Howard Chivers

Agile development of secure web applications

A secure system is one that is protected against specific undesired outcomes.Delivering a secure system, and particularly a secure web application, is not easy.Integrating general-purpose information systems development methods withsecurity development activities could be a useful means to surmount thesedifficulties Agile processes, such as Extreme Programming, are of increasing interest insoftware development. Most significantly for web applications, agile processesencourage and embrace requirements change, which is a desirable characteristicfor web application development.In this paper, we present an agile process to deliver secure web applications.The contribution of the research is not the development of a new method or processthat addresses security concerns. Rather, we investigate general-purpose informationsystemdevelopment methods (e.g., Feature-Driven Development (FDD)) and mature security methods, namely risk analysis, and integrate them to address the development of secure web applications. The key features of our approach are(1) a process capable of dealing with the key challenges of web applicationsdevelopment, namely decreasing life-cycle times and frequently changing requirements; and (2) an iterative approach to risk analysis that integrates security design throughout the development process.

A Novel Approach to the Detection of Cheating in Multiplayer Online Games

Modern online multiplayer games are complex heterogeneous distributed systems comprised of servers and untrusted clients, which are often engineered under considerable commercial pressures. Under these conditions, security breaches allowing clients to employ illegal behaviours have become common; current commercial approaches have limited capabilities for reacting rapidly to such threats. This paper presents an approach to the detection of a cheating player, and describes a proof-of-concept system designed to detect cheating play (specifically wall-hacking) through the analysis of player behaviour. This approach differs from current methods in that it does not rely on knowledge about specific vulnerabilities and their method of exploitation in order to protect the system, but instead monitors player behaviour for indications of cheating play. Statistical evidence is presented which shows that the proof-of-concept correctly distinguishes between most cheating and non-cheating players.

Recovery of Encryption Keys from Memory Using a Linear Scan

As encrypted containers are encountered more frequently the need for live imaging is likely to increase. However, an acquired live image of an open encrypted file system cannot later be verified against any original evidence, since when the power is removed the decrypted contents are no longer accessible. This paper shows that if a memory image is also obtained at the same time as the live container image, by the design of on-the-fly encryption, decryption keys can be recovered from the memory dump. These keys can then be used offline to gain access to the encrypted container file, facilitating standard, repeatable, forensic file system analysis. The recovery method uses a linear scan of memory to generate trial keys from all possible memory positions to decrypt the container. The effectiveness of this approach is demonstrated by recovering TrueCrypt decryption keys from a memory dump of a Windows XP system.

Knowing who to watch: Identifying attackers whose actions are hidden within false alarms and background noise

Insider attacks are often subtle and slow, or preceded by behavioral indicators such as organizational rule-breaking which provide the potential for early warning of malicious intent; both these cases pose the problem of identifying attacks from limited evidence contained within a large volume of event data collected from multiple sources over a long period. This paper proposes a scalable solution to this problem by maintaining long-term estimates that individuals or nodes are attackers, rather than retaining event data for post-facto analysis. These estimates are then used as triggers for more detailed investigation. We identify essential attributes of event data, allowing the use of a wide range of indicators, and show how to apply Bayesian statistics to maintain incremental estimates without global updating. The paper provides a theoretical account of the process, a worked example, and a discussion of its practical implications. The work includes examples that identify subtle attack behaviour in subverted network nodes, but the process is not network-specific and is capable of integrating evidence from other sources, such as behavioral indicators, document access logs and financial records, in addition to events identified by network monitoring.

Breaking the Model: Finalisation and a Taxonomy of Security Attacks

It is well known that security properties are not preserved by refinement, and that refinement can introduce new, covert, channels, such as timing channels. The finalisation step in refinement can be analysed to identify some of these channels, as unwanted finalisations that can break the assumptions of the formal model. We introduce a taxonomy of such unwanted finalisations, and give examples of attacks that exploit them.

Risk profiles and distributed risk assessment

Risk assessment is concerned with discovering threat paths between potential attackers and critical assets, and is generally carried out during a systems design and then at fixed intervals during its operational life. However, the currency of such analysis is rapidly eroded by system changes; in dynamic systems these include the need to support ad-hoc collaboration, and dynamic connectivity between the systems components. This paper resolves these problems by showing how risks can be assessed incrementally as a system changes, using risk profiles, which characterize the risk to a system from subverted components. We formally define risk profiles, and show that their calculation can be fully distributed; each component is able to compute its own profile from neighbouring information. We further show that profiles converge to the same risks as systematic threat path enumeration, that changes in risk are efficiently propagated throughout a distributed system, and that the distributed computation provides a criterion for when the security consequences of a policy change are local to a component, or will propagate into the wider system. Risk profiles have the potential to supplement conventional risk assessments with useful new metrics, maintain accurate continuous assessment of risks in dynamic distributed systems, link a risk assessment to the wider environment of the system, and evaluate defence-in-depth strategies.

Forensic data recovery from the Windows Search Database

Windows Search maintains a single database of the files, emails, programmes and Internet history of all the users of a personal computer, providing a potentially valuable source of information for a forensic investigator, especially since some information within the database is persistent, even if the underlying data are not available to the system (e.g. removable or encrypted drives). However, when files are deleted from the system their record is also deleted from the database. Existing tools to extract information from Windows Search use a programmatic interface to the underlying database, but this approach is unable to recover deleted records that may remain in unused space within the database or in other parts of the file system. This paper explores when unavailable files are indexed, and therefore available to an investigator via the search database, and how this is modified by the indexer scope and by attributes that control the indexing of encrypted content. Obtaining data via the programmatic interface is contrasted with a record carving approach using a new database record carver (wdsCarve); the strengths and weaknesses of the two approaches are reviewed, and the paper identifies several different strategies that may be productive in recovering deleted database records.

Private browsing: A window of forensic opportunity

Abstract The release of Internet Explorer 10 marks a significant change in how browsing artifacts are stored in the Windows file system, moving away from well-understood Index.dat files to use a high performance database, the Extensible Storage Engine. Researchers have suggested that despite this change there remain forensic opportunities to recover InPrivate browsing records from the new browser. The prospect of recovering such evidence, together with its potential forensic significance, prompts questions including where and when such evidence can be recovered, and if it is possible to prove that a recovered artefact originated from InPrivate browsing. This paper reports the results of experiments which answer these questions, and also provides some explanation of the increasingly complex data structures used to record Internet activity from both the desktop and Windows 8 Applications. We conclude that there is a time window between the private browsing session and the next use of the browser in which browsing records may be carved from database log files, after which it is necessary to carve from other areas of disk. It proved possible to recover a substantial record of a users InPrivate browsing, and to reliably associate such records with InPrivate browsing.

Windows Vista and digital investigations

Several of the new features of Windows Vista may create challenges for digital investigators. However, some also provide opportunities and create interesting new evidential artefacts which can be recovered and analysed. This paper examines several of these new features and describes methods for recovering shadow copies of files from Restore Points, identifying BitLocker on a system, the importance of recovery keys in dealing with BitLocker encrypted volumes and also the problems that User Account Control could cause for live investigations.

Security planning and refactoring in extreme programming

Security is a critical part of systems development, particularly for web-based systems. There is little known about how to effectively integrate security into incremental development processes such as Extreme Programming. This paper presents the results of a project that used Extreme Programming practices and deferred consideration of security until system functionality was complete. The findings suggest that refactorings within incremental development processes are capable of delivering high quality security solutions, and provide insights into how security requirements can be incorporated in the planning game.