发布求助
文献互助 智能选刊 最新文献

International journal of secure software engineering最新文献

筛选
英文 中文
An Empirical Bandwidth Analysis of Interrupt-Related Covert Channels 中断相关隐蔽信道的带宽实证分析
International journal of secure software engineering Pub Date : 2015-04-01 DOI: 10.4018/IJSSE.2015040101
Richard Gay, H. Mantel, Henning Sudbrock
{"title":"An Empirical Bandwidth Analysis of Interrupt-Related Covert Channels","authors":"Richard Gay, H. Mantel, Henning Sudbrock","doi":"10.4018/IJSSE.2015040101","DOIUrl":"https://doi.org/10.4018/IJSSE.2015040101","url":null,"abstract":"Interrupt-related covert channels IRCCs utilize hardware interrupts for enabling communication between processes. This article provides an empirical evaluation of IRCC vulnerabilities, based on an actual exploit. The evaluation combines experiments with an information-theoretic analysis for computing the channel bandwidth. The evaluation shows that a bandwidth of multiple bits per second is achievable in a desktop system via interrupts of a network interface card. This result clarifies the significance of this IRCC vulnerability for one particular system. The exploit presented is configurable, and the article provides a solution for computing an optimal exploit configuration for a given system. While side channels based on hardware interrupts have been discussed before, this is the first empirical evaluation of covert channels based on hardware interrupts.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"1 1","pages":"1-22"},"PeriodicalIF":0.0,"publicationDate":"2015-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"77850957","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 11
Calculating Quantitative Integrity and Secrecy for Imperative Programs 命令式程序的数量完整性和保密性计算
International journal of secure software engineering Pub Date : 2015-04-01 DOI: 10.4018/IJSSE.2015040102
Tom Chothia, Chris Novakovic, R. Singh
{"title":"Calculating Quantitative Integrity and Secrecy for Imperative Programs","authors":"Tom Chothia, Chris Novakovic, R. Singh","doi":"10.4018/IJSSE.2015040102","DOIUrl":"https://doi.org/10.4018/IJSSE.2015040102","url":null,"abstract":"This paper presents a framework for calculating measures of data integrity for programs in a small imperative language. The authors develop a Markov chain semantics for their language which calculates Clarkson and Schneider's definitions of data contamination, data suppression, program suppression and program transmission. The authors then propose their own definition of program integrity for probabilistic specifications. These definitions are based on conditional mutual information and entropy; they present a result relating them to mutual information, which can be calculated by a number of existing tools. The authors extend a quantitative information flow tool CH-IMP to calculate these measures of integrity and demonstrate this tool with examples including error correcting codes, the Dining Cryptographers protocol and the attempts by a number of banks to influence the Libor rate.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"49 1","pages":"23-46"},"PeriodicalIF":0.0,"publicationDate":"2015-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"77872460","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 1
Assessing the Usefulness of Testing for Validating and Correcting Security Risk Models Based on Two Industrial Case Studies 基于两个工业案例研究的安全风险模型验证和修正测试的有效性评估
International journal of secure software engineering Pub Date : 2015-04-01 DOI: 10.4018/IJSSE.2015040105
Gencer Erdogan, Fredrik Seehusen, K. Stølen, Jon Hofstad, J. Aagedal
{"title":"Assessing the Usefulness of Testing for Validating and Correcting Security Risk Models Based on Two Industrial Case Studies","authors":"Gencer Erdogan, Fredrik Seehusen, K. Stølen, Jon Hofstad, J. Aagedal","doi":"10.4018/IJSSE.2015040105","DOIUrl":"https://doi.org/10.4018/IJSSE.2015040105","url":null,"abstract":"The authors present the results of an evaluation in which the objective was to assess how useful testing is for validating and correcting security risk models. The evaluation is based on two industrial case studies. In the first case study the authors analyzed a multilingual financial Web application, while in the second case study they analyzed a mobile financial application. In both case studies, the testing yielded new information which was not found in the risk assessment phase. In particular, in the first case study, new vulnerabilities were found which resulted in an update of the likelihood values of threat scenarios and risks in the risk model. New vulnerabilities were also identified and added to the risk model in the second case study. These updates led to more accurate risk models, which indicate that the testing was indeed useful for validating and correcting the risk models.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"41 1","pages":"90-112"},"PeriodicalIF":0.0,"publicationDate":"2015-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"89535888","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 4
Risk-Based Privacy-Aware Information Disclosure 基于风险的隐私意识信息披露
International journal of secure software engineering Pub Date : 2015-04-01 DOI: 10.4018/IJSSE.2015040104
A. Armando, M. Bezzi, N. Metoui, A. Sabetta
{"title":"Risk-Based Privacy-Aware Information Disclosure","authors":"A. Armando, M. Bezzi, N. Metoui, A. Sabetta","doi":"10.4018/IJSSE.2015040104","DOIUrl":"https://doi.org/10.4018/IJSSE.2015040104","url":null,"abstract":"Risk-aware access control systems grant or deny access to resources based on the notion of risk. It has many advantages compared to classical approaches, allowing for more flexibility, and ultimately supporting for a better exploitation of data. The authors propose and demonstrate a risk-aware access control framework for information disclosure, which supports run-time risk assessment. In their framework access-control decisions are based on the disclosure-risk associated with a data access request and, differently from existing models, adaptive anonymization operations are used as risk-mitigation method. The inclusion of on-the-fly anonymization allows for extending access to data, still preserving privacy below the maximum tolerable risk. Risk thresholds can be adapted to the trustworthiness of the requester role, so a single access control framework can support multiple data access use cases, ranging from sharing data among a restricted (highly trusted) group to public release (low trust value). The authors have developed a prototype implementation of their framework and have assessed it by running a number of queries against the Adult Data Set from the UCI Machine Learning Repository, a publicly available dataset that is widely used by the research community. The experimental results are encouraging and confirm the feasibility of the proposed approach.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"66 1","pages":"70-89"},"PeriodicalIF":0.0,"publicationDate":"2015-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"74606641","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 15
Balancing Product and Process Assurance for Evolving Security Systems 为发展中的安全系统平衡产品和过程保证
International journal of secure software engineering Pub Date : 2015-01-01 DOI: 10.4018/ijsse.2015010103
Wolfgang Raschke, Massimiliano Zilli, Philip Baumgartner, Johannes Loinig, C. Steger, Christian Kreiner
{"title":"Balancing Product and Process Assurance for Evolving Security Systems","authors":"Wolfgang Raschke, Massimiliano Zilli, Philip Baumgartner, Johannes Loinig, C. Steger, Christian Kreiner","doi":"10.4018/ijsse.2015010103","DOIUrl":"https://doi.org/10.4018/ijsse.2015010103","url":null,"abstract":"At present, security-related engineering usually requires a big up-front design BUFD regarding security requirements and security design. In addition to the BUFD, at the end of the development, a security evaluation process can take up to several months. In today's volatile markets customers want to be able to influence the software design during the development process. Agile processes have proven to support these demands. Nevertheless, there is a clash between traditional security design and evaluation processes. In this paper, the authors propose an agile security evaluation method for the Common Criteria standard. This method is complemented by an implementation of a change detection analysis for model-based security requirements. This system facilitates the agile security evaluation process to a high degree. However, the application of the proposed evaluation method is limited by several constraints. The authors discuss these constraints and show how traditional certification schemes could be extended to better support modern industrial software development processes.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"51 1","pages":"47-75"},"PeriodicalIF":0.0,"publicationDate":"2015-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"87627786","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 2
A Pattern-Based and Tool-Supported Risk Analysis Method Compliant to ISO 27001 for Cloud Systems 基于模式和工具支持的符合ISO 27001的云系统风险分析方法
