Hard Problems: Resilient Security Architectures (ACM)

SoS Logo

Hard Problems: Resilient Security Architectures (ACM)


Resilient security architectures are a hard problem in the Science of Security.  A survey of the ACM Digital Library found these scholarly articles about research into resilient security architectures that were published in 2014. A separate listing of works published by IEEE is referenced under the heading “Resilient Security Architectures (IEEE).” A great deal of research useful to resilience is coming from the literature on control theory. In addition to the Science of Security community, much of this work is also relevant to the SURE project.


Stylianos Gisdakis, Thanassis Giannetsos, Panos Papadimitratos; SPPEAR: Security & Privacy-Preserving Architecture for Participatory-Sensing Applications; WiSec '14 Proceedings of the 2014 ACM Conference On Security And Privacy In Wireless & Mobile Networks, July 2014, Pages 39-50. Doi: 10.1145/2627393.2627402  Abstract: Recent advances in sensing, computing, and networking have paved the way for the emerging paradigm of participatory sensing (PS). The openness of such systems and the richness of user data they entail raise significant concerns for their security, privacy and resilience. Prior works addressed different aspects of the problem. But in order to reap the benefits of this new sensing paradigm, we need a comprehensive solution. That is, a secure and accountable PS system that preserves user privacy, and enables the provision of incentives to the participants. At the same time, we are after a PS system that is resilient to abusive users and guarantees privacy protection even against multiple misbehaving PS entities (servers). We address these seemingly contradicting requirements with our SPPEAR architecture. Our full blown implementation and experimental evaluation demonstrate that SPPEAR is efficient, practical, and scalable. Last but not least, we formally assess the achieved security and privacy properties. Overall, our system is a comprehensive solution that significantly extends the state-of-the-art and can catalyze the deployment of PS applications.
Keywords: anonymity, participatory sensing, privacy, security (ID#: 15-5487)


Balakrishnan Chandrasekaran, Theophilus Benson; Tolerating SDN Application Failures with LegoSDN; HotNets-XIII Proceedings of the 13th ACM Workshop on Hot Topics in Networks, October 2014, Page 22. Doi:  10.1145/2670518.2673880 Abstract: Despite Software Defined Network's (SDN) proven benefits, there remains significant reluctance in adopting it. Among the issues that hamper SDN's adoption two stand out: reliability and fault tolerance. At the heart of these issues is a set of fate-sharing relationships: The first between the SDN-Apps and controllers, where-in the crash of the former induces a crash of the latter, and thereby affecting availability; and, the second between the SDN-App and the network, where-in a byzantine failure e.g., black-holes and network-loops, induces a failure in the network, and thereby affecting network availability. The principal position of this paper is that availability is of utmost concern -- second only to security. To this end, we present a re-design of the controller architecture centering around a set of abstractions to eliminate these fate-sharing relationships, and make the controllers and network resilient to SDN-App failures. We illustrate how these abstractions can be used to improve the reliability of an SDN environment, thus eliminating one of the barriers to SDN's adoption.
Keywords: Fault Tolerance, Software-Defined Networking (ID#: 15-5488)
URL: http://doi.acm.org/10.1145/2670518.2673880


Daniel Migault, Daniel Palomares, Hendrik Hendrik, Maryline Laurent; Secure IPsec Based Offload Architectures for Mobile Data; Q2SWinet '14 Proceedings of the 10th ACM Symposium on QoS and Security For Wireless And Mobile Networks, September 2014, Pages 95-104. Doi: 10.1145/2642687.2642690 Abstract: Radio Access Network (RAN) are likely to be overloaded, and some places will not be able to provide the necessary requested bandwidth. In order to respond to the demand of bandwidth, overloaded RAN are currently offloading their traffic on WLAN. WLAN Access Points like (ISP provided xDSL boxes) are untrusted, unreliable and do not handle mobility. As a result, mobility, multihoming, and security cannot be handled by the network anymore, and must be handled by the terminal. This paper positions offload architectures based on IPsec and shows that IPsec can provide end-to-end security, as well as seamless connectivity across IP networks. Then, the remaining of the paper evaluates how mobility on these IPsec based architectures impacts the Quality of Service (QoS) for real time applications such as an audio streaming service. QoS is measured using network interruption time and POLQA. Measurements compare TCP/HLS and UDP/RTSP over various IPsec configurations.
Keywords: IPsec mobility, IPsec multiple interfaces, quality of service, terminal mobility, wlan offload architecture (ID#: 15-5489)
URL: http://doi.acm.org/10.1145/2642687.2642690


Teklemariam Tsegay Tesfay, Jean-Pierre Hubaux, Jean-Yves Le Boudec, Philippe Oechslin; Cyber-secure Communication Architecture for Active Power Distribution Networks; SAC '14 Proceedings of the 29th Annual ACM Symposium on Applied Computing, March 2014, Pages 545-552. Doi:  10.1145/2554850.2555082 Abstract: Active power distribution networks require sophisticated monitoring and control strategies for efficient energy management and automatic adaptive reconfiguration of the power infrastructure. Such requirements are realised by deploying a large number of various electronic automation and communication field devices, such as Phasor Measurement Units (PMUs) or Intelligent Electronic Devices (IEDs), and a reliable two-way communication infrastructure that facilitates transfer of sensor data and control signals. In this paper, we perform a detailed threat analysis in a typical active distribution network's automation system. We also propose mechanisms by which we can design a secure and reliable communication network for an active distribution network that is resilient to insider and outsider malicious attacks, natural disasters, and other unintended failure. The proposed security solution also guarantees that an attacker is not able to install a rogue field device by exploiting an emergency situation during islanding.
Keywords: PKI, active distribution network, authentication, islanding, smart grid, smart grid security, unauthorised access (ID#: 15-5490)
URL: http://doi.acm.org/10.1145/2554850.2555082


