Studying Maximum Information Leakage Using Karush-Kuhn-Tucker Conditions

When studying the information leakage in programs or protocols, a natural question arises: "what is the worst case scenario?". This problem of identifying the maximal leakage can be seen as a channel capacity problem in the information theoretical sense. In this paper, by combining two powerful theories: Information Theory and Karush-Kuhn-Tucker conditions, we demonstrate a very general solution to the channel capacity problem. Examples are given to show how our solution can be applied to practical contexts of programs and anonymity protocols, and how this solution generalizes previous approaches to this problem

Algebraic Foundations for Information Theoretical, Probabilistic and Guessability measures of Information Flow

Several mathematical ideas have been investigated for Quantitative Information Flow. Information theory, probability, guessability are the main ideas in most proposals. They aim to quantify how much information is leaked, how likely is to guess the secret and how long does it take to guess the secret respectively. In this paper, we show how the Lattice of Information provides a valuable foundation for all these approaches; not only it provides an elegant algebraic framework for the ideas, but also to investigate their relationship. In particular we will use this lattice to prove some results establishing order relation correspondences between the different quantitative approaches. The implications of these results w.r.t. recent work in the community is also investigated. While this work concentrates on the foundational importance of the Lattice of Information its practical relevance has been recently proven, notably with the quantitative analysis of Linux kernel vulnerabilities. Overall we believe these works set the case for establishing the Lattice of Information as one of the main reference structure for Quantitative Information Flow

Dissecting Smart Contract Languages: A Survey

Blockchain is a distributed ledger technology that gained popularity for enabling the transformation of cryptocurrency among peers without mediation by a centralized third-party authority. Smart contracts expand the applications of blockchain technology and have played a role in its widespread adoption. Smart contracts are immutable digital programs that are deployed on blockchains to codify agreements between parties. Existing smart contract implementations have faced challenges, including security vulnerabilities, leading to significant losses and concerns. This has stimulated a wave of attempts to improve Smart Contract Languages (SCLs) to overcome implementation challenges and ensure code quality, producing many languages with diverse features. Scholars have made some attempts to classify SCLs and clarify the process of selecting an SCL, but to the best of our knowledge, no comprehensive survey of existing SCLs has been published. Our work surpasses earlier efforts by evaluating a significantly larger set of SCLs, in greater depth, to ease the process of SCL selection for blockchain research and implementation. In this paper, we (1) propose a robust framework for comparing existing SCLs, (2) analyze and discuss 36 SCLs, addressing issues beyond those used to construct the comparison framework, and (3) define new parameters for future research and development of SCLs. The survey provides a guide for those who intend to select or use an SCL to implement smart contracts, develop new SCLs, or add new extensions to the existing SCLs

Integrating Security Risk Management into Business Process Management for the Cloud

Abstract-Security issues are still preventing wider adoption of cloud computing, especially for businesses which are handling sensitive information. Indeed, by outsourcing its information system (IS), a company can lose control over its infrastructure, its software or even its data. Therefore, new methods and tools need to be defined to respond to this challenge. In this paper we propose to integrate Security Risk Management approaches into Business Process Management to effectively treat security issues at the early phases of the Information System construction. We focus on cloud brokers, emerging actors of the cloud delivery model, who enhance and aggregate existing cloud services to match them with their cloud consumers' requirements. Our main goal is to provide them with tools and techniques to increase the global security level of an IS through different risk treatment strategies

Holding on to dissensus: Participatory interactions in security design

Recent high-profile cyber-attacks affecting the National Health Service (NHS) in the UK have brought into focus the fact that data, devices, and people are so intermingled that we now need a new way of approaching everyday security that provides an account of place. The assumption until now has been that the security of the individual will follow from technical security and that designing for security requires purely technological solutions. Our creative engagement method puts the human security of actors in the foreground, ensuring that actors who may ordinarily be marginalized may have their perspectives taken into account. The creative methods used include participatory physical modelling to co-design representations of what constitutes ontological security in the everyday for communities. LEGO and other materials allow participants to physically model matters of concern as tangible scenarios, using colored bricks to encode actors, infrastructure, and the movement of data. In this paper, a single LEGO model, depicting an internet-protocol home-banking service, is described in detail. A number of playful and agonistic interactions between our participants are examined through a place-based lens, using descriptive concepts from ontological and autonomous design, an approach designed to tease apart different aspects of our results. This reveals how a community constructs place, the perspectives and horizons of actors, and networks of resilience. We find that participants achieve positive insight into these scenarios by testing out the ways in which they can be broken down by antagonists and adversaries. Participants sustain a space of contestation in which dissensus is established and anticipation of breakdown can be played with.Keywords: ontological design, autonomous design, ontological security, co-design, LEGO

