Secrecy for Mobile Implementations of Security Protocols

Mobile code technology offers interesting possibilities to the practitioner, but also raises strong concerns about security. One aspect of security is secrecy, the preservation of confidential information. This thesis investigates the modelling, specification and verification of secrecy in mobile applications which access and transmit confidential information through a possibly compromised medium (e.g. the Internet). These applications can be expected to communicate secret information using a security protocol, a mechanism to guarantee that the transmitted data does not reach unauthorized entities. The central idea is therefore to relate the secrecy properties of the application to those of the protocol it implements, through the definition of a ``confidential protocol implementation'' relation. The argument takes an indirect form, showing that a confidential implementation transmits secret data only in the ways indicated by the protocol. We define the implementation relation using labelled transition semantics, bisimulations and relabelling functions. To justify its technical definition, we relate this property to a notion of noninterference for nondeterministic systems derived from Cohen's definition of Selective Independency. We also provide simple and local conditions that greatly simplify its verification, and report on our experiments on an architecture showing how the proposed formulations could be used in practice to enforce secrecy of mobile code

Towards goal-based autonomic networking

The ability to quickly deploy and efficiently manage services is critical to the telecommunications industry. Currently, services are designed and managed by different teams with expertise over a wide range of concerns, from high-level business to low level network aspects. Not only is this approach expensive in terms of time and resources, but it also has problems to scale up to new outsourcing and/or multi-vendor models, where subsystems and teams belong to different organizations. We endorse the idea, upheld among others in the autonomic computing community, that the network and system components involved in the provision of a service must be crafted to facilitate their management. Furthermore, they should help bridge the gap between network and business concerns. In this paper, we sketch an approach based on early work on the hierarchical organization of autonomic entities that possibly belong to different organizations. An autonomic entity governs over other autonomic entities by defining their goals. Thus, it is up to each autonomic entity to decide its line of actions in order to fulfill its goals, and the governing entity needs not know about the internals of its subordinates. We illustrate the approach with a simple but still rich example of a telecom service

Secrecy for mobile implementations of security protocols

Mobile code technology offers interesting possibilities tothe practitioner, but also raises strong concerns aboutsecurity. One aspect of security is secrecy, the preservationof confidential information. This thesis investigates themodelling, specification and verification of secrecy in mobileapplications which access and transmit confidential informationthrough a possibly compromised medium (e.g. the Internet).These applications can be expected to communicate secretinformation using a security protocol, a mechanism to guaranteethat the transmitted data does not reach unauthorizedentities. The central idea is therefore to relate the secrecyproperties of the application to those of the protocol itimplements, through the definition of a "confidential protocolimplementation" relation. The argument takes an indirect form,showing that a confidential implementation transmits secretdata only in the ways indicated by the protocol. We define theimplementation relation using labelled transition semantics,bisimulations and relabelling functions. To justify itstechnical definition, we relate this property to a notion ofnoninterference for nondeterministic systems derived fromCohen\u92s definition of Selective Independency. We alsoprovide simple and local conditions that greatly simplify itsverification, and report on our experiments on an architectureshowing how the proposed formulations could be used in practiceto enforce secrecy of mobile code.NR 2014080

Memory Consumption Analysis of Java Smart Cards

Memory is a scarce resource in Java smart cards. Developers and card suppliers alike would want to make sure, at compile- or load-time, that a Java Card applet will not overflow memory when performing dynamic class instantiations. Although there are good solutions to the general problem, the challenge is still out to produce a static analyser that is certified and could execute on-card. We provide a constraint-based algorithm which determines potential loops and (mutually) recursive methods. The algorithm operates on the bytecode of an applet and is written as a set of rules associating one or more constraints to each bytecode instruction. The rules are designed so that a certified analyser could be extracted from their proof of correctness. By keeping a clear separation between the rules dealing with the inter- and intra-procedural aspects of the analysis we are able to reduce the space-complexity of a previous algorithm

Memory consumption analysis of Java smart cards

Memory is a scarce resource in Java smart cards. Developers and card suppliers alike would want to make sure, at compile- or load-time, that a Java Card applet will not overflow memory when performing dynamic class instantiations. Although there are good solutions to the general problem, the challenge is still out to produce a static analyser that is certified and could execute on-card. We provide a constraint-based algorithm which determines potential loops and (mutually) recursive methods. The algorithm operates on the bytecode of an applet and is written as a set of rules associating one or more constraints to each bytecode instruction. The rules are designed so that a certified analyser could be extracted from their proof of correctness. By keeping a clear separation between the rules dealing with the inter- and intra-procedural aspects of the analysis we are able to reduce the space-complexity of a previous algorithm.

Confidentiality for mobile code: the case of a simple payment protocol

We propose an approach to support confidentiality for mobile implementations of security-sensitive protocols us-ing Java/JVM. An applet which receives and passes on con-fidential information onto a public network has a rich set of direct and indirect channels available to it. The problem is to constrain applet behaviour to prevent those leakages that are unintended while preserving those that are specified in the protocol. We use an approach based on the idea of cor-relating changes in observable behaviour with changes in input. In the special case where no changes in (low) be-haviour are possible we retrieve a version of noninterfer-ence. Mapping our approach to JVM a number of particular concerns need to be addressed, including the use of object libraries for IO, the use of labelling to track input/output of secrets, and the choice of proof strategy. We use the bisimu-lation proof technique. To provide user feedback we employ a variant of proof-carrying code to instrument a security assistant which will let users of an applet inquire about its security properties such as the destination of data input into different fields. 1

Quality of Service Evaluation in Virtual Organizations Using SLAs

Cooperating in Virtual organizations requires trust between the constituting organizations. SLA contracts are put in place in order to specify the quality of service of services offered. For these contracts to be effective they also need to be monitored effectively. In a Service Oriented Architecture this often means monitoring Web service invocations and evaluating if the service fulfills the obligations in its SLA. In this paper we present an implementation of a rule engine based SLA Evaluator specifically designed for the needs of a virtual organization. The evaluator fits in the context of a virtual organization through the use of open XML-based standards and a loosely coupled, event-driven architecture