718 research outputs found

    The Science of Information Protection

    Get PDF
    Workshop on Education in Computer Security (WECS) 7The presentation of Information Protection material can be improved in two important ways. First, if the material is arranged in a systematic/scientific fashion it can show how all the various pieces fit together and it can also demonstrate completeness by showing that all threats are addressed. Second, if each protection technique is preceded by a clear description of the threat that it addresses learning is significantly enhanced because the protection technique is motivated. This paper presents an information threat model that 1) arranges the material in a scientific/systematic fashion and 2) facilitates a threat-first presentation of Information Protection techniques

    Information Flow Model for Commercial Security

    Get PDF
    Information flow in Discretionary Access Control (DAC) is a well-known difficult problem. This paper formalizes the fundamental concepts and establishes a theory of information flow security. A DAC system is information flow secure (IFS), if any data never flows into the hands of owner’s enemies (explicitly denial access list.

    Mobile Devices Attacks

    Get PDF
    Táto práca sa zaoberá bezpečnostnými architektúrami v mobilných zariadeniach a rôznymi formami útokov proti nim. V prvej časti je úvod do bezpečnosti mobilných zariadení a bezpečnostné riziká súvisiace s mobilnými zariadeniami. Sú tu uvedené slabé miesta vo WLAN sieťach a úvod do Bluetooth technológie aj s rizikami. V druhej časti je predstavenie produkčného testovania, ktoré sa využíva u spoločnosti Nokia a popis jednotlivých testov používaných na vyskúšanie funkčnosti zariadení. Rovnako sa v nej nachádza popis architektúry, ktorou sú mobilné zariadenia u spoločnosti Nokia zabezpečené voči rôznym formám útokov viažucim sa na inštalovanie softwaru a testovanie.This thesis studies security architecture in mobile devices and different forms of attack against them. The first part introduces the mobile devices security and security threats related to mobile devices. WLAN security threats are introduced, Bluetooth technology is described and security threats related to it. The second part introduces Nokia production testing and description of the tests which are used to proof the device stability and functionality. In the second part is also description of whole device security related to production testing and software installing.

    Functionality-based application confinement: A parameterised and hierarchical approach to policy abstraction for rule-based application-oriented access controls

    Get PDF
    Access controls are traditionally designed to protect resources from users, and consequently make access decisions based on the identity of the user, treating all processes as if they are acting on behalf of the user that runs them. However, this user-oriented approach is insufficient at protecting against contemporary threats, where security compromises are often due to applications running malicious code, either due to software vulnerabilities or malware. Application-oriented access controls can mitigate this threat by managing the authority of individual applications. Rule-based application-oriented access controls can restrict applications to only allow access to the specific finely-grained resources required for them to carry out their tasks, and thus can significantly limit the damage that can be caused by malicious code. Unfortunately existing application-oriented access controls have policy complexity and usability problems that have limited their use. This thesis proposes a new access control model, known as functionality-based application confinement (FBAC). The FBAC model has a number of unique features designed to overcome problems with previous approaches. Policy abstractions, known as functionalities, are used to assign authority to applications based on the features they provide. Functionalities authorise elaborate sets of finely grained privileges based on high-level security goals, and adapt to the needs of specific applications through parameterisation. FBAC is hierarchical, which enables it to provide layers of abstraction and encapsulation in policy. It also simultaneously enforces the security goals of both users and administrators by providing discretionary and mandatory controls. An LSM-based (Linux security module) prototype implementation, known as FBAC-LSM, was developed as a proof-of-concept and was used to evaluate the new model and associated techniques. The policy requirements of over one hundred applications were analysed, and policy abstractions and application policies were developed. Analysis showed that the FBAC model is capable of representing the privilege needs of applications. The model is also well suited to automaiii tion techniques that can in many cases create complete application policies a priori, that is, without first running the applications. This is an improvement over previous approaches that typically rely on learning modes to generate policies. A usability study was conducted, which showed that compared to two widely-deployed alternatives (SELinux and AppArmor), FBAC-LSM had significantly higher perceived usability and resulted in significantly more protective policies. Qualitative analysis was performed and gave further insight into the issues surrounding the usability of application-oriented access controls, and confirmed the success of the FBAC model

    Cyberciege scenario illustrating integrity risks to a military like facility

    Get PDF
    Note: the appendix file for this item is not available.As the number of computer users continues to grow, attacks on assets stored on computer devices have increased. Despite an increase in computer security awareness, many users and policy makers still do not implement security principles in their daily lives. Ineffective education and the lack of personal experience and tacit understanding might be a main cause. The CyberCIEGE game can be used to convey requisite facts and to generate tacit understanding of general computer security concepts to a broad audience. This thesis asked if a Scenario Definition File (SDF) for the CyberCIEGE game could be developed to educate and train players in Information Assurance on matters related to information integrity in a networking environment. The primary educational concern is the protection of stored data. Another goal was to test whether the game engine properly simulates real world behavior. The research concluded that it is possible to create SDFs for the CyberCIEGE game engine to teach specifically about integrity issues. Three specific SDFs were developed for teaching purposes. Several SDFs were developed to demonstrate the game engine's ability to simulate real world behavior for specific, isolated educational goals. These tests led to recommendations to improve the game engine.http://archive.org/details/cyberciegescenar109451434Lieutenant, German NavyApproved for public release; distribution is unlimited

    Information sharing and security in dynamic coalitions

    Get PDF

    Faculty Workshops for Teaching Information Assurance through Hands-On Exercises and Case Studies

    Get PDF
    Though many Information Assurance (IA) educators agree that hands-on exercises and case studies improve student learning, hands-on exercises and case studies are not widely adopted due to the time needed to develop them and integrate them into curriculum. Under the support of the National Science Foundation (NSF) Scholarship for Service program, we organized two faculty development workshops to disseminate effective hands-on exercises and case studies developed through multiple previous and ongoing grants. To develop faculty expertise in IA, the workshop covered a wide range of IA topics. This paper describes the hands-on exercises and case studies we disseminated through the workshops and reports our experiences of holding the faculty summer workshops. The evaluation results show that workshop participants demonstrated high levels of satisfaction with knowledge and skills gained in both the 2012 and 2013 workshops. Workshop participants also reported use of hands-on lab and case study materials in our follow-up survey and interviews. The workshops provided a valuable opportunity for IA educators to communicate and form collaborations in teaching and research in IA

    Computer database security and Oracle security implementation

    Get PDF

    Bibliography for computer security, integrity, and safety

    Get PDF
    A bibliography of computer security, integrity, and safety issues is given. The bibliography is divided into the following sections: recent national publications; books; journal, magazine articles, and miscellaneous reports; conferences, proceedings, and tutorials; and government documents and contractor reports
    • …
    corecore