local permissions can be specified for each bundle in OSGI-INF/permissions.perm and are useful for bundle security auditing
25. OSGi vs Jigsaw
• Both a Jigsaw module and an OSGi bundle have a distinct protection domain that defines the set of permissions for the Jigsaw module/OSGi bundle
• Both a Jigsaw module and an OSGi bundle can be signed and the set of permissions can be defined on the signer of the Jigsaw module/OSGi bundle
26. OSGi vs Jigsaw
• A Jigsaw module doesn't have the notion of "local permissions" that an OSGi bundle has
• A runtime Jigsaw module can have classes from multiple classloaders that have different protection domains
27. Summary
• The new module system in Java brings better security while still fitting into the platform's security architecture
• The new module system introduces yet another layer of access control for applications