142 research outputs found

    Evaluation of Anonymized ONS Queries

    Electronic Product Code (EPC) is the basis of a pervasive infrastructure for the automatic identification of objects on supply chain applications (e.g., pharmaceutical or military applications). This infrastructure relies on the use of the (1) Radio Frequency Identification (RFID) technology to tag objects in motion and (2) distributed services providing information about objects via the Internet. A lookup service, called the Object Name Service (ONS) and based on the use of the Domain Name System (DNS), can be publicly accessed by EPC applications looking for information associated with tagged objects. Privacy issues may affect corporate infrastructures based on EPC technologies if their lookup service is not properly protected. A possible solution to mitigate these issues is the use of online anonymity. We present an evaluation experiment that compares the use of Tor (The second generation Onion Router) on a global ONS/DNS setup, with respect to benefits, limitations, and latency. Comment: 14 pages

    Aggregating and Deploying Network Access Control Policies

    The existence of errors or inconsistencies in the configuration of security components, such as filtering routers and/or firewalls, may lead to weak access control policies -- potentially easy to be evaded by unauthorized parties. We present in this paper a proposal to create, manage, and deploy consistent policies in those components in an efficient way. To do so, we combine two main approaches. The first approach is the use of an aggregation mechanism that yields consistent configurations or signals inconsistencies. Through this mechanism we can fold existing policies of a given system and create a consistent and global set of access control rules -- easy to maintain and manage by using a single syntax. The second approach is the use of a refinement mechanism that guarantees the proper deployment of such a global set of rules into the system, yet free of inconsistencies. Comment: 9 pages

    Misconfiguration Management of Network Security Components

    Many companies and organizations use firewalls to control the access to their network infrastructure. Firewalls are network security components which provide means to filter traffic within corporate networks, as well as to police incoming and outgoing interaction with the Internet. For this purpose, it is necessary to configure firewalls with a set of filtering rules. Nevertheless, the existence of errors in a set of filtering rules is very likely to degrade the network security policy. The discovery and removal of these configuration errors is a serious and complex problem to solve. In this paper, we present a set of algorithms for such a management. Our approach is based on the analysis of relationships between the set of filtering rules. Then, a subsequent rewriting of rules will derive from an initial firewall setup -- potentially misconfigured -- to an equivalent one completely free of errors. At the same time, the algorithms will detect useless rules in the initial firewall configuration. Comment: 9 pages, 4 figures, 10 references, 7th International Symposium on System and Information Security (SSI), Sao Paulo, Brazil

    Software simulations for the study of threats against SCADA systems

    The goal of SCADA (Supervisory Control And Data Acquisition) technologies is to provide remote control for the supervision of critical infrastructures. Attacks against such systems pose a significant risk. Our interest in this topic is to investigate improvements to the security of SCADA systems, using software-level abstractions, simulation tools, physical devices, and data traces from real systems. This article presents, in general terms, some basic building blocks of SCADA technologies and their components. It also introduces general characteristics of some available open source simulators. Finally, it details limitations and potential improvements, aimed at completing the study of anomaly detection techniques at the level of physical signals between the components of SCADA systems.

    Multiple-polynomial LFSR based pseudorandom number generator for EPC Gen2 RFID tags

    We present a lightweight pseudorandom number generator (PRNG) design for EPC Gen2 RFID tags. It is based on a linear feedback shift register (LFSR) configured with multiple feedback polynomials that are selected by a physical source of randomness. The proposal successfully handles the inherent linearity of LFSR based PRNGs and satisfies the statistical requirements imposed by the EPC Gen2 standard. Statistical analysis of the sequences generated by our generator confirms the validity of the proposed technique. We show that our proposal has, moreover, a simpler hardware implementation and energy consumption than previous designs reported in the literature.

    QoS and security in Link State Routing protocols for MANETs

    We study security issues in the Optimized Link State Routing (OLSR) protocol with Quality-of-Service (QoS). We propose the function k-robust-QANS, to construct a Quality Advertisement Neighbor Set (QANS). Given a node v, the one-hop nodes selected as part of its QANS generate routing information to advertise, when possible, a set with k+1 links to reach any two-hop neighbor. Several approaches have been proposed to construct a QANS. However, none of them guarantees that the best links are advertised. A mechanism is presented for QANS construction with guarantee that the best links are advertised with respect to a given routing metric. We present the unadvertised quality links problem when QoS is considered. We also address the slanderer attack, i.e., a misbehaving node that advertises incomplete routing information. Our goal is to find a tradeoff between security and amount of information disseminated. We conduct simulations that confirm our claims.