Yves Deswarte

Intrusion-tolerant middleware: the road to automatic security

The pervasive interconnection of systems throughout the world has given computer services a significant socioeconomic value that both accidental faults and malicious activity can affect. The classical approach to security has mostly consisted of trying to prevent bad things from happening-by developing systems without vulnerabilities, for example, or by detecting attacks and intrusions and deploying ad hoc countermeasures before any part of the system is damaged. Building an intrusion-tolerant system to arrive at some notion of intrusion-tolerant middleware for application support presents multiple challenges. Surprising as it might seem, intrusion tolerance isnt just another instantiation of accidental fault tolerance

Access Control for Collaborative Systems: A Web Services Based Approach

Nowadays, systems are more and more open, distributed and collaborative. In this context, access control is an important issue that should be studied, specified and well enforced. This work proposes a new access control model for collaborative systems: PolyOrBAC. On the one hand, we extend OrBAC (organization-based access control model) to specify local as well as collaboration access control rules; on the other hand, we enforce these security policies by applying Web services mechanisms (XML, SOAP, UDDI and WSDL). Then, we present a representative scenario of secure collaborative applications. Furthermore, we propose a XACML-based implementation of PolyOrBAC and we discuss the most important approaches that emphasize access control in collaborative environments.

Enforcing kernel constraints by hardware-assisted virtualization

This article deals with kernel security protection. We propose a characterization of malicious kernel-targeted actions, based on how the way they act to corrupt the kernel. Then, we discuss security measures able to counter such attacks. We finally expose our approach based on hardware-virtualization that is partially implemented into our demonstrator Hytux, which is inspired from bluepill (Rutkowska in subverting vista kernel for fun and profit. In: Black Hat in Las Vegas, 2006), a malware that installs itself as a lightweight hypervisor—on a hardware-virtualization compliant CPU—and puts a running Microsoft Windows Operating System into a virtual machine. However, in contrast with bluepill, Hytux is a lightweight hypervisor that implements protection mechanisms in a more privileged mode than the Linux kernel.

Execution Patterns in Automatic Malware and Human-Centric Attacks

With the massive surges of new malware, the intuitive detection techniques currently used in most security tools deem ineffective. Consequently, we urgently need better solutions that are established on solid theoretical basis. It becomes, thus, necessary to search for more efficient techniques and algorithms as well as taxonomies and models for attacks and malware. We present, in this paper, the analysis we made on both automatic malware and human-centric attacks, which allowed us to construct a model for attack process. The main objective of this work is to construct a model that can aide in the generation of real attack scenarios and use it in the evaluation of Intrusion Detection Systems. However, the model described here could have many other potential uses. For example, it can be used for writing execution- based signatures, event correlation, penetration testing, security simulations as well as security educations.

Connecting commercial computers to avionics systems

In this paper, we present two case studies identified for new aircraft generations in which bidirectional communications are carried between onboard and off-board computers. These two case studies deal respectively with flight parameter calculation and enhanced maintenance operations for future aircraft. We emphasize the safety and security challenges in such communications, and propose a safe architecture allowing the connection of commercial computers to avionics systems, without altering any embedded software component behavior.

Critical Infrastructures Security Modeling, Enforcement and Runtime Checking

This paper identifies the most relevant security requirements for critical infrastructures (CIs), and according to these requirements, proposes an access control framework. The latter supports the CI security policy modeling and enforcement. Then, it proposes a runtime model checker for the interactions between the organizations forming the CIs, to verify their compliance with previously signed contracts. In this respect, not only our security framework handles secure local and remote accesses, but also audits and verifies the different interactions. In particular, remote accesses are controlled, every deviation from the signed contracts triggers an alarm, the concerned parties are notified, and audits can be used as evidence for sanctioning the party responsible for the deviation.

AMORES: an architecture for mobiquitous resilient systems

We present the AMORES project, which aims to provide an architecture for the provision of privacy preserving and resilient collaborative services in mobiquitous (i.e., mobile and ubiquitous) systems. The project is built around three use-cases from the area of public transportation: (1) dynamic carpooling, (2) real-time computation of multimodal transportation itineraries and (3) mobile social networking. Four main research tasks are presented in this paper. The first task deals with use-cases, prototypes and privacy assessment. The second task addresses geo-communication primitives: verified positioning, locanyms and geo-services. The third task deals with privacy-preserving communication means such as anonymous routing and geo-cryptography. Finally, the last task is devoted to collaborative behaviors.

Single-Database private information retrieval schemes: overview, performance study, and usage with statistical databases

This paper presents an overview of the current single-database private information retrieval (PIR) schemes and proposes to explore the usage of these protocols with statistical databases. The vicinity of this research field with the one of Oblivious Transfer, and the different performance measures used for the last few years have resulted in re-discoveries and contradictory comparisons of performance in different publications. The contribution of this paper is twofold. First, we present the different schemes through the innovations they have brought to this field of research, which gives a global view of the evolution since the first of these schemes was presented by Kushilevitz and Ostrovsky in 1997. We know of no other survey of the current PIR protocols. We also compare the most representative of these schemes with a single set of communication performance measures. When compared to the usage of global communication cost as a single measure, we assert that this set simplifies the evaluation of the cost of using PIR and reveals the best adapted scheme to each situation. We conclude this overview and performance study by introducing some important issues resulting from PIR usage with statistical databases and highlighting some directions for further research.

Enhancing dependability in avionics using virtualization

Software in avionics has always been totally separated from open-world software, in order to avoid any interaction that could corrupt critical on-board systems. However, new aircraft generations need more interaction with off-board systems to offer extended services, which makes these information flows potentially dangerous.n In this paper, we present a case study (identified in the ArSec project) that requires bidirectional communication between critical on-board systems and untrusted off-board systems. We propose the use of virtualization to ensure dependability of critical applications despite such communication.

A model-driven approach for experimental evaluation of intrusion detection systems

Because attacks are becoming more frequent and more complex, intrusion detection systems IDSes need significant improvements to be able to detect new attacks and variants of already known attacks. It is thus necessary to assess precisely their quality of detection, performance, and robustness in the environment where they will be deployed. In this paper, we present an evaluation approach designed to overcome most of the identified weaknesses in several IDS evaluation: the lack of a rigorous methodology, the use of non-representative test datasets, and the use of inappropriate metrics. In our approach, model-based evaluation is combined with experimental testing. Because testing an IDS against all possible attacks is practically impossible, we propose a classification of elementary attacks and a model of attack processes. Then, we developed the attack planning and injection tool that helps security administrators to plan and select the most relevant attack scenarios. Attack planning and injection tool is able to generate and carry out concrete and adaptable attacks on specifically identified computers. To demonstrate the validity of our approach, we experimented our tool in a case study environment to compare well-known IDSes. Copyright