164 research outputs found

    Checking and Enforcing Security through Opacity in Healthcare Applications

    The Internet of Things (IoT) is a paradigm that can tremendously revolutionize health care, benefiting hospitals, doctors and patients alike. In this context, protecting the IoT in health care against interference, including service attacks and malware, is challenging. Opacity is a confidentiality property capturing a system's ability to keep a subset of its behavior hidden from passive observers. In this work, we introduce an IoT-based heart attack detection system that could be life-saving for patients without compromising their need for privacy, through the verification and enforcement of opacity. Our main contributions are the use of a tool to verify opacity in three of its forms, so as to detect privacy leaks in our system. Furthermore, we develop an efficient Symbolic Observation Graph (SOG)-based algorithm for enforcing opacity.

    Compositional and Abstraction-Based Approach for Synthesis of Edit Functions for Opacity Enforcement

    This paper develops a novel compositional and abstraction-based approach to synthesize edit functions for opacity enforcement in modular discrete event systems. Edit functions alter the output of the system by erasing or inserting events in order to obfuscate the outside intruder, whose goal is to infer the secrets of the system from its observation. We synthesize edit functions to solve the opacity enforcement problem in a modular setting, which significantly reduces the computational complexity compared with the monolithic approach. Two abstraction methods, called opaque observation equivalence and opaque bisimulation, are first employed to abstract the individual components of the modular system and their observers. Subsequently, we propose a method to transform the synthesis of edit functions into the calculation of modular supremal nonblocking supervisors. We show that the edit functions synthesized in this manner correctly solve the opacity enforcement problem.

    Guess my vote: a study of opacity and information flow in voting systems

    With an overall theme of information flow, this thesis has two main strands. In the first part of the thesis, I review existing information flow properties, highlighting a recent definition known as opacity [25]. Intuitively, a predicate φ is opaque if for every run in which φ is true, there exists an indistinguishable run in which it is false, where a run can be regarded as a sequence of events. Hence, the observer is never able to establish the truth of φ. The predicate φ can be defined according to requirements of the system, giving opacity a great deal of flexibility and versatility. Opacity is then studied in relation to several well-known definitions for information flow. As will be shown, several of these properties can be cast as variations of opacity, while others have a relationship by implication with the opacity property [139]. This demonstrates the flexibility of opacity, at the same time establishing its distinct character. In the second part of the thesis, I investigate information flow in voting systems. Pret a Voter [36] is the main exemplar, and is compared to other schemes in the case study. I first analyse information flow in Pret a Voter and the FOO scheme [59], concentrating on the core protocols. The aim is to investigate the security requirements of each scheme, and the extent to which they can be captured using opacity. I then discuss a systems-based analysis of Pret a Voter [163], which adapts and extends an earlier analysis of the Chaum [35] and Neff [131], [132], [133] schemes in [92]. Although this analysis has identified several potential vulnerabilities, it cannot be regarded as systematic, and a more rigorous approach may be necessary. It is possible that a combination of the information flow and systems-based analyses might be the answer. The analysis of coercion-resistance, which is performed on Pret a Voter and the FOO scheme, may exemplify this more systematic approach. Receipt-freeness usually means that the voter is unable to construct a proof of her vote. Coercion-resistance is a stronger property in that it accounts for the possibility of interaction between the coercer and the voter during protocol execution. It appears that the opacity property is ideally suited to expressing the requirements for coercion-resistance in each scheme. A formal definition of receipt-freeness cast as a variation of opacity is proposed [138], together with suggestions on how it might be reinforced to capture coercion-resistance. In total, the thesis demonstrates the remarkable flexibility of opacity, both in expressing differing security requirements and as a tool for security analysis. This work lays the groundwork for future enhancement of the opacity framework.

    Proceedings of the 3rd International Workshop on Formal Aspects in Security and Trust (FAST2005)

    The present report contains the pre-proceedings of the third international Workshop on Formal Aspects in Security and Trust (FAST2005), held in Newcastle upon Tyne, 18-19 July 2005. FAST is an event affiliated with the Formal Methods 2005 Congress (FM05). The third international Workshop on Formal Aspects in Security and Trust (FAST2005) aims at continuing the successful effort of the previous two FAST workshop editions in fostering cooperation among researchers in the areas of security and trust. The new challenges offered by the so-called ambient intelligence space, as a future paradigm in the information society, demand a coherent and rigorous framework of concepts, tools and methodologies to provide users' trust and confidence in the underlying communication/interaction infrastructure. It is necessary to address issues relating to both guaranteeing the security of the infrastructure and the perception of the infrastructure being secure. In addition, user confidence in what is happening must be enhanced by developing trust models that are effective but also easily comprehensible and manageable by users.

    Technology-mediated Control: Case Examples and Research Directions for the Future of Organizational Control

    This study explores the emerging topic of technology-mediated control (TMC), which refers to an organization's use of digital technologies to influence workers to behave in a manner consistent with organizational objectives. The popular press has discussed many mobile apps, digital sensors, software algorithms, and other technologies that support, or automate, managerial control processes. Building on the rich history of research on organizational and information systems (IS) control and on ubiquitous technology, we explore how TMC approaches have increasingly begun to replace traditional, face-to-face control relationships. In particular, we analyze four illustrative case examples (UPS, Uber, Rationalizer, and Humanyze) to propose a detailed research agenda for future study in this important new topic area.

