SoBeNeT project: 5th User group meeting, 07/12/2007

Agenda

Overview
• Project context
• Overview of main results
• Valorization program
• Outlook on finalization

I. Context: project in a nutshell
• IWT SBO project (2003-2007)
• Extended until April 2008
• Context: availability of security components (still evolving but relatively mature)
• Goal: to enable the development of secure software applications
• 4 Research tracks:
  • Programming and Composition Technology
  • Software engineering – “full life cycle”
  • Tamper and analysis resistance
  • Shielding and interception

The project’s user group
• User group
  • Channel for direct feedback on the execution of the project
  • Primary audience for dissemination
  • Possible channel for validation and valorization
• Composition: 3E, Agfa, Alcatel, Application Engineers, Cryptomatic, EMC2, Inno.com, Johan Peeters bvba, Microsoft, L-SEC, NBB, OWASP-Belgium, Philips, PWC, Siemens, UZ Gasthuisberg, Zetes

II. Project status @ End of fourth project year
• Significant amount of results
• Academic:
  • scientific publications at all levels
  • several completed PhDs
  • involvement in national and international events
• Broader dissemination: workshops and courses
• Project execution is on schedule
  • Taking into account the project extension
  • Priorities were fine-tuned during execution
• Industrial validation:
  • Spin-off projects
  • Opportunities for feedback
• Continuous interest in practical validation!

Looking Back… Year 1
• Project support activities
• Vulnerability study and classification
• Inception of case studies
• Feasibility study of engineering application-level security with AOSD
• Study of techniques for tamper and analysis resistance
• Study of interception techniques

Headlines of Year 2
• Model for addressing code injection vulnerabilities
• Interrelations between point solutions in track I (Languages and composition)
  • E.g., security contracts as a language extension and a vehicle for reasoning on composition
• Focus on component frameworks
• Activating the software engineering track
  • Study activities (incl. workshops)
• Architecture for management and monitoring
• Survey of attack methods and options in application protocols
• First industrial validations

Headlines of Year 3
• Release of dnmalloc
• Support for different types of security contracts
  • CAS, data