131 |
Automated Security Analysis of Infrastructure Clouds
Bleikertz, Sören. January 2010
Cloud computing has gained remarkable popularity in recent years by a wide spectrum of consumers, ranging from small start-ups to governments. However, its benefits in terms of flexibility, scalability, and low upfront investments are shadowed by security challenges which inhibit its adoption. In particular, these highly flexible but complex cloud computing environments are prone to misconfigurations leading to security incidents, e.g., erroneous exposure of services due to faulty network security configurations. In this thesis we present a novel approach in the security assessment of multi-tier architectures deployed on infrastructure clouds such as Amazon EC2. In order to perform this assessment for the currently deployed configuration, we automated the process of extracting the configuration using the Amazon API and translating it into a generic data model for later analysis. In the assessment we focused on the reachability and vulnerability of services in the virtual infrastructure, and presented a way for the visualization and automated analysis based on reachability and attack graphs. We proposed a query and policy language for the analysis which can be used to obtain insights into the configuration and to specify desired and undesired configurations. We have implemented the security assessment in a prototype and evaluated it for practical and theoretical scenarios. Furthermore, a framework is presented which allows the evaluation of configuration changes in the agile and dynamic cloud environments with regard to properties like vulnerabilities or expected availability. In case of a vulnerability perspective, this evaluation can be used to monitor the security levels of the configuration over its lifetime and to indicate degradations.
|
132 |
Specification of security properties by JML
Dulaj, Ilir. January 2010
Nowadays, verification of programs is gaining increased importance. The software industry appears more and more interested in methods and tools to ensure security in their applications. Java Modeling Language has been successfully used in the past by programmers to express their intentions in the Design by Contract fashion in sequential programming. One of the design goals of JML was to improve the functional software correctness of Java applications. Regarding the verification of security properties, JML was mostly successful in Java Smart Card applets due to the specifics of these applications. In this thesis work we investigate the feasibility of JML to express high-level security properties in Java applications that have more realistic requirements and are implemented in the object oriented technology. We do a threat analysis of a case study regarding a medical clinic and derive the required security properties to secure the application. We develop a prototype application where we specify high-level security properties with JML and use a runtime assertion checking tool to verify the code. We model the functional behavior of the prototype that establishes the security properties as a finite state automaton. Our prototype is developed based on this automaton. States and state transitions modeled in the automaton are expressed in the prototype with JML annotations and verified during runtime. We observe that currently available features in JML are not very feasible to capture the security related behavior of Java programs on the level of the entire application.
|
133 |
Design and implementation of a framework for security metrics creation / Konstruktion och användning av ett ramverk för säkerhetsmetriker
Lundholm, Kristoffer. January 2009
Measuring information security is the key to unlocking the knowledge of how secure information systems really are. In order to perform these measurements, security metrics can be used. Since all systems and organizations are different, there is no single set of metrics that is generally applicable. In order to help organizations create metrics, this thesis will present a metrics creation framework providing a structured way of creating the necessary metrics for any information system. The framework takes a high level information security goal as input, and transforms it to metrics using decomposition of goals that are then inserted into a template. The thesis also presents a set of metrics based on a minimum level of information security produced by the Swedish emergency management agency. This set of metrics can be used to show compliance with the minimum level or as a base when a more extensive metrics program is created.
|
134 |
Share Computing Protocols over Fields and Rings
Kahrs, Katharina. January 2009
In this thesis, we explain linear secret sharing schemes, in particular multiplicative threshold linear secret sharing schemes, over fields and rings in a compact and concise way. We explain two characterisations of linear secret sharing schemes, and in particular, we characterise threshold linear secret sharing schemes. We develop an algorithm to generate all multiplicative $(t+1)$-out-of-$n$ threshold linear secret sharing schemes over a field $\mathbb{Z}_{p}$. For the ring $\mathbb{Z}_{2^{32}}$, we explain the generation of secret sharing schemes for threshold access structures and prove the non-existence of $(t+1)$-out-of-$n$ threshold linear secret sharing schemes with $n > t+1$.
