Recent research has demonstrated the severity of co-residency side-channel attacks on computing clouds. These attacks have been successfully employed by malicious tenants to extract sensitive private information from selected neighboring tenants. Solutions towards addressing such attacks have presented customized solutions for specific variants of these attacks that often require significant modifications to the hardware, client virtual machines (VM), or hypervisors. These solutions are not generic and will not succeed with mutating versions of these attacks. Except for the impractical, resource inefficient, and costly single tenant solutions, co-residency will always be an issue to cloud service providers. In this paper, inspired from the camouflaging process of the sea chameleons evading predators, we present MIGRATE. MIGRATE is a container management framework that employs resource-efficient, scalable, real-time moving target defense to obfuscate the container execution behavior complicating the attacker's task to locate their targets. MIGRATE, offers generic defense against side-channel attacks and employs efficient real-time probabilistic random migrations of cloud tenants' applications contained in Linux containers between different hosts. To minimize the probability of attacker-victim co-residency on the same host. Eliminating the stable co-residency issue eliminates most of the side-channel attacks that face such a platform. Given the current implementation of MIGRATE tested on VMware V-Sphere Cloud, results showed that it can induce high frequency migrations with almost no effect on the enclosed applications making it suitable for mission-critical applications and as a mitigation against fast side-channel attacks.
{"title":"MIGRATE: Towards a Lightweight Moving-Target Defense Against Cloud Side-Channels","authors":"M. Azab, M. Eltoweissy","doi":"10.1109/SPW.2016.28","DOIUrl":"https://doi.org/10.1109/SPW.2016.28","url":null,"abstract":"Recent research has demonstrated the severity of co-residency side-channel attacks on computing clouds. These attacks have been successfully employed by malicious tenants to extract sensitive private information from selected neighboring tenants. Solutions towards addressing such attacks have presented customized solutions for specific variants of these attacks that often require significant modifications to the hardware, client virtual machines (VM), or hypervisors. These solutions are not generic and will not succeed with mutating versions of these attacks. Except for the impractical, resource inefficient, and costly single tenant solutions, co-residency will always be an issue to cloud service providers. In this paper, inspired from the camouflaging process of the sea chameleons evading predators, we present MIGRATE. MIGRATE is a container management framework that employs resource-efficient, scalable, real-time moving target defense to obfuscate the container execution behavior complicating the attacker's task to locate their targets. MIGRATE, offers generic defense against side-channel attacks and employs efficient real-time probabilistic random migrations of cloud tenants' applications contained in Linux containers between different hosts. To minimize the probability of attacker-victim co-residency on the same host. Eliminating the stable co-residency issue eliminates most of the side-channel attacks that face such a platform. Given the current implementation of MIGRATE tested on VMware V-Sphere Cloud, results showed that it can induce high frequency migrations with almost no effect on the enclosed applications making it suitable for mission-critical applications and as a mitigation against fast side-channel attacks.","PeriodicalId":341207,"journal":{"name":"2016 IEEE Security and Privacy Workshops (SPW)","volume":"101 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116074972","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Mobile users are unlikely to guard against information security risks that do not come to mind in typical situations. As more people conduct sensitive transactions through mobile devices, what risks do they perceive? To inform the design of mobile applications we present a user study of perceived risk for information technology workers accessing company data, consumers using mobile personal banking, and doctors accessing medical records. Shoulder surfing and network snooping were the most commonly cited classes of risk, and perceived risk was influenced by the surrounding environment and source of information. However, overall risk awareness was low. The possible risks of device theft and loss, hacking, malware and data stored on devices were not prominent concerns. The study also revealed differences in the way the groups think about network-related threats. Based on these results, we suggest research directions for effective protection of sensitive data in mobile environments.
