Visible to the public Biblio

Filters: Keyword is software tools  [Clear All Filters]
2021-03-01
Meskauskas, Z., Jasinevicius, R., Kazanavicius, E., Petrauskas, V..  2020.  XAI-Based Fuzzy SWOT Maps for Analysis of Complex Systems. 2020 IEEE International Conference on Fuzzy Systems (FUZZ-IEEE). :1–8.
The classical SWOT methodology and many of the tools based on it used so far are very static, used for one stable project and lacking dynamics [1]. This paper proposes the idea of combining several SWOT analyses enriched with computing with words (CWW) paradigm into a single network. In this network, individual analysis of the situation is treated as the node. The whole structure is based on fuzzy cognitive maps (FCM) that have forward and backward chaining, so it is called fuzzy SWOT maps. Fuzzy SWOT maps methodology newly introduces the dynamics that projects are interacting, what exists in a real dynamic environment. The whole fuzzy SWOT maps network structure has explainable artificial intelligence (XAI) traits because each node in this network is a "white box"-all the reasoning chain can be tracked and checked why a particular decision has been made, which increases explainability by being able to check the rules to determine why a particular decision was made or why and how one project affects another. To confirm the vitality of the approach, a case with three interacting projects has been analyzed with a developed prototypical software tool and results are delivered.
2021-02-08
Chesnokov, N. I., Korochentsev, D. A., Cherckesova, L. V., Safaryan, O. A., Chumakov, V. E., Pilipenko, I. A..  2020.  Software Development of Electronic Digital Signature Generation at Institution Electronic Document Circulation. 2020 IEEE East-West Design Test Symposium (EWDTS). :1–5.
the purpose of this paper is investigation of existing approaches to formation of electronic digital signatures, as well as the possibility of software developing for electronic signature generation at electronic document circulation of institution. The article considers and analyzes the existing algorithms for generating and processing electronic signatures. Authors propose the model for documented information exchanging in institution, including cryptographic module and secure key storage, blockchain storage of electronic signatures, central web-server and web-interface. Examples of the developed software are demonstrated, and recommendations are given for its implementation, integration and using in different institutions.
2020-12-17
Abeykoon, I., Feng, X..  2019.  Challenges in ROS Forensics. 2019 IEEE SmartWorld, Ubiquitous Intelligence Computing, Advanced Trusted Computing, Scalable Computing Communications, Cloud Big Data Computing, Internet of People and Smart City Innovation (SmartWorld/SCALCOM/UIC/ATC/CBDCom/IOP/SCI). :1677—1682.

The usage of robot is rapidly growth in our society. The communication link and applications connect the robots to their clients or users. This communication link and applications are normally connected through some kind of network connections. This network system is amenable of being attached and vulnerable to the security threats. It is a critical part for ensuring security and privacy for robotic platforms. The paper, also discusses about several cyber-physical security threats that are only for robotic platforms. The peer to peer applications use in the robotic platforms for threats target integrity, availability and confidential security purposes. A Remote Administration Tool (RAT) was introduced for specific security attacks. An impact oriented process was performed for analyzing the assessment outcomes of the attacks. Tests and experiments of attacks were performed in simulation environment which was based on Gazbo Turtlebot simulator and physically on the robot. A software tool was used for simulating, debugging and experimenting on ROS platform. Integrity attacks performed for modifying commands and manipulated the robot behavior. Availability attacks were affected for Denial-of-Service (DoS) and the robot was not listened to Turtlebot commands. Integrity and availability attacks resulted sensitive information on the robot.

2020-11-02
Sayed-Ahmed, Amr, Haj-Yahya, Jawad, Chattopadhyay, Anupam.  2019.  SoCINT: Resilient System-on-Chip via Dynamic Intrusion Detection. 2019 32nd International Conference on VLSI Design and 2019 18th International Conference on Embedded Systems (VLSID). :359—364.

Modern multicore System-on-Chips (SoCs) are regularly designed with third-party Intellectual Properties (IPs) and software tools to manage the complexity and development cost. This approach naturally introduces major security concerns, especially for those SoCs used in critical applications and cyberinfrastructure. Despite approaches like split manufacturing, security testing and hardware metering, this remains an open and challenging problem. In this work, we propose a dynamic intrusion detection approach to address the security challenge. The proposed runtime system (SoCINT) systematically gathers information about untrusted IPs and strictly enforces the access policies. SoCINT surpasses the-state-of-the-art monitoring systems by supporting hardware tracing, for more robust analysis, together with providing smart counterintelligence strategies. SoCINT is implemented in an open source processor running on a commercial FPGA platform. The evaluation results validate our claims by demonstrating resilience against attacks exploiting erroneous or malicious IPs.

