An event-trace language for software decoys /

Fragkos, Georgios.

January 2002

Thesis (M.S. in Computer Science)--Naval Postgraduate School, September 2002. / Thesis advisor(s): James Bret Michael, Mikhail Auguston. Includes bibliographical references (p. 35). Also available online.

Security-driven software evolution using a model driven approach

Guan, Hui

January 2014

High security level must be guaranteed in applications in order to mitigate risks during the deployment of information systems in open network environments. However, a significant number of legacy systems remain in use which poses security risks to the enterprise' assets due to the poor technologies used and lack of security concerns when they were in design. Software reengineering is a way out to improve their security levels in a systematic way. Model driven is an approach in which model as defined by its type directs the execution of the process. The aim of this research is to explore how model driven approach can facilitate the software reengineering driven by security demand. The research in this thesis involves the following three phases. Firstly, legacy system understanding is performed using reverse engineering techniques. Task of this phase is to reverse engineer legacy system into UML models, partition the legacy system into subsystems with the help of model slicing technique and detect existing security mechanisms to determine whether or not the provided security in the legacy system satisfies the user's security objectives. Secondly, security requirements are elicited using risk analysis method. It is the process of analysing key aspects of the legacy systems in terms of security. A new risk assessment method, taking consideration of asset, threat and vulnerability, is proposed and used to elicit the security requirements which will generate the detailed security requirements in the specific format to direct the subsequent security enhancement. Finally, security enhancement for the system is performed using the proposed ontology based security pattern approach. It is the stage that security patterns derived from security expertise and fulfilling the elicited security requirements are selected and integrated in the legacy system models with the help of the proposed security ontology. The proposed approach is evaluated by the selected case study. Based on the analysis, conclusions are drawn and future research is discussed at the end of this thesis. The results show this thesis contributes an effective, reusable and suitable evolution approach for software security.

005.1

Quality of freeware antivirus software / Qquality of freeware security software

Rasool, Muhammad Ahsan, Jamal, Abdul

January 2011

War between malware and antimalware software started two decade back and have adopted the modern techniques with the evolution of technological development in the field of information technology. This thesis was targeted to analyze the performance of freeware antivirus programs available in the market. Several tests were performed to analyze the performance with respect to the core responsibilities of these software’s to scan and detect the viruses and also prevent and eradicate form them. Although irrelevant for common users may be but very important for technical professionals, many tests were performed to analyze the quality of these softwares with respect to their effects on the system it-self like utilization and engagement of precious resources, processing times and also system slowdown because of monitoring techniques. The results derived from these tests show not only the performance and quality of these softwares but also enlighten some areas to be focused for further analysis.

Quality of freeware Antivirus

security software

Antivirus quality.

Three essays on managing information systems security : patch management, learning dynamics, and security software market /

Zhang, Guo Ying,

January 2007

Thesis (Ph. D.)--University of Washington, 2007. / Vita. Includes bibliographical references (leaves 91-98).

Security engineering with patterns : origins, theoretical models, and new applications /

Schumacher, Markus.

January 2003

Techn. Univ., Diss.--Darmstadt, 2003.

Recommendations for secure initialization routines in operating systems /

Dodge, Catherine A.

January 2005

Thesis (M.S. in Computer Science)--Naval Postgraduate School, December 2004. / Thesis Advisor(s): Cynthia E. Irvine, Thuy D. Nguyen. Includes bibliographical references (p. 107-109) Also available online.

Automatic detection of software security vulnerabilities in executable program files

Tevis, Jay-Evan J. Hamilton, John A.

January 2005

Dissertation (Ph.D.)--Auburn University, 2005. / Abstract. Includes bibliographic references (p.134-148).