Managing Vulnerabilities of Tactical Wireless RF Network Systems: A Case Study

Organisations and individuals benefit when wireless networks are protected. After assessing the risks associated with wireless technologies, organisations can reduce the risks by applying countermeasures to address specific threats and vulnerabilities. These countermeasures include management, operational and technical controls. While these countermeasures will not prevent all penetrations and adverse events, they can be effective in reducing many of the common risks associated with wireless RF networks. Among engineers dealing with different scaled and interconnected engineering systems, such as tactical wireless RF communication systems, there is a growing need for a means of analysing complex adaptive systems. We propose a methodology based on the systematic resolution of complex issues to manage the vulnerabilities of tactical wireless RF systems. There are is a need to assemble and balance the results of any successful measure, showing how well each solution meets the system’s objectives. The uncertain arguments used and other test results are combined using a form of mathematical theory for their analysis. Systems engineering thinking supports design decisions and enables decision‐makers to manage and assess the support for each solution. In these circumstances, complexity management arises from the many interacting and conflicting requirements of an increasing range of possible parameters. There may not be a single ‘right’ solution, only a satisfactory set of resolutions which this system helps to facilitate. Smart and innovative performance matrixes are introduced using a mathematical Bayesian network to manage, model, calculate and analyse all the potential vulnerability paths in wireless RF networks

A pattern-based development of secure business processes

Iga andmeturbest huvitatud äriettevõte valib iseendale sobilikud turvameetmed, et vältida ootamatuid sündmusi ja õnnetusi. Nende turvameetmete esmane ülesanne on kaitsta selle äriettevõtte ressursse ja varasid. Äriettevõtetes aset leidvad õnnetused (vähemtähtsad või katastroofilised) on enamikel juhtudel oma olemuselt sarnased ning põhjustatud sarnaste turvariskide poolt. Paljudel andmeturbe spetsialistidel on raskusi leidmaks õiget lahendust konkreetsetele probleemidele, kuna eelmiste samalaadsete probleemide lahendused ei ole korrektselt dokumenteeritud. Selles kontekstis on turvalisuse mustrid (Security Patterns) kasulikud, kuna nad esitavad tõestatud lahendusi spetsiifiliste probleemide jaoks. Käesolevas väitekirjas arendasime välja kümme turvariskidele suunatud mustrit (SRP ehk Security Risk-oriented Patterns) ja defineerisime, kuidas kasutada neid mustreid vastumeetmetena turvariskidele äriprotsesside mudelite sees. Oma olemuselt on need mustrid sõltumatud modelleerimiskeelest. Lihtsustamaks nende rakendamist, on mudelid esitatud graafilises vormingus äriprotsesside modelleerimise keeles (BPMN). Me demonstreerime turvariskidele suunatud mustrite (SRP) kasutatavust kahe tööstusettevõtte ärimudeli näite põhjal. Esitame mustrite rakendamise kohta kvantitatiivsed analüüsid ja näitame, kuidas turvariskidele suunatud mustrid (SRP) aitavad demonstreerida andmeturbe nõrku kohti ärimudelites ning pakume välja lahendusi andmeturvalisusega seotud probleemidele. Selle uurimistöö tulemused võivad julgustada andmeturvalisusega tegelevaid analüütikuid jälgima mustritel-põhinevaid lähenemisi oma äriettevõtete kaitsmiseks, et aidata seeläbi kaasa ka infosüsteemide (Information Systems (IS)) kaitsmisele.Every security concerned enterprise selects its own security measures in order to avoid unexpected events and accidents. The main objective of these security measures is to protect the enterprise’s own resources and assets from damage. Most of the time, the accidents or disasters take place in enterprise are similar in nature, and are caused by similar kind of vulnerabilities. However, many security analysts find it difficult to select the right security measure for a particular problem because the previous proven solutions are not properly documented. In this context Security Patterns could be helpful since they present the proven solutions that potentially could be reused in the similar situations. In this thesis, we develop a set of ten Security Risk-oriented Patterns (SRP) and define the way how they could be used to define security countermeasures within the business process models. In principle, patterns are modelling language-independent. Moreover, to ease their application, we represent them in a graphical form using the Business Process Modelling Notation (BPMN) modelling approach. We demonstrate the usability of the Security Risk-oriented Patterns (SRP) by applying them on two industrial business models. We present the quantitative analysis of their application. We show that Security Risk-oriented Patterns (SRP) help to determine security risks in business models and suggest rationale for security solutions. The results of this research could potentially encourage the security analysts to follow pattern-based approach to develop secure business processes, thus, contributing to secure Information Systems (IS)