
Showing papers presented at "International Conference on Emerging Security Information, Systems and Technologies in 2014"


Proceedings Article
16 Nov 2014
TL;DR: This paper proposes a cloud computing security monitoring tool based on previous works on both security and management for cloud computing, which provides a way for administrators to define and evaluate security metrics for their systems.
Abstract: Cloud computing is becoming increasingly more popular and telecommunications companies perceive the cloud as an alternative to their service deployment models, one that brings them new possibilities. But to ensure the successful use of this new model there are security and management challenges that still need to be faced. There are numerous threats and vulnerabilities that become more and more important as the use of the cloud increases, as well as concerns with stored data and its availability, confidentiality and integrity. This situation creates the need for monitoring tools and services, which provide a way for administrators to define and evaluate security metrics for their systems. In this paper, we propose a cloud computing security monitoring tool based on our previous works on both security and management for cloud computing. Keywords–cloud computing; security management; monitoring;

13 citations


Proceedings Article
16 Nov 2014
TL;DR: This article presents a model that tackles privacy issues within the PII that is stored on identity providers (IdPs) and supports users and improves their awareness when disseminating PIIs.
Abstract: Cloud computing is widely used to provide on demand services as a consequence of its benefits such as reduced costs, structure flexibility and agility on resource provisioning. However, there are still people that are not comfortable with the idea of sending their sensitive data to the cloud such as the personally identifiable information (PII) that could be used to identify someone in the real world. Moreover, there have been cases of data leaks, which resulted in huge losses both for companies and their clients. Therefore, this article addresses the security and privacy aspects of identity management. We present a model that tackles privacy issues within the PII that is stored on identity providers (IdPs). Thus, our proposal supports users and improves their awareness when disseminating PIIs. Keywords–Cloud Computing; Security; Privacy; Federation; Identity providers;

11 citations


Proceedings Article
16 Nov 2014
TL;DR: This paper examines the development of a procedure as well as a software tool for granting a reproducible access to individual car ECUs without any professional testers.
Abstract: Modern cars typically possess a network of numerous Electronic Control Units (ECUs) which are connected with each other by several bus systems. In addition to the necessary on-board communication by means of which the ECUs exchange information without any influence from outside, there is a strong need for interaction with off-board systems. In this context, the vehicle diagnostics can be mentioned as a significant example. It is highly important that the connection between diagnostic testers and the car is secured against unauthorized access. This paper examines the development of a procedure as well as a software tool for granting a reproducible access to individual car ECUs without any professional testers. If this access can be achieved by self-developed tools, a possible security danger exists as malicious diagnostic routines (not existing in professional car testers) can be activated by using this access. If the ways to achieve this access are known, it is possible to work on improving the defence. Keywords–security access; safety; diagnostics security; data busses; communication standard.

11 citations


Proceedings Article
16 Nov 2014
TL;DR: A new type of methods for hiding data in Microsoft Word documents, named as Property coding, which deploys properties of different document objects (e.g., characters, paragraphs, and sentences) for embedding data.
Abstract: Electronic documents, similarly as printed documents, need to be secured by adding some specific features that allow efficient copyright protection, authentication, document tracking or investigation of counterfeiting and forgeries. Microsoft Word is one of the most popular word processors, and several methods exist for embedding data specially in documents produced by it. We present a new type of methods for hiding data in Microsoft Word documents, named as Property coding, which deploys properties of different document objects (e.g., characters, paragraphs, and sentences) for embedding data. We give four different ways of Property coding, which are resistant to save actions, introduce very small overhead on the document size (about 1%), can embed up to 8 bits per character, and of course, are unnoticed by readers. Property coding belongs to format based methods of text steganography. Keywords-Data Hiding; Microsoft Word.

