1,220 research outputs found

    Data Minimisation in Communication Protocols: A Formal Analysis Framework and Application to Identity Management

    With the growing amount of personal information exchanged over the Internet, privacy is becoming more and more a concern for users. One of the key principles in protecting privacy is data minimisation. This principle requires that only the minimum amount of information necessary to accomplish a certain goal is collected and processed. "Privacy-enhancing" communication protocols have been proposed to guarantee data minimisation in a wide range of applications. However, currently there is no satisfactory way to assess and compare the privacy they offer in a precise way: existing analyses are either too informal and high-level, or specific for one particular system. In this work, we propose a general formal framework to analyse and compare communication protocols with respect to privacy by data minimisation. Privacy requirements are formalised independent of a particular protocol in terms of the knowledge of (coalitions of) actors in a three-layer model of personal information. These requirements are then verified automatically for particular protocols by computing this knowledge from a description of their communication. We validate our framework in an identity management (IdM) case study. As IdM systems are used more and more to satisfy the increasing need for reliable on-line identification and authentication, privacy is becoming an increasingly critical issue. We use our framework to analyse and compare four identity management systems. Finally, we discuss the completeness and (re)usability of the proposed framework.

    Cornucopia: Temporal safety for CHERI heaps

    Use-after-free violations of temporal memory safety continue to plague software systems, underpinning many high-impact exploits. The CHERI capability system shows great promise in achieving C and C++ language spatial memory safety, preventing out-of-bounds accesses. Enforcing language-level temporal safety on CHERI requires capability revocation, traditionally achieved either via table lookups (avoided for performance in the CHERI design) or by identifying capabilities in memory to revoke them (similar to a garbage-collector sweep). CHERIvoke, a prior feasibility study, suggested that CHERI’s tagged capabilities could make this latter strategy viable, but modeled only architectural limits and did not consider the full implementation or evaluation of the approach. Cornucopia is a lightweight capability revocation system for CHERI that implements non-probabilistic C/C++ temporal memory safety for standard heap allocations. It extends the CheriBSD virtual-memory subsystem to track capability flow through memory and provides a concurrent kernel-resident revocation service that is amenable to multi-processor and hardware acceleration. We demonstrate an average overhead of less than 2% and a worst-case of 8.9% for concurrent revocation on compatible SPEC CPU2006 benchmarks on a multi-core CHERI CPU on FPGA, and we validate Cornucopia against the Juliet test suite’s corpus of temporally unsafe programs. We test its compatibility with a large corpus of C programs by using a revoking allocator as the system allocator while booting multi-user CheriBSD. Cornucopia is a viable strategy for always-on temporal heap memory safety, suitable for production environments.
    This work was supported by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 (“CTSRD”) and HR0011-18-C-0016 (“ECATS”). We also acknowledge the EPSRC REMS Programme Grant (EP/K008528/1), the ABP Grant (EP/P020011/1), the ERC ELVER Advanced Grant (789108), the Gates Cambridge Trust, Arm Limited, HP Enterprise, and Google, Inc.

    Lethe: Conceal Content Deletion from Persistent Observers


    Secure and Privacy-Preserving Authentication Protocols for Wireless Mesh Networks

    Wireless mesh networks (WMNs) have emerged as a promising concept to meet the challenges in next-generation wireless networks such as providing flexible, adaptive, and reconfigurable architecture while offering cost-effective solutions to service providers. As WMNs become an increasingly popular replacement technology for last-mile connectivity to the home networking, community and neighborhood networking, it is imperative to design efficient and secure communication protocols for these networks. However, several vulnerabilities exist in currently existing protocols for WMNs. These security loopholes can be exploited by potential attackers to launch attacks on WMNs. The absence of a central point of administration makes securing WMNs even more challenging. The broadcast nature of transmission and the dependency on the intermediate nodes for multi-hop communications lead to several security vulnerabilities in WMNs. The attacks can be external as well as internal in nature. External attacks are launched by intruders who are not authorized users of the network. For example, an intruding node may eavesdrop on the packets and replay those packets at a later point of time to gain access to the network resources. On the other hand, the internal attacks are launched by the nodes that are part of the WMN. One example of such an attack is an intermediate node dropping packets which it was supposed to forward. This chapter presents a comprehensive discussion on the current authentication and privacy protection schemes for WMN. In addition, it proposes a novel security protocol for node authentication and message confidentiality and an anonymization scheme for privacy protection of users in WMNs.
    Comment: 32 pages, 10 figures. The work is an extended version of the author's previous works submitted in CoRR: arXiv:1107.5538v1 and arXiv:1102.1226v

    On Cryptographic Building Blocks and Transformations

    Cryptographic building blocks play a central role in cryptography, e.g., encryption or digital signatures with their security notions. Further, cryptographic building blocks might be constructed modularly, i.e., emerge out of other cryptographic building blocks. Essentially, one cryptographically transforms the underlying block(s) and their (security) properties into the emerged block and its properties. This thesis considers cryptographic building blocks and new cryptographic transformations.

