32,797 research outputs found
Sciunits: Reusable Research Objects
Science is conducted collaboratively, often requiring knowledge sharing about
computational experiments. When experiments include only datasets, they can be
shared using Uniform Resource Identifiers (URIs) or Digital Object Identifiers
(DOIs). An experiment, however, seldom includes only datasets, but more often
includes software, its past execution, provenance, and associated
documentation. The Research Object has recently emerged as a comprehensive and
systematic method for aggregation and identification of diverse elements of
computational experiments. While a necessary method, mere aggregation is not
sufficient for the sharing of computational experiments. Other users must be
able to easily recompute on these shared research objects. In this paper, we
present the sciunit, a reusable research object in which aggregated content is
recomputable. We describe a Git-like client that efficiently creates, stores,
and repeats sciunits. We show through analysis that sciunits repeat
computational experiments with minimal storage and processing overhead.
Finally, we provide an overview of sharing and reproducible cyberinfrastructure
based on sciunits gaining adoption in the domain of geosciences
CamFlow: Managed Data-sharing for Cloud Services
A model of cloud services is emerging whereby a few trusted providers manage
the underlying hardware and communications whereas many companies build on this
infrastructure to offer higher level, cloud-hosted PaaS services and/or SaaS
applications. From the start, strong isolation between cloud tenants was seen
to be of paramount importance, provided first by virtual machines (VM) and
later by containers, which share the operating system (OS) kernel. Increasingly
it is the case that applications also require facilities to effect isolation
and protection of data managed by those applications. They also require
flexible data sharing with other applications, often across the traditional
cloud-isolation boundaries; for example, when government provides many related
services for its citizens on a common platform. Similar considerations apply to
the end-users of applications. But in particular, the incorporation of cloud
services within `Internet of Things' architectures is driving the requirements
for both protection and cross-application data sharing.
These concerns relate to the management of data. Traditional access control
is application and principal/role specific, applied at policy enforcement
points, after which there is no subsequent control over where data flows; a
crucial issue once data has left its owner's control by cloud-hosted
applications and within cloud-services. Information Flow Control (IFC), in
addition, offers system-wide, end-to-end, flow control based on the properties
of the data. We discuss the potential of cloud-deployed IFC for enforcing
owners' dataflow policy with regard to protection and sharing, as well as
safeguarding against malicious or buggy software. In addition, the audit log
associated with IFC provides transparency, giving configurable system-wide
visibility over data flows. [...]Comment: 14 pages, 8 figure
Mayall:a framework for desktop JavaScript auditing and post-exploitation analysis
Writing desktop applications in JavaScript offers developers the opportunity to write cross-platform applications with cutting edge capabilities. However in doing so, they are potentially submitting their code to a number of unsanctioned modifications from malicious actors. Electron is one such JavaScript application framework which facilitates this multi-platform out-the-box paradigm and is based upon the Node.js JavaScript runtime --- an increasingly popular server-side technology. In bringing this technology to the client-side environment, previously unrealized risks are exposed to users due to the powerful system programming interface that Node.js exposes. In a concerted effort to highlight previously unexposed risks in these rapidly expanding frameworks, this paper presents the Mayall Framework, an extensible toolkit aimed at JavaScript security auditing and post-exploitation analysis. The paper also exposes fifteen highly popular Electron applications and demonstrates that two thirds of applications were found to be using known vulnerable elements with high CVSS scores. Moreover, this paper discloses a wide-reaching and overlooked vulnerability within the Electron Framework which is a direct byproduct of shipping the runtime unaltered with each application, allowing malicious actors to modify source code and inject covert malware inside verified and signed applications without restriction. Finally, a number of injection vectors are explored and appropriate remediations are proposed
Keys in the Clouds: Auditable Multi-device Access to Cryptographic Credentials
Personal cryptographic keys are the foundation of many secure services, but
storing these keys securely is a challenge, especially if they are used from
multiple devices. Storing keys in a centralized location, like an
Internet-accessible server, raises serious security concerns (e.g. server
compromise). Hardware-based Trusted Execution Environments (TEEs) are a
well-known solution for protecting sensitive data in untrusted environments,
and are now becoming available on commodity server platforms.
Although the idea of protecting keys using a server-side TEE is
straight-forward, in this paper we validate this approach and show that it
enables new desirable functionality. We describe the design, implementation,
and evaluation of a TEE-based Cloud Key Store (CKS), an online service for
securely generating, storing, and using personal cryptographic keys. Using
remote attestation, users receive strong assurance about the behaviour of the
CKS, and can authenticate themselves using passwords while avoiding typical
risks of password-based authentication like password theft or phishing. In
addition, this design allows users to i) define policy-based access controls
for keys; ii) delegate keys to other CKS users for a specified time and/or a
limited number of uses; and iii) audit all key usages via a secure audit log.
We have implemented a proof of concept CKS using Intel SGX and integrated this
into GnuPG on Linux and OpenKeychain on Android. Our CKS implementation
performs approximately 6,000 signature operations per second on a single
desktop PC. The latency is in the same order of magnitude as using
locally-stored keys, and 20x faster than smart cards.Comment: Extended version of a paper to appear in the 3rd Workshop on
Security, Privacy, and Identity Management in the Cloud (SECPID) 201
An Immune Inspired Approach to Anomaly Detection
The immune system provides a rich metaphor for computer security: anomaly
detection that works in nature should work for machines. However, early
artificial immune system approaches for computer security had only limited
success. Arguably, this was due to these artificial systems being based on too
simplistic a view of the immune system. We present here a second generation
artificial immune system for process anomaly detection. It improves on earlier
systems by having different artificial cell types that process information.
Following detailed information about how to build such second generation
systems, we find that communication between cells types is key to performance.
Through realistic testing and validation we show that second generation
artificial immune systems are capable of anomaly detection beyond generic
system policies. The paper concludes with a discussion and outline of the next
steps in this exciting area of computer security.Comment: 19 pages, 4 tables, 2 figures, Handbook of Research on Information
Security and Assuranc
Recommended from our members
Smart Computer Security Audit: Reinforcement Learning with a Deep Neural Network Approximator
A significant challenge in modern computer security is the growing skill gap as intruder capabilities increase, making it necessary to begin automating elements of penetration testing so analysts can contend with the growing number of cyber threats. In this paper, we attempt to assist human analysts by automating a single host penetration attack. To do so, a smart agent performs different attack sequences to find vulnerabilities in a target system. As it does so, it accumulates knowledge, learns new attack sequences and improves its own internal penetration testing logic. As a result, this agent (AgentPen for simplicity) is able to successfully penetrate hosts it has never interacted with before. A computer security administrator using this tool would receive a comprehensive, automated sequence of actions leading to a security breach, highlighting potential vulnerabilities, and reducing the amount of menial tasks a typical penetration tester would need to execute. To achieve autonomy, we apply an unsupervised machine learning algorithm, Q-learning, with an approximator that incorporates a deep neural network architecture. The security audit itself is modelled as a Markov Decision Process in order to test a number of decisionmaking strategies and compare their convergence to optimality. A series of experimental results is presented to show how this approach can be effectively used to automate penetration testing using a scalable, i.e. not exhaustive, and adaptive approach
- …