International journal of secure software engineering最新文献

{"title":"Performance Evaluation of Secure Key Deployment and Exchange Protocol for MANETs","authors":"Alastair Nisbet, M. A. Rashid","doi":"10.4018/JSSE.2011010101","DOIUrl":"https://doi.org/10.4018/JSSE.2011010101","url":null,"abstract":"Secure Key Deployment and Exchange Protocol SKYE is a new encryption Key Management Scheme KMS based on combination of features from recent protocols combined with new features for Mobile Ad Hoc Networks MANETs. The design focuses on a truly ad hoc networking environment where geographical size of the network, numbers of network members, and mobility of the members is all unknown before deployment. Additionally, all key management is performed online making it distinct from most other implementations. This paper attempts to describe the process of development of the protocol and to more thoroughly discuss the simulation software design used to evaluate the performance of the proposed protocol. Simulation results show that security within the network can be increased by requiring more servers to collaborate to produce a certificate for the new member, or by requiring a higher trust threshold along the certificate request chain. SKYE works well within the limitations set by entirely online network formation and key management.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"111 1","pages":"1-21"},"PeriodicalIF":0.0,"publicationDate":"2011-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"79195339","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"A Rigorous Approach to the Definition of an International Vocational Master's Degree in Information Security Management","authors":"F. Girard, B. Meunier, Duan Hua, E. Dubois","doi":"10.4018/JSSE.2010100101","DOIUrl":"https://doi.org/10.4018/JSSE.2010100101","url":null,"abstract":"In Luxembourg, like in many other countries, information security has become a central issue for private companies and public organizations. Today, information is the main asset of a company for its business and, at the same time, regulations are imposing more and more rules regarding its management. As a consequence, in Luxembourg, a clear need has emerged regarding the development of new learning trajectory fulfilling the requirements of the new job profile associated with a Chief Security Officer. This need was relayed by the national professional security association which asked for the development of a new education program targeting professional people engaged in a lifelong learning trajectory. The paper reports on the rigorous and scientific participatory approach for producing the adequate learning program meeting requirements elicited from the professional association members. The authors present the skills card that has been elaborated for capturing these requirements and the program, which has been built together with the University of Luxembourg for matching these requirements. This program proposes a holistic approach to information security management by including organization, human and technical security risks within the context of regulations and norms.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"51 1","pages":"1-17"},"PeriodicalIF":0.0,"publicationDate":"2010-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"75587924","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Secure Software Education: A Contextual Model-Based Approach","authors":"J. Simpson, M. Simpson, B. Endicott-Popovsky, Viatcheslav Popovsky","doi":"10.4018/JSSE.2010100103","DOIUrl":"https://doi.org/10.4018/JSSE.2010100103","url":null,"abstract":"This article establishes a context for secure information systems development as well as a set of models used to develop and apply a secure software production pedagogy. A generic system model is presented to support the system context development, and to provide a framework for discussing security relationships that exist between and among information systems and their applications. An asset protection model is tailored to provide a conceptual ontology for secure information system topics, and a stable logical framework that is independent of specific organizations, technologies, and their associated changes. This asset protection model provides a unique focus for each of the three primary professional communities associated with the development and operation of secure information systems. In this paper, a secure adaptive response model is discussed to provide an analytical tool to assess risk associated with the development and deployment of secure information systems, and to use as a security metric. A pedagogical model for information assurance curriculum development is then established in the context and terms of the developed secure information system models. The relevance of secure coding techniques to the production of secure systems, architectures, and organizational operations is also discussed.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"116 1","pages":"35-61"},"PeriodicalIF":0.0,"publicationDate":"2010-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"79370833","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Development of a Master of Software Assurance Reference Curriculum","authors":"N. Mead, Julia H. Allen, M. Ardis, T. Hilburn, A. Kornecki, R. Linger, J. McDonald","doi":"10.4018/JSSE.2010100102","DOIUrl":"https://doi.org/10.4018/JSSE.2010100102","url":null,"abstract":"Modern society is deeply and irreversibly dependent on software systems of remarkable scope and complexity in areas that are essential for preserving this way of life. The security and correct functioning of these systems are vital. Recognizing these realities, the U. S. Department of Homeland Security DHS National Cyber Security Division NCSD enlisted the resources of the Software Engineering Institute at Carnegie Mellon University to develop a curriculum for a Master of Software Assurance degree program and define transition strategies for implementation. In this article, the authors present an overview of the Master of Software Assurance curriculum project, including its history, student prerequisites and outcomes, a core body of knowledge, and curriculum architecture from which to create such a degree program. The authors also provide suggestions for implementing a Master of Software Assurance program.