Foundations and Practice of Security

Logging systems are an essential component of security systems and their security has been widely studied. Recently (2017) it was shown that existing secure logging protocols are vulnerable to crash attack in which the adversary modifies the log file and then crashes the system to make it indistinguishable from a normal system crash. The attacker was assumed to be non-adaptive and not be able to see the file content before modifying and crashing it (which will be immediately after modifying the file). The authors also proposed a system called SLiC that protects against this attacker. In this paper, we consider an (insider) adaptive adversary who can see the file content as new log operations are performed. This is a powerful adversary who can attempt to rewind the system to a past state. We formalize security against this adversary and introduce a scheme with provable security. We show that security against this attacker requires some (small) protected memory that can become accessible to the attacker after the system compromise. We show that existing secure logging schemes are insecure in this setting, even if the system provides some protected memory as above. We propose a novel mechanism that, in its basic form, uses a pair of keys that evolve at different rates, and employ this mechanism in an existing logging scheme that has forward integrity to obtain a system with provable security against adaptive (and hence non-adaptive) crash attack. We implemented our scheme on a desktop computer and a Raspberry Pi, and showed in addition to higher security, a significant efficiency gain over SLiC.

The principle merits of access control models lie in the ability to precisely reason about their security properties in lineage of the safety problem. It formalizes the question if future changes in a model’s protection state may eventually violate a security requirement, thereby falsifying model correctness. One fundamental problem of safety analysis is that, as proven in the seminal HRU model calculus, this property is undecidable for the most expressive class of models. To tackle this problem in practical security engineering, a heuristic approach has proven useful that exploits the fact that model commands share dependencies, which are assumed to be (1) one-dimensional and (2) static. In complex models for modern application domains, such as type enforcement in operating systems, both assumptions cannot be made. This paper studies both problems and provides a heuristic solution approach for the problem of dynamic dependencies. Based on our heuristic, we demonstrate the practical impact of this analysis problem and discuss the general implications on model design and analysis strategies.

Despite the growing interest in Attribute-Based Access Control (ABAC) and the large amount of research devoted to the specification and evaluation of ABAC policies, to date only little work has addressed the issue of attribute management and retrieval. In many modern systems, the attributes needed for policy evaluation are often retrieved from external sources (e.g., sensors, access points). This poses concerns on the correctness of policy evaluation as the policy decision point can be provided with incorrect attribute values, which can potentially yield incorrect decisions. In this paper, we investigate the problem of selecting mechanisms for attribute retrieval and its relation with the accuracy of policy evaluation. We first introduce the notion of policy evaluation under error rate and use this notion to compute the evaluation accuracy of a policy. We formulate the Attribute Retrieval Mechanism Selection Problem (ARMSP) in terms of evaluation accuracy and show that ARMSP is exponential in the number of attribute values. To overcome this computation limitation, we investigate approaches to estimate the evaluation accuracy of a policy while maintaining the computation feasible.

Efforts towards incorporating user-to-user delegation into Attribute-Based Access Control (ABAC) is an emerging new direction in ABAC research. A number of potential strategies for integrating delegation have been proposed in recent literature but few have been realized as full ABAC delegation models. This work formalizes one such strategy, entitled User-To-User Attribute Delegation, into a working delegation model by extending the Hierarchical Group and Attribute-Based Access Control (HGABAC) model to support dynamic and “off-line” attribute delegation. A framework to support the proposed delegation model is also presented and gives implementation details including an updated Attribute Certificate format and service protocol based on the Hierarchical Group Attribute Architecture (HGAA).

Auctions are widely used to sell products between different users. In this paper, we present Auctionity, an English e-auction based on blockchain. We describe the different protocols used in Auctionity. We also define the security models and the associated properties. We formally prove some security properties of this protocol using ProVerif.

Large vessels are safety-critical systems where operations, performance and component availability are continuously monitored by means of multiple sensors producing large amount of data. Relevant information is preserved in Event Data Recorders that are fundamental for the reconstruction of scenarios related to serious malfunctions and incidents in technical and legal terms. By considering the state-of-the-art and two important naval accidents we evidence some issues related to the exploitation of recorded data in reconstructing the events timeline and the semantics of the scenarios. These studies motivate our proposal that aims to guarantee strong data integrity and availability of all information registered in Event Data Recorders. Our results are fundamental for the precise identification of the sequences of events and for the correct attribution of human and/or machine responsibilities.