Information Security Technical Report: latest articles

Analyses of two end-user software vulnerability exposure metrics (extended version)
Information Security Technical Report, vol. 17, no. 4, pp. 173-184. Pub Date: 2013-05-01. DOI: 10.1016/j.istr.2013.02.002
Authors: Jason L. Wright, Miles McQueen, Lawrence Wellman
Abstract: Understanding the exposure risk of software vulnerabilities is an important part of the software ecosystem. Reliable software vulnerability metrics allow end-users to make informed decisions regarding the risk posed by the choice of one software package versus another. In this article, we develop and analyze two new security metrics: median active vulnerabilities (MAV) and vulnerability free days (VFD). Both metrics take into account both the rate of vulnerability discovery and the rate at which vendors produce corresponding patches. We examine how our metrics are computed from publicly available data sets and then demonstrate their use in a case study with various vendors and products. Finally, we discuss the use of the metrics by various software stakeholders and how end-users can benefit from their use.
Citations: 3

Oblivious and fair server-aided two-party computation
Information Security Technical Report, vol. 17, no. 4, pp. 210-226. Pub Date: 2013-05-01. DOI: 10.1016/j.istr.2013.03.002
Authors: Amir Herzberg, Haya Shulman
Abstract: We show efficient, practical (server-aided) secure two-party computation protocols ensuring privacy, correctness and fairness in the presence of malicious (Byzantine) faults. Our requirements from the server are modest. To ensure privacy and correctness, we only assume a circuit evaluation service, executing an initialisation program provided by both parties. To ensure fairness, we further assume a trusted-decryption service, providing decryption service using a known public key. Our fairness-ensuring protocol is optimistic, i.e., the decryption service is invoked only in case of faults.
Both of these trusted services are feasible in practice, and may be useful for additional tasks; both can also be distributed, with linear overhead, for redundancy. We believe that the protocols are sufficiently efficient, to allow deployment, in particular for financial applications. We also propose applications which constitute natural candidates to benefit from our protocols.
Citations: 11

Toward web-based information security knowledge sharing
Information Security Technical Report, vol. 17, no. 4, pp. 199-209. Pub Date: 2013-05-01. DOI: 10.1016/j.istr.2013.03.004
Authors: Daniel Feledi, Stefan Fenz, Lukas Lechner
Abstract: Today IT security professionals are working hard to keep a high security standard for their information systems. In doing so, they often face similar problems, for which they have to create appropriate solutions. An exchange of knowledge between experts would be desirable in order to prevent developing always the same solutions by independent persons. Such an exchange could also lead to solutions of higher quality, as existing approaches could be advanced, instead of always reinventing the security wheel.
This paper examines how information security knowledge can be shared between different organizations on the basis of a web portal utilizing Web-Protégé. It can be shown that through the use of ontologies the domain of information security can be modeled and stored in a human- and a machine-readable format, enabling both human editing and automation (e.g. for risk calculations). The evaluation of the web portal has shown that the most important challenge a tool for knowledge sharing has to face is the aspect of motivating users to participate in a knowledge exchange.
Results from the evaluation have been used to further develop and enhance the web portal by implementing additional facilitating features. These features include a credit system, which rewards users for contributions, as well as the ability to select multiple entities, improving the system's usability.
Citations: 49

Analyzing settings for social identity management on Social Networking Sites: Classification, current state, and proposed developments
Information Security Technical Report, vol. 17, no. 4, pp. 185-198. Pub Date: 2013-05-01. DOI: 10.1016/j.istr.2013.02.005
Authors: Moritz Riesner, Michael Netter, Günther Pernul
Abstract: The rising prevalence of Social Networking Sites (SNS) and their usage in multiple contexts poses new privacy challenges and increasingly prompts users to manage their online identity. To address privacy threats stemming from interacting with other users on SNS, effective Social Identity Management (SIdM) is a key requirement. It refers to the deliberate and targeted disclosure of personal attribute values to a subset of one's contacts or other users on the SNS. Protection against other entities such as the site operator itself or advertisers and application programmers is not covered by SIdM, but could be incorporated in further refinement steps. Features and settings to perform SIdM have been proposed and subsequently implemented partly by some SNS. Yet, these are often isolated solutions that lack integration into a reference framework that states the requirements for successfully managing one's identity. In this article, such a reference framework of existing and desired SIdM settings is derived from identity theory, literature analysis, and existing SNS. Based thereupon, we examine the SIdM capabilities of prevalent SNS and highlight possible improvements. Lastly, we reason about developing a metric to objectively compare the capability of SNS in regards to their support for SIdM.
Citations: 8

InnoDB database forensics: Enhanced reconstruction of data manipulation queries from redo logs
Information Security Technical Report, vol. 17, no. 4, pp. 227-238. Pub Date: 2013-05-01. DOI: 10.1016/j.istr.2013.02.003
Authors: Peter Frühwirt, Peter Kieseberg, Sebastian Schrittwieser, Markus Huber, Edgar Weippl
Abstract: The InnoDB storage engine is one of the most widely used storage engines for MySQL. This paper discusses possibilities of utilizing the redo logs of InnoDB databases for forensic analysis, as well as the extraction of the information needed from the MySQL definition files, in order to carry out this kind of analysis. Since the redo logs are internal log files of the storage engine and thus cannot easily be changed undetected, this forensic method can be very useful against adversaries with administrator privileges, which could otherwise cover their tracks by manipulating traditional log files intended for audit and control purposes. Based on a prototype implementation, we show methods for recovering Insert, Delete and Update statements issued against a database.
Citations: 29