Fraile, Francisco, Flores, José Luis, Anaya, Victor, Saiz, Eduardo, Poler, Raúl.  2018.  A Scaffolding Design Framework for Developing Secure Interoperability Components in Digital Manufacturing Platforms. 2018 International Conference on Intelligent Systems (IS). :564—569.
This paper presents the Virtual Open Operating System (vf-OS) Input / Output (IO) Toolkit Generator, which is a design tool to develop vf-OS IO components that interact with all kinds of manufacturing assets, either physical devices like Program Logic Controllers (PLCs), software applications like Enterprise Resource Planning Systems (ERPs) or legacy file formats like STEP. The vf-OS IO Toolkit Generator is based on software scaffolding, a code generation technique that allows a developer to create a working component to interact with a manufacturing asset from the vf-OS Platform without writing a line of code. As described in this paper, software scaffolding not only simplifies the development of interoperability components, but it also fosters system security and platform integration automation. Another contribution of this paper is to propose possible integrations between the IO Toolkit Generator and the vf-OS Security Command Centre in charge of platform security. Additionally, this paper describes how the concept can be extended to address other digital manufacturing platforms like Fi-Ware.
2020-03-27
Coblenz, Michael, Sunshine, Joshua, Aldrich, Jonathan, Myers, Brad A..  2019.  Smarter Smart Contract Development Tools. 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB). :48–51.

Much recent work focuses on finding bugs and security vulnerabilities in smart contracts written in existing languages. Although this approach may be helpful, it does not address flaws in the underlying programming language, which can facilitate writing buggy code in the first place. We advocate a re-thinking of the blockchain software engineering tool set, starting with the programming language in which smart contracts are written. In this paper, we propose and justify requirements for a new generation of blockchain software development tools. New tools should (1) consider users' needs as a primary concern; (2) seek to facilitate safe development by detecting relevant classes of serious bugs at compile time; (3) as much as possible, be blockchain-agnostic, given the wide variety of different blockchain platforms available, and leverage the properties that are common among blockchain environments to improve safety and developer effectiveness.

2019-05-01
Mili, S., Nguyen, N., Chelouah, R..  2018.  Attack Modeling and Verification for Connected System Security. 2018 13th Annual Conference on System of Systems Engineering (SoSE). :157–162.

In the development process of critical systems, one of the main challenges is to provide early system validation and verification against vulnerabilities in order to reduce cost caused by late error detection. We propose in this paper an approach that, firstly allows formally describe system security specifications, thanks to our suggested extended attack tree. Secondly, static and dynamic system modeling by using a SysML connectivity profile to model error propagation is introduced. Finally, a model checker has been used in order to validate system specifications.

