Users have begun downloading an increasingly large number of mobile phone applications in response to advancements in handsets and wireless networks. The increased number of applications results in a greater chance of installing Trojans and similar malware. In this paper, we propose the Kirin security service for Android, which performs lightweight certification of applications to mitigate malware at install time. Kirin certification uses security rules, which are templates designed to conservatively match undesirable properties in security configuration bundled with applications. We use a variant of security requirements engineering techniques to perform an in-depth security analysis of Android to produce a set of rules that match malware characteristics. In a sample of 311 of the most popular applications downloaded from the official Android Market, Kirin and our rules found 5 applications that implement dangerous functionality and therefore should be installed with extreme caution. Upon close inspection, another five applications asserted dangerous rights, but were within the scope of reasonable functional needs. These results indicate that security configuration bundled with Android applications provides practical means of detecting malware.

/pdf/on-lightweight-mobile-phone-application-certification-1y8lgavj4k.pdf

On lightweight mobile phone application certification

Scanning the Industry 4.0: A Literature Review on Technologies for Manufacturing Systems

We present an in-depth coverage of the comprehensive machine-checked formal verification of seL4, a general-purpose operating system microkernel.We discuss the kernel design we used to make its verification tractable. We then describe the functional correctness proof of the kernel's C implementation and we cover further steps that transform this result into a comprehensive formal verification of the kernel: a formally verified IPC fastpath, a proof that the binary code of the kernel correctly implements the C semantics, a proof of correct access-control enforcement, a proof of information-flow noninterference, a sound worst-case execution time analysis of the binary, and an automatic initialiser for user-level systems that connects kernel-level access-control enforcement with reasoning about system behaviour. We summarise these results and show how they integrate to form a coherent overall analysis, backed by machine-checked, end-to-end theorems.The seL4 microkernel is currently not just the only general-purpose operating system kernel that is fully formally verified to this degree. It is also the only example of formal proof of this scale that is kept current as the requirements, design and implementation of the system evolve over almost a decade. We report on our experience in maintaining this evolving formally verified code base.

Comprehensive formal verification of an OS microkernel

Distributed denial-of-service (DDoS) attacks have become a weapon of choice for hackers, cyber extortionists, and cyber terrorists. These attacks can swiftly incapacitate a victim, causing huge revenue losses. Despite the large number of traditional mitigation solutions that exists today, DDoS attacks continue to grow in frequency, volume, and severity. This calls for a new network paradigm to address the requirements of today’s challenging security threats. Software-defined networking (SDN) is an emerging network paradigm which has gained significant traction by many researchers to address the requirement of today’s data centers. Inspired by the capabilities of SDN, we present a comprehensive survey of existing SDN-based DDoS attack detection and mitigation solutions. We classify solutions based on DDoS attack detection techniques and identify requirements of an effective solution. Based on our findings, we propose a novel framework for detection and mitigation of DDoS attacks in a large-scale network which comprises a smart city built on SDN infrastructure. Our proposed framework is capable of meeting application-specific DDoS attack detection and mitigation requirements. The primary contribution of this paper is twofold. First, we provide an in-depth survey and discussion of SDN-based DDoS attack detection and mitigation mechanisms, and we classify them with respect to the detection techniques. Second, leveraging the characteristics of SDN for network security, we propose and present an SDN-based proactive DDoS Defense Framework (ProDefense). We show how this framework can be utilized to secure applications built for smart cities. Moreover, the paper highlights open research challenges, future research directions, and recommendations related to SDN-based DDoS detection and mitigation.

DDoS Attack Detection and Mitigation Using SDN: Methods, Practices, and Solutions

Cloud computing is expected to become a common solution for deploying applications thanks to its capacity to leverage developers from infrastructure management tasks, thus reducing the overall costs and services’ time to market. Several concerns prevent players’ entry in the cloud; security is arguably the most relevant one. Many factors have an impact on cloud security, but it is its multitenant nature that brings the newest and more challenging problems to cloud settings. Here, we analyze the security risks that multitenancy induces to the most established clouds, Infrastructure as a service clouds, and review the literature available to present the most relevant threats, state of the art of solutions that address some of the associated risks. A major conclusion of our analysis is that most reported systems employ access control and encryption techniques to secure the different elements present in a virtualized (multitenant) datacenter. Also, we analyze which are the open issues and challenges to be addressed by cloud systems in the security field.

http://msjavan.persiangig.com/document/Researches/Locking%20the%20sky-%20a%20survey%20on%20IaaS%20cloud%20security.pdf

Locking the sky: a survey on IaaS cloud security

The SELinux mandatory access control (MAC) policy has recently added a multi-level security (MLS) model which is able to express a fine granularity of control over a subject's access rights. The problem is that the richness of this policy makes it impractical to verify, by hand, that a given policy has certain important information flow properties or is compliant with another policy. To address this, we have modeled the SELinux MLS policy using a logical specification and implemented that specification in the Prolog language. Furthermore, we have developed some analyses for testing the properties of a given policy as well an algorithm to determine whether one policy is compliant with another. We have implemented these analyses in Prolog and compiled our implementation into a tool for SELinux MLS policy analysis, called PALMS. Using PALMS, we verified some important properties of the SELinux MLS reference policy, namely that it satisfies the simple security condition and *-property defined by Bell and LaPadula [2].

