2007 | Book

Advances in Computer Science – ASIAN 2007. Computer and Network Security

12th Asian Computing Science Conference, Doha, Qatar, December 9-11, 2007. Proceedings

Table of Contents

Frontmatter

Invited Speaker: Andrei Sabelfeld

Session 1: Program Security

A Static Birthmark of Binary Executables Based on API Call Structure
Abstract
A software birthmark is a unique characteristic of a program that can be used for software theft detection. In this paper we suggest and empirically evaluate a static birthmark of binary executables based on API call structure. The program properties employed in this birthmark are functions and standard API calls when the functions are executed. The API calls from a function include the API calls explicitly found from the function and its descendants within limited depth in the call graph. To statically identify functions, call graphs and API calls, we utilize the IDAPro disassembler and its plug-ins. We define the similarity between two functions as the proportion of the number of all API calls to the number of the common API calls. The similarity between two programs is obtained by the maximum weight bipartite matching between two programs using the function similarity matrix. To show the credibility of the proposed techniques, we compare the same applications with different versions and the various types of applications which include text editors, picture viewers, multimedia players, P2P applications and ftp clients. To show the resilience, we compare binary executables compiled from various compilers. The empirical result shows that the similarities obtained using our birthmark sufficiently indicate the functional and structural similarities among programs.
Seokwoo Choi, Heewan Park, Hyun-il Lim, Taisook Han
Compiling C Programs into a Strongly Typed Assembly Language
Abstract
C is one of the most popular languages in system programming, though its unsafe nature often causes security vulnerabilities. In the face of this situation, many tools are developed to ensure safety properties of C programs. However, most of them work at the source code level, and conventional compilers lose safety guarantee as they translate source code into assembly code. In this paper, we present CTAL0, a strongly typed assembly language that is aimed at certifying the memory safety of assembly code compiled from C programs. CTAL0 is expressive enough to implement potentially unsafe ANSI C features including pointer arithmetics and casts. We have also implemented a type-checker and an experimental C compiler that produces safe CTAL0 assembly code by performing several transformations on given programs to avoid dangerous operations.
Takahiro Kosakai, Toshiyuki Maeda, Akinori Yonezawa
Information Flow Testing
The Third Path Towards Confidentiality Guarantee
Abstract
Noninterference, which is an information flow property, is typically used as a baseline security policy to formalize confidentiality of secret information manipulated by a program. Noninterference verification mechanisms are usually based on static analyses and, to a lesser extent, on dynamic analyses. In contrast to those works, this paper proposes an information flow testing mechanism. This mechanism is sound from the point of view of noninterference. It is based on standard testing techniques and on a combination of dynamic and static analyses. Concretely, a semantics integrating a dynamic information flow analysis is proposed. This analysis makes use of static analyses results. This special semantics is built such that, once a path coverage property has been achieved on a program, a sound conclusion regarding the noninterfering behavior of the program can be established.
Gurvan Le Guernic

