110 likes | 125 Views
Discover software flaws through precise logic examination and examine feature interactions. Explore implementation of VoIP and web-based systems, with focus on security. Research access control methods and develop new paradigms.
E N D
Luigi LogrippoSITE Logic and implementation issues in VoIP and security luigi@site.uottawa.ca
Two main ideas • Many software flaws can be discovered by making the logic precise and thoroughly examining it by the use of logic tools • Feature interactions are the result of logic flaws • Application areas: • Security • New VoIP and Web based systems • Many others
Feature Interaction in Automotive • Electronic Stability Program (ESP) and Cruise Control (CC) • ESP: Break if wheels slip on wet road • CC: Increase speed until cruise speed is reached • FI detectable by the fact that the two features have contradicting requirements
Feature interaction in security • Bell-LaPadula information protection system prevents individuals from accessing information at a higher clearance level than they have • By using delegation, individuals can confer their information access authority to other individuals
Research directions • Implementation of VoIP and Web-based services with complex functionalities • Development of logic-based methods to discover flaws in these functionalities
Already done • Implementation of two open-source SIP VoIP systems • Vocal, Asterix • Implementation study of new complex functionalities, mainly presence-based features
Forthcoming • Implementation of presence features in our SIP telephony systems • Study of security aspects related to these functionalities
Already done • In-depth study of the Feature Interaction problem in telecom systems (over 12 years of experience) • Feature Interactions can lead to security flaws
Forthcoming • Study of feature interactions in new complex VoIP functionalities • Such as presence
Already done • Study of access control methods: • Firewalls • Access control languages such as XACML • Development of new access control paradigms: • Process-based access control • Shown that logic flaws in the specifications of such systems can lead to security flaws
Forthcoming • Generalizing this research, by applying our method to other access control systems • Extension to business control languages such as BPEL and variations • Extensions to SLAs (Service-Level Agreements)