1,339,434 research outputs found
Breaking parameter modulated chaotic secure communication system
This paper describes the security weakness of a recently proposed secure
communication method based on parameter modulation of a chaotic system and
adaptive observer-based synchronization scheme. We show that the security is
compromised even without precise knowledge of the chaotic system used.Comment: 8 pages, 3 figures, latex forma
A Spatial-Epistemic Logic for Reasoning about Security Protocols
Reasoning about security properties involves reasoning about where the
information of a system is located, and how it evolves over time. While most
security analysis techniques need to cope with some notions of information
locality and knowledge propagation, usually they do not provide a general
language for expressing arbitrary properties involving local knowledge and
knowledge transfer. Building on this observation, we introduce a framework for
security protocol analysis based on dynamic spatial logic specifications. Our
computational model is a variant of existing pi-calculi, while specifications
are expressed in a dynamic spatial logic extended with an epistemic operator.
We present the syntax and semantics of the model and logic, and discuss the
expressiveness of the approach, showing it complete for passive attackers. We
also prove that generic Dolev-Yao attackers may be mechanically determined for
any deterministic finite protocol, and discuss how this result may be used to
reason about security properties of open systems. We also present a
model-checking algorithm for our logic, which has been implemented as an
extension to the SLMC system.Comment: In Proceedings SecCo 2010, arXiv:1102.516
K-bass: A KnowledgeâBased Access Security System For Medical Environments
Enforcing security requires the application of an access control model. The access control models used today have limitations that become evident when applied in collaborative environments, such as medical environments. To overcome these problems, a system has been developed in order to introduce dynamic access security. The system at hand combines effectively (C-TMAC) Team-based access control using contexts model and knowledge base technology. The systemâs security scheme fine-grains the usersâ access rights by integrating the Role Based Access Controls (RBAC) model and the (C-TMAC) model through knowledge-based systems technology. The originality lies on the fact that the users in the system are authenticated by combining their individual access rights (RBAC), their teamâs access rights (C-TMAC) and the context information associated with the team they belong to.
Furthermore, knowledge-based technology is used for the representation of knowledge and reasoning. The system initiates with some facts and rules and is able to learn, infer knowledge and produce meta-knowledge. Therefore the system can train itself and respond in non-deterministic way to user requests. Any change in context information fires a new rule in the knowledge base. The proposed system is an automated and self-controlled system called (K-BASS) Knowledge-based Access Security System that may be used in medical environments, to dynamically assign permission rights and to add new medical staff and patients
Classical Knowledge for Quantum Security
We propose a decision procedure for analysing security of quantum
cryptographic protocols, combining a classical algebraic rewrite system for
knowledge with an operational semantics for quantum distributed computing. As a
test case, we use our procedure to reason about security properties of a
recently developed quantum secret sharing protocol that uses graph states. We
analyze three different scenarios based on the safety assumptions of the
classical and quantum channels and discover the path of an attack in the
presence of an adversary. The epistemic analysis that leads to this and similar
types of attacks is purely based on our classical notion of knowledge.Comment: extended abstract, 13 page
Towards operational measures of computer security
Ideally, a measure of the security of a system should capture quantitatively the intuitive notion of âthe ability of the system to resist attackâ. That is, it should be operational, reflecting the degree to which the system can be expected to remain free of security breaches under particular conditions of operation (including attack). Instead, current security levels at best merely reflect the extensiveness of safeguards introduced during the design and development of a system. Whilst we might expect a system developed to a higher level than another to exhibit âmore secure behaviourâ in operation, this cannot be guaranteed; more particularly, we cannot infer what the actual security behaviour will be from knowledge of such a level. In the paper we discuss similarities between reliability and security with the intention of working towards measures of âoperational securityâ similar to those that we have for reliability of systems. Very informally, these measures could involve expressions such as the rate of occurrence of security breaches (cf rate of occurrence of failures in reliability), or the probability that a specified âmissionâ can be accomplished without a security breach (cf reliability function). This new approach is based on the analogy between system failure and security breach. A number of other analogies to support this view are introduced. We examine this duality critically, and have identified a number of important open questions that need to be answered before this quantitative approach can be taken further. The work described here is therefore somewhat tentative, and one of our major intentions is to invite discussion about the plausibility and feasibility of this new approach
A Formal Approach to Exploiting Multi-Stage Attacks based on File-System Vulnerabilities of Web Applications (Extended Version)
Web applications require access to the file-system for many different tasks.
When analyzing the security of a web application, secu- rity analysts should
thus consider the impact that file-system operations have on the security of
the whole application. Moreover, the analysis should take into consideration
how file-system vulnerabilities might in- teract with other vulnerabilities
leading an attacker to breach into the web application. In this paper, we first
propose a classification of file- system vulnerabilities, and then, based on
this classification, we present a formal approach that allows one to exploit
file-system vulnerabilities. We give a formal representation of web
applications, databases and file- systems, and show how to reason about
file-system vulnerabilities. We also show how to combine file-system
vulnerabilities and SQL-Injection vulnerabilities for the identification of
complex, multi-stage attacks. We have developed an automatic tool that
implements our approach and we show its efficiency by discussing several
real-world case studies, which are witness to the fact that our tool can
generate, and exploit, complex attacks that, to the best of our knowledge, no
other state-of-the-art-tool for the security of web applications can find
- âŠ