SEMINAR: SECURE SYSTEMS ENGINEERING. Introduction October 20, 2016

OUTLINE
1. Basic Requirements
2. Preliminary Dates
3. Seminar Guidelines
4. Presentation of the Topics

Basic Requirements
- Completion of a seminar thesis in English
  - 20 pages
  - written in LaTeX
  - We provided a template
- Design and run a presentation
  - Presentation is 30 min, to be held in a block seminar
  - 20 min for the contents
  - 10 min for discussion
- Reviews
  - Internal peer-review by students
  - also by supervisor

Preliminary Dates
- Thu, 20.10., 4:00 p.m.: Topic presentation
- Thu, 27.10., 11:00 a.m.: Seminar guidelines & introduction to scientific working

The following dates have their deadline at 23:59 CET:
- Thu, 24.11.: Outline and literature references (student)
- Thu, 15.12.: Seminar thesis for review (student)
- Fr, 16.12.: Assignment of peer reviews (supervisors)
- Fr, 23.12.: Completed peer-review (student)
- Su, 15.01.: Presentation for supervisor feedback (student)
- Su, 22.01.: Supervisor feedback: presentation (supervisors)
- Su, 12.02.: Camera-ready version of thesis (student)
- Su, 26.02.: Supervisor feedback: thesis (supervisors)
- Su, 12.03.: Final hand-in of thesis (student)

Presentations (block seminar): 30.01.-03.02.2016

Seminar Guidelines
- Thursday, 27.10., 11:00 a.m. in ZM1.02-48
- Presentation of seminar guidelines and rules
- Introduction to scientific working
- Participation is mandatory

Topic Selection
- Doodle poll
  - Choose exactly three topics
  - Each topic will be drawn from all applicants
  - Poll will be opened today at 6 p.m. and will be closed on Monday, October 24th at 4 p.m.
- You will be informed via e-mail which topic you are assigned
- Please confirm this mail by Tuesday, October 25th at 6 p.m.

Topic 1: Model-driven Security for Embedded Systems
Supervisor: Johannes Geismann
- When designing safe and secure embedded systems, not only software but also hardware has to be considered
- Model-driven approaches are used to assist designers and developers in early development steps
- SysML-Sec is a method for this task

Your task:
- Give a comprehensive overview
  - Which threats / attacks are considered?
  - Which viewpoints are covered?
  - What are the assumptions/limitations made in this approach?
- Compare to related approaches

Literature:
- Ludovic Apvrille, Yves Roudier, "SysML-Sec: A Model-Driven Environment for Developing Secure Embedded Systems", Proceedings of the 8th conference on the security of network architecture and information systems (SARSSI'2013), Mont de Marsan, France, 16-18 Sept. 2013
- Ludovic Apvrille, Yves Roudier, "SysML-Sec: A Model Driven Approach for Designing Safe and Secure Systems", Special session on Security and Privacy in Model Based Engineering, 3rd International Conference on Model-Driven Engineering and Software Development (Modelsward), Angers, France, Feb. 2015

Topic 2: Modelling of Cryptographic Algorithms
Supervisor: Stefan Krüger, stefan.krueger@upb.de

In Summary:
- Candidate's task: Compare two modelling languages in terms of their suitability for cryptography
- One student: Comparison based on papers
- Two students: Papers + creating a model of a subdomain in both languages

Literature:
- [Boucher et al., Introducing TVL, a Text-based Feature Modelling Language, VaMoS 2010]
- [Nadi et al., Variability Modeling of Cryptographic Components (Clafer Experience Report), VaMoS 2016]
- [Bak et al., Unifying Class and Feature Modelling, SoSyM 2014]

Topic 3: Architecture-based Intrusion Detection
Supervisor: David Schubert

[Diagram labels: User, Client, Database]

- Code typically has flaws that can be exploited
- Finding all these flaws manually or by automated analyses is hard and expensive
- A second line of defense are runtime approaches that monitor the running system and aim at detecting intrusions (deviations from normal system behavior)
- These approaches are categorized by their information source

Literature:
- Yuan, Eric, and Malek, Sam. "Mining Software Component Interactions to Detect Security Threats at the Architectural Level." DOI 10.1109/WICSA.2016.12
- Lazarevic, Aleksandar, Vipin Kumar, and Jaideep Srivastava. "Intrusion detection: A survey." DOI 10.1007/0-387-24230-9_2