Trustworthy services through attestation

Lyle, John

January 2011

Remote attestation is a promising mechanism for assurance of distributed systems. It allows users to identify the software running on a remote system before trusting it with an important task. This functionality is arriving at exactly the right time as security-critical systems, such as healthcare and financial services, are increasingly being hosted online. However, attestation has limitations and has been criticized for being impractical. Too much effort is required for too little reward: a large, rapidly-changing list of software must be maintained by users, who then have insufficient information to make a trust decision. As a result attestation is rarely used today. This thesis evaluates attestation in a service-oriented context to determine whether it can be made practical for assurance of servers rather than client machines. There are reasons to expect that it can: servers run fewer programs and the overhead of integrity reporting is more appropriate on a server which may be protecting important assets. However, a literature review and new experiments show that problems remain, many stemming from the large trusted computing base as well as the lack of information linking software identity to expected behaviour. Three novel solutions are proposed. Web service middleware is restructured to minimize the software running at the endpoint, thus lowering the effort for the relying party. A key advantage of the proposed two-tier structure is that strong integrity guarantees can be made without loss of conformance with service standards. Secondly, a program modelling approach is investigated to further automate the attestation and verification process and add more information about system behaviour. Several sets of programs are modelled, including the bootloader, a web service and a menu-based shell. Finally, service behaviour is attested through source code properties established during compilation. This provides a trustworthy and verifiable connection between the identity of the software on a service platform and its expected runtime behaviour. This approach is applicable to any programming language and verification method, and has the advantage of not requiring a runtime monitor. These contributions are evaluated using an example e-voting service to show the level of assurance attestation can provide. Overall, this thesis demonstrates that attestation can be made significantly more practical through the described new techniques. Although some problem remain, with further improvements to operating systems and better software engineering methods, attestation may become a trustworthy and reliable assurance mechanism for web services.

005.3

Trust and security risks in mobile banking

Messaggi Kaya, Monica

January 2013

With the development and growth of mobile technologies, mobile phones enable users to perform a number of different tasks with their devices: from sending simple text messages, checking e-mails and browsing the internet, to running elaborated applications. Nowadays, the mobile phone platform creates great opportunities for businesses, especially due to its capabilities and population coverage: the number of mobile subscriptions approaches global population figures. In order to explore such opportunities, most banks have already launched their mobile applications and/or re-designed mobile version of their websites. One of the benefits of using mobile banking is the possibility for users to carry out bank transactions, such online payments or transfers, at anytime and anywhere. Expectations for the adoption of mobile banking were high; however, it represents about 20% of mobile phone users at the present. One factor has been recognised as being a strong reason for users not to adopt mobile banking: their concerns about security. This dissertation focuses on the relationship between the trust users have in mobile banking and the security risks that the use of mobile devices potentially pose. A questionnaire was created in order to gather users’ perception of security about mobile banking, and its results compared with recognised security issues.

005.8

Software pro podporu projektování elektrické zabezpečovací signalizace / Support software for projection of burglar alarm systems

Fikejs, Jan

January 2010

This graduation thesis deals with a software design of burglar alarm. The software has been developed in compliance with the applicable standards and regulations governing burglar alarm designs and on the basis of practical experience with designing and implementing electronic security systems. The software is written in C# and uses .NET platform. On the ground of that, this software can be run on any computer with the Windows operation system. Any ground plan picture file can be used as the underlying project map on which all the object security system can be built. It makes it possible to produce both wire and wireless electronic security systems. The software includes an editable database of components and conductors used in the electronic security alarms. The database components can be created, edited and deleted through the software. The database has been saved in format XML. The software also includes a folder of picture files containing photographs of the components and schematic symbols used in the software. You use a mouse to drag and drop individual components into the ground plan picture, where they are well arranged in a tree structure. The components can be interconnected by a conductor, which enables creation of a precise design of the electronic security system of the object. The software output includes drawings, bills of material and pricing. As for the space components, you can graphically display their range and thus visually confirm the design. The software includes automatic design verification. There, you can verify whether the right components have been used and whether the designed conductor lengths are acceptable, whether they correspond with the system load, and whether the voltage drops on the conductors do not exceed the permitted limit. The software has been developed for all electronic security system designers and for engineers attending to these problems.