International journal of secure software engineering Pub Date : 2015-01-01 DOI: 10.4018/IJSSE.2015010102
A. Alebrahim, Denis Hatebur, Stephan Faßbender, Ludger Goeke, Isabelle Côté
{"title":"A Pattern-Based and Tool-Supported Risk Analysis Method Compliant to ISO 27001 for Cloud Systems","authors":"A. Alebrahim, Denis Hatebur, Stephan Faßbender, Ludger Goeke, Isabelle Côté","doi":"10.4018/IJSSE.2015010102","DOIUrl":"https://doi.org/10.4018/IJSSE.2015010102","url":null,"abstract":"To benefit from cloud computing and the advantages it offers, obstacles regarding the usage and acceptance of clouds have to be cleared. For cloud providers, one way to obtain customers' confidence is to establish security mechanisms when using clouds. The ISO 27001 standard provides general concepts for establishing information security in an organization. Risk analysis is an essential part in the ISO 27001 standard for achieving information security. This standard, however, contains ambiguous descriptions. In addition, it does not stipulate any method to identify assets, threats, and vulnerabilities. In this paper, the authors present a method for cloud computing systems to perform risk analysis according to the ISO 27001. The authors' structured method is tailored to SMEs. It relies upon patterns to describe context and structure of a cloud computing system, elicit security requirements, identify threats, and select controls, which ease the effort for these activities. The authors' method guides companies through the process of risk analysis in a structured manner. Furthermore, the authors provide a model-based tool for supporting the ISO 27001 standard certification. The authors' tool consists of various plug-ins for conducting different steps of their method.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"85 1","pages":"24-46"},"PeriodicalIF":0.0,"publicationDate":"2015-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"78215416","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 18
A Method and Case Study for Using Malware Analysis to Improve Security Requirements 利用恶意软件分析提高安全需求的方法和案例研究
International journal of secure software engineering Pub Date : 2015-01-01 DOI: 10.4018/ijsse.2015010101
N. Mead, J. Morales, G. Alice
{"title":"A Method and Case Study for Using Malware Analysis to Improve Security Requirements","authors":"N. Mead, J. Morales, G. Alice","doi":"10.4018/ijsse.2015010101","DOIUrl":"https://doi.org/10.4018/ijsse.2015010101","url":null,"abstract":"In this paper, the authors propose to enhance current software development lifecycle models by implementing a process for including use cases that are based on previous cyberattacks and their associated malware. Following the proposed process, the authors believe that developers can create future systems that are more secure, from inception, by including use cases that address previous attacks. In support of this, the authors present a case study of a malware sample that is used to generate new requirements for a mobile application.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"315 1","pages":"1-23"},"PeriodicalIF":0.0,"publicationDate":"2015-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"77250551","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 7
Evolution of Security Engineering Artifacts: A State of the Art Survey 安全工程工件的演化:技术现状调查
International journal of secure software engineering Pub Date : 2014-10-01 DOI: 10.4018/IJSSE.2014100103
M. Felderer, Basel Katt, P. Kalb, J. Jürjens, Martín Ochoa, F. Paci, L. M. Tran, T. Tun, Koen Yskout, R. Scandariato, F. Piessens, Dries Vanoverberghe, Elizabeta Fourneret, M. Gander, Bjørnar Solhaug, R. Breu
{"title":"Evolution of Security Engineering Artifacts: A State of the Art Survey","authors":"M. Felderer, Basel Katt, P. Kalb, J. Jürjens, Martín Ochoa, F. Paci, L. M. Tran, T. Tun, Koen Yskout, R. Scandariato, F. Piessens, Dries Vanoverberghe, Elizabeta Fourneret, M. Gander, Bjørnar Solhaug, R. Breu","doi":"10.4018/IJSSE.2014100103","DOIUrl":"https://doi.org/10.4018/IJSSE.2014100103","url":null,"abstract":"Security is an important quality aspect of modern open software systems. However, it is challenging to keep such systems secure because of evolution. Security evolution can only be managed adequately if it is considered for all artifacts throughout the software development lifecycle. This article provides state of the art on the evolution of security engineering artifacts. The article covers the state of the art on evolution of security requirements, security architectures, secure code, security tests, security models, and security risks as well as security monitoring. For each of these artifacts the authors give an overview of evolution and security aspects and discuss the state of the art on its security evolution in detail. Based on this comprehensive survey, they summarize key issues and discuss directions of future research.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"50 1","pages":"48-98"},"PeriodicalIF":0.0,"publicationDate":"2014-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"87318895","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 16
