Optimising Unicode Regular Expression Evaluation with Previews

The jsre regular expression library was designed to provide fast matching of complex expressions over large input streams using user-selectable character encodings. An established design approach was used: a simulated non-deterministic automaton (NFA) implemented as a virtual machine, avoiding exponential cost functions in either space or time. A deterministic automaton (DFA) was chosen as a general dispatching mechanism for Unicode character classes and this also provided the opportunity to use compact DFAs in various optimization strategies. The result was the development of a regular expression Preview which provides a summary of all the matches possible from a given point in a regular expression in a form that can be implemented as a compact DFA and can be used to further improve the performance of the standard NFA simulation algorithm. This paper formally defines a preview and describes and evaluates several optimizations using this construct. They provide significant speed improvements accrued from fast scanning of anchor positions, avoiding retesting of repeated strings in unanchored searches, and efficient searching of multiple alternate expressions which in the case of keyword searching has a time complexity which is logarithmic in the number of words to be searched

Control Consistency as a Management Tool: The Identification of Systematic Security Control Weaknesses in Air Traffic Management

In 2008 EUROCONTROL published Information and Communications Technology (ICT) Security Guidance to Air Navigation Service Providers (ANSPs), to assist them in complying with regulatory security requirements. This included a visualisation tool which allowed the consistency of control sets to be reviewed and communicated: consistency being the degree to which more sophisticated controls were supported by core controls. The validation of that guidance included surveys which were conducted to contrast current practice in European ANSPs with a baseline control set based on ISO/IEC 27001:2005. The consistency test revealed significant gaps in the control strategies of these organisations: despite relatively sophisticated control regimes there were areas which lacked core controls. Key missing elements identified in the ANSPs surveyed include security management and senior management engagement, system accreditation, the validation and authentication of data used by ATM systems, incident management, and business continuity preparedness. Since anonymity requires that little can be said about the original surveys these results are necessarily indicative, so the paper contrasts these findings with contemporaneous literature, including audit reports on security in US ATM systems. The two sources prove to be in close agreement, confirming the value of the control consistency view in providing an overview of an organisation's security control regime

Navigating the Windows Mail database

The Extensible Storage Engine (ESE) database is used to support many forensically important applications in the Windows operating system, and a study of how ESE is used in one application provides wider insights into data storage in other current and future applications. In Windows 10, WindowsMail uses an ESE database to store messages, appointments and related data; however, field (column) names used to identify these records are hexadecimal property tags, many of which are undocumented. To support forensic analysis a series of experiments were carried out to identify the function of these tags, and this work resulted in a body of related information about the Mail application. This paper documents property tags that have been mapped, and presents how Windows Mail artifacts recovered from the ESE store.vol database can be interpreted, including how the paths of files recorded by the Mail system are derived from database records. We also present examples that illustrate forensic issues in the interpretation of email messages and appointment records, and show how additional information can be obtained by associating these records with other information in the ESE database

Security design analysis

EThOS - Electronic Theses Online ServiceGBUnited Kingdo

Private browsing : a window of forensic opportunity

The release of Internet Explorer 10 marks a significant change in how browsing artifacts are stored in the Windows file system, moving away from well-understood Index.dat files to use a high performance database, the Extensible Storage Engine. Researchers have suggested that despite this change there remain forensic opportunities to recover InPrivate browsing records from the new browser. The prospect of recovering such evidence, together with its potential forensic significance, prompts questions including where and when such evidence can be recovered, and if it is possible to prove that a recovered artefact originated from InPrivate browsing. This paper reports the results of experiments which answer these questions, and also provides some explanation of the increasingly complex data structures used to record Internet activity from both the desktop and Windows 8 Applications. We conclude that there is a time window between the private browsing session and the next use of the browser in which browsing records may be carved from database log files, after which it is necessary to carve from other areas of disk. It proved possible to recover a substantial record of a user’s InPrivate browsing, and to reliably associate such records with InPrivate browsing

Forensic Data Recovery From The Windows Search Database

Windows Search maintains a single database of the files, emails, programmes and Internet history of all the users of a personal computer, providing a potentially valuable source of information for a forensic investigator, especially since some information within the database is persistent, even if the underlying data are not available to the system (e.g.removable or encrypted drives). However, when files are deleted from the system their record is also deleted from the database. Existing tools to extract information from Windows Search use a programmatic interface to the underlying database, but this approach is unable to recover deleted records that may remain in unused space within the database or in other parts of the file system. This paper explores when unavailable files are indexed, and therefore available to an investigator via the search database, and how this is modified by the indexer scope and by attributes that control the indexing of encrypted content. Obtaining data via the programmatic interface is contrasted with a record carving approach using a new database record carver (wdsCarve); the strengths and weaknesses of the two approaches are reviewed, and the paper identifies several different strategies that may be productive in recovering deleted database records

Knowing Who to Watch : Efficiently Identifying Subtle Attackers

Insider attacks are often subtle and slow, or preceded by behavioral indicators such as organizational rulebreaking which provide the potential for early warning of malicious intent; both these cases pose the problem of identifying attacks from limited evidence contained within a large volume of event data collected from multiple sources over a long period. This paper proposes a scalable solution to this problem by maintaining long-term estimates that individuals or nodes are attackers, rather than retaining event data for post-facto analysis. These estimates are then used as triggers for more detailed investigation. We identify essential attributes of event data, allowing the use of a wide range of indicators, and show how to apply Bayesian statistics to maintain incremental estimates without global updating. The paper provides a theoretical account of the process, a worked example, and a discussion of its practical implications. The work includes examples that identify subtle attack behaviour in subverted network nodes, but the process is not network-specific and is capable of integrating evidence from other sources, such as behavioral indicators, document access logs and financial records, in addition to events identified by network monitoring

2

Risk has always motivated security in general terms; both assurance and IT governance approaches to security begin with a focus on risk, but the connection between risk and technical security is soon lost. As a result it is usually impossible to quantify the value of security features, or give metrics for the value of a security design compared to alternatives. This thesis describes the Security Design Analysis Framework (SeDAn), which relates a system design to its security environment (security goals, organisations, users, and attackers), allowing the connection between systematic risk and security requirements to be maintained and analysed. SeDAn innovations include: modelling the flexible relationships between organisations, assets and security goals in emerging networked systems; security requirements that constrain service behaviour; and the decomposition of systematic risk to sub-systems, allowing implementers to relate components of a system to their organisational and physical context. The framework also provides quality metrics for complete protection strategies, including: the value of security requirements in terms of risk; the degree of trust, o

Overview

One of the functions of the UK e-science security task force is to identify and promulgate good security practice in grid and related systems. Many Grid-based projects have developed distinctive security analyses, requirements, and/or technical solutions to distributed system security, but as yet there is little public record of this activity. The purpose of this workshop is to bring together those with practical experience in this area, to share good practice and discuss problems with others who are addressing similar issues. These proceedings contain extended abstracts that were reviewed from the perspective of relevance, and the extent that they might provoke a useful workshop discussion. They fall into two broad categories: those reporting project experience, and those making proposals or highlighting problems associated with particular applications. The more substantial papers in the former category may later be expanded and published in a special edition of Software: Practice and Experience. We would like to thank all those involved in organising this event, particularly the committee for their advice and speedy reviewing and the staff at Oxford for managin