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"48 1","pages":"18-34"},"PeriodicalIF":0.0,"publicationDate":"2010-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"73932457","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Assimilating and Optimizing Software Assurance in the SDLC: A Framework and Step-Wise Approach","authors":"A. O. Adeniji, Seok-Won Lee","doi":"10.4018/JSSE.2010100104","DOIUrl":"https://doi.org/10.4018/JSSE.2010100104","url":null,"abstract":"Software Assurance is the planned and systematic set of activities that ensures software processes and products conform to requirements while standards and procedures in a manner that builds trusted systems and secure software. While absolute security may not yet be possible, procedures and practices exist to promote assurance in the software lifecycle. In this paper, the authors present a framework and step-wise approach towards achieving and optimizing assurance by infusing security knowledge, techniques, and methodologies into each phase of the Software Development Lifecycle SDLC.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"14 1","pages":"62-80"},"PeriodicalIF":0.0,"publicationDate":"2010-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"83722746","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Monitoring Buffer Overflow Attacks: A Perennial Task","authors":"H. Shahriar, Mohammad Zulkernine","doi":"10.4018/JSSE.2010070102","DOIUrl":"https://doi.org/10.4018/JSSE.2010070102","url":null,"abstract":"Buffer overflow BOF is a well-known, and one of the worst and oldest, vulnerabilities in programs. BOF attacks overwrite data buffers and introduce wide ranges of attacks like execution of arbitrary injected code. Many approaches are applied to mitigate buffer overflow vulnerabilities; however, mitigating BOF vulnerabilities is a perennial task as these vulnerabilities elude the mitigation efforts and appear in the operational programs at run-time. Monitoring is a popular approach for detecting BOF attacks during program execution, and it can prevent or send warnings to take actions for avoiding the consequences of the exploitations. Currently, there is no detailed classification of the proposed monitoring approaches to understand their common characteristics, objectives, and limitations. In this paper, the authors classify runtime BOF attack monitoring and prevention approaches based on seven major characteristics. Finally, these approaches are compared for attack detection coverage based on a set of BOF attack types. The classification will enable researchers and practitioners to select an appropriate BOF monitoring approach or provide guidelines to build a new one.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"44 1","pages":"18-40"},"PeriodicalIF":0.0,"publicationDate":"2010-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"83186125","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Towards Tool-Support for Usable Secure Requirements Engineering with CAIRIS","authors":"Shamal Faily, I. Flechais","doi":"10.4018/IJSSE.2010070104","DOIUrl":"https://doi.org/10.4018/IJSSE.2010070104","url":null,"abstract":"Understanding how to better elicit, specify, and manage requirements for secure and usable software systems is a key challenge in security software engineering, however, there lacks tool-support for specifying and managing the voluminous amounts of data the associated analysis yields. Without these tools, the subjectivity of analysis may increase as design activities progress. This paper describes CAIRIS Computer Aided Integration of Requirements and Information Security, a step toward tool-support for usable secure requirements engineering. CAIRIS not only manages the elements associated with task, requirements, and risk analysis, it also supports subsequent analysis using novel approaches for analysing and visualising security and usability. The authors illustrate an application of CAIRIS by describing how it was used to support requirements analysis in a critical infrastructure case study.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"3 1","pages":"56-70"},"PeriodicalIF":0.0,"publicationDate":"2010-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"79358853","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Katana: Towards Patching as a Runtime Part of the Compiler-Linker-Loader Toolchain","authors":"S. Bratus, James Oakley, Ashwin Ramaswamy, Sean W. Smith, M. Locasto","doi":"10.4018/JSSE.2010070101","DOIUrl":"https://doi.org/10.4018/JSSE.2010070101","url":null,"abstract":"The mechanics of hot patching the process of upgrading a program while it executes remain understudied, even though it offers capabilities that act as practical benefits for both consumer and mission-critical systems. A reliable hot patching procedure would serve particularly well by reducing the downtime necessary for critical functionality or security upgrades. However, hot patching also carries the risk-real or perceived-of leaving the system in an inconsistent state, which leads many owners to forgo its benefits as too risky; for systems where availability is critical, this decision may result in leaving systems un-patched and vulnerable. In this paper, the authors present a novel method for hot patching ELF binaries that supports synchronized global data and code updates, and reasoning about the results of applying the hot patch. In this regard, the Patch Object format was developed to encode patches as a special type of ELF re-locatable object file. The authors then built a tool, Katana, which automatically creates these patch objects as a by-product of the standard source build process. Katana also allows an end-user to apply the Patch Objects to a running process.