Friendly Fire

2021, Vol 24 (3), pp. 1-40
Author(s): Musard Balliu, Massimo Merro, Michele Pasqua, Mikhail Shcherbakov

IoT platforms enable users to connect various smart devices and online services via reactive apps running on the cloud. These apps, often developed by third parties, perform simple computations on data triggered by external information sources and actuate the results of computations on external information sinks. Recent research shows that unintended or malicious interactions between the different (even benign) apps of a user can cause severe security and safety risks. These works leverage program analysis techniques to build tools for unveiling unexpected interference across apps for specific use cases. Despite these initial efforts, we are still lacking a semantic framework for understanding interactions between IoT apps. The question of what security policy cross-app interference embodies remains largely unexplored. This article proposes a semantic framework capturing the essence of cross-app interactions in IoT platforms. The framework generalizes and connects syntactic enforcement mechanisms to bisimulation-based notions of security, thus providing a baseline for formulating soundness criteria of these enforcement mechanisms. Specifically, we present a calculus that models the behavioral semantics of a system of apps executing concurrently, and use it to define desirable semantic policies targeting the security and safety of IoT apps. To demonstrate the usefulness of our framework, we define and implement static analyses for enforcing cross-app security and safety, and prove them sound with respect to our semantic conditions. We also leverage real-world apps to validate the practical benefits of our tools based on the proposed enforcement mechanisms.

2009, Vol 44 (3), pp. 268-287
Author(s): Moritz Weiss, Simon Dalferth

In this article, we argue that the premature abolishment of the allegedly anachronistic concepts of internal versus external security is of doubtful heuristic value for the study of security practices. The two domains may gradually converge from the perspective of problems, but do so much less in terms of political practices. We show that security policy is pursued according to different systems of rules. It follows distinct institutional logics. We undertake a systematic comparison of policy-making in the European Union’s Security and Defence Policy (ESDP) and Justice and Home Affairs (JHA). It is structured along the distinction between making and implementing an agreement as indicative stages of the policy-making process. First, rule-setting asks how decisions are made in the two domains: with or without the inclusion of external actors. Second, we explore whether the implementation of political decisions involves management or enforcement mechanisms. The empirical results are unambiguous: the political actors follow different systems of rules in the two domains. There are still ‘ideal-typical’ differences in a Weberian sense. This implies that internal and external security may be closely linked, like the opposite sides of the same coin, but must be separated for the purpose of analytical clarity.


Author(s): Shangping Ren, Jeffrey J.P. Tsai, Ophir Frieder

In this chapter, we present the role-based context constrained access control (RBCC) model. The model integrates contextual constraints specified in first-order logic with the standard role-based access control (RBAC). In the RBCC access control model, the permission assignment functions are constrained by the user’s current accessing contexts. The accessing contexts are further categorized in two classes, that is, system contexts and application contexts. System contexts may contain accessing time, accessing location, and other security-related system information; while application contexts are abstractions of relationships among different types of entities (i.e., subjects, roles, and objects) as well as implicit relationships derived from protected information content and external information. The ability to integrate contextual information allows the RBCC model to be flexible and capable of specifying a variety of complex access policies and providing tight and just-in-time permission activations. A set of medical domain examples will be used to demonstrate the expressiveness of the RBCC model.


Author(s): Hira Agrawal, James Alberi, Lisa Bahler, William Conner, Josephine Micallef, ...

2016, Vol 23 (1), pp. 135-149
Author(s): Milena Stróżyna, Jacek Małyszko, Krzysztof Węcel, Dominik Filipiak, Witold Abramowicz

In this paper, we discuss a software architecture, which has been developed for the needs of the System for Intelligent Maritime Monitoring (SIMMO). The system is based on state-of-the-art information fusion and intelligence analysis techniques, which generate an enhanced Recognized Maritime Picture and thus support situation analysis and decision-making. The SIMMO system aims to automatically fuse up-to-date maritime data from the Automatic Identification System (AIS) and open Internet sources. Based on collected data, data analysis is performed to detect suspicious vessels. Functionality of the system is realized in a number of different modules (web crawlers, data fusion, anomaly detection, visualization modules) that share the AIS and external data stored in the system’s database. The aim of this article is to demonstrate how external information can be leveraged in a maritime awareness system and what software solutions are necessary. A working system is presented as a proof of concept.


2006, Vol 13 (10)
Author(s): Christian Kirkegaard, Anders Møller

We present an approach for statically reasoning about the behavior of Web applications that are developed using Java Servlets and JSP. Specifically, we attack the problems of guaranteeing that all output is well-formed and valid XML and ensuring consistency of XHTML form fields and session state. Our approach builds on a collection of program analysis techniques developed earlier in the JWIG and Xact projects, combined with work on balanced context-free grammars. Together, this provides the necessary foundation concerning reasoning about output streams and application control flow.