    From Security Enforcement to Supervisory Control in Discrete Event Systems: Qualitative and Quantitative Analyses

    Cyber-physical systems are technological systems that involve physical components that are monitored and controlled by multiple computational units that exchange information through a communication network. Examples of cyber-physical systems arise in transportation, power, smart manufacturing, and other classes of systems that have a large degree of automation. Analysis and control of cyber-physical systems are an active area of research. The increasing demands for safety, security and performance improvement of cyber-physical systems put stringent constraints on their design and necessitate the use of formal model-based methods to synthesize control strategies that provably enforce required properties. This dissertation focuses on the higher level control logic in cyber-physical systems using the framework of discrete event systems. It tackles two classes of problems for discrete event systems. The first class of problems is related to system security. This problem is formulated in terms of the information flow property of opacity. In this part of the dissertation, an interface-based approach called insertion/edit function is developed to enforce opacity under the potential inference of malicious intruders that may or may not know the implementation of the insertion/edit function. The focus is the synthesis of insertion/edit functions that solve the opacity enforcement problem in the framework of qualitative and quantitative games on finite graphs. The second problem treated in the dissertation is that of performance optimization in the context of supervisory control under partial observation. This problem is transformed into a two-player quantitative game, and an information structure on which the game is played is constructed. A novel approach to synthesize supervisors by solving the game is developed. The main contributions of this dissertation are grouped into the following five categories. (i) The transformation of the formulated opacity enforcement and supervisory control problems into games on finite graphs provides a systematic way of performing worst case analysis in the design of discrete event systems. (ii) These games have state spaces that are as compact as possible, using the notion of information states in each corresponding problem. (iii) A formal model-based approach is employed in the entire dissertation, which results in provably correct solutions. (iv) The approaches developed in this dissertation reveal the interconnection between control theory and formal methods. (v) The results in this dissertation are applicable to many types of cyber-physical systems with security-critical and performance-aware requirements.

    Conceptualising the surveillance of teachers

    Schools are risky places: the risk of a poor Ofsted report, the risk of sliding down league tables, the risk of teachers abusing children, the risk of teachers being falsely accused of abuse. As a result of risk anxiety and the ever increasing sophistication of technology, the surveillance of teachers has proliferated, becoming a future-oriented pursuit to manage this risk. Drawing on the surveillance studies literature, this article attempts to theorise the surveillance of teachers. First, it argues that there are three types of teacher surveillance: vertical surveillance, perpetuated by Ofsted and senior school leaders through teaching observations and learning walks, but also by students recording their teachers on mobile phones; horizontal surveillance, enacted by peers in terms of concertive control but also by parents via online and offline networks; and finally, intrapersonal surveillance, embracing reflective practice, data reporting and self-policing of proximity to children. The article concludes by arguing that while surveillance in schools embraces the themes of modern surveillance in general, by doggedly retaining the proximal and the interpersonal, it should be considered a hybrid form between traditional and modern forms of surveillance.

    Formal Aspects in Security and Trust

    This book constitutes the thoroughly refereed post-proceedings of the Third International Workshop on Formal Aspects in Security and Trust, FAST 2005, held in Newcastle upon Tyne, UK in July 2005. The 17 revised papers presented together with the extended abstract of 1 invited paper were carefully reviewed and selected from 37 submissions. The papers focus on formal aspects in security and trust policy models, security protocol design and analysis, formal models of trust and reputation, logics for security and trust, distributed trust management systems, trust-based reasoning, digital assets protection, data protection, privacy and ID issues, information flow analysis, language-based security, security and trust aspects in ubiquitous computing, validation/analysis tools, web service security/trust/privacy, GRID security, security risk assessment, and case studies.

    Five Answers and Three Questions after United States v. Jones (2012), the Fourth Amendment GPS Case

    Each year, the United States Supreme Court's docket includes a range of high profile cases that attract attention not merely from law professors and others with an acquired fascination with the Court, but also from a general audience of law students, lawyers, scholars and commentators on American politics and society, as well as, occasionally, the public at large. During the 2011 Term, one of those cases was the GPS case, formally known as United States v. Jones. Media coverage of the case spread far beyond the legal blogosphere to a wide variety of mainstream and popular sources, both in print and online. Many people who had no familiarity with the legal doctrinal intricacies of Fourth Amendment law nevertheless waited with bated breath to hear what the Court would say about what limitations, if any, the Constitution might place on the authority of the police to use GPS technology for tracking criminal suspects, or, more broadly, the authority of the Government in general to maintain surveillance of the public movements of people in everyday life. When the decision was announced in January 2012, nearly everyone, from the layperson reading a news update online to the law professor ready to thoroughly dissect the ramifications of the opinion with a criminal procedure class, was left underwhelmed by the Court's resolution of the case, at least compared to the anticipation beforehand. In two respects, at least, the Court was unanimous and clear: the Defendant's argument prevailed and the Fourth Amendment applied to what the police had done on the facts of the case. Other than that, however, the Court did not provide very much guidance about the Fourth Amendment implications of GPS surveillance or similar tracking technologies in the future. The lack of clarity was particularly acute because the reasoning underlying the Court's holding revealed a 5-4 split among the Justices, a division that differed from the stereotypical perception of the Justices' ideological divides, as well as a concurring opinion that seemingly agreed with both of the other two camps while simultaneously staking out a position broader than either. At first glance the three opinions revealed a Court seemingly intent on avoiding the complex and difficult issues of Fourth Amendment rights in a digital, Internet-interconnected age and putting off these tough judgment calls for another case on another day. As is often true of the Court's decisions, though, the reality is more nuanced than initial appearances might suggest. While the opinions in Jones undeniably left open several significant questions for resolution in future cases, they actually provided answers to a number of subsidiary questions. Consequently, it is worth taking the time to carefully consider not only the issues the Jones decision leaves open, but also the questions it answers.