Session 2: Short Papers on Computer Security

Large Scale Simulation of Tor:
Modelling a Global Passive Adversary
Abstract
Implementing global passive adversary attacks on currently deployed low latency anonymous networks is not feasible. This paper describes the implementation of a large scale, discrete event based simulation of Tor, using the SSFNet simulator. Several global passive adversary attacks are implemented on a simulated Tor network comprised of approximately 6000 nodes. The attacks prove to be highly accurate (80 percent stream correlation rate) for low traffic conditions but significantly less effective on denser, multiplexed links (18 percent success rate).
Gavin O’Gorman, Stephen Blott
Privacy Enhancing Credentials
Abstract
Using pairing techniques, we propose an anonymous authenticated key exchange scheme based on credentials issued by a trusted third party. The protocol satisfies several security properties related to user privacy such as unforgeability, limitability, non-transferability, and unlinkability.
Junji Nakazato, Lihua Wang, Akihiro Yamamura
Browser Based Agile E-Voting System
Abstract
In the recent past, in spite of several real world implementations available for Internet [browser-based] e-voting, there seems to be a pattern emerging, one of apathy towards improving voter convenience / participation. The goal of the proposed system evolves from the premise that, there should be a priority shift towards addressing the needs of the Voter, hence, most of the other requirements of this system, such as Security, Anonymity, Universal Verifiability, Individual Verifiability, Receipt-Freeness and Fairness are a direct by-product of this goal. In order to secure a higher voter participation, the proposed system considers the trade-offs between strict adherence to essential properties and practicality / user-convenience. To further secure the voter confidence/trust, a practical approach to Individual Verifiability has been implemented, without compromising the Receipt-Freeness property. So, with such flexibility and consumer-oriented approach, it is but evident that Agility is the hallmark of this project.
Sriperumbuduru Kandala Simhalu, Keiji Takeda
Risk Balance in Exchange Protocols
Abstract
We study the behaviour of rational agents in exchange protocols which rely on trustees. We allow malicious parties to compromise the trustee by paying a cost and, thereby, present a game analysis that advocates exchange protocols which induce balanced risks on the participants. We also present a risk-balanced protocol for fair confidential secret comparison.
Mohammad Torabi Dashti, Yanjing Wang
Scalable DRM System for Media Portability
Abstract
We present a new digital rights management (DRM) system for media portability using dynamic multimedia adaptation. For a user to share multimedia resources over home network, several DRM technologies based on the domain have been introduced. Domain-based approaches enable users to access contents on multiple devices within the same domain. However, most of current DRM systems were only designed for a homogeneous environment where common AV profiles are supported. It is a challenge to share the domain contents between domain members with diverse capabilities while ensuring the protection of the intellectual property rights for the legally obtained contents. In this paper, we propose an architecture that enables DRM contents to be securely shared between various home devices in a seamless manner.
Hyoungshick Kim
Computational Semantics for Basic Protocol Logic – A Stochastic Approach
Abstract
This paper relates formal and computational models of cryptography in case of active adversaries when formal security analysis is done with first order logic. Instead of the way Datta et al. defined computational semantics to their Protocol Composition Logic, we introduce a new, fully probabilistic method to assign computational semantics to the syntax. We present this via considering a simple example of such a formal model, the Basic Protocol Logic by K. Hasebe and M. Okada [7], but the technique is suitable for extensions to more complex situations such as PCL. We make use of the usual mathematical treatment of stochastic processes, hence are able to treat arbitrary probability distributions, non-negligible probability of collision, causal dependence or independence.
Gergei Bana, Koji Hasebe, Mitsuhiro Okada

Session 3: Access Control

Management Advantages of Object Classification in Role-Based Access Control (RBAC)
Abstract
This paper investigates the advantages of enabling object classification in role-based access control (RBAC). First, it is shown how the merits of the RBAC models can be ascribed to its using of abstraction and state of dependencies. Following same arguments, it is shown how inclusion of object classification will ameliorate dependencies and abstractions in the model. The discussion contains examining seven criteria to compare object-classification-enabled RBAC with plain RBAC and trivial-permission-assignment models, in order to show the advantages of object classification in a more formal manner. The criteria are: number and complexity of decisions, change management cost, risk of errors, policy portability and reuse, enforcement and compliance, support for traditional information classification policies, and object grouping and management support.
Mohammad Jafari, Mohammad Fathian
An Integrated Model for Access Control and Information Flow Requirements
Abstract
Current information systems are more and more complex. They require more interactions between different components and users. So, ensuring system security must not be limited to using an access control model but also, it is primordial to deal with information flows in a system. Thus, an important function of a security policy is to enforce access to different system elements and supervise information flows simultaneously. Several works have been undertaken to join together models of access control and information flow. Unfortunately, beyond the fact that the reference model they use is BLP which is quite rigid, these research works suggest non-integrated models which do nothing but juxtapose access control and information flow controls or are based on a misuse of a mapping between MLS and RBAC models. In this paper, we suggest to formalize DTE model in order to use it as a solution for a flexible information flow control. Then, we integrate it into a unique access control model expressive enough to handle access and flow control security rules. The expressivity of the OrBAC model makes this integration possible and quite natural.
Samiha Ayed, Nora Cuppens-Boulahia, Frédéric Cuppens
Digital Rights Management Using a Master Control Device
Abstract
This paper focuses on the problem of preventing the illegal copying of digital content whilst allowing content mobility within a single user domain. This paper proposes a novel solution for binding a domain to a single owner. Domain owners are authenticated using two-factor authentication, which involves “something the domain owner has”, i.e. a Master Control device that controls and manages consumers' domains, and binds devices joining a domain to itself, and “something the domain owner is or knows”, i.e. a biometric or password/PIN authentication mechanism that is implemented by the Master Control device. These measures establish a one-to-many relationship between the Master Control device and domain devices, and a one-to-one relationship between domain owners and their Master Control Devices, ensuring that a single consumer owns each domain. This stops illicit content proliferation. Finally, the pros and cons of two possible approaches to user authentication, i.e. the use of a password/PIN and biometric authentication mechanisms, and possible countermeasures to the identified vulnerabilities are discussed.
Imad M. Abbadi
Dimensions of Declassification in Theory and Practice
Abstract
Computing systems often deliberately release (or declassify) sensitive information. A principal security concern for systems permitting information release is whether this release is safe: is it possible that the attacker compromises the information release mechanism and extracts more secret information than intended? While the security community has recognized the importance of the problem, the state-of-the-art in information release is, unfortunately, a number of approaches with somewhat unconnected semantic goals. We provide a road map of the main directions of current research, by classifying the basic goals according to what information is released, who releases information, where in the system information is released, and when information can be released. We apply this classification in order to evaluate the security of a case study realized in a security-typed language: an implementation of a non-trivial cryptographic protocol that allows playing online poker without a trusted third party. In addition, we identify some prudent principles of declassification. These principles shed light on existing definitions and may also serve as useful “sanity checks” for emerging models.
The talk is based on joint work, in part, with David Sands, and, in part, with Aslan Askarov.
Andrei Sabelfeld

