Lotfi Ben Othmane
Eindhoven University of Technology
Publication
Featured research published by Lotfi Ben Othmane.
symposium on reliable distributed systems | 2010
Pelin Angin; Bharat K. Bhargava; Rohit Ranchal; Noopur Singh; Mark Linderman; Lotfi Ben Othmane; Leszek Lilien
Entities (e.g., users, services) have to authenticate themselves to service providers (SPs) in order to use their services. An entity provides personally identifiable information (PII) that uniquely identifies it to an SP. In the traditional application-centric Identity Management (IDM) model, each application keeps trace of identities of the entities that use it. In cloud computing, entities may have multiple accounts associated with different SPs, or one SP. Sharing PIIs of the same entity across services along with associated attributes can lead to mapping of PIIs to the entity. We propose an entity-centric approach for IDM in the cloud. The approach is based on: (1) active bundles—each including a payload of PII, privacy policies and a virtual machine that enforces the policies and uses a set of protection mechanisms to protect themselves, (2) anonymous identification to mediate interactions between the entity and cloud services using entity’s privacy policies. The main characteristics of the approach are: it is independent of third party, gives minimum information to the SP and provides ability to use identity data on untrusted hosts.
symposium on reliable distributed systems | 2010
Rohit Ranchal; Bharat K. Bhargava; Lotfi Ben Othmane; Leszek Lilien; Anya Kim; Myong H. Kang; Mark Linderman
Cloud computing allows the use of Internet-based services to support business processes and rental of IT-services on a utility-like basis. It offers a concentration of resources but also poses risks for data privacy. A single breach can cause significant loss. The heterogeneity of “users” represents a danger of multiple, collaborative threats. In cloud computing, entities may have multiple accounts associated with a single or multiple service providers (SPs). Sharing sensitive identity information (that is, Personally Identifiable information or PII) along with associated attributes of the same entity across services can lead to mapping of the identities to the entity, tantamount to privacy loss. Identity management (IDM) is one of the core components in cloud privacy and security and can help alleviate some of the problems associated with cloud computing. Available solutions use trusted third party (TTP) in identifying entities to SPs. The solution providers do not recommend the usage of their solutions on untrusted hosts. We propose an approach for IDM, which is independent of TTP and has the ability to use identity data on untrusted hosts. The approach is based on the use of predicates over encrypted data and multi-party computing for negotiating a use of a cloud service. It uses active bundle—which is a middleware agent that includes PII data, privacy policies, a virtual machine that enforces the policies, and has a set of protection mechanisms to protect itself. An active bundle interacts on behalf of a user to authenticate to cloud services using user’s privacy policies.
security and trust management | 2009
Lotfi Ben Othmane; Leszek Lilien
The solution for protecting data privacy proposed in this paper, called Active Bundles, protects sensitive data from their disclosure to unauthorized parties and from unauthorized dissemination (even if started by an authorized party). The Active Bundles solution protects private or sensitive data throughout their entire lifecycle, from creation through dissemination to partial or total destruction (such as evaporation or apoptosis defined in the paper). In addition, it protects identity of entities exchanging private data. The core of the solution are active bundles themselves, which are containers with a payload of sensitive data, metadata, and a virtual machine specific to the active bundle. Metadata control access to private data and dissemination of active bundles. The main virtual machine roles are: validating integrity of its active bundle, and enforcing access control policies and dissemination policies for data of the active bundle. The Active Bundles solution also includes the active bundle exchange protocol for transmitting the bundles between hosts. The protocol uses buddies to provide anonymity to senders and receivers. The performance of the Active Bundles solution for data dissemination is evaluated analytically and by a simulation. The results indicate that: (i) the percentage of sensitive data that reaches unauthorized hosts during dissemination can be high, (ii) the apoptosis mechanism protects sensitive data from dissemination to unauthorized hosts, (iii) the Active Bundles solution provides a level of anonymity to hosts while it does not decrease significantly the throughput of buddies.
Journal of Network and Computer Applications | 2014
Leszek Lilien; Lotfi Ben Othmane; Pelin Angin; Andrew DeCarlo; Raed M. Salih; Bharat K. Bhargava
Specialized ad hoc networks of unmanned aerial vehicles (UAVs) have been playing increasingly important roles in applications for homeland defense and security. Common resource virtualization techniques are mainly designed for stable networks; they fall short in providing optimal performance in more dynamic networks, such as mobile ad hoc networks (MANETs), due to their highly dynamic and unstable nature. We propose application of Opportunistic Resource Utilization Networks (Oppnets), a novel type of MANETs, for UAV ad hoc networking. Oppnets provide middleware to facilitate building flexible and adaptive distributed systems that provide all kinds of resources or services to the requesting application via a helper mechanism. We simulated a homeland defense use case for Oppnets that involves detecting a suspicious watercraft. Our simulation compares performance of an Oppnet with a baseline case in which no Oppnet is used. The simulation results show that Oppnets are a promising framework for high-performance ad hoc UAV networking. They provide excellent performance even under imperfect (and realistic) conditions, such as a less invasive use of helpers, denial of help by some of the candidate helpers, and imperfect detection capabilities of Oppnet components.
