@NetSys '25 Enhancing client security in zero trust architectures: A device-agent policy enforcement point for compartmentalized network management
Janek Schoffit; Lukas Pietzschmann; Paul Prechtel; Dennis Eisermann; Steffen Wendzel; Frank Kargl
Link
Abstract
Zero Trust Architectures have recently attracted a lot of interest in the network community. However, access control is often not extending into client devices. In this paper, we propose an extension of Zero Trust Policy Enforcement Points that integrates a device agent to expand the zero trust security model to client devices. We have developed a generalized framework that integrates with multiple compartmentalization technologies, ensuring the isolation of processes and enforcement of network policies while maintaining application and user authentication. This approach minimizes the attack surface of malicious processes, as our Zero Trust Device Agent manages compartment lifecycles based on their behaviour within the network and integrates into the global access control framework, thereby improving the overall security of zero trust architectures.
@Msr '24 On the anatomy of real-world R code for static analysis
Florian Sihler; Lukas Pietzschmann; Raphael Straub; Matthias Tichy; Andor Diera; Abdelhalim Dahou
Link
Abstract
Context The R programming language has a huge and active community, especially in the area of statistical computing. Its interpreted nature allows for several interesting constructs, like the manipulation of functions at run-time, that hinder the static analysis of R programs. At the same time, there is a lack of existing research regarding how these features, or even the R language as a whole are used in practice. Objective In this paper, we conduct a large-scale, static analysis of more than 50 million lines of real-world R programs and packages to identify their characteristics and the features that are actually used. Moreover, we compare the similarities and differences between the scripts of R users and the implementations of package authors. We provide insights for static analysis tools like the lintr package as well as potential interpreter optimizations and uncover areas for future research. Method We analyze 4 230 R scripts submitted alongside publications and the sources of 19 450 CRAN packages for over 350 000 R files, collecting and summarizing quantitative information for features of interest. Results We find a high frequency of name-based indexing operations, assignments, and loops, but a low frequency for most of R's reflective functions. Furthermore, we find neither testing functions nor many calls to R's foreign function interface (FFI) in the publication submissions. Conclusion R scripts and package sources differ, for example, in their size, the way they include other packages, and their usage of R's reflective capabilities. We provide features that are used frequently and should be prioritized by static analysis tools, like operator assignments, function calls, and certain reflective functions like load.