{"title":"Perceptions of Risk in Mobile Transaction","authors":"Shari Trewin, C. Swart, Larry Koved, Kapil Singh","doi":"10.1109/SPW.2016.37","DOIUrl":"https://doi.org/10.1109/SPW.2016.37","url":null,"abstract":"Mobile users are unlikely to guard against information security risks that do not come to mind in typical situations. As more people conduct sensitive transactions through mobile devices, what risks do they perceive? To inform the design of mobile applications we present a user study of perceived risk for information technology workers accessing company data, consumers using mobile personal banking, and doctors accessing medical records. Shoulder surfing and network snooping were the most commonly cited classes of risk, and perceived risk was influenced by the surrounding environment and source of information. However, overall risk awareness was low. The possible risks of device theft and loss, hacking, malware and data stored on devices were not prominent concerns. The study also revealed differences in the way the groups think about network-related threats. Based on these results, we suggest research directions for effective protection of sensitive data in mobile environments.","PeriodicalId":341207,"journal":{"name":"2016 IEEE Security and Privacy Workshops (SPW)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129647286","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Security and privacy of computation, and the related concept of (deliberate) sharing, have, historically, largely been afterthoughts. In a traditional multi-user, multi-application Web hosting environment, typically applications are public by default. Applications wishing to offer a notion of private resources must take it upon themselves to independently manage authentication and authorization of users, leading to difficult and disjointed notions of access and sharing. In such a context, LangSec-based vulnerabilities threaten catastrophic loss of privacy for all users of the system, likely even of non-vulnerable applications. This is a tragic state of affairs, but is thankfully not inevitable! We present the Sandstorm system, a capability-based, private-bydefault, tightly-sandboxing, proactively secure environment for running web applications, complete with a single, pervasive sharing mechanism. Sandstorm, and capability systems, are likely of interest to the LangSec community: LangSec bugs are mitigated through the robust isolation imposed by the Sandstorm supervisor, and the mechanism of capability systems offers the potential to turn difficult authorization decisions into LangSec's bread and butter, namely syntactic constraints on requests: every well-formed request which can be stated is authorized. We present aspects of the Sandstorm system and show how those aspects have, by building systematic protection into several levels of the system, dramatically reduced the severity of LangSec bugs in hosted applications. To study the range of impact, we will characterize addressed vulnerabilities using MITRE's Common Weakness Enumeration (CWE) scheme.
{"title":"Research Report: Mitigating LangSec Problems with Capabilities","authors":"N. Filardo","doi":"10.1109/SPW.2016.57","DOIUrl":"https://doi.org/10.1109/SPW.2016.57","url":null,"abstract":"Security and privacy of computation, and the related concept of (deliberate) sharing, have, historically, largely been afterthoughts. In a traditional multi-user, multi-application Web hosting environment, typically applications are public by default. Applications wishing to offer a notion of private resources must take it upon themselves to independently manage authentication and authorization of users, leading to difficult and disjointed notions of access and sharing. In such a context, LangSec-based vulnerabilities threaten catastrophic loss of privacy for all users of the system, likely even of non-vulnerable applications. This is a tragic state of affairs, but is thankfully not inevitable! We present the Sandstorm system, a capability-based, private-bydefault, tightly-sandboxing, proactively secure environment for running web applications, complete with a single, pervasive sharing mechanism. Sandstorm, and capability systems, are likely of interest to the LangSec community: LangSec bugs are mitigated through the robust isolation imposed by the Sandstorm supervisor, and the mechanism of capability systems offers the potential to turn difficult authorization decisions into LangSec's bread and butter, namely syntactic constraints on requests: every well-formed request which can be stated is authorized. We present aspects of the Sandstorm system and show how those aspects have, by building systematic protection into several levels of the system, dramatically reduced the severity of LangSec bugs in hosted applications. To study the range of impact, we will characterize addressed vulnerabilities using MITRE's Common Weakness Enumeration (CWE) scheme.","PeriodicalId":341207,"journal":{"name":"2016 IEEE Security and Privacy Workshops (SPW)","volume":"7 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129667340","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
We previously presented a theory of analysis for expressive low-level languages that is capable of proving non-interference for expressive languages. We now provide an independent result for the taint-flow analysis that drives tracking of information. In particular, we show that the taint-tracking can be derived from the results of a taint-free analysis. In addition to improving performance, this independence broadens the applicability of the underlying approach to information-flow analysis.