Invited Speaker: Joshua Guttman

Session 4: Protocols

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols
Abstract
We present a reduction semantics for the LySa calculus extended with session information, for modelling cryptographic protocols, and a static analysis for it. If a protocol passes the analysis then it is free of replay attacks and thus preserves freshness. The analysis has been implemented and applied to a number of protocols, including both original and corrected version of Needham-Schroeder protocol. The experiment results show that the analysis is able to capture potential replay attacks.
Han Gao, Chiara Bodei, Pierpaolo Degano, Hanne Riis Nielson
An Abstraction and Refinement Framework for Verifying Security Protocols Based on Logic Programming
Abstract
Using depth(k) abstract domain, we present an abstraction and refinement framework for verifying security protocols based on logic programming. The solved-form fixpoint of the logic program model is abstracted by depth(k) abstract domain, which guarantees termination of the verification algorithm; If the result of the verification algorithm with the abstract solved-form fixpoint shows there exists counterexamples, but the result of the verification algorithm with the logic rules in abstract solved-form fixpoint which are not abstracted shows there exists no counterexamples, then the abstracted solved-form fixpoint is refined by increasing the value of term depth bound k. With this framework, all of the verification, constructing counterexamples and refinement can be implemented in a mechanized way.
MengJun Li, Ti Zhou, ZhouJun Li, HuoWang Chen
Secure Verification of Location Claims with Simultaneous Distance Modification
Abstract
We investigate the problem of verifying location claims of mobile devices, and propose a new property called simultaneous distance modification (SDM). In localization protocols satisfying the SDM property, a malicious device can lie about its distance from the verifiers, but all distances can only be altered by the same amount. We demonstrate that the SDM property guarantees secure verification of location claims with a small number of verifiers even if some of them maliciously collude with the device. We also present several lightweight localization protocols that satisfy the SDM property.
Vitaly Shmatikov, Ming-Hsiu Wang
How to do Things with Cryptographic Protocols
Abstract
When a distributed system may need to operate in the presence of an adversary, when it must support the activities of parties that do not trust one another fully, then cryptographic protocols will play a fundamental role in its design. One example of their importance is their ability to allow principals to agree on keys that will be shared for a session with an authenticated peer. But more fundamentally, a cryptographic protocol is a mechanism to achieve agreement among specific sets of peers, whether on keys or other values. Thus, they can play a fundamental role in organizing transactions in distributed systems, and coordinating interactions among principals.
Joshua D. Guttman

