Abstract The traditional approach of computer scientists to Law is that laws (statutes, regulations, etc.) set the requirements, logicians and requirements analysts model them, and finally IT technical solutions or organizational patterns are used to implement them. In this paper we try to answer a radically different question: Can a technical solution (e.g. a requirement in a security and dependability pattern) be implemented by legal means?
Open multi-application smart cards that allow post-issuance evolution (i.e. loading of new applets) are very attractive for both smart card developers and card users. Since these applications contain sensitive data and can exchange information, a major concern is the assurance that these applications will not exchange data unless permitted by their respective policies.
Requirement evolution has drawn a lot of attention from the community with a major focus on management and consistency of requirements. Here, we tackle the fundamental, albeit less explored, alternative of modeling the future evolution of requirements. Our approach is based on the explicit representation of controllable evolutions vs observable evolutions, which can only be estimated with a certain probability.
Quality of Protection: Security Measurements and Metrics is an edited volume based on the Quality of Protection Workshop in Milano, Italy (September 2005). This volume discusses how security research can progress towards quality of protection in security comparable to quality of service in networking and software measurements, and metrics in empirical software engineering. Information security in the business setting has matured in the last few decades.
Java Card technology has progressed to the point of running web servers and web clients on a smart card. Yet concrete deployments of multi-application smart cards have remained extremely rare, because the business model of asynchronous download and update of applications by different parties requires the control of interactions among possible applications after the card has been fielded. Yet the current security models and techniques do not support this type of evolution.
Abstract This panel is aimed at assessing the state of the art and exploring trends and emerging issues in computer security in general and protocol verification in particular. It brings together experts from both the security community and the verification area. Some of the questions over which they will be invited to discuss their views, and maybe even to answer, include:
Most Secure Software Development Life Cycles (SSDLCs) start from security requirements. Security Management standards do likewise. There are several methods from industry and academia to elicit and analyze security requirements, but there are few empirical evaluations to investigate whether these methods are effective in identifying security requirements.
Nowadays IT systems are undergoing an irreversible evolution: we face a socio-technical system where humans are not just “users” but decision makers whose decisions determine the behavior of the system as a whole. These decisions will not necessarily be system supported, nor planned in advance and sometimes not even informed, but they will nonetheless be taken.
Users of mobile devices are increasingly requesting a controlled way to exit from the sandboxing model in order to exploit the full computational power of the device. Porting in-line security monitors to mobile devices requires solving both theoretical and practical challenges. Current security monitors provide solutions only for the desktop and monitor only a single instance of an application. In this demonstration we show an inline monitoring system for.
The Safety and Security in Multiagent Systems (SASEMAS) series of workshops that took place from 2004-2006 provided a forum for the exchange of ideas and discussion on areas related to the safety and security of multiagent systems.
Abstract Change management and change propagation across the various models of the system (such as requirements, design and testing models) are well-known problems in software engineering. For such problems a number of solutions have been proposed that are usually based on the integration of model repositories and on the maintenance of traceability links between the models.
Abstract. Showing that business processes comply with regulatory requirements is not easy. We investigate this compliance problem in the case that the requirements are expressed as a directed, acyclic graph, with high-level requirements (called control objectives) at the top and with low-level requirements (called control activities) at the bottom. These control activities are then implemented by control processes.
Security and trust are core research issues for the further development of the Information Society and for 10 years have played, and continue to play, an integral part in the European Union's Framework Programmes (FPs) for R&D. EU-supported collaborative research projects in trust and security bring together multi-partner stakeholders from industry (technology and service providers, system integrators and end-users), academic and research laboratories working in several interdisciplinary research fields.
Logical cryptanalysis has been introduced by Massacci and Marraro as a general framework for encoding properties of crypto-algorithms into SAT problems, with the aim of generating SAT benchmarks that are controllable and that share the properties of real-world problems and randomly generated problems.
Abstract In order to provide certified security services we must provide indicators that can measure the level of assurance that a complex business process can offer. Unfortunately, the formulation of security indicators is not amenable to efficient algorithms able to evaluate the level of assurance of a complex process from its components.
Abstract If all applications could be loaded at the start this would boil down to information flow analysis for which many solutions exist, but this is precisely what we want to overcome. When applications are not known in advance and can be updated asynchronously and possibly without connection to trusted third parties, we must preserve the security policies of the various owners of the applets during such autonomous evolution.
Security Requirements Engineering is an emerging field which lies at the crossroads of Security and Software Engineering. Much research has focused on this field in recent years, spurred by the realization that security must be dealt with in the earliest phases of the software development process as these phases cover a broader organizational perspective. Agent-oriented methodologies have proved to be especially useful in this setting as they support the modeling of the social context in which the system-to-be will operate.
Enhancements to a mobile robot virtual path language assembler (1996). McCarty, Paul Sidney. Typescript. Thesis (MS), University of South Carolina, 1996. Includes bibliographical references (leaves 64). Download: http://worldcat.org/oclc/37740583. Repository: OCLC's Experimental Thesis Catalog (United States). Type: text. Language: eng.
The formal verification of security protocols is one of the successful applications of automated reasoning. Techniques based on belief logics, model checking, and theorem proving have been successful in determining strengths and weaknesses of many protocols, some of which had even been fielded before being discovered to be badly wrong. This tutorial presents the problems to the “security illiterate”, explaining aims, objectives and tools of this application of automated reasoning.
Properties like confidentiality, authentication and integrity are of increasing importance to communication protocols. Hence the development of formal methods for the verification of security protocols. This paper proposes to represent the verification of security properties as a (deductive or model-based) logical AI planning problem. The key intuition is that security attacks can be seen as plans.
SecureTropos STTool: a CASE tool for security-aware software requirements analysis. Department of Information and Communication Technology, University of Trento, Italy; Department of Computer Science, University of Toronto, Canada. Paolo Giorgini, Fabio Massacci, John Mylopoulos, Nicola Zannone.
Abstract. Security protocols intend to give their parties reasonable assurance that certain security properties will protect their communication session. However, the literature confirms that the protocols may suffer subtle and hidden attacks. Flawed protocols are customarily sent back to the design process, but the costs of reengineering a deployed protocol may be prohibitive.
This paper presents a prefixed tableaux calculus for Propositional Dynamic Logic with Converse based on a combination of different techniques such as prefixed tableaux for modal logics and model checkers for mu-calculus. We prove the correctness and completeness of the calculus and illustrate its features. We also discuss the transformation of the tableaux method (naively NEXPTIME) into an EXPTIME algorithm.
Abstract. Reasoning about trust management and credential-based systems such as SDSI/SPKI, is one of today's security challenges. The representation and reasoning problem for this (simple) public key infrastructure is challenging: we need to represent permissions, complex naming constructions (“Martinelli's officemate is FAST's PC-Chair's Colleague”), intervals of time and metric time for expiration dates and validity intervals.
Abstract The workflow of a Virtual Organization is often divided into fragments that are run by different entities having different clearance levels or accessibility permissions. Therefore, an important issue is the decomposition of the overall business process into workflow views that can be outsourced to the side of the corresponding contractors.