IEEE Transactions on Dependable and Secure Computing | 2014
Lotfi Ben Othmane; Pelin Angin; Harold Weffers; Bharat K. Bhargava
The agile software development approach makes developing secure software challenging. Existing approaches for extending the agile development process, which enables incremental and iterative software development, fall short of providing a method for efficiently ensuring the security of the software increments produced at the end of each iteration. This article (a) proposes a method for security reassurance of software increments and demonstrates it through a simple case study, (b) integrates security engineering activities into the agile software development process and uses the security reassurance method to ensure producing acceptably secure (by the business owner) software increments at the end of each iteration, and (c) discusses the compliance of the proposed method with the agile values and its ability to produce secure software increments.
Wireless sensor and mobile adhoc networks : vehicular and space applications | 2015
Lotfi Ben Othmane; Harold Weffers; Mohd Murtadha Mohamad; Marko Wolf
Electronic control units (ECUs) of a vehicle control the behavior of its devices—e.g., brake and engine. They communicate through the in-vehicle network. Vehicles communicate with other vehicles and road side units (RSUs) through vehicular ad-hoc networks (VANets), with personal devices through wireless personal area networks (WPANs), and with service center systems through cellular networks. A vehicle that uses an external network, in addition to the in-vehicle network, is called a connected vehicle.
international conference on intelligent transportation systems | 2013
Lotfi Ben Othmane; Ala I. Al-Fuqaha; Elyes Ben Hamida; Mark van den Brand
Current standards for vehicle safety consider only accidental failures; they do not consider failures caused by malicious attackers. The standards implicitly assume that the sensors and Electronic Control Units (ECUs) of each vehicle compose a secure in-vehicle network because no external entity communicates with the nodes of the network. These standards assume that safety and security aspects are independent. Connecting vehicles to external entities, e.g., through Vehicle to Mobile (V2M), Vehicle to Vehicle (V2V), and Vehicle to Infrastructure (V2I), proved to be useful: it enables using Intelligent Transportation Systems (ITS) applications that improve our safety, efficiency, and comfort, but it is vulnerable to security threats. This paper provides an overview of the AGORA framework: a framework generating secure and tested boiler-plate code needed for ITS applications, demonstrates that safety and security aspects in motor vehicles are not independent, and proposes extending safety assurance by considering security aspects. It also discusses a set of research challenges related to extended safety assurance in connected vehicles.
symposium on reliable distributed systems | 2012
Bharat K. Bhargava; Pelin Angin; Rohit Ranchal; Norman Ahmed; Asher Sinclair; Mark Linderman; Lotfi Ben Othmane
Service-Oriented Architecture (SOA) is becoming a major paradigm for distributed application development in the recent explosion of Internet services and cloud computing. However, SOA introduces new security challenges not present in the single-hop client-server architectures due to the involvement of multiple service providers in a service request. The interactions of independent service domains in SOA could violate service policies or SLAs. In addition, users in SOA systems have no control on what happens in the chain of service invocations. Although the establishment of trust across all involved partners is required as a prerequisite to ensure secure interactions, still a new end-to-end security auditing mechanism is needed to verify the actual service invocations and its conformance to the expected service orchestration. In this paper, we provide an efficient solution for end-to-end security auditing in SOA. The proposed security architecture introduces two new components called taint analysis and trust broker in addition to taking advantages of WS-Security and WS-Trust standards. The interaction of these components maintains session auditing and dynamic trust among services. This solution is transparent to the services, which allows auditing of legacy services without modification. Moreover, we have implemented a prototype of the proposed approach and verified its effectiveness in a LAN setting and the Amazon EC2 cloud computing infrastructure.
symposium on reliable distributed systems | 2015
Leszek Lilien; Lotfi Ben Othmane; Pelin Angin; Bharat K. Bhargava; Raed M. Salih; Andrew DeCarlo
We propose application of Opportunistic Resource Utilization Networks (Oppnets), a novel type of Mobile Ad Hoc NETworks (MANETs), for ad hoc networking of Unmanned Aerial Vehicles (UAVs) in surveillance missions. Oppnets provide effective resource virtualization and adaption to the highly dynamic and unstable nature of MANETs. They can be viewed as middleware to facilitate building flexible and adaptive distributed systems that provide all kinds of resources or services to the requesting application via the so-called helper mechanism. The simulation study focuses on the impact of an initial target position on the performance of Oppnet-based UAV surveillance systems. We find that detection success ratios and time to detect a target are negligibly affected by the initial target position in the surveillance area when UAVs expand their Oppnet quickly, but strongly affected by the initial target position when UAVs are slow in building up their Oppnet.
Computers & Security | 2015
Lotfi Ben Othmane; Rohit Ranchal; Ruchith Fernando; Bharat K. Bhargava; Eric Bodden
The risk exposure of a given threat to an information system is a function of the likelihood of the threat and the severity of its impacts. Existing methods for estimating threat likelihood assume that the attacker is able to cause a given threat, that exploits existing vulnerabilities, if s/he has the required opportunities (e.g., sufficient attack time) and means (e.g., tools and skills), which is not true; often, s/he can perform an attack and cause the related threat only if s/he has the ability to access related resources (objects) of the system that allow to do so. This paper proposes a risk estimation method that incorporates attacker capabilities in estimating the likelihood of threats as conditions for using the means and opportunities, demonstrates the use of the proposed risk estimation method through two examples: video conferencing systems and connected vehicles, shows that changing attacker capabilities changes the risks of the threats, and compares the uncertainty of experts in evaluating the likelihood of threats considering and not considering attacker capabilities for two experiments. The results of the experiments suggest that experts are less uncertain about their estimations of threat likelihoods when they consider attacker capabilities.