Combining behavioural types with security analysis

Today's software systems are highly distributed and interconnected, and they increasingly rely on communication to achieve their goals; due to their societal importance, security and trustworthiness are crucial aspects for the correctness of these systems. Behavioural types, which extend data types by describing also the structured behaviour of programs, are a widely studied approach to the enforcement of correctness properties in communicating systems. This paper offers a unified overview of proposals based on behavioural types which are aimed at the analysis of security properties

Proofs of retrievability: theory and implementation,”

Abstract A proof of retrievability (POR) is a compact proof by a file system (prover) to a client (verifier) that a target file F is intact, in the sense that the client can fully recover it. As PORs incur lower communication complexity than transmission of F itself, they are an attractive building block for high-assurance remote storage systems. In this paper, we propose a theoretical framework for the design of PORs. Our framework improves the previously proposed POR constructions of Juels-Kaliski and Shacham-Waters, and also sheds light on the conceptual limitations of previous theoretical models for PORs. It supports a fully Byzantine adversarial model, carrying only the restriction-fundamental to all PORs-that the adversary's error rate be bounded when the client seeks to extract F . Our techniques support efficient protocols across the full possible range of , up to non-negligibly close to 1. We propose a new variant on the Juels-Kaliski protocol and describe a prototype implementation. We demonstrate practical encoding even for files F whose size exceeds that of client main memory

Proof-carrying Bytecode

AbstractIn the Mobile Resource Guarantees project's Proof Carrying Code implementation, .class files are associated with Isabelle [Tobias Nipkow, Lawrence C. Paulson, Markus Wenzel, Isabelle/HOL: A Proof Assistant for Higher-Order Logic, volume 2283 of LNCS. Springer-Verlag, 2002] proof scripts containing proofs of bounds on their resource consumption. By using the tools gf and isabelle on the consumer-side, it is possible to verify after download, that a piece of code conforms to a particular resource policy specified by the consumer, and prevent execution in the event that it does not. We present here a prototype implementation using certain features of the J2SE 5.0 Platform [Sun Microsystems, Inc. Java 2 Platform, Standard Edition 1.5.0, http://java.sun.com/j2se/1.5.0/, May 27, 2004]. The (unmodified) bytecode and its proof are packaged as a JAR file for convenient distribution. The codebase uses Java agents providing the Instrumentation interface, and implements a custom permission class and Security Manager. The external tools are invoked from within Java. Two system commands makeMRGjar and MRGjava provide a convenient way of using this implementation

Audit-based Compliance Control (AC2) for EHR Systems

Traditionally, medical data is stored and processed using paper-based files. Recently, medical facilities have started to store, access and exchange medical data in digital form. The drivers for this change are mainly demands for cost reduction, and higher quality of health care. The main concerns when dealing with medical data are availability and confidentiality. Unavailability (even temporary) of medical data is expensive. Physicians may not be able to diagnose patients correctly, or they may have to repeat exams, adding to the overall costs of health care. In extreme cases availability of medical data can even be a matter of life or death. On the other hand, confidentiality of medical data is also important. Legislation requires medical facilities to observe the privacy of the patients, and states that patients have a final say on whether or not their medical data can be processed or not. Moreover, if physicians, or their EHR systems, are not trusted by the patients, for instance because of frequent privacy breaches, then patients may refuse to submit (correct) information, complicating the work of the physicians greatly. \ud \ud In traditional data protection systems, confidentiality and availability are conflicting requirements. The more data protection methods are applied to shield data from outsiders the more likely it becomes that authorized persons will not get access to the data in time. Consider for example, a password verification service that is temporarily not available, an access pass that someone forgot to bring, and so on. In this report we discuss a novel approach to data protection, Audit-based Compliance Control (AC2), and we argue that it is particularly suited for application in EHR systems. In AC2, a-priori access control is minimized to the mere authentication of users and objects, and their basic authorizations. More complex security procedures, such as checking user compliance to policies, are performed a-posteriori by using a formal and automated auditing mechanism. To support our claim we discuss legislation concerning the processing of health records, and we formalize a scenario involving medical personnel and a basic EHR system to show how AC2 can be used in practice. \ud \ud This report is based on previous work (Dekker & Etalle 2006) where we assessed the applicability of a-posteriori access control in a health care scenario. A more technically detailed article about AC2 recently appeared in the IJIS journal, where we focussed however on collaborative work environments (Cederquist, Corin, Dekker, Etalle, & Hartog, 2007). In this report we first provide background and related work before explaining the principal components of the AC2 framework. Moreover we model a detailed EHR case study to show its operation in practice. We conclude by discussing how this framework meets current trends in healthcare and by highlighting the main advantages and drawbacks of using an a-posteriori access control mechanism as opposed to more traditional access control mechanisms

Emission Targets and Equilibrium Choice of Technique

We study the technological pre-conditions for a cost-minimizing choice of technique in the presence of government emission targets on by- products of production. Whether a by-product is a desirable commodity or an undesirable pollutant is determined endogeneously as part of the price-quantity equilibrium solution. Non-trivial counter-examples highlight the potential risk of over-ambitious pollution targets. We show that pollution targets can be supported by the appropriate taxes providing that technology allows for a certain type of labour-intensive pollution abatement activities. Our proof is constructive: the tax equilibria we posit can be computed by the Lemke Complementary Pivoting Algorithm.Multisectoral Growth Theory, Choice of Technique, Pollution Taxes, Permit Markets, Lemke Algorithm