Source code is compiled to byte-code, like Java. In addition to this, it encrypts the code with encryption key which is separated from source code and byte code. The final result would be the encrypted byte-code. When the program or the service is executed, it decrypts the code and executes it. The whole process is done in cloud so nobody could exploit the niche vulnerability. If an attacker tries to crack it, he or she should get the encryption key first. If the encryption key is stored in the deepest layer of the cloud, the attacker should try to break the cloud system first. It’s a good application of cyclic authentication which I mentioned in other posting here.

This model would be applied to the cloud database solution Cloudbean, which offers new DML(Data Manipulating Language) named C2QL as the security concern is one of the most highlighted issues in cloud system. The challenge is how to make the complexity of encryption higher not to be breached.

Common graph algorithms in computer science mostly assume that there’s no cycle in graph structure. On the other hand, the cyclic authentication proves to be a great tool for security enhancement indeed. A cycle means eternity. When a program meets the cycle, it never ends. We can apply the mechanism to ameliorate encryption algorithm. For instance, suppose that there are three individual services A, B and C. Service A has the password to access B, B has that of C and C has that of A. It’s a cyclic password lock. No one can break the cycle unless every service is completely exploited by attackers. Excluding social engineering cases, the countermeasure proves no way to break up. It’s a very subject worthy to consider.

Validation of Web Standard (W3C Validation)
The main reason of this phase is that many browser vendors have made their programs so differently. Keeping web standard may help your service shown identically regardless of browser environment. W3C, who enacts the web standard offers a service to validate online. (http://validator.w3.org) Insert your site address and click Check button to conduct validation. If you meet some errors or warnings, you’d better remove them all.

Optimization
Optimization is important to improve the performance of the service. According to the statistics from Amazon.com, 0.1 second speed-up brings 1% revenue increment. There are some issues about the method so you can consider them. Here is a list of optimizing stuffs.

- Locating inline script and stylesheet(CSS) properly.
- Deferred script.
- Gzip compression.
- Seeing how CSS selector operates in browser.
- Optimization of images (GIF, JPEG, PNG, etc)

Security Manners
It is essential to sanitize user’s input. You’ll get a big trouble by hackers who targets at the core information in your site unless missing security managing process. That is, the personal data and information could be divulged or manipulated. The range of security is broad but you can see the following issues primarily.

- XSS (Cross-site script) attack.
- SQL injection.
- Intercepting user session.
- Exploiting vulnerabilities of browser.

Most people think that it just increases cost. That’s right if your application or service is only for your company. But how about commercial product? Actually a bunch of companies don’t think of the next while developing applications. They don’t think maintenance, backup, risk of rebuked by customers, and even SECURITY. They just focus on what to make or what to develop.

What is the value of security? It resembles health insurance. If you’re healthy, it would not be needed. Otherwise, the cost would be serious. By a statistics, the cost for maintaining or restoring from latter problems is about three times more than the cost for developing. Considering security issue is one of the most significant matters in desigining process I think.

I introduce a security issue for web developers as I’m a web developer too. If you’ve researched about web security, you may have heard about XSS. What is XSS? XSS is acronym for cross-side script. You may ask, “Why not CSS but XSS?” Yes. That’s because CSS means Cascading Style Sheets which is used to dispose HTML document and its components. To avoid confusion with duplicated terms, we often call cross-side script XSS. The document, CERT Adversory CA-2000-02, is talking about XSS. And I’ll abridge the report and explain how to avoid malicious script insertion.

In the beginning, let’s define a key term. What is script? Script includes javascript, VBScript, etc. It would be dangerous if someone seeds his script for malicious intention in your site. By the reference, its impact can be huge enough even to expose SSL-encrypted connections. Attackers are able to steal your cookies. They can modify the behavior of forms, including how results are submitted. Javascript rules domain based security policies but it would be broken with XSS attack.

Then how can we escape? Users can do nothing for this problem. Oh, there’s one. Disabling scripting languages would work. But, I think nobody want to do it. The real solution is in the hand of developers. They should recode dynamically generated pages to validate output. That means whenever user’s input text is revealed, replace original one by safe one. Now, I show you characters which can be a risky factor.

• In the content of the block-level elements, special characters like “<”, “>” and “&” operates as a tag.
• In attribute values, quotation marks should be checked.
• In URLs, non-ASCII characters (especially “%”) should be filtered.

These facts can be solved with the following solutions.
http://www.cert.org/tech_tips/malicious_code_mitigation.html

C++ Example

BYTE IsBadChar[] = {
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0xFF,0xFF,0×00,0×00,0xFF,0xFF,0xFF,0xFF,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0xFF,0xFF,0×00,0xFF,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00
};

DWORD FilterBuffer(BYTE * pString,DWORD cChLen) {
    BYTE * pBad = pString;
    BYTE * pGood = pString;
    DWORD i=0;
    if (!pString) return 0;
    for (i=0;pBad[i];i++) {
        if (!IsBadChar[pBad[i]]) *pGood++ = pBad[i];
    };
    return pGood-pString;
}

JavaScript Example

function RemoveBad(InStr) {
    InStr = InStr.replace(/\</g,”").replace(/\>/g,”");
    InStr = InStr.replace(/\”/g,”")replace(/\’/g,”");
    InStr = InStr.replace(/\%/g,”").replace(/\;/g,”");
    InStr = InStr.replace(/\(/g,”").replace(/\)/g,”");
    InStr = InStr.replace(/\&/g,”").replace(/\+/g,”");
    return InStr;
}

Host-based IDS
Host-base IDS focuses on sole computer so that it can check event logs in detail. This type of IDS can detect anomalies which couldn’t be detected by Network-based IDS, but it cannot detect attacks from network or other systems. It consumes resources for monitoring and reduces performance.

Network-based IDS
Network-based IDS detects attacks and exceptions by capturing network packets and auditing them. It can detect continuous attempt to attack but can’t supply any log which records how the attack affects the system.

Knowledge-based detection
Knowledge-based detection is also called pattern-matching detection. It checks whether each monitored event matches signature DB. If it matches, IDS will decide that attack occurs. It can only find attacks which signature DB know.

Behavior-based detection
Behavior-based detection is also called statistical intrusion detection, anomaly detection, and heuristic-based detection. It explores normal activities and events by auditing and learning. Once it accumulates enough data for normal actions, it can judge anomalies. The weak point is that it alerts wrong alarms far more frequently than other IDSs.

Identification

It’s the stage for subjects to open their identity and get accountability. Once they open themselves to the public, they are responsible for their behaviors. It begins with showing their ID, or private identifying number.

Authentication

It’s the stage to check the identification is correct. Authentication requests additional information to audit whether presented identity corresponds with the subject. Three types of information is usually used for authentication.

• Type 1: Something you know. (ex: password)
• Type 2: Something you have. (ex: smart card)
• Type 3: Something you are. (ex: fingerprint, iris)

Authorization

It’s the stage to grant rights and privileges to the authenticated subject. Authenticated subjects are able to do something which is allowed with their authority.