Skip to main content

Über dieses Buch

This book constitutes the refereed proceedings of the 4th International Symposium on Engineering Secure Software and Systems, ESSoS 2012, held in Eindhoven, The Netherlands, in February 2012. The 7 revised full papers presented together with 7 idea papers were carefully reviewed and selected from 53 submissions. The full papers present new research results in the field of engineering secure software and systems, whereas the idea papers give crisp expositions of interesting, novel ideas in the early stages of development.



Application-Replay Attack on Java Cards: When the Garbage Collector Gets Confused

Java Card 3.0 specifications have brought many new features in the Java Card world, amongst which a true garbage collection mechanism. In this paper, we show how one could use this specific feature to predict the references that will be assigned to object instances to be created. We also exploit this reference prediction process in a combined attack. This attack stands as a kind of ”application replay” attack, taking advantage of an unspecified behavior of the Java Card Runtime Environment (JCRE) on application instance deletion. It reveals quite powerful, since it potentially permits the attacker to circumvent the application firewall: a fundamental and historical Java Card security mechanism. Finally, we point out that this breach comes from the latest specification update and more precisely from the introduction of the automatic garbage collection mechanism, which leads to a straightforward countermeasure to the exposed attack.
Guillaume Barbu, Philippe Hoogvorst, Guillaume Duc

Supporting the Development and Documentation of ISO 27001 Information Security Management Systems through Security Requirements Engineering Approaches

Assembling an information security management system according to the ISO 27001 standard is difficult, because the standard provides only sparse support for system development and documentation.
We analyse the ISO 27001 standard to determine what techniques and documentation are necessary and instrumental to develop and document systems according to this standard. Based on these insights, we inspect a number of current security requirements engineering approaches to evaluate whether and to what extent these approaches support ISO 27001 system development and documentation. We re-use a conceptual framework originally developed for comparing security requirements engineering methods to relate important terms, techniques, and documentation artifacts of the security requirements engineering methods to the ISO 27001.
Kristian Beckers, Stephan Faßbender, Maritta Heisel, Jan-Christoph Küster, Holger Schmidt

Typed Assembler for a RISC Crypto-Processor

Our general purpose crypto-processor runs RISC machine code in an encrypted environment, reading encrypted inputs and generating encrypted outputs while maintaining data encrypted in memory. Its intended use is secure remote processing. However, program addresses are processed unencrypted, resulting in a mix of encrypted and unencrypted data in memory and registers at any time. An aspect of compiling for it is typing the assembler code to make sure that those instructions that expect encrypted data always get encrypted data at execution time, and those that expect unencrypted data get unencrypted data. A type inference system is specified here and transformed into an executable typing algorithm, such that a type-checked asembler program is guaranteed type-safe.
Peter T. Breuer, Jonathan P. Bowen

Transversal Policy Conflict Detection

Declarative policies are a common means to manage the security of complex IT environments and they belong to different, heterogeneous classes (access control, filtering, data protection, etc.). Their enforcement requires the selection and configuration of appropriate enforcement mechanisms whose dependencies in a given environment may result in conflicts typically not foreseeable at policy design time. Such conflicts may cause security vulnerabilities and non compliance; their identification and correction is costly. Detecting transversal policy conflicts, i.e., conflicts happening across different policy classes, constitutes a challenging problem, and this work makes a step forward towards its formalization.
Matteo Maria Casalino, Henrik Plate, Slim Trabelsi

Challenges in Implementing an End-to-End Secure Protocol for Java ME-Based Mobile Data Collection in Low-Budget Settings

Mobile devices are having a profound impact on how services can be delivered and how information can be shared. Sensitive information collected in remote communities can be relayed to local health care centers and from there to the decision makers who are thus empowered to make timely decisions. However, many of these systems do not systematically address very important security issues which are critical when dealing with such sensitive and private information.
In this paper we analyze implementation challenges of a proposed security protocol based on the Java ME platform. The protocol presents a flexible secure solution that encapsulates data for storage and transmission without requiring significant changes in the existing mobile client application. The secure solution offers a cost-effective way for ensuring data confidentiality, both when stored on the mobile device and when transmitted to the server. In addition, it offers data integrity, off-line and on-line authentication, account and data recovery mechanisms, multi-user management and flexible secure configuration. A prototype of our secure solution has been integrated with openXdata.
Samson Gejibo, Federico Mancini, Khalid A. Mughal, Remi Valvik, Jørn Klungsøyr

Runtime Enforcement of Information Flow Security in Tree Manipulating Processes

We consider the problem of enforcing information flow policies in Xml manipulating programs such as Web services and business processes implemented in current workflow languages. We propose a runtime monitor that can enforce the secrecy of freely chosen subtrees of the data throughout the execution. The key idea is to apply a generalized constant propagation for computing the public effect of branching constructs whose conditions may depend on the secret. This allows for a better precision than runtime monitors which rely on tainting of variables or nodes alone. We demonstrate our approach for a minimalistic tree manipulating programming language and prove its correctness w.r.t. the concrete semantics of programs.
Máté Kovács, Helmut Seidl

