
2015 10th International Conference on Availability, Reliability and Security: Latest Papers

Yet Another Cybersecurity Roadmapping Methodology
Davide Ariu, Luca Didaci, G. Fumera, E. Frumento, Federica Freschi, G. Giacinto, F. Roli
In this paper we describe the road mapping methodology we developed in the context of the CyberROAD EU FP7 project, whose aim is to develop a research roadmap for cybercrime and cyber terrorism. To this aim we built on state-of-the-art methodologies and available guidelines, including related projects, and adapted them to the peculiarities of our road mapping subject. In particular, its distinctive feature is that cybercrime and cyber terrorism co-evolve with their contextual environment (i.e., technology, society, politics and economy), which poses specific challenges to a road mapping effort. Our approach can become a best practice in the field of cyber security, and can be also generalised to phenomena that exhibit a similar, strong co-evolution with their contextual environment. We aim to describe here the road mapping methodology that will lead to the roadmap but not the roadmap itself (this one being, incidentally, still under construction at the time of writing this paper).
DOI: https://doi.org/10.1109/ARES.2015.87 (published 2015-08-24)
Citations: 1
0-Day Vulnerabilities and Cybercrime
J. Armin, P. Foti, M. Cremonini
This study analyzes 0-day vulnerabilities in the broader context of cybercrime and economic markets. The work is based on the interviews of several leading experts and on a field research of the authors. In particular, cybercrime is considered when involving traditional criminal activities or when military operations are involved. A description of different 0-day vulnerability markets - White, Black and Government markets - is provided, as well as the characteristics of malware factories and their major customers are discussed.
DOI: https://doi.org/10.1109/ARES.2015.55 (published 2015-08-24)
Citations: 8
Towards Abuse Detection and Prevention in IaaS Cloud Computing
Jens Lindemann
Cloud computing is frequently being used to host online services. Abuse of cloud resources poses an important problem for cloud service providers. If third parties are affected by abuse, bad publicity or legal liabilities may ensue for the provider. There is an unsatisfactory level of protection against abuse of cloud offerings at the moment. In this paper, we analyse the current state of abuse detection and prevention in IaaS cloud computing. To establish what constitutes abuse in an IaaS environment, a survey of acceptable use policies of cloud service providers was conducted. We have found that existing intrusion detection and prevention techniques are only of limited use in this environment due to the high level of control that users can exercise over their resources. However, cloud computing opens up different opportunities for intrusion detection. We present possible approaches for abuse detection, which we plan to investigate further in future work.
DOI: https://doi.org/10.1109/ARES.2015.72 (published 2015-08-24)
Citations: 20
Towards Black Box Testing of Android Apps
Yury Zhauniarovich, A. Philippov, O. Gadyatskaya, B. Crispo, F. Massacci
Many state-of-art mobile application testing frameworks (e.g., Dynodroid [1], EvoDroid [2]) enjoy Emma [3] or other code coverage libraries to measure the coverage achieved. The underlying assumption for these frameworks is availability of the app source code. Yet, application markets and security researchers face the need to test third-party mobile applications in the absence of the source code. There exists a number of frameworks both for manual and automated test generation that address this challenge. However, these frameworks often do not provide any statistics on the code coverage achieved, or provide coarse-grained ones like a number of activities or methods covered. At the same time, given two test reports generated by different frameworks, there is no way to understand which one achieved better coverage if the reported metrics were different (or no coverage results were provided). To address these issues we designed a framework called BBOXTESTER that is able to generate code coverage reports and produce uniform coverage metrics in testing without the source code. Security researchers can automatically execute applications exploiting current state-of-art tools, and use the results of our framework to assess if the security-critical code was covered by the tests. In this paper we report on design and implementation of BBOXTESTER and assess its efficiency and effectiveness.
