Interrupt-related covert channels (IRCCs) utilize hardware interrupts for enabling communication between processes. This article provides an empirical evaluation of IRCC vulnerabilities, based on an... Show More

Interrupt-related covert channels (IRCCs) utilize hardware interrupts for enabling communication between processes. This article provides an empirical evaluation of IRCC vulnerabilities, based on an actual exploit. The evaluation combines experiments with an information-theoretic analysis for computing the channel bandwidth. The evaluation shows that a bandwidth of multiple bits per second is achievable in a desktop system via interrupts of a network interface card. This result clarifies the significance of this IRCC vulnerability for one particular system. The exploit presented is configurable, and the article provides a solution for computing an optimal exploit configuration for a given system. While side channels based on hardware interrupts have been discussed before, this is the first empirical evaluation of covert channels based on hardware interrupts.

This paper presents a framework for calculating measures of data integrity for programs in a small imperative language. The authors develop a Markov chain semantics for their language which... Show More

This paper presents a framework for calculating measures of data integrity for programs in a small imperative language. The authors develop a Markov chain semantics for their language which calculates Clarkson and Schneider's definitions of data contamination, data suppression, program suppression and program transmission. The authors then propose their own definition of program integrity for probabilistic specifications. These definitions are based on conditional mutual information and entropy; they present a result relating them to mutual information, which can be calculated by a number of existing tools. The authors extend a quantitative information flow tool (CH-IMP) to calculate these measures of integrity and demonstrate this tool with examples including error correcting codes, the Dining Cryptographers protocol and the attempts by a number of banks to influence the Libor rate.

The acquisition of information about computer systems by mostly non-technical means is called social engineering. Most critical systems are vulnerable to social threats, even when technical security... Show More

The acquisition of information about computer systems by mostly non-technical means is called social engineering. Most critical systems are vulnerable to social threats, even when technical security is high. Social engineering is a technique that: (i) does not require any (advanced) technical tools, (ii) can be used by anyone, (iii) is cheap, (iv) almost impossible to eliminate completely. The integration of social engineering attackers with other attackers, such as software or network ones, is missing so far. Existing research focuses on classifying and analyzing social engineering attacks. The authors' contribution is to consider social engineering exploits together with technical vulnerabilities. The authors introduce a method for the integration of social engineering exploits into attack graphs and propose a simple quantitative analysis of the graphs that helps to develop a comprehensive defensive strategy.

Risk-aware access control systems grant or deny access to resources based on the notion of risk. It has many advantages compared to classical approaches, allowing for more flexibility, and... Show More

Risk-aware access control systems grant or deny access to resources based on the notion of risk. It has many advantages compared to classical approaches, allowing for more flexibility, and ultimately supporting for a better exploitation of data. The authors propose and demonstrate a risk-aware access control framework for information disclosure, which supports run-time risk assessment. In their framework access-control decisions are based on the disclosure-risk associated with a data access request and, differently from existing models, adaptive anonymization operations are used as risk-mitigation method. The inclusion of on-the-fly anonymization allows for extending access to data, still preserving privacy below the maximum tolerable risk. Risk thresholds can be adapted to the trustworthiness of the requester role, so a single access control framework can support multiple data access use cases, ranging from sharing data among a restricted (highly trusted) group to public release (low trust value). The authors have developed a prototype implementation of their framework and have assessed it by running a number of queries against the Adult Data Set from the UCI Machine Learning Repository, a publicly available dataset that is widely used by the research community. The experimental results are encouraging and confirm the feasibility of the proposed approach.

The authors present the results of an evaluation in which the objective was to assess how useful testing is for validating and correcting security risk models. The evaluation is based on two... Show More

The authors present the results of an evaluation in which the objective was to assess how useful testing is for validating and correcting security risk models. The evaluation is based on two industrial case studies. In the first case study the authors analyzed a multilingual financial Web application, while in the second case study they analyzed a mobile financial application. In both case studies, the testing yielded new information which was not found in the risk assessment phase. In particular, in the first case study, new vulnerabilities were found which resulted in an update of the likelihood values of threat scenarios and risks in the risk model. New vulnerabilities were also identified and added to the risk model in the second case study. These updates led to more accurate risk models, which indicate that the testing was indeed useful for validating and correcting the risk models.