Abstract The basic tenet of security management when actions violate policies is that the former must be forbidden or amended. This requires specifying precisely all possible exceptions and corrections to the default workflow. In many practical e-health business processes this is not feasible: the default clinical or administrative protocol is simple and well understood by clinicians, but the precise codification of all possible amendable errors into the policy would transform it from a straight line into an unreadable spaghetti graph.
Autonomic Communication is a new paradigm for dynamic network integration. An Autonomic Network crosses organizational boundaries and is provided by entities that see each other just as business partners. Policy-based network management already requires a paradigm shift in the access control mechanism (from identity-based access control to trust management and negotiation), but this is not enough for cross-organizational autonomic communication.
Abstract We investigate a generalization of the notion of XML security view introduced by Stoica and Farkas (Proceedings of the 16th International Conference on Data and Applications Security (IFIP'02). IFIP Conference Proceedings, vol. 256, pp. 133–146. Kluwer, Dordrecht, 2002) and later refined by Fan et al. (Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD'04), pp. 587–598. ACM Press, New York, 2004).
Abstract We illustrate ALSP (Action Language for Security Protocols), a declarative executable specification language for planning attacks on security protocols. ALSP is based on logic programming with negation as failure, and with stable model semantics. In ALSP we can give a declarative specification of a protocol with the natural semantics of send and receive actions which can be performed in parallel.
Abstract The scenarios of Ambient Intelligence introduce a new computing paradigm and set new challenges for the design and engineering of secure and dependable systems. This chapter describes SERENITY, a comprehensive approach to overcome those problems. The key to success in this scenario is to capture security expertise in such a way that it can be supported by automated means.
Recent years have seen a renewed interest in modal and description logics (MDLs). Better algorithms, coding, and technology have led to effective systems ranging from tableau and constraint systems [6,7] to DPLL-based implementations [5], first-order provers [8] and the inverse method [13]. PSPACE problems such as satisfiability are within reach for realistic instances [10], and potentially EXPTIME problems stemming from real applications can also be solved [3,7].
We propose a tableaux calculus requiring simple exponential time for satisfiability of an ALC concept C w.r.t. a TBox T containing general axioms of the form C ⊑ D. From correspondences with Propositional Dynamic Logic (PDL) it is known that this problem is in EXPTIME [Pratt, 1978; Vardi and Wolper, 1986].
Long-lived systems need to be flexible and to adapt to changes in order to remain useful. Software-based systems are becoming increasingly security-critical, since software now pervades the critical infrastructures that deal with critical data. A challenging aspect is thus to develop techniques and tools that ensure long-running, evolving software systems are compliant with evolving security, privacy and dependability requirements.
Abstract System vulnerabilities are often caused by the presence of conflicts within the organization where the system-to-be would eventually operate. In particular, conflicts of interest are very harmful since actors can exploit their positions/roles relative to the system for gaining personal advantage. Capturing and resolving such conflicts is a necessary condition for developing secure information systems. In this paper, we show how conflicts of interest can be formally detected during requirements analysis.
Abstract Inlined Reference Monitor (IRM) is a flexible mechanism to enforce the security of untrusted applications. One of the shortcomings of IRM is that it might introduce a significant overhead in otherwise perfectly secure applications. In this paper we propose six different framework models for IRM optimization with respect to the components that need to be trusted or untrusted. Then, we describe an approach for IRM optimization using automata modulo theory.
Abstract We investigate non-interference (secure information flow) policies for web browsers, replacing or complementing the Same Origin Policy. First, we adapt a recently proposed dynamic information flow enforcement mechanism to support asynchronous I/O. We prove detailed security and precision results for this enforcement mechanism, and implement it for the Featherweight Firefox browser model.
Abstract. Modern multi-application smart cards based on the Java Card technology can become an integrated environment where applications from different providers are loaded on the fly and collaborate in order to facilitate the lives of cardholders. This initiative requires an embedded verification mechanism to ensure that all applications on the card respect the application interactions policy. The Security-by-Contract (S×C) approach for loading time verification consists of two phases.
Abstract Business Processes for Web Services are the new paradigm for the lightweight integration of business from different enterprises. Whereas the security and access control policies for basic web services and distributed systems are well studied and almost standardized, there is not yet a comprehensive proposal for an access control architecture for business processes.
Abstract Recent experimental results have shown that the strength of resolution, the propositional DPLL procedure, the KSAT procedure for description logics, or related tableau-like implementations such as DLP, is due to reduction rules which propagate constraints and prune the search space.
Abstract The possibility of solving Quantified Boolean Formulae (QBF) problems using the SMV system is a consequence of two well-known theoretical results: the membership of QBF in PSPACE, and the PSPACE-hardness of LTL (and therefore, of SMV). Nevertheless, such results do not imply the existence of a reduction that is also of practical utility. In this paper, we show a reduction from QBF to SMV that is linear (instead of cubic), and uses a constant-size specification.
Abstract. Single Step Tableaux (SST) are the basis of a calculus for modal logics that combines different features of sequent and prefixed tableaux into a simple, modular, strongly analytic, and effective calculus for a wide range of modal logics. The paper presents a number of the computational results about SST (confluence, decidability, space complexity, modularity, etc.) and compares SST with other formalisms such as translation methods, modal resolution, and Gentzen-type tableaux.
Abstract There are numerous metrics proposed to assess security and dependability of technical systems (e.g., number of defects per thousand lines of code). Unfortunately, most of these metrics are too low-level, and fail to capture the high-level system abstractions required for organisational analysis. The analysis essentially enables the organisation to detect and eliminate possible threats by system re-organisations or re-configurations.
There is increasing demand for running a number of interacting applications multiple times in a secure and controllable way on mobile devices. Such demand is not supported by the Java/.NET security models based on trust domains, nor by current security monitors or language-based security approaches. Trust domains don't allow for interactions, while language-based security doesn't support sufficiently customizable policies.
Abstract There is increasing demand for running interacting applications in a secure and controllable way on mobile devices. Such demand is not fully supported by the Java/.NET security model based on trust domains nor by current security monitors or language-based security approaches. We propose an approach that allows security policies that are i) expressive enough to capture multiple sessions and interacting applications, ii) suitable for efficient monitoring, iii) convenient for a developer to specify them.
Having a precise vulnerability discovery model (VDM) would provide a useful quantitative insight to assess software security. Thus far, several models have been proposed with some evidence supporting their goodness-of-fit. In this work we describe an independent validation of the applicability of these models to the vulnerabilities of the popular browsers Firefox, Google Chrome and Internet Explorer. The result shows that some VDMs simply do not fit the data, while for others there is both positive and negative evidence.
Abstract The goal of this paper is to present and discuss a simple and rather effective tableau calculus which combines modal logics of knowledge and belief with contextual reasoning. The system is made by a multiple combination. For modal proofs, it labels formulae as prefixed tableaux but uses message (knowledge) passing rules similar to those of sequent-like tableaux.
We study the interplay in the evolution of Firefox source code and known vulnerabilities in Firefox over six major versions (v1.0, v1.5, v2.0, v3.0, v3.5, and v3.6) spanning almost ten years of development, integrating a number of sources (NVD, CVE, MFSA, Firefox CVS). We conclude that a large fraction of vulnerabilities apply to code that is no longer maintained in older versions. We call these after-life vulnerabilities.