Invited Speaker: Kazuhiko Kato

Session 5: Intrusion Detection

Empirical Study of the Impact of Metasploit-Related Attacks in 4 Years of Attack Traces
Abstract
For several years, various projects have collected traces of malicious activities thanks to honeypots, darknets and other Internet Telescopes. In this paper, we use the accumulated four years of data of one such system, the Leurré.com project, to assess quantitatively the influence, in these traces, of a very popular attack tool, the Metasploit Framework. We identify activities clearly related to the aforementioned exploitation tool and show the fraction of attacks this tool accounts for with respect to all other ones. Despite our initial thinking, the findings do not seem to support the assumption that such tool is only used by, so called, script kiddies. As described below, this analysis highlights the fact that a limited, yet determined, number of people are trying new exploits almost immediately when they are released. More importantly, such activity does not last for more than one or two days, as if it was all the time required to take advantage of these new exploits in a systematic way. It is worth noting that this observation is made on a worldwide scale and that the origins of the attacks are also very diverse. Intuitively, one would expect to see a kind of a Gaussian curve in the representation of the usage of these attacks by script kiddies over time, with a peak after one or two days when word of mouth has spread the rumor about the existence of a new exploit. The striking difference between this idea and the curves we obtain is an element to take into account when thinking about responsible publication of information about new exploits over the Internet.
E. Ramirez-Silva, M. Dacier
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Abstract
We present a logic-based framework to evaluate the resilience of computer networks in the face of incidents, i.e., attacks from malicious intruders as well as random faults. Our model uses a two-layered presentation of dependencies between files and services, and of timed games to represent not just incidents, but also the dynamic responses from administrators and their respective delays. We demonstrate that a variant TATL\(\Diamond\) of timed alternating-time temporal logic is a convenient language to express several desirable properties of networks, including several forms of survivability. We illustrate this on a simple redundant Web service architecture, and show that checking such timed games against the so-called TATL\(\Diamond\) variant of the timed alternating time temporal logic TATL is EXPTIME-complete.
Elie Bursztein, Jean Goubault-Larrecq
Masquerade Detection Based Upon GUI User Profiling in Linux Systems
Abstract
Masquerading or impersonation attack refers to the act of gaining access to confidential data or greater access privileges, while pretending to be legitimate users. Detection of masquerade attacks is of great importance and is a non-trivial task of system security. Detection of these attacks is done by monitoring significant changes in user’s behavior based on his/her computer usage. Traditional detection mechanisms are based on command line system events collected using log files. In a GUI based system, most of the user activities are performed using either mouse movements and clicks or a combination of mouse movements and keystrokes. The command line data cannot capture the complete GUI event behavior of the users hence it is insufficient to detect attacks in GUI based systems. Presently, there is no framework available to capture the GUI based user behavior in Linux systems. We are proposing a novel approach to capture the GUI based user behavior for Linux systems using our event logging tool. Our experimentation results show that the GUI based user behavior can be efficiently used for masquerade attack detection to achieve high detection rates with less false positives. We have applied One-class SVM on the collected data, which requires only training the user’s own legitimate sessions to build up the user’s profile. Our results on GUI data using One-class SVM give higher detection rates with less false positives compared to a Two-class SVM approach.
Wilson Naik Bhukya, Suneel Kumar Kommuru, Atul Negi

Session 6: Short Papers on Network Security

One-Time Receiver Address in IPv6 for Protecting Unlinkability
Abstract
Privacy is one of the most desirable properties in modern communication systems like the Internet. There are many techniques proposed to protect message contents, but it is difficult to protect message addresses because they should be clear to message router. In this paper we propose a mechanism of one-time receiver address in IPv6 for providing unlinkability against eavesdroppers. In our system, a pair of sender and receiver independently generate an identical sequence of addresses by using a secret key exchanged in advance. The sender changes the destination address every time when it initiates a transaction, and only the corresponding receiver can follow the change of the address. We have implemented the proposed mechanism on Linux systems. The prototype system hides relation between transactions with small overhead.
Atsushi Sakurai, Takashi Minohara, Ryota Sato, Keisuke Mizutani
A Comprehensive Approach to Detect Unknown Attacks Via Intrusion Detection Alerts
Abstract
Intrusion detection system (IDS) has played an important role as a device to defend our networks from cyber attacks. However, since it still suffers from detecting an unknown attack, i.e., 0-day attack, the ultimate challenge in intrusion detection field is how we can exactly identify such an attack. This paper presents a novel approach that is quite different from the traditional detection models based on raw traffic data. The proposed method can extract unknown activities from IDS alerts by applying data mining technique. We evaluated our method over the log data of IDS that is deployed in Kyoto University, and our experimental results show that it can extract unknown (or under development) attacks from IDS alerts by assigning a score to them that reflects how anomalous they are, and visualizing the scored alerts.
Jungsuk Song, Hayato Ohba, Hiroki Takakura, Yasuo Okabe, Kenji Ohira, Yongjin Kwon
Combining Heterogeneous Classifiers for Network Intrusion Detection
Abstract
Extensive use of computer networks and online electronic data and high demand for security has called for reliable intrusion detection systems. A repertoire of different classifiers has been proposed for this problem over last decade. In this paper we propose a combining classification approach for intrusion detection. Outputs of four base classifiers ANN, SVM, kNN and decision trees are fused using three combination strategies: majority voting, Bayesian averaging and a belief measure. Our results support the superiority of the proposed approach compared with single classifiers for the problem of intrusion detection.
Ali Borji
Managing Uncertainty in Access Control Decisions in Distributed Autonomous Collaborative Environments
Abstract
Coalitions of autonomous domains gain constantly interest during the last years due to the various fields of their potential application. A lot of challenges of both academic as well as of practical nature are related with their deployment. Among else, the distributed nature of a coalition demands special focus in respect to security management. In this paper we argue about the necessity for adjustable security mechanisms towards the security management of multi-domain environments; we describe an approach that allows determination of preferences when defining access control permissions over the shared objects. We handle such preferences by encoding access control constraints using fuzzy relations and we describe a prototype security architecture that implements the basic principles of our approach.
Petros Belsis, Stefanos Gritzalis, Christos Skourlas, Vassilis Tsoukalas

