Developing and Evaluating Security-Aware Software Systems
Latest Publications

Total documents: 15 (five years: 0)
H-index: 1 (five years: 0)
Published by IGI Global
ISBN: 9781466624825, 9781466624832

Author(s): Christian Schwarzl, Edgar Weippl

This paper serves to systematically describe the attempts made to forge fingerprints to fool biometric systems and to review all relevant publications on forging fingerprints to fool sensors. The research finds that many of the related works fail in this aspect and that past successes could not be repeated. First, the basics of biometrics are explained in order to define the meaning of the term security in this special context. Next, the state of the art of biometric systems is presented, followed by the topic of security of fingerprint scanners. For this, a series of more than 30,000 experiments were conducted to fool scanners. The authors were able to reproduce and keep records of each single step in the test and to show which methods lead to the desired results. In most studies on this topic, a number of steps in producing a fake finger and fooling a fingerprint scanner are not explained, which means that some of the studies cannot be replicated. In addition, the authors’ own ideas and slight variations of existing experiment set-ups are presented.


Author(s): Matteo Avalle, Alfredo Pironti, Davide Pozza, Riccardo Sisto

This paper presents JavaSPI, a “model-driven” development framework that allows the user to reliably develop security protocol implementations in Java, starting from abstract models that can be verified formally. The main novelty of this approach stands in the use of Java as both a modeling language and the implementation language. The JavaSPI framework is validated by implementing a scenario of the SSL protocol. The JavaSPI implementation can successfully interoperate with OpenSSL, and has comparable execution time with the standard Java JSSE library.


Author(s): Alastair Nisbet, M. A. Rashid

Secure Key Deployment and Exchange Protocol (SKYE) is a new encryption Key Management Scheme (KMS) based on a combination of features from recent protocols combined with new features for Mobile Ad Hoc Networks (MANETs). The design focuses on a truly ad hoc networking environment where the geographical size of the network, the number of network members, and the mobility of the members are all unknown before deployment. Additionally, all key management is performed online, making it distinct from most other implementations. This paper attempts to describe the process of development of the protocol and to more thoroughly discuss the simulation software design used to evaluate the performance of the proposed protocol. Simulation results show that security within the network can be increased by requiring more servers to collaborate to produce a certificate for the new member, or by requiring a higher trust threshold along the certificate request chain. SKYE works well within the limitations set by entirely online network formation and key management.


Author(s): Walid Al-Ahmad

Security is an important and challenging aspect that needs to be considered at an early stage during software development. Traditional software development methodologies do not deal with security issues and so there is no structured guidance for security design and development; security is usually an afterthought activity. This paper discusses the integration of XP with security activities based on the CLASP (Comprehensive Lightweight Application Security Process) methodology. This integration will help developers using XP develop secure software by applying security measures in all phases and activities, thereby minimizing the security vulnerabilities exploited by attackers.


Author(s): Sean Policarpio, Yan Zhang

The Extensible Markup Language is susceptible to security breaches because it does not incorporate methods to protect the information it encodes. This work focuses on the development of a formal language that can provide role-based access control to information stored in XML formatted documents. This language has the capacity to reason whether access to an XML document should be allowed. The language, Axml(T), allows for the specification of authorisations on XML documents and distinguishes itself from other research with the inclusion of temporal interval reasoning and the XPath query language.


Author(s): Jan Durand, Juan Flores, Travis Atkison, Nicholas Kraft, Randy Smith

This paper describes a research effort to use executable slicing as a pre-processing aid to improve the prediction performance of rogue software detection. The prediction technique used here is an information retrieval classifier known as cosine similarity that can be used to detect previously unknown, known, or variants of known rogue software by applying the feature extraction technique of randomized projection. This paper provides direction in answering the question of whether it is possible to use only portions or subsets, known as slices, of an application to make a prediction on whether or not the software contents are rogue. This research extracts sections or slices from potentially rogue applications and uses these slices instead of the entire application to make a prediction. Results show promise when applying randomized projections to cosine similarity for the predictions, with as much as a 4% increase in prediction performance and a five-fold decrease in processing time when compared to using the entire application.


Author(s): Afonso Araújo Neto, Marco Vieira

When deploying database-centric web applications, administrators should pay special attention to database security requirements. Acknowledging this, Database Management Systems (DBMS) implement several security mechanisms that help Database Administrators (DBAs) make their installations secure. However, different software products offer different sets of mechanisms, making the task of selecting the adequate package for a given installation quite hard. This paper proposes a methodology for detecting database security gaps. This methodology is based on a comprehensive list of security mechanisms (derived from widely accepted security best practices), which was used to perform a gap analysis of the security features of seven software packages composed of widely used products, including four DBMS engines and two Operating Systems (OS). The goal is to understand how much each software package helps developers and administrators to actually accomplish the security tasks that are expected from them. Results show that while there is a common set of security mechanisms that is implemented by most packages, there is another set of security tasks that has no support at all in any of the packages.


Author(s): Shamal Faily, Ivan Fléchais

Despite existing work on dealing with security and usability concerns during the early stages of design, there has been little work on synthesising the contributions of these fields into processes for specifying and designing systems. Without a better understanding of how to deal with both concerns at an early stage, the design process risks disenfranchising stakeholders, and resulting systems may not be situated in their contexts of use. This paper presents the IRIS process framework, which guides technique selection when specifying usable and secure systems. The authors illustrate the framework by describing a case study where the process framework was used to derive missing requirements for an information security policy for a UK water company following reports of the Stuxnet worm. The authors conclude with three lessons informing future efforts to integrate Security, Usability, and Requirements Engineering techniques for secure system design.


Author(s): Kim Wuyts, Riccardo Scandariato, Griet Verhenneman, Wouter Joosen

Many initiatives exist that integrate e-health systems on a large scale. One of the main technical challenges is access control, although several frameworks and solutions, like XACML, are becoming standard practice. Data is no longer shared within one affinity domain but becomes ubiquitous, which results in a loss of control. As patients will be less willing to participate without additional control strategies, patient consents are introduced that allow the patients to determine precise access rules on their medical data. This paper explores the consequences of integrating consent in e-health access control. First, consent requirements are examined, after which an architecture is proposed which incorporates patient consent in the access control service of an e-health system. To validate the proposed concepts, a proof-of-concept implementation is built and evaluated.


Author(s): Yun Bai, Khaled M. Khan

In this paper, the authors propose a formal logic technique to protect information systems. As the widespread use of computer systems grows, the security of the information stored in such systems has become more important. As a security mechanism, authorization or access control ensures that all accesses to the system resources occur exclusively according to the access policies and rules specified by the system security agent. Authorization specification has been widely studied and a variety of approaches have been investigated. The authors propose a formal language with modal logic to specify the system security policies. The authors also provide the reasoning in response to system access requests, especially in situations where the security agent’s knowledge base is incomplete. The semantics of this language is provided by translating it into an epistemic logic program in which knowledge-related modal operators are employed to represent agents’ knowledge in reasoning. The authors demonstrate how this approach handles the situation where the security agent’s knowledge on access decision is incomplete. The proposed mechanism effectively prevents unauthorized and malicious access to information systems.