The natural business model of OSGi is dynamic loading and removal of bundles or services on an OSGi platform. If bundles can come from different stakeholders, how do we make sure that one's services will only be invoked by the authorized bundles? A simple solution is to interweave functional and security logic within each bundle, but this decreases the benefits of using a common platform for service deployment and is a well-known source of errors.
The aim of the TABLEAUX-2000 Non-Classical (Modal) System Comparisons (TANCS-2000) is to provide a set of benchmarks and a standardized methodology for the assessment and comparison of ATP systems in non-classical logics, as it is done for first-order logic with the CADE System Competition.
Modern multi-application smart cards can be an integrated environment where applications from different providers are loaded on the fly and collaborate in order to facilitate the lives of cardholders. This initiative requires an embedded verification mechanism to ensure that all applications on the card respect the application interactions policy. The Security-by-Contract approach for loading time verification consists of two phases. During the first phase the loaded code is verified to be compliant with the supplied contract.
Abstract Formal verification is a key step in the development of trusted and reliable multi-agent distributed systems. This is particularly relevant when security concerns such as privacy, integrity and availability impose limitations on the operations that can be performed on sensitive data. The aim of access control is to limit what agents (humans, programs, softbots, etc.) of distributed systems can do directly or indirectly by delegating their powers and tasks.
Abstract Managing changes in Security Engineering is a difficult task: the analyst must keep security knowledge such as assets, attacks and treatments consistent with stakeholders' goals and security requirements. Research-wise the usual solution is an integrated methodology in which risk, security requirements and architectural solutions are addressed within the same tooling environment and changes can be easily propagated.
Abstract We propose ALSP, a Declarative Executable Specification Language for Planning Attacks to Security Protocols based on logic programming. In ALSP we can give a declarative specification of a protocol with the natural semantics of send and receive actions. We view a protocol trace as a plan to reach a goal, so that attacks are just plans reaching goals that correspond to security violations, which can also be declaratively specified.
Abstract. The verification of security properties is one of the key issues of computer science and automated reasoning tools play a key role in the high-level verification of cryptographic protocols. Yet almost nobody uses these reasoning tools for the verification and cryptanalysis of the algorithms upon which these protocols are based. In this paper we advocate that it is possible to use logic to encode the low-level properties of state-of-the-art cryptographic algorithms and then use automated theorem proving for reasoning about them.
Autonomic Communication is a new paradigm for dynamic network integration. An Autonomic Network crosses organizational and management boundaries and is provided by entities that see each other just as business partners. Policy-based network access and management already requires a paradigm shift in the access control mechanism: from identity-based access control to trust management and negotiation, but this is not enough for cross organizational autonomic communication.
Business Processes for Web Services (BPEL4WS) are the new paradigm for lightweight enterprise integration. They cross organizational boundaries and are provided by entities that see each other just as business partners. Web services require a shift in the access control mechanism: from identity-based access control to trust management and negotiation, but this is not enough for cross organizational business processes.
Abstract In this paper we present an approach and algorithm for selecting the “best” secure architecture for supporting a business process according to a variety of assurance indicators. The key difficulty is to select an architectural design in the presence of multiple indicators that might offer alternative notions of minimality. Therefore we must use the notion of Pareto optimality in order to select alternatives that are not dominated by others.
Abstract Applications on multi-application smart cards contain sensitive data and can exchange information. Thus a major concern is that these applications should not exchange data unless permitted by their respective policy. As modern smart cards allow post-issuance installation and removal of applications, traditional approaches for information flow analysis are not suitable.
Given a partially ordered set (poset) of security levels, and a labelling of inputs and outputs with such levels, non-interference (or secure information flow) is a security property expressing that outputs of level l only depend on inputs that are labelled with a level smaller than l. In other words, there is no information flow from high (confidential) levels to low (public) levels.
Abstract Recent years have seen increasing attention to privacy-aware technologies and mechanisms for the negotiation of private information between customers and enterprises. Unfortunately, current proposals are still unsatisfactory since they do not cover the entire spectrum of privacy management. Moreover, they do not provide support for emerging business models such as the inter-organizational business process (also known as virtual organizations).
This paper presents SeCMER, a tool for requirements evolution management developed in the context of the SecureChange project. The tool supports automatic detection of requirement changes and violation of security properties using change-driven transformations. The tool also supports argumentation analysis to check that security properties are preserved by evolution and to identify new security properties that should be taken into account.
Abstract. Security concerns for physical, software and virtual worlds have captured the attention of researchers and the general public, thanks to a series of dramatic events during the past decade. Unsurprisingly, this has resulted in increased research activity on topics that relate to security requirements. At the very core of this activity lies the problem of determining a suitable set of concepts (aka ontology) for modeling security requirements. Many proposals for such ontologies exist in the literature.
Runtime enforcement is a common mechanism for ensuring that program executions adhere to constraints specified by a security policy. It is based on two simple ideas: the enforcement mechanism should leave good executions without changes (transparency) and make sure that the bad ones get amended (soundness).
Abstract: Security protocols intend to give their parties reasonable assurance that certain security properties will protect their communication session. However, the literature confirms that the protocols may suffer subtle and hidden attacks. Flawed protocols are customarily sent back to the design process, but the costs of reengineering a deployed protocol may be prohibitive.
Future pervasive environments are characterized by non-fixed architectures made of users and ubiquitous computers. They will be shaped by pervasive client downloads, i.e. new (untrusted) applications will be dynamically downloaded to make better use of the computational power available in the ubiquitous computing environment.
ABSTRACT The classical approach to access control of Web Services is to present a number of credentials for the access to a service and possibly negotiate their disclosure using a suitable negotiation protocol and a policy to protect them. In practice a “Web Service” is not really a single service but rather a set of services that can be accessed only through a suitable conversation.
Management of requirements evolution is a challenging process. Requirements change continuously, making the traceability of requirements difficult and the monitoring of requirements unreliable. Moreover, changing requirements might have an impact on the security properties a system design should satisfy: certain security properties that are satisfied before evolution might no longer be valid, or new security properties need to be satisfied after changes have been introduced.
• Today's smart phones/nomadic devices have more computing and communication power than PCs 20 years ago, but…
• Not even remotely the amount of third party software available for PCs at that time, and
• A long term market growth cannot be based on selling ring-tones as the only “added-value” services.
© 2007 by DoCoMo Communications Laboratories Europe GmbH
The trustworthiness of business services is widely recognised as a critical factor for the success of an organization. Businesses are increasing in complexity and unpredictability, while the demand for accountability, as well as regulatory compliance, is becoming mandatory. Yet, some reports indicate that the level of fraud within an organization is far from decreasing. Thus, a structured approach to Governance, Risk and Compliance (GRC) has become a high priority goal for many organizations.
Abstract Future mobile platforms will be characterized by pervasive client downloads. Users would like to download new (untrusted) applications on the spot in order to exploit the computational power of their mobile devices to make better use of the services available in the environment. Such a business model is not adequately supported by the current mobile security architecture, and our article aims at extending the scope of security monitoring as a viable alternative.