Rui Zhuang, Scott A. DeLoach, Xinming Ou; Towards a Theory of Moving Target Defense; MTD '14 Proceedings of the First ACM Workshop on Moving Target Defense, November 2014, Pages 31-40. Doi: 10.1145/2663474.2663479 Abstract: The static nature of cyber systems gives attackers the advantage of time. Fortunately, a new approach, called the Moving Target Defense (MTD) has emerged as a potential solution to this problem. While promising, there is currently little research to show that MTD systems can work effectively in real systems. In fact, there is no standard definition of what an MTD is, what is meant by attack surface, or metrics to define the effectiveness of such systems. In this paper, we propose an initial theory that will begin to answer some of those questions. The paper defines the key concepts required to formally talk about MTD systems and their basic properties. It also discusses three essential problems of MTD systems, which include the MTD Problem (or how to select the next system configuration), the Adaptation Selection Problem, and the Timing Problem. We then formalize the MTD Entropy Hypothesis, which states that the greater the entropy of the system's configuration, the more effective the MTD system.
Keywords: computer security, moving target defense, network security, science of security (ID#: 15-5491)


S. T. Choden Konigsmark, Leslie K. Hwang, Deming Chen, Martin D. F. Wong; System-of-PUFs: Multilevel Security for Embedded Systems; CODES '14 Proceedings of the 2014 International Conference on Hardware/Software Codesign and System Synthesis, October 2014, Article No. 27. Doi: 10.1145/2656075.2656099 Abstract: Embedded systems continue to provide the core for a wide range of applications, from smart-cards for mobile payment to smart-meters for power-grids. The resource and power dependency of embedded systems continues to be a challenge for state-of-the-art security practices. Moreover, even theoretically secure algorithms are often vulnerable in their implementation. With decreasing cost and complexity, physical attacks are an increasingly important threat. This threat led to the development of Physically Unclonable Functions (PUFs) which are disordered physical systems with various applications in hardware security. However, consistent security oriented design of embedded systems remains a challenge, as most formalizations and security models are concerned with isolated physical components or high-level concept. We provide four unique contributions: (i) We propose a system-level security model to overcome the chasm between secure components and requirements of high-level protocols; this enables synergy between component-oriented security formalizations and theoretically proven protocols. (ii) An analysis of current practices in PUF protocols using the proposed system-level security model; we identify significant issues and expose assumptions that require costly security techniques. (iii) A System-of-PUF (SoP) that utilizes the large PUF design-space to achieve security requirements with minimal resource utilization; SoP requires 64% less gate-equivalent units than recently published schemes. (iv) A multilevel authentication protocol based on SoP which is validated using our system-level security model and which overcomes current vulnerabilities. Furthermore, this protocol offers breach recognition and recovery.
Keywords: hardware authentication, physically unclonable functions (ID#: 15-5492)
URL: http://doi.acm.org/10.1145/2656075.2656099


Markus Kammerstetter, Lucie Langer, Florian Skopik, Wolfgang Kastner; Architecture-Driven Smart Grid Security Management;  IH&MMSec '14 Proceedings of the 2nd ACM Workshop On Information Hiding And Multimedia Security, June 2014, Pages 153-158. Doi: 10.1145/2600918.2600937 Abstract: The introduction of smart grids goes along with an extensive use of ICT technologies in order to support the integration of renewable energy sources. However, the use of ICT technologies bears risks in terms of cyber security attacks which could negatively affect the electrical power grid. These risks need to be assessed, mitigated and managed in a proper way to ensure the security of both current and future energy networks. Existing approaches have been either restricted to very specific components of the smart grid (e.g., smart meters), or provide a high-level view only. We therefore propose an architecture-driven security management approach for smart grids which goes beyond a mere abstract view without focusing too much on technical details. Our approach covers architecture modeling, risk identification and assessment as well as risk mitigation and compliance checking. We have proven the practical usability of this process together with leading manufacturers and utilities.
Keywords: risks, security, security management, smart grid (ID#: 15-5493)
URL: http://doi.acm.org/10.1145/2600918.2600937


Bradley Schmerl, Javier Cámara, Jeffrey Gennari, David Garlan, Paulo Casanova, Gabriel A. Moreno, Thomas J. Glazier, Jeffrey M. Barnes; Architecture-Based Self-Protection: Composing and Reasoning About Denial-of-Service Mitigations; HotSoS '14 Proceedings of the 2014 Symposium and Bootcamp on the Science of Security, April 2014, Article No. 2. Doi: 10.1145/2600176.2600181 Abstract: Security features are often hardwired into software applications, making it difficult to adapt security responses to reflect changes in runtime context and new attacks. In prior work, we proposed the idea of architecture-based self-protection as a way of separating adaptation logic from application logic and providing a global perspective for reasoning about security adaptations in the context of other business goals. In this paper, we present an approach, based on this idea, for combating denial-of-service (DoS) attacks. Our approach allows DoS-related tactics to be composed into more sophisticated mitigation strategies that encapsulate possible responses to a security problem. Then, utility-based reasoning can be used to consider different business contexts and qualities. We describe how this approach forms the underpinnings of a scientific approach to self-protection, allowing us to reason about how to make the best choice of mitigation at runtime. Moreover, we also show how formal analysis can be used to determine whether the mitigations cover the range of conditions the system is likely to encounter, and the effect of mitigations on other quality attributes of the system. We evaluate the approach using the Rainbow self-adaptive framework and show how Rainbow chooses DoS mitigation tactics that are sensitive to different business contexts.
Keywords: denial-of-service, probabilistic model checking, self-adaptation (ID#: 15-5494)
URL: http://doi.acm.org/10.1145/2600176.2600181


