Responding to Computer Crime: A Security Practitioner's Guide

ABSTRACT

In this paper, we present an aspect-oriented approach and propose a high-level language called SHL (Security Hardening Language) for the systematic security hardening of software. The primary contribution of this proposition is providing the software architects with the capabilities to perform security hardening by applying well-defined solutions and without the need to have expertise in the security solution domain. At the same time, the security hardening is applied in an organized and systematic way in order not to alter the original functionalities of the software. This is done by providing an abstraction over the actions required to improve the security of a program and adopting aspect-oriented programming to build and develop the solutions. SHL allows the developers to describe and specify the security hardening plans and patterns needed to harden systematically security into open source software. It is a minimalist language built on top of the current aspect-oriented technologies that are based on advice-poincut model and can also be used in conjunction with them. We explore the viability and relevance of our proposition by applying it into several security hardening case studies and presenting their experimental results.     

New AspectJ Pointcuts for Integer Overflow and Underflow Detection

ABSTRACT

Aspect-oriented Programming (AOP) appears to be a promising paradigm for software security hardening. Using AOP, security experts can be responsible for coding security properties, and developers can concentrate on the basic functionality of the program. AspectJ extends the Java programming language to implement crosscutting concerns modularly in general. In this paper, we have extended AspectJ with new pointcuts in order to detect integer overflows and underflows in Java. Integer overflows and underflows in Java occur silently without throwing an exception. A malicious user can exploit them to produce a security breach. Hence, we implement new pointcuts: addition, multiplication, and subtraction that allow to write advices around integer arithmetic operations to detect integer overflow and underflow and consequently prevent considerable number of security breaches.     

Software design patterns classification and selection using text categorization approach

ContextNumerous software design patterns have been introduced and cataloged either as a canonical or a variant solution to solve a design problem. The existing automatic techniques for design pattern(s) selection aid novice software developers to select the more appropriate design pattern(s) from the list of applicable patterns to solve a design problem in the designing phase of software development life cycle.GoalHowever, the existing automatic techniques are limited to the semi-formal specification, multi-class problem, an adequate sample size to make precise learning and individual classifier training in order to determine a candidate design pattern class and suggest more appropriate pattern(s).MethodTo address these issues, we exploit a text categorization based approach via Fuzzy c-means (unsupervised learning technique) that targets to present a systematic way to group the similar design patterns and suggest the appropriate design pattern(s) to developers related to the specification of a given design problem. We also propose an evaluation model to assess the effectiveness of the proposed approach in the context of several real design problems and design pattern collections. Subsequently, we also propose a new feature selection method Ensemble-IG to overcome the multi-class problem and improve the classification performance of the proposed approach.ResultsThe promising experimental results suggest the applicability of the proposed approach in the domain of classification and selection of appropriate design patterns. Subsequently, we also observed the significant improvement in learning precision of the proposed approach through Ensemble-IG.ConclusionThe proposed approach has four advantages as compared to previous work. First, the semi-formal specification of design patterns is not required as a prerequisite; second, the ground reality of class label assignment is not mandatory; third, lack of classifier’s training for each design pattern class and fourth, an adequate sample size is not required to make precise learning.     

Automated verification of security pattern compositions

Software security becomes a critically important issue for software development when more and more malicious attacks explore the security holes in software systems. To avoid security problems, a large software system design may reuse good security solutions by applying security patterns. Security patterns document expert solutions to common security problems and capture best practices on secure software design and development. Although each security pattern describes a good design guideline, the compositions of these security patterns may be inconsistent and encounter problems and flaws. Therefore, the compositions of security patterns may be even insecure. In this paper, we present an approach to automated verification of the compositions of security patterns by model checking. We formally define the behavioral aspect of security patterns in CCS through their sequence diagrams. We also prove the faithfulness of the transformation from a sequence diagram to its CCS representation. In this way, the properties of the security patterns can be checked by a model checker when they are composed. Composition errors and problems can be discovered early in the design stage. We also use two case studies to illustrate our approach and show its capability to detect composition errors.     