Abstract Reasoning about credential-based systems such as SDSI and SPKI is one of today's security challenges. The representation and reasoning problem for this (simple) public key infrastructure is challenging: we need to represent permissions, naming and identities of agents and complex naming constructions (Blackburn's office-mate is M4M's PC-Chair's Colleague), then we need to reason about intervals of time and metric time for expiration dates and validity intervals.
The first phase of the SET protocol, namely Cardholder Registration, has been modelled inductively. This phase is presented in outline and its formal model is described. A number of basic lemmas have been proved about the protocol using Isabelle/HOL, along with a theorem stating that a certification authority will certify a given key at most once. Many ambiguities, contradictions and omissions were noted while formalizing the protocol.
We present an algorithm for the translation of security protocol specifications in the HLPSL language developed in the framework of the AVISPA project to a dialect of the applied pi calculus. This algorithm provides us with two interesting scientific contributions: first, it provides an independent semantics of the HLPSL specification language and, second, it makes it possible to verify protocols specified in HLPSL with the applied pi calculus-based ProVerif tool.
Abstract Secure electronic transaction (SET) is an immense e-commerce protocol designed to improve the security of credit card purchases. In this paper, we focus on the initial bootstrapping phases of SET, whose objective is the registration of cardholders and merchants with a SET certificate authority.
Abstract In their works on the theoretical side of Polymer, Ligatti and his co-authors have identified a new class of enforcement mechanisms based on the notion of edit automata that can transform sequences and enforce more than simple safety properties.
Abstract Contextual reasoning has been proposed as a tool for solving the problem of generality in AI and for effectively handling huge knowledge bases, while approximate reasoning has been developed to overcome the computational barrier of classical deduction. This paper combines these approaches to provide an intuitive representation of knowledge and an effective deduction. Its semantics and a tableau calculus are presented. The key computational features are discussed.
Autonomic communication and computing is the new paradigm for dynamic service integration over a network. An autonomic network crosses organizational and management boundaries and is provided by entities that see each other just as partners that need to collaborate with little known or even unknown parties.
Abstract The Secure Electronic Transaction (SET) protocol has been proposed by a consortium of credit card companies and software corporations to secure e-commerce transactions. When the customer makes a purchase, the SET dual signature guarantees authenticity while keeping the customer's account details secret from the merchant and his choice of goods secret from the bank. This paper reports the first verification results for the complete purchase phase of SET.
A strong analytic tableau calculus is presented for the most common normal modal logics. The method combines the advantages of both sequent-like tableaux and prefixed tableaux. Proper rules are used, instead of complex closure operations for the accessibility relation, while non-determinism and cut rules, used by sequent-like tableaux, are totally eliminated. A strong completeness theorem without cut is also given for symmetric and Euclidean logics.
Abstract The problem of supporting the secure execution of potentially malicious third-party applications has received a considerable amount of attention in the past decade. In this paper we describe a security architecture for mobile devices that supports the flexible integration of a variety of advanced technologies for such secure execution of applications, including run-time monitoring, static verification and proof-carrying code.
Computer Security is one of today's hot topics, and the need for conceptual models of security features has brought up a number of proposals ranging from UML extensions to novel conceptual models. What is still missing, however, are models that focus on high-level security requirements, without forcing the modeler to immediately get down to security mechanisms.
Many key verification problems such as bounded model-checking, circuit verification and logical cryptanalysis are formalized with combined clausal and affine logic (i.e. clauses with xor as the connective) and cannot be efficiently (if at all) solved by using CNF-only provers. We present a decision procedure to efficiently decide such problems.
Ambient assisted living is a new interdisciplinary field aiming at supporting senior citizens in their home by means of embedded technologies. This domain offers an interesting challenge for providing dependability and security in a privacy-respecting way: in order to provide services in an emergency we cannot monitor a senior citizen on a second-by-second basis. Besides being immoral, it would be illegal (at least in Europe). At the same time, if we do not get notified of an emergency, the entire system would be useless.
Abstract Propositional modal logics have two independent sources of complexity: unbounded logical omniscience and unbounded logical introspection. This paper discusses an approximation method to tame both of them, by merging propositional approximations with a new technique tailored for multi-modal logics. It provides both skeptical and credulous approximations (or approximations that are neither of the two). On this semantics we build an anytime proof procedure with a simple modification to classical modal tableaux.
This document summarizes the work performed in Task 6.6 of Work Package 6 of the SecureChange project funded by the European Commission within the Seventh Framework Programme. The overall objective of Work Package 6 is the development of verification techniques for evolving systems, with a strong focus on the development time and deployment time phases of the software lifecycle. In the first two years of the project, WP6 developed several technologies to support verification of evolving systems.
In this paper we propose the notion of security-by-contract, a mobile contract that an application carries with itself. The key idea of the framework is that a digital signature should not just certify the origin of the code but rather bind together the code with a contract. We provide a description of the overall life-cycle of mobile code in the setting of security-by-contract, describe a tentative structure for a contractual language and propose a number of algorithms for one of the key steps in the process, the contract-policy matching issue.
The quest for designing secure and trusted software has led to refined Software Engineering methodologies that rely on tools to support the design process. Automated reasoning mechanisms for requirements and software verification are by now a well-accepted part of the design process, and model driven architectures support the automation of the refinement process.
Usage control governs the handling of sensitive data after it has been given away. The enforcement of usage control requirements is a challenge because the service requester in general has no control over the service provider's information processing devices.
Interactive access control allows a server to compute on the fly the missing credentials needed to grant access and to adapt its responses on the basis of the client's presented and declined credentials. Yet, it may disclose too much information on what credentials a client needs. Automated trust negotiation allows for a controlled disclosure of what credentials a client has during a mutual disclosure process. Yet, it requires pre-arranged policies and sophisticated strategies.
Abstract This paper describes the verification of Secure Electronic Transaction (SET), an e-commerce protocol by VISA and MasterCard. The main tasks are to comprehend the written documentation, to produce an accurate formal model, to identify specific protocol goals, and, finally, to prove them. The main obstacles are the protocol's complexity (due in part to its use of digital envelopes) and its unusual goals involving partial information sharing.
Recent years have seen the definition of many languages, models and standards tailored to specify and enforce access control policies, but such frameworks do not provide methodological support during the policy specification process. In particular, they do not provide facilities for the analysis of the social context where the system operates. In this paper we propose a model-driven approach for the specification and analysis of access control policies.
Abstract Security requirements engineering is emerging as a branch of software engineering, spurred by the realization that security must be dealt with early on during the requirements phase. We propose ST-tool, a CASE tool developed for modeling and analyzing functional and security requirements.
Abstract Designing a secure and dependable system is not just a technical issue; it also involves a deep analysis of the organizational and social environment in which the system will operate. In this paper, we detail our experience in modeling and analyzing requirements for an industrial case (air traffic management system) using the Secure Tropos framework.
