On Properties of Policy-Based Specifications

The advent of large-scale, complex computing systems has dramatically increased the difficulties of securing accesses to systems' resources. To ensure confidentiality and integrity, the exploitation of access control mechanisms has thus become a crucial issue in the design of modern computing systems. Among the different access control approaches proposed in the last decades, the policy-based one permits to capture, by resorting to the concept of attribute, all systems' security-relevant information and to be, at the same time, sufficiently flexible and expressive to represent the other approaches. In this paper, we move a step further to understand the effectiveness of policy-based specifications by studying how they permit to enforce traditional security properties. To support system designers in developing and maintaining policy-based specifications, we formalise also some relevant properties regarding the structure of policies. By means of a case study from the banking domain, we present real instances of such properties and outline an approach towards their automatised verification.Comment: In Proceedings WWV 2015, arXiv:1508.0338

On Ladder Logic Bombs in Industrial Control Systems

In industrial control systems, devices such as Programmable Logic Controllers (PLCs) are commonly used to directly interact with sensors and actuators, and perform local automatic control. PLCs run software on two different layers: a) firmware (i.e. the OS) and b) control logic (processing sensor readings to determine control actions). In this work, we discuss ladder logic bombs, i.e. malware written in ladder logic (or one of the other IEC 61131-3-compatible languages). Such malware would be inserted by an attacker into existing control logic on a PLC, and either persistently change the behavior, or wait for specific trigger signals to activate malicious behaviour. For example, the LLB could replace legitimate sensor readings with manipulated values. We see the concept of LLBs as a generalization of attacks such as the Stuxnet attack. We introduce LLBs on an abstract level, and then demonstrate several designs based on real PLC devices in our lab. In particular, we also focus on stealthy LLBs, i.e. LLBs that are hard to detect by human operators manually validating the program running in PLCs. In addition to introducing vulnerabilities on the logic layer, we also discuss countermeasures and we propose two detection techniques.Comment: 11 pages, 14 figures, 2 tables, 1 algorith

Know Your Enemy: Stealth Configuration-Information Gathering in SDN

Software Defined Networking (SDN) is a network architecture that aims at providing high flexibility through the separation of the network logic from the forwarding functions. The industry has already widely adopted SDN and researchers thoroughly analyzed its vulnerabilities, proposing solutions to improve its security. However, we believe important security aspects of SDN are still left uninvestigated. In this paper, we raise the concern of the possibility for an attacker to obtain knowledge about an SDN network. In particular, we introduce a novel attack, named Know Your Enemy (KYE), by means of which an attacker can gather vital information about the configuration of the network. This information ranges from the configuration of security tools, such as attack detection thresholds for network scanning, to general network policies like QoS and network virtualization. Additionally, we show that an attacker can perform a KYE attack in a stealthy fashion, i.e., without the risk of being detected. We underline that the vulnerability exploited by the KYE attack is proper of SDN and is not present in legacy networks. To address the KYE attack, we also propose an active defense countermeasure based on network flows obfuscation, which considerably increases the complexity for a successful attack. Our solution offers provable security guarantees that can be tailored to the needs of the specific network under consideratio

Economic Policy Analysis and the Internet: Coming to Terms with a Telecommunications Anomaly

The significant set of public policy issues for economic analysis that arise from the tensions between the ‘special benefits’ of the Internet as a platform for innovation, and the drawbacks of the “anomalous” features of the Internet viewed as simply one among the array of telecommunications systems, is the focus of discussion in this chapter. Economists concerned with industrial organization and regulation (including antitrust and merger law) initially found new scope for application of their expertise in conventional policy analyses of the Internet’s interactions with other segments of the telecommunications sector (broadcast and cable television, radio and telephone), and emphasized the potential congestion problems posed by user anonymity and flat rate pricing. Policy issues of a more dynamic kind have subsequently come to the fore. These involve classic tradeoffs between greater efficiency and producer and consumer surpluses today, and a potential for more innovation in Web-based products and service in the future. Many such tradeoffs involve choices such as that between policies that would preserve the original ‘end-to-end’ design of the original Internet architecture, and those that would be more encouraging of market-driven deployment of new technologies that afforded ISPs with greater market power the opportunity to offer (and extract greater profits from) restricted-Web services that consumers valued highly, such as secure and private VOIP.public policy, telecommunications, Web-based products, user anonymity

SafeWeb: A Middleware for Securing Ruby-Based Web Applications

Web applications in many domains such as healthcare and finance must process sensitive data, while complying with legal policies regarding the release of different classes of data to different parties. Currently, software bugs may lead to irreversible disclosure of confidential data in multi-tier web applications. An open challenge is how developers can guarantee these web applications only ever release sensitive data to authorised users without costly, recurring security audits. Our solution is to provide a trusted middleware that acts as a “safety net” to event-based enterprise web applications by preventing harmful data disclosure before it happens. We describe the design and implementation of SafeWeb, a Ruby-based middleware that associates data with security labels and transparently tracks their propagation at different granularities across a multi-tier web architecture with storage and complex event processing. For efficiency, maintainability and ease-of-use, SafeWeb exploits the dynamic features of the Ruby programming language to achieve label propagation and data flow enforcement. We evaluate SafeWeb by reporting our experience of implementing a web-based cancer treatment application and deploying it as part of the UK National Health Service (NHS)

Surveillant assemblages of governance in massively multiplayer online games:a comparative analysis

This paper explores governance in Massively Multiplayer Online Games (MMOGs), one sub-sector of the digital games industry. Informed by media governance studies, Surveillance Studies, and game studies, this paper identifies five elements which form part of the system of governance in MMOGs. These elements are: game code and rules; game policies; company community management practices; player participatory practices; and paratexts. Together these governance elements function as a surveillant assemblage, which relies to varying degrees on lateral and hierarchical forms of surveillance, and the assembly of human and nonhuman elements.Using qualitative mixed methods we examine and compare how these elements operate in three commercial MMOGs: Eve Online, World of Warcraft and Tibia. While peer and participatory surveillance elements are important, we identified two major trends in the governance of disruptive behaviours by the game companies in our case studies. Firstly, an increasing reliance on automated forms of dataveillance to control and punish game players, and secondly, increasing recourse to contract law and diminishing user privacy rights. Game players found it difficult to appeal the changing terms and conditions and they turned to creating paratexts outside of the game in an attempt to negotiate the boundaries of the surveillant assemblage. In the wider context of self-regulated governance systems these trends highlight the relevance of consumer rights, privacy, and data protection legislation to online games and the usefulness of bringing game studies and Surveillance Studies into dialogue