10 citations


Proceedings Article
16 Nov 2014
TL;DR: An n-gram model of each user’s interactions with software, which essentially captures the sequences and sub-sequences of user actions, their orderings, and temporal relationships that make them unique is built.
Abstract: We posit that each of us is unique in our use of computer systems. It is this uniqueness that we leverage in this paper to “continuously authenticate users” while they use web software. We build an n-gram model of each user’s interactions with software. This probabilistic model essentially captures the sequences and sub-sequences of user actions, their orderings, and temporal relationships that make them unique. We therefore have a model of how each user typically behaves. We then continuously monitor each user during software operation; large deviations from “normal behavior” can indicate malicious behavior. We have implemented our approach in a system called Intruder Detector (ID) that models user actions as embodied in the web logs generated in response to the actions. Our experiments on a large fielded system with web logs of approximately 320 users show that (1) our model is indeed able to discriminate between different user types and (2) we are able to successfully identify deviations from normal behavior. Keywords–behavioral modeling; continuous authentication; software security; n-grams.

10 citations


Proceedings Article
16 Nov 2014
TL;DR: An efficient way to build threat detecting mechanism in AMI systems with the help of software defined networks (SDN) is proposed and the OpenFlow architecture is enhanced to provide more powerful detection mechanism to secure the AMI system.
Abstract: The security of Advanced Metering Infrastructure (AMI) systems draws more and more attention nowadays. Intrusion detection systems are often deployed on the backhaul network to protect the AMI head-end system. In this paper, we proposed an efficient way to build threat detecting mechanism in AMI systems with the help of software defined networks (SDN). Moreover, we also enhance the OpenFlow architecture to provide more powerful detection mechanism to secure the AMI system. The proposed solution not only enhances the security of AMI systems, but also preserves the traffic quality of this structure. Keywords–AMI; SDN; Specification-based detection

9 citations


Proceedings Article
16 Nov 2014
TL;DR: This work introduces a simple mechanism to resist flooding attacks that can be incorporated into any reactive routing protocol, and shows that it significantly reduces the effect of a flooding attack.
Abstract: AODV is a reactive MANET routing protocol that is vulnerable to a dramatic collapse of throughput when malicious intruders flood the network with bogus route requests. We introduce a simple mechanism to resist such attacks that can be incorporated into any reactive routing protocol. It does not require expensive cryptography or authentication mechanisms, but relies on locally applied timers and thresholds to classify nodes as malicious. No modifications to the packet formats are needed, so the overhead is a small amount of calculation at nodes, and no extra communication. Using NS2 simulation, we compare the performance of networks using AODV under flooding attacks with and without our mechanism, showing that it significantly reduces the effect of a flooding attack. Keywords–MANET, Routing, AODV, Security, Attack, Flooding

7 citations


Proceedings Article
16 Nov 2014
TL;DR: A new crowd-sourced, on-line game, called Ghost Map, is discussed that presents players with arcade-style puzzles to solve that are generated from a formal analysis of the correctness of a software program.
Abstract: A large amount of intellectual effort is expended every day in the play of on-line games. It would be extremely valuable if one could create a system to harness this intellectual effort for practical purposes. In this paper, we discuss a new crowd-sourced, on-line game, called Ghost Map that presents players with arcade-style puzzles to solve. The puzzles in Ghost Map are generated from a formal analysis of the correctness of a software program. In our approach, a puzzle is generated for each potential flaw in the software and the crowd can produce a formal proof of the software’s correctness by solving all the corresponding puzzles. Creating a crowdsourced game entails many challenges, and we introduce some of the lessons we learned in designing and deploying our game, with an emphasis on the challenges in producing real-time client gameplay that interacts with a server-based verification engine. Finally, we discuss our planned next steps, including extending Ghost Map’s ability to handle more complex software and improving the game mechanics to enable players to bring additional skills and intuitions to bear on those more complex problems. Keywords-games; static analyses; formal verification; crowd sourcing; games; model checking.