|
135 |
Trusted secure service design: Enhancing trust with the future SIM cards
Vilarinho, Thomas Carlyle. January 2009
SIM cards are going through several new enhancements both in the underlying hardware and its capabilities. They are becoming secure wireless networked devices containing embedded sensors. This thesis assesses how these new SIM capabilities, together with its pervasiveness and security, can support the development and design of trust-based applications. It reviews the new trust possibilities based on the identity factor, connectivity and context-awareness sensors on the SIM. Moreover, we present a specific use-case around a seamless trust builder for social networks, which makes use of sensed inputs towards building hard contextual evidences to trust relations. We conclude with the description of the challenges of building this evidence-based trust-builder and the necessary steps to go from the prototype we developed to a real application which may accurately describe trust relations.
|
136 |
Detection of intermediary hosts through TCP latency propagation
Singh, Gurvinder. January 2009
Today people from all lifestyles, government officials, researchers and executives use the Internet. People have started to depend on the Internet for their daily life. However, the increased dependence comes with a great risk. The popularity and potential of the Internet attracts users with illegal intentions as well. The attackers generally establish a connection chain by logging in to a number of intermediary hosts before launching an attack at the victim host. These intermediary hosts are called stepping-stones. On the victim side, it becomes hard to detect whether the peer communicating with the victim is the real originator of the connection or is merely acting as an intermediary host in the connection chain. This master dissertation proposed an approach based on Interarrival packet time to distinguish an incoming connection from a connection coming via some intermediary hosts. The proposed approach uses information available at the receiving end and is applicable to encrypted traffic too. The approach was successfully tested for SSH, Telnet, FTP, HTTP and SMTP protocols and implemented into an intrusion detection system for corresponding protocols. The main applications for the proposed approach are Manual intrusion detection, Tor usage detection and Spam messages detection. The approach is also applicable for digital forensics investigations.

Keywords: Network security, Stepping stone detection, Manual intrusion detection, Tor usage detection, Spam detection and Digital forensics investigation.
|
137 |
Identity Management with Petname Systems
Ferdous, Md. Sadek. January 2009
In the first part of the thesis, we have focused on providing a brief overview of Petname Systems starting from the introductory concept of Entity, Identity and Identity Management with a brief description on different IdM architectures. We have found that the Petname Model is well suited to be integrated in the Personal SP Identity model. We also provided a brief description on Identity Theft and the Phishing attack with different attack techniques and defense mechanisms. Then we summarized the history and evolution of the Petname Model in one place. Previously it was scattered among several web articles. We have formally defined the properties of Petname Systems and explained how this set of properties can satisfy the essential security usability principles. It is our belief that if these properties are followed in developing applications based on the Petname Model, it will improve the user experience and improve overall security by removing security vulnerabilities related to poor usability. The thesis has also analyzed two available Petname-based applications for server identification management and shown that they represent an improvement in usability, but unfortunately do not satisfy all the specified Security Usability principles. In the second part, we have developed the UniPet, a Petname Model based application with similar functionalities of the Petname Tool and the TrustBar, that utilizes the concept of aiding the user in identifying SP identities securely on their side. We have deployed several technologies to meet the complex level of interaction the UniPet asks for. We have provided a brief discussion on each of the technologies to better understand the UniPet architecture. We have also shown that the UniPet has been a major improvement on GUI and on the security usability issues over those two applications. The UniPet satisfies all the properties of a Petname System and thus is fully compliant with the Security Usability principles. We believe that the UniPet will provide the users with an improved and secure browsing experience.
|
138 |
Performance Evaluation Framework for a SIP-based Telecommunication Call Handling System
Sangvanphant, Nattanond. January 2009
Session Initiation Protocol (SIP) has been used for signaling in many Voice over IP (VoIP) applications. Being more cost-effective than conventional circuit-switched systems, IP-based telecommunication systems are extensively employed by many service providers. As these systems gain more popularity, the need for dimensioning of such systems grows correspondingly. Moreover, accurate information about system capacity is necessary for future improvements of the system, as well as service provision and implementation planning. For these reasons, a solution supporting system performance evaluation is useful and beneficial in several ways. The goal of this research was to develop a performance evaluation framework for a SIP-based telecommunication system. The developed framework facilitates measurements of the maximum number of requests which can be processed by a system, and the amount of time required for call session establishment. With a user-friendly interface, the framework enables system testers to perform experiments using simulated SIP traffic, as well as to deal with results interpretation easily. In order to achieve the objective, studies of related technologies and available tools for SIP traffic generation have been carried out. Afterwards, the performance evaluation framework is designed and implemented. Lastly, the developed framework is used for evaluating the performance of EasyVPaBX, a SIP-based call handling system, in various system configurations.

