
Publication


Featured research published by Samik Basu.


Symposium on Operating Systems Principles | 2003

Model-carrying code: a practical approach for safe execution of untrusted applications

R. Sekar; V. N. Venkatakrishnan; Samik Basu; Sandeep Bhatkar; Daniel C. DuVarney

This paper presents a new approach called model-carrying code (MCC) for safe execution of untrusted code. At the heart of MCC is the idea that untrusted code comes equipped with a concise high-level model of its security-relevant behavior. This model helps bridge the gap between high-level security policies and low-level binary code, thereby enabling analyses which would otherwise be impractical. For instance, users can use a fully automated verification procedure to determine if the code satisfies their security policies. Alternatively, an automated procedure can sift through a catalog of acceptable policies to identify one that is compatible with the model. Once a suitable policy is selected, MCC guarantees that the policy will not be violated by the code. Unlike previous approaches, the MCC framework enables code producers and consumers to collaborate in order to achieve safety. Moreover, it provides support for policy selection as well as enforcement. Finally, MCC makes no assumptions regarding the inherent risks associated with untrusted code. It simply provides the tools that enable a consumer to make informed decisions about the risk that he/she is willing to tolerate so as to benefit from the functionality offered by an untrusted application.


International Journal of Information and Computer Security | 2007

A taxonomy of intrusion response systems

Natalia Stakhanova; Samik Basu; Johnny Wong

Recent advances in the field of intrusion detection brought new requirements to intrusion prevention and response. Traditionally, the response to an attack is manually triggered by an administrator. However, increased complexity and speed of the attack-spread during recent years show acute necessity for complex dynamic response mechanisms. Although intrusion detection systems are being actively developed, research efforts in intrusion response are still isolated. In this work we present a taxonomy of intrusion response systems, together with a review of current trends in intrusion response research. We also provide a set of essential features as a requirement for an ideal intrusion response system.


International Conference on Web Services | 2007

On Context-Specific Substitutability of Web Services

Jyotishman Pathak; Samik Basu; Vasant G. Honavar

Web service substitution refers to the problem of identifying a service that can replace another service in the context of a composition with a specified functionality. Existing solutions to this problem rely on detecting the functional and behavioral equivalence of a particular service to be replaced and candidate services that could replace it. We introduce the notion of context-specific substitutability, where context refers to the overall functionality of the composition that is required to be maintained after replacement of its constituents. Using the context information, we investigate two variants of the substitution problem, namely environment-independent and environment-dependent, where environment refers to the constituents of a composition and show how the substitutability criteria can be relaxed within this model. We provide a logical formulation of the resulting criteria based on model checking techniques as well as prove the soundness and completeness of the proposed approach.


Automated Software Engineering | 2011

Compositional model checking of software product lines using variation point obligations

Jing Liu; Samik Basu; Robyn R. Lutz

This paper introduces a technique for incremental and compositional model checking that allows efficient reuse of model-checking results associated with the features in a product line. As the use of product lines has increased, so has the need to verify the models used to construct the products in the product line. However, this effort is currently hampered by the difficulty of composing model-checking results for the features in a way that allows reuse for subsequent products. The contributions of this paper are to remove restrictions on how the features can be sequentially composed, to describe how to generate obligations such that all sequentially composed systems can be verified, and to show how to compositionally model check the product in the product line by reusing the variation-point obligations. The paper develops the technique and its implementation in the context of a medical-device product line.


International World Wide Web Conferences | 2011

Choreography conformance via synchronizability

Samik Basu; Tevfik Bultan

Choreography analysis has been a crucial problem in service oriented computing. Interactions among services involve message exchanges across organizational boundaries in a distributed computing environment, and in order to build such systems in a reliable manner, it is necessary to develop techniques for analyzing such interactions. Choreography conformance involves verifying that a set of services behave according to a given choreography specification that characterizes their interactions. Unfortunately this is an undecidable problem when services interact with asynchronous communication. In this paper we present techniques that identify if the interaction behavior for a set of services remain the same when asynchronous communication is replaced with synchronous communication. This is called the synchronizability problem and determining the synchronizability of a set of services has been an open problem for several years. We solve this problem in this paper. Our results can be used to identify synchronizable services for which choreography conformance can be checked efficiently. Our results on synchronizability are applicable to any software infrastructure that supports message-based interactions.