David Basin, Cas Cremers, Tiffany Hyun-Jin Kim, Adrian Perrig, Ralf Sasse, Pawel Szalachowski; ARPKI: Attack Resilient Public-Key Infrastructure; CCS '14 Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, November 2014, Pages 382-393. Doi:  10.1145/2660267.2660298 Abstract: We present ARPKI, a public-key infrastructure that ensures that certificate-related operations, such as certificate issuance, update, revocation, and validation, are transparent and accountable. ARPKI is the first such infrastructure that systematically takes into account requirements identified by previous research. Moreover, ARPKI is co-designed with a formal model, and we verify its core security property using the Tamarin prover. We present a proof-of-concept implementation providing all features required for deployment. ARPKI efficiently handles the certification process with low overhead and without incurring additional latency to TLS. ARPKI offers extremely strong security guarantees, where compromising n-1 trusted signing and verifying entities is insufficient to launch an impersonation attack. Moreover, it deters misbehavior as all its operations are publicly visible.
Keywords: attack resilience, certificate validation, formal validation, public log servers, public-key infrastructure, tls (ID#: 15-5495)
URL: http://doi.acm.org/10.1145/2660267.2660298


Teng Xu, James Bradley Wendt, Miodrag Potkonjak; Secure Remote Sensing and Communication Using Digital PUFs; ANCS '14 Proceedings of the Tenth ACM/IEEE Symposium on Architectures for Networking and Communications Systems, October 2014, Pages 173-184. Doi: 10.1145/2658260.2658279 Abstract: Small form, mobile, and remote sensor network systems require secure and ultralow power data collection and communication solutions due to their energy constraints. The physical unclonable function (PUF) has emerged as a popular modern low power security primitive. However, current designs are analog in nature and susceptible to instability and difficult to integrate into existing circuitry. In this paper, we present the digital PUF which is stable in the same sense that digital logic is stable, has a very small footprint and very small timing overhead, and can be easily integrated into existing designs. We demonstrate the use of the digital PUF on two applications that are crucial for sensor networks: trusted remote sensing and logic obfuscation. We present our security analysis using standard randomness tests and confusion and diffusion analysis, and apply our new obfuscation approach on a set of standard design benchmarks.
Keywords: security (ID#: 15-5496)
URL: http://doi.acm.org/10.1145/2658260.2658279


Gilles Barthe, Gustavo Betarte, Juan Campo, Carlos Luna, David Pichardie; System-level Non-interference for Constant-time Cryptography; CCS '14 Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, November 2014, Pages 1267-1279. Doi: 10.1145/2660267.2660283 Abstract: Cache-based attacks are a class of side-channel attacks that are particularly effective in virtualized or cloud-based environments, where they have been used to recover secret keys from cryptographic implementations. One common approach to thwart cache-based attacks is to use constant-time implementations, i.e., which do not branch on secrets and do not perform memory accesses that depend on secrets. However, there is no rigorous proof that constant-time implementations are protected against concurrent cache-attacks in virtualization platforms with shared cache; moreover, many prominent implementations are not constant-time. An alternative approach is to rely on system-level mechanisms. One recent such mechanism is stealth memory, which provisions a small amount of private cache for programs to carry potentially leaking computations securely. Stealth memory induces a weak form of constant-time, called S-constant-time, which encompasses some widely used cryptographic implementations. However, there is no rigorous analysis of stealth memory and S-constant-time, and no tool support for checking if applications are S-constant-time.  We propose a new information-flow analysis that checks if an x86 application executes in constant-time, or in S-constant-time. Moreover, we prove that constant-time (resp. S-constant-time) programs do not leak confidential information through the cache to other operating systems executing concurrently on virtualization platforms (resp. platforms supporting stealth memory). The soundness proofs are based on new theorems of independent interest, including isolation theorems for virtualization platforms (resp. platforms supporting stealth memory), and proofs that constant-time implementations (resp. S-constant-time implementations) are non-interfering with respect to a strict information flow policy which disallows that control flow and memory accesses depend on secrets. We formalize our results using the Coq proof assistant and we demonstrate the effectiveness of our analyses on cryptographic implementations, including PolarSSL AES, DES and RC4, SHA256 and Salsa20.
Keywords: cache-based attacks, constant-time cryptography, coq, non-interference, stealth memory (ID#: 15-5497)
URL: http://doi.acm.org/10.1145/2660267.2660283


Fangzhou Yao, Read Sprabery, Roy H. Campbell; CryptVMI: A Flexible and Encrypted Virtual Machine Introspection System in the Cloud;  SCC '14 Proceedings of the 2nd International Workshop on Security in Cloud Computing, June 2014, Pages 11-18. Doi: 10.1145/2600075.2600078 Abstract: Virtualization has demonstrated its importance in both public and private cloud computing solutions. In such environments, multiple virtual instances run on the same physical machine concurrently. Thus, the isolation in the system is not guaranteed by the physical infrastructure anymore. Reliance on logical isolation makes a system vulnerable to attacks. Thus, Virtual Machine Introspection techniques become essential, since they simplify the process to acquire evidence for further analysis in this complex system. However, Virtual Machine Introspection tools for the cloud are usually written specifically for a single system and do not provide a standard interface to work with other security monitoring systems. Moreover, this technique breaks down the borders of the segregation between multiple tenants, which should be avoided in a public cloud computing environment. In this paper, we focus on building a flexible and encrypted Virtual Machine Introspection system, CryptVMI, to address the above concerns. Our approach maintains a client application on the user end to send queries to the cloud, as well as parse the results returned in a standard form. We also have a handler that cooperates with an introspection application in the cloud infrastructure to process queries and return encrypted results. This work shows our design and implementation of this system, and the benchmark results prove that it does not incur much performance overhead.
Keywords: cloud computing, confidentiality, virtual machine introspection, virtualization (ID#: 15-5498)
URL: http://doi.acm.org/10.1145/2600075.2600078