Keywords: SIP, Performance, Evaluation, Dimensioning, Measurement
|
139 |
Study of TCP friendliness of CEAS routing system in comparison with Distance Vector Routing and Link State Routing
Tamrakar, Sandeep. January 2009
With the continuous development of the Internet technologies new routing requirements have surfaced. In response, several adaptive, stochastic routing algorithms have been proposed. The Cross Entropy Ant System (CEAS) is an adaptive, robust and distributed routing and management system based on the swarm intelligence. Several prototype implementations and enhancements have been made on this system, however the level of TCP friendliness the CEAS may provide is yet an important issue. In order to investigate the level of TCP friendliness, the behavior of the CEAS system during different network dynamics needs to be understood. For this reason, the behavior of the CEAS system under different network events and its corresponding effects on TCP performance is examined first using a simple network. Later the level of TCP performance is measured on complex networks. Also the load sharing capabilities of the CEAS system is investigated the efficiency of the system to manage and update according to the network load. Additionally the results are compared against the results obtained from the standard Link State Routing protocol and the Distance Vector Routing protocol under similar conditions. In this work, we find that the update process in response to the change in network dynamics is slower on CEAS compared to the other systems. However, the update process speeds up with the increase in the ant rates. During such period the use of multiple paths reduces the TCP performance. We also find that a large amount of packets loop around some links during link failures. Such looping reduces the TCP performance significantly. However, implementing previous hop memory technique removes such loops and also helps TCP resume transmission immediately after the link failure. Compared to the LSRP and the DVR, we find that CEAS manages network resources more efficiently to produce higher TCP performance. We find that the CEAS diverts the data traffic on the basis of the quality of the path rather than the length of the path. We also find that the CEAS system handles multiple TCP streams independently with equal priority. But the smaller transition delay on the ants compared to the data packet reduces the TCP performance to some extent. However, forcing the ants to experience longer queuing delay according to the traffic load improves the TCP performance as well as helps CEAS update more accurately.
|
140 |
A secure mobile phone-based interactive logon in Windows
Bodriagov, Oleksandr. January 2010
Password-based logon schemes have many security weaknesses. Smart card and biometric based authentication solutions are available as a replacement for standard password-based schemes for security sensitive environments. However, the cost of deployment and maintenance of these systems is quite high. On the other hand, mobile network operators have a huge base of deployed smart cards that can be reused to provide authentication in other areas significantly reducing costs. This master's thesis presents a study of how the workstation identity management can be made more secure and user-friendly by using a mobile phone in the Windows workstation logon process. Two workstation logon schemes that utilize both the mobile phone and the UICC inside of the phone are proposed as a result of this study. The first scheme emulates a smart card reader and a smart card in order to interoperate with the Windows smart card framework to provide PKI-based logon. The mobile phone with the UICC card emulates a smart card that communicates with the emulated smart card reader via protected Bluetooth channel. The proposed scheme reuses the Windows smart card infrastructure as much as possible, both in terms of software and hardware. Therefore, a seamless integration with Active Directory and Windows server is achieved. This scheme can work with any authentication scheme used with real smart cards. It can be used not only for the logon but also for all other functions typically done with smart cards (e.g. signing of documents, e-mails). In the second scheme, the mobile phone with the UICC serves as a token for generating OTP values based on a shared secret key and the time parameter. In order to design Windows logon architectures based on mobile phones, a study of relevant technologies, components, and their security aspects has been conducted. Existing phone-based authentication schemes have been thoroughly studied both from the usability and from the security points of view. This has been done to understand possible alternatives for different aspects of the architectures that were designed. The thesis analyzed how new authentication schemes in general and those that work with mobile phones in particular could be integrated into the Windows logon system. A conclusion is made that it is impossible to make a generic architecture that would easily support all existing and possible future mobile phone authentication schemes for the Windows logon. Windows is already a highly customizable environment and can support virtually any authentication scheme for the logon, though a considerable amount of modifications may be required to implement a particular scheme.
|