Catálogo de publicaciones - libros

Over the last decade a bewildering array of techniques have been proposed to protect software from piracy, malicious reverse engineering , and tampering . While we can broadly classify these techniques as obfuscation, watermarking/fingerprinting, birthmarking , and tamperproofing there is a need for a more constructive taxonomy. In this paper we present a model of Surreptitious Software techniques inspired by defense mechanisms found in other areas: we will look at the way humans have historically protected themselves from each other and from the elements, how plants and animals have evolved to protect themselves from predators, and how secure software systems have been architected to protect against malicious attacks. In this model we identify a set of primitives which underlie many protection schemes. We propose that these primitives can be used to characterize existing techniques and can be combined to construct novel schemes which address a specific set of protective requirements.

The introduction of self-healing capabilities to software systems could offer a way to alter the current, unfavorable imbalance in the software security arms race. Consequently, self-healing software systems have emerged as a research area of particular interest in recent years. Motivated by the inability of traditional techniques to guarantee software integrity and availability, especially against motivated human adversaries, self-healing approaches are meant to complement existing approaches to security. In this paper, we provide a first attempt to characterize self-healing software systems by surveying some of the existing work in the field. We focus on systems that effect structural changes to the software under protection, as opposed to block-level system reconfiguration. Our goal is to begin mapping the space of software self-healing capabilities. We believe this to be a necessary first step in exploring the boundaries of the research space and understanding the possibilities that such systems enable, as well as determining the risks and limitations inherent in automatic-reaction schemes.

Secure protocols rely on a number of assumptions about the environment which, once made, free the designer from thinking about the complexity of what surrounds the execution context. Henceforth, the designer forgets about the environment and moves on proving her algorithm correct, given the assumptions. When assumptions do not represent with sufficient accuracy the environment they are supposed to depict, they may become the door to successful attacks on an otherwise mathematically correct algorithm. Moreover, this can happen as unwitting to systems as a Trojan Horse’s action. We wish to discuss the theoretical underpinnings of those problems and evaluate some recent research results that demonstrate a few of those limitations in actual secure protocols.

Smart cards are portable tamper-resistant cryptographic devices that play a key role in digital security. This paper reviews the latest use of smart cards in securing network, online services, operating systems, and card-holder identity. Smart card network authentication is routinely used on GSM and 3G networks, and this paper shows how the same infrastructure can be extended to perform WiFi access point authentication. Securing online services with smart card is traditionally performed using public key cryptography and certificates, or using one-time-passwords. This paper presents new smart card authentication methods that either allow to reuse already issued cards or infrastructure, or provide stronger card-to-server mutual authentication. Finally, the paper will show how smart cards and trusted platform module have complementary roles for recuring the operating systems, and the use of smart cards in identity frameworks such as liberty alliance or Microsoft cardspace.

The spread of viruses and worms has severe implications on the performance of virtually any network. Current methods to stop the propagation of malicious code rely on anti-virus signature recognition to prevent hosts from being infected. Unfortunately, the latency between the introduction of a new virus into a network and the implementation/distribution of a patch can be significant. Within this period, a network can be crippled by the abnormally high rate of traffic generated by infected hosts. Previous research has provided a mechanism for controlling the rate at which a host can make new network connections when exhibiting virus-like behavior. Extending this technology to network routers provides the benefit of network protection without the need for individual client support, and serves as an initial step in developing a virus-resilient network. This paper/presentation reflects on the unique challenge of adapting the Virus Throttle mechanism to HP ProCurve network switch routers. Also discussed is the method of proving that it works in realistic network conditions to protect against worms without interfering with normal network traffic.

During last decade the number of successful intruder attacks has increased in many times. The damage caused by these attacks is estimated in hundreds millions of dollars. Insiders have a significant advantage over others who might want to harm an organization. Insiders can bypass physical and technical security measures designed to prevent unauthorized access. Mechanisms such as firewalls, intrusion detection systems, and electronic building access systems are implemented primarily to defend against external cyber threats. In spite of the complexity the problem, insiders can be stopped by means of a layered defense strategy consisting of policies, procedures, and technical controls. The paper describes a threat model of insider attacks and modern technologies that allow to protect computer systems against insiders. The paper covers advantages and disadvantages of different approaches that are used nowadays for detection and prevention of insider attacks.

We integrate programming constructs for managing confidentiality in an ML-like imperative and higher-order programming language, dealing with both access control and information flow control. Our language includes in particular a construct for declassifying information, and constructs for granting, restricting or testing the read access level of a program. We introduce a type and effect system to statically check access rights and information flow. We show that typable programs are secure, that is, they do not attempt at making illegal read accesses, nor illegal information leakage. This provides us with a natural restriction on declassification, namely that a program may only declassify information that is has the right to read.

Delegation and trust are essential to the smooth operation of large, geographically distributed systems, such as the US electronic retail payment system. This system supports billions of electronic transactions— from routine banking and store purchases to electronic commerce on the Internet. Because such systems provide the electronic fabric of our networked information society, it is crucial to understand rigorously and precisely the basis for the delegation and trust relationships in them. In this paper, we use a modal logic for access control to analyze these relationships in the context of checks (and their electronic equivalents) as payment instruments. While not free from risk, the retail payment system effectively balances trust, delegation, and risk on billions of transactions. Our logic allows us to explore with rigor the details of trust, delegation, and risk in these transactions.

We consider a cryptographic scenario of two honest parties which share no secret key initially, but their final goal is to generate an information-theoretical secure key. In order to reach this goal they use assistance ofsome trusted center (as a satellite) that broadcasts a random string to legal users over noisy channels. An eavesdropper is able to receive also this string over another noisy channel. After an execution of the initialization phase, legal parties use discussion over noiseless public channels existing between them. The eavesdropper can intervene in the transmission and change the messages transmitted by legal parties. Thus, it is necessary to provide authentication of these messages. Otherwise the legal parties may agree a false key with the eavesdropper instead. In this paper we develop a concept of authentication based on noisy channels and present a performance evaluation of authentication procedures both for non-asymptotic and asymptotic cases.

A key assignment scheme is a model for enforcing an information flow policy using cryptographic techniques. Such schemes have been widely studied in recent years. Each security label is associated with a symmetric encryption key: data objects are encrypted and authorised users are supplied with the appropriate key(s). However, updates to encryption keys pose a significant problem, as the new keys have to be issued to all authorised users. In this paper, we propose three generic approaches to key assignment schemes that remove the problem of key redistribution following key updates. We analyse the overheads incurred by these approaches and conclude that these overheads are negligible in practical applications.