2019-04-05
Vastel, A., Rudametkin, W., Rouvoy, R..  2018.  FP -TESTER : Automated Testing of Browser Fingerprint Resilience. 2018 IEEE European Symposium on Security and Privacy Workshops (EuroS PW). :103-107.
Despite recent regulations and growing user awareness, undesired browser tracking is increasing. In addition to cookies, browser fingerprinting is a stateless technique that exploits a device's configuration for tracking purposes. In particular, browser fingerprinting builds on attributes made available from Javascript and HTTP headers to create a unique and stable fingerprint. For example, browser plugins have been heavily exploited by state-of-the-art browser fingerprinters as a rich source of entropy. However, as browser vendors abandon plugins in favor of extensions, fingerprinters will adapt. We present FP-TESTER, an approach to automatically test the effectiveness of browser fingerprinting countermeasure extensions. We implement a testing toolkit to be used by developers to reduce browser fingerprintability. While countermeasures aim to hinder tracking by changing or blocking attributes, they may easily introduce subtle side-effects that make browsers more identifiable, rendering the extensions counterproductive. FP-TESTER reports on the side-effects introduced by the countermeasure, as well as how they impact tracking duration from a fingerprinter's point-of-view. To the best of our knowledge, FP-TESTER is the first tool to assist developers in fighting browser fingerprinting and reducing the exposure of end-users to such privacy leaks.
2018-08-23
Vassena, M., Breitner, J., Russo, A..  2017.  Securing Concurrent Lazy Programs Against Information Leakage. 2017 IEEE 30th Computer Security Foundations Symposium (CSF). :37–52.
Many state-of-the-art information-flow control (IFC) tools are implemented as Haskell libraries. A distinctive feature of this language is lazy evaluation. In his influencal paper on why functional programming matters, John Hughes proclaims:,,Lazy evaluation is perhaps the most powerful tool for modularization in the functional programmer's repertoire.,,Unfortunately, lazy evaluation makes IFC libraries vulnerable to leaks via the internal timing covert channel. The problem arises due to sharing, the distinguishing feature of lazy evaluation, which ensures that results of evaluated terms are stored for subsequent re-utilization. In this sense, the evaluation of a term in a high context represents a side-effect that eludes the security mechanisms of the libraries. A naïve approach to prevent that consists in forcing the evaluation of terms before entering a high context. However, this is not always possible in lazy languages, where terms often denote infinite data structures. Instead, we propose a new language primitive, lazyDup, which duplicates terms lazily. By using lazyDup to duplicate terms manipulated in high contexts, we make the security library MAC robust against internal timing leaks via lazy evaluation. We show that well-typed programs satisfy progress-sensitive non-interference in our lazy calculus with non-strict references. Our security guarantees are supported by mechanized proofs in the Agda proof assistant.
2018-06-07
Reynolds, Z. P., Jayanth, A. B., Koc, U., Porter, A. A., Raje, R. R., Hill, J. H..  2017.  Identifying and Documenting False Positive Patterns Generated by Static Code Analysis Tools. 2017 IEEE/ACM 4th International Workshop on Software Engineering Research and Industrial Practice (SER IP). :55–61.

This paper presents our results from identifying anddocumenting false positives generated by static code analysistools. By false positives, we mean a static code analysis toolgenerates a warning message, but the warning message isnot really an error. The goal of our study is to understandthe different kinds of false positives generated so we can (1)automatically determine if an error message is truly indeed a truepositive, and (2) reduce the number of false positives developersand testers must triage. We have used two open-source tools andone commercial tool in our study. The results of our study haveled to 14 core false positive patterns, some of which we haveconfirmed with static code analysis tool developers.

2018-04-04
Zhang, B., Ye, J., Feng, C., Tang, C..  2017.  S2F: Discover Hard-to-Reach Vulnerabilities by Semi-Symbolic Fuzz Testing. 2017 13th International Conference on Computational Intelligence and Security (CIS). :548–552.
Fuzz testing is a popular program testing technique. However, it is difficult to find hard-to-reach vulnerabilities that are nested with complex branches. In this paper, we propose semi-symbolic fuzz testing to discover hard-to-reach vulnerabilities. Our method groups inputs into high frequency and low frequency ones. Then symbolic execution is utilized to solve only uncovered branches to mitigate the path explosion problem. Especially, in order to play the advantages of fuzz testing, our method locates critical branch for each low frequency input and corrects the generated test cases to comfort the branch condition. We also implemented a prototype\textbackslashtextbarS2F, and the experimental results show that S2F can gain 17.70% coverage performance and discover more hard-to-reach vulnerabilities than other vulnerability detection tools for our benchmark.
2018-02-06
Detken, K. O., Jahnke, M., Rix, T., Rein, A..  2017.  Software-Design for Internal Security Checks with Dynamic Integrity Measurement (DIM). 2017 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS). 1:367–373.

Most security software tools try to detect malicious components by cryptographic hashes, signatures or based on their behavior. The former, is a widely adopted approach based on Integrity Measurement Architecture (IMA) enabling appraisal and attestation of system components. The latter, however, may induce a very long time until misbehavior of a component leads to a successful detection. Another approach is a Dynamic Runtime Attestation (DRA) based on the comparison of binary code loaded in the memory and well-known references. Since DRA is a complex approach, involving multiple related components and often complex attestation strategies, a flexible and extensible architecture is needed. In a cooperation project an architecture was designed and a Proof of Concept (PoC) successfully developed and evaluated. To achieve needed flexibility and extensibility, the implementation facilitates central components providing attestation strategies (guidelines). These guidelines define and implement the necessary steps for all relevant attestation operations, i.e. measurement, reference generation and verification.

2018-02-02
Tramèr, F., Atlidakis, V., Geambasu, R., Hsu, D., Hubaux, J. P., Humbert, M., Juels, A., Lin, H..  2017.  FairTest: Discovering Unwarranted Associations in Data-Driven Applications. 2017 IEEE European Symposium on Security and Privacy (EuroS P). :401–416.

