
    Privacy and identity selection

    Master's in Computer and Telematics Engineering
    This work addresses some of the emerging technologies that aim to provide identity-enabled models over the Internet architecture. While such proposals do provide identity models better suited to Web 2.0, they ignore that the architecture on which they rest cannot support the required privacy guarantees. To show that privacy guarantees must be provided in the lower layers of the existing architecture, this work presents a demonstration implementation that exploits the existing architecture's vulnerability to privacy attacks, together with an implementation that provides privacy guarantees for multiple identities.
    ABSTRACT: This work presents some of the technologies that aim at introducing user-centric identity models over the existing Internet architecture. While such technologies do provide suitable identity models for the Web 2.0, they neglect that the underlying Internet architecture does not support the necessary privacy requirements for such models. As a demonstration that the underlying network layers must provide some privacy guarantees, this work presents an implementation that explores privacy vulnerabilities and proceeds to propose mechanisms that ensure privacy between multiple identities.

    Security and privacy in network naming

    Security and Privacy are now at the forefront of modern concerns, and drive a significant part of the debate on digital society. One particular aspect that holds significant bearing in these two topics is the naming of resources in the network, because it directly impacts how networks work, but also affects how security mechanisms are implemented and what the privacy implications of metadata disclosure are. This issue is further exacerbated by interoperability mechanisms that imply this information is increasingly available regardless of the intended scope. This work focuses on the implications of naming with regards to security and privacy in namespaces used in network protocols. In particular, it addresses the implementation of solutions that provide additional security through naming policies or increase privacy. To achieve this, different techniques are used to either embed security information in existing namespaces or to minimise privacy exposure. The former allows bootstrapping secure transport protocols on top of insecure discovery protocols, while the latter introduces privacy policies as part of name assignment and resolution. The main vehicle for implementation of these solutions is general-purpose protocols and services; however, there is a strong parallel with ongoing research topics that leverage name resolution systems for interoperability, such as the Internet of Things (IoT) and Information Centric Networks (ICN), where these approaches are also applicable.
    Security and Privacy are two topics that set the agenda in the discussion of the digital society. A particularly subtle aspect of this discussion is how we assign names to resources in the network, a choice with practical consequences for how the various network protocols operate, for how different security mechanisms are implemented, and for the privacy of the parties involved. This problem becomes even more significant when one considers that, to promote interoperability between different networks, autonomous mechanisms make this information accessible in contexts beyond those originally intended. This thesis focuses on the consequences of different naming policies in the context of different network protocols, for security and privacy purposes. Based on the study of this problem, solutions are proposed that, through different naming policies, make it possible to introduce additional security mechanisms or to mitigate privacy problems in different protocols. This results in the implementation of security mechanisms over insecure discovery protocols, as well as in the introduction of name assignment and resolution mechanisms focused on privacy protection. The main vehicle for implementing these solutions is general-purpose network services and protocols. However, the applicability of these solutions also extends to other research topics that rely on name resolution mechanisms to implement interoperability solutions, namely the Internet of Things (IoT) and Information Centric Networks (ICN).
    Doctoral Programme in Informatics

    Analysing the Design of Privacy-Preserving Data-Sharing Architecture

    Privacy has become an essential software quality to consider in a software system. Privacy practices should be adopted from the early stages of system design to safeguard personal data from privacy violations. Privacy patterns are proposed in industry and academia as reusable design solutions to address different privacy issues. However, the diverse types and granularity of the patterns make it difficult for practitioners to select and adopt them in an architecture. First, the fragmented information about the system actors in the patterns does not align with the regulatory entities and the interactions between them. Second, these privacy patterns lack architectural perspectives that could help weave patterns into concrete software designs. Third, the consequences of applying the patterns have not covered the impacts on software quality attributes. This thesis aims to provide guidance to software architects and practitioners for considering and applying privacy patterns in their design, by adding new perspectives to the existing patterns. First, the research provides an analysis of the relationships between regulatory entities and their responsibility in adopting the patterns in a software design. Then, the research reports studies that were conducted using architectural-level modelling-based approaches, to analyse the architectural views of privacy patterns. The analyses aim to improve understanding of how privacy patterns are applied in software designs and how such a design affects software quality attributes, including privacy, performance, and modifiability. Finally, in an effort to harmonise and unite the extended view of privacy patterns that have a close relation to system architecture, this research proposes an enhanced pattern catalogue and a systematic privacy-by-design (PbD) pattern-selection model that aims to aid and guide software architects in pattern selection during software design.
    The enhanced pattern catalogue offers consolidated information on the extended view of privacy patterns. The selection model provides a structured way for the practitioner to know when and how to use the pattern catalogue in the system-design process. Two industry case studies are used to evaluate the proposed pattern catalogue and selection model. The findings demonstrate how the proposed frameworks are applicable to different types of data-sharing software systems and their usability in supporting pattern-selection decisions in privacy design.

    MATURITY MODEL FOR HEALTHCARE CLOUD SECURITY

    Management of security across eHealth cloud services is a major organizational challenge that healthcare organizations seek to resolve in order to build their trust in the cloud and increase the adoption of cloud services in healthcare. The organizational challenges regarding the implementation of technical security solutions are the major limiting factors for the adoption of the eHealth cloud. As such, this research focuses on developing a security maturity model that helps healthcare organizations to describe how their cloud security services are applied, to assess and improve those services over time, and to guide and educate relevant stakeholders on optimizing their security practices. The gaps identified in the literature review concern adoption: the existing maturity models are either too complicated to implement, or they require the healthcare organization's processes to be refined to suit the maturity model's implementation. The Maturity Model for Healthcare Cloud Security (M2HCS) was developed using the Design Science Research Methodology (DSRM). It was validated using a formulated case study, a web-based survey, interviews with practitioners, the DSRM framework, and feedback from the scientific community. The novel contribution of this research is the proposal of the model. M2HCS is a high-level, holistic model that can be used to support and promote healthcare organizations' usable security practices against cyber and cloud security attacks.

    Security and trust in cloud computing and IoT through applying obfuscation, diversification, and trusted computing technologies

    Cloud computing and the Internet of Things (IoT) are widespread and commonly used technologies nowadays. The advanced services offered by cloud computing have made it a highly demanded technology. Enterprises and businesses rely more and more on the cloud to deliver services to their customers. The prevalent use of the cloud means that more data is stored outside the organization's premises, which raises concerns about the security and privacy of the stored and processed data. This highlights the significance of effective security practices to secure the cloud infrastructure. The number of IoT devices is growing rapidly and the technology is being employed in a wide range of sectors including smart healthcare, industrial automation, and smart environments. These devices collect and exchange a great deal of information, some of which may contain critical and personal data of the users of the device. Hence, it is highly significant to protect the data collected and shared over the network; notwithstanding, studies indicate that attacks on these devices are increasing, while a high percentage of IoT devices lack proper security measures to protect the devices, the data, and the privacy of the users. In this dissertation, we study the security of cloud computing and IoT and propose software-based security approaches, supported by hardware-based technologies, to provide robust measures for enhancing the security of these environments. To achieve this goal, we use obfuscation and diversification as software security techniques. Code obfuscation protects the software from malicious reverse engineering, and diversification mitigates the risk of large-scale exploits. We study trusted computing and Trusted Execution Environments (TEE) as the hardware-based security solutions. The Trusted Platform Module (TPM) provides security and trust through a hardware root of trust, and assures the integrity of a platform.
    We also study Intel SGX, a TEE solution that guarantees the integrity and confidentiality of the code and data loaded into its protected container, the enclave. More precisely, through obfuscation and diversification of the operating systems and APIs of the IoT devices, we secure them at the application level, and by obfuscation and diversification of the communication protocols, we protect the communication of data between them at the network level. For securing cloud computing, we employ obfuscation and diversification techniques on the cloud computing software at the client side. For an enhanced level of security, we employ the hardware-based security solutions TPM and SGX. These solutions, in addition to security, ensure layered trust across the various layers from hardware to the application. As a result of this PhD research, this dissertation addresses a number of security risks targeting IoT and cloud computing through the delivered publications and presents a brief outlook on future research directions.
    Cloud computing and the Internet of Things are nowadays very common and widely applied technologies. The advanced services of cloud computing have made it a highly sought-after technology. Enterprises increasingly rely on cloud technology when delivering services to their customers. In the prevailing use of cloud technology, enterprises outsource the processing of their data outside the organization, which can be seen to raise concerns about the security and privacy of the stored and processed data. This highlights the importance of effective security solutions as part of securing the cloud infrastructure. The number of Internet of Things devices has grown rapidly. As a technology, it is widely applied in many sectors, such as smart healthcare, industrial automation and smart spaces.
    Such devices collect and transmit large amounts of information, which may contain data that is critical and private from the perspective of the devices' users. For this reason it is extremely important to protect the data collected and shared over the network. Many studies show that the number of security attacks targeting Internet of Things devices is on the rise, and at the same time a large share of these devices lacks proper technical capabilities to protect the devices themselves or their users' private data. This dissertation studies the security of cloud computing and the Internet of Things and presents software-based security approaches that rely in part on hardware-based technologies. The presented approaches offer robust means for improving security in these contexts. To achieve this, the work applies obfuscation and diversification as potential software-based security techniques. Obfuscation of executable code protects against malicious reverse engineering of the software, and diversification counters the risk of large-scale exploitation of security vulnerabilities. The dissertation studies trusted computing and trusted execution environments as hardware-based security solutions. The TPM (Trusted Platform Module) provides security and trust built on hardware-based trust. The aim is to guarantee the integrity of the execution platform. The work also studies Intel SGX as a trusted execution platform that guarantees the integrity and confidentiality of the executed code and data based on the technical implementation of a protected container, the enclave. More specifically, the work secures the software layer of Internet of Things devices through obfuscation and diversification at the operating system and application interface levels. By applying the same techniques to the protocol layer, the work protects data exchange between devices at the network level.
    To secure cloud computing, the work applies obfuscation and diversification techniques to client-side software solutions. To achieve stronger security, the work makes use of hardware-based TPM and SGX solutions. In addition to security, these solutions provide layered trust built up from the hardware level to the software layer. As a result of this dissertation research, through its constituent publications, many security threats targeting Internet of Things devices and cloud computing are addressed. The work also presents views on future research topics.

    Privacy in next-generation networks

    PhD in Informatics Engineering
    In modern society, communications and digital transactions are becoming the norm rather than the exception. As we allow networked computing devices into our everyday actions, we build a digital lifestyle where networks and devices enrich our interactions. However, as we move our information towards a connected digital environment, privacy becomes extremely important, as most of our personal information can be found in the network. This is especially relevant as we design and adopt next-generation networks that provide ubiquitous access to services and content, increasing the impact and pervasiveness of existing networks. The environments that provide widespread connectivity and services usually rely on network protocols that have few privacy considerations, compromising user privacy. The presented work focuses on the network aspects of privacy, considering how network protocols threaten user privacy, especially in next-generation network scenarios. We target the identifiers that are present in each network protocol and support its designed function. By studying how network identifiers can compromise user privacy, we explore how these threats can stem from the identifier itself and from relationships established between several protocol identifiers. Following the study focused on identifiers, we show that privacy in the network can be explored along two dimensions: a vertical dimension that establishes privacy relationships across several layers and protocols, reaching the user, and a horizontal dimension that highlights the threats exposed by individual protocols, usually confined to a single layer. With these concepts, we outline an integrated perspective on privacy in the network, embracing both vertical and horizontal interactions of privacy. This approach enables the discussion of several mechanisms to address privacy threats on individual layers, leading to architectural instantiations focused on user privacy.
    We also show how the different dimensions of privacy can provide insight into the relationships that exist in a layered network stack, providing a potential path towards designing and implementing future privacy-aware network architectures.
    In modern society, digital communications and transactions are becoming the rule rather than the exception. As we allow networked electronic devices into our daily lives, we build a digital lifestyle in which networks and devices enrich our interactions. However, as we move towards a networked digital environment, our privacy takes on greater importance, since our personal information is increasingly found in the network. This becomes particularly relevant as we adopt next-generation networks, which allow ubiquitous access to networks, services and content, increasing the impact and pervasiveness of current networks. Environments in which connectivity and services become a constant rest on network protocols that usually include few privacy considerations, thereby compromising the user. This work focuses on the privacy aspects that concern the network because of the way protocols are used at the different layers, resulting in threats to user privacy. We specifically address the identifiers present in network protocols, which are essential to their function. In this context we explore the possibility that these identifiers compromise user privacy through the information they carry, as well as through the relationships that can be established between identifiers of different protocols.
    Following this identifier-centred study, we show how privacy in networks can be explored along two dimensions: a dimension that emphasises vertical privacy relationships, crossing several protocols until reaching the user, and a horizontal dimension that highlights the threats caused by each protocol individually, usually limited to a single layer. Through these concepts, we present an integrated view of privacy in networks, covering both vertical and horizontal privacy interactions. This view allows discussion of several mechanisms to mitigate threats specific to each network layer, resulting in architectural instantiations oriented towards user privacy. Finally, we show how the different dimensions of privacy can offer a different view of the relationships established in the layered protocol stack, pointing to a possible path towards the development of future privacy-aware network architectures.