6 citations


Proceedings Article
16 Nov 2014
TL;DR: A systematic and deterministic method to reduce the attack surface of web services by deriving service interface methods from authorization patterns is introduced and applied to the Participation Service that is part of the KIT Smart Campus system.
Abstract: During the design of a security architecture for a web application, the usage of security patterns can assist with fulfilling quality attributes, such as increasing reusability or safety. The attack surface is a common indicator for the safety of a web application, thus, reducing it is a problem during design. Today’s methods for attack surface reduction are not connected to security patterns and have an unknown impact on quality attributes, e.g., come with an undesirable trade-off in functionality. This paper introduces a systematic and deterministic method to reduce the attack surface of web services by deriving service interface methods from authorization patterns. We applied the method to the Participation Service that is part of the KIT Smart Campus system. The resulting RESTful web services of the application are presented and validated. Keywords-security pattern, attack surface, authorization, web

5 citations


Proceedings Article
16 Nov 2014
TL;DR: The research presented in this paper is the first attempt at information hiding (IH) at the physical layer of a Solid State Drive (SSD) NAND flash memory and can withstand any modifications to the logical drive, which is accessible by the OS as well as users.
Abstract: The research presented in this paper, to the best of our knowledge, is the first attempt at information hiding (IH) at the physical layer of a Solid State Drive (SSD) NAND flash memory. SSDs, like HDDs, require a mapping between the Logical Block Addressing (LB) and physical media. However, the mapping on SSDs is significantly more complex and is handled by the Flash Translation Layer (FTL). FTL is implemented via a proprietary firmware and serves to both protect the NAND chips from physical access as well as mediate the data exchange between the logical and the physical disk. On the other hand, the Operating System (OS), as well as the users of the SSD have just the logical view and cannot bypass the FTL implemented by a proprietary firmware. Our proposed IH framework, which requires physical access to NAND registers, can withstand any modifications to the logical drive, which is accessible by the OS as well as users. Our framework can also withstand firmware updates and is 100% imperceptible in the overt-channels. Most importantly, security applications such as anti-virus, cannot detect information hidden using our framework since they lack physical access to the NAND registers. We have evaluated the performance of our framework through implementation of a working prototype, by leveraging the OpenSSD project, on a reference SSD. Keywords—Anti-forensics; Covert Communication; Information Hiding; Security; Solid State Drives.

4 citations


Proceedings Article
16 Nov 2014
TL;DR: The paper proposes a solution for implementing access control for vehicular networks by firewalls using dynamic access approach, based on virtual connections management, and algebra of filtering rules with mechanism of traffic filtering in “stealth” mode.
Abstract: The modern vehicle has long ceased to be a pure mechanical device. Each year data-processing component of the car is becoming more important. Considering the vehicle as the dynamic cyber-physical object in non-deterministic environment, we propose to use the methods of cloud services information security to solve the problem of access control to the car's telematics network. We propose to use a real-time control for each of these aspects, which is a complex technical challenge with static and dynamic interactions. The paper proposes a solution for implementing access control for vehicular networks. It is done by firewalls using dynamic access approach, based on virtual connections management, and algebra of filtering rules with mechanism of traffic filtering in “stealth” mode. The proposed security monitor architecture allows to enforce dynamic access policy depending on static set of firewall filtering rules and current condition of virtual connections and network environment. Keywords–Security; Vehicular network; Cyber-physics objects; Dynamic access control; Virtual connections.

Proceedings Article
16 Nov 2014
Abstract: Conference Paper SECURWARE 2014 : The Eighth International Conference on Emerging Security Information, Systems and Technologies

Proceedings Article
16 Nov 2014
TL;DR: The motivation behind the special attention given to the selection of alternative cryptographic algorithms was the recently revealed weakness found in international encryption standards, which may be intentionally included by foreign intelligence agencies.
Abstract: This paper describes both the design decisions and implementation issues concerning the construction of a cryptographic library for Android Devices. Four aspects of the implementation were discussed in this paper: selection of cryptographic primitives, architecture of components, performance evaluation, and the implementation of nonstandard cryptographic algorithms. The motivation behind the special attention given to the selection of alternative cryptographic algorithms was the recently revealed weakness found in international encryption standards, which may be intentionally included by foreign intelligence agencies. Keywords-Cryptography; Surveillance; Security; Android.

Proceedings Article
16 Nov 2014
TL;DR: A source-level symbolic execution engine which uses backtracking of symbolic states instead of state cloning is considered, and it is extended with a sound method for merging redundant program paths, based on live variable analysis.
Abstract: Software vulnerabilities are a major security threat and can often be exploited by an attacker to intrude into systems. One approach to mitigation is to automatically analyze software source code in order to find and remove software bugs before release. A method for context-sensitive static bug detection is symbolic execution. If applied with approximate path coverage, it faces the state explosion problem. The number of paths in the program execution tree grows exponentially with the number of decision nodes in the program for which both branches are satisfiable. In combination with the standard approach using the worklist algorithm with state cloning, this also leads to exponential memory consumption during analysis. This paper considers a source-level symbolic execution engine which uses backtracking of symbolic states instead of state cloning, and extends it with a sound method for merging redundant program paths, based on live variable analysis. An implementation as plugin extension of the Eclipse C/C++ development tools (CDT) is described. The resulting analysis speedup through path merging is evaluated on the buffer overflow test cases from the Juliet test suite for static analyzers on which the original engine had been evaluated. Keywords–Static analysis; Symbolic execution.

Proceedings Article
16 Nov 2014
TL;DR: It is shown that privacy-preserving mechanisms can favor user’s involvement if privacy can be traded with trust and cost, and a model ensuring an adequate level of flexibility among privacy, trust, and cost in the setting of distributed systems is presented.
Abstract: User-centricity is a design philosophy subsuming new models of Internet connectivity and resource sharing, whose development is mainly driven by what users offer and require. To promote user-centric services and collaborative behaviors, incentives are needed that are typically based on trust relations and remuneration. In this paper, we show that privacy-preserving mechanisms can favor user’s involvement if privacy can be traded with trust and cost. In particular, we present and evaluate formally a model ensuring an adequate level of flexibility among privacy, trust, and cost in the setting of distributed systems. Keywords–Cooperation incentives; trust; privacy; remuneration; user-centric networks; model checking.

Proceedings Article
16 Nov 2014
TL;DR: An informal analysis of challenges that face evolving large-scale security architectures for critical ICT systems and how the security architecture has evolved with the system(s) is conducted.
Abstract: In this paper, we conduct an informal analysis of challenges that face evolving large-scale security architectures. The 3rd generation partner project (3GPP) mobile systems is our example case and we shall investigate how these systems have evolved and how the security architecture has evolved with the system(s). The 3GPP systems not only represent a truly long-lived system family, but are also a massively successful system family, serving billions of subscribers. What once was an auxiliary voice-based infrastructure has evolved to become a main (and thereby critical) information and communications technology (ICT) infrastructure for billions of people. The 25+ years of system evolution has not all been a linearly planned progression and the overall system is now clearly also a product of its history. Our ultimate goal is to capture some of the essence of security architecture evolution for critical ICT systems. Keywords–Evolving Security; System Security; Security Architecture; Long-term security planning.

Proceedings Article
16 Nov 2014
TL;DR: This paper proposes an extension of a similarity verification system with the help of the Paillier cryptosystem for signal processing in the encrypted domain for privacy-preserving biometric authentication and focuses on performance issues with respect to database response time.
Abstract: Nowadays, biometric data are more and more used within authentication processes. These data are often stored in databases. However, these data underlie inherent privacy concerns. Therefore, special attention should be paid for handling of these data. We propose an extension of a similarity verification system with the help of the Paillier cryptosystem. In this paper, we use this system for signal processing in the encrypted domain for privacy-preserving biometric authentication. We adapt a biometric authentication system for enhancing privacy. We focus on performance issues with respect to database response time for our authentication process. Although encryption implicates computational effort, we show that only small computational overhead is required. Furthermore, we evaluate our implementation with respect to performance. However, the concept of verification of encrypted biometric data comes at the cost of increased computational effort in contrast to already available biometric systems. Nevertheless, currently available systems lack privacy enhancing technologies. Our findings emphasize that a focus on privacy in the context of user authentication is available. This solution leads to user-centric applications regarding authentication. As an additional benefit, results using data mining are more difficult to be obtained in the domain of user tracking.

