WOSIS 2011 Abstracts


Full Papers
Paper Nr: 2
Title:

A Comparative Review of Cloud Security Proposals with ISO/IEC 27002

Authors:

Oscar Rebollo, Daniel Mellado and Eduardo Fernández-Medina

Abstract: Information Security is considered one of the main reasons why users are reluctant to adopt the new generation of services offered by cloud computing providers. In order to minimize risks, some security proposals have been developed, with the purpose of facing a wide range of security concerns. This paper reviews these existing approaches and defines a security comparative framework, based on ISO/IEC 27002, suitable for the cloud environment. The analysis process of these alternatives shows a partial compliance with the defined requirements as each one is focused on different issues. As a consequence, more investigation is needed to achieve a comprehensive cloud security framework. The results of this paper highlight the gaps and weaknesses of each proposal, so that directions are settled for future work.

Paper Nr: 4
Title:

Security Pattern Mining: Systematic Review and Proposal

Authors:

Santiago Moral-García, Santiago Moral-Rubio and Eduardo Fernández-Medina

Abstract: Organizations have suffered an increase in cyber attacks in recent years. For this reason, they need to guarantee confidentiality, integrity and availability of their information assets. To do this, they should seek support from security architectures. Security patterns are a good way to design security architectures, but most current security patterns are not applicable to this field. In a previous work, we defined a new pattern template to support the design of security architectures. After that work, we realized that it was necessary to discover and identify new security patterns adapted to this template, in order to facilitate the work of those security engineers who design architectures. A good way to discover and identify new patterns is pattern mining; therefore, in this paper we have carried out a Systematic Review (SR) of security pattern mining. After performing the SR, we have reached the conclusion that the proposals analyzed do not fulfill all main requirements to cover our needs. That’s the reason why we have defined a high-level architecture of a new framework to discover, design and document security patterns focused on the design of security architectures.

Paper Nr: 5
Title:

Accessing Cloud through API in a More Secure and Usable Way

Authors:

HongQian Karen Lu

Abstract: A common method for accessing and managing cloud computing resources is through an Application Programming Interface (API). Each API request from an application must include a client authentication to the cloud service, which proves the possession of a secret key. Securing such keys is critical to the confidentiality, integrity, and availability of the data and services hosted in the cloud. Currently users manually handle these keys; a process that is neither secure nor user-friendly. Where to store the keys and how to access them are still security challenges especially for those applications that reside in the cloud themselves. Furthermore, keys are in clear text at least in a computer’s memory. Attackers can find ways to recover them. This paper presents a solution to these problems by using portable security devices. The device securely exchanges keys with the cloud serve, securely stores the keys, and performs cryptographic computations using these keys for the client authentication. The user must have the device and authenticate to it in order use it. The solution enables a two-factor hierarchical security protection of the cloud computing resources. It not only enhances the security but also improves the usability.

Paper Nr: 10
Title:

Enhancing Cryptographic Code Against Side Channel Cryptanalysis With Aspects

Authors:

Jérôme Dossogne and Stephane Fernandes Medeiros

Abstract: In this paper we introduce a new way to protect software implementation of cryptographic protocols against Side Channel Attacks (SCA) using Aspect Oriented Programming (AOP). For this purpose we have implemented the RSA algorithm in Java and our aspects with AspectJ. As a result, we show how AOP can help tremendously to enhance cryptographic protocols against SCA with nearly no negative side-effects. Moreover, we illustrate a new countermeasure against timing attacks aiming for the simple modular exponentiation technique. Our simulation performs a timing attack against the hamming weight of the secret key in a RSA cryptosystem. The success rate of the attack drops from 80% to 0% with our countermeasure.

Paper Nr: 11
Title:

Expert Assessment on the Probability of Successful Remote Code Execution Attacks

Authors:

Hannes Holm, Teodor Sommestad, Ulrik Franke and Mathias Ekstedt

Abstract: This paper describes a study on how cyber security experts assess the importance of three variables related to the probability of successful remote code execution attacks – presence of: (i) non-executable memory, (ii) access and (iii) exploits for High or Medium vulnerabilities as defined by the Common Vulnerability Scoring System. The rest of the relevant variables were fixed by the environment of a cyber defense exercise where the respondents participated. The questionnaire was fully completed by fifteen experts. These experts perceived access as the most important variable and availability of exploits for High vulnerabilities as more important than Medium vulnerabilities. Non-executable memory was not seen as significant, however, presumably due to lack of address space layout randomization and canaries in the network architecture of the cyber defense exercise scenario.

