Abstract
Conventional enterprise application design methodologies emphasize performance, scalability, and development/maintenance costs. Often such applications deal with access to confidential data (e-commerce, health, etc.). A single flaw in the application may lead to a compromise, exposing computational resources and sensitive data, such as private information, trade secrets, etc. Traditionally, security for enterprise applications has focused on prevention; however, recent experience demonstrates that exploitation of infrastructure, operating systems, libraries, frameworks, personnel, etc. is almost unavoidable. While prevention should certainly remain the first line of defense, system architects must also incorporate designs that enable breach containment and response. In this paper, we survey related research on software application design that targets isolation, where the compromise of a single module presents a knowable and scope-limited worst-case impact.
Copyright information
© 2019 Springer Nature Singapore Pte Ltd.
Cerny, T., Donahoo, M.J. (2019). Survey on Compromise-Defensive System Design. In: Kim, K., Baek, N. (eds) Information Science and Applications 2018. ICISA 2018. Lecture Notes in Electrical Engineering, vol 514. Springer, Singapore. https://doi.org/10.1007/978-981-13-1056-0_51
DOI: https://doi.org/10.1007/978-981-13-1056-0_51
Publisher Name: Springer, Singapore
Print ISBN: 978-981-13-1055-3
Online ISBN: 978-981-13-1056-0
eBook Packages: Engineering (R0)