The Role of the Adversary Model in Applied Security Research

Adversary models have been integral to the design of provably-secure cryptographic schemes or protocols. However, their use in other computer science research disciplines is relatively limited, particularly in the case of applied security research (e.g., mobile app and vulnerability studies). In this study, we conduct a survey of prominent adversary models used in the seminal field of cryptography, and more recent mobile and Internet of Things (IoT) research. Motivated by the findings from the cryptography survey, we propose a classification scheme for common app-based adversaries used in mobile security research, and classify key papers using the proposed scheme. Finally, we discuss recent work involving adversary models in the contemporary research field of IoT. We contribute recommendations to aid researchers working in applied (IoT) security based upon our findings from the mobile and cryptography literature. The key recommendation is for authors to clearly define adversary goals, assumptions and capabilities

Privacy-Aware Access Protocols for MEC Applications in 5G

Multi-access edge computing (MEC) is one of the emerging key technologies in fifth generation (5G) mobile networks, providing reduced end-to-end latency for applications and reduced load in the transport network. This paper proposes mechanisms to enhance user privacy in MEC within 5G. We consider a basic MEC usage scenario, where the user accesses an application hosted in the MEC platform via the radio access network of the mobile network operator (MNO). First, we create a system model based on this scenario. Second, we define the adversary model and give the list of privacy requirements for this system model. We also analyze the impact on user privacy when some of the parties in our model share information that is not strictly needed for providing the service. Third, we introduce a privacy-aware access protocol for the system model and analyze this protocol against the privacy requirements

ПРИНЦИПИ ЗАБЕЗПЕЧЕННЯ БЕЗПЕКИ АРХІТЕКТУРИ ІНФОРМАЦІЙНОЇ СИСТЕМИ НА БАЗІ КЛІЄНТСЬКИХ ДОДАТКІВ ДЛЯ ОС ANDROID

In this article common attack vectors on the information systems, which are based on the Android client applications, are observed, analyzed and compared. The purpose of this analysis consists in creating the theoretical base for development the practical principles of securing the architecture level of such systems. To accomplish the aims set, there was conducted the categorization of attacks and vulnerabilities specific to the Android information infrastructure and environment. There were also conducted analysis of Android application functional components and typical underlying infrastructure which have possible impact on a system security. Available data about the widespread vulnerabilities of the described elements was analyzed in context of possible exploitation. Based on the Android application usage model there were figured out several adversary models and attack vectors related to the researched information system type. Developed adversary models were formed with a focus on technical possibilities and threat abstraction. Mentioned vectors can be used by an attacker to violate the confidentiality and integrity of critical information in the system. The carried out research was used to form the characteristic comparison of the mentioned vectors and adversary models to evaluate the attack surface on the different parts of information system represented as attack vectors. As a result, we have developed the theoretical principles for securing the architecture of Android applications-driven information systems. Achieved results can be used to form the threat and adversary model, create practical recommendations for the information risk reducing practices in Android-applications driven information systems and to develop the technical requirements for security testing and development.У статті розглядаються, порівнюються та аналізуються основні вектори атак на інформаційні системи, що використовують додатки ОС Android в якості клієнтських інтерфейсів. Даний аналіз проводиться з метою отримання базового матеріалу для розробки практичних принципів забезпечення безпеки на рівні архітектури таких систем. Виконано категоріювання можливих атак та вразливостей, що полягають в їхній основі в контексті безпеки Android додатків та з урахуванням моделі безпеки самої операційної системи і середовища. Для виконання поставлених дослідницьких завдань було проведено аналіз компонентів Android-додатку та типової інформаційної інфраструктури досліджуваних систем. що так чи інакше впливають на їхню захищеність. Проведено аналіз наявної інформації щодо розповсюджених вразливостей цих компонентів та атак, що передбачають експлуатацію даних проблем. Досліджено декілька можливих моделей порушника, що можуть виконувати атаки на інформаційну систему. В результаті проведеного дослідження отримано аналітичні дані щодо векторів порушення цілісності та конфіденційності інформації з обмеженим доступом в інформаційних системах, що надають доступ до неї через мобільні додатки. В рамках порівняльної характеристики надається аналіз можливого впливу порушника на інформаційну систему зважаючи на його технічні можливості та поверхні атаки на кожному з визначених напрямків. Отримані теоретичні висновки щодо модифікації архітектури інформаційних систем, побудованих на базі мобільних додатків з метою підвищення їх захищеності від розповсюджених загроз інформації. Результати можуть бути використані для формування моделі загроз та порушника для додатку, що надає доступ до інформації з обмеженим доступом, розробки рекомендацій щодо реалізації тих чи інших етапів життєвого циклу інформаційної системи з метою зменшення ризиків компрометації даних, розробки технічних вимог до етапів тестування та розробки тощо

The Comparison Performance of Digital Forensic Tools Using Additional Root Access Options

This research used MiChat and SayHi as materials for forensic investigations using three different tools, namely MOBILedit, Magnet Axiom, and Belkasoft. These three tools will show each performance in the forensic process. We also added a rooting process as an option if data cannot be extracted optimally even when using these three applications. The result of this study shows that the cases studied with processes without root access and with root access have the aim of complementing each other in obtaining evidence. So that these two processes complement each other's shortcomings. The main contribution of this research is a recommendation of a tool based on the best performance shown during the forensic process with rooting access and without rooting access. Based on the comparison, Magnet Axiom is superior with a total of 34 items of data found without root access, while MOBILedit is 30 items and 30 items for Belkasoft. While comparison using root access, Magnet Axiom and MOBILedit are superiors with a total of 36 items found in Magnet Axiom without root access, while MOBILedit is 36 items and 33 items for Belkasoft. Based on the test results, it can be concluded that the recommended tool according to the used scenario is Magnet Axiom