On measuring the parasitic backscatter of sensor-enabled UHF RFID tags
Information Security Technical Report, vol. 17, no. 4, pp. 239-252. Pub Date: 2013-05-01. DOI: 10.1016/j.istr.2013.02.004
Authors: Thomas Plos, Christian Maierhofer
Abstract: Radio-frequency identification (RFID) tags have found their way into many applications. When tags implement cryptographic algorithms, side-channel analysis (SCA) attacks become a concern. Especially tags in the ultra-high frequency (UHF) range are susceptible to so-called parasitic-backscatter attacks that can be applied from a distance. Whereas it is known that such attacks are a threat for passive low-cost tags, no results are so far available for sensor-enabled tags. In this work, we evaluate the parasitic backscatter of wireless identification and sensing platform (WISP) tags by conducting differential electromagnetic analysis (DEMA) attacks. We apply the attacks on a passively as well as a semi-passively operated WISP tag from a distance of 30 cm and compare the results with an attack on a commercial low-cost tag. The results show that the evaluated WISP tags are less susceptible to DEMA attacks based on the parasitic backscatter than the evaluated commercial low-cost tag. Moreover, we present a measurement approach that allows to detect the weak parasitic backscatter modulated on the strong reader field without the need for an expensive hardware receiver or a dedicated demodulation circuit.
Citations: 3

Bridging the gap between role mining and role engineering via migration guides
Information Security Technical Report, vol. 17, no. 4, pp. 148-172. Pub Date: 2013-05-01. DOI: 10.1016/j.istr.2013.03.003
Authors: Anne Baumgrass, Mark Strembeck
Abstract: In the context of role-based access control (RBAC), mining approaches, such as role mining or organizational mining, can be applied to derive permissions and roles from a system's configuration or from log files. In this way, mining techniques document the current state of a system and produce current-state RBAC models. However, such current-state RBAC models most often follow from structures that have evolved over time and are not the result of a systematic rights management procedure. In contrast, role engineering is applied to define a tailored RBAC model for a particular organization or information system. Thus, role engineering techniques produce a target-state RBAC model that is customized for the business processes supported via the respective information system. The migration from a current-state RBAC model to a tailored target-state RBAC model is, however, a complex task. In this paper, we present a systematic approach to migrate current-state RBAC models to target-state RBAC models. In particular, we use model comparison techniques to identify differences between two RBAC models. Based on these differences, we derive migration rules that define which elements and element relations must be changed, added, or removed. A migration guide then includes all migration rules that need to be applied to a particular current-state RBAC model to produce the corresponding target-state RBAC model. We conducted two comparative studies to identify which visualization technique is most suitable to make migration guides available to human users. Based on the results of these comparative studies, we implemented tool support for the derivation and visualization of migration guides. Our software tool is based on the Eclipse Modeling Framework (EMF). Moreover, this paper describes the experimental evaluation of our tool.
Citations: 16

Semantic analysis of role mining results and shadowed roles detection
Information Security Technical Report, vol. 17, no. 4, pp. 131-147. Pub Date: 2013-05-01. DOI: 10.1016/j.istr.2013.03.001
Authors: Safaà Hachana, Frédéric Cuppens, Nora Cuppens-Boulahia, Joaquin Garcia-Alfaro
Abstract: The use of role engineering has grown in importance with the expansion of highly abstracted access control frameworks in organizations. In particular, the use of role mining techniques for the discovery of roles from previously deployed authorizations has facilitated the configuration of such frameworks. However, the literature lacks from a clear basis for appraising and leveraging the learning outcomes of the role mining process. In this paper, we provide such a formal basis. We compare sets of roles by projecting roles from one set into the other set. This approach is useful to measure how comparable the two configurations of roles are, and to interpret each role. We formally define the problem of comparing sets of roles, and prove that the problem is NP-complete. Then, we propose an algorithm to map the inherent relationship between the sets based on Boolean expressions. We demonstrate the correctness and completeness of our solution, and investigate some further issues that may benefit from our approach, such as detection of unhandled perturbations or source misconfiguration. In particular, we emphasize that the presence of shadowed roles in the role configuration increases the time complexity of sets of roles comparison. We provide a definition of the shadowed roles problem and propose a solution that detects different cases of role shadowing.
Citations: 5

ARES 2012 special issue
Information Security Technical Report, vol. 17, no. 4, pp. 129-130. Pub Date: 2013-05-01. DOI: 10.1016/j.istr.2013.04.001
Authors: (none listed)
Abstract: (none)
Citations: 0

SmartK: Smart cards in operating systems at kernel level
Information Security Technical Report, vol. 17, no. 3, pp. 93-104. Pub Date: 2013-02-01. DOI: 10.1016/j.istr.2012.10.003
Authors: Luigi Catuogno, Roberto Gassirà, Michele Masullo, Ivan Visconti
Abstract: A smart card is a tamper-resistant miniature computer that performs some basic computations on input a secret information. So far, smart cards have been widely used for securing many digital transactions (e.g., pay television, ATM machines).
We focus on the implementation of operating system security services leveraging on smart cards. This very challenging feature allows one to personalize some functionalities of the operating system by simply changing a smart card. Current solutions for integrating smart card features in operating system services require at least a partial execution of some of the operating system functionalities at “user level”. Unfortunately, system functionalities built on top of components lying at both kernel and user levels may negatively affect the overall system security, due to the introduction of multiple points of failure.
In this work, we present the design and implementation of SmartK: a framework that integrates features of smart cards uniquely in the Linux kernel. In order to validate our approach, we propose a host of enhancements to the Linux operating system built on top of SmartK: 1) in-kernel clients' authentication with Kerberos; 2) execution of trusted code; 3) key management in secure network filesystems. In particular, we present an experimental Linux OS distribution (SalSA), which addresses the security issues related to downloading packages and to updating an operating system through the Internet.
Citations: 9