ABSTRACT Laws set requirements that force organizations to assess the security and privacy of their IT systems and impose the implementation of minimal precautionary security measures. Several frameworks have been proposed to deal with this issue. For instance, purpose-based access control is normally considered a good solution for meeting the requirements of privacy legislation.
Recent years have seen a number of proposals to incorporate Security Engineering into mainstream Software Requirements Engineering. However, capturing trust and security requirements at an organizational level (as opposed to a design level) is still an open problem. This paper presents a formal framework for modeling and analyzing security and trust requirements. It extends the Tropos methodology, an agent-oriented software engineering methodology.
Over the last few years, the success of GPS-enabled PDAs has finally instigated a breakthrough of mobile devices. Many people now already have a device that can connect to the Internet and run untrusted code, typically a cell-phone or PDA. Having such a large interconnected and powerful computing base presents some new security issues. In order to counter new threats, the traditional security architectures need to be overhauled to support a new and more flexible way of securely executing mobile code.
Extending Requirements Engineering modelling and formal analysis methodologies to cope with Security Requirements has been a major effort in the past decade. Yet, only a few works describe complex case studies that show the ability of the informal and formal approaches to cope with the level of complexity required by compliance with ISO-17799 security management requirements.
Abstract Service-oriented architectures (SOA) are, thanks to the flexibility of the services and of the applications composed from them, today's reference for the IT support of agile enterprises that operate in a dense network of partner enterprises and dynamically outsource business processes.
In a federation of heterogeneous nodes that organize themselves, the lack of a trusted third party does not allow establishing a priori trust relationships among strangers. Automated trust negotiation (TN) is a promising approach to establish sufficient trust among parties, allowing them to access sensitive data and services in open environments. Although the literature on TN is growing, two key issues still have to be addressed.
Abstract. Recent years have seen a peak in privacy-related research. The focus has been mostly on how to protect the individual from being tracked, with plenty of anonymizing solutions. We advocate another model that is closer to the “physical” world: we consider our privacy respected when our personal data is used for the purpose for which we gave it in the first place. Essentially, in any distributed authorization protocol, credentials should mention their purpose besides their powers.
We propose the notion of security-by-contract, a mobile contract that an application carries with itself. The key idea of the framework is that a digital signature should not just certify the origin of the code but rather bind together the code with a contract. We provide a description of the workflow for the deployment and execution of mobile code in the setting of security-by-contract, describe a structure for a contractual language and propose a number of algorithms for one of the key steps in the process, the contract-policy matching issue.
This paper describes the S3MS.NET run time monitor, a tool that can enforce security policies expressed in a variety of policy languages for .NET desktop or mobile applications. The tool consists of two major parts: a bytecode inliner that rewrites .NET assemblies to insert calls to a policy decision point, and a policy compiler that compiles source policies to executable policy decision points. The tool supports both single-threaded and multithreaded applications, and is sufficiently mature to be used on real-world applications.
Abstract In the quest for expressive description logics for real-world applications, a powerful combination of constructs has so far eluded practical decision procedures: intersection and composition of roles. We propose tableau-based decision procedures for the satisfiability of logics extending ALC with the intersection ⊓, composition ∘, union ⊔, converse ·⁻ of roles and role identity id(·). We show that 1. the satisfiability of ALC(⊓, ∘, ⊔), for which a 2-EXPTIME upper bound was given by tree-automata techniques, is PSPACE-complete; 2.
We present a semantic tableaux calculus for propositional nonmonotonic modal logics, based on possible-worlds characterisations for nonmonotonic modal logics. This method is parametric with respect to both the modal logic and the preference semantics, since it handles in a uniform way the entailment problem for a wide class of nonmonotonic modal logics: McDermott and Doyle's logics and ground logics. It also achieves the computational complexity lower bounds.
Abstract There is a large number of research papers and standards dedicated to security for outsourced data. Yet, most papers propose new controls to access and protect the data rather than to assess the level of assurance of the whole process that is currently deployed. The main contribution of the paper is an approach for aggregating security properties of individual tasks of a complex business process in order to obtain the level of assurance provided by the whole process.
Requirements engineering is a key step in the software development process that has little counterpart in the design of secure business processes and secure workflows for web services. This paper presents a methodology that allows a business process designer to derive, from the early requirements analysis, the skeleton of the concrete coarse-grained secure business process, which can be further refined into workflows.
Abstract Security-by-Contract (S×C) is a paradigm providing security assurances for mobile applications. In this work, we present an extension of S×C enriched with an automatic trust management infrastructure. Indeed, we enhance the already existing architecture by adding new modules and configurations for contract management. At deploy-time, our system decides the run-time configuration depending on the credentials of the contract provider.
Abstract. The computational complexity of reasoning in classical and non-classical logics makes traditional deduction not feasible in practice. This paper advocates the introduction of approximate proofs within automated deduction for classical and non-classical logics and a corresponding intuition of superficial semantics to overcome this limitation.
Abstract Security requirements engineering is emerging as a branch of software engineering, spurred by the realization that security must be dealt with early on during the requirements phase. Methodologies in this field are challenging, as they must take into account subtle notions such as trust (or lack thereof), delegation, and permission; they must also model entire organizations and not only systems-to-be.
Abstract Software patterns are key building blocks used to construct the architecture of a software system. Patterns also have an important role during the architecture assessment phase, as they represent the design rationale, which is central to evaluation. This work presents a quantitative approach to assess the security of a pattern-based software architecture. In particular, security patterns are used to measure to what extent an architecture is protected against relevant security threats.
Nowadays many companies understand the benefit of outsourcing. Yet, in current outsourcing practices, clients usually focus primarily on business objectives and security is negotiated only for communication links. It is however not determined how data must be protected after transmission. Strong protection of a communication link is of little value if data can be easily stolen or corrupted while on a supplier's server.
Abstract. The Secure Electronic Transaction (SET) protocol has been proposed by a consortium of credit card companies and software corporations to secure e-commerce transactions. When the customer makes a purchase, the SET dual signature guarantees authenticity while keeping the customer's account details secret from the merchant and his choice of goods secret from the bank.
It is a widespread belief that tableaux methods are hopeless for "real life" deduction. This is a key issue for hw/sw verification tools since variants of tableaux are used by Isabelle, PVS, or HOL. If tableaux-like methods are "hopeless by nature", then their use for decidable sub-theories would be impractical. One could then consult ad-hoc systems as oracles but proofs would be shaded by many black-box steps.
Abstract. The aim of access control is to limit what users of distributed systems can do directly or through their programs. As the size of the systems and the sensitivity of data increase, formal methods of analysis are often required. This paper presents a prefixed tableaux method for the calculus of access control in distributed systems developed at DEC-SRC by Abadi, Lampson et al.
When we model and analyze trust in organizations or information systems we have to take into account two different levels of analysis: social and individual. Social levels define the structure of organizations, whereas individual levels focus on individual agents. This is particularly important when capturing security requirements where a “normally” trusted organizational role can be played by an untrusted individual.
Abstract Autonomic communication and computing is the new paradigm for dynamic service integration over a network. In an autonomic network, clients may have the right credentials to access a service but may not know it; equally, it is unrealistic to assume that service providers would publish their policies on the Web so that clients could do policy evaluation themselves.
