Global ETD Search

111	Validating Side Channel models in RISC-V using Model-Based Testing Vitek, Viktor January 2021 (has links) Microarchitecture’s optimizations have increased the performance but lowered the security. Speculative execution is one of the optimizations that was thought to be secure, but it is exploitable to leak information. The problem with these exploits is that there is no easy software defence and many exploits could be unexplored due to it being a fairly recent discovery. This thesis explores a way to find code that is vulnerable to this. The solution to the problem is to use the tool Side Channel Abstract Model Validator (SCAMV) which implements the method Model-Based Testing (MBT). We examine the core CVA6, which is a RISCV Central Processing Unit (CPU). Test cases are generated by program generators and interesting ones are selected by applying an observational model to them. The observational model abstracts side-channel leakage of the microarchitecture. The selected test cases are executed on the platform to validate the used observational models. The results of the test cases showed no indication of modifying the side channels under speculative execution. The results showed that SCAMV can examine timing-based channels. The conclusion is that our findings indicate that the CVA6 core is not vulnerable to speculative cache or timing-based side-channel attacks. / Optimeringar på mikroarkitektur nivåer har ökat prestandan men minskat säkerheten. Spekulativt utförande (speculative execution) är en av de optimeringar som har ansetts vara säkert, men det har visats att det kan utnyttjas för att läcka information. Problemet med dessa sårbarheter är att det inte finns något enkelt mjukvaruförsvar och att många sårbarheter fortfarande kan vara outforskade. Denna avhandling undersöker ett sätt att försöka hitta kod som är sårbar för detta. Lösningen på problemet är att använda verktyget SCAMV som använder sig av metoden Model-Baserad Testning. Vi undersöker CVA6, vilket är en RISCV CPU. Testfall genereras av programgeneratorer och intressanta testfall väljs genom att tillämpa en observationsmodell på dem. Observationsmodellen abstraherar sidokanalläckage i mikroarkitekturen. De valda testprogrammen verkställs på plattformen för att validera de använda observationsmodellerna. Resultatet från testfallen visade ingen indikation på att det går att modifiera sidokanalerna under spekulativt utförande. Resultatet visade att SCAMV kan undersöka tidsbaserade kanaler. Slutsatsen är att våra resultat indikerar att CVA6 inte är sårbar för spekulativa cache eller tidsbaserade sidokanalattacker. Computer Sciences Datavetenskap (datalogi)
112	Achieving Compositional Security and Privacy in IoT Environments Muslum Ozgur Ozmen (18870154) 11 September 2024 (has links) <p dir="ltr">The Internet of Things (IoT) systems include sensors that measure the physical world, actuators that influence it, and IoT apps that automate these sensors and actuators. Although IoT environments have revolutionized our lives by integrating digital connectivity into physical processes, they also introduce unique security and privacy concerns. Particularly, these systems include multiple components that are unified through the cyber and physical domains. For instance, smart homes include various devices and multiple IoT apps that control these devices. Thus, attacks against any single component can have rippling effects, amplifying due to the composite behavior of sensors, actuators, apps, and the physical environment.</p><p dir="ltr">In this dissertation, I explore the emerging security and privacy issues that arise from the complex physical interactions in IoT environments. To discover and mitigate these emerging issues, there is a need for composite reasoning techniques that consider the interplay between digital and physical domains. This dissertation addresses these challenges to build secure IoT environments and enhance user privacy with new formal techniques and systems.</p><p dir="ltr">To this end, I first describe my efforts in ensuring the safety and security of IoT en- vironments. Particularly, I introduced IoTSeer, a security service that discovers physical interaction vulnerabilities among IoT apps. I then proposed attacks that evade prior event verification systems by exploiting the complex physical interactions between IoT sensors and actuators. To address them, I developed two defenses, software patching and sensor placement, to make event verification systems robust against evasion attacks. These works provide a suite of tools to achieve compositional safety and security in IoT environments. </p><p dir="ltr">Second, I discuss my work that identifies the privacy risks of emerging IoT devices. I designed DMC-Xplorer to find vulnerabilities in voice assistant platforms and showed that an adversary can eavesdrop on privacy-sensitive device states and prevent users from controlling devices. I then developed a remote side-channel attack against intermittent devices to infer privacy-sensitive information about the environment in which they are deployed. These works highlight new privacy issues in emerging commodity devices used in IoT environments.</p> Data and information privacy System and network security IoT Security Cyber-physical systems security Internet of Things Privacy Formal Methods