/pdf/a-logical-specification-and-analysis-for-selinux-mls-policy-3trgj7i4o5.pdf

A logical specification and analysis for SELinux MLS policy

The SELinux mandatory access control (MAC) policy has recently added a multilevel security (MLS) model which is able to express a fine granularity of control over a subject's access rights. The problem is that the richness of the SELinux MLS model makes it impractical to manually evaluate that a given policy meets certain specific properties. To address this issue, we have modeled the SELinux MLS model, using a logical specification and implemented that specification in the Prolog language. Furthermore, we have developed some analyses for testing information flow properties of a given policy as well as an algorithm to determine whether one policy is compliant with another. We have implemented these analyses in Prolog and compiled our implementation into a tool for SELinux MLS policy analysis, called PALMS. Using PALMS, we verified some important properties of the SELinux MLS reference policy, namely that it satisfies the simple security condition and s-property defined by Bell and LaPadula. We also evaluated whether the policy associated to a given application is compliant with the policy of the SELinux system in which it would be deployed.

/pdf/a-logical-specification-and-analysis-for-selinux-mls-policy-8ehud3vmju.pdf

Most Denial of Service (DoS) attacks intend to generate a traffic pattern that is indistinguishable from legitimate traffic, making it hard to detect an attack. Conventional defenses for these attacks are not scalable, are slow to react or introduce an overhead to each routed packet. In this paper, we present FlowFence, a lightweight and fast denial of service detection and mitigation system for Software Defined Networking (SDN). The FlowFence architecture includes routers running daemons to monitor the average occupation of their interfaces to detect congestion conditions, and an SDN controller that coordinates bandwidth assignment of controlled links. The controller limits the flow transmission rate along a path to prevent users' starvation. The mitigation procedure of starvation state allocates an average bandwidth, while flows exceeding the mean are penalized. The penalization is proportional to the difference between the fair limit and the current bandwidth usage. A system prototype was implemented and evaluated in the Future Internet Testbed with Security (FITS). The results show that the proposal avoids users' starvation of network resources without adding much overhead in the network.

Flowfence: a denial of service defense system for software defined networking

Commercial operating systems have recently introduced mandatory access controls (MAC) that can be used to ensure system-wide data confidentiality and integrity. These protections rely on restricting the flow of information between processes based on security levels. The problem is, there are many applications that defy simple classification by security level, some of them essential for system operation. Surprisingly, the common practice among these operating systems is simply to mark these applications as "trusted", and thus allow them to bypass label protections. This compromise is not a limitation of MAC or the operating system services that enforce it, but simply a fundamental inability of any operating system to reason about how applications treat sensitive data internally--and thus the OS must either restrict the data that they receive or trust them to handle it correctly.

These practices were developed prior to the advent security-typed languages. These languages provide a means of reasoning about how the OS's sensitive data is handled within applications. Thus, applications can be shown to enforce system security by guaranteeing, in advance of execution, that they will adhere to the OS's MAC policy. In this paper, we provide an architecture for an operating system service, that integrate security-typed language with operating system MAC services. We have built an implementation of this service, called SIESTA, which handles applications developed in the security-typed language, Jif, running on the SELinux operating system. We also provide some sample applications to demonstrate the security, flexibility and efficiency of our approach.

/pdf/from-trusted-to-secure-building-and-executing-applications-3b0qxn9oz4.pdf

From trusted to secure: building and executing applications that enforce system security

Protecting host system integrity in the face of determined adversaries remains a major problem. Despite advances in program development and access control, attackers continue to compromise systems forcing security practitioners to regularly react to such breaches. While security practitioners may eventually learn which entry points in programs must be defended over a software's lifetime, new software and configuration options are frequently introduced, opening additional vulnerabilities to adversaries. The application developers' problem is to identify the program entry points accessible to adversaries and provide necessary defenses at these entry points before the adversaries use these to compromise the program. Unfortunately, this is a race that developers often lose. While some program vulnerable entry points are well-known (mostly network), the complexity of host systems makes it difficult to prevent local exploits should attackers gain control of any unprivileged processing. The question we explore in this paper is whether the program entry points accessible to adversaries can be found proactively, so defenses at these entry points can also be developed proactively.

http://www.cse.psu.edu/~trj1//papers/asiaccs12-vijayakumar.pdf

Sandra Rueda

Papers

A logical specification and analysis for SELinux MLS policy

A logical specification and analysis for SELinux MLS policy

Flowfence: a denial of service defense system for software defined networking

From trusted to secure: building and executing applications that enforce system security

Integrity walls: finding attack surfaces from mandatory access control policies