Arto Juhola, Titta Ahola, Kimmo Ahola; Adaptive Risk Management with Ontology Linked Evidential Statistics and SDN; ECSAW '14 Proceedings of the 2014 European Conference on Software Architecture Workshops, August 2014, Article No. 2.  Doi: 10.1145/2642803.2642805 Abstract: New technologies have increased the dynamism of distributed systems; advances such as Software Defined Networking (SDN) and cloud computing enable unprecedented service flexibility and scalability. By their nature, they are in a constant state of flux, presenting tough challenges for system security. Here an adaptive -- in real time - risk management system capable of keeping abreast of these developments is considered. This paper presents an on-going work on combining a hierarchical threat ontology, real-time risk analysis, and SDN to an efficient whole. The main contribution of this paper is on finding the suitable architectures, components, necessary requirements, and favorable modifications on the systems and system modelling (including the models involving the security analysis) to reach this goal.
Keywords: Adaptive security, Dempster-Schafer, Dezert-Smarandache, Neural Network inspired Fuzzy C-means, SDN, Threat ontology (ID#: 15-5499)
URL: http://doi.acm.org/10.1145/2642803.2642805


Tomas Bures, Petr Hnetynka, Frantisek Plasil; Strengthening Architectures of Smart CPS by Modeling Them as Runtime Product-Lines; CBSE '14 Proceedings of the 17th International ACM Sigsoft Symposium On Component-Based Software Engineering, June 2014, Pages 91-96.  Doi: 10.1145/2602458.2602478 Abstract: Smart Cyber-Physical Systems (CPS) are complex distributed decentralized systems of cooperating mobile and stationary devices which closely interact with the physical environment. Although Component-Based Development (CBD) might seem as a viable solution to target the complexity of smart CPS, existing component models scarcely cope with the open-ended and very dynamic nature of smart CPS. This is especially true for design-time modeling using hierarchical explicit architectures, which traditionally provide an excellent means of coping with complexity by providing multiple levels of abstractions and explicitly specifying communication links between component instances. In this paper we propose a modeling method (materialized in the SOFA NG component model) which conveys the benefits of explicit architectures of hierarchical components to the design of smart CPS. Specifically, we base our method on modeling systems as reference architectures of Software Product Lines (SPL). Contrary to traditional SPL, which is a fully design-time approach, we create SPL configurations at runtime. We do so in a decentralized way by translating the configuration process to the process of establishing component ensembles (i.e. dynamic cooperation groups of components) of our DEECo component model.
Keywords: component model, component-based development, cyber-physical systems, software architecture, software components (ID#: 15-5500)
URL: http://doi.acm.org/10.1145/2602458.2602478


Benoît Libert, Marc Joye, Moti Yung; Born and Raised Distributively: Fully Distributed Non-Interactive Adaptively-Secure Threshold Signatures with Short Shares; PODC '14 Proceedings of the 2014 ACM Symposium On Principles Of Distributed Computing, July 2014, Pages 303-312. Doi: 10.1145/2611462.2611498 Abstract: Threshold cryptography is a fundamental distributed computational paradigm for enhancing the availability and the security of cryptographic public-key schemes. It does it by dividing private keys into n shares handed out to distinct servers. In threshold signature schemes, a set of at least t+1 ≤ n servers is needed to produce a valid digital signature. Availability is assured by the fact that any subset of t+1 servers can produce a signature when authorized. At the same time, the scheme should remain robust (in the fault tolerance sense) and unforgeable (cryptographically) against up to t corrupted servers; i.e., it adds quorum control to traditional cryptographic services and introduces redundancy. Originally, most practical threshold signatures have a number of demerits: They have been analyzed in a static corruption model (where the set of corrupted servers is fixed at the very beginning of the attack), they require interaction, they assume a trusted dealer in the key generation phase (so that the system is not fully distributed), or they suffer from certain overheads in terms of storage (large share sizes). In this paper, we construct practical fully distributed (the private key is born distributed), non-interactive schemes --- where the servers can compute their partial signatures without communication with other servers--- with adaptive security (i.e., the adversary corrupts servers dynamically based on its full view of the history of the system). Our schemes are very efficient in terms of computation, communication, and scalable storage (with private key shares of size O(1), where certain solutions incur O(n) storage costs at each server). Unlike other adaptively secure schemes, our schemes are erasure-free (reliable erasure is a hard to assure and hard to administer property in actual systems).  To the best of our knowledge, such a fully distributed highly constrained scheme has been an open problem in the area. In particular, and of special interest, is the fact that Pedersen's traditional distributed key generation (DKG) protocol can be safely employed in the initial key generation phase when the system is born -- although it is well-known not to ensure uniformly distributed public keys. An advantage of this is that this protocol only takes one round optimistically (in the absence of faulty player).
Keywords: adaptive security, availability, distributed key generation, efficiency, erasure-free schemes, fault tolerance, fully distributed systems, non-interactivity, threshold signature schemes (ID#: 15-5501)
URL: http://doi.acm.org/10.1145/2611462.2611498