113	An investigation of information security policies and practices in Mauritius Sookdawoor, Oumeshsingh 30 November 2005 (has links) With the advent of globalisation and ever changing technologies, the need for increased attention to information security is becoming more and more vital. Organisations are facing all sorts of risks and threats these days. It therefore becomes important for all business stakeholders to take the appropriate proactive measures in securing their assets for business survival and growth. Information is today regarded as one of the most valuable assets of an organisation. Without a proper information security framework, policies, procedures and practices, the existence of an organisation is threatened in this world of fierce competition. Information security policies stand as one of the key enablers to safeguarding an organisation from risks and threats. However, writing a set of information security policies and procedures is not enough. If one really aims to have an effective security framework in place, there is a need to develop and implement information security policies that adhere to established standards such as BS 7799 and the like. Furthermore, one should ensure that all stakeholders comply with established standards, policies and best practices systematically to reap full benefits of security measures. These challenges are not only being faced in the international arena but also in countries like Mauritius. International researches have shown that information security policy is still a problematic area when it comes to its implementation and compliance. Findings have shown that several major developed countries are still facing difficulties in this area. There was a general perception that conditions in Mauritius were similar. With the local government's objective to turn Mauritius into a "cyber-island" that could act as an Information Communication & Technology (ICT) hub for the region, there was a need to ensure the adoption and application of best practices specially in areas of information security. This dissertation therefore aims at conducting a research project in Mauritius and assessing whether large Mauritian private companies, that are heavily dependent on IT, have proper and reliable security policies in place which comply with international norms and standards such as British Standard Organisation (BSO) 7799/ ISO 17799/ ISO 27001. The study will help assess the state of, and risks associated with, present implementation of information security policies and practices in the local context. Similarities and differences between the local security practices and international ones have also been measured and compared to identify any specific characteristics in local information security practices. The findings of the study will help to enlighten the security community, local management and stakeholders, on the realities facing corporations in the area of information security policies and practices in Mauritius. Appropriate recommendations have been formulated in light of the findings to improve the present state of information security issues while contributing to the development of the security community / Computing / M.Sc. (Information Systems) Adherence to established standards Information security framework Information security policy Information security practices Security standards Compliance Information security risk Procedures 005.8096982 Information policy -- Mauritius
114	Virtue Ethics: Examining Influences on the Ethical Commitment of Information System Workers in Trusted Positions Gray, John Max 01 January 2015 (has links) Despite an abundance of research on the problem of insider threats, only limited success has been achieved in preventing trusted insiders from committing security violations. Virtue ethics may be an approach that can be utilized to address this issue. Human factors such as moral considerations impact Information System (IS) design, use, and security; consequently they affect the security posture and culture of an organization. Virtue ethics based concepts have the potential to influence and align the moral values and behavior of information systems workers with those of an organization in order to provide increased protection of IS assets. An individual’s character strengths have been linked to positive personal development, but there has been very little research into how the positive characteristics of virtue ethics, exhibited through the character development of information systems workers, can contribute to improving system security. This research aimed to address this gap by examining factors that affect and shape the ethical perspectives of individuals entrusted with privileged access to information. This study builds upon prior research and theoretical frameworks on institutionalizing ethics into organizations and Information Ethics to propose a new theoretical model which demonstrates the influences on Information Systems Security (ISS) trusted worker ethical behavior within an organization. Components of the research model include ISS virtue ethics based constructs, organizational based internal influences, societal based external influences, and trusted worker ethical behavior. This study used data collected from 395 professionals in an ISS organization to empirically assess the model. Partial Least Squares Structural Equation Modeling was employed to analyze the indicators, constructs, and path relationships. Various statistical tests determined validity and reliability, with mixed but adequate results. All of the relationships between constructs were positive, although some were stronger and more significant. The expectation of the researcher in this study was to better understand the character of individuals who pose an insider threat by validating the proposed model, thereby providing a conceptual analysis of the character traits which influence the ethical behavior of trusted workers and ultimately information system security. Information science Information technology Ethics construct development ethical behavior model information systems security insider threat trusted workers virtue ethics Computer Sciences Computer Security Databases and Information Systems Ethics and Political Philosophy