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"17 1","pages":"1-17"},"PeriodicalIF":0.0,"publicationDate":"2010-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"84679015","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Towards Designing E-Services that Protect Privacy","authors":"George Yee","doi":"10.4018/JSSE.2010040102","DOIUrl":"https://doi.org/10.4018/JSSE.2010040102","url":null,"abstract":"The growth of electronic services (e-services) has resulted in large amounts of personal information in the hands of service organizations like banks, insurance companies, and online retailers. This has led to the realization that such information must be protected, not only to comply with privacy regulations but also and more importantly, to attract clients. One important dimension of this goal is to design e-services that protect privacy. In this paper, the author proposes a design approach that incorporates privacy risk analysis of UML diagrams to minimize privacy risks in the final design. The approach iterates between the risk analysis and design modifications to eliminate the risks until a design is obtained that is close to being risk free. problem and then bringing the tools of access control to bear for privacy control (Adams & Barbieri, 2006), treating privacy protection as a privacy rights management problem using the techniques of digital rights management (Kenny & Korba, 2002), and considering privacy protection as a privacy policy compliance problem, verifying compliance with secure logs (Yee & Korba, 2004). However, most e-services today do not use the above approaches, preferring to rely instead on stating a privacy policy and then trying to follow that policy manually, without any of the above techniques or tools or any automated checks in place. As a result, the public is often the victim, as privacy leaks (e.g., credit card files stolen) are discovered and reported in the media. Thus, today’s e-services do a poor job of protecting consumer privacy and new effective approaches for such protection are always needed. This is the motivation for this work. DOI: 10.4018/jsse.2010040102 International Journal of Secure Software Engineering, 1(2), 18-34, April-June 2010 19 Copyright © 2010, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. The area of e-services has been chosen for this work because it probably holds the highest risk for the loss of privacy today, in terms of the amount of private information held and the growth of that information. Consider the following. E-services probably require the most consumer private information in order to function than any other type of application. This can be seen once one realizes that if an application requires consumer private information, it can probably be categorized as an e-service. E-services include e-health services where privacy is critical. E-services are growing very rapidly, along with the Internet. The various approaches for protecting privacy described above all presume to know where and what protection is needed. They presume that some sort of analysis has been done that answers the question of “where” and “what” with respect to privacy risks. Without such answers, the effectiveness of the protection comes into question. For example, protection against house break-ins is totally ineffective if the owner ","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"196 1","pages":"18-34"},"PeriodicalIF":0.0,"publicationDate":"2010-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"77086445","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Improving Memory Management Security for C and C++","authors":"Yves Younan, W. Joosen, F. Piessens, Hans Van den Eynden","doi":"10.4018/JSSE.2010040104","DOIUrl":"https://doi.org/10.4018/JSSE.2010040104","url":null,"abstract":"Memory managers are an important part of modern language and are used to dynamically allocate memory. Many managers exist; however, two major types can be identified: manual memory allocators and garbage collectors. In the case of manual memory allocators, the programmer must manually release memory back to the system when it is no longer needed. Problems can occur when a programmer forgets to release it, releases it twice or uses freed memory. These problems are solved in garbage collectors. However, both manual memory allocators and garbage collectors store management information. This paper describes several vulnerabilities for C and C++ and how these could be remedied by modifying the management information of a representative manual memory allocator and garbage collector. Additionally, the authors present an approach that, when applied to memory managers, will protect against these attack vectors.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"70 1","pages":"57-82"},"PeriodicalIF":0.0,"publicationDate":"2010-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"83920434","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}