Javier Cámara, Pedro Correia, Rogério de Lemos, Marco Vieira; Empirical Resilience Evaluation of an Architecture-Based Self-Adaptive Software System; QoSA '14 Proceedings of the 10th International ACM Sigsoft Conference on Quality of Software Architectures, June 2014, Pages 63-72. Doi:  10.1145/2602576.2602577 Abstract: Architecture-based self-adaptation is considered as a promising approach to drive down the development and operation costs of complex software systems operating in ever changing environments. However, there is still a lack of evidence supporting the arguments for the beneficial impact of architecture-based self-adaptation on resilience with respect to other customary approaches, such as embedded code-based adaptation. In this paper, we report on an empirical study about the impact on resilience of incorporating architecture-based self-adaptation in an industrial middleware used to collect data in highly populated networks of devices. To this end, we compare the results of resilience evaluation between the original version of the middleware, in which adaptation mechanisms are embedded at the code-level, and a modified version of that middleware in which the adaptation mechanisms are implemented using Rainbow, a framework for architecture-based self-adaptation. Our results show improved levels of resilience in architecture-based compared to embedded code-based self-adaptation.
Keywords: architecture-based self-adaptation probabilistic model checking, rainbow, resilience evaluation (ID#: 15-5502)
URL: http://doi.acm.org/10.1145/2602576.2602577


Ebrahim Tarameshloo, Philip W.L. Fong, Payman Mohassel; On Protection in Federated Social Computing Systems; CODASPY '14 Proceedings of the 4th ACM Conference on Data and Application Security and Privacy, March 2014, Pages 75-86. Doi: 10.1145/2557547.2557555  Abstract: Nowadays, a user may belong to multiple social computing systems (SCSs) in order to benefit from a variety of services that each SCS may provide. To facilitate the sharing of contents across the system boundary, some SCSs provide a mechanism by which a user may "connect" his accounts on two SCSs. The effect is that contents from one SCS can now be shared to another SCS. Although such a connection feature delivers clear usability advantages for users, it also generates a host of privacy challenges. A notable challenge is that the access control policy of the SCS from which the content originates may not be honoured by the SCS to which the content migrates, because the latter fails to faithfully replicate the protection model of the former. In this paper we formulate a protection model for a federation of SCSs that support content sharing via account connection. A core feature of the model is that sharable contents are protected by access control policies that transcend system boundary - they are enforced even after contents are migrated from one SCS to another. To ensure faithful interpretation of access control policies, their evaluation involves querying the protection states of various SCSs, using Secure Multiparty Computation (SMC). An important contribution of this work is that we carefully formulate the conditions under which policy evaluation using SMC does not lead to the leakage of information about the protection states of the SCSs. We also study the computational problem of statically checking if an access control policy can be evaluated without information leakage. Lastly, we identify useful policy idioms.
Keywords: account connection, composite policy, federated social computing systems, policy language, protection model, safe function evaluation, secure content sharing, secure multiparty computation (ID#: 15-5503)
URL: http://doi.acm.org/10.1145/2557547.2557555


Sebastian Mödersheim, Luca Viganò; Sufficient Conditions for Vertical Composition of Security Protocols; ASIA CCS '14 Proceedings of the 9th ACM Symposium On Information, Computer And Communications Security, June 2014, Pages 435-446.   Doi: 10.1145/2590296.2590330 Abstract: Vertical composition of security protocols means that an application protocol (e.g., a banking service) runs over a channel established by another protocol (e.g., a secure channel provided by TLS). This naturally gives rise to a compositionality question: given a secure protocol P1 that provides a certain kind of channel as a goal and another secure protocol P2 that assumes this kind of channel, can we then derive that their vertical composition P2[P1] is secure? It is well known that protocol composition can lead to attacks even when the individual protocols are all secure in isolation. In this paper, we formalize seven easy-to-check static conditions that support a large class of channels and applications and that we prove to be sufficient for vertical security protocol composition.
Keywords: model checking, protocol composition, security protocols, static analysis, verification (ID#: 15-5504)
URL: http://doi.acm.org/10.1145/2590296.2590330


Chuangang Ren, Kai Chen, Peng Liu; Droidmarking: Resilient Software Watermarking for Impeding Android Application Repackaging; ASE '14 Proceedings of the 29th ACM/IEEE International Conference On Automated Software Engineering, September 2014, Pages 635-646. Doi: 10.1145/2642937.2642977  Abstract: Software plagiarism in Android markets (app repackaging) is raising serious concerns about the health of the Android ecosystem. Existing app repackaging detection techniques fall short in detection efficiency and in resilience to circumventing attacks; this allows repackaged apps to be widely propagated and causes extensive damages before being detected. To overcome these difficulties and instantly thwart app repackaging threats, we devise a new dynamic software watermarking technique - Droidmarking - for Android apps that combines the efforts of all stakeholders and achieves the following three goals: (1) copyright ownership assertion for developers, (2) real-time app repackaging detection on user devices, and (3) resilience to evading attacks. Distinct from existing watermarking techniques, the watermarks in Droidmarking are non-stealthy, which means that watermark locations are not intentionally concealed, yet still are impervious to evading attacks. This property effectively enables normal users to recover and verify watermark copyright information without requiring a confidential watermark recognizer. Droidmarking is based on a primitive called self-decrypting code (SDC). Our evaluations show that Droidmarking is a feasible and robust technique to effectively impede app repackaging with relatively small performance overhead.
Keywords: android, app repackaging, software watermarking (ID#: 15-5505)


Sampsa Rauti, Johannes Holvitie, Ville Leppänen; Towards a Diversification Framework for Operating System Protection; CompSysTech '14 Proceedings of the 15th International Conference on Computer Systems and Technologies, June 2014, Pages 286-293. Doi: 10.1145/2659532.2659642  Abstract: In order to use resources of a computer, malware has to know the interfaces provided by the operating system. If we make these critical interfaces unique by diversifying the operating system and user applications, a piece of malware can no longer successfully interact with its environment. Diversification can be considered as a computer-specific secret. This paper discusses how this API diversification could be performed. We also study how much work would be needed to diversify the Linux kernel in order to hide the system call interface from malware.
Keywords: code diversification, malware protection, operating system security (ID#: 15-5506)
URL: http://doi.acm.org/10.1145/2659532.2659642


