718 research outputs found
The Science of Information Protection
Workshop on Education in Computer Security (WECS) 7The presentation of Information Protection material can be improved in two important ways. First, if the
material is arranged in a systematic/scientific fashion it can show how all the various pieces fit together
and it can also demonstrate completeness by showing that all threats are addressed. Second, if each
protection technique is preceded by a clear description of the threat that it addresses learning is
significantly enhanced because the protection technique is motivated. This paper presents an
information threat model that 1) arranges the material in a scientific/systematic fashion and 2) facilitates
a threat-first presentation of Information Protection techniques
Information Flow Model for Commercial Security
Information flow in Discretionary Access Control (DAC) is a well-known difficult problem. This paper formalizes the fundamental concepts and establishes a theory of information flow security. A DAC system is information flow secure (IFS), if any data never flows into the hands of owner’s enemies (explicitly denial access list.
Mobile Devices Attacks
Táto práca sa zaoberá bezpeÄŤnostnĂ˝mi architektĂşrami v mobilnĂ˝ch zariadeniach a rĂ´znymi formami Ăştokov proti nim. V prvej ÄŤasti je Ăşvod do bezpeÄŤnosti mobilnĂ˝ch zariadenĂ a bezpeÄŤnostnĂ© riziká sĂşvisiace s mobilnĂ˝mi zariadeniami. SĂş tu uvedenĂ© slabĂ© miesta vo WLAN sieĹĄach a Ăşvod do Bluetooth technolĂłgie aj s rizikami. V druhej ÄŤasti je predstavenie produkÄŤnĂ©ho testovania, ktorĂ© sa vyuĹľĂva u spoloÄŤnosti Nokia a popis jednotlivĂ˝ch testov pouĹľĂvanĂ˝ch na vyskúšanie funkÄŤnosti zariadenĂ. Rovnako sa v nej nachádza popis architektĂşry, ktorou sĂş mobilnĂ© zariadenia u spoloÄŤnosti Nokia zabezpeÄŤenĂ© voÄŤi rĂ´znym formám Ăştokov viaĹľucim sa na inštalovanie softwaru a testovanie.This thesis studies security architecture in mobile devices and different forms of attack against them. The first part introduces the mobile devices security and security threats related to mobile devices. WLAN security threats are introduced, Bluetooth technology is described and security threats related to it. The second part introduces Nokia production testing and description of the tests which are used to proof the device stability and functionality. In the second part is also description of whole device security related to production testing and software installing.
Functionality-based application confinement: A parameterised and hierarchical approach to policy abstraction for rule-based application-oriented access controls
Access controls are traditionally designed to protect resources from users, and consequently make access decisions based on the identity of the user, treating all processes as if they are acting on behalf of the user that runs them. However, this user-oriented approach is insufficient at protecting against contemporary threats, where security compromises are often due to applications running malicious code, either due to software vulnerabilities or malware. Application-oriented access controls can mitigate this threat by managing the authority of individual applications. Rule-based application-oriented access controls can restrict applications to only allow access to the specific finely-grained resources required for them to carry out their tasks, and thus can significantly limit the damage that can be caused by malicious code. Unfortunately existing application-oriented access controls have policy complexity and usability problems that have limited their use.
This thesis proposes a new access control model, known as functionality-based application confinement (FBAC). The FBAC model has a number of unique features designed to overcome problems with previous approaches. Policy abstractions, known as functionalities, are used to assign authority to applications based on the features they provide. Functionalities authorise elaborate sets of finely grained privileges based on high-level security goals, and adapt to the needs of specific applications through parameterisation. FBAC is hierarchical, which enables it to provide layers of abstraction and encapsulation in policy. It also simultaneously enforces the security goals of both users and administrators by providing discretionary and mandatory controls.
An LSM-based (Linux security module) prototype implementation, known as FBAC-LSM, was developed as a proof-of-concept and was used to evaluate the new model and associated techniques. The policy requirements of over one hundred applications were analysed, and policy abstractions and application policies were developed. Analysis showed that the FBAC model is capable of representing the privilege needs of applications. The model is also well suited to automaiii tion techniques that can in many cases create complete application policies a priori, that is, without first running the applications. This is an improvement over previous approaches that typically rely on learning modes to generate policies. A usability study was conducted, which showed that compared to two widely-deployed alternatives (SELinux and AppArmor), FBAC-LSM had significantly higher perceived usability and resulted in significantly more protective policies. Qualitative analysis was performed and gave further insight into the issues surrounding the usability of application-oriented access controls, and confirmed the success of the FBAC model
Cyberciege scenario illustrating integrity risks to a military like facility
Note: the appendix file for this item is not available.As the number of computer users continues to grow, attacks on assets stored on computer devices have increased. Despite an increase in computer security awareness, many users and policy makers still do not implement security principles in their daily lives. Ineffective education and the lack of personal experience and tacit understanding might be a main cause. The CyberCIEGE game can be used to convey requisite facts and to generate tacit understanding of general computer security concepts to a broad audience. This thesis asked if a Scenario Definition File (SDF) for the CyberCIEGE game could be developed to educate and train players in Information Assurance on matters related to information integrity in a networking environment. The primary educational concern is the protection of stored data. Another goal was to test whether the game engine properly simulates real world behavior. The research concluded that it is possible to create SDFs for the CyberCIEGE game engine to teach specifically about integrity issues. Three specific SDFs were developed for teaching purposes. Several SDFs were developed to demonstrate the game engine's ability to simulate real world behavior for specific, isolated educational goals. These tests led to recommendations to improve the game engine.http://archive.org/details/cyberciegescenar109451434Lieutenant, German NavyApproved for public release; distribution is unlimited
Faculty Workshops for Teaching Information Assurance through Hands-On Exercises and Case Studies
Though many Information Assurance (IA) educators agree that hands-on exercises and case studies improve student learning, hands-on exercises and case studies are not widely adopted due to the time needed to develop them and integrate them into curriculum. Under the support of the National Science Foundation (NSF) Scholarship for Service program, we organized two faculty development workshops to disseminate effective hands-on exercises and case studies developed through multiple previous and ongoing grants. To develop faculty expertise in IA, the workshop covered a wide range of IA topics. This paper describes the hands-on exercises and case studies we disseminated through the workshops and reports our experiences of holding the faculty summer workshops. The evaluation results show that workshop participants demonstrated high levels of satisfaction with knowledge and skills gained in both the 2012 and 2013 workshops. Workshop participants also reported use of hands-on lab and case study materials in our follow-up survey and interviews. The workshops provided a valuable opportunity for IA educators to communicate and form collaborations in teaching and research in IA
Bibliography for computer security, integrity, and safety
A bibliography of computer security, integrity, and safety issues is given. The bibliography is divided into the following sections: recent national publications; books; journal, magazine articles, and miscellaneous reports; conferences, proceedings, and tutorials; and government documents and contractor reports
- …