An advanced approach for modeling and detecting software vulnerabilities

ContextPassive testing is a technique in which traces collected from the execution of a system under test are examined for evidence of flaws in the system.ObjectiveIn this paper we present a method for detecting the presence of security vulnerabilities by detecting evidence of their causes in execution traces. This is a new approach to security vulnerability detection.MethodOur method uses formal models of vulnerability causes, known as security goal models and vulnerability detection conditions (VDCs). The former are used to identify the causes of vulnerabilities and model their dependencies, and the latter to give a formal interpretation that is suitable for vulnerability detection using passive testing techniques. We have implemented modeling tools for security goal models and vulnerability detection conditions, as well as TestInv-Code, a tool that checks execution traces of compiled programs for evidence of VDCs.ResultsWe present the full definitions of security goal models and vulnerability detection conditions, as well as structured methods for creating both. We describe the design and implementation of TestInv-Code. Finally we show results obtained from running TestInv-Code to detect typical vulnerabilities in several open source projects. By testing versions with known vulnerabilities, we can quantify the effectiveness of the approach.ConclusionAlthough the current implementation has some limitations, passive testing for vulnerability detection works well, and using models as the basis for testing ensures that users of the testing tool can easily extend it to handle new vulnerabilities.     

Common weaving approach in mainstream languages for software security hardening

In this paper, we propose a novel aspect-oriented approach based on GIMPLE, a language-independent and a tree-based representation generated by the GNU Compiler Collection (GCC), for the systemization of application security hardening. The security solutions are woven into GIMPLE representations in a systematic way, eliminating the need for manual hardening that might generate a considerable number of errors. To achieve this goal, we present a formal specification for GIMPLE weaving and the implementation strategies of the proposed weaving semantics. Syntax for a common aspect-oriented language that is abstract and multi-language support together with syntax for a core set for GIMPLE constructs are presented to express the weaving semantics. GIMPLE weaving accompanied by a common aspect-oriented language (1) allows security experts providing security solutions using this common language, (2) lets developers focus on the main functionality of programs by relieving them from the burden of security issues, (3) unifies the matching and the weaving processes for mainstream languages, and (4) facilitates introducing new security features in AOP languages. We handle the correctness and the completeness of GIMPLE weaving in two different ways. In the first approach, we prove them according to the rules and algorithms provided in this paper. In the second approach, we accommodate Kniesel's discipline that ensures that security solutions specified by our approach are applied at all and only the required points in source code, taking into consideration weaving interactions and interferences. Finally, we explore the viability and the relevance of our propositions by applying the defined approach for systematic security hardening to develop case studies.     

Using Data Normalization Techniques for Effective Data Base Design

Abstract

Today's users want to access their data through fourth-generation languages, or 4GLs, and microcomputers. More flexible data bases are required to satisfy this growing need. These data bases must be based on the data as perceived by users, not as viewed by a system—the normalized approach to data base design provides for this. Data bases can be built that satisfy user needs and establish a logical design done only once regardless of the DBMS or computer system that will subsequently use the data.     

A systematic review on security in Process-Aware Information Systems – Constitution,challenges, and future directions

ContextSecurity in Process-Aware Information Systems (PAIS) has gained increased attention in current research and practice. However, a common understanding and agreement on security is still missing. In addition, the proliferation of literature makes it cumbersome to overlook and determine state of the art and further to identify research challenges and gaps. In summary, a comprehensive and systematic overview of state of the art in research and practice in the area of security in PAIS is missing.ObjectiveThis paper investigates research on security in PAIS and aims at establishing a common understanding of terminology in this context. Further it investigates which security controls are currently applied in PAIS.MethodA systematic literature review is conducted in order to classify and define security and security controls in PAIS. From initially 424 papers, we selected in total 275 publications that related to security and PAIS between 1993 and 2012. Furthermore, we analyzed and categorized the papers using a systematic mapping approach which resulted into 5 categories and 12 security controls.ResultsIn literature, security in PAIS often centers on specific (security) aspects such as security policies, security requirements, authorization and access control mechanisms, or inter-organizational scenarios. In addition, we identified 12 security controls in the area of security concepts, authorization and access control, applications, verification, and failure handling in PAIS. Based on the results, open research challenges and gaps are identified and discussed with respect to possible solutions.ConclusionThis survey provides a comprehensive review of current security practice in PAIS and shows that security in PAIS is a challenging interdisciplinary research field that assembles research methods and principles from security and PAIS. We show that state of the art provides a rich set of methods such as access control models but still several open research challenges remain.     