While logging events is becoming increasingly common in computing, in communication and in collaborative environments, log systems need to satisfy increasingly challenging (if not conflicting) requirements. In this paper we propose a high-level framework for modeling log systems, and reasoning about them. This framework allows one to give a high-level representation of a log system and to check whether it satisfies given audit and privacy properties which in turn can be expressed in standard logic.
With the advent of the next generation Java servlet on the smart card, the Future Internet will be composed of web servers and clients silently yet busily running on high end smart cards in our phones and our wallets. In this brave new world we can no longer accept the current security model where programs can be downloaded on our machines just because they are vaguely “trusted”. We want to know what they do in more precise detail.
Abstract Designing secure and dependable IT systems requires a deep analysis of organizational as well as social aspects of the environment where the system will operate. Domain experts and analysts often face security and dependability (S&D) issues they have already encountered before. These concerns require the design of S&D patterns to facilitate designers when developing IT systems.
Abstract. It is widely believed that a family of unsatisfiable formulae, indexed by n, defined by Cook and Reckhow [Proc. of the ACM Symp. on Theory of Comp. 1974] gives a lower bound of O(2^{2^n}) on the proof size with analytic tableaux. This claim plays a key role in the proof that tableaux cannot polynomially simulate tree resolution.
Business Processes for Web Services are the new paradigm for lightweight enterprise integration. They cross organizational boundaries, are provided by entities that see each other just as business partners, and require access control mechanisms based on trust management. Stateful Business Processes, enforcing separation of duties or service limitations based on past or current usage, pose additional research challenges.
ST-Tool is a graphical tool integrating an agent-oriented requirements engineering methodology with tools for the formal analysis of models. Essentially, the tool allows designers to draw visual models representing functional, security and trust requirements of systems and, then, to verify formally and automatically their correctness and consistency through different model-checkers.
Abstract The logic of context with the ist(c, p) modality has been proposed by McCarthy as a foundation for contextual reasoning. This paper shows that propositional logic of context is NP-complete and therefore more tractable than multimodal logics or Multi Language hierarchical logics which are PSPACE-complete. This result is given in a proof-theoretical way by providing a tableau calculus, which can be used as a decision procedure for automated reasoning.
The introduction of information technologies in health care systems often requires re-engineering the business processes used to deliver care. Obviously, the new and re-engineered processes are observationally different and thus we cannot use existing model-based techniques to argue that they are somehow “equivalent”.
Abstract. Runtime enforcement is a common mechanism for ensuring that program executions adhere to constraints specified by a security policy. It is based on two simple ideas: the enforcement mechanism should leave good executions unchanged and make sure that the bad ones get amended. From the theory side, a number of papers [6, 10, 12] provide the precise characterization of good executions that can be captured by a security policy and thus enforced by a specific mechanism.
Abstract The logic of context with the ist(c, p) modality has been proposed by McCarthy as a foundation for contextual reasoning. This paper shows that propositional logic of context is NP-complete and therefore more tractable than multimodal logics or Multi Language hierarchical logics which are PSPACE-complete. This result is given in a proof-theoretical way by providing a tableau calculus, which can be used as a decision procedure for automated reasoning.
Abstract The importance of critical systems has been widely recognized and several efforts are devoted to integrating dependability requirements in their development process. Such efforts result in a number of models, frameworks, and methodologies that have been proposed to model and assess the dependability of critical systems. Among them, risk analysis considers the likelihood and severity of failures for evaluating the risk affecting the system.
Abstract. Formal verification of real-world e-commerce protocols such as SET is hindered by the sheer complexity of their descriptions. In this paper we build upon the results of Bella, Massacci, Paulson and Tramontano [ESORICS 00] and propose a number of progressively simplified models of SET Payment Phase. We discuss the rationale behind each simplification step and the potential impact on verification.
E-government refers to the introduction of digital technologies into public administrations and it is assuming a pivotal role in many countries, including Italy. In particular, the supply of on-line services by public administrations represents a rapidly expanding phenomenon. The objective of the paper is to support system designers in the development of IT systems that comply with the regulations that govern the use of technologies in public administrations.
The paradigm of pervasive services (Bacon 2002) envisions a nomadic user traversing a variety of environments and seamlessly and constantly receiving services from other portables, handhelds, embedded, or wearable computers. Bootstrapping and managing security of services in this scenario is a major challenge.
Abstract Model-carrying code and security-by-contract have been proposed to augment mobile code with a claim on its security behavior that could be matched against a mobile platform policy before downloading the code. In order to capture realistic scenarios with potentially infinite transitions (e.g. "only connections to URLs starting with https") we have proposed to represent those policies with the notion of Automata Modulo Theory (AMT), an extension of Büchi Automata (BA), with edges labeled by expressions in a decidable theory.
Hippocratic Databases have been proposed as a mechanism to guarantee the respect of privacy principles in data management. We argue that three major principles are missing from the proposed mechanism: hierarchies of purposes, delegation of tasks and authorizations (ie outsourcing), and the minimal disclosure of private information.
Abstract We present the notion of Security-by-Contract (S×C), a mobile contract that an application carries with itself. The key idea of the framework is that a digital signature should not just certify the origin of the code but rather bind together the code with a contract. In a nutshell, a contract describes the security relevant interactions that the mobile application could have with the mobile device.
Business Processes for Web Services are the new paradigm for virtual organization. In such cross-organizational partnerships no business partner may guess a priori what kind of credentials will be sent by clients, nor may the clients know a priori the credentials needed for the successful completion of a business process. This requires an interaction between server and clients. We propose a framework for managing the authorization interactions for business processes and a BPEL4WS based implementation using the Collaxa server.
Abstract Once upon a time a professor of computing and a father was complaining at a radiology ward. A CD with the X-rays of his son's chest had garbled images. Unfortunately, the CD burning process had been outsourced and, in compliance with e-health security policies, technicians could not see the images on the system. Only doctors could.
Abstract. Business Processes for Web Services are the new paradigm for the lightweight integration of business from different enterprises. Yet, there is no comprehensive proposal for a logical framework for access control for business processes, though logics for access control policies for basic web services are well studied. In this paper we propose a logical framework for reasoning (deduction, abduction, consistency checking) about access control for business processes for web services.
The last ten years, since the seminal work on the BAN logic [6], have seen the rapid development of formal methods for the analysis of security protocols. But security protocols have also developed rapidly, becoming more and more complex. Protocols for electronic commerce are the bête noire: six pages were enough to describe the Needham-Schroeder protocol in 1978 [15], six hundred pages were not enough to describe the SET protocol of VISA and Mastercard [11, 12, 13] twenty years later.
The Governance, Risk, and Compliance (GRC) management process for Information Security is a necessity for any software system where important information is collected, processed, and used. To this extent, many standards for security management at the operational level exist (e.g., ITIL, the ISO27K family, etc.). What is often missing is a process to govern security at the organizational level.
In this paper we analyze the need and the opportunity for establishing a discipline for engineering secure Future Internet Services, typically based on research in the areas of software engineering, of service engineering and security engineering. Generic solutions that ignore the characteristics of Future Internet services will fail, yet it seems obvious to build on best practices and results that have emerged from various research communities.
