Formalization Of Security Properties: Enforcement For Mac
. Part of the book series (LNCS, volume 7669) Abstract Analyzing and administrating system security policies is difficult as policies become larger and more complex every day. The paper present work toward analyzing security policies and sessions in terms of security properties. Our intuition was that combining both visualization tools that could benefit from the expert’s eyes, and software analysis abilities, should lead to a new interesting way to study and manage security policies as well as users’ sessions. Rather than trying to mine large and complex policies to find possible flaws within, work may concentrate on which potential flaws are really exploited by attackers. Actually, the paper presents some methods and tools to visualize and manipulate large SELinux policies, with algorithms allowing to search for paths, such as information flows within policies.
The paper also introduces a complementary original approach to analyze and visualize real attack logs as session graphs or information flow graphs, or even aggregated multiple-sessions graphs. Our wishes is that in the future, when those tools will be mature enough, security administrator can then confront the statical security view given by the security policy analysis and the dynamical and real-world view given by the parts of attacks that most often occurred. Cite this paper as: Clemente P., Kaba B., Rouzaud-Cornabas J., Alexandre M., Aujay G.
(2012) SPTrack: Visual Analysis of Information Flows within SELinux Policies and Attack Logs. In: Huang R., Ghorbani A.A., Pasi G., Yamaguchi T., Yen N.Y., Jin B.
Formalization Of Security Properties Enforcement For Machine Learning
(eds) Active Media Technology. Lecture Notes in Computer Science, vol 7669. Springer, Berlin, Heidelberg. DOI. Publisher Name Springer, Berlin, Heidelberg. Print ISBN 978-3-642-35235-5.
Online ISBN 978-3-642-35236-2. eBook Packages.
Thesis and HiWi Topics We are offering interesting research topics to students in all of the areas we are working in:. You can work with us both by writing a thesis or as a HiWi. Below you can find a short description of each of our research areas, together with a selection of open research topics that you could work on.
We usually have more topics than we advertise, so if you are interested in a particular area and want to contribute to it, feel free to approach us. Runtime Enforcement When a program does not comply with given security requirements itself, one can employ a dynamic enforcement mechanism to make the program compliant while it is executed. A dynamic enforcement mechanism can be seen as an encapsulation that protects a program from a malicious environment or, vice versa, the environment from a malicious program.
Dynamic enforcement is an active research area which comprises both theoretical aspects (e.g., the question which security policies are enforceable) as well as practical aspects (e.g., how to implement dynamic enforcement mechanisms). At MAIS, we particularly focus on distributed dynamic enforcement, which bears challenges like race conditions and incomplete information about the global state of the program. Service Automata Service Automata are a concept developed at MAIS for runtime enforcement of properties in distributed systems. They are a flexible and generic enforcement mechanism, meaning that they can be instantiated with different policies. Security Automata have been modeled in the process algebra CSP. This formalization of the mechanism allows formal proofs that the desired security guarantees of a system are enforced. CliSeAu CliSeAu is a proof-of-concept implementation of Service Automata.
It can be used to enforce properties on distributed systems consisting of programs written in Java and Ruby as well as Android applications. Evaluations on case studies have shown that CliSeAu has only little runtime overhead.
Open research topics. Efficient runtime enforcement for distributed applications (contact ). Policy languages for decentralized distributed runtime enforcement (contact ). Security enforcement in Android applications / smart phones, service-oriented architectures, business processes, file systems, etc.
(contact ). A library of standard enforcement strategies (contact ). Security enforcement for Software-Defined Networking (contact ). Dynamic enforcement mechanisms for mitigating timing side channels (contact ). And more. Contact us if you are interested!
Contact: Creating information systems that process private information requires special care to ensure the systems' security. Deferring the consideration of security aspects until the system is implemented is risky since the mitigation of security issues may require expensive changes to the system's design. The approach of security engineering is to determine security requirements up-front and design the system such that it conforms to these requirements. At MAIS, we develop methodology and tools for the design and verification of secure information systems and investigate how these designs can be implemented such that their security guarantees are preserved. MAKS MAKS, the Modular Assembly Kit for Security, is a framework for reasoning about information-flow properties on the specification level in a modular fashion. There are many different security properties in the literature. In many cases, it is difficult to compare these properties.
Hence, it is unclear which one is adequate for specifying a particular security requirement on a system. MAKS addresses this problem by providing simple building blocks for security properties that can be combined depending on the particular needs of the scenario at hand. Many properties from the literature can be constructed using MAKS. Additionally, MAKS provides compositionality guarantees for the building blocks. This allows for a design process of secure systems in which security only has to be proven for the individual components of a system. The security of the entire system then follows automatically from the built-in compositionality results.
Open research topics. Developing the theoretical foundations of MAKS. And more. Contact us if you are interested! I-MAKS I-MAKS is a formalization of the MAKS framework in the automated proof assistant Isabelle/HOL. It enables partially automated security proofs of system specifications. Furthermore, it includes a front-end for the process algebra CSP, which makes it easier to specify systems.
Since all parts of the I-MAKS formalization and all proofs done within it are machine-checked by Isabelle/HOL for correctness, using I-MAKS provides a high degree of confidence in security guarantees established with it. Research topics. Extending I-MAKS by further modules. Applying I-MAKS in case studies to evaluate it. Developing a front-end for an additional system specification language. Developing a front-end for defining security guarantees. And more.
Contact us if you are interested! Information-Flow Security When running a program that requires access to confidential data, one wants to be sure that no information about the confidential data is leaked to untrusted third parties. For instance, a banking application requires access to a user's login credentials, but no information about the login credentials must be leaked to the developers of the app even if they legitimately receive other information, e.g. Usage statistics. Such security requirements can be formally expressed with information-flow properties.
Program analysis techniques, such as security type systems, can check automatically whether a program satisfies a given information-flow property. In the scenario of the banking application, a positive result of the analysis combined with a so-called soundness result for the analysis technique guarantees that no information about the user's login crendentials is leaked to the developers. At MAIS, we develop and improve information-flow properties, and sound analysis techniques for these properties. Furthermore, we develop tools for the automatic verification of programs based on these analysis techniques. Contact: Mobile devices store and collect a wide range of sensitive information, such as the user's current location, his contacts, calendar entries, e-mails, photos, and many other kinds of information. Maintaining the privacy of this sensitive information is an open issue.
In the past, many leaks of sensitive information by Android apps, both intentionally and unintentionally, have been reported. This is in spite of existing security mechanisms provided by Android., the Certifying App Store for Secure Android Applications, addresses this problem by integrating an information-flow analysis into an app store. This allows users to check whether apps he would like to install respect his privacy requirements.
In the development of Cassandra, we are addressing both theoretical and practical research questions. On the theory side, the analysis is formalized as a security type system. It is proven to be sound against a formal semantics of Android applications and a formal definition of security.
This means that all applications passing the analysis are guaranteed to be secure. On the practical side, we have developed a system architecture that enables fast analyses as well as an optimized analysis algorithm. Here, we are also considering how to enable non-expert users to specify their privacy requirements and how to make sure that they can understand the results of the analysis. Open research topics. Making the security analysis of Cassandra more flexible and precise by extending the type system. Analyzing the Android framework in order to remove the need for manual specification by experts. Proving the soundness of the type system in the automated proof assistant Isabelle/HOL.
Generating a verified implementation of the security type system from Isabelle/HOL. Developing a formal definition and a sound analysis for multi-threaded Android apps. Extending an existing specification language to express more complex security requirements.
And more. Contact us if you are interested! Security under Weak Memory Models.
Contact: Modern multi-core processors implement various optimizations intended to improve their performance, such as caches, reordering of instructions, and branch prediction. These optimizations can have effects that are unintuitive and unexpected.
Weak memory models have been developed to describe the effects of processor optimizations. We have found that weak memory models have subtle effects on the security of programs: Security guarantees that have been established without taking into account processor optimizations no longer hold in general when a program is executed under a weak memory model. This is a significant issue, since many devices nowadays are equipped with multi-core processors.
At MAIS, we are further exploring the effects of weak memory models on security and developing techniques for re-establishing security guarantees. To this end, we are investigating a number of theoretical research questions, including how weak memory models can be incorporated in formal semantics, how different semantics incorporating weak memory models compare to each other, and what the impact of weak memory models is on security properties. On the practical side, we are evaluating whether the executions possible under a given memory model are the same as those possible on an actual given processor and are investigating whether existing analyses and tools can be adapted to address the effects of the memory model of a given processor architecture. Open research topics. Developing an experimental setup for exploring the ARM memory model on a Raspberry Pi 2. And more.
Contact us if you are interested! Side-Channel Analysis and Mitigation Side channels are unintended indirect flows of information revealed by physical executions of a computer program. Examples of side channels include program's running time, cache behavior, power consumption, electromagnetic radiation, etc.
Such unintended flows of information may be correlated to secrets e.g., private cryptographic keys, and this makes side channels a severe security vulnerability. By exploiting such correlation, the hacker can recover the secrets, and this is known as a side-channel attack. Due to improvements in security protection mechanisms traditional security vulnerabilities like programming bugs, are getting harder to exploit, and that is why side channels are becoming now more and more attractive to hackers. Among different types of side channels, timing side channels are particularly critical since timing attacks can be mounted remotely over computer networks and do not require direct physical access to the system under attack. At MAIS, we develop methods and tools for sound detection of timing side channels, assessment of their seriousness, construction of timing attacks and design of proper countermeasures. Open research topics. Taxonomy of coding guidelines for side-channel resillient code.
We can develop an idea for a topic together! (contact or ).