Your Task:
1. Recap the approach by Yuan and Malek
2. Emphasize the (dis)advantages compared to classical host and network-based intrusion detection

Topic 4: Secure Isolation of Native Code for Java
Supervisor: Andreas Dann, adann@mail.upb.de

- General Risk: Java, Python, C#, JS, etc.
- Security Risk: Malicious/Buggy
- Real-Problem: Web-Server, Android, Plugins
- [Diagram labels: Java Application, 3rd Party Library, Outside of Language Security]
- Solution: SFI, Process,

Approaches:
- Robusta, Siefers J. et al., 2010, DOI: 10.1145/1866307.1866331
- JVM-Portable Sandboxing, Sun, M., 2012, DOI: 10.1007/978-3-642-33167-1_48
- JNICodejail, Hassanshahi B., 2013, DOI: 10.1145/2500828.2500848

Your Task: Compare Approaches
- What is the concept?
- What threats are mitigated?
- What are drawbacks?
- Your Conclusion?

Topic 5: Static Analysis using LLVM
Supervisor: Philipp Schubert (Philipp.Schubert@upb.de)

- Static analyses can be used for automated bug detection and code optimization
- Static analysis builds on compiler infrastructure and vice versa

Your task:
- Familiarize yourself with the powerful compiler technology LLVM (C/C++ based)
- Give an overview of LLVM's capabilities
  - What is the concept?
  - What are the benefits?
  - What are the drawbacks?
  - What are the characteristics of the used IR?
- Compare the LLVM project to related approaches
- Two students: comprehensive comparison with the Graal & Truffle project

Learning outcomes:
- Understand basic concepts of compiler technology & static analysis
- Gain a deeper understanding of how programming languages are processed

Literature:
- Chris Lattner and Vikram Adve. 2004. LLVM: A Compilation Framework for Lifelong Program Analysis & Transformation. In Proceedings of the international symposium on Code generation and optimization: feedback-directed and runtime optimization (CGO '04). IEEE Computer Society, Washington, DC, USA, 75-.

Topic 6: Graal & Truffle Compiler Technology
Supervisor: Philipp Schubert (Philipp.Schubert@upb.de)

- Static analyses can be used for automated bug detection and code optimization
- Several compiler projects exist (specific advantages / disadvantages)

Your task:
- Familiarize yourself with the Graal & Truffle project (Java based)
  - What is the concept of Graal & Truffle?
  - What are the benefits?
  - What are the drawbacks?
  - What are the characteristics of the used IR?
- Compare the Graal project to related approaches
- Two students: comprehensive comparison with the LLVM project

Learning outcomes:
- Understand basic concepts of compiler technology & static analysis
- Gain a deeper understanding of how programming languages work

Literature:
- https://github.com/graalvm/graal-core/blob/master/docs/publications.md

Topic 7: Security Risks in Android's Inter-App Communication
Supervisor: Goran Piskachev

- Android apps can exchange messages to reuse functionality provided by components in other applications
- For example, a review app for restaurants can ask the map application to display the location of the restaurant
- Problem: The Android message passing system, which enables the Inter-App communication, may be attacked if it is used incorrectly. The messages can be sniffed, modified, or stolen.
- Approach: Analysis of Android applications and automatic detection of known vulnerabilities related to the Inter-App communication

Your task:
- Give an overview and classification of attacks on the Inter-App communication
- Evaluate at least two analysis tools using your classification

Literature:
- Erika Chin, Adrienne Porter Felt, Kate Greenwood, and David Wagner. 2011. Analyzing inter-application communication in Android. In Proceedings of the 9th international conference on Mobile systems, applications, and services (MobiSys '11). ACM, New York, NY, USA, 239-252
- Damien Octeau, Patrick McDaniel, Somesh Jha, Alexandre Bartel, Eric Bodden, Jacques Klein, and Yves Le Traon. 2013. Effective inter-component communication mapping in Android with Epicc: an essential step towards holistic security analysis. In Proceedings of the 22nd USENIX conference on Security (SEC'13). USENIX Association, Berkeley, CA, USA, 543-558.