Ren-Shuo Liu, De-Yu Shen, Chia-Lin Yang, Shun-Chih Yu, Cheng-Yuan Michael Wang; NVM Duet: Unified Working Memory and Persistent Store Architecture; ACM SIGPLAN Notices - ASPLOS '14, Volume 49 Issue 4, April 2014, Pages 455-470. Doi: 10.1145/2644865.2541957  Abstract: Emerging non-volatile memory (NVM) technologies have gained a lot of attention recently. The byte-addressability and high density of NVM enable computer architects to build large-scale main memory systems. NVM has also been shown to be a promising alternative to conventional persistent store. With NVM, programmers can persistently retain in-memory data structures without writing them to disk. Therefore, one can envision that in the future, NVM will play the role of both working memory and persistent store at the same time.  Persistent store demands consistency and durability guarantees, thereby imposing new design constraints on the memory system. Consistency is achieved at the expense of serializing multiple write operations. Durability requires memory cells to guarantee non-volatility and thus reduces the write speed. Therefore, a unified architecture oblivious to these two use cases would lead to suboptimal design. In this paper, we propose a novel unified working memory and persistent store architecture, NVM Duet, which provides the required consistency and durability guarantees for persistent store while relaxing these constraints if accesses to NVM are for working memory. A cross-layer design approach is adopted to achieve the design goal. Overall, simulation results demonstrate that NVM Duet achieves up to 1.68x (1.32x on average) speedup compared with the baseline design.
Keywords:  consistency, durability, memory management, memory scheduler, non-volatile memory, phase-change memory, refresh, resistance drift, resistance distribution, storage-class memory (ID#: 15-5507)
URL: http://doi.acm.org/10.1145/2644865.2541957


Keita Teranishi, Michael A. Heroux; Toward Local Failure Local Recovery Resilience Model using MPI-ULFM; EuroMPI/ASIA '14 Proceedings of the 21st European MPI Users' Group Meeting, September 2014, Pages 51ff.   Doi: 10.1145/2642769.2642774  Abstract: The current system reaction to the loss of a single MPI process is to kill all the remaining processes and restart the application from the most recent checkpoint. This approach will become unfeasible for future extreme scale systems. We address this issue using an emerging resilient computing model called Local Failure Local Recovery (LFLR) that provides application developers with the ability to recover locally and continue application execution when a process is lost. We discuss the design of our software framework to enable the LFLR model using MPI-ULFM and demonstrate the resilient version of MiniFE that achieves a scalable recovery from process failures.
Keywords: Fault Tolerance, MPI, PDE solvers, Scientific Computing, User Level Fault Mitigation (ID#: 15-5508)
URL: http://doi.acm.org/10.1145/2642769.2642774


Fangfang Zhang, Heqing Huang, Sencun Zhu, Dinghao Wu, Peng Liu; ViewDroid: Towards Obfuscation-Resilient Mobile Application Repackaging Detection; WiSec '14 Proceedings of the 2014 ACM Conference On Security And Privacy In Wireless & Mobile Networks, July 2014, Pages 25-36.  Doi: 10.1145/2627393.2627395  Abstract: In recent years, as mobile smart device sales grow quickly, the development of mobile applications (apps) keeps accelerating, so does mobile app repackaging. Attackers can easily repackage an app under their own names or embed advertisements to earn pecuniary profits. They can also modify a popular app by inserting malicious payloads into the original app and leverage its popularity to accelerate malware propagation. In this paper, we propose ViewDroid, a user interface based approach to mobile app repackaging detection. Android apps are user interaction intensive and event dominated, and the interactions between users and apps are performed through user interface, or views. This observation inspires the design of our new birthmark for Android apps, namely, feature view graph, which captures users' navigation behavior across app views. Our experimental results demonstrate that this birthmark can characterize Android apps from a higher level abstraction, making it resilient to code obfuscation. ViewDroid can detect repackaged apps at a large scale, both effectively and efficiently. Our experiments also show that the false positive and false negative rates of ViewDroid are both very low.
Keywords: mobile application, obfuscation resilient, repackaging, user interface (ID#: 15-5509)
URL: http://doi.acm.org/10.1145/2627393.2627395


Kevin M. Carter, James F. Riordan, Hamed Okhravi; A Game Theoretic Approach to Strategy Determination for Dynamic Platform Defenses; MTD '14 Proceedings of the First ACM Workshop on Moving Target Defense, November 2014, Pages 21-30.  Doi: 10.1145/2663474.2663478   Abstract: Moving target defenses based on dynamic platforms have been proposed as a way to make systems more resistant to attacks by changing the properties of the deployed platforms. Unfortunately, little work has been done on discerning effective strategies for the utilization of these systems, instead relying on two generally false premises: simple randomization leads to diversity and platforms are independent. In this paper, we study the strategic considerations of deploying a dynamic platform system by specifying a relevant threat model and applying game theory and statistical analysis to discover optimal usage strategies. We show that preferential selection of platforms based on optimizing platform diversity approaches the statistically optimal solution and significantly outperforms simple randomization strategies. Counter to popular belief, this deterministic strategy leverages fewer platforms than may be generally available, which increases system security.
Keywords: game theory, moving target, system diversity (ID#: 15-5510)