In a world where traditional notions of privacy are increasingly challenged by the myriad companies that collect and analyze our data, it is important that decision-making entities are held accountable for unfair treatments arising from irresponsible data usage. Unfortunately, a lack of appropriate methodologies and tools means that even identifying unfair or discriminatory effects can be a challenge in practice. We introduce the unwarranted associations (UA) framework, a principled methodology for the discovery of unfair, discriminatory, or offensive user treatment in data-driven applications. The UA framework unifies and rationalizes a number of prior attempts at formalizing algorithmic fairness. It uniquely combines multiple investigative primitives and fairness metrics with broad applicability, granular exploration of unfair treatment in user subgroups, and incorporation of natural notions of utility that may account for observed disparities. We instantiate the UA framework in FairTest, the first comprehensive tool that helps developers check data-driven applications for unfair user treatment. It enables scalable and statistically rigorous investigation of associations between application outcomes (such as prices or premiums) and sensitive user attributes (such as race or gender). Furthermore, FairTest provides debugging capabilities that let programmers rule out potential confounders for observed unfair effects. We report on use of FairTest to investigate and in some cases address disparate impact, offensive labeling, and uneven rates of algorithmic error in four data-driven applications. As examples, our results reveal subtle biases against older populations in the distribution of error in a predictive health application and offensive racial labeling in an image tagger.

2017-12-12
Durante, L., Seno, L., Valenza, F., Valenzano, A..  2017.  A model for the analysis of security policies in service function chains. 2017 IEEE Conference on Network Softwarization (NetSoft). :1–6.

Two emerging architectural paradigms, i.e., Software Defined Networking (SDN) and Network Function Virtualization (NFV), enable the deployment and management of Service Function Chains (SFCs). A SFC is an ordered sequence of abstract Service Functions (SFs), e.g., firewalls, VPN-gateways, traffic monitors, that packets have to traverse in the route from source to destination. While this appealing solution offers significant advantages in terms of flexibility, it also introduces new challenges such as the correct configuration and ordering of SFs in the chain to satisfy overall security requirements. This paper presents a formal model conceived to enable the verification of correct policy enforcements in SFCs. Software tools based on the model can then be designed to cope with unwanted network behaviors (e.g., security flaws) deriving from incorrect interactions of SFs of the same SFC. 

2015-04-30
Del Rosso, A., Liang Min, Chaoyang Jing.  2014.  High performance computation tools for real-time security assessment. PES General Meeting | Conference Exposition, 2014 IEEE. :1-1.

This paper presents an overview of the research project “High-Performance Hybrid Simulation/Measurement-Based Tools for Proactive Operator Decision-Support”, performed under the auspices of the U.S. Department of Energy grant DE-OE0000628. The objective of this project is to develop software tools to provide enhanced real-time situational awareness to support the decision making and system control actions of transmission operators. The integrated tool will combine high-performance dynamic simulation with synchrophasor measurement data to assess in real time system dynamic performance and operation security risk. The project includes: (i) The development of high-performance dynamic simulation software; (ii) the development of new computationally effective measurement-based tools to estimate operating margins of a power system in real time using measurement data from synchrophasors and SCADA; (iii) the development a hybrid framework integrating measurement-based and simulation-based approaches, and (iv) the use of cutting-edge visualization technology to display various system quantities and to visually process the results of the hybrid measurement-base/simulation-based security-assessment tool. Parallelization and high performance computing are utilized to enable ultrafast transient stability analysis that can be used in a real-time environment to quickly perform “what-if” simulations involving system dynamics phenomena. EPRI's Extended Transient Midterm Simulation Program (ETMSP) is modified and enhanced for this work. The contingency analysis is scaled for large-scale contingency analysis using MPI-based parallelization. Simulations of thousands of contingencies on a high performance computing machine are performed, and results show that parallelization over contingencies with MPI provides good scalability and computational gains. Different ways to reduce the I/O bottleneck have been also exprored. Thread-parallelization of the sparse linear solve is explored also through use of the SuperLU_MT library. Based on performance profiling results for the implicit method, the majority of CPU time is spent on the integration steps. Hence, in order to further improve the ETMSP performance, a variable time step control scheme for the original trapezoidal integration method has been developed and implemented. The Adams-Bashforth-Moulton predictor-corrector method was introduced and designed for ETMSP. Test results show superior performance with this method.