Eric Totel

Hypercollecting semantics and its application to static analysis of information flow

We show how static analysis for secure information flow can be expressed and proved correct entirely within the framework of abstract interpretation. The key idea is to define a Galois connection that directly approximates the hyperproperty of interest. To enable use of such Galois connections, we introduce a fixpoint characterisation of hypercollecting semantics, i.e. a set of sets transformer. This makes it possible to systematically derive static analyses for hyperproperties entirely within the calculational framework of abstract interpretation. We evaluate this technique by deriving example static analyses. For qualitative information flow, we derive a dependence analysis similar to the logic of Amtoft and Banerjee (SAS 04) and the type system of Hunt and Sands (POPL 06). For quantitative information flow, we derive a novel cardinality analysis that bounds the leakage conveyed by a program instead of simply deciding whether it exists. This encompasses problems that are hypersafety but not k-safety. We put the framework to use and introduce variations that achieve precision rivalling the most recent and precise static analyses for information flow.

Assessment of an Automatic Correlation Rules Generator

Information systems are prone to attacks. Those attacks can take different forms, from an obvious DDOS to a complex attack scenario involving a step by step stealthy compromise of key nodes in the target system. In order to detect those multi-steps attack scenarios, alert correlation systems are required. Those systems rely on explicit or implicit correlation rules in order to detect complex links between various events or alerts produced by IDSes. Explicit and accurate correlation rules strongly linked with the system are difficult to build and maintain manually. However this process can be partially automated when enough information on the attack scenario and the target system are available. In this paper, we focus on the evaluation of correlation rules produced by an automatic process. In a first place, the method is evaluated on a representative system. In this realistic evaluation context, when the knowledge of both the attack scenario and the targeted system is precise enough, the generated rules allow to have a perfect detection rate no false positive and no false negative. Then stress tests are conducted in order to measure the robustness of the approach when the generation of rules relies on a provided knowledge which is either partially incorrect or incomplete.

From SSIR to CIDre: A New Security Research Group in Rennes, France

CIDre, which stands for ``Confidentialy, Integrity, Availability, and repartition, is the name of a new research group created in Rennes, France, as a follow-up of the SSIR team (www.rennes.supelec.fr/ren/rd/ssir), which was, until 2011, a Supélec team whose work was mainly focused on intrusion detection and spontaneous network (ad hoc, P2P) security. The global research objective of this new CIDre research group is to study new security solutions for nodes and network of nodes, in particular through the use of classical but potentially revised approaches coming from the distributed computing field. More especially, we focus on three different aspects of security: privacy, trust, and intrusion detection.