Giovanni Toso, Daniele Munaretto, Mauro Conti, Michele Zorzi; Attack Resilient Underwater Networks Through Software Defined Networking; WUWNET '14 Proceedings of the International Conference on Underwater Networks & Systems, November 2014, Article No. 44.  Doi: 10.1145/2671490.2674589  Abstract: In this paper we discuss how security of Underwater Acoustic Networks (UANs) could be improved by leveraging the concept of Software Defined Networking (SDN). In particular, we consider a set of realistic network deployment scenarios and security threats. We propose possible approaches towards security countermeasures that employ the SDN paradigm, and that could significantly mitigate the impact of attacks. Furthermore, we discuss those approaches with respect to deployment issues such as routing configuration, nodes trajectory optimization, and management of the node buffers. We believe that the proposed approaches could pave the way to further research in the design of UANs that are more resilient to both attacks and failures.  
Keywords: Software Defined Networking, Underwater Acoustic Networks (ID#: 15-5511)


Young-Jin Kim, Keqiang He, Marina Thottan, Jayant G. Deshpande; Self-Configurable and Scalable Utility Communications Enabled by Software-Defined Networks; e-Energy '14 Proceedings of the 5th International Conference On Future Energy Systems, June 2014, Pages 217-218. Doi: 10.1145/2602044.2602074  Abstract: Utility communications are increasingly required to support machine-to-machine communications for thousands to millions of end devices ranging from meters and PMUs to tiny sensors and electric vehicles. The Software Defined Network (SDN) concept provides inherent features to support in a scalable and self-configurable manner the deployment and management of existing and envisioned utility end devices and applications. Using the SDN technology, we can create dynamically adaptable virtual network slices to cost-effectively and securely meet the utility communication needs. The programmability of SDN allows the elastic, fast, and scalable deployment of present and future utility applications with varying requirements on security and time criticality. In this work, we design a SDN-enabled utility communication architecture to support scalable deployment of applications that leverage many utility end devices. The feasibility of the architecture over an SDN network is discussed.
Keywords: machine-to-machine (M2M), performance, scalability, self-configurability (ID#: 15-5512)


Euijin Choo, Jianchun Jiang, Ting Yu; COMPARS: Toward an Empirical Approach for Comparing the Resilience of Reputation Systems; CODASPY '14 Proceedings of the 4th ACM Conference on Data and Application Security and Privacy, March 2014, Pages 87-98. Doi: 10.1145/2557547.2557565  Abstract: Reputation is a primary mechanism for trust management in decentralized systems. Many reputation-based trust functions have been proposed in the literature. However, picking the right trust function for a given decentralized system is a non-trivial task. One has to consider and balance a variety of factors, including computation and communication costs, scalability and resilience to manipulations by attackers. Although the former two are relatively easy to evaluate, the evaluation of resilience of trust functions is challenging. Most existing work bases evaluation on static attack models, which is unrealistic as it fails to reflect the adaptive nature of adversaries (who are often real human users rather than simple computing agents). In this paper, we highlight the importance of the modeling of adaptive attackers when evaluating reputation-based trust functions, and propose an adaptive framework - called COMPARS - for the evaluation of resilience of reputation systems. Given the complexity of reputation systems, it is often difficult, if not impossible, to exactly derive the optimal strategy of an attacker. Therefore, COMPARS takes a practical approach that attempts to capture the reasoning process of an attacker as it decides its next action in a reputation system. Specifically, given a trust function and an attack goal, COMPARS generates an attack tree to estimate the possible outcomes of an attacker's action sequences up to certain points in the future. Through attack trees, COMPARS simulates the optimal attack strategy for a specific reputation function f, which will be used to evaluate the resilience of f. By doing so, COMPARS allows one to conduct a fair and consistent comparison of different reputation functions.
Keywords: evaluation framework, reputation system, resilience, trust functions (ID#: 15-5513)
URL: http://doi.acm.org/10.1145/2557547.2557565


Fan Long, Stelios Sidiroglou-Douskos, Martin Rinard; Automatic Runtime Error Repair and Containment via Recovery Shepherding; PLDI '14 Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2014, Pages 227-238. Doi: 10.1145/2666356.2594337  Abstract: We present a system, RCV, for enabling software applications to survive divide-by-zero and null-dereference errors. RCV operates directly on off-the-shelf, production, stripped x86 binary executables. RCV implements recovery shepherding, which attaches to the application process when an error occurs, repairs the execution, tracks the repair effects as the execution continues, contains the repair effects within the application process, and detaches from the process after all repair effects are flushed from the process state. RCV therefore incurs negligible overhead during the normal execution of the application.  We evaluate RCV on all divide-by-zero and null-dereference errors available in the CVE database [2] from January 2011 to March 2013 that 1) provide publicly-available inputs that trigger the error which 2) we were able to use to trigger the reported error in our experimental environment. We collected a total of 18 errors in seven real world applications, Wireshark, the FreeType library, Claws Mail, LibreOffice, GIMP, the PHP interpreter, and Chromium. For 17 of the 18 errors, RCV enables the application to continue to execute to provide acceptable output and service to its users on the error-triggering inputs. For 13 of the 18 errors, the continued RCV execution eventually flushes all of the repair effects and RCV detaches to restore the application to full clean functionality. We perform a manual analysis of the source code relevant to our benchmark errors, which indicates that for 11 of the 18 errors the RCV and later patched versions produce identical or equivalent results on all inputs.
Keywords: divide-by-zero, error recovery, null-dereference (ID#: 15-5514)
URL: http://doi.acm.org/10.1145/2666356.2594337


Jason XIn Zheng, Miodrag Potkonjak; A Digital PUF-Based IP Protection Architecture for Network Embedded Systems; ANCS '14 Proceedings of the tenth ACM/IEEE Symposium on Architectures for Networking and Communications Systems, October, 2014, Pages 255-256. Doi: 10.1145/2658260.2661776   Abstract: In this paper we present an architecture for a secure embedded system that is resilient to tempering and code injection attacks and offers anti-piracy protection for the software and hardware Intellectual Property (IP). We incorporate digital Physical Unclonable Functions (PUFs) in an authentication mechanism at the machine code level. The digital PUFs are used to de-obfuscate, at run time, a firmware that's issued by a central authority with very little performance and resource overhead. Each PUF is unique to the hosting device, and at the same time can be reconfigured with new seeds. The reconfigurable digital PUFs (drPUFs) have much lower risks of side-channel attacks and vastly higher number of usable challenge-response pairs, while retaining the speed and ease to implementation of digital PUFs.
Keywords: embedded systems, ip protection, obfuscation, puf (ID#: 15-5515)
URL: http://doi.acm.org/10.1145/2658260.2661776