{"title":"A Posteriori Taint-Tracking for Demonstrating Non-interference in Expressive Low-Level Languages","authors":"P. Aldous, M. Might","doi":"10.1109/SPW.2016.58","DOIUrl":"https://doi.org/10.1109/SPW.2016.58","url":null,"abstract":"We previously presented a theory of analysis for expressive low-level languages that is capable of proving non-interference for expressive languages. We now provide an independent result for the taint-flow analysis that drives tracking of information. In particular, we show that the taint-tracking can be derived from the results of a taint-free analysis. In addition to improving performance, this independence broadens the applicability of the underlying approach to information-flow analysis.","PeriodicalId":341207,"journal":{"name":"2016 IEEE Security and Privacy Workshops (SPW)","volume":"41 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116520482","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Differential privacy (DP) is a framework to quantify to what extent individual privacy in a statistical database is preserved while releasing useful aggregate information about the database. In this work, we aim an exploratory study to understand questions related to the optimality of noise generation mechanisms (NGMs) in differential privacy by taking into consideration the (i) query sensitivity, (ii) query side information, and (iii) the presence of longitudinal and collusion attacks. The results/observations from our study serve three important purposes: (i) provide us with conjectures on appropriate (in the sense of privacy-utility tradeoffs) oblivious NGM selection for scalar queries in both non-Bayesian as well as Bayesian user settings, (ii) provide supporting evidence and counterexamples to existing theory results on the optimality of NGMs when they are tested on a relaxed assumption set, and (ii) lead to a string of interesting open questions for the theory community in relation to the design and analysis of provably optimal oblivious differential privacy mechanisms.
{"title":"Oblivious Mechanisms in Differential Privacy: Experiments, Conjectures, and Open Questions","authors":"Chien-Lun Chen, R. Pal, L. Golubchik","doi":"10.1109/SPW.2016.27","DOIUrl":"https://doi.org/10.1109/SPW.2016.27","url":null,"abstract":"Differential privacy (DP) is a framework to quantify to what extent individual privacy in a statistical database is preserved while releasing useful aggregate information about the database. In this work, we aim an exploratory study to understand questions related to the optimality of noise generation mechanisms (NGMs) in differential privacy by taking into consideration the (i) query sensitivity, (ii) query side information, and (iii) the presence of longitudinal and collusion attacks. The results/observations from our study serve three important purposes: (i) provide us with conjectures on appropriate (in the sense of privacy-utility tradeoffs) oblivious NGM selection for scalar queries in both non-Bayesian as well as Bayesian user settings, (ii) provide supporting evidence and counterexamples to existing theory results on the optimality of NGMs when they are tested on a relaxed assumption set, and (ii) lead to a string of interesting open questions for the theory community in relation to the design and analysis of provably optimal oblivious differential privacy mechanisms.","PeriodicalId":341207,"journal":{"name":"2016 IEEE Security and Privacy Workshops (SPW)","volume":"50 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128132664","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
The point of Software-Defined Infrastructure is an infrastructure that is at once more flexible, controllable, and transparent to user and developer. One important characteristic of this infrastructure is that it is not owned or controlled by the user. At runtime, it is an opaque black box. Thus, it must have guaranteed properties of both performance and function. Infrastructure also has limited visibility and debuggability. It's hard to diagnose network problems, and it's hard to diagnose runtime issues on a remote system. Thus, programs which manipulate the infrastructure (e.g., orchestration systems, SDN applications, etc.) should have their infrastructure manipulations verified, to the extent that this is possible â?A S we need to catch bugs statically to the extent that we can, performance and correctness both. Fortunately, infrastructure configurations ought to be inherently verifiable. Verification of state-free systems is in NP; verification of finite-state systems, at least for safety properties, is similarly in NP It has been shown by a number of authors that OpenFlow rulesets are state-free, and verification is therefore in NP. Similar arguments can be made for various orchestration layers and workflow engines, depending on precise semantics. These results imply that the underlying model of computation for configuration of software-defined networking and at least some elements of software-defined infrastructure are state-free or, at worst, finite-state, and therefore that verification of these systems is relatively tractable. It is, at the least, not undecidable. The large challenge before the community is then to design configuration models for software-defined infrastructure that preserve the precise and weak semantics of the implementation domain; offer appropriate abstractions of performance characteristics; and nonetheless retain usability and concision.
