197 research outputs found

    Harmonised security across devices (interview with Prof. Antonio Lioy)

    In the face of disparate security options across mobile devices, an EU-funded project is proposing to move security applications from the device to network nodes.

    The ForwardDiffSig scheme for multicast authentication

    This paper describes ForwardDiffSig, an efficient scheme for multicast authentication with forward security. Because it is based on asymmetric cryptography, the scheme provides source authentication, data integrity, and non-repudiation. At the same time, it also protects against key exposure, since it exploits OptiSum, our optimized implementation of the ISum forward-secure signature scheme. A trade-off exists in the choice of key length: short keys give speed at the signer, whereas long keys are preferable for long-term non-repudiation. Performance has been evaluated with a custom packet simulator and shows that, by grouping packets, ForwardDiffSig remains fast even with long keys, at the price of a significant signature overhead. Therefore, ForwardDiffSig is fast, exhibits low delay, and provides non-repudiation and protection against key exposure, but has a non-negligible impact on applications with strict energy or bandwidth constraints.
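    The two ideas the abstract combines, amortising one asymmetric signature over a group of packets and evolving the signing key so that a stolen key cannot forge earlier periods, as an added illustration that is not the paper's code. ForwardDiffSig, ISum and OptiSum are not implemented here; a generic chain-based forward-secure construction over Ed25519 (each period owns a key pair, certified by the previous period's key before that secret key is erased) stands in for the forward-secure scheme. The group format, the packet samples and every name below are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Cert certifies a period's public key under the previous period's secret key.
type Cert struct {
	PubKey ed25519.PublicKey
	Sig    []byte
}

// Signer keeps only the current secret key plus the chain from the root key to it.
type Signer struct {
	Root   ed25519.PublicKey
	period uint32
	sk     ed25519.PrivateKey
	chain  []Cert // chain[i] certifies the key of period i+1
}

// GroupSig is the per-packet overhead: one signature over the digest list plus the chain.
type GroupSig struct {
	Period  uint32
	Digests [][32]byte
	Sig     []byte
	Chain   []Cert
}

// certMsg domain-separates certificates from group signatures.
func certMsg(pk ed25519.PublicKey) []byte { return append([]byte("cert:"), pk...) }

func NewSigner() (*Signer, error) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Root: pk, sk: sk}, nil
}

// Update advances one period: certify a fresh key with the current one, then
// zero the current secret key so a later compromise cannot recover it.
func (s *Signer) Update() error {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	s.chain = append(s.chain, Cert{pk, ed25519.Sign(s.sk, certMsg(pk))})
	for i := range s.sk {
		s.sk[i] = 0
	}
	s.sk, s.period = sk, s.period+1
	return nil
}

// SignGroup amortises one asymmetric signature over a whole group of packets.
func (s *Signer) SignGroup(packets [][]byte) GroupSig {
	g := GroupSig{Period: s.period, Chain: append([]Cert(nil), s.chain...)}
	h := sha256.New()
	for _, p := range packets {
		d := sha256.Sum256(p)
		g.Digests = append(g.Digests, d)
		h.Write(d[:])
	}
	g.Sig = ed25519.Sign(s.sk, h.Sum(nil))
	return g
}

// periodKey walks the chain from the root; valid only if every link verifies and the chain ends at the claimed period.
func periodKey(root ed25519.PublicKey, chain []Cert, period uint32) (ed25519.PublicKey, bool) {
	pk := root
	for _, c := range chain {
		if len(c.PubKey) != ed25519.PublicKeySize || !ed25519.Verify(pk, certMsg(c.PubKey), c.Sig) {
			return nil, false
		}
		pk = c.PubKey
	}
	return pk, uint32(len(chain)) == period
}

// VerifyPacket accepts a packet only if its digest is in the signed list and that list verifies under the period key.
func VerifyPacket(root ed25519.PublicKey, g GroupSig, packet []byte) bool {
	pk, ok := periodKey(root, g.Chain, g.Period)
	d, found, h := sha256.Sum256(packet), false, sha256.New()
	for _, x := range g.Digests {
		h.Write(x[:])
		found = found || x == d
	}
	return ok && found && ed25519.Verify(pk, h.Sum(nil), g.Sig)
}

func main() {
	s, _ := NewSigner()
	_ = s.Update()
	packets := [][]byte{[]byte("pkt-1"), []byte("pkt-2"), []byte("pkt-3")} // constructed sample
	g := s.SignGroup(packets)
	fmt.Println(VerifyPacket(s.Root, g, packets[1]), VerifyPacket(s.Root, g, []byte("pkt-x")))
}
```

    The overhead trade-off the abstract mentions is visible in GroupSig: each packet carries the whole digest list, the signature and the certificate chain, so larger groups and longer chains cost bandwidth while saving signing time. After Update, the old secret key is gone, so a signature forged with the current key but relabelled for an earlier period fails at periodKey, which is the key-exposure protection the forward-secure scheme provides.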

    Dependability in wireless networks: can we rely on WiFi?

    WiFi, commonly expanded as "wireless fidelity", is the commercial name for the 802.11 products that have flooded the corporate wireless local area network (WLAN) market and are rapidly becoming ingrained in our daily lives via public hotspots and digital home networks. Authentication and confidentiality are the crucial issues for corporate WiFi use, whereas privacy and availability tend to dominate pervasive usage. However, because a technology's dependability requirements grow with its pervasiveness, newer applications demand a deeper understanding of how much we can rely on WiFi and its security promises. In this article, we present an overview of WiFi vulnerabilities and investigate their proximate and ultimate origins. The goal is to provide a foundation for discussing WiFi dependability and its impact on current and future usage scenarios. Although a wireless network's overall security depends on the whole network stack up to the application layer, this article focuses on specific vulnerabilities at the physical (PHY) and data link (MAC) layers of 802.11 networks.

    User-oriented Network Security Policy Specification

    The configuration and management of security controls and applications is complex and not well understood by the majority of end users, since it typically requires specific skills. A security policy language simplifies this task and reduces the number of errors and anomalies. This paper proposes the specification of two mechanisms for defining users' security policies: the High-level Security Policy Language (HSPL) and the Medium-level Security Policy Language (MSPL). HSPL is suitable for expressing the protection requirements of typical non-technical users, while MSPL is a lower-level abstraction useful for expressing specific configurations of security controls in a generic format (as such, it is more appealing to technical users).

    Anatomy of Malware (Anatomia del malware)

    The existence of malware (viruses, worms, Trojan horses) is one of the most significant negative aspects of the digital revolution, with criminal and economic consequences. The phenomenon also affects mobile devices (smartphones, tablets, …), where the count rose from about 2,000 malware samples in 2011 to more than 13,000 in 2012. This article analyses the techniques used to build malware and to let it enter a system, become resident, take control and activate on certain events, while at the same time hiding from anti-virus programs. The analysis covers both ordinary personal computers and the more recent mobile devices.

    Practical assessment of Biba integrity for TCG-enabled platforms

    Checking the integrity of an application is necessary to determine whether it will behave as expected. The method defined by the Trusted Computing Group consists of evaluating the fingerprints of the platform hardware and software components required for the proper functioning of the application being assessed. However, this only ensures that a process was working correctly at load time, not for its whole life cycle. The Policy-Reduced Integrity Measurement Architecture (PRIMA) addresses this problem by enforcing a security policy that denies information flows from potentially malicious processes to the application under evaluation and its dependencies (a requirement introduced by CW-Lite, an evolution of the Biba integrity model). Given the difficulty of deploying PRIMA (platform administrators have to tune their security policies to satisfy the CW-Lite requirements), in this paper we propose Enhanced IMA, an extended version of the Integrity Measurement Architecture (IMA) that, unlike PRIMA, works almost out of the box and only reports information flows instead of enforcing a policy on them. In addition, we introduce a model to evaluate the information reported by Enhanced IMA with existing techniques.
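    The report-instead-of-enforce idea above, as an added example that is neither Enhanced IMA nor PRIMA code: constructed flow records are replayed against a CW-Lite style policy, and each flow into the application under evaluation or one of its dependencies is labelled rather than blocked. The log line format, the subject names, the interface names and the policy are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Level is a Biba integrity level; measured, trusted subjects are High.
type Level int

const (
	Low Level = iota
	High
)

// Flow is one observed information flow: Dst reads data written by Src through Iface.
type Flow struct {
	Src, Dst, Iface string
}

// Policy describes the application under evaluation and its trusted dependencies.
type Policy struct {
	Levels   map[string]Level           // integrity level per subject; a missing subject is Low
	Trusted  map[string]bool            // the target application plus its dependencies
	Filtered map[string]map[string]bool // CW-Lite: receiver -> interfaces that sanitise low input
}

// Report is the audit verdict for one flow: ok, filtered, violation or ignored.
type Report struct {
	Flow    Flow
	Verdict string
}

// parseFlow reads one constructed log line: "flow src=<subject> dst=<subject> iface=<name>".
func parseFlow(line string) (Flow, bool) {
	fields := strings.Fields(line)
	if len(fields) != 4 || fields[0] != "flow" {
		return Flow{}, false
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok || v == "" {
			return Flow{}, false
		}
		kv[k] = v
	}
	f := Flow{kv["src"], kv["dst"], kv["iface"]}
	return f, f.Src != "" && f.Dst != "" && f.Iface != ""
}

// Evaluate reports, rather than denies, every flow that would move low-integrity
// data into the trusted set; this is audit mode, so nothing is blocked.
func Evaluate(p Policy, lines []string) []Report {
	var out []Report
	for _, line := range lines {
		f, ok := parseFlow(line)
		if !ok {
			continue // malformed lines are not flows
		}
		r := Report{Flow: f, Verdict: "ok"}
		switch {
		case !p.Trusted[f.Dst]:
			r.Verdict = "ignored" // receiver is outside the target and its dependencies
		case p.Levels[f.Src] >= p.Levels[f.Dst]:
			// Biba "no read down" holds: source is at least as trusted as receiver
		case p.Filtered[f.Dst][f.Iface]:
			r.Verdict = "filtered" // Biba denies, CW-Lite allows: receiver sanitises this input
		default:
			r.Verdict = "violation" // an enforcing policy (PRIMA-style) would deny this flow
		}
		out = append(out, r)
	}
	return out
}

// SamplePolicy and SampleLog are constructed inputs for this example.
func SamplePolicy() Policy {
	return Policy{
		Levels:   map[string]Level{"app": High, "libc": High, "logger": High},
		Trusted:  map[string]bool{"app": true, "libc": true},
		Filtered: map[string]map[string]bool{"app": {"socket:8080": true}},
	}
}

var SampleLog = []string{
	"flow src=libc dst=app iface=file:/lib/libc.so",
	"flow src=browser dst=app iface=socket:8080",
	"flow src=browser dst=app iface=file:/tmp/cache",
	"flow src=app dst=logger iface=pipe:log",
	"flow src=wget dst=app iface=file:/tmp/download",
	"not a flow record",
}

func main() {
	for _, r := range Evaluate(SamplePolicy(), SampleLog) {
		fmt.Printf("%-9s %s -> %s via %s\n", r.Verdict, r.Flow.Src, r.Flow.Dst, r.Flow.Iface)
	}
}
```

    The "filtered" verdict is the CW-Lite relaxation: strict Biba would reject every low-to-high flow, but a trusted receiver may accept low-integrity input on interfaces it declares as filtering. Reporting keeps the same flow records an enforcing policy would act on, so an administrator can read the violations first and only then decide which interfaces to declare filtered.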

    Using MACsec to protect a Network Functions Virtualisation Infrastructure

    IEEE 802.1AE is the standard for Media Access Control security (MACsec), which provides data integrity, authentication, and confidentiality for traffic within a broadcast domain. It protects network communications against attacks at the link layer, and hence provides a higher degree of security and flexibility than other security protocols, such as IPsec. Softwarised network infrastructures, based on Network Functions Virtualisation (NFV) and Software Defined Networking (SDN), are more flexible than traditional networks. Nonetheless, they have a larger attack surface than legacy infrastructures based on hardware appliances. In this scenario, communication security is important to ensure that traffic in a broadcast domain is neither intercepted nor manipulated. We propose an architecture for centralised management of MACsec-enabled switches in an NFV environment. Moreover, we present a PoC that integrates MACsec into the Open Source MANO NFV framework, and we evaluate its performance.