Proceedings Article
16 Nov 2014
TL;DR: A novel approach to data and information management in multi-stream data collection systems with heterogeneous data sources that integrates various data quality (DQ) indicators ranging from traditional data accuracy metrics to network security and business performance measures is proposed.
Abstract: The paper proposes a novel approach to data and information management in multi-stream data collection systems with heterogeneous data sources. Data may be produced by novel nanoscale photonic, optoelectronic and electronic devices. Poor quality characteristics are expected. In the proposed approach, we use a set of data quality indicators with each data entity, and develop the calculus that integrates various data quality (DQ) indicators ranging from traditional data accuracy metrics to network security and business performance measures. The integral indicator will calculate the DQ characteristics at the point of data use instead of conventional point of origin. The DQ metrics composition and calculus are discussed. The tools developed to automate the metrics selection and calculus procedures for the DQ integration are presented. The user-friendly interactive capabilities are illustrated.

Proceedings Article
16 Nov 2014
TL;DR: This paper establishes the concept of mobile commerce objects, an equivalent of virtual currencies, used for m–commerce transactions, and describes functionalities and unique characteristics of these objects, followed with security requirements, and offers some solutions – security extensions of these objects.
Abstract: Electronic commerce and its variant mobile commerce have tremendously increased their popularity in the last several years. As mobile devices have become the most popular means to access and use the Internet, mobile commerce and its security are timely and very hot topics. Yet, today there is still no consistent model of various m–commerce applications and transactions, even less clear specification of their security. In order to address and solve those issues, in this paper, we first establish the concept of mobile commerce objects, an equivalent of virtual currencies, used for m–commerce transactions. We describe functionalities and unique characteristics of these objects; we follow with security requirements, and then offer some solutions – security extensions of these objects. All solutions are treated within the complete lifecycle of creation and use of the m–commerce objects.

Proceedings Article
16 Nov 2014
TL;DR: One position-based threshold proxy signature scheme is designed, its correctness is proved, and its security is analyzed, and it is the first threshold proxy signature scheme based on positions.
Abstract: Position-based cryptography has attracted lots of researchers’ attention. In the mobile Internet, there are many position-based security applications. For the first time, one new conception, threshold proxy signature based on positions is proposed. Based on one secure positioning protocol, one model of threshold proxy signature based on positions is proposed. In the model, positioning protocols are bound to threshold proxy signature tightly, not loosely. Further, one position-based threshold proxy signature scheme is designed, its correctness is proved, and its security is analyzed. As far as we know, it is the first threshold proxy signature scheme based on positions. Keywords-position; threshold proxy signature; proxy signature; UC security; model; scheme.

Proceedings Article
16 Nov 2014
TL;DR: It is shown that security vulnerabilities are wide-spread in current embedded web devices and it is demonstrated that appropriate countermeasures can reduce the attack surface significantly.
Abstract: Due to the increasing networking of devices and services to the Internet of Things, security requirements are rising. Systems that were previously operated in isolation can be attacked over the Internet today. Industrial control systems often form the core of critical infrastructures. Their vulnerabilities and too lax security management can have fatal consequences. With the help of vulnerability databases and search engines, hackers can get instructions and targets to exploit. Routers, printers, cameras and other devices can be the gateway to the home or corporate network. Cyber criminals can enter sensitive areas through inadequately protected remote access. In a case study of a central water supply control system, we present typical security problems. We show that security vulnerabilities are wide-spread in current embedded web devices and demonstrate that appropriate countermeasures can reduce the attack surface significantly. Keywords-web; embedded devices; web security; industrial