Thomas Scheffler
University of Potsdam
Publication
Featured research published by Thomas Scheffler.
pervasive technologies related to assistive environments | 2011
Thomas Scheffler; Sven Schindler; Marcus Lewerenz; Bettina Schnor
This paper presents a privacy-aware localization service which has been developed to fulfill the privacy requirements of an assistance system for elderly people. The privacy concept is based on the sticky-policy approach that simplifies the enforcement of policies in a distributed environment. We discuss two well-known policy languages, XACML and GEOPRIV's Common Policy, with respect to their usability for our scenario.
information security conference | 2008
Thomas Scheffler; Stefan Geiß; Bettina Schnor
In this paper we discuss implementation issues of a distributed privacy enforcement scheme to support Owner-Retained Access Control for digital data repositories. Our approach is based on the Java Security Framework. In order to achieve policy enforcement dependent on the accessed data object, we had to implement our own class loader that supports instance-level policy assignment. Access policies are described using XACML and stored together with the data as sticky policies. Enforcement of generic policies over sticky policy objects required the extension of XACML with XPath-specific functions. Our use-case scenario is the user-controlled distribution of Electronic Health Records.
international conference on e business | 2013
Sven Schindler; Bettina Schnor; Simon Kiertscher; Thomas Scheffler; Eldad Zack
During 2012, we conducted a long term IPv6-darknet experiment. We observed a relatively high number of interesting events and therefore needed additional network security tools to capture and analyse potentially harmful IPv6 traffic. This paper presents HoneydV6, a low-interaction IPv6 honeypot that can simulate entire IPv6 networks and which may be utilized to detect and analyze IPv6 network attacks. Our implementation is based on the well-known low-interaction honeypot Honeyd. To the best of our knowledge, this is the first low-interaction honeypot which is able to simulate entire IPv6 networks on a single host. Enticing attackers to exploit an IPv6 honeypot requires new approaches and concepts because of the huge IPv6 address space. We solved this problem through a dynamic instantiation mechanism that increases the likelihood for an attacker to find a target host in our IPv6 honeynet.
personal, indoor and mobile radio communications | 2005
Thomas Scheffler; Bettina Schnor
This paper analyses data privacy issues as they arise from different deployment scenarios for networks that use embedded sensor devices. Maintaining data privacy in pervasive environments requires the management and implementation of privacy protection measures close to the data source. We propose a set of atomic privacy parameters that is generic enough to form specific privacy classes and might be applied directly at the embedded sensor device.
Proceedings of the Applied Networking Research Workshop on | 2017
Thomas Scheffler; Olaf Bonneß
This paper presents an experimental design/approach that allows the standardized management protocol NETCONF to handle dynamically changing networks found in the IoT and Home-Networking domain. Management of such networks is challenging, because they usually grow out of spontaneous device assemblies, rather than an engineering blueprint. Network membership may be highly dynamic and the devices might only possess very limited computation and communication budgets. It is our goal to develop methods and strategies for automatic device discovery and configuration maintenance in such networks. In our experiment we dynamically generate YANG data models and NETCONF RPCs from device profiles written in JSON and map these to configuration commands in the lightweight MQTT protocol.
world congress on internet security | 2015
Sven Schindler; Bettina Schnor; Thomas Scheffler
This paper presents a new hybrid honeypot architecture which focuses on the coverage of large IPv6 address spaces. Results from a 15-month darknet experiment verify that attackers and researchers utilise various approaches to scan wide and unforeseeable IPv6 address ranges which cannot be managed with current honeypot solutions. The huge IPv6 address space not only makes it hard for attackers to find target hosts, it also makes it difficult for a honeypot to get found by an attacker. We solve this challenge through the use of dynamically configured high-interaction honeypots that can cover large chunks of the IPv6 address space. A new proxy mechanism is used to transparently hand over and forward traffic from low- to high-interaction honeypots on demand to provide the best possible service granularity. Measurements with our prototype implementation show that the proposed approach performs well on off-the-shelf hardware and has low maintenance costs.
international conference on security and cryptography | 2014
Sven Schindler; Bettina Schnor; Thomas Scheffler
More and more networks and services are reachable via IPv6 and the interest in security monitoring of these IPv6 networks is increasing. Honeypots are valuable tools to monitor and analyse network attacks. HoneydV6 is a low-interaction honeypot which is well suited to deal with the large IPv6 address space, since it is capable of simulating a large number of virtual hosts on a single machine. This paper presents an extension for HoneydV6 which allows the detection, extraction and analysis of shellcode contained in IPv6 network attacks. The shellcode detection is based on the open source library libemu and combined with the online malware analysis tool Anubis. We compared the shellcode detection rate of HoneydV6 and Dionaea. While HoneydV6 is able to detect about 25 % of the malicious samples, the Dionaea honeypot detects only about 6 %.
international conference on consumer electronics berlin | 2013
Sven Zehl; Thomas Scheffler
Smart Objects are ordinary objects that become part of a network architecture. This allows remote control and management of such devices, as well as the development of tightly integrated usage scenarios. Application security for such devices is a very important prerequisite. This paper presents implementation details of an SNMPv3 agent that offers secure control and management functionality through application layer encryption and authentication provided by the integrated User Based Security Model. Our prototypical implementation of a smart object uses a wireless network based on the IEEE 802.15.4 standard. The network layer is built on IPv6 which is transmitted over a 6LoWPAN adaptation layer. The smart object uses an 8-bit microcontroller from Atmel and runs the network-enabled operating system Contiki in version 2.6.
International Journal of Internet Technology and Secured Transactions | 2013
Thomas Scheffler; Sven Schindler; Bettina Schnor
Location-based services have become more and more popular over the last years and allow the tracking of persons and goods. Users of these services often have little control over their private data as it is accessed, processed and stored. This paper presents a privacy enforcement concept that combines a sticky-policy approach with an aspect-oriented programming-based reference monitor. Furthermore, we introduce prioritised policies which allow users to define their own access rules without accidentally generating inconsistent rule sets. For the implementation of this concept, we propose a new XACML combining algorithm, the priority policy combining algorithm. We demonstrate the feasibility and ease-of-use of our concept with the example of a theme-park location service.
IFAC Proceedings Volumes | 2001
Thomas Scheffler
The internet has become hugely successful in recent years and people are constantly developing new services to put on the internet. The technical means that has made it possible to generate this interconnected network is the IP-protocol, which was standardised in 1981. It has been up to the task so far, but IP-addresses are becoming a scarce resource. A new version of this protocol has finally arrived to target these needs. The author introduces the features of this protocol, implications for transition to the new protocol and shows ways to manage all the interconnected devices on the network.