Validating Security Design Pattern Applications by Testing Design Models 通过测试设计模型来验证安全设计模式应用程序
International journal of secure software engineering Pub Date : 2014-10-01 DOI: 10.4018/ijsse.2014100101
Takanori Kobashi, Nobukazu Yoshioka, H. Kaiya, H. Washizaki, T. Okubo, Y. Fukazawa
{"title":"Validating Security Design Pattern Applications by Testing Design Models","authors":"Takanori Kobashi, Nobukazu Yoshioka, H. Kaiya, H. Washizaki, T. Okubo, Y. Fukazawa","doi":"10.4018/ijsse.2014100101","DOIUrl":"https://doi.org/10.4018/ijsse.2014100101","url":null,"abstract":"Software developers are not necessarily security experts, confirming potential threats and vulnerabilities at an early stage of the development process (e.g., in the requirementand design-phase) is insufficient. Additionally, even if designed software considers security at an early stage, whether the software really satisfies the security requirements must be confirmed. To realize secure design, this work proposes an application to validate security patterns using model testing. Its method provides extended security patterns, which include requirementand design-level patterns as well as a new model testing process using these patterns. After a developer specifies threats and vulnerabilities in the target system during an early stage of development, this method can validate whether the security patterns are properly applied and assess if these vulnerabilities are resolved. Validating Security Design Pattern Applications by Testing Design Models","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"1 1","pages":"1-30"},"PeriodicalIF":0.0,"publicationDate":"2014-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"83000659","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 7
A Tagging Approach to Extract Security Requirements in Non-Traditional Software Development Processes 非传统软件开发过程中提取安全需求的标记方法
International journal of secure software engineering Pub Date : 2014-10-01 DOI: 10.4018/ijsse.2014100102
Annette Tetmeyer, Daniel D. Hein, H. Saiedian
{"title":"A Tagging Approach to Extract Security Requirements in Non-Traditional Software Development Processes","authors":"Annette Tetmeyer, Daniel D. Hein, H. Saiedian","doi":"10.4018/ijsse.2014100102","DOIUrl":"https://doi.org/10.4018/ijsse.2014100102","url":null,"abstract":"While software security has become an expectation, stakeholders often have difficulty expressing such expectations. Elaborate (and expensive) frameworks to identify, analyze, validate and incorporate security requirements for large software systems (and organizations) have been proposed, however, small organizations working within short development lifecycles and minimal resources cannot justify such frameworks and often need a light and practical approach to security requirements engineering that can be easily integrated into their existing development processes. This work presents an approach for eliciting, analyzing, prioritizing and developing security requirements which can be integrated into existing software development lifecycles for small organizations. The approach is based on identifying candidate security goals using part of speech (POS) tagging, categorizing security goals based on canonical security definitions, and understanding the stakeholder goals to develop preliminary security requirements and to prioritize them. It uses a case study to validate the feasibility and effectiveness of the proposed approach. A Tagging Approach to Extract Security Requirements in Non-Traditional Software Development Processes","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"33 1","pages":"31-47"},"PeriodicalIF":0.0,"publicationDate":"2014-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"80089806","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 6
首页 上一页 下一页 尾页
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
请完成安全验证×
相关产品
×
本文献相关产品
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信