DOI: https://doi.org/10.1109/ARES.2015.70 (published 2015-08-24)
Citations: 34
Network Security Challenges in Android Applications
D. Buhov, Markus Huber, Georg Merzdovnik, E. Weippl, V. Dimitrova
The digital world is in constant battle for improvement - especially in the security field. Taking into consideration the revelations from Edward Snowden about the mass surveillance programs conducted by governmental authorities, the number of users that raised awareness towards security is constantly increasing. More and more users agree that additional steps must be taken to ensure the fact that communication will remain private as intended in the first place. Taking in consideration the ongoing transition in the digital world, there are already more mobile phones than people on this planet. According to recent statistics there are around 7 billion active cell phones by 2014 out of which nearly 2 billion are smartphones. The use of smartphones by itself could open a great security hole. The most common problem when it comes to Android applications is the common misuse of the HTTPS protocol. Having this in mind, this paper addresses the current issues when it comes to misuse of the HTTPS protocol and proposes possible solutions to overcome this common problem. In this paper we evaluate the SSL implementation in a recent set of Android applications and present some of the most common misuses. The goal of this paper is to raise awareness to current and new developers to actually consider security as one of their main goals during the development life cycle of applications.
DOI: https://doi.org/10.1109/ARES.2015.59 (published 2015-08-24)
Citations: 14
AnonCall: Making Anonymous Cellular Phone Calls
Eric Chan-Tin
The threat of mass surveillance and the need for privacy have become mainstream recently. Most of the anonymity schemes have focused on Internet privacy. We propose an anonymity scheme for cellular phone calls. The cellular phones form an ad-hoc network relaying phone conversations through direct wifi connections. A proof-of-concept implementation on an Android smartphone is completed and shown to work with minimal delay in communications.
DOI: https://doi.org/10.1109/ARES.2015.13 (published 2015-08-24)
Citations: 2
Intensifying State Surveillance of Electronic Communications: A Legal Solution in Addressing Extremism or Not?
M. Watney
Extremism appears to be on the increase. Electronic communication reaches countless people across borders, canvassing support for radical views and/or inciting hatred and/or violence. This legal discussion deals with many inter-related questions that are of global relevance as electronic communication permeates our lives. Should a government tighten surveillance of electronic communication to combat and/or detect extremism or do such information gathering practices violate the user's right to freedom of expression and privacy? Should government agencies carry out the surveillance or should the ISP as provider of access and/or hosting of information gather information on extremist communication? Will the aftermath of the 2013 Snowden revelations of unwarranted, general and bulk state surveillance result in governments being wary to tighten state surveillance powers or has the level of extremism reached such a degree that it warrants governments to focus on monitoring as a surveillance method counteracting radicalism that may endanger the safety and security of a country? Tension between human rights protection and government use of surveillance powers is unavoidable as some argue that security and safety factors are exaggerated to justify extension of state surveillance powers; however, the evidence of extremism unfortunately speaks for itself. This discussion provides an overview of the approach to surveillance a government may apply to online extremism.
DOI: https://doi.org/10.1109/ARES.2015.51 (published 2015-08-24)
Citations: 1
Uncovering Use-After-Free Conditions in Compiled Code
David Dewey, Bradley Reaves, Patrick Traynor
Use-after-free conditions occur when an execution path of a process accesses an incorrectly deallocated object. Such access is problematic because it may potentially allow for the execution of arbitrary code by an adversary. However, while increasingly common, such flaws are rarely detected by compilers in even the most obvious instances. In this paper, we design and implement a static analysis method for the detection of use-after-free conditions in binary code. Our new analysis is similar to available expression analysis and traverses all code paths to ensure that every object is defined before each use. Failure to achieve this property indicates that an object is improperly freed and potentially vulnerable to compromise. After discussing the details of our algorithm, we implement a tool and run it against a set of enterprise-grade, publicly available binaries. We show that our tool can not only catch textbook and recently released in-situ examples of this flaw, but that it has also identified 127 additional use-after-free conditions in a search of 652 compiled binaries in the Windows system32 directory. In so doing, we demonstrate not only the power of this approach in combating this increasingly common vulnerability, but also the ability to identify such problems in software for which the source code is not necessarily publicly available.