    The ECJ as a Constitutional and a Private Law Court: a Methodological Comparison

    It is common ground that in the EU the role of adjudication has always been, and continues to be, more important than in the Member States as the degree of political consensus is much more limited at European level. Therefore, issues which could be decided politically in the Member States had to be solved legally in the European context. At the same time, the authority and legitimacy of European court decisions is more fragile than that of national ones - not only as the EU crucially depends on the collaboration of national administrations and courts for the effective implementation and enforcement of its legal system, but also because the legitimacy of the EU itself as a political entity is more fragile than that of European Nation States, most of which are firmly rooted in democratic traditions and enjoy a considerable degree of political stability. These weaknesses notwithstanding, legal integration in the EC has been a long success story reconstructed by Joseph Weiler and others. Judicial activism led to important progress of the integration process not only in the foundationary period, but also in the years of political stagnation after the 1967 crisis and after the relance of the integration process following the Single Market project 1985. This kind of activism primarily relates to the constitutional foundations of the EC: the structural constitution (i.e. the relationship of European and national law including the famous doctrines of direct effect, supremacy, state liability), the substantive constitution (mainly composed of the basic market freedoms, competition law, and the protection of human rights) and the institutional constitution (setting forth the competencies and the rules of interaction of the various European institutions). In these fields, the ECJ has successfully developed the treaties into a full and mostly coherent constitutional system. 
On the whole, these developments have met the acceptance of Member States and enjoy a sufficient degree of legitimacy. This is probably so because they are primarily related to the initial project of market integration through the abolition of national restrictions and the establishment of a system of undistorted competition - on which there was an initial consensus of all Member States and which has in most cases led to economic benefits for a majority of them. In the case of human rights protection, this only replicated a more or less common standard reflecting common historical and cultural heritage and achievements. Yet, in other areas - specifically in areas covered by European secondary legislation, which the ECJ is bound to administer so to speak as an ordinary court - European adjudication has proven to be far less successful. This is particularly true for the field of European private law which is a relative newcomer to legal harmonisation policy. European private law is characterised by selective European acts limited in scope which aim in most cases at consumer protection and which have to co-exist with a more or less coherent and encompassing body of national law (“islands and archipelagos in an ocean”). In this constellation, numerous problems exist: First, one finds problems of access and effectiveness of justice, as the most frequent preliminary reference procedure usually lasts more than 2 years and only provides interpretations of European law, without resolving the case - which frequently leads to a “ping-pong” game between European and national courts to the detriment of the parties which has lasted in some cases more than 10 years. Moreover, we are confronted with quality problems, as it becomes ever more apparent that the ECJ judges cannot deal convincingly, without a meaningful degree of specialisation, with all legal matters ranging from constitutional to company and tax law. 
More generally, the usual methodological style of the ECJ, a combination between legal formalism and effet utile-oriented interpretation, is not suited to private law, whose essential task is to balance opposed interests among the parties in a just way. This is particularly so as the overall effects of the combined application of European and national law - which alone determines the outcome of a case - are almost never considered by the ECJ which limits itself to the interpretation of European law only. But there are more structural problems related to the specific characteristics of the field. Due to the fragmentation of European sources, decisions on European acts in private law often concern their scope of applicability and do not lead, unlike in national law, to an ever more precise and coherent systematisation of the field. Specifically, the ECJ is not well suited to decide on dispositive law issues, which typically do not reflect public policy matters, but consist of a balancing of party interests. This requires significant knowledge of the social and economic context of specific types of transactions - knowledge which the ECJ frequently lacks. Taken together, these problems render the effectiveness and legitimacy of European adjudication in private law thin in many instances. A way out from this dilemma is not easy to design in general terms. However, basic provisos may still be formulated: The ECJ should handle private law with caution and more often resort to judicial self restraint. It should be aware of the fact that it is not the suitable court to do the fine-tuning in private law systems and to deliver private law justice (mostly commutative and only exceptionally distributive justice). Correspondingly, it should limit itself to implementing basic European principles such as market freedoms and human rights, and to instigating and monitoring learning and rationalisation processes in national law (a "procedural" function). 
Moreover, it should systematically reflect the consequences of its decisions resulting from the combined application of European and national law. In short, one might say that it is by behaving like a constitutional court for private law that the ECJ might replicate its constitutional law success story there.

    Formal Mitigation Strategies for the Insider Threat: A Security Model and Risk Analysis Framework

    The advancement of technology and reliance on information systems have fostered an environment of sharing and trust. The rapid growth and dependence on these systems, however, creates an increased risk associated with the insider threat. The insider threat is one of the most challenging problems facing the security of information systems because the insider already has capabilities within the system. Despite research efforts to prevent and detect insiders, organizations remain susceptible to this threat because of inadequate security policies and a willingness of some individuals to betray their organization. To investigate these issues, a formal security model and risk analysis framework are used to systematically analyze this threat and develop effective mitigation strategies. This research extends the Schematic Protection Model to produce the first comprehensive security model capable of analyzing the safety of a system against the insider threat. The model is used to determine vulnerabilities in security policies and system implementation. Through analysis, mitigation strategies that effectively reduce the threat are identified. Furthermore, an action-based taxonomy that expresses the insider threat through measurable and definable actions is presented. A risk analysis framework is also developed that identifies individuals within an organization that display characteristics indicative of a malicious insider. The framework uses a multidisciplinary process by combining behavior and technical attributes to produce a single threat level for each individual within the organization. Statistical analysis using the t-distribution and prediction interval on the threat levels reveals those individuals that are a potential threat to the organization. The effectiveness of the framework is illustrated using the case study of Robert Hanssen, demonstrating the process would likely have identified him as an insider threat.

    Deferentialism: A Post–originalist Theory of Legal Interpretation
