1,721,209 research outputs found
Addressing combinatorial experiments and scarcity of subjects by provably orthogonal and crossover experimental designs
No full textContext: Experimentation in Software and Security Engineering is a common research practice, in particular with human subjects. Problem: The combinatorial nature of software configurations and the difficulty of recruiting experienced subjects or running complex and expensive experiments make the use of full factorial experiments unfeasible to obtain statistically significant results. Contribution: Provide comprehensive alternative Designs of Experiments (DoE) based on orthogonal designs or crossover designs that provably meet desired requirements such as balanced pair-wise configurations or balanced ordering of scenarios to mitigate bias or learning effects. We also discuss and formalize the statistical implications of these design choices, in particular for crossover designs. Artifact: We made available the algorithmic construction of the design for ℓ=2,3,4,5 levels for arbitrary K factors and illustrated their use with examples from security and software engineering research.</p
Retaliation Against Protocol Attacks
No full textSecurity protocols intend to give their parties reasonable assurance that certain security properties will protect their communication session. However, the literature confirms that the protocols may suffer subtle and hidden attacks. Flawed protocols are customarily sent back to the design process, but the costs of reengineering a deployed protocol may be prohibitive. This paper outlines the concept of retaliation: who would steal a sum of money today, should this pose significant risks of having twice as much stolen back tomorrow? When ethics is left behind, attacks are always balanced decisions: if an attack can be retaliated, the economics of security may convince the attacker to refrain from attacking, and us to live with a flawed protocol. This new perspective requires a new threat model where any party may decide to subvert the protocol for his own sake, depending on the risks of retaliation. This threat model, which for example is also suitable to studying non-repudiation protocols, seems more appropriate than the Dolev-Yao model to the present technological/social setting. It is demonstrated that machine-assisted protocol verification can and must be tailored to the new threat model
An automatic method for assessing the versions affected by a vulnerability
No full textVulnerability data sources are used by academics to build models, and by industry and government to assess compliance. Errors in such data sources therefore not only are threats to validity in scientific studies, but also might cause organizations, which rely on retro versions of software, to lose compliance. In this work, we propose an automated method to determine the code evidence for the presence of vulnerabilities in retro software versions. The method scans the code base of each retro version of software for the code evidence to determine whether a retro version is vulnerable or not. It identifies the lines of code that were changed to fix vulnerabilities. If an earlier version contains these deleted lines, it is highly likely that this version is vulnerable. To show the scalability of the method we performed a large scale experiments on Chrome and Firefox (spanning 7,236 vulnerable files and approximately 9,800 vulnerabilities) on the National Vulnerability Database (NVD). The elimination of spurious vulnerability claims (e.g. entries to a vulnerability database such as NVD) found by our method may change the conclusions of studies on the prevalence of foundational vulnerabilities
Assessing a requirements evolution approach: Empirical studies in the air traffic management domain
Full text linkIn this paper, we report the results of the empirical evaluation of a novel approach for modeling and reasoning on evolving requirements. We evaluated the effectiveness of the approach in modeling requirements evolution by means of a series of empirical studies in the air traffic management (ATM) domain
An experimental comparison of two risk-based security methods
No full textA significant number of methods have been proposed to identify and analyze threats and security requirements, but there are few empirical evaluations that show these methods work in practice. This paper reports a controlled experiment conducted with 28 master students to compare two classes of risk-based methods, visual methods (CORAS) and textual methods (SREP). The aim of the experiment was to compare the effectiveness and perception of the two methods. The participants divided in groups solved four different tasks by applying the two methods using a randomized block design. The dependent variables were effectiveness of the methods measured as number of threats and security requirements identified, and perception of the methods measured through a post-task questionnaire based on the Technology Acceptance Model. The experiment was complemented with participants' interviews to determine which features of the methods influence their effectiveness. The main findings were that the visual method is more effective for identifying threats than the textual one, while the textual method is slightly more effective for eliciting security requirements. In addition, visual method overall perception and intention to use were higher than for the textual method
Computer Aided Threat Identification
No full textRecently, there has been an increase of reported security threats hitting organizations. Some of them are originated from the assignments to users of inappropriate permissions on organizational sensitive data. Thus it is crucial for organizations to recognize as early as possible the risks deriving by inappropriate access right management and to identify the solutions that they need to prevent such risks. In this paper, we propose a framework to identify threats during the requirements analysis of organizations' IT systems. With respect to other works which have attempted to include security analysis into requirement engineering process (e.g., KAOS, Elahi et al., Asnar et al.), our framework does not rely on the level of expertise of the security analyst to detect threats but allows to automatically identify threats that derive from inappropriate access management. To capture the organization's setting and the system stakeholders' requirements, we adopt SI* [1], a requirement engineering framework founded on the concepts of actors, goals, tasks and resources. This framework extends SI* with a reasoning technique that identifies potential security threats on resources and relevant goals. The reasoning is based on Answer Set Programming (ASP) logic rules that take into account the relationships between resources and the delegation of permission relations between actors. We illustrate this framework using an eHealth scenario
Agency Problems and Airport Security: Quantitative and Qualitative Evidence on the Impact of Security Training
Full text linkWe analyze the issue of agency costs in aviation security by combining results from a quantitative economic model with a qualitative study based on semi-structured interviews. Our model extends previous principal-agent models by combining the traditional fixed and varying monetary responses to physical and cognitive effort with nonmonetary welfare and potentially transferable value of employees' own human capital. To provide empirical evidence for the tradeoffs identified in the quantitative model, we have undertaken an extensive interview process with regulators, airport managers, security personnel, and those tasked with training security personnel from an airport operating in a relatively high-risk state, Turkey. Our results indicate that the effectiveness of additional training depends on the mix of “transferable skills” and “emotional” buy-in of the security agents. Principals need to identify on which side of a critical tipping point their agents are to ensure that additional training, with attached expectations of the burden of work, aligns the incentives of employees with the principals' own objectives
An Experimental Comparison of Two Risk-Based Security Methods
No full textA significant number of methods have been proposed to identify and analyze threats and security requirements, but there are few empirical evaluations that show these methods work in practice. This paper reports a controlled experiment conducted with 28 master students to compare two classes of risk-based methods, visual methods (CORAS) and textual methods (SREP). The aim of the experiment was to compare the effectiveness and perception of the two methods. The participants divided in groups solved four different tasks by applying the two methods using a randomized block design. The dependent variables were effectiveness of the methods measured as number of threats and security requirements identified, and perception of the methods measured through a post-task questionnaire based on the Technology Acceptance Model. The experiment was complemented with participants' interviews to determine which features of the methods influence their effectiveness. The main findings were that the visual method is more effective for identifying threats than the textual one, while the textual method is slightly more effective for eliciting security requirements. In addition, visual method overall perception and intention to use were higher than for the textual method
A Load Time Policy Checker for Open Multi-Application Smart Cards
No full textApplications on multi-application smart cards contain sensitive data and can exchange information. Thus a major concern is that these applications should not exchange data unless permitted by their respective policy. As modern smart cards allow post-issuance installation and removal of applications, traditional approaches for information flow analysis are not suitable. We suggest the Security-by-Contract approach for loading time application certification on the card, that will enable the stakeholders with the means to ensure the compliance of every update of the card with their security policy. We describe an extension of the card security architecture to deal with verification for different types of updates and present a Java Card prototype implementation of the Policy Checker with performance measurements
- …
