Frédéric Cuppens

Data and Applications Security and Privacy XXVI

The 17 revised full and 15 short papers presented together with 1 invited paper were carefully reviewed and selected from 49 submissions. The papers are organized in topical sections on access control, confidentiality and privacy, smart cards security, privacy-preserving technologies, data management, intrusion and malware, probabilistic attacks and protection, and cloud computing.

FORM: a federated rights expression model for open DRM frameworks

Digital Rights Management frameworks (DRM) aim at protecting and controlling information contents widely distributed on client devices. Using a license, the content provider can decide which rights can be rendered and who are the authorized end-users (as identity holders) allowed to exercise those rights. Most of the time, it is hard to add new feature to the client application, it is even impossible when the new feature is not considered trustworthy by the corporation distributing the rendering application. In a same way, the rendering application identifies the end-user with a dedicated identity and it is impossible to take into account an identity provided by an external corporation. In this paper, we aim at providing a federated approach called FORM where a content provider can decide to trust external rendering rights and external identities. We even go further introducing identity providers, actions providers as we consider content providers. Thus, all kind of providers can define license specifying what can be done with the object they provide. FORM defines a new license model and a new license interpretation mechanism taking into account all licenses issued by a federation of object providers.

A Framework to Enforce Access Control, Usage Control and Obligations

In this paper, we define a core language to express access control, usage control and obligation policies and we specify a policy controller in charge of evaluating such policies. This policy language can be used to specify security requirements of many applications such as drm (Digital Right Management), P2P or Web Service applications. It is used to express both contextual permissions and obligations. In our formalism, a permission is associated with two conditions: The “start condition” that must be true just when the access request is evaluated (access control) and the “ongoing condition” that must be always satisfied while the access is in progress (usage control). Moreover, we introduce the concept of cancellation actions to authorize users to cancel access in progress. Obligations are mandatory access that users must perform. An obligation is associated with two conditions as well: The “raise condition” to trigger the obligation and the “deadline condition” to determine when the obligation is violated. Moreover, we introduce the concept of non-persistent obligation where the raise condition must be true until the corresponding request is received or the deadline expires, otherwise the corresponding access is no longer mandatory.RésuméDans cet article, nous définissons les bases d’un langage pour exprimer des politiques de contrôle d’accès, de contrôle d’usage et d’obligations et spécifions un module de contrôle ayant la charge d’évaluer ces politiques. Ce langage peut être utilisé pour spécifier, par exemple, des exigences de sécurité d’applications de drm (Digital Right Management — Gestion électronique des droits), P2P ou services web. Il permet d’exprimer des permissions contextuelles ainsi que des obligations. Dans notre formalisme, une permission est associée à deux conditions: la condition de „démarrage” qui doit être vraie lorsque la demande d’accès est évaluée (contrôle d’accès) et la condition de „poursuite” qui doit toujours être vérifiée pendant l’exécution de l’action (contrôle d’usage). Nous introduisons également le concept d’action d’annulation pour autoriser les utilisateurs à annuler un accès en cours. Les obligations correspondent aux accès que les utilisateurs doivent réaliser. Nous associons deux conditions aux obligations: la condition de „déclenchement” de l’obligation et la condition „d’échéance” qui détermine à partir de quand l’obligation est violée. De plus, nous proposons le concept d’obligation non persistante lorsque la condition de déclenchement doit rester vraie tant que l’obligation n’est pas remplie ou bien la date d’échéance est atteinte, sinon l’accès correspondant n’est plus obligatoire.

Probabilistic Event Graph to Model Safety and Security for Diagnosis Purposes

Diagnosing accidental and malicious events in an industrial control system requires an event model with specific capacities. Most models are dedicated to either safety or security but rarely both. And the latter are developed for objectives other than diagnosis and therefore unfit for this task. In this paper, we propose an event model considering both safety and security events, usable in real-time, with a probabilistic measure of on-going and future events. This model is able to replace alerts in the context of more global scenarios, including with reinforcements or conflicts between safety and security. The model is then used to provide an analysis of some of the security and safety events in the Taum Sauk Hydroelectric Power Station.

Towards the Evaluation of End-to-End Resilience Through External Consistency

Contemporary systems are built from complex arrangements of interoperating components implementing functional and other non-functional concerns that are necessary to ensure continuing service delivery. One of these concerns—resilience—relies on components that implement a variety of mechanisms, such as access controls, adaptability and redundancy. How these mechanisms interoperate with each other and the systems’ functional components to provide resilience is considered in this paper. External consistency, defined as the extent to which data in the system corresponds to its real-world value, provides a natural interpretation for the definition of resilience. A model of resilience is developed that can be used to trace how the functional and non-functional components in a system contribute to the determination of our confidence in the external consistency of the data that they process.

Privacy Enforcement of Composed Services in Cellular Networks

In this paper, we study privacy policy issues of composed services in cellular networks. We focus on the two basic services of location and presence provided in cellular networks. Based on our privacy policy model, named PrivOrBAC, we propose a composition methodology for the privacy policy of the resulting service. Our work tends to extend contextual privacy management to take into account the privacy attributes compliance between the two basic services.

USB Packets Filtering Policies and an Associated Low-Cost Simulation Framework

In recent years, USB has become the most popular standard for connecting hosts and peripherals due to its plug-and-play and fast speed features. However, with the emergence of attacks such as badUSB, USB security issues become increasingly prominent. In reaction, different USB protection mechanisms have been proposed, including USB communication filtering. Nevertheless, it is worth noting that currently there is no formalised universal USB filtering strategy, and the vast majority of those filters are implemented at the OS level, leaving a part of the OS and the firmware of USB host controllers unprotected. This paper proposes flexible, formalised, universal USB filtering policies and explores the differences between filtering USB communications at the OS level and directly at the USB packet transmission level. Moreover, we address a simulation framework that can be used in the early stages of research and development to conceive and evaluate USB packet filtering policies.

Linking Differential Identifiability with Differential Privacy

The problem of preserving privacy while mining data has been studied extensively in recent years because of its importance for enabling sharing data sets. Differential Identifiability, parameterized by the probability of individual identification (rho ), was proposed to provide a solution to this problem. Our study of the proposed Differential Identifiability model shows that: First, its usability is based on a very strong requirement. That is, the prior probability of an individual being present in a database is the same for all individuals. Second, there is no formal link between the proposed model and well known privacy models such as Differential Privacy. This paper presents a new differential identifiability model for preventing the disclosure of the presence of an individual in a database while considering an adversary with arbitrary prior knowledge about each individual. We show that the general Laplace noise addition mechanism can be used to satisfy our new differential identifiability definition and that there is a direct link between differential privacy and our proposed model. The evaluation of our model shows that it provides a good privacy/utility trade-off for most aggregate queries.

wirelessOrBAC: Towards an access-control-based IDS for Wireless Sensor Networks

Nowadays, Wireless Sensor Network (WSN) is a well-established paradigm. It has a large variety of applications ranging from home to industrial applications (such as health care and military applications). However, as this kind of networks is becoming wider, more heterogeneous and interconnected, ensuring the security of these decentralized systems is also becoming more challenging. In this paper, we propose wirelessOrBAC a formal Intrusion Detection System specially tailored to enforce the security of Wireless Sensor Networks. It allows defining in a comprehensive and easy way, security rules that model accurately wireless nodes behavior. Based on the build model, Intrusion Detection tasks are performed in order to detect malicious actions.