Technology, and software technology in particular, is one of the main drivers of progress in human society. It allows us to solve existing tasks more efficiently and find solutions for problems that were previously too complex to deal with. The outreach and importance of its influence on everyday life is hard to overstate. To be able to satisfy ever-growing demand software solutions become more complex and sophisticated, reaching millions users and solving numerous day to day tasks. But as a result new challenges appear, especially related to cybersecurity. And it is not only about integrity, availability and confidentiality aspects, but also – equally important – about control and observability. As the scale of software systems grows more and more, tracking their state and behavior becomes more challenging. This research takes a closer look at observability aspect of cybersecurity, in particular at adaptive logging method for software systems and its dynamic message variant which introduced the ability to have dynamic computations executed before outputting observational information about the system. The flexibility it introduces also makes possible for undesirable side effects to occur as the dynamic nature of such messages allows for execution of virtually any valid code samples. The main purpose of this work is to demonstrate a solution that would allow validation and prevent unwanted code execution. To achieve this an approach that uses analysis of abstract syntax trees with JSON-based validation logic is demonstrated. The natural tree-like structure of ASTs, as well as close resemblance between generated representation and JSON-schemas, allows for precise and easily configurable processing that reduces the possibility of unexpected behaviors. The integration into an existing formal basis of adaptive logging method is also demonstrated with provided justification for required additions and their specifics.
Read full abstract