115	Addressing the incremental risks associated with adopting a Bring Your Own Device program by using the COBIT 5 framework to identify keycontrols Weber, Lyle 04 1900 (has links) Thesis (MComm)--Stellenbosch University, 2014. / ENGLISH ABSTRACT: Bring Your Own Device (BYOD) is a technological trend which individuals of all ages are embracing. BYOD involves an employee of an organisation using their own mobile devices to access their organisations network. Several incremental risks will arise as a result of adoption of a BYOD program by an organisation. The research aims to assist organisations to identify what incremental risks they could potentially encounter if they adopt a BYOD program and how they can use a framework like COBIT 5 in order to reduce the incremental risks to an acceptable level. By means of an extensive literature review the study revealed 50 incremental risks which arise as a result of the adoption of a BYOD program. COBIT 5 was identified as the most appropriate framework which could be used to map the incremental risks against. Possible safeguards were identified from the mapping process which would reduce the incremental risks to an acceptable level. It was identified that 13 of the 37 COBIT 5 processes were applicable for the study. Theses -- Accountancy Dissertations -- Accountancy Computer networks -- Security measures Computer security -- Risk assessment Dissertations -- Computer auditing Theses -- Computer auditing UCTD
116	Statistical broadcast protocol design for VANET Unknown Date (has links) This work presents the development of the Statistical Location-Assisted Broadcast (SLAB) protocol, a multi-hop wireless broadcast protocol designed for vehicular ad-hoc networking (VANET). Vehicular networking is an important emerging application of wireless communications. Data dissemination applications using VANET promote the ability for vehicles to share information with each other and the wide-area network with the goal of improving navigation, fuel consumption, public safety, and entertainment. A critical component of these data dissemination schemes is the multi-hop wireless broadcast protocol. Multi-hop broadcast protocols for these schemes must reliably deliver broadcast packets to vehicles in a geographically bounded region while consuming as little wireless bandwidth as possible. This work contains substantial research results related to development of multi-hop broadcast protocols for VANET, culminating in the design of SLAB. Many preliminary research and development efforts have been required to arrive at SLAB. First, a high-level wireless broadcast simulation tool called WiBDAT is developed. Next, a manual optimization procedure is proposed to create efficient threshold functions for statistical broadcast protocols. This procedure is then employed to design the Distribution-Adaptive Distance with Channel Quality (DADCQ) broadcast protocol, a preliminary cousin of SLAB. DADCQ is highly adaptive to node density, node spatial distribution pattern, and wireless channel quality in realistic VANET scenarios. However, the manual design process used to create DADCQ has a few deficiencies. In response to these problems, an automated design procedure is created that uses a black-box global optimization algorithm to search for efficient threshold functions that are evaluated using WiBDAT. SLAB is finally designed using this procedure. / Expansive simulation results are presented comparing the performance of SLAB to two well-published VANET broadcast protocols, p -persistence and Advanced Adaptive Gossip (AAG), and to DADCQ. The four protocols are evaluated under varying node density and speed on five different road topologies with varying wireless channel fading conditions. The results demonstrate that unlike p-persistence and AAG, SLAB performs well across a very broad range of environmental conditions. Compared to its cousin protocol DADCQ, SLAB achieves similar reachability while using around 30% less wireless bandwidth, highlighting the improvement in the automated design methodology over the manual design. / by Michael J. Slavik. / Thesis (Ph.D.)--Florida Atlantic University, 2011. / Includes bibliography. / Electronic reproduction. Boca Raton, Fla., 200?. Mode of access: World Wide Web. Mobile communication systems--Evaluation
117	Enhancing security in distributed systems with trusted computing hardware Reid, Jason Frederick January 2007 (has links) The need to increase the hostile attack resilience of distributed and internet-worked computer systems is critical and pressing. This thesis contributes to concrete improvements in distributed systems trustworthiness through an enhanced understanding of a technical approach known as trusted computing hardware. Because of its physical and logical protection features, trusted computing hardware can reliably enforce a security policy in a threat model where the authorised user is untrusted or when the device is placed in a hostile environment. We present a critical analysis of vulnerabilities in current systems, and argue that current industry-driven trusted computing initiatives will fail in efforts to retrofit security into inherently flawed operating system designs, since there is no substitute for a sound protection architecture grounded in hardware-enforced domain isolation. In doing so we identify the limitations of hardware-based approaches. We argue that the current emphasis of these programs does not give sufficient weight to the role that operating system security plays in overall system security. New processor features that provide hardware support for virtualisation will contribute more to practical security improvement because they will allow multiple operating systems to concurrently share the same processor. New operating systems that implement a sound protection architecture will thus be able to be introduced to support applications with stringent security requirements. These can coexist alongside inherently less secure mainstream operating systems, allowing a gradual migration to less vulnerable alternatives. We examine the effectiveness of the ITSEC and Common Criteria evaluation and certification schemes as a basis for establishing assurance in trusted computing hardware. Based on a survey of smart card certifications, we contend that the practice of artificially limiting the scope of an evaluation in order to gain a higher assurance rating is quite common. Due to a general lack