Paper Nr: 13
Title:

Towards a Pattern-Based Security Methodology to Build Secure Information Systems

Authors:

Roberto Ortiz, Santiago Moral-Rubio, Javier Garzás and Eduardo Fernández-Medina

Abstract: Methodologies for the construction of secure systems provide a controlled, planned development process, with verifications in all stages, thus avoiding unexpected errors and leading to an improvement in the quality and security of the system produced. These methodologies can be enriched from the use of security patterns, since these tools are widely accepted by both the scientific community and industry for the construction of secure information systems owing to the fact that they accumulate security experts’ knowledge in a documented and structured manner, thus providing a systematic means to solve recurrent problems. In this paper we present a first approximation of a pattern-based security methodology to support both the construction of secure information systems and maintenance of the level of security attained. This proposal is based on real case studies, and is now in the first stages of application in real settings. Interesting results are already appearing that will allow us to refine and validate the proposal.

Paper Nr: 14
Title:

An efficient Security Solution for Dealing with Shortened URL Analysis

Authors:

Jaime Devesa, Xabier Cantero, Gonzalo Alvarez and Pablo G. Bringas

Abstract: With the boom of the Internet, and particularly of social networks, information sharing possibilities have increased. In this context, the so called URL shortening services, consisting of compacting a web link into a much shorter and manageable one, have arisen. However, the popularity of Web 2.0 also causes users to be unprotected against certain types of unwanted contents and attacks motivated by the desire of economic profit, which translates as an exponential increase in security incidents. Moreover, URL shortening services provide attackers a new method of obfuscation to malicious web links, hindering the analysis and detection of unwanted sites. Thus, we propose here a solution to solve the real destination of a shortened URL, analysing it in terms of security.

Paper Nr: 18
Title:

A Privacy Model for Social Networks

Authors:

Alban Gabillon

Abstract: This paper defines a new multilevel privacy model for social networks like Facebook. This model is user-friendly i.e. it does not require the users to alter some security settings. It provides the users with a privacy policy with a high expressive power. First, authorizations are based on the type of relationships that the users have between them. Second, relationships themselves are protected.

Paper Nr: 20
Title:

Enhancing Cooperation in Wireless Vehicular Networks

Authors:

J. Molina-Gil, P. Caballero-Gil and C. Caballero-Gil

Abstract: Vehicular Ad-hoc NETworks (VANETs) may be seen as a special case of mobile ad-hoc networks, featured by their high mobility and changing topology. They will become very important in our society because of their applications in traffic safety and management. Operations in VANETs rely on the cooperation of participating nodes to route data for each other. Consequently, the quality of communication in VANETs can be degraded if the number of non-cooperative vehicles is very large. As distributed networks, nodes might behave noncooperatively for their own benefits. In order to prevent this non-cooperative behaviour from tampering packet relaying in the network, in this work we propose a self-organized and decentralized security mechanism. The system combines different techniques based on time and distance, reputation lists and acknowledgment messages. Within our proposal, privacy and integrity are protected while misbehaving and faulty nodes are detected and prevented from disrupting the network by using tools implemented with current technology. As an example of application of the proposal, its use to avoid traffic congestions is shown.

Paper Nr: 26
Title:

Towards a Semantic Web-enabled Knowledge Base to Elicit Security Requirements for Misuse Cases

Authors:

Haibo Hu, Dan Yang, Hong Xiang, Li Fu, Chunxiao Ye and Ren Li

Abstract: Eliciting security requirements is critical but hard for non-expert to fulfill an exhaustive analysis on large body of security knowledge. Emerging models in requirements engineering (RE) society release some burden of such difficulty, as well as security ontologies are booming for knowledge sharing and reuse. There exists necessity for the synergy of them, such as utilizing security ontology (SO) as the back end of Knowledge Base (KB) for capturing security requirements by using known RE models. Research advances in the Semantic Web (SW) community provide a common framework of technologies that allows data to be shared and reused across boundaries of various application and community. This paper proposes a knowledge base which is constructed on SO and Misuse Case Model (MCM), by representing them into OWL (Web Ontology Language). Semantic rules can be derived from the correlation of SO and MCM to be utilized for reasoning and querying security knowledge via MCM-based requirements elicitation. The proposed KB coordinates SO with a specific RE model to facilitate knowledge sharing to be a foundation for eliciting security requirements auto-matically.

