8 research outputs found

    Foundations of Security Analysis and Design III, FOSAD 2004/2005- Tutorial Lectures

    The increasing relevance of security to real-life applications, such as electronic commerce and Internet banking, is attested by the fast-growing number of research groups, events, conferences, and summer schools that address the study of foundations for the analysis and the design of security aspects. This book presents thoroughly revised versions of eight tutorial lectures given by leading researchers during two International Schools on Foundations of Security Analysis and Design, FOSAD 2004/2005, held in Bertinoro, Italy, in September 2004 and September 2005. The lectures are devoted to: Justifying a Dolev-Yao Model under Active Attacks, Model-based Security Engineering with UML, Physical Security and Side-Channel Attacks, Static Analysis of Authentication, Formal Methods for Smartcard Security, Privacy-Preserving Database Systems, Intrusion Detection, and Security and Trust Requirements Engineering.

    Achieving Security Assurance with Assertion-based Application Construction

    Modern software applications are commonly built by leveraging pre-fabricated modules, e.g. application programming interfaces (APIs), which are essential to implement the desired functionalities of software applications, helping reduce the overall development costs and time. When APIs deal with security-related functionality, it is critical to ensure they comply with their design requirements, since otherwise unexpected flaws and vulnerabilities may occur. Often, such APIs lack sufficient specification details, or implement a semantically different version of the security model they are meant to enforce, thus complicating the runtime enforcement of security properties and making it harder to minimize the existence of serious vulnerabilities. This paper proposes a novel approach to address this challenge by leveraging the notion of software assertions. We focus on security requirements in role-based access control models and show how proper verification at the source-code level can be performed with our proposed approach as well as with automated state-of-the-art assertion-based techniques. The final version of this article, as published in EAI Endorsed Transactions on Collaborative Computing, can be viewed online at: http://eudl.eu/doi/10.4108/eai.21-12-2015.15081

    Models for the comparative analysis of software tools: A systematic literature review

    Comparative analysis is the process by which the use of certain software tools is analyzed under evaluation criteria in order to determine which one is the most appropriate for the selected context. Such analysis requires models and their elements (procedures, practices, techniques and tools, among others) under which it must be carried out in order to obtain the best results on the object of study. (OBJECTIVES) This study seeks to identify models and their elements proposed for carrying out comparative analysis of software development tools. (METHODS) To identify the models and their elements, a systematic review of the literature was carried out in recognized databases. (RESULTS) Of a total of 1226 articles reviewed, 32 articles were identified that refer to 8 models and their elements for carrying out comparative analysis. In addition, it can be noted that comparative analysis models in the software industry are used for the evaluation of software development tools and/or methodologies. (CONCLUSIONS) It can be concluded that there are various models and their elements for carrying out comparative analysis in the field of software development, the criteria definition model being the most used in the selected primary studies for the evaluation of tools and/or methodologies in the field of software engineering.
    Research work (trabajo de investigación)

    Federated Access Management for Collaborative Environments

    Access control has been historically recognized as an effective technique for ensuring that computer systems preserve important security properties. Recently, attribute-based access control (ABAC) has emerged as a new paradigm to provide access mediation by leveraging the concept of attributes: observable properties that become relevant under a certain security context and are exhibited by the entities normally involved in the mediation process, namely, end-users and protected resources. Also recently, independently-run organizations from the private and public sectors have recognized the benefits of engaging in multi-disciplinary research collaborations that involve sharing sensitive proprietary resources such as scientific data, networking capabilities and computation time, and have recognized ABAC as the paradigm that suits their needs for restricting the way such resources are to be shared with each other. In such a setting, a robust yet flexible access mediation scheme is crucial to guarantee that participants are granted access to such resources in a safe and secure manner. However, no consensus exists in the literature on a formal model that clearly defines how the components of ABAC should interact with each other, so that the rigorous study of security properties can be effectively pursued. This dissertation proposes an approach tailored to provide a well-defined and formal definition of ABAC, including a description of how attributes exhibited by different independent organizations are to be leveraged for mediating access to shared resources, by allowing collaborating parties to engage in federations for the specification, discovery, evaluation and communication of attributes, policies, and access mediation decisions.
    In addition, a software assurance framework is introduced to support the correct construction of enforcement mechanisms implementing our approach by leveraging validation and verification techniques based on software assertions, namely, design by contract (DBC) and behavioral interface specification languages (BISL). Finally, this dissertation also proposes a distributed trust framework that allows for exchanging recommendations on the perceived reputations of members of our proposed federations, in such a way that the level of trust of previously-unknown participants can be properly assessed for the purposes of access mediation.
    Dissertation/Thesis: Doctoral Dissertation, Computer Science, 201

    Security analysis of a biometric authentication system using UMLsec and JML