An architecture for automatically developing secure OLAP applications from models

ContextDecision makers query enterprise information stored in Data Warehouses (DW) by using tools (such as On-Line Analytical Processing (OLAP) tools) which use specific views or cubes from the corporate DW or Data Marts, based on the multidimensional modeling. Since the information managed is critical, security constraints have to be correctly established in order to avoid unauthorized accesses.ObjectiveIn previous work we have defined a Model-Driven based approach for developing a secure DWs repository by following a relational approach. Nevertheless, is also important to define security constraints in the metadata layer that connects the DWs repository with the OLAP tools, that is, over the same multidimensional structures that final users manage. This paper defines a proposal to develop secure OLAP applications and incorporates it into our previous approach.MethodOur proposal is composed of models and transformations. Our models have been defined using the extension capabilities from UML (conceptual model) and extending the OLAP package of CWM with security (logical model). Transformations have been defined by using a graphical notation and implemented into QVT and MOFScript. Finally, this proposal has been evaluated through case studies.ResultsA complete MDA architecture for developing secure OLAP applications. The main contributions of this paper are: improvement of a UML profile for conceptual modeling; definition of a logical metamodel for OLAP applications; and definition and implementation of transformations from conceptual to logical models, and from logical models to the secure implementation into a specific OLAP tool (SSAS).ConclusionOur proposal allows us to develop secure OLAP applications, providing a complete MDA architecture composed of several security models and automatic transformations towards the final secure implementation. Security aspects are early identified and fitted into a most robust solution that provides us a better information assurance and a saving of time in maintenance.     

Rigorous automated network security management

Achieving a security goal in a networked system requires the cooperation of a variety of devices, each device potentially requiring a different configuration. Many information security problems may be solved with appropriate models of these devices and their interactions, giving a systematic way to handle the complexity of real situations.We present an approach, rigorous automated network security management, that front-loads formal modeling and analysis before problem solving, thereby providing easy-to-run tools with rigorously justified results. With this approach, we model the network and a class of practically important security goals. The models derived suggest algorithms that, given system configuration information, determine the security goals satisfied by the system. The modeling provides rigorous justification for the algorithms, which may then be implemented as ordinary computer programs requiring no formal methods training to operate.We have applied this approach to several problems. In this paper we describe two: distributed packet filtering and the use of IP security (IPsec) gateways. We also describe how to piece together the two separate solutions to these problems, jointly enforcing packet filtering as well as IPsec authentication and confidentiality on a single network.     

Utilizing architectural styles to enhance the adaptation support of middleware platforms

ContextModern middleware platforms provide the applications deployed on top of them with facilities for their adaptation. However, the level of adaptation support provided by the state-of-the-art middleware solutions is often limited to dynamically loading and off-loading of software components. Therefore, it is left to the application developers to handle the details of change such that the system’s consistency is not jeopardized.ObjectiveWe aim to change the status quo by providing the middleware facilities necessary to ensure the consistency of software after adaptation. We would like these facilities to be reusable across different applications, such that the middleware can streamline the process of achieving safe adaptation.MethodOur approach addresses the current shortcomings by utilizing the information encoded in a software system’s architectural style. This information drives the development of reusable adaptation patterns. The patterns specify both the exact sequence of changes and the time at which those changes need to occur. We use the patterns to provide advanced adaptation support on top of an existing architectural middleware platform.ResultsOur experience shows the feasibility of deriving detailed adaptation patterns for several architectural styles. Applying the middleware to adapt two real-world software systems shows the approach is effective in consistently adapting these systems without jeopardizing their consistency.ConclusionWe conclude the approach is effective in alleviating the application developers from the responsibility of managing the adaptation process at the application-level. Moreover, we believe this study provides the foundation for changing the way adaptation support is realized in middleware solutions.     