of understanding in the marketplace as to how the schemes work, high evaluation assurance levels are confused with a general notion of 'high security strength'. Vendors invest little effort in correcting the misconception since they benefit from it and this has arguably undermined the value of the whole certification process. We contribute practical techniques for securing personal trusted hardware devices against a type of attack known as a relay attack. Our method is based on a novel application of a phenomenon known as side channel leakage, heretofore considered exclusively as a security vulnerability. We exploit the low latency of side channel information transfer to deliver a communication channel with timing resolution that is fine enough to detect sophisticated relay attacks. We avoid the cost and complexity associated with alternative communication techniques suggested in previous proposals. We also propose the first terrorist attack resistant distance bounding protocol that is efficient enough to be implemented on resource constrained devices. We propose a design for a privacy sensitive electronic cash scheme that leverages the confidentiality and integrity protection features of trusted computing hardware. We specify the command set and message structures and implement these in a prototype that uses Dallas Semiconductor iButtons. We consider the access control requirements for a national scale electronic health records system of the type that Australia is currently developing. We argue that an access control model capable of supporting explicit denial of privileges is required to ensure that consumers maintain their right to grant or withhold consent to disclosure of their sensitive health information in an electronic system. Finding this feature absent in standard role-based access control models, we propose a modification to role-based access control that supports policy constructs of this type. Explicit denial is difficult to enforce in a large scale system without an active central authority but centralisation impacts negatively on system scalability. We show how the unique properties of trusted computing hardware can address this problem. We outline a conceptual architecture for an electronic health records access control system that leverages hardware level CPU virtualisation, trusted platform modules, personal cryptographic tokens and secure coprocessors to implement role based cryptographic access control. We argue that the design delivers important scalability benefits because it enables access control decisions to be made and enforced locally on a user's computing platform in a reliable way. trusted computing trusted computing hardware trusted systems operating system security distributed systems security smart card security evaluation tamper resistance distance bounding protocol side channel leakage electronic cash electronic health records role-based access control
118	Security and usability of authentication by challenge questions in online examination Ullah, Abrar January 2017 (has links) Online examinations are an integral component of many online learning environments and a high-stake process for students, teachers and educational institutions. They are the target of many security threats, including intrusion by hackers and collusion. Collu-sion happens when a student invites a third party to impersonate him/her in an online test, or to abet with the exam questions. This research proposed a profile-based chal-lenge question approach to create and consolidate a student's profile during the learning process, to be used for authentication in the examination process. The pro-posed method was investigated in six research studies using a usability test method and a risk-based security assessment method, in order to investigate usability attributes and security threats. The findings of the studies revealed that text-based questions are prone to usability issues such as ambiguity, syntactic variation, and spelling mistakes. The results of a usability analysis suggested that image-based questions are more usable than text-based questions (p < 0.01). The findings identified that dynamic profile questions are more efficient and effective than text-based and image-based questions (p < 0.01). Since text-based questions are associated with an individual's personal information, they are prone to being shared with impersonators. An increase in the numbers of chal-lenge questions being shared showed a significant linear trend (p < 0.01) and increased the success of an impersonation attack. An increase in the database size decreased the success of an impersonation attack with a significant linear trend (p < 0.01). The security analysis of dynamic profile questions revealed that an impersonation attack was not successful when a student shared credentials using email asynchronously. However, a similar attack was successful when a student and impersonator shared information in real time using mobile phones. The response time in this attack was significantly different when a genuine student responded to his challenge questions (p < 0.01). The security analysis revealed that the use of dynamic profile questions in a proctored exam can influence impersonation and abetting. This view was supported by online programme tutors in a focus group study. 371.33
