Joachim Posegga

leanTAP: Lean tableau-based deduction

Abstract“prove ((E, F), A, B, C, D) : - !, prove (E, [F ∣ A], B, C, D).prove ((E; F), A, B, C, D) : - !, prove (E, A, B, C, D), prove (F, A, B, C, D).prove (all(H, I), A, B, C, D) : - !, ∖+ length (C, D), copy_term ((H, I, C), (G, F, C)), append (A, [all (H, I)], E), prove(F, E, B, [G ∣ C], D).prove (A,_, [C ∣ D] ,_, _) :-((A= − (B); − (A) = B)) -> (unify(B, C); prove (A, [], D,_,_)).prove (A, [E ∣ F], B, C, D): - prove (E, F, [A∣B], C,D).”implements a first-order theorem prover based on free-variable semantic tableaux. It is complete, sound, and efficient.

XSSDS: Server-Side Detection of Cross-Site Scripting Attacks

Cross-site scripting (XSS) has emerged to one of the most prevalent type of security vulnerabilities. While the reason for the vulnerability primarily lies on the server-side, the actual exploitation is within the victims Web browser on the client-side. Therefore, an operator of a Web application has only very limited evidence of XSS issues. In this paper, we propose a passive detection system to identify successful XSS attacks. Based on a prototypical implementation, we examine our approachs accuracy and verify its detection capabilities. We compiled a data-set of 500.000 individual HTTP request/response-pairs from 95 popular web applications for this, in combination with both real word and manually crafted XSS-exploits; our detection approach results in a total of zero false negatives for all tests, while maintaining an excellent false positive rate for more than 80% of the examined Web applications.

How to turn a GSM SIM into a web server

We describe the WebSIM, an approach that integrates GSM SIMs into the Internet. The underlying idea is to implement a Web Server inside a SIM, and to allow for transparent access to it from the Internet.

Byte Code Verification for Java Smart Card Based on Model Checking

The paper presents a novel approach to Java byte code verification: The verification process is performed “offline” on a network server, instead of incorporating it in the client. Furthermore, the most critical part of the verification process is based upon a formal model and uses a model checker for checking the verification conditions. The result of the verification process can be securely communicated to the runtime platform with cryptographic means.

Kynoid: real-time enforcement of fine-grained, user-defined, and data-centric security policies for android

We introduce Kynoid, a real-time monitoring and enforcement framework for Android. Kynoid is based on user-defined security policies which are defined for data-items. This allows users to define temporal, spatial, and destination constraints which have to hold for single items. We introduce an innovative approach to allow for the real-time tracking and enforcement of such policies. In this way, Kynoid is the first extension of Android which enables the sharing of resources while respecting individual security policies for the data-items stored in these resources. We outline Kynoids architecture, present its operation and discuss it in terms of applicability, performance, and usability. By providing a proof-of-concept implementation we further show the feasibility of our framework.

Sanitizable signatures in XML signature: performance, mixing properties, and revisiting the property of transparency

We present the performance measures of our Java Cryptography Architecture (JCA) implementation that integrates sanitizable signature schemes into the XML Signature Specification. Our implementation shows mostly negligible performance impacts when using the Ateniese scheme with four different chameleon hashes and the Miyazaki scheme in XML Signatures. Thus, sanitizable signatures can be added to the XML Security Toolbox. Applying the new tools we show how to combine different hash algorithms over different document parts adding and removing certain properties of the sanitizable signature scheme; this mixing comes very natural in XML Signatures. Finally, we motivate that existing definitions for the property of Transparency are counterintuitive in these combinations. Our conclusion is that the document-level Transparency property is independent of the sub-document properties Weak and Strong Transparency.

Mobile agents and telcos' nightmares

The paper analyzes the current state- of- the- art of mobile agents technology wrt security, seen from the standpoint of a public network operator (pno). It is argued that the current state- of- the- art does not offer sufficient security for large- scale, commercial applications of mobile agents technology within the pno ’s networks. To support this premise, the most important security issues in this context are discussed, and a number of deficiencies are identified. Some of these deficiencies pose principal questions for future research that are not necessarily widely accepted within the agent community.RésuméCet article analyse l’état de l’art dans le domaine de la sécurité des agents mobiles du point de vue d’un opérateur de télécommunication. L’argument principal introduit dans l’article est l’insuffisance des solutions existantes par rapport aux exigences de facteur d’échelle qu ’on retrouve chez les opérateurs. Les principaux problèmes de sécurité rencontrés dans ce cadre sont analysés et les défauts correspondants sont identifiés. Certains de ces problèmes soulèvent des questions controversées concernant la recherche future dans le domaine de la sécurité des agents mobiles.

LeanTAP: Lean tableau-based theorem proving

implements a rst-order theorem prover based on free-variable semantic tableaux. It is complete, sound, and eecient.“prove((E,F),A,B,C,D):- !, prove(E,[F|A],B,C,D). prove((E;F),A,B,C,D):- !, prove(E,A,B,C,D), prove(F,A,B,C,D). prove(all(H,I),A,B,C,D):- !, +length(C,D), copy_term((H,I,C), (G,F,C)), append(A, [all(H,I)],E), prove(F,E,B, [G|C],D). prove(A,_,[C|D],_,_):-((A= -(B); -(A)=B)) → (unify(B,C); prove(A,[],D,_,_)). prove(A,[E|F],B,C,D):- prove(E,F, [A|B],C,D).” implements a first-order theorem prover based on free-variable semantic tableaux. It is complete, sound, and efficient.

On the Relation between Redactable and Sanitizable Signature Schemes

Malleable signature schemes (

Java Bytecode Verification by Model Checking

\mathcal MSS