Constructing Independently Verifiable Privacy-Compliant Type Systems for Message Passing between Black-Box Components
Privacy by design (PbD) is the principle that privacy should be considered at
every stage of the software engineering process. It is increasingly both viewed
as best practice and required by law. It is therefore desirable to have formal
methods that provide guarantees that certain privacy-relevant properties hold.
We propose an approach that can be used to design a privacy-compliant
architecture without needing to know the source code or internal structure of
any individual component. We model an architecture as a set of agents or
components that pass messages to each other. We present in this paper
algorithms that take as input an architecture and a set of privacy constraints,
and output an extension of the original architecture that satisfies the privacy
constraints.
Addressing Data-Centric Security Requirements for IoT-Based Systems
Allowing users to control access to their data is paramount for the success of the Internet of Things; therefore, it is imperative to ensure it even when data has left the users' control, e.g. when shared with cloud infrastructure. Consequently, we propose several state-of-the-art mechanisms from the security and privacy research fields to cope with this requirement.
To illustrate how each mechanism can be applied, we derive a data-centric architecture providing access control and privacy guarantees for the users of IoT-based applications. Moreover, we discuss the limitations and challenges related to applying the selected mechanisms to ensure access control remotely. Also, we validate our architecture by showing how it empowers users to control access to their health data in a quantified-self use case.
Towards Unified Authorization for Android
Android applications that manage sensitive data such as email and files downloaded from cloud storage services need to protect their data from malware installed on the phone. While prior security analyses have focused on protecting system data such as GPS locations from malware, not much attention has been given to the protection of application data. We show that many popular commercial applications incorrectly use Android authorization mechanisms, leading to attacks that steal sensitive data. We argue that formal verification of application behaviors can reveal such errors, and we present a formal model in ProVerif that accounts for a variety of Android authorization mechanisms and system services. We write models for four popular applications and analyze them with ProVerif to point out attacks. As a countermeasure, we propose Authzoid, a sample standalone application that lets applications define authorization policies and enforces them on their behalf.
Cross section measurements of proton capture reactions on Mo isotopes relevant to the astrophysical p process
Cross section measurements of (p,γ) reactions on the Mo isotopes have been performed at beam energies from 2 to 6.2 MeV that are relevant to the p-process. Partial cross sections and isomeric ratios were also determined for the Mo-92 case. Astrophysical S factors as well as reaction rates were derived from the experimental cross sections. Statistical model calculations were performed using the latest version (1.9) of the statistical model code TALYS and were compared with the new data. An overall good agreement between theory and experiment was found. In addition, the effect of different combinations of the nuclear input parameters entering the stellar reaction-rate calculations was investigated. It was found that, for certain combinations of optical-model potentials, nuclear level densities and γ-ray strength functions, the nuclear uncertainties propagated through the Hauser-Feshbach calculations are less than a factor of 2, which is well below the average discrepancies between the calculated p-nuclei abundances and the observations.