{"title":"Declarative Verifiable SDI Specifications","authors":"R. McGeer","doi":"10.1109/SPW.2016.49","DOIUrl":"https://doi.org/10.1109/SPW.2016.49","url":null,"abstract":"The point of Software-Defined Infrastructure is an infrastructure that is at once more flexible, controllable, and transparent to user and developer. One important characteristic of this infrastructure is that it is not owned or controlled by the user. At runtime, it is an opaque black box. Thus, it must have guaranteed properties of both performance and function. Infrastructure also has limited visibility and debuggability. It's hard to diagnose network problems, and it's hard to diagnose runtime issues on a remote system. Thus, programs which manipulate the infrastructure (e.g., orchestration systems, SDN applications, etc.) should have their infrastructure manipulations verified, to the extent that this is possible â?A S we need to catch bugs statically to the extent that we can, performance and correctness both. Fortunately, infrastructure configurations ought to be inherently verifiable. Verification of state-free systems is in NP; verification of finite-state systems, at least for safety properties, is similarly in NP It has been shown by a number of authors that OpenFlow rulesets are state-free, and verification is therefore in NP. Similar arguments can be made for various orchestration layers and workflow engines, depending on precise semantics. These results imply that the underlying model of computation for configuration of software-defined networking and at least some elements of software-defined infrastructure are state-free or, at worst, finite-state, and therefore that verification of these systems is relatively tractable. It is, at the least, not undecidable. The large challenge before the community is then to design configuration models for software-defined infrastructure that preserve the precise and weak semantics of the implementation domain; offer appropriate abstractions of performance characteristics; and nonetheless retain usability and concision.","PeriodicalId":341207,"journal":{"name":"2016 IEEE Security and Privacy Workshops (SPW)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134174662","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Inspired by the human immune system, we explore the development of a new multiple detector set artificial immune system (mAIS) for the detection of mobile malware based on the information flows in Android apps. mAISs differ from conventional AISs in that multiple detector sets are evolved concurrently via negative selection. Typically, the first detector set is composed of detectors that match information flows associated with malicious apps while the second detector set is composed of detectors that match the information flows associated with benign apps. The mAIS presented in this paper incorporates feature selection along with a negative selection technique known as the split detector method (SDM). This new mAIS has been compared with a variety of conventional AISs and mAISs using a dataset of information flows captured from malicious and benign Android applications. Our preliminary results show that the newly designed mAIS outperforms the conventional AISs and mAISs in terms of accuracy and false positive rate of malware detection. This paper ends with a discussion of how mAISs can be used to solve dynamic cybersecurity problems as well as a discussion of our future research. This approach achieved 93.33% accuracy with a 0.00% false positive rate.
{"title":"Detection of Mobile Malware: An Artificial Immunity Approach","authors":"James Brown, Mohd Anwar, G. Dozier","doi":"10.1109/SPW.2016.32","DOIUrl":"https://doi.org/10.1109/SPW.2016.32","url":null,"abstract":"Inspired by the human immune system, we explore the development of a new multiple detector set artificial immune system (mAIS) for the detection of mobile malware based on the information flows in Android apps. mAISs differ from conventional AISs in that multiple detector sets are evolved concurrently via negative selection. Typically, the first detector set is composed of detectors that match information flows associated with malicious apps while the second detector set is composed of detectors that match the information flows associated with benign apps. The mAIS presented in this paper incorporates feature selection along with a negative selection technique known as the split detector method (SDM). This new mAIS has been compared with a variety of conventional AISs and mAISs using a dataset of information flows captured from malicious and benign Android applications. Our preliminary results show that the newly designed mAIS outperforms the conventional AISs and mAISs in terms of accuracy and false positive rate of malware detection. This paper ends with a discussion of how mAISs can be used to solve dynamic cybersecurity problems as well as a discussion of our future research. This approach achieved 93.33% accuracy with a 0.00% false positive rate.","PeriodicalId":341207,"journal":{"name":"2016 IEEE Security and Privacy Workshops (SPW)","volume":"25 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133134265","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
In any software system, unprincipled handling of input data presents significant security risks. This is particularly true in the case of mobile platforms, where the prevalence of applications developed by amateur developers in combination with devices that hold a wealth of users' personal information can lead to significant security and privacy concerns. Of particular concern is the so-called shotgun parser pattern, in which input recognition is intermixed with input processing throughout the code base. In this work, we take the first steps toward building a tool for identification of shotgun parsers in Android applications. By extending the FlowDroid framework for static taint analysis, we are able to quantify the spread of untrusted data through 55 applications selected from 15 categories on the Google Play store. Our analysis reveals that on average, most untrusted input propagates a relatively short distance within the application code. However, we also find several specific instances of very long data propagations. In addition to providing a first look at the "state of parsing" in a variety of Android applications, our work in this paper lays the groundwork for more precise shotgun parser signature recognition.
