Spyros T. Halkidis

Design Pattern Detection Using Similarity Scoring

The identification of design patterns as part of the reengineering process can convey important information to the designer. However, existing pattern detection methodologies generally have problems in dealing with one or more of the following issues: identification of modified pattern versions, search space explosion for large systems and extensibility to novel patterns. In this paper, a design pattern detection methodology is proposed that is based on similarity scoring between graph vertices. Due to the nature of the underlying graph algorithm, this approach has the ability to also recognize patterns that are modified from their standard representation. Moreover, the approach exploits the fact that patterns reside in one or more inheritance hierarchies, reducing the size of the graphs to which the algorithm is applied. Finally, the algorithm does not rely on any pattern-specific heuristic, facilitating the extension to novel design structures. Evaluation on three open-source projects demonstrated the accuracy and the efficiency of the proposed method

A novel technique for image steganography based on a high payload method and edge detection

Image steganography has received a lot of attention during the last decade due to the lowering of the cost of storage media, which has allowed for wide use of a large number of images. We present a novel technique for image steganography which belongs to techniques taking advantage of sharp areas in images in order to hide a large amount of data. Specifically, the technique is based on the edges present in an image. A hybrid edge detector is used for this purpose. Moreover, a high payload technique for color images is exploited. These two techniques are combined in order to produce a new steganographic algorithm. Experimental results show that the new method achieves a higher peak signal to noise ratio for the same number of bits per pixel of embedded image.

Architectural Risk Analysis of Software Systems Based on Security Patterns

The importance of software security has been profound, since most attacks to software systems are based on vulnerabilities caused by poorly designed and developed software. Furthermore, the enforcement of security in software systems at the design phase can reduce the high cost and effort associated with the introduction of security during implementation. For this purpose, security patterns that offer security at the architectural level have been proposed in analogy to the well-known design patterns. The main goal of this paper is to perform risk analysis of software systems based on the security patterns that they contain. The first step is to determine to what extent specific security patterns shield from known attacks. This information is fed to a mathematical model based on the fuzzy-set theory and fuzzy fault trees in order to compute the risk for each category of attacks. The whole process has been automated using a methodology that extracts the risk of a software system by reading the class diagram of the system under study.

A qualitative analysis of software security patterns

Software security, which has attracted the interest of the industrial and research community during the last years, aims at preventing security problems by building software without the so-called security holes. One way to achieve this goal is to apply specific patterns in software architecture. In the same way that the well-known design patterns for building well-structured software have been defined, a new kind of patterns called security patterns have emerged. These patterns enable us to incorporate a level of security already at the design phase of a software system. There exists no strict set of rules that can be followed in order to develop secure software. However, a number of guidelines have already appeared in the literature. Furthermore, the key problems in building secure software and major threat categories for a software system have been identified. An attempt to evaluate known security patterns based on how well they follow each principle, how well they encounter with possible problems in building secure software and for which of the threat categories they do take care of, is performed in this paper. Thirteen security patterns were evaluated based on these three sets of criteria. The ability of some of these patterns to enhance the security of the design of a software system is also examined by an illustrative example of fortifying a published design.

A qualitative evaluation of security patterns

Software Security has received a lot of attention during the last years. It aims at preventing security problems by building software without the so-called security holes. One of the ways to do this is to apply specific patterns in software architecture. In the same way that the well-known design patterns for building well-structured software have been used, a new kind of patterns, called security patterns have emerged. The way to build secure software is still vague, but guidelines for this have already appeared in the literature. Furthermore, the key problems in building secure software have been mentioned. Finally, threat categories for a software system have been identified. Based on these facts, it would be useful to evaluate known security patterns based on how well they follow each guideline, how they encounter with possible problems in building secure software and for which of the threat categories they do take care of.

Quantitative evaluation of systems with security patterns using a fuzzy approach

The importance of Software Security has been evident, since it has been shown that most attacks to software systems are based on vulnerabilities caused by software poorly designed and developed Furthermore, it has been discovered that it is desirable to embed security already at design phase Therefore, patterns aiming at enhancing the security of a software system, called security patterns, have been suggested The main target of this paper is to propose a mathematical model, based on fuzzy set theory, in order to quantify the security characteristics of systems using security patterns In order to achieve this we first determine experimentally to what extent specific security patterns enhance several security aspects of systems To determine this, we have developed two systems, one without security patterns and one containing them and have experimentally determined the level of the higher robustness to attacks of the latter The proposed mathematical model follows.

A Provably Secure One-Pass Two-Party Key Establishment Protocol

For two parties to communicate securely over an insecure channel, they must be able to authenticate one another and establish a common session key. We propose a new secure one-pass authenticated key establishment protocol which is well suited to one-way communication channels. The protocol is examined using an extension of the Bellare-Rogaway model proposed by Blake-Wilson et. al., and is shown to be provably secure, in the sense that defeating the protocol is equivalent to solving a CDH problem. We compare our protocol to existing approaches, in terms of security and efficiency. To the best of our knowledge, ours is the only one-pass protocol that resists general key-compromise impersonation attacks, and avoids certain vulnerabilities to loss of information attacks found in other protocols of its class.

Moving from Requirements to Design Confronting Security Issues: A Case Study

Since the emergence of software security as a research area, it has been evident that security should be incorporated as early as possible in the software lifecycle. The advantage is that large gains can be achieved in terms of cost and effort compared to the introduction of security as an afterthought. The earliest possible phase to consider possible attacks is during requirements specification. A widely accepted approach to consider security in the requirements is the employment of misuse cases. In this paper we examine a case study to automatically generate a class diagram, based on the use and misuse cases present in the requirements. Particularly, we extend a natural language processing approach to move beyond a general domain model and produce a detailed class diagram. Moreover, security patterns are introduced in appropriate places of the design to confront the documented attacks and protect the threatened resources. Additionally, we perform an experimental study to investigate the tradeoff between the additional effort to mitigate the attacks and the security risk of the resulting system. Finally, the optimization problem of finding the smallest system regarding additional effort given a maximum acceptable risk is established and an appropriate algorithm to solve it is proposed.

Brief Review of Software Security History with an Emphasis on Efforts Focused at Early Stages of the Software Lifecycle

The importance of software security has been profound recently. The main issue during the early efforts of the late 90s was how to counterattack the buffer overflows problem. However, emphasis has recently shifted on how to counterfeit software attacks at the design level starting with the introduction of security patterns. We have qualitatively analyzed the most important security patterns, and quantitatively evaluated software systems based on their design, using fuzzy risk analysis, based on the security patterns they contain and the STRIDE model of attacks. Additionally, we have analyzed the effectiveness of code obfuscation techniques, which we think is a starting point for future research.