Modern multi-application smart cards can become an integrated environment where applications from different providers are loaded on the fly and collaborate in order to facilitate the lives of the cardholders. This initiative requires an embedded verification mechanism to ensure that all applications on the card respect the application interactions policy. The Security-by-Contract approach for loading time verification consists of two phases.
ABSTRACT NVD and Exploit-DB are the de facto standard databases used for research on vulnerabilities, and the CVSS score is the standard measure for risk. One open question is whether such databases and scores are actually representative of attacks found in the wild. To address this question we have constructed a database (EKITS) based on the vulnerabilities currently used in exploit kits from the black market and extracted another database of vulnerabilities from Symantec's Threat Database (SYM).
Abstract Providing formal assurance of correctness is a key issue for cryptographic algorithms. Yet, automated reasoning tools have only been used for the verification of security protocols, and almost never for the verification and cryptanalysis of the cryptographic algorithms on which those protocols rely.
ABSTRACT The goal of this paper is to present a tableau calculus for propositional modal logics that is effective for automated proof search, easy to use for proof presentation, and applicable to a wide range of modal logics for knowledge representation. The calculus is also enhanced to provide a form of contextual reasoning to deal with (classical) inconsistency.
Abstract. The problem of supporting the secure execution of potentially malicious third-party applications has received a considerable amount of attention in the past decade. In this paper we describe a security architecture for Web 2.0 applications that supports the flexible integration of a variety of advanced technologies for such secure execution of applications, including run-time monitoring, static verification and proof-carrying code.
Abstract. The natural business model of OSGi is dynamic loading and removal of bundles or services on an OSGi platform. If bundles can come from different stakeholders, how do we make sure that one's services will only be invoked by the authorized bundles? A simple solution is to interweave functional and security logic within each bundle, but this decreases the benefits of using a common platform for service deployment and is a well-known source of errors.
Abstract Laws set requirements that force organizations to assess the security and privacy of their IT systems and require them to implement minimal precautionary security measures. Several IT solutions (e.g., Privacy Enhancing Technologies, Access Control Infrastructure, etc.) have been proposed to address security and privacy issues.
Abstract. Tableau and sequent calculi are the basis for most popular interactive theorem provers for formal verification. Yet, when it comes to automatic proof search, tableaux are often slower than Davis-Putnam, SAT procedures or other techniques. This is partly due to the absence of a bivalence principle (viz. the cut-rule) but there is another source of inefficiency: the lack of constraint propagation mechanisms.
Abstract Management of a modern enterprise is based on the assumption that executive reports of lower-layer management are faithful to what is actually happening in the field. As some well-publicised major recent disasters (such as Barings, AllFirst-Allied Irish Bank, ENRON, Société Générale) have shown, this assumption is not well-founded. Intermediate managers can misrepresent the actual state of their systems in order to hide negative events or to "doctor" reports which have already been produced.
Abstract. In the last few years we have seen how the increasing computational power of electronic devices triggers the functionality growth of the software that runs on them. The natural consequence is that modern software is no longer a single piece; instead, it becomes the composition of autonomous components that run on a shared platform.
It is widely believed that a family Σ_n of unsatisfiable formulae proposed by Cook and Reckhow in their landmark paper (Proc. ACM Symp. on Theory of Computing, 1974) can be used to give a lower bound of 2^{Ω(2^n)} on the proof size with analytic tableaux. This claim plays a key role in the proof that tableaux cannot polynomially simulate tree resolution.
Abstract The first part of this dissertation is devoted to the design and validation (both theoretical and experimental) of a number of efficient tableau inference systems, for modal, propositional and dynamic logic with converse. Besides establishing correctness and completeness, the dissertation also discusses computational properties such as modularity, query combination, the design of decision procedures and the complexity of search strategies.
Abstract Advanced methodologies for compliance such as CobiT identify a number of maturity levels that must be reached: first the existence of an infrastructure for the enforcement of security controls; second, the ability to continuously monitor and audit quantifiable indicators for the controls put in place; and third, the ability to react when a policy violation is detected. In this paper, we go further and define a governance and compliance maturity model (GoCoMM) that is process-oriented.
With the advent of the next generation Java servlet on the smart card, the Future Internet will be composed of web servers and clients silently yet busily running on high-end smart cards in our phones and our wallets. In this new world model we can no longer accept the current security model where programs can be downloaded onto our machines just because they are vaguely "trusted". We want to know what they do in more precise detail.
The current theory of runtime enforcement is based on two properties for evaluating an enforcement mechanism: soundness and transparency. Soundness defines that the output is always good (“no bad traces slip out”) and transparency defines that good input is not changed (“no surprises on good traces”). However, in practical applications it is also important to specify how bad traces are fixed so that the system exhibits a reasonable behavior.
Abstract Ambient assisted living is a new interdisciplinary field aiming at supporting senior citizens in their home by means of embedded technologies. This domain offers an interesting challenge for providing dependability and security in a privacy-respecting way: in order to provide services in an emergency we cannot monitor a senior citizen on a second-by-second basis. Besides being immoral, it would be illegal (at least in Europe). At the same time, if we don't get notified of an emergency the entire system would be useless.
Abstract Recent years have seen a trend towards the notion of quantitative security assessment and the use of empirical methods to analyze or predict vulnerable components. Many papers focused on vulnerability discovery models based upon either public vulnerability databases (e.g., CVE, NVD) or vendor ones (e.g., MFSA). Some combine these databases. Most of these works address a knowledge problem: can we understand the empirical causes of vulnerabilities? Can we predict them?
Abstract Computer security depends heavily on the strength of cryptographic algorithms. Thus, cryptographic key search is often THE search problem for many governments and corporations. In recent years, AI search techniques have achieved notable successes in solving "real world" problems.
Nowadays organizations face fast organizational changes and employee turnover, e.g. users become unavailable or change roles because of a promotion, which might compromise the execution of a business process instance and, thus, the achievement of organizational business goals. In this paper, we investigate the problem of dynamic resiliency to changes in the assignment of users to roles.
Abstract. The introduction of IT in e-Health often requires re-engineering the business processes used to deliver care. Obviously the new and re-engineered processes are observationally different and thus we cannot use existing model-based techniques to argue that they are somehow "equivalent".
The last years have seen the emergence of standards for capturing security and privacy aspects of information systems [Ashley et al., 2003, Cranor et al., 2002, OASIS, 2005]. Those standards provide language constructs but offer no methodological tool for actually making design decisions. In this setting, the inclusion of security features within the system design is usually done after the functional design phase.
Formal verification of security protocols has become a key issue in computer security. Yet, it has proven to be a hard task, often error-prone and discouraging for non-experts in formal methods. In this paper we show how security protocols can be specified and verified efficiently and effectively by embedding reasoning about actions into a logic programming language. In a nutshell, we view a protocol trace as a plan to achieve a goal, so that protocol attacks are plans achieving goals that correspond to security violations.
