Combining behavioural types with security analysis
Today's software systems are highly distributed and interconnected, and they
increasingly rely on communication to achieve their goals; due to their
societal importance, security and trustworthiness are crucial aspects for the
correctness of these systems. Behavioural types, which extend data types by
describing also the structured behaviour of programs, are a widely studied
approach to the enforcement of correctness properties in communicating systems.
This paper offers a unified overview of proposals based on behavioural types
which are aimed at the analysis of security properties
Techniques for the dynamic randomization of network attributes
Critical infrastructure control systems continue to foster predictable communication paths and static configurations that allow easy access to our networked critical infrastructure around the world. This makes them attractive and easy targets for cyber-attack. We have developed technologies that address these attack vectors by automatically reconfiguring network settings. Applying these protective measures will convert control systems into «moving targets» that proactively defend themselves against attack. This «Moving Target Defense» (MTD) revolves about the movement of network reconfiguration, securely communicating reconfiguration specifications to other network nodes as required, and ensuring that connectivity between nodes is uninterrupted. Software-defined Networking (SDN) is leveraged to meet many of these goals. Our MTD approach eliminates adversaries targeting known static attributes of network devices and systems, and consists of the following three techniques: (1) Network Randomization for TCP/UDP Ports; (2) Network Randomization for IP Addresses; (3) Network Randomization for Network Paths. In this paper, we describe the implementation of the aforementioned technologies. We also discuss the individual and collective successes for the techniques, challenges for deployment, constraints and assumptions, and the performance implications for each technique.
Cryptographic requirements for chaotic secure communications
In recent years, a great amount of secure communications systems based on
chaotic synchronization have been published. Most of the proposed schemes fail
to explain a number of features of fundamental importance to all cryptosystems,
such as key definition, characterization, and generation. As a consequence, the
proposed ciphers are difficult to realize in practice with a reasonable degree
of security. Likewise, they are seldom accompanied by a security analysis.
Thus, it is hard for the reader to have a hint about their security. In this
work we provide a set of guidelines that every new cryptosystem would benefit
from adhering to. The proposed guidelines address these two main gaps, i.e.,
correct key management and security analysis, to help new cryptosystems be
presented in a more rigorous cryptographic way. Also some recommendations are
offered regarding some practical aspects of communications, such as channel
noise, limited bandwidth, and attenuation.
Comment: 13 pages, 3 figures
Email for communicating results of diagnostic medical investigations to patients
Background: As medical care becomes more complex and the ability to test for conditions grows, pressure on healthcare providers to convey increasing volumes of test results to patients is driving investigation of alternative technological solutions for their delivery. This review addresses the use of email for communicating results of diagnostic medical investigations to patients.

Objectives: To assess the effects of using email for communicating results of diagnostic medical investigations to patients, compared to SMS/text messaging, telephone communication or usual care, on outcomes, including harms, for health professionals, patients and caregivers, and health services.

Search methods: We searched: the Cochrane Consumers and Communication Review Group Specialised Register, Cochrane Central Register of Controlled Trials (CENTRAL, The Cochrane Library, Issue 1 2010), MEDLINE (OvidSP) (1950 to January 2010), EMBASE (OvidSP) (1980 to January 2010), PsycINFO (OvidSP) (1967 to January 2010), CINAHL (EbscoHOST) (1982 to February 2010), and ERIC (CSA) (1965 to January 2010). We searched grey literature: theses/dissertation repositories, trials registers and Google Scholar (searched July 2010). We used additional search methods: examining reference lists and contacting authors.

Selection criteria: Randomised controlled trials, quasi-randomised trials, controlled before and after studies and interrupted time series studies of interventions using email for communicating results of any diagnostic medical investigations to patients, and taking the form of 1) unsecured email 2) secure email or 3) web messaging. All healthcare professionals, patients and caregivers in all settings were considered.

Data collection and analysis: Two review authors independently assessed the titles and abstracts of retrieved citations. No studies were identified for inclusion. Consequently, no data collection or analysis was possible.

Main results: No studies met the inclusion criteria, therefore there are no results to report on the use of email for communicating results of diagnostic medical investigations to patients.

Authors' conclusions: In the absence of included studies, we can draw no conclusions on the effects of using email for communicating results of diagnostic medical investigations to patients, and thus no recommendations for practice can be stipulated. Further well-designed research should be conducted to inform practice and policy for communicating patient results via email, as this is a developing area.
SEABASS: Symmetric-keychain Encryption and Authentication for Building Automation Systems
There is an increasing security risk in Building Automation Systems (BAS) in that its communication is unprotected, resulting in the adversary having the capability to inject spurious commands to the actuators to alter the behaviour of BAS. The communication between the Human-Machine-Interface (HMI) and the controller (PLC) is vulnerable as there is no secret key being used to protect the authenticity, confidentiality and integrity of the sensor data and commands.
We propose SEABASS, a lightweight key management scheme to distribute and manage session keys between HMI and PLCs, providing a secure communication channel between any two communicating devices in BAS through a symmetric-key based hash-chain encryption and authentication of message exchange. Our scheme facilitates automatic renewal of session keys periodically based on the use of a reversed hash-chain. A prototype was implemented using the BACnet/IP communication protocol and the preliminary results show that the symmetric keychain approach is lightweight and incurs low latency
On M2M Micropayments: A Case Study of Electric Autonomous Vehicles
The proliferation of electric vehicles has spurred the research interest in
technologies associated with it, for instance, batteries, and charging
mechanisms. Moreover, the recent advancements in autonomous cars also encourage
the enabling technologies to integrate and provide holistic applications. To
this end, one key requirement for electric vehicles is to have an efficient,
secure, and scalable infrastructure and framework for charging, billing, and
auditing. However, the current manual charging systems for EVs may not be
applicable to the autonomous cars that demand new, automatic, secure,
efficient, and scalable billing and auditing mechanism. Owing to the
distributed systems such as blockchain technology, in this paper, we propose a
new charging and billing mechanism for electric vehicles that charge their
batteries in a charging-on-the-move fashion. To meet the requirements of
billing in electric vehicles, we leverage distributed ledger technology (DLT),
a distributed peer-to-peer technology for micro-transactions. Our
proof-of-concept implementation of the billing framework demonstrates the
feasibility of such system in electric vehicles. It is also worth noting that
the solution can easily be extended to the electric autonomous cars (EACs)
Towards the Model-Driven Engineering of Secure yet Safe Embedded Systems
We introduce SysML-Sec, a SysML-based Model-Driven Engineering environment
aimed at fostering the collaboration between system designers and security
experts at all methodological stages of the development of an embedded system.
A central issue in the design of an embedded system is the definition of the
hardware/software partitioning of the architecture of the system, which should
take place as early as possible. SysML-Sec aims to extend the relevance of this
analysis through the integration of security requirements and threats. In
particular, we propose an agile methodology whose aim is to assess early on the
impact of the security requirements and of the security mechanisms designed to
satisfy them over the safety of the system. Security concerns are captured in a
component-centric manner through existing SysML diagrams with only minimal
extensions. After the requirements captured are derived into security and
cryptographic mechanisms, security properties can be formally verified over
this design. To perform the latter, model transformation techniques are
implemented in the SysML-Sec toolchain in order to derive a ProVerif
specification from the SysML models. An automotive firmware flashing procedure
serves as a guiding example throughout our presentation.
Comment: In Proceedings GraMSec 2014, arXiv:1404.163