DOI: https://doi.org/10.1109/ARES.2015.61 (published 2015-08-24)
Citations: 10
QR Code Security -- How Secure and Usable Apps Can Protect Users Against Malicious QR Codes
Katharina Krombholz, P. Frühwirt, T. Rieder, Ioannis Kapsalis, Johanna Ullrich, E. Weippl
QR codes have emerged as a popular medium to make content instantly accessible. With their high information density and robust error correction, they have found their way to the mobile ecosystem. However, QR codes have also proven to be an efficient attack vector, e.g., to perform phishing attacks. Attackers distribute malicious codes under false pretenses in busy places or paste malicious QR codes over already existing ones on billboards. Ultimately, people depend on reader software to ascertain if a given QR code is benign or malicious. In this paper, we present a comprehensive analysis of QR code security. We determine why users are still susceptible to QR code based attacks and why currently deployed smartphone apps are unable to mitigate these attacks. Based on our findings, we present a set of design recommendations to build usable and secure mobile applications. To evaluate our guidelines, we implemented a prototype and found that secure and usable apps can effectively protect users from malicious QR codes.
DOI: https://doi.org/10.1109/ARES.2015.84 (published 2015-08-24)
Citations: 20
A Model for Specification and Validation of a Trust Management Based Security Scheme in a MANET Environment
Aida Ben Chehida Douss, Ryma Abassi, S. Fatmi
Recently, we proposed a reputation based trust management scheme built upon a Mobility-based Clustering Approach (MCA) organizing Mobile Ad hoc Network MANET and detecting and isolating malicious behaviors. The whole scheme was called TMCA (Trust based MCA) and was extended in a second time with a delegation process resulting in a proposition baptized DTMCA (Delegation TMCA based process). However, deploying such a scheme is error prone and it appears necessary to validate it before its real implementation. In fact, scheme specification and validation constitute two fundamental challenges in the development of secure communication systems ensuring that the scheme is correctly enforced and complete. Hence, the main contribution of this paper concerns a validation framework for DTMCA scheme. The first step towards validation process is its formal specification. This is our first concern in this paper: a formal specification language called SCMSL (Secured Clustered MANET Specification Language) defined through a syntax based on authorization and obligation rules and a clear semantics. The second part of this paper proves the two major characteristics that must be guaranteed in such case: consistency and completeness. Consistency is proved by showing that there is no conflict in our scheme whereas completeness is proved by assessing that all potential situations are handled. The proof of consistency and completeness is made using automated systems through the definition of adequate algorithms.
{"title":"A Model for Specification and Validation of a Trust Management Based Security Scheme in a MANET Environment","authors":"Aida Ben Chehida Douss, Ryma Abassi, S. Fatmi","doi":"10.1109/ARES.2015.92","DOIUrl":"https://doi.org/10.1109/ARES.2015.92","url":null,"abstract":"Recently, we proposed a reputation based trust management scheme built upon a Mobility-based Clustering Approach (MCA) organizing Mobile Ad hoc Network MANET and detecting and isolating malicious behaviors. The whole scheme was called TMCA (Trust based MCA) and was extended in a second time with a delegation process resulting a proposition baptized DTMCA (Delegation TMCA based process). However, deploying such scheme is error prone and it appears necessary to validate it before its real implementation. In fact, scheme specification and validation constitute two fundamental challenges in the development of secure communication systems ensuring that the scheme is correctly enforced and complete. Hence, the main contribution of this paper concerns a validation framework for DTMCA scheme. The first step towards validation process is its formal specification. This is our first concern in this paper: a formal specification language called SCMSL (Secured Clustered MANET Specification Language) defined through a syntax based on authorization and obligation rules and a clear semantics. The second part of this paper proves the two major characteristics that must be guaranteed in such case: consistency and completeness. Consistency is proved by showing that there is no conflict in our scheme whereas completeness is proved by assessing that all potential situations are handled. The proof of consistency and completeness is made using automated systems through the definition of adequate algorithms.","PeriodicalId":331539,"journal":{"name":"2015 10th International Conference on Availability, Reliability and Security","volume":"42 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-08-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124836488","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 2