Formalisation and Implementation of the XACML Access Control Mechanism

We propose a formal account of XACML, an OASIS standard adhering to the Policy Based Access Control model for the specification and enforcement of access control policies. To clarify all ambiguous and intricate aspects of XACML, we provide it with a more manageable alternative syntax and with a solid semantic ground. This lays the basis for developing tools and methodologies which allow software engineers to easily and precisely regulate access to resources using policies. To demonstrate feasibility and effectiveness of our approach, we provide a software tool, supporting the specification and evaluation of policies and access requests, whose implementation fully relies on our formal development.
Massimiliano Masi, Rosario Pugliese, Francesco Tiezzi

A Task Ordering Approach for Automatic Trust Establishment

Trust has become essential in computer science as a way of assisting the process of decision-making, such as access control. In any system, several tasks may be performed, and each of these tasks might pose different associated trust values between the entities of the system. For instance, in a file system, reading and overwriting a file are two tasks that pose different trust values between the users who can carry out them. In this paper, we propose a model for automatically establishing trust relationships between entities considering an established order among tasks.
Francisco Moyano, Carmen Fernandez-Gago, Isaac Agudo, Javier Lopez

An Idea of an Independent Validation of Vulnerability Discovery Models

Having a precise vulnerability discovery model (VDM) would provide a useful quantitative insight to assess software security. Thus far, several models have been proposed with some evidence supporting their goodness-of-fit. In this work we describe an independent validation of the applicability of these models to the vulnerabilities of the popular browsers Firefox, Google Chrome and Internet Explorer. The result shows that some VMDs do not simply fit the data, while for others there are both positive and negative evidences.
Viet Hung Nguyen, Fabio Massacci

A Sound Decision Procedure for the Compositionality of Secrecy

The composition of processes is in general not secrecy preserving under the Dolev-Yao attacker model. In this paper, we describe an algorithmic decision procedure which determines whether the composition of secrecy preserving processes is still secrecy preserving. As a case-study we consider a variant of the TLS protocol where, even though the client and server considered separately would be viewed as preserving the secrecy of the data to be communicated, its composition to the complete protocol does not preserve that secrecy. We also show results on tool support that allows one to validate the efficiency of our algorithm for multiple compositions.
Martín Ochoa, Jan Jürjens, Daniel Warzecha

Plagiarizing Smartphone Applications: Attack Strategies and Defense Techniques

In this paper, we show how an attacker can launch malware onto a large number of smartphone users by plagiarizing Android applications and by using elements of social engineering to increase infection rate. Our analysis of a dataset of 158,000 smartphone applications meta-information indicates that 29.4% of the applications are more likely to be plagiarized. We propose three detection schemes that rely on syntactic fingerprinting to detect plagiarized applications under different levels of obfuscation used by the attacker. Our analysis of 7,600 smartphone application binaries shows that our schemes detect all instances of plagiarism from a set of real-world malware incidents with 0.5% false positives and scale to millions of applications using only commodity servers.
Rahul Potharaju, Andrew Newell, Cristina Nita-Rotaru, Xiangyu Zhang

Design of Adaptive Security Mechanisms for Real-Time Embedded Systems

Introducing security features in a system is not free and brings along its costs and impacts. Considering this fact is essential in the design of real-time embedded systems which have limited resources. To ensure correct design of these systems, it is important to also take into account impacts of security features on other non-functional requirements, such as performance and energy consumption. Therefore, it is necessary to perform trade-off analysis among non-functional requirements to establish balance among them. In this paper, we target the timing requirements of real-time embedded systems, and introduce an approach for choosing appropriate encryption algorithms at runtime, to achieve satisfaction of timing requirements in an adaptive way, by monitoring and keeping a log of their behaviors. The approach enables the system to adopt a less or more time consuming (but presumably stronger) encryption algorithm, based on the feedback on previous executions of encryption processes. This is particularly important for systems with high degree of complexity which are hard to analyze statistically.
Mehrdad Saadatmand, Antonio Cicchetti, Mikael Sjödin

Hunting Application-Level Logical Errors

Business applications are complex artefacts implementing custom business logic. While much research effort has been put in the identification of technical vulnerabilities (such as buffer overflows and SQL injections), application-level logic vulnerabilities have drawn relatively limited attention, thus putting the application’s mission at risk. In this paper, we design, implement, and evaluate a novel heuristic application-independent framework, which combines static and dynamic analysis, input vector, and information extraction analysis, along with a fuzzy logic system, so as to detect and assert the criticality of application-level logic vulnerabilities in Java stand-alone GUI applications.
George Stergiopoulos, Bill Tsoumas, Dimitris Gritzalis

Optimal Trust Mining and Computing on Keyed MapReduce

This paper studies trust mining in the framework of keyed MapReduce and trust computing in the context of the Bayesian inferences and makes the following two-fold contributions:
In the first fold, a general method for trust mining is introduced and formalized in the context of keyed MapReduce functions. A keyed MapReduce function is a classic MapReduce function associated with a common reference keyword set so that a document is projected on the specified common reference set rather the whole dictionary as that defined in the classic MapReduce function. As a result, keyed MapReduce functions allow one to define flexible trust mining procedures: a look-up table which records the comments of neighbors can be constructed from the inverted index of the keyed MapReduce function;
In the second fold, a new method for trust computing is introduced and formalized in the context of maximum likelihood distribution. A look-up table generated in the trust mining stage is now viewed as the current state of the target server and then the maximum likelihood distribution over the look-up table is deduced. We show that the proposed trust computing mechanism is optimal (an upper bound of trust values).
Huafei Zhu, Hong Xiao


Weitere Informationen

Premium Partner