Designing hypermedia information retrieval systems for multimedia art catalogues

Abstract

Multimedia art catalogues present a number of recurring characteristics in both the type of data and the users involved, and in the type of operations required. Typical data include textual catalogue cards manageable through an information retrieval system (IRS), as well as textual captions, images, video, and speech, organizable as a hypermedia network. In this paper we propose a model for the design of these applications, and discuss its effectiveness in improving the quality of the application. The model exploits a multi-level design approach to organize data and access structures of the IRS, while the Entity-Relationship (E-R) approach, tailored to model hypermedia applications, is adopted to describe the structure of the documents and their links.     

A semantic approach to improving machine readability of a large-scale attack graph

Automation in cyber security can be achieved by using attack graphs. Attack graphs allow us to model possible paths that a potential attacker can use to intrude into a target network. In particular, graph representation is often used to increase visibility of information, but it is not effective when a large-scale attack graph is produced. However, it is inevitable that such a voluminous attack graph is generated by modeling a variety of data from an increasing number of network hosts. Therefore, we need more intelligent ways of inferring the knowledge required to harden network security from the attack graph, beyond getting information such as possible attack paths. Ontology technology enables a machine to understand information and makes it easier to infer knowledge based on relational facts from big data. Constructing ontology in the domain of attack graph generation is a prerequisite for increasing machine intelligence and implementing an automated process. In this paper, we propose a semantic approach to make a large-scale attack graph machine readable. The approach provides several benefits. First, users can obtain relational facts based on reasoning from a large-scale attack graph, and the semantics of an attack graph can provide intuition to users. In addition, intelligence-based security assessment can be possible using the obtained ontological structures. By improving the machine readability of an attack graph, our approach could lead to automated assessment of network security.

     

A survey of experienced user perceptions about software design patterns

ContextAlthough the concept of the software design pattern is well-established, there is relatively little empirical knowledge about the patterns that experienced users consider to be most valuable.AimTo identify which patterns from the set catalogued by the ‘Gang of Four’ are considered to be useful by experienced users, which ones are considered as not being useful, and why this is so.MethodWe undertook a web-based survey of experienced pattern users, seeking information about their experiences as software developers and maintainers. Our sampling frame consisted of the authors of all of the pattern papers that we had identified in a preceding systematic review of studies of patterns.ResultsWe received 206 usable responses, corresponding to a response rate of 19% from the original sampling frame. Most respondents were involved with software development rather than maintenance.ConclusionWhile patterns can provide a means of sharing ‘knowledge schemas’ between designers, only three patterns were widely regarded as valuable. Around one quarter of the patterns gained very low approval or worse. These observations need to be considered when using patterns; teaching students about the pattern concept; and planning empirical studies about patterns.     

A metamodeling approach for pattern specification and management

The formal specification of design patterns is central to pattern research and is the foundation of solving various pattern-related problems.In this paper,we propose a metamodeling approach for pattern specification,in which a pattern is modeled as a meta-level class and its participants are meta-level references.Instead of defining a new metamodel,we reuse the Unified Modeling Language(UML)metamodel and incorporate the concepts of Variable and Set into our approach,which are unavailable in the UML but essential for pattern specification.Our approach provides straightforward solutions for pattern-related problems,such as pattern instantiation,evolution,and implementation.By integrating the solutions into a single framework,we can construct a pattern management system,in which patterns can be instantiated,evolved,and implemented in a correct and manageable way.     

MobileTrust: a trust enhanced security architecture for mobile agent systems

While offering many practical benefits for distributed applications, mobile agent systems pose some fundamental security challenges. In this paper, we present a new approach to mobile agent security which helps to address some of these challenges. We present a new technique, which we refer to as trust enhanced security, and apply it to mobile agent-based systems; this new technique advocates a shift in security solutions from security-centric to trust-centric. This extends the traditional security mechanisms by enabling trust decisions through explicit specification and management of security-related trust relationships. The integration of the trust decisions into security decision-making process leads to our trust enhanced security performance. A formal trust model is proposed and is incorporated into the development of a novel trust management architecture—MobileTrust for mobile agent-based applications. We have conducted detailed practical investigations to evaluate and validate the emergent properties of the trust enhanced security technique. We present and discuss the key results in this paper.     