{"title":"In Search of Shotgun Parsers in Android Applications","authors":"Katherine Underwood, M. Locasto","doi":"10.1109/SPW.2016.41","DOIUrl":"https://doi.org/10.1109/SPW.2016.41","url":null,"abstract":"In any software system, unprincipled handling of input data presents significant security risks. This is particularly true in the case of mobile platforms, where the prevalence of applications developed by amateur developers in combination with devices that hold a wealth of users' personal information can lead to significant security and privacy concerns. Of particular concern is the so-called shotgun parser pattern, in which input recognition is intermixed with input processing throughout the code base. In this work, we take the first steps toward building a tool for identification of shotgun parsers in Android applications. By extending the FlowDroid framework for static taint analysis, we are able to quantify the spread of untrusted data through 55 applications selected from 15 categories on the Google Play store. Our analysis reveals that on average, most untrusted input propagates a relatively short distance within the application code. However, we also find several specific instances of very long data propagations. In addition to providing a first look at the \"state of parsing\" in a variety of Android applications, our work in this paper lays the groundwork for more precise shotgun parser signature recognition.","PeriodicalId":341207,"journal":{"name":"2016 IEEE Security and Privacy Workshops (SPW)","volume":"60 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130768768","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
To carry out a true privacy risk analysis and go beyond a traditional security analysis, it is essential to distinguish the notions of feared events and their impacts, called "privacy harms" here, and to establish a link between them. In this paper, we provide a clear relationship among harms, feared events, privacy weaknesses and risk sources and describe their use in the analysis of smart grid systems. This work also lays the foundation for a more systematic and rigorous approach to privacy risk assessment.
{"title":"Privacy Harm Analysis: A Case Study on Smart Grids","authors":"S. De, D. Métayer","doi":"10.1109/SPW.2016.21","DOIUrl":"https://doi.org/10.1109/SPW.2016.21","url":null,"abstract":"To carry out a true privacy risk analysis and go beyond a traditional security analysis, it is essential to distinguish the notions of feared events and their impacts, called \"privacy harms\" here, and to establish a link between them. In this paper, we provide a clear relationship among harms, feared events, privacy weaknesses and risk sources and describe their use in the analysis of smart grid systems. This work also lays the foundation for a more systematic and rigorous approach to privacy risk assessment.","PeriodicalId":341207,"journal":{"name":"2016 IEEE Security and Privacy Workshops (SPW)","volume":"119 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124671829","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
In this paper we consider the limits of formal modeling of infrastructures and the application of social explanation for the analysis of insider threats in security and safety critical areas. As an area of study for the analysis we take examples from aviation, firstly since incidents are typically well-documented and secondly since it is an important area per se. In March 2015, a Germanwings flight crashed in the French Alps in what is quite firmly believed to have been intentionally caused by the copilot who locked the pilot out of the cockpit and programmed the autopilot on constant descent. We investigate the security controls and policies in airplanes against insider threats using logical modeling in Isabelle.
{"title":"Investigating Airplane Safety and Security Against Insider Threats Using Logical Modeling","authors":"F. Kammüller, Manfred Kerber","doi":"10.1109/SPW.2016.47","DOIUrl":"https://doi.org/10.1109/SPW.2016.47","url":null,"abstract":"In this paper we consider the limits of formal modeling of infrastructures and the application of social explanation for the analysis of insider threats in security and safety critical areas. As an area of study for the analysis we take examples from aviation, firstly since incidents are typically well-documented and secondly since it is an important area per se. In March 2015, a Germanwings flight crashed in the French Alps in what is quite firmly believed to have been intentionally caused by the copilot who locked the pilot out of the cockpit and programmed the autopilot on constant descent. We investigate the security controls and policies in airplanes against insider threats using logical modeling in Isabelle.","PeriodicalId":341207,"journal":{"name":"2016 IEEE Security and Privacy Workshops (SPW)","volume":"172 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114626107","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: