A Static Verification Framework for Secure Peer-to-Peer Applications
In this paper we present a static verification framework to support the design and verification of secure peer-to-peer applications. The framework supports the specification, modeling, and analysis of security aspects together with the general characteristics of the system, during early stages of the development life-cycle. The approach avoids treating security as a separate layer that is added to the system as an afterthought through the use of security protocols. The main functions supported by the framework are: modeling of the system together with its security aspects using an extension of UML; modeling of abuse cases to represent attacker scenarios and assist with the identification of properties to be verified; specification of the properties to be verified in a graphical template language; verification of the models against the properties; and visualization of the results of the verification process.
An experimental design on the classification algorithm for SPME 2.0 process model elements of the AVISPA tool by means of ANOVA analysis of variance
Introduction: This publication is the product of research: “SPEM 2.0 Process Model Metrics in the Reliability of its Visual Analysis” throughout 2019, which supports the work of a master’s degree in Systems Engineering at the University of Cauca.
Objective: Rebase a process model metrics set in order to increase AVISPA reliability to support the visual analysis of SPEM 2.0 software process models.
Methodology: In order to improve AVISPA, a systematic literature review was performed to find software process model metrics that are potentially apt to be represented in AVISPA. Next, a set of assessments was performed in order to enhance the visual analysis tool. Finally, an ANOVA statistical assessment was carried out in order to find a variance differential between AVISPA versions by comparing their F1-Score process model elements classification values.
Results: AVISPA significantly improved its general classification algorithm. Most errors were found in the SPEM 2.0 variability resolution feature and in collections with duplicated elements. Multiple misclassifications still persist.
Conclusion: General AVISPA process model elements classification is improved. However, some process model samples remain scattered according to ANOVA results.
Originality: AVISPA is a recent solution for SPEM 2.0 software process model assessment. Its recent emergence has led to a lack of articles about software process model metrics and few works about AVISPA improvements. These are the main contributions of this paper.
Limitations: The project has been very expensive in terms of execution time, traceability with all software process model elements, and mainly in finding experts in software processes who can meet the research requirement.
High-level Cryptographic Abstractions
The interfaces exposed by commonly used cryptographic libraries are clumsy,
complicated, and assume an understanding of cryptographic algorithms. The
challenge is to design high-level abstractions that require minimum knowledge
and effort to use while also allowing maximum control when needed.
This paper proposes such high-level abstractions consisting of simple
cryptographic primitives and full declarative configuration. These abstractions
can be implemented on top of any cryptographic library in any language. We have
implemented these abstractions in Python, and used them to write a wide variety
of well-known security protocols, including Signal, Kerberos, and TLS.
We show that programs using our abstractions are much smaller and easier to
write than those using low-level libraries: the size of the implemented
security protocols is reduced by about a third on average. We show our
implementation incurs a small overhead, less than 5 microseconds for shared key
operations and less than 341 microseconds (< 1%) for public key operations. We
also show our abstractions are safe against the main types of cryptographic
misuse reported in the literature.
Formal Analysis of ISO/IEC 9798-2 Authentication Standard using AVISPA
The use of formal methods is considered a useful and efficient technique for validating the security properties of protocols. In this paper, we analyze the protocols of the ISO/IEC 9798-2 entity authentication standard using a state-of-the-art tool for automated analysis named AVISPA. Our analysis of the standard using AVISPA's OFMC and CL-AtSe back-ends shows that the two-party protocols are secure against the specified security properties, while the back-ends are able to find attacks against unilateral and mutual authentication protocols involving a trusted third party.
Security-Oriented Formal Techniques
Security of software systems is a critical issue in a world where Information Technology is becoming more and more pervasive. The number of services for everyday life that are provided via electronic networks is rapidly increasing, as witnessed by the longer and longer list of words with the prefix "e", such as e-banking, e-commerce, e-government, where the "e" substantiates their electronic nature. These kinds of services usually require the exchange of sensitive data and the sharing of computational resources, and thus have strong security requirements because of the relevance of the exchanged information and the very distributed and untrusted environment, the Internet, in which they operate. It is important, for example, to ensure the authenticity and the secrecy of the exchanged messages, to establish the identity of the involved entities, and to have guarantees that the different system components correctly interact, without violating the required global properties.
Towards the Model-Driven Engineering of Secure yet Safe Embedded Systems
We introduce SysML-Sec, a SysML-based Model-Driven Engineering environment
aimed at fostering the collaboration between system designers and security
experts at all methodological stages of the development of an embedded system.
A central issue in the design of an embedded system is the definition of the
hardware/software partitioning of the architecture of the system, which should
take place as early as possible. SysML-Sec aims to extend the relevance of this
analysis through the integration of security requirements and threats. In
particular, we propose an agile methodology whose aim is to assess early on the
impact of the security requirements and of the security mechanisms designed to
satisfy them over the safety of the system. Security concerns are captured in a
component-centric manner through existing SysML diagrams with only minimal
extensions. After the captured requirements are derived into security and
cryptographic mechanisms, security properties can be formally verified over
this design. To perform the latter, model transformation techniques are
implemented in the SysML-Sec toolchain in order to derive a ProVerif
specification from the SysML models. An automotive firmware flashing procedure
serves as a guiding example throughout our presentation.
Comment: In Proceedings GraMSec 2014, arXiv:1404.163
Pretty Private Group Management
Group management is a fundamental building block of today's Internet
applications. Mailing lists, chat systems, collaborative document editing but
also online social networks such as Facebook and Twitter use group management
systems. In many cases, group security is required in the sense that access to
data is restricted to group members only. Some applications also require
privacy by keeping group members anonymous and unlinkable. Group management
systems routinely rely on a central authority that manages and controls the
infrastructure and data of the system. Personal user data related to groups
then becomes de facto accessible to the central authority. In this paper, we
propose a completely distributed approach for group management based on
distributed hash tables. As there is no enrollment to a central authority, the
created groups can be leveraged by various applications. Following this
paradigm we describe a protocol for such a system. We consider security and
privacy issues inherently introduced by removing the central authority and
provide a formal validation of security properties of the system using AVISPA.
We demonstrate the feasibility of this protocol by implementing a prototype
running on top of Vuze's DHT.
Ethanol quantification in pineapple waste by an electrochemical impedance spectroscopy-based system and artificial neural networks
The electrochemical impedance spectroscopy (EIS) technique has been applied to determine the ethanol concentration in pineapple waste samples. To do this, six different concentrations of ethanol were added to the pineapple samples and were analyzed using the system designed by our research group, consisting of the Advanced Voltammetry, Impedance Spectroscopy & Potentiometry Analyzer (AVISPA) device associated with a stainless steel double needle electrode. Results indicated that phase data in frequencies between 6.0 × 10^5 Hz and 8.0 × 10^5 Hz showed the highest sensitivity to ethanol concentrations. A principal component analysis (PCA) confirmed the potential discrimination and partial least squares (PLS) regression showed mathematical models able to quantify ethanol in samples accurately. In order to implement flexible and precise models in programmable equipment, different types of artificial neural networks (ANNs) have been studied: Fuzzy ARTMAP and multi-layer feed-forward (MLFF) algorithms. As a result, a coefficient of determination (R²) = 0.996 and a root mean square error of prediction (RMSEP) = 0.408 have been obtained. Therefore, it allows us to introduce this technique as an alternative method for ethanol quantification along the fermentation of pineapple waste in an easy, low-cost, rapid and portable way.
Financial support from the European FEDER and the Spanish government (MAT2012-34829-C04-04), the Generalitat Valenciana (PROMETEOII/2014/047) and the FPI-UPV Program funds are gratefully acknowledged.
Conesa Domínguez, C.; Gil Sánchez, L.; Seguí Gil, L.; Fito Maupoey, P.; Laguarda-Miro, N. (2017). Ethanol quantification in pineapple waste by an electrochemical impedance spectroscopy-based system and artificial neural networks. Chemometrics and Intelligent Laboratory Systems. 161:1-7. https://doi.org/10.1016/j.chemolab.2016.12.005