Towards the Model-Driven Engineering of Secure yet Safe Embedded Systems
We introduce SysML-Sec, a SysML-based Model-Driven Engineering environment
aimed at fostering the collaboration between system designers and security
experts at all methodological stages of the development of an embedded system.
A central issue in the design of an embedded system is the definition of the
hardware/software partitioning of the architecture of the system, which should
take place as early as possible. SysML-Sec aims to extend the relevance of this
analysis through the integration of security requirements and threats. In
particular, we propose an agile methodology whose aim is to assess early on the
impact of the security requirements and of the security mechanisms designed to
satisfy them over the safety of the system. Security concerns are captured in a
component-centric manner through existing SysML diagrams with only minimal
extensions. After the requirements captured are derived into security and
cryptographic mechanisms, security properties can be formally verified over
this design. To perform the latter, model transformation techniques are
implemented in the SysML-Sec toolchain in order to derive a ProVerif
specification from the SysML models. An automotive firmware flashing procedure
serves as a guiding example throughout our presentation.
Comment: In Proceedings GraMSec 2014, arXiv:1404.163
Model the System from Adversary Viewpoint: Threats Identification and Modeling
Security attacks are hard to understand and are often expressed with unfriendly and
limited details, making it difficult for security experts and security
analysts to create intelligible security specifications: for instance, to
explain Why (attack objective), What (i.e., system assets, goals, etc.), and
How (attack method) an adversary achieved his attack goals. We introduce in this
paper a security attack meta-model for our SysML-Sec framework, developed to
improve the threat identification and modeling through the explicit
representation of security concerns with knowledge representation techniques.
Our proposed meta-model enables the specification of these concerns through
ontological concepts which define the semantics of the security artifacts
introduced using SysML-Sec diagrams. This meta-model also enables representing
the relationships that tie several such concepts together. This representation
is then used for reasoning about the knowledge introduced by system designers
as well as security experts through the graphical environment of the SysML-Sec
framework.
Comment: In Proceedings AIDP 2014, arXiv:1410.322
Measuring Password Strength: An Empirical Analysis
We present an in-depth analysis of the strength of almost 10,000
passwords from users of an instant messaging server in Italy. We estimate the
strength of those passwords, and compare the effectiveness of state-of-the-art
attack methods such as dictionaries and Markov chain-based techniques.
We show that the strength of passwords chosen by users varies enormously, and
that the cost of attacks based on password strength grows very quickly when the
attacker wants to obtain a higher success percentage. In accordance with
existing studies we observe that, in the absence of measures for enforcing
password strength, weak passwords are common. On the other hand we discover
that there will always be a subset of users with extremely strong passwords
that are very unlikely to be broken.
The results of our study will help in evaluating the security of
password-based authentication means, and they provide important insights for
inspiring new and better proactive password checkers and password recovery
tools.
Comment: 15 pages, 9 figures
Secure P2P Data Storage and Maintenance
P2P data storage requires strong reliability and security assurances. Existing data storage solutions have been designed for centralized as well as distributed settings; yet they do not address the security and cooperation issues raised by self-organization. P2P systems also introduce new needs regarding data availability due to the dynamicity of the infrastructure, which are unaddressed so far. This paper first discusses the approaches for tackling these problems. A solution is then introduced that relies on self-organizing security mechanisms in conjunction with a data rejuvenation scheme using erasure codes.
Summary of Articles
CARAM Experiments. This file contains the simulation data (see Section Experimental results) including the risk values for several classes of CSCs for all the analyzed CSPs from STAR. (XLSX 331 kb)
The SLOOP project: Simulations, Parallel Object-Oriented Languages, Interconnection Networks
International audience