    Convergence of the web and communication services

    Communication services, from postal mail to telephony, through voice and video over IP (Internet Protocol), electronic mail, Internet chat rooms, videoconferencing and immersive telecommunications, have evolved over time. A voice/video-over-IP communication system is built on two fundamental architectural layers: the signalling layer and the media layer. The signalling protocol is used to create, modify and terminate multimedia sessions between participants. The signalling layer is divided into two sub-layers, the service layer and the control layer, according to the IP Multimedia Subsystem (IMS) specification. Two widely used communication systems are IMS and Peer-to-Peer SIP (P2P SIP). Service providers, which act as intermediaries between callers and callees, implement the communication systems and strictly control the signalling layer. These service providers, however, do not take the diversity of users into account. This thesis identifies three technological barriers in current communication systems, specifically in the signalling layer. I. A lack of openness and flexibility in the signalling layer for users. II. Difficult development of network-based and session-based services. III. Increasing complexity of the signalling layer under a very high number of calls. These technological barriers hamper user innovation with these communication services. Based on the technological barriers listed above, the initial goal of this thesis is to define a concept and an architecture for a communication system in which every individual becomes a service provider. The concept "My Own Communication Service Provider" (MOCSP) and the MOCSP system are proposed, accompanied by a sequence diagram.
    The thesis then provides an analysis comparing the MOCSP system with existing communication systems in terms of openness and flexibility. The second part of the thesis presents solutions for network-based or session-based services, building on the proposed MOCSP system. Two innovative services, user mobility and partial session transfer/retrieval (PSTR), are taken as examples of network-based or session-based services. Network-based or session-based services interact with a session or are executed within a session. In both cases, a single functional entity between caller and callee triggers the media flow during call setup and/or mid-call. Moreover, cooperation between network call control and the various peers is easily achieved. The last part of the thesis is devoted to extending MOCSP to the case of high call density and includes a comparative analysis. This analysis depends on four factors - scalability limit, complexity level, required computing resources and session setup delay - which are considered to evaluate the scalability of the signalling layer. The comparative analysis clearly shows that the MOCSP-based solution is simple and improves the effective use of computing resources compared with traditional communication systems.
    Different communication services, from the delivery of written letters to telephones, voice/video over Internet Protocol (IP), email, Internet chat rooms, video/audio conferences and immersive communications, have evolved over time. A voice/video-over-IP communication system is the realization of a two-layer architecture: the signaling layer and the media layer. The signaling protocol is used to create, modify, and terminate media sessions between participants.
    The signaling layer is further divided into two layers, the service layer and the service control layer, in the IP Multimedia Subsystem (IMS) specification. Two widely used communication systems are IMS and Peer-to-Peer Session Initiation Protocol (P2P SIP). Service providers, who behave as brokers between callers and callees, implement communication systems, heavily controlling the signaling layer. These providers do not take the diversity of end users into account. This dissertation identifies three technical barriers in current communication systems, especially in the signaling layer. Those are: I. lack of openness and flexibility in the signaling layer for end users; II. difficulty of developing network-based, session-based services; III. the signaling layer becoming complex at high call rates. These technical barriers hinder end-user innovation with communication services. Based on the technical barriers listed above, the first part of this thesis defines a concept and architecture for a communication system in which an individual user becomes the service provider. The concept, My Own Communication Service Provider (MOCSP), and the MOCSP system are proposed and followed by a call flow. Later, this thesis provides an analysis that compares the MOCSP system with existing communication systems in terms of openness and flexibility. The second part of this thesis presents solutions for network-based, session-based services, leveraging the proposed MOCSP system. Two innovative services, user mobility and partial session transfer/retrieval, are considered as examples of network-based, session-based services. Network-based, session-based services interwork with a session or are executed within a session. In both cases, a single functional entity between caller and callee consistently enables the media flow during call initiation and/or mid-call. In addition, the cooperation of network call control and end-points is easily achieved.
    The last part of the thesis is devoted to extending MOCSP for a high call rate and includes a preliminary comparative analysis. This analysis depends on four factors - scalability limit, complexity level, needed computing resources and session setup latency - that are considered to specify the scalability of the signaling layer. The preliminary analysis clearly shows that the MOCSP-based solution is simple and has potential for improving the effective usage of computing resources over traditional communication systems.