Xing Chen, Wei Yu, David Griffith, Nada Golmie, Guobin Xu; On Cascading Failures and Countermeasures Based on Energy Storage in the Smart Grid; RACS '14 Proceedings of the 2014 Conference on Research in Adaptive and Convergent Systems, October 2014, Pages 291-296. Doi:  10.1145/2663761.2663770  Abstract: Recently, there have been growing concerns about electric power grid security and resilience. The performance of the power grid may suffer from component failures or targeted attacks. A sophisticated adversary may target critical components in the grid, leading to cascading failures and large blackouts. To this end, this paper begins with identifying the most critical components that lead to cascading failures in the grid and then presents a defensive mechanism using energy storage to defend against cascading failures. Based on the optimal power flow control on the standard IEEE power system test cases, we systematically assess component significance, simulate attacks against power grid components, and evaluate the consequences. We also conduct extensive simulations to investigate the effectiveness of deploying Energy Storage Systems (ESSs), in terms of storage capacity and deployment locations, to mitigate cascading failures. Through extensive simulations, our data shows that integrating energy storage systems into the smart grid can efficiently mitigate cascading failures.
Keywords: cascading failure, cascading mitigation, energy storage, smart grid (ID#: 15-5516)


Min Suk Kang, Virgil D. Gligor;  Routing Bottlenecks in the Internet: Causes, Exploits, and Countermeasures; CCS '14 Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, November 2014, Pages 321-333. Doi: 10.1145/2660267.2660299  Abstract: How pervasive is the vulnerability to link-flooding attacks that degrade connectivity of thousands of Internet hosts? Are some geographic regions more vulnerable than others? Do practical countermeasures exist? To answer these questions, we introduce the notion of the routing bottlenecks and show that it is a fundamental property of Internet design; i.e., it is a consequence of route-cost minimizations. We illustrate the pervasiveness of routing bottlenecks in an experiment comprising 15 countries and 15 cities distributed around the world, and measure their susceptibility to scalable link-flooding attacks. We present the key characteristics of routing bottlenecks, including size, link type, and distance from host destinations, and suggest specific structural and operational countermeasures to link-flooding attacks. These countermeasures can be deployed by network operators without needing major Internet redesign.
Keywords: ddos attack, link-flooding attack, power law, routing bottleneck (ID#: 15-5517)
URL: http://doi.acm.org/10.1145/2660267.2660299


Der-Yeuan Yu, Aanjhan Ranganathan, Thomas Locher, Srdjan Capkun, David Basin; Short Paper: Detection of GPS Spoofing Attacks in Power Grids; WiSec '14 Proceedings of the 2014 ACM Conference On Security And Privacy In Wireless & Mobile Networks, July 2014, Pages 99-104.  Doi: 10.1145/2627393.2627398  Abstract: Power companies are deploying a multitude of sensors to monitor the energy grid. Measurements at different locations should be aligned in time to obtain the global state of the grid, and the industry therefore uses GPS as a common clock source. However, these sensors are exposed to GPS time spoofing attacks that cause misaligned aggregated measurements, leading to inaccurate monitoring that affects power stability and line fault contingencies. In this paper, we analyze the resilience of phasor measurement sensors, which record voltages and currents, to GPS spoofing performed by an adversary external to the system. We propose a solution that leverages the characteristics of multiple sensors in the power grid to limit the feasibility of such attacks. In order to increase the robustness of wide-area power grid monitoring, we evaluate mechanisms that allow collaboration among GPS receivers to detect spoofing attacks. We apply multilateration techniques to allow a set of GPS receivers to locate a false GPS signal source. Using simulations, we show that receivers sharing a local clock can locate nearby spoofing adversaries with sufficient confidence.
Keywords: clock synchronization, gps spoofing, power grids (ID#: 15-5518)


Camille Fayollas, Philippe Palanque, Jean-Charles Fabre, David Navarre, Eric Barboni, Martin Cronel, Yannick Deleris; A Fault-Tolerant Architecture for Resilient Interactive Systems; IHM '14 Proceedings of the 26th Conference on l'Interaction Homme-Machine, October 2014, Pages 80-90. Doi:  10.1145/2670444.2670462  Abstract: Research contributions to improve interactive systems reliability as, for now, mainly focused towards fault occurrence prevention by removing software bugs at development time. However, Interactive Systems complexity is so high that whatever efforts are deployed at development time, faults and failures occur at operation time. Root causes of such failures may be due to transient hardware faults or (when systems are used in high atmosphere) may be so called "natural faults" triggered by alpha particles in processors or neutrons from cosmic radiations. This paper proposes an exhaustive identification of faults to be handled in order to improve interactive systems reliability. As currently no research has been carried out in the field of interactive systems to detect and remove natural faults, this paper proposes a software architecture providing fault-tolerant mechanisms dedicated to interactive systems. More precisely, the paper how such architecture addresses the various component of interactive applications namely widgets, user application and window manager. These concepts are demonstrated through a case study from the domain of interactive cockpits of large civil aircrafts.
Keywords: critical interactive systems, fault-tolerance, resilience, software architecture (ID#: 15-5519)
URL: http://doi.acm.org/10.1145/2670444.2670462


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to news@scienceofsecurity.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.