Short Papers
Paper Nr: 6
Title:

A Trusted Routing Based Service Discovery Protocol with Backup Nodes in MANETs

Authors:

Min-Hua Shao, Yi-Ping Lee, Yen-Fen Hou and Cheng-Yi Ho

Abstract: The wireless MANET is particularly vulnerable on account of its intrinsic characteristics of open medium, dynamic topology, absence of central authorities, distributed cooperation and constrained capability. These vulnerabilities create significant challenges for routing protocols operating in the entire network. They have inspired lot of research interests regarding node connectivity in MANETs, but very few measures exist to trust-integrated cooperation for service discovery. In this paper, we employ cross-layer approaches to propose a new trusted routing based service discovery protocol called TRSDP. The TRSDP is a kind of a reactive routing protocol, improved on the Dynamic Source Routing. Moreover, a backup node mechanism for quick reconnection during link failures is provided in TRSDP in order to cope with the dynamism of such networks. Case studies involving security and service discovery scenarios were presented to demonstrate how the proposed protocol works. As a result, this paper gives a solution for the trusted and efficient cooperation of routing and service discovery in MANETs.

Paper Nr: 8
Title:

Architecture of Plagiarism Detection Service that Does Not Violate Intellectual Property of the Student

Authors:

Sergey Butakov, Craig Barber, Vadim Diagilev and Alexey Mikhailov

Abstract: Plagiarism detection services (PDS) have become a vital part of Learning Management Systems (LMS). Commercial or non-commercial PDS can be easily attached to the most popular LMS these days. In most such systems, to compare a submitted work with all possible sources on the Internet a university has to transfer the student submission to the third party. Such an approach is often criticized by students who may see a violation of copyright law in this process. This paper outlines an improved approach for PDS development that should allow universities to avoid such criticism. The major proposed alteration of the mainstream architecture of the improved PDS is a move of document preprocessing and search result clarification from the server side to the client side. Such a split allows users to submit only limited information to the third party, and to do so in a way that will not make it possible to fully recover the submitted work but will allow the PDS to maintain the same search quality.

Paper Nr: 27
Title:

Desirable Characteristics for an ISMS Oriented to SMEs

Authors:

Antonio Santos-Olmo, Luis Enrique Sánchez, Eduardo Fernández-Medina and Mario Piattini

Abstract: Information Society depends more and more on Information Security Management Systems (ISMSs) and the availability of these systems has become vital for SMEs’ evolution. However, this kind of companies need that ISMSs are adapted to their special characteristics as well as optimized from the viewpoint of the necessary resources to implement and maintain them. In this paper, we present an analysis of the different proposals that are arising oriented to im-plement ISMSs into SMEs with the purpose of determining the characteristics that a security management methodology oriented to SMEs should have.

Paper Nr: 28
Title:

Automated Security Metrics in ISMSs to Discover the Level of Security of OSs and DBMSs

Authors:

Angel Gallego, Antonio Santos-Olmo, Luís Enrique Sánchez and Eduardo Fernández-Medina

Abstract: The information society is ever-increasingly dependent upon Information Security Management Systems (ISMSs), and the availability of these systems has come to be vital to the evolution of SMEs. However, this type of companies requires ISMSs which have been adapted to their particular characteristics, and which are optimised from the point of view of the resources that are necessary to install and maintain them. This paper concentrates on the development of a process for ISMSs that will allow the level of security of critical applications installed in these sytems, i.e., Operative Systems and Data Base Management Systems, to be measured. This process is currently being directly applied in real cases, thus leading to an improvement in its application.

Paper Nr: 29
Title:

Implementation of the Finite Automaton Public Key Cryptosystem on FPGA

Authors:

Dina Satybaldina, Altynbek Sharipbayev and Aigul Adamova

Abstract: Hardware implementation aspects of the finite automaton public key cryptosystem are discussed in this paper. A general architecture of the multiplication of a square matrix on a vector over GF(q) is presented in the paper. Our design was implemented on Altera EP3C5E144C8N of the Cyclone III FPGA family. The performance of finite automaton public key cryptosystems is mainly appointed by the efficiency of the underlying finite field arithmetic. The results are compared with reported reconfigurable hardware implementations of RSA. Proposed hardware realization of cryptographic system allows organizing pipeline calculations.