Abstract. Role-based access control (RBAC) is one of the most promising techniques for the design and implementation of security policies and its diffusion may be enhanced by the development of formal and automated methods of analysis. This paper presents a logic for practical reasoning about role-based access control which simplifies and adapts to RBAC the calculus developed at Digital SRC. Besides a language and a formal semantics, a decision method based on analytic tableaux is also given.
Abstract Protecting privacy means ensuring users that access to their personal data complies with their preferences. However, information can be manipulated in order to derive new objects that may disclose part of the original information. Therefore, control of information flow is necessary for guaranteeing privacy protection, since users should know and control not only who accesses their personal data, but also who accesses information derived from their data.
Abstract This paper presents a tableaux calculus for the Propositional Logic of Contexts with the ist(c, φ) modality. This approach has a twofold advantage: from the user viewpoint it presents rules which intuitively reflect epistemic properties (lifting, use of assumptions, etc.); from a computational perspective it allows local and incremental computation, satisfies strong confluence and can therefore be adapted efficiently to different search heuristics. The modelling of contexts as partial objects is obtained by using superficial assignments.
Abstract Recently, there has been an increase in reported security threats hitting organizations. Some of them originate from the assignment of inappropriate permissions on organizational sensitive data to users. Thus it is crucial for organizations to recognize as early as possible the risks deriving from inappropriate access right management and to identify the solutions that they need to prevent such risks.
Cryptographic algorithms play a key role in computer security and the formal analysis of their robustness is of utmost importance. Yet, logic and automated reasoning tools are seldom used in the analysis of a cipher, and thus one cannot often get the desired formal assurance that the cipher is free from unwanted properties that may weaken its strength.
How to design a security engineering process that can cope with the dynamic evolution of Future Internet scenarios and the rigidity of existing system engineering processes?
Abstract Autonomic communications seek to improve the ability of networks and services to cope with unpredicted change, including changes in topology, load, task, the physical and logical characteristics of the networks that can be accessed, and so forth.
Integrating security concerns throughout the whole software development process is one of today's challenges in software and requirements engineering research, a challenge that so far has proved difficult to meet. The major difficulty is that providing security does not only require solving technical problems but also reasoning about the organization as a whole.
• New application C arrives on the platform. Desired behavior:
  - C will only call shareable interfaces ID1, ID2, ID3
  - C will only call shareable interface ID
  - C will only call ID2 after calling ID3
• Advanced Desired Behavior:
  - Information flow only TO and FROM service ID1 at any point
  - Call flow TO service ID2 only after service call FROM ID3
Autonomic communication and computing is a new paradigm for dynamic service integration over a network. An autonomic network crosses organizational and management boundaries and is provided by entities that see each other just as partners. For many services no autonomic partner may guess a priori what will be sent by clients, nor may clients know a priori what credentials are required to access a service.

To address this problem we propose a new interactive access control: servers should interact with clients, asking for missing credentials necessary to grant access, whereas clients may supply or decline the requested credentials. Servers evaluate their policies and interact with clients until a decision of grant or deny is taken.

This proposal is grounded in a formal model on policy-based access control. It identifies the formal reasoning services of deduction, abduction and consistency. Based on them, the work proposes a comprehensive access control framework for autonomic systems. An implementation of the interactive model is given followed by system performance evaluation.
The protection of customer privacy is a fundamental issue in today's corporate marketing strategies. Not surprisingly, many research efforts have proposed new privacy-aware technologies. Among them, Hippocratic databases offer mechanisms for enforcing privacy rules in database systems for inter-organizational business processes (also known as virtual organizations). This paper extends these mechanisms to allow for hierarchical purposes, distributed authorizations and minimal disclosure supporting the business processes of virtual organizations that want to offer their clients a number of ways to fulfill a service. Specifically, we use a goal-oriented approach to analyze privacy policies of the enterprises involved in a business process. On the basis of the purpose hierarchy derived through a goal refinement process, we provide algorithms for determining the minimum set of authorizations needed to achieve a service. This allows us to automatically derive access control policies for an inter-organizational business process from the collection of privacy policies associated with different participating enterprises. By using effective on-line algorithms, the derivation of such minimal information can also be done on-the-fly by the customer wishing to access a service.
SET (Secure Electronic Transaction) is a suite of protocols proposed by a consortium of credit card companies and software corporations to secure e-commerce transactions. The Purchase part of the suite is intended to guarantee the integrity and authenticity of the payment transaction while keeping the Cardholder's account details secret from the Merchant and his choice of goods secret from the Bank. This paper details the first verification results for the complete Purchase protocols of SET. Using Isabelle and the inductive method, we show that their primary goal is indeed met. However, a lack of explicitness in the dual signature makes some agreement properties fail: it is impossible to prove that the Cardholder meant to send his credit card details to the very payment gateway that receives them. A major effort in the verification went into digesting the SET documentation to produce a realistic model. The protocol's complexity and size make verification difficult, compared with other protocols. However, our effort has yielded significant insights.
Autonomic computing and communication has become a new paradigm for dynamic service integration and resource sharing in today's ambient networks. Devices and systems need to dynamically collaborate and federate with little known or even unknown parties in order to perform everyday tasks. Those devices and systems act as independent nodes that autonomously manage and enforce their own security policies.
Thus, in autonomic pervasive communications, clients may not know a priori what access rights they need in order to execute a service, nor may service providers know a priori what credentials and privacy requirements clients have, so that they can take appropriate access decisions.
To solve this problem we propose a negotiation scheme that protects security and privacy interests with respect to information disclosure while still providing effective access control to services. The scheme proposes a negotiation protocol that allows entities in a network to mutually establish sufficient access rights needed to grant a service.
Privacy protection is a growing concern in the marketplace. Yet, privacy requirements and mechanisms are usually retro-fitted into a pre-existing design which may not be able to accommodate them due to potential conflicts with functional requirements.

We propose a procedure for automatically extracting privacy requirements from databases supporting access control mechanisms for personal data (hereafter Hippocratic databases) and representing them in the Secure Tropos framework where tools are available for checking the correctness and consistency of privacy requirements. The procedure is illustrated with a case study.
In earlier work, we have introduced Secure Tropos, a requirements engineering methodology that extends the Tropos methodology and is intended for the design and analysis of security requirements. This paper briefly recaps the concepts proposed for capturing security aspects, and presents an implemented graphical CASE tool that supports the Secure Tropos methodology. Specifically, the tool supports the creation of Secure Tropos models, their translation to formal specifications, as well as the analysis of these specifications to ensure that they comply with specific security properties. Apart from presenting the tool, the paper also presents a two-tier evaluation consisting of two case studies and an experimental evaluation of the tool's scalability.
A number of recent proposals aim to incorporate security engineering into mainstream software engineering. Yet, capturing trust and security requirements at an organizational level, as opposed to an IT system level, and mapping these into security and trust management policies is still an open problem. This paper proposes a set of concepts founded on the notions of ownership, permission, and trust and intended for requirements modeling. It also extends Tropos, an agent-oriented software engineering methodology, to support security requirements engineering. These concepts are formalized and are shown to support the automatic verification of security and trust requirements using Datalog. To make the discussion more concrete, we illustrate the proposal with a Health Care case study.