A Dynamic Access Control Model Using Authorising Workflow and Task-Role-Based Access Control

Access control is fundamental and prerequisite to govern and safeguard information assets within an organisation. Organisations generally use web enabled remote access coupled with applications access distributed on the various networks facing various challenges including increase operation burden, monitoring issues due to the dynamic and complex nature of security policies for access control. The increasingly dynamic nature of collaborations means that in one context a user should have access to sensitive information and not applicable for another context. The current access control models are static and lack of Dynamic Segregation of Duties (SoD), Task instance level of Segregation and decision making in real time. This paper addresses the limitations and supports access management in borderless network environment with dynamic SoD capability at real time access control decision making and policy enforcement. This research makes three contributions: i) Defining an Authorising Workflow Task Role Based Access Control using the existing task and workflow concepts. It integrates the dynamic SoD considering the task instance restriction to ensure overall access governance and accountability. It enhances the existing access control models such as RBAC by dynamically granting users access right and providing Access governance. ii) Extended the OASIS standard of XACML policy language to support the dynamic access control requirements and enforce the access control rules for real time decision making to mitigate risk relating to access control such as escalation of privilege in broken access control and insufficient logging and monitoring iii) The model is implemented using open source Balana policy engine to demonstrate its applicability to a real industrial use case from a financial institution. The results show that, AW-TRBAC is scalable consuming relatively large number of complex request and able to meet the requirements of dynamic access control characteristics

Security Verification in the Context of 5G Sensor Networks, Journal of Telecommunications and Information Technology, 2021, nr 2

In order to develop reliable safety standards for 5G sensor networks (SN) and the Internet of Things, appropriate verification tools are needed, including those offering the ability to perform automated symbolic analysis process. The Tamarin prover is one of such software-based solutions. It allows to formally prove security protocols. This paper shows the modus operandi of the tool in question. Its application has been illustrated using an example of an exchange of messages between two agents, with asynchronous encryption. The scheme may be implemented, for instance, in the TLS/DTLS protocol to create a secure cryptographic key exchange mechanism. The aim of the publication is to demonstrate that automated symbolic analysis may be relied upon to model 5G sensor networks security protocols. Also, a use case in which the process of modeling the DTLS 1.2 handshake protocol enriched with the TCP SYN Cookies mechanism, used to preventing DoS attacks, is presente

KRNC: New Foundations for Permissionless Byzantine Consensus and Global Monetary Stability

This paper applies biomimetic engineering to the problem of permissionless Byzantine consensus and achieves results that surpass the prior state of the art by four orders of magnitude. It introduces a biologically inspired asymmetric Sybil-resistance mechanism, Proof-of-Balance, which can replace symmetric Proof-of-Work and Proof-of-Stake weighting schemes. The biomimetic mechanism is incorporated into a permissionless blockchain protocol, Key Retroactivity Network Consensus ("KRNC"), which delivers ~40,000 times the security and speed of today's decentralized ledgers. KRNC allows the fiat money that the public already owns to be upgraded with cryptographic inflation protection, eliminating the problems inherent in bootstrapping new currencies like Bitcoin and Ethereum. The paper includes two independently significant contributions to the literature. First, it replaces the non-structural axioms invoked in prior work with a new formal method for reasoning about trust, liveness, and safety from first principles. Second, it demonstrates how two previously overlooked exploits, book-prize attacks and pseudo-transfer attacks, collectively undermine the security guarantees of all prior permissionless ledgers.Comment: 104 page

Big Data Security (Volume 3)

After a short description of the key concepts of big data the book explores on the secrecy and security threats posed especially by cloud based data storage. It delivers conceptual frameworks and models along with case studies of recent technology

Improving Security of Crypto Wallets in Blockchain Technologies

A big challenge in blockchain and cryptocurrency is securing the private key from potential hackers. Nobody can rollback a transaction made with a stolen key once the network confirms it. The technical solution to protect private keys is the cryptocurrency wallet, software, hardware, or a combination to manage the keys. In this dissertation, we try to investigate the significant challenges in existing cryptocurrency wallets and propose innovative solutions. Firstly, almost all cryptocurrency wallets suffer from the lack of a secure and convenient backup and recovery process. We offer a new cryptographic scheme to securely back up a hardware wallet relying on the side-channel human visual verification on the hardware wallet. Another practical mechanism to protect the funds is splitting the money between two wallets with small and large amounts. We propose a new scheme to create hierarchical wallets that we call deterministic sub-wallet to achieve this goal. The user can send funds from the wallet with a large amount to a smaller one in a secure way. We propose a multilayered architecture for cryptocurrency wallets based on a Defense-in-Depth strategy to protect private keys with a balance between convenience and security. The user protects the private keys in three restricted layers with different protection mechanisms. Finally, we try to solve another challenge in cryptocurrencies, which is losing access to private keys by its user, resulting in inaccessible coins. We propose a new mechanism called lean recovery transaction to tackle this problem. We make a change in wallet key management to generate a recovery transaction when needed. We implement a proof-of-concept for all of our proposals on a resource-constraint hardware wallet with a secure element, an embedded display, and one physical button. Furthermore, we evaluate the performance of our implementation and analyze the security of our proposed mechanisms