Session 7: Safe Execution

On Run-Time Enforcement of Policies
Abstract
Monitoring untrusted code for harmful behaviour is an important security issue. Many approaches have been proposed for restricting activities and the range of untrusted code. Among these, run-time monitoring is a promising approach for constricting run-time behaviour of programs. In this paper we describe a method of containing the effects of untrusted code with respect to a specified policy. We use a guarded command like language for specifying policies that could monitor system calls, APIs or library routines of the underlying system. We also discuss a system call monitoring architecture for an operating system like Linux. We provide semantics of the language in terms of Security Automata and also discuss how pure past temporal properties can be automatically compiled into policies in guarded command language. This allows users to specify policies in terms of logical formulae and automatically generate monitoring algorithm for the same in terms of guarded commands. We show how simple modifications allow us to specify constraints on the overall behaviour of a group of processes.
Harshit Shah, R. K. Shyamasundar
Static vs Dynamic Typing for Access Control in Pi-Calculus
Abstract
Traditional static typing systems for the pi-calculus are built around capability types that control the read/write access rights on channels and describe the type of the channels’ payload. While static typing has proved adequate for reasoning on process behavior in typed contexts, dynamic techniques have often been advocated as more effective for access control in distributed/untyped contexts.
We study the relationships between the two approaches – static versus dynamic – by contrasting two versions of the asynchronous pi-calculus. The former, aPi, comes with an entirely standard static typing system. The latter, aPi@, combines static and dynamic typing: a static type system associates channels with flat types that only express read/write capabilities and disregard the payload type, while a dynamically typed synchronization complements the static type system to guarantee type soundness.
We show that aPi@ can be encoded into aPi in a fully abstract manner, preserving the respective behavioral equivalences of the two calculi. Besides yielding an interesting expressivity result, the encoding also sheds light on the effectiveness of dynamic typing as a mechanism for access control.
Michele Bugliesi, Damiano Macedonio, Sabina Rossi
A Sandbox with a Dynamic Policy Based on Execution Contexts of Applications
Abstract
We propose a sandbox system that dynamically changes its behavior according to the application’s execution context. Our system allows users to give different policies, each of which specifies permitted system calls, depending on the user functions in which the target application is executing. The target application can be given less privilege than would be possible with other single-policy sandbox systems. We implemented the sandbox by using LKM (Loadable Kernel Module) of Linux that intercepts the system call issued by the application process. We experimentally demonstrated the effectiveness of the sandbox.
Tomohiro Shioya, Yoshihiro Oyama, Hideya Iwasaki
Modeling and Virtualization for Secure Computing Environments
Abstract
Modeling and virtualization are typical methodologies used to develop efficient security enhancement techniques. Modeling approximates complex human or software behaviors with limited resources and enables effective analysis of usage patterns. Virtualization allows simulating existing computing resources, adding some capabilities such as access control and/or modifying semantics. Thus entities accessing computer resources are handled by modeling, whereas the resources themselves can be managed through virtualization. This invited talk describes our approaches and experiences that takes advantage of both methodologies.
Kazuhiko Kato
Backmatter
Metadata
Title
Advances in Computer Science – ASIAN 2007. Computer and Network Security
Edited by
Iliano Cervesato
Copyright Year
2007
Publisher
Springer Berlin Heidelberg
Electronic ISBN
978-3-540-76929-3
Print ISBN
978-3-540-76927-9
DOI
https://doi.org/10.1007/978-3-540-76929-3