Aspect-orientation is a rewarding investment into future code changes – As long as the aspects hardly change

ContextAspect-Oriented Programming (AOP) is often described as a technique which improves the resulting software’s modularity. However, previous experiments seem to indicate that AOP is a technique which potentially increases the development or maintenance time. A possible reason why previous experiments were not able to show such a benefit is that those experiments did not consider situations where AOP has its strength: situations where aspects change.ObjectivesOur objective is to analyze whether initial higher development times caused by aspect-oriented programming can be compensated by frequent changes on the aspect code.MethodThis study is an empirical study with 15 subjects based on a within-subject design (repeated measurement) using two randomized groups. The measurement is development time until programming tasks completion. Additionally, an exploratory study is performed which analyzed (a) in separation out- and under-performing subjects with respect to development time, (b) the possible influence of the lines of code, (c) the possible influence of the number of advice and pointcuts, and finally (d) the possible impact of if-statements in the aspect-oriented solutions.ResultsThe experiment shows that frequent changes in the crosscutting code which do not change the aspect’s underlying structure compensate an initial higher development time for those concerns. But it also shows that changes, which do alter the concern’s structure again, result in higher development times when using AOP. Furthermore, the paper shows that the results are similar for out- and under-performing subjects in the experiment. Finally it shows that if changes are required in an aspect’s structure, subjects tend to perform such structural changes in a non-uniform way.ConclusionAOP is a potential rewarding investment into future code changes – but it has risks.     

Blending design patterns with aspects: A quantitative study

Design patterns often need to be blended (or composed) when they are instantiated in a software system. The composition of design patterns consists of assigning multiple pattern elements into overlapping sets of classes in a software system. Whenever the modularity of each design pattern is not preserved in the source code, their implementation becomes tangled with each other and with the classes’ core responsibilities. As a consequence, the change or removal of each design pattern will be costly or prohibitive as the software system evolves. In fact, composing design patterns is much harder than instantiating them in an isolated manner. Previous studies have found design pattern implementations are naturally crosscutting in object-oriented systems, thereby making it difficult to modularly compose them. Therefore, aspect-oriented programming (AOP) has been pointed out as a natural alternative for modularizing and blending design patterns. However, there is little empirical knowledge on how AOP models influence the composability of widely used design patterns. This paper investigates the influence of using AOP models for composing the Gang-of-Four design patterns. Our study categorizes different forms of pattern composition and studies the benefits and drawbacks of AOP in these contexts. We performed assessments of several pair-wise compositions taken from 3 medium-sized systems implemented in Java and two AOP models, namely, AspectJ and Compose*. We also considered complex situations where more than two patterns involved in each composition, and the patterns were interacting with other aspects implementing other crosscutting concerns of the system. In general, we observed two dominant factors impacting the pattern composability with AOP: (i) the category of the pattern composition, and (ii) the AspectJ idioms used to implement the design patterns taking part in the composition.     

SealFSv2: combining storage-based and ratcheting for tamper-evident logging

Tamper-evident logging is paramount for forensic audits and accountability subsystems. It is based on a forward integrity model: upon intrusion, the attacker is not able to counterfeit the logging data generated before controlling the system. There are local and distributed solutions to this problem. Distributed solutions are suitable for common scenarios, albeit not appropriate for autonomous and loosely connected systems. Moreover, they can be complex and introduce new security issues. Traditional local tamper-evident logging systems use cryptographic ratchets. In previous works, we presented SealFS (from now on, SealFSv1), a system that follows a radically different approach for local tamper-evident logging based on keystream storage. In this paper, we present a new version, SealFSv2, which combines ratcheting and storage-based log anti-tamper protection. This new approach is flexible and enables the user to decide between complete theoretical security (like in SealFSv1) and partial linear degradation (like in a classical ratchet scheme), exchanging storage for computation with user-defined parameters to balance security and resource usage. We also describe an implementation of this scheme. This implementation, which showcases our approach, is an optimized evolution of the original sealfs Linux kernel module. It implements a stackable file system that enables transparent tamper-evident logging to all user space applications and provides instant deployability. Last, we present a complete performance evaluation of our current implementation and a fair performance comparison of the two opposite approaches for local tamper-evident logging (i.e., storage-based vs. ratcheting). This comparison suggests that, on current systems and general-purpose hardware, the storage-based approach and hybrid schemes perform better than the traditional ratchet approach.