Nora Cuppens

A formal approach for testing security rules

Nowadays, security policies are the key point of every modern infrastructure. The specification and the testing of such policies are the fundamental steps in the development of a secure system since any error in a set of rules is likely to harm the global security. To address both challenges, we propose a framework to specify security policies and test their implementation on a system. Our framework makes it possible to generate in an automatic manner, test sequences, in order to validate the conformance of a security policy. system behavior is specified using a formal description technique based on extended finite state machine (EFSM) [12]. The integration of security rules within the system specification is performed by specific algorithms. Then, the automatic tests generation is performed using a dedicated tool, called SIRIUS, developed in our laboratory. Finally, we briefly present a weblog system as a case study to demonstrate the reliability of our framework.

Security policy compliance with violation management

A security policy of an information system is a set of security requirements that correspond to permissions, prohibitions and obligations to execute some actions when some contextual conditions are satisfied. Traditional approaches consider that the information system enforces its associated security policy if and only if actions executed in this system are permitted by the policy (if the policy is closed) or not prohibited (if the policy is open) and every obligatory actions are actually executed in the system (no violation of obligations). In this paper, we investigate a more sophisticated approach in which an information system specification is compliant with its security policy even though some security requirements may be violated. Our proposal is to consider that this is acceptable when the security policy specifies additional requirements that apply in case of violation of other security requirements. In this case, we formally define conditions to be satisfied by an information system to comply with its security policy. We then present a proof-based approach to check if these conditions are enforced.

An additive and lossless watermarking method based on invariant image approximation and Haar wavelet transform

In this article, we propose a new additive lossless watermarking scheme which identifies parts of the image that can be reversibly watermarked and conducts message embedding in the conventional Haar wavelet transform coefficients. Our approach makes use of an approximation of the image signal that is invariant to the watermark addition for classifying the image in order to avoid over/underflows. The method has been tested on different sets of medical images and some usual natural test images as Lena. Experimental result analysis conducted with respect to several aspects including data hiding capacity and image quality preservation, shows that our method is one of the most competitive existing lossless watermarking schemes in terms of high capacity and low distortion.

Comparison of some reversible watermarking methods in application to medical images

Several reversible watermarking schemes have been proposed for images of sensitive content, like medical imaging, for which any modification may affect their interpretation. In this work, we distinguish these methods according to the way watermark insertion is conducted: additive and substitutive. Some of these approaches have been tested on different sets of medical images issued from three distinct modalities: Magnetic Resonance Images, Positron Emission Tomography and Ultrasound Imaging. Comparison analysis has been conducted with respect to several aspects including data hiding capacity and image quality preservation. Experimental results show different limitations which depend on the watermark approach but also on image modality specificities.

Reversible watermarking based on invariant image classification and dynamical error histogram shifting

In this article, we present a novel reversible watermarking scheme. Its originality stands in identifying parts of the image that can be watermarked additively with the most adapted lossless modulation between: Pixel Histogram Shifting (PHS) or Dynamical Error Histogram Shifting (DEHS). This classification process makes use of a reference image derived from the image itself, a prediction of it, which has the property to be invariant to the watermark addition. In that way, watermark embedded and reader remain synchronized through this image of reference. DEHS is also an original contribution of this work. It shifts predict-errors between the image and its reference image taking care of the local specificities of the image, thus dynamically. Conducted experiments, on different medical image test sets issued from different modalities and some natural images, show that our method can insert more data with lower distortion than the most recent and efficient methods of the literature.

Evaluating the Trustworthiness of Contributors in a Collaborative Environment

We propose a method to evaluate the contributions of each participant to the development of a document in a collaborative environment. The algorithm proceeds ex post, by analyzing the different steps that led to the final (assumed satisfying) version of the document. Such an evaluation might be considered as a trust or reputation note, and therefore can be used as an input for trust mechanisms aimed at incentivizing users to contribute efficiently.

Privacy Preserving Record Matching Using Automated Semi-trusted Broker

In this paper, we present a novel scheme that allows multiple data publishers that continuously generate new data and periodically update existing data, to share sensitive individual records with multiple data subscribers while protecting the privacy of their clients. An example of such sharing is that of health care providers sharing patients’ records with clinical researchers. Traditionally, such sharing is performed by sanitizing personally identifying information from individual records. However, removing identifying information prevents any updates to the source information to be easily propagated to the sanitized records, or sanitized records belonging to the same client to be linked together. We solve this problem by utilizing the services of a third party, which is of very limited capabilities in terms of its abilities to keep a secret, secret, and by encrypting the identification part used to link individual records with different keys. The scheme is based on strong security primitives that do not require shared encryption keys.

Towards the Evaluation of End-to-End Resilience Through External Consistency

Contemporary systems are built from complex arrangements of interoperating components implementing functional and other non-functional concerns that are necessary to ensure continuing service delivery. One of these concerns—resilience—relies on components that implement a variety of mechanisms, such as access controls, adaptability and redundancy. How these mechanisms interoperate with each other and the systems’ functional components to provide resilience is considered in this paper. External consistency, defined as the extent to which data in the system corresponds to its real-world value, provides a natural interpretation for the definition of resilience. A model of resilience is developed that can be used to trace how the functional and non-functional components in a system contribute to the determination of our confidence in the external consistency of the data that they process.

Demo: Do not trust your neighbors! A small IoT platform illustrating a man-in-the-middle attack

This demonstration defines a small IoT wireless network that uses TI CC2538-OpenMote as hardware platform and state-of-the-art IETF network standards such as 6LoWPAN, RPL, and CoAP implemented by ContikiOS. The IoT nodes are controlled from outside the IoT network using end-to-end connectivity provided by IPv6-CoAP messages. We implement a man-in-the-middle attack that disrupts the normal behavior of the system. Our attack leverages on the inherent hierarchical routing topology of RPL-based IoT networks. The demonstration aims at highlighting the need for end-to-end source-authentication and authorization enforcement of information even inside a trusted IoT network. We also provide some insights on how these services can be offered in a IoT-friendly way.

Firewall Policies Provisioning Through SDN in the Cloud

The evolution of the digital world drives cloud computing to be a key infrastructure for data and services. This breakthrough is transforming Software Defined Networking into the cloud infrastructure backbone because of its advantages such as programmability, abstraction and flexibility. As a result, many cloud providers select SDN as a cloud network service and offer it to their customers. However, due to the rising number of network cloud providers and their security offers, network cloud customers strive to find the best provider candidate who satisfies their security requirements. In this context, we propose a negotiation and an enforcement framework for SDN firewall policies provisioning. Our solution enables customers and SDN providers to express their firewall policies and to negotiate them via an orchestrator. Then, it reinforces these security requirements using the holistic view of the SDN controllers and it deploys the generated firewall rules into the network elements. We evaluate the performance of the solution and demonstrate its advantages.