Topic 8: Surveying Requirements Specification Approaches for Information Flow Security
Supervisor: Christopher Gerking

- Secure Information Flow of Cyber-Physical Systems (CPS) is critical
- Problem: How to specify Information Flow Requirements?

Your Task:
- review existing Approaches for Security Requirements Specification,
- assess their Applicability in the Context of Information Flow Security for CPS

Literature:
- Fabian, B., Gürses, S., Heisel, M., Santen, T., Schmidt, H.: A comparison of security requirements engineering methods. Requirements Engineering 15(1), 7-40 (2010)
- Meland, P.H., Tøndel, I.A., Jaatun, M.G.: Security requirements for the rest of us: A survey. IEEE Software 25(1), 20-27 (2008)
- Mellado, D., Blanco, C., Sánchez, L.E., Fernández-Medina, E.: A systematic review of security requirements engineering. Computer Standards & Interfaces 32(4), 153-165 (2010)

Topic 9: Relaxing Information Flow Restrictions by means of Information Declassification
Supervisor: Christopher Gerking

- Classical Noninterference Policy too strict in Practice
- Problem: How to relax Information Flow Restrictions?

Your Task:
- study the Theory of Noninterference,
- give an Overview of existing Approaches for Declassification,
- demonstrate Advantages and Shortcomings in the context of CPS

Literature:
- Goguen, J.A., Meseguer, J.: Security policies and security models. In: 1982 IEEE Symposium on Security and Privacy. pp. 11-20. IEEE Computer Society (1982)
- Zdancewic, S.: Challenges for information-flow security. In: Workshop on the Programming Language Interference and Dependence (PLID'04) (2004)
- Sabelfeld, A., Sands, D.: Declassification: Dimensions and principles. Journal of Computer Security 17(5), 517-548 (2009)

Topic 10: A Survey of Static Code Analysis techniques for PLC Programs
Supervisor: Faezeh Ghassemi, faezeh.ghassemi@iem.fraunhofer.de

- Static code analysis (SCA) is analyzing the code without executing it
- There are plenty of SCA tools and techniques for languages like Java and C
- Not many tools/approaches for PLC programming languages

Your task:
- Make a survey of existing static analysis tools and methods for PLC programming languages and explain their capabilities as well as advantages and disadvantages

Literature:
- H. Prahofer; F. Angerer; R. Ramler; F. Grillenberger, "Static Code Analysis of IEC 61131-3 Programs: Comprehensive Tool Support and Experiences from Large-Scale Industrial Application," in IEEE Transactions on Industrial Informatics, vol.pp, no.99, pp.1-1 doi: 10.1109/TII.2016.2604760
- S. Stattelmann, S. Biallas, B. Schlich and S. Kowalewski, "Applying static code analysis on industrial controller code," Proceedings of the 2014 IEEE Emerging Technology and Factory Automation (ETFA), Barcelona, 2014, pp. 1-4. doi: 10.1109/ETFA.2014.7005254

Topic 11: SECURE TROPOS Integrating Security and Systems Engineering
Supervisor: Thorsten Koch

Problem
- Security is a crucial issue for information systems. However, in Software Engineering security is mainly considered as a non-functional requirement after the definition of the system. This approach often leads to problems, which translate to security vulnerabilities.

Approach
- The methodology Secure Tropos is proposed to model and analyze security requirements alongside functional requirements. It provides a requirements analysis process that drives system designers from the acquisition of requirements up to their verification to consider security during the whole development process.

Your Task
- Describe the methodology Secure Tropos
- Especially focus on the possibilities to analyze the specified security requirements

Literature
- Mouratidis, H.; Giorgini, P.; Manson, G.: Integrating Security and Systems engineering: Towards the Modelling of Secure Information Systems in CAiSE 2003 [http://dx.doi.org/10.1007/3-540-45017-3_7]
- [http://www.troposproject.org/node/301]

Topic Selection
- Doodle poll
  - Choose exactly three topics
  - Each topic will be drawn from all applicants
  - Poll will be opened today at 6 p.m. and will be closed on Monday, October 24th at 4 p.m.
- Write a mail if you would like to work in a group
  - Names of both students
  - Topic number
  - Important: Both students have to mark this topic in the doodle poll!
- You will be informed via e-mail which topic you are assigned
- Please confirm this mail by Tuesday, October 25th at 6 p.m.