119	Towards a conceptual framework for information security digital divide Chisanga, Emmanuel 10 1900 (has links) In the 21st century, information security has become the heartbeat of any organisation. One of the best-known methods of tightening and continuously improving security on an information system is to uniquely and efficiently combine the human aspect, policies, and technology. This acts as leverage for designing an access control management approach which not only avails parts of the system that end-users are permitted to but also regulates which data is relevant according to their scope of work. This research explores information security fundamentals at organisational and theoretical levels, to identify critical success factors which are vital in assessing the organisation’s security maturity through a model referred to as “information security digital divide maturity framework”. The foregoing is based on a developed conceptual framework for information security digital divide. The framework strives to divide end-users, business partners, and other stakeholders into “specific information haves and have-nots”. It intends to assist organisations to continually evaluate and improve on their security governance, standards, and policies which permit access on the basis of each end-user or stakeholder’s business function, role, and responsibility while at the same time preserving the traditional standpoint of confidentiality, integrity, and availability. After a thorough review of a range of frameworks that have influenced the information security landscape, COBITTM was relied upon as a baseline for the development of the framework of the study because of its rich insight and maturity on IT management and governance. To ascertain that the proposed framework meets the required expectation, a survey targeting end-users within three participating organisations was carried out. The outcome revealed the current maturity level of each participating organisation, highlighting strengths and limitations of current information security practices. As such, for new organisations relying on the proposed framework for the first time, the outcome of such an assessment will represent a benchmark to be relied on for further improvement before embarking on the next maturity assessment cycle. In addition, a second survey was conducted with subject matter experts in information security. Data generated and collected through a questionnaire was then analysed and interpreted qualitatively and quantitatively in order to identify aspects, not only to gauge the acceptance of the proposed conceptual framework but also to identify areas for improvements. The study found that there was a general consensus amongst experts on the importance of a framework for benchmarking information security digital divide in organisations. It also provided a range of valuable input relied upon to improve the framework to its final version. / School of Computing / M. Sc. (Computing) Capability maturity Digital divide Information security Information systems Critical success factors Information security digital divide Information security maturity level Frameworks Benchmarking 005.8 Computer security Computer networks -- Security measures
120	An investigation of information security policies and practices in Mauritius Sookdawoor, Oumeshsingh 30 November 2005 (has links) With the advent of globalisation and ever changing technologies, the need for increased attention to information security is becoming more and more vital. Organisations are facing all sorts of risks and threats these days. It therefore becomes important for all business stakeholders to take the appropriate proactive measures in securing their assets for business survival and growth. Information is today regarded as one of the most valuable assets of an organisation. Without a proper information security framework, policies, procedures and practices, the existence of an organisation is threatened in this world of fierce competition. Information security policies stand as one of the key enablers to safeguarding an organisation from risks and threats. However, writing a set of information security policies and procedures is not enough. If one really aims to have an effective security framework in place, there is a need to develop and implement information security policies that adhere to established standards such as BS 7799 and the like. Furthermore, one should ensure that all stakeholders comply with established standards, policies and best practices systematically to reap full benefits of security measures. These challenges are not only being faced in the international arena but also in countries like Mauritius. International researches have shown that information security policy is still a problematic area when it comes to its implementation and compliance. Findings have shown that several major developed countries are still facing difficulties in this area. There was a general perception that conditions in Mauritius were similar. With the local government's objective to turn Mauritius into a "cyber-island" that could act as an Information Communication & Technology (ICT) hub for the region, there was a need to ensure the adoption and application of best practices specially in areas of information security. This dissertation therefore aims at conducting a research project in Mauritius and assessing whether large Mauritian private companies, that are heavily dependent on IT, have proper and reliable security policies in place which comply with international norms and standards such as British Standard Organisation (BSO) 7799/ ISO 17799/ ISO 27001. The study will help assess the state of, and risks associated with, present implementation of information security policies and practices in the local context. Similarities and differences between the local security practices and international ones have also been measured and compared to identify any specific characteristics in local information security practices. The findings of the study will help to enlighten the security community, local management and stakeholders, on the realities facing corporations in the area of information security policies and practices in Mauritius. Appropriate recommendations have been formulated in light of the findings to improve the present state of information security issues while contributing to the development of the security community / Computing / M.Sc. (Information Systems) Adherence to established standards Information security framework Information security policy Information security practices Security standards Compliance Information security risk Procedures 005.8096982 Information policy -- Mauritius

Search results