International Conference on Web Services | 2007

Automated Choreographer Synthesis for Web Services Composition Using I/O Automata

Saayan Mitra; Ratnesh Kumar; Samik Basu

We study the problem of synthesis of a choreographer in Web service composition for a given set of services and a goal. Services and goal are represented using I/O automata which can succinctly and precisely describe the interfaces of the services. Our technique considers existence and synthesis of two types of the choreographers: a simple choreographer capable of only relaying outputs from one service to input of another and a transducing choreographer which is capable of storing and reusing inputs/outputs from the services. The central theme of our technique relies on generating I/O automata representation of all possible choreographed behavior of existing services (captured in form of universal service automaton, a concept introduced in this paper) and verifying that the goal can be simulated by the universal set of choreographed behaviors.


Symposium on Applications and the Internet | 2009

Cross-Layer Based Anomaly Detection in Wireless Mesh Networks

Xia Wang; Johnny Wong; Fred Stanley; Samik Basu

Wireless mesh networking has been a cost-effective technology that provides wide-coverage broadband wireless network services. However, security and privacy in this proliferated network environment have not been widely studied. In this work, we propose a cross-layer based anomaly intrusion detection system (IDS) to accommodate the integrated property of routing protocols with link information in wireless mesh networks (WMNs). An IDS software prototype over a wireless mesh network testbed has been implemented and evaluated. By comparing the performance of the cross-layer approach with that of single-layer based intrusion detection, especially an IDS at network layer, we validate the effectiveness of cross-layer based anomaly detection in WMNs.


Symposium on Applications and the Internet | 2010

Analysis & Detection of SQL Injection Vulnerabilities via Automatic Test Case Generation of Programs

Michelle Ruse; Tanmoy Sarkar; Samik Basu

SQL injection attacks occur due to vulnerabilities in the design of queries where a malicious user can take advantage of input opportunities to insert code in the queries that modify the query-conditions resulting in unauthorized database access. We provide a novel technique to identify the possibilities of such attacks. The central theme of our technique is based on automatically developing a model for a SQL query such that the model captures the dependencies between various components (sub-queries) of the query. We, then, analyze the model using CREST test-case generator and identify the conditions under which the query corresponding to the model is deemed vulnerable. We further analyze the obtained condition-set to identify its subset; this subset being referred to as the causal set of the vulnerability. Our technique considers the semantics of the query conditions, i.e., the relationship between the conditions, and as such complements the existing techniques which only rely on syntactic structure of the SQL query. In short, our technique can detect vulnerabilities in nested SQL queries, and can provide results with no false positives or false negatives when compared to the existing techniques.


IEEE International Conference on Services Computing | 2009

Web Service Substitution Based on Preferences Over Non-functional Attributes

Ganesh Ram Santhanam; Samik Basu; Vasant G. Honavar

In many applications involving composite Web services, one or more component services may become unavailable. This presents us with the problem of identifying other components that can take their place, while maintaining the overall functionality of the composite service. Given a choice of candidate substitutions that offer the desired functionality, it is often necessary to select the most preferred substitution based on non-functional attributes of the service, e.g., security, reliability, etc. We propose an approach to this problem using preference networks for representing and reasoning about preferences over non-functional properties. We present algorithms for solving several variants of this problem: a) when the choice of the preferred substitution is independent of the other constituents of the composite service; b) when the choice of the preferred substitution depends on the other constituents of the composite service; and c) when multiple constituents of a composite service need to be replaced simultaneously. The proposed solutions to the service substitution problem based on preferences over non-functional properties are independent of the specific formalism used to represent functional requirements of a composite service as well as the specific algorithm used to assemble the composite service.


Computer Software and Applications Conference | 2009

A Framework for Cost Sensitive Assessment of Intrusion Response Selection

Chris Strasburg; Natalia Stakhanova; Samik Basu; Johnny Wong

In recent years, cost-sensitive intrusion response has gained significant interest, mainly due to its emphasis on the balance between potential damage incurred by the intrusion and cost of the response. However, one of the challenges in applying this approach is defining a consistent and adaptable measurement of these cost factors on the basis of system requirements and policy. In this paper, we present a host-based framework for the cost-sensitive assessment and selection of intrusion response. Specifically, we introduce a set of measurements that characterize the potential costs associated with the intrusion handling process, and propose an intrusion response evaluation method with respect to the risk of potential intrusion damage, the effectiveness of the response action and the response cost for a system. We provide an implementation of the proposed solution as an IDS-independent plugin tool and demonstrate its advantages on the several attack examples.

Collaboration


Dive into Samik Basu's collaboration.

Top Co-Authors

Vasant G. Honavar

Pennsylvania State University


Roopak Sinha

Auckland University of Technology


Natalia Stakhanova

University of New Brunswick
