XRound : A reversible template language and its application in model-based security analysis

Successful analysis of the models used in Model-Driven Development requires the ability to synthesise the results of analysis and automatically integrate these results with the models themselves. This paper presents a reversible template language called XRound which supports round-trip transformations between models and the logic used to encode system properties. A template processor that supports the language is described, and the use of the template language is illustrated by its application in an analysis workbench, designed to support analysis of security properties of UML and MOF-based models. As a result of using reversible templates, it is possible to seamlessly and automatically integrate the results of a security analysis with a model. (C) 2008 Elsevier B.V. All rights reserved

Optimising Unicode Regular Expression Evaluation with Previews

The jsre regular expression library was designed to provide fast matching of complex expressions over large input streams using user-selectable character encodings. An established design approach was used: a simulated non-deterministic automaton (NFA) implemented as a virtual machine, avoiding exponential cost functions in either space or time. A deterministic automaton (DFA) was chosen as a general dispatching mechanism for Unicode character classes and this also provided the opportunity to use compact DFAs in various optimization strategies. The result was the development of a regular expression Preview which provides a summary of all the matches possible from a given point in a regular expression in a form that can be implemented as a compact DFA and can be used to further improve the performance of the standard NFA simulation algorithm. This paper formally defines a preview and describes and evaluates several optimizations using this construct. They provide significant speed improvements accrued from fast scanning of anchor positions, avoiding retesting of repeated strings in unanchored searches, and efficient searching of multiple alternate expressions which in the case of keyword searching has a time complexity which is logarithmic in the number of words to be searched

Control Consistency as a Management Tool: The Identification of Systematic Security Control Weaknesses in Air Traffic Management

In 2008 EUROCONTROL published Information and Communications Technology (ICT) Security Guidance to Air Navigation Service Providers (ANSPs), to assist them in complying with regulatory security requirements. This included a visualisation tool which allowed the consistency of control sets to be reviewed and communicated: consistency being the degree to which more sophisticated controls were supported by core controls. The validation of that guidance included surveys which were conducted to contrast current practice in European ANSPs with a baseline control set based on ISO/IEC 27001:2005. The consistency test revealed significant gaps in the control strategies of these organisations: despite relatively sophisticated control regimes there were areas which lacked core controls. Key missing elements identified in the ANSPs surveyed include security management and senior management engagement, system accreditation, the validation and authentication of data used by ATM systems, incident management, and business continuity preparedness. Since anonymity requires that little can be said about the original surveys these results are necessarily indicative, so the paper contrasts these findings with contemporaneous literature, including audit reports on security in US ATM systems. The two sources prove to be in close agreement, confirming the value of the control consistency view in providing an overview of an organisation's security control regime

Navigating the Windows Mail database

The Extensible Storage Engine (ESE) database is used to support many forensically important applications in the Windows operating system, and a study of how ESE is used in one application provides wider insights into data storage in other current and future applications. In Windows 10, WindowsMail uses an ESE database to store messages, appointments and related data; however, field (column) names used to identify these records are hexadecimal property tags, many of which are undocumented. To support forensic analysis a series of experiments were carried out to identify the function of these tags, and this work resulted in a body of related information about the Mail application. This paper documents property tags that have been mapped, and presents how Windows Mail artifacts recovered from the ESE store.vol database can be interpreted, including how the paths of files recorded by the Mail system are derived from database records. We also present examples that illustrate forensic issues in the interpretation of email messages and appointment records, and show how additional information can be obtained by associating these records with other information in the ESE database

An analysis of the structure and behaviour of the Windows 7 operating system thumbnail cache

Operating systems such as Windows 7 implement a thumbnail cache structure to store visual thumbnails and associated metadata. There is no standard implementation of a thumbnail cache or its functions, which has led developers to implement their own structures and behaviour. The artefacts present within a thumbnail cache are of interest to a forensic analyst as they can provide information on files within the system which may be of use to the investigation. This research investigates the structure and behaviour of the thumbnail cache implemented in Windows 7 and shows that as well as storing information relating to visual thumbnails the cache also stores the names of networked computers, GUIDs relating to system artefacts and allocated drive letter information. It also shows that due to the behaviour of the cache, information such as records relating to files which are no longer on the system may be available, proving interesting forensic evidence

Information Modeling for Automated Risk Analysis

Abstract. Systematic security risk analysis requires an information model which integrates the system design, the security environment (the attackers, security goals etc) and proposed security requirements. Such a model must be scalable to accommodate large systems, and support the efficient discovery of threat paths and the production of risk-based metrics; the modeling approach must balance complexity, scalability and expressiveness. This paper describes such a model; novel features include combining formal information modeling with informal requirements traceability to support the specification of security requirements on incompletely specified services, and the typing of information flow to quantify path exploitability and model communications security

Security design analysis

EThOS - Electronic Theses Online ServiceGBUnited Kingdo

Private browsing : a window of forensic opportunity

The release of Internet Explorer 10 marks a significant change in how browsing artifacts are stored in the Windows file system, moving away from well-understood Index.dat files to use a high performance database, the Extensible Storage Engine. Researchers have suggested that despite this change there remain forensic opportunities to recover InPrivate browsing records from the new browser. The prospect of recovering such evidence, together with its potential forensic significance, prompts questions including where and when such evidence can be recovered, and if it is possible to prove that a recovered artefact originated from InPrivate browsing. This paper reports the results of experiments which answer these questions, and also provides some explanation of the increasingly complex data structures used to record Internet activity from both the desktop and Windows 8 Applications. We conclude that there is a time window between the private browsing session and the next use of the browser in which browsing records may be carved from database log files, after which it is necessary to carve from other areas of disk. It proved possible to recover a substantial record of a user’s InPrivate browsing, and to reliably associate such records with InPrivate browsing

Scoping the Cyber Security Body of Knowledge

Cybersecurity is becoming an important element in curricula at all education levels. However, the foundational knowledge on which the field of cybersecurity is being developed is fragmented, and as a result, it can be difficult for both students and educators to map coherent paths of progression through the subject. The Cyber Security Body of Knowledge (CyBOK) project (www.cybok.org) aims to codify the foundational and generally recognized knowledge on cybersecurity.</p