Embed Size (px)
Citation preview
Frid
ay D
ecem
ber
7, 2
007
SoBeNeT project 5th User group meeting
07/12/2007
2
Frid
ay D
ecem
ber
7, 2
007
Agenda
16:00h Welcoming
16:10h Project overview and status
16:40h CLASP, SDL and TouchPoints compared
17:00h SoProTo – A software protection tool
17:20h Run-time enforcement of security policies on the .NET framework
17:40h Discussion and wrap-up
18:00h Drink
3
Frid
ay D
ecem
ber
7, 2
007
Overview
1. Project context
2. Overview of main results
3. Valorization program
4. Outlook on finalization
4
Frid
ay D
ecem
ber
7, 2
007
I. Context: project in a nutshell
IWT SBO project (2003-2007) Extended until April 2008
Context: availability of security components (still evolving but relatively mature)
Goal: to enable the development of secure software applications
4 Research tracks: Programming and Composition Technology Software engineering – “full life cycle” Tamper and analysis resistance Shielding and interception
5
Frid
ay D
ecem
ber
7, 2
007
The project’s user group
3E Agfa Alcatel Application Engineers Cryptomatic EMC2
Inno.com Johan Peeters bvba
Microsoft L-SEC NBB OWASP-Belgium Philips PWC Siemens UZ Gasthuisberg Zetes
User group Channel for direct feedback on the execution of
the project Primary audience for dissemination Possible channel for validation and valorization
Composition:
7
Frid
ay D
ecem
ber
7, 2
007
II. Project status@End of fourth project year
Significant amount of results Academic:
• scientific publications at all levels• several completed PhD’s • involvement in national and international events
Broader dissemination: workshops and courses Project execution is on schedule
Taking into account the project extension Priorities were fine-tuned during execution
Industrial validation: Spin-off projects Opportunities for feedback Continuous interest in practical validation !
8
Frid
ay D
ecem
ber
7, 2
007
Looking Back… Year 1
Project support activitiesVulnerability study and classification Inception of case studies
Feasibility study of engineering application-level security with AOSD
Study of techniques for tamper and analysis resistance
Study of interception techniques
9
Frid
ay D
ecem
ber
7, 2
007
Headlines of Year 2
Model for addressing code injection vulnerabilities Interrelations between point solutions in track I
(Languages and composition) E.g., security contracts as a language extension and a
vehicle for reasoning on composition Focus on component frameworks
Activating the software engineering track Study activities (incl. workshops)
Architecture for management and monitoring Survey of attack methods and options in application
protocols
First industrial validations
10
Frid
ay D
ecem
ber
7, 2
007
Headlines of Year 3
Release of dnmalloc Support for different types of security contracts
CAS, data dependencies, concurrency Fine-tuning of modularized access control Study of AOP security implications Refinement of secure development process activities
(leveraged, among others, by results of other tracks) Improved techniques for tamper and analysis
resistance Security management and monitoring applied to
the .Net platform
11
Frid
ay D
ecem
ber
7, 2
007
Headlines Y4: Track 1
General model for security contracts (PhD)
Language specification and static verification based on Spec#
Access Control Interfaces (PhD)
Security-tuned composition mechanism based on AOSD technology
AOPS, a permission system for dealing with AOP risks
Security architecture for third-party applications on mobile devices
12
Frid
ay D
ecem
ber
7, 2
007
Headlines Y4: Track 2
In-depth study and comparison of SDL, CLASP and Touchpoints has resulted in the activity matrix
Analysis and systematic support for security principles in process activities
Towards automated transition from requirements -> architecture
Survey of security patterns
13
Frid
ay D
ecem
ber
7, 2
007
Headlines Y4: Track 3
New techniques and attacks Cryptanalysis of White-Box DES Implementations
with Arbitrary External Encodings [SAC 2007] Remote attestation on legacy operating systems
with trusted platform modules [REM 2007]
Software Security Through Targeted Diversification [CoBaSSA 2007]
SoProTo - Software Protection Tool White-box cryptography Obfuscation transformations
14
Frid
ay D
ecem
ber
7, 2
007
Headlines Y4: Track 4
Application protocol checkerIntegration of protocol checker in
application-level firewall
15
Frid
ay D
ecem
ber
7, 2
007
Some numbers
Over 100 publications in 4 years (>10 researchers involved)
3 PhD’s completed, more coming up (Co-)organization of >10 dissemination
events Project specific workshops International conferences and workshops
>5 spin-off projects with industrial partners Intensive contacts with >10 partners from user
group
16
Frid
ay D
ecem
ber
7, 2
007
III. Valorization
A number of results are applicable in practical settings C/C++ memory allocator Protocol checking for web applications SSE process comparison Library of analysis / tamper resistance techniques
National and international contact networksSeveral spin-of projects have been created
17
Frid
ay D
ecem
ber
7, 2
007
Some of the spin-off projects
Pecman BcryptEHIP II (possibly starting in 2008)
18
Frid
ay D
ecem
ber
7, 2
007
Pecman: Personal Content Management
Project summary A user-centric solution enabling uniform
storage and manipulation of personal data as well as universal access to this data
Security-specific expectations Security service bus: an
architectural approach for crosscutting security enforcement
User-level policies, and their translation to system-level policies
http://projects.ibbt.be/pecman
19
Frid
ay D
ecem
ber
7, 2
007
BCRYPT: Belgian Fundamental Research on Cryptology and Information Security
Project summary Interuniversity Attraction Pole (IAP)
Concrete expectations Fundamental research: discrete mathematics,
cryptographic algorithms and protocols, watermarking, secure software, and secure hardware.
Application areas: secure documents, ultra low power crypto for sensor networks, ambient intelligence and RFID, mobile terminals, DRM and trusted computing
https://www.cosic.esat.kuleuven.be/bcrypt/
20
Frid
ay D
ecem
ber
7, 2
007
Industry segments
System Integrators and consultants (software development on a project base)
Product development companies Traditional Embedded systems Telecom Other (boundaries are vague)
Other stakeholders in software applications: business owner, system manager
21
Frid
ay D
ecem
ber
7, 2
007
Upcoming events
December 18-19, 2007 Remote EnTrusting by RUn-time Software auThentication (RE-TRUST) - Workshop, Leuven
March 3-7, 2008 Secure Application Development course, Leuven
July 22, 2008 Advanced Applications for the Electronic Identity Card (ADAPID) – Workshop, Leuven
July 23-25, 2008 The 8th Privacy Enhancing Technologies Symposium (PETS 2008), Leuven
To be announced OWASP event on secure software development processes
22
Frid
ay D
ecem
ber
7, 2
007
IV. Outlook
Finalization headlinesProvably correct inliner Improvement of verification techniquesValidation of AOP permission systemSoProTo
• Extended analysis front-end• Self-encrypting code module
Opportunities for validation ?Incubation of SoBeNeT II (SEC SODA)
23
Frid
ay D
ecem
ber
7, 2
007
SECSODA
Stands for SECure of SOftware in Distributed Applications …
IWT SBO ProposalDue January 2008Project: 2008-2012
24
Frid
ay D
ecem
ber
7, 2
007
Research Themes
Programming and Composition TechnologySoftware Engineering 4 SecurityTamper and Analysis ResistanceVerification
Application case studiesExtensions of practical technologies and
methodologies (WS, SOA, .NET, …)mailto: {bartd, wouter}@cs.kuleuven.be
Frid
ay D
ecem
ber
7, 2
007
Thank you!
http://sobenet.cs.kuleuven.be/
Questions?
26
Frid
ay D
ecem
ber
7, 2
007
Agenda
16:00h Welcoming
16:10h Project overview and status
16:40h CLASP, SDL and TouchPoints compared
17:00h SoProTo – A software protection tool
17:20h Run-time enforcement of security policies on the .NET framework
17:40h Discussion and wrap-up
18:00h Drink
