
    Logical Foundations of Multilevel Databases

    In this paper, we propose a formal model for multilevel databases. This model aims at being a generic model, that is, it can be interpreted for any kind of database (relational, object-oriented...). Our model has three layers. The first layer corresponds to a model for a non-protected database. The second layer corresponds to a model for a multilevel database. In this second layer, we propose a list of theorems that must be respected in order to build a secure multilevel database. We also propose a new solution to manage cover stories without using the ambiguous technique of polyinstantiation. The third layer corresponds to a model for a MultiView database, that is, a database that provides at each security level a consistent view of the multilevel database. Finally, as an illustration, we interpret our 3-layer model in the case of an object-oriented database.

    Negotiating and delegating obligations

    In this paper, we describe a security model where users are allowed to control their obligations partially or totally, depending on the security policy. The main motivation of our work is to design more flexible systems that take into account users' requirements in order to avoid obligation violations and therefore sanctions. In our model, users are able to negotiate or delegate their obligations in the case of incapacity to fulfill them. This is an important aspect to be considered, since it is common that, at work or in everyday life, a user may need to negotiate the fulfillment of a given obligation, or also need the help of others to perform a task on his/her behalf. This may be due to several reasons such as absence, vacation, conflict of interest, lack of time, of resource, of competence or simply for the sake of efficiency. In our model, we propose an approach to deal with the negotiation and the delegation of obligations based on the concept of contexts.

    Misconfiguration Management of Network Security Components

    Many companies and organizations use firewalls to control the access to their network infrastructure. Firewalls are network security components which provide means to filter traffic within corporate networks, as well as to police incoming and outgoing interaction with the Internet. For this purpose, it is necessary to configure firewalls with a set of filtering rules. Nevertheless, the existence of errors in a set of filtering rules is very likely to degrade the network security policy. The discovery and removal of these configuration errors is a serious and complex problem to solve. In this paper, we present a set of algorithms for such a management. Our approach is based on the analysis of relationships between the set of filtering rules. Then, a subsequent rewriting of rules will derive from an initial firewall setup -- potentially misconfigured -- to an equivalent one completely free of errors. At the same time, the algorithms will detect useless rules in the initial firewall configuration.
    Comment: 9 pages, 4 figures, 10 references, 7th International Symposium on System and Information Security (SSI), Sao Paulo, Brazil
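The abstract above describes the idea but not the algorithms themselves. The following is an added example, not code from the paper: a small first-match rule analyser that classifies each rule against the rules above it (fully covered by an opposite-action rule: shadowed, i.e. a misconfiguration; fully covered by a same-action rule: redundant, i.e. useless; partially overlapping an opposite-action rule: correlated, i.e. order-sensitive) and rewrites the set by dropping every rule that can never be the first match, which leaves the filtering behaviour unchanged. The `Rule` layout and the sample rule set are constructed for the example; the paper's own algorithms also handle coverage by the union of several earlier rules, which this pairwise check does not.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    """One filtering rule; rules are evaluated top-down, first match wins."""
    name: str
    action: str          # "accept" or "deny"
    proto: str           # "tcp", "udp" or "any"
    src: str             # source CIDR
    dst: str             # destination CIDR
    dports: tuple        # inclusive destination port range (low, high)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    nets_ok = (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
               and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst)))
    ports_ok = outer.dports[0] <= inner.dports[0] and inner.dports[1] <= outer.dports[1]
    return nets_ok and ports_ok


def overlaps(a: Rule, b: Rule) -> bool:
    """True if at least one packet is matched by both rules."""
    proto_ok = "any" in (a.proto, b.proto) or a.proto == b.proto
    nets_ok = (ipaddress.ip_network(a.src).overlaps(ipaddress.ip_network(b.src))
               and ipaddress.ip_network(a.dst).overlaps(ipaddress.ip_network(b.dst)))
    ports_ok = a.dports[0] <= b.dports[1] and b.dports[0] <= a.dports[1]
    return proto_ok and nets_ok and ports_ok


def analyse(rules):
    """Classify each rule against the rules above it (pairwise check).

    shadowed   : fully covered by an earlier rule with the opposite action, so it
                 can never fire (misconfiguration: the intended action is lost)
    redundant  : fully covered by an earlier rule with the same action (useless)
    correlated : partially overlaps an earlier rule with the opposite action, so
                 rule order decides the outcome for the shared packets (review)
    """
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, kind, earlier.name))
                break
        else:
            for earlier in rules[:i]:
                if earlier.action != rule.action and overlaps(earlier, rule):
                    findings.append((rule.name, "correlated", earlier.name))
    return findings


def rewrite(rules):
    """Return an equivalent rule set without shadowed or redundant rules.

    A rule fully covered by an earlier kept rule can never be the first match,
    so dropping it leaves the filtering behaviour unchanged."""
    kept = []
    for rule in rules:
        if not any(covers(earlier, rule) for earlier in kept):
            kept.append(rule)
    return kept


def sample_rules():
    """Constructed example rule set (not from the paper)."""
    return [
        Rule("r1", "accept", "tcp", "10.0.0.0/8", "192.168.1.10/32", (80, 80)),
        Rule("r2", "deny", "tcp", "10.0.1.0/24", "192.168.1.10/32", (80, 80)),    # shadowed by r1
        Rule("r3", "accept", "tcp", "10.0.0.0/16", "192.168.1.10/32", (80, 80)),  # redundant with r1
        Rule("r4", "deny", "any", "0.0.0.0/0", "192.168.1.0/24", (1, 65535)),     # default deny
    ]


if __name__ == "__main__":
    rules = sample_rules()
    for finding in analyse(rules):
        print("%s is %s with respect to %s" % finding)
    print("equivalent rule set:", [r.name for r in rewrite(rules)])
```

On the sample set, r2 is reported as shadowed (the administrator's deny for 10.0.1.0/24 is silently ineffective because r1 accepts it first), r3 as redundant, and the default deny r4 as correlated with the earlier accepts, which is expected for a default rule; the rewritten set is r1 followed by r4. A shadowed rule is dropped because the rewrite preserves the behaviour of the deployed configuration, not the administrator's intent, so the shadowed findings are the ones to act on before rewriting.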

    Cover Story Management

    In a multilevel database, cover stories are usually managed using the ambiguous technique of polyinstantiation. In this paper, we define a new technique to manage cover stories and propose a formal representation of a multilevel database containing cover stories. Our model aims to be a generic model, that is, it can be interpreted for any kind of database (e.g. relational, object-oriented etc). We then consider the problem of updating a multilevel database containing cover stories managed with our technique.

    Detection of illegal control flow in Android System: Protecting private data used by Smartphone Apps

    Today, security is a requirement for smartphone operating systems that are used to store and handle sensitive information. However, smartphone users usually download third-party applications that can leak personal data without user authorization. For this reason, the dynamic taint analysis mechanism is used to control the manipulation of private data by third-party apps [9]. But this technique does not detect control flows. In particular, untrusted applications can circumvent Android system and get privacy sensitive information through control flows. In this paper, we propose a hybrid approach that combines static and dynamic analysis to propagate taint along control dependencies in Android system. To evaluate the effectiveness of our approach, we analyse 27 free Android applications. We found that 14 of these applications use control flows to transfer sensitive data. We successfully detect that 8 of them leaked private information. Our approach creates 19% performance overhead that is due to the propagation of taint in the control flow. By using our approach, it becomes possible to detect leakage of personal data through control flows.

    Protection against Code Obfuscation Attacks based on control dependencies in Android Systems

    In Android systems, an attacker can obfuscate an application code to leak sensitive information. TaintDroid is an information flow tracking system that protects private data in smartphones. But, TaintDroid cannot detect control flows. Thus, it can be circumvented by an obfuscated code attack based on control dependencies. In this paper, we present a collection of obfuscated code attacks on TaintDroid system. We propose a technical solution based on a hybrid approach that combines static and dynamic analysis. We formally specify our solution based on two propagation rules. Finally, we evaluate our approach and show that we can avoid the obfuscated code attacks based on control dependencies by using these propagation rules.

    Access and privacy control enforcement in RFID middleware systems: Proposal and implementation on the Fosstrak platform

    Radio Frequency IDentification (RFID) technology offers a new way of automating the identification and storing of information in RFID tags. The emerging opportunities for the use of RFID technology in human centric applications like monitoring and indoor guidance systems indicate how important this topic is in terms of privacy. Handling privacy issues from the early stages of RFID data collection helps to master the data view before translating it into business events and storing it in databases. An RFID middleware is the entity that sits between tag readers and database applications. It is in charge of collecting, filtering and aggregating the requested events from heterogeneous RFID environments. Thus, the system, at this point, is likely to suffer from parameter manipulation and eavesdropping, raising privacy concerns. In this paper, we propose an access and privacy controller module that adds a security level to the RFID middleware standardized by the EPCglobal consortium. We provide a privacy policy-driven model using some enhanced contextual concepts of the extended Role Based Access Control model, namely the purpose, the accuracy and the consent principles. We also use the provisional context to model security rules whose activation depends on the history of previously performed actions. To show the feasibility of our privacy enforcement model, we first provide a proof-of-concept prototype integrated into the middleware of the Fosstrak platform, then evaluate the performance of the integrated module in terms of execution time.

    fQuery: SPARQL Query Rewriting to Enforce Data Confidentiality

    RDF is an increasingly used framework for describing Web resources, including sensitive and confidential resources. In this context, we need an expressive language to query RDF databases. SPARQL has been defined to easily localize and extract data in an RDF graph. Since confidential data are accessed, SPARQL queries must be filtered so that only authorized data are returned with respect to some confidentiality policy. In this paper, we model a confidentiality policy as a set of positive and negative filters (corresponding respectively to permissions and prohibitions) that apply to SPARQL queries. We then define rewriting algorithms that transform the queries so that the results returned by transformed queries are compliant with the confidentiality policy.

    Medical image integrity control combining digital signature and lossless watermarking

    Enforcing protection of medical content becomes a major issue of computer security. Since medical contents are more and more widely distributed, it is necessary to develop security mechanisms to guarantee their confidentiality, integrity and traceability in an autonomous way. In this context, watermarking has been recently proposed as a complementary mechanism for medical data protection. In this paper, we focus on the verification of medical image integrity through the combination of digital signatures with such a technology, and especially with Reversible Watermarking (RW). RW schemes have been proposed for images of sensitive content for which any modification may affect their interpretation. Hence, we compare several recent RW schemes and discuss their potential use in the framework of an integrity control process in application to different sets of medical images issued from three distinct modalities: Magnetic Resonance Images, Positron Emission Tomography and Ultrasound Imaging. Experimental results with respect to two aspects, including data hiding capacity and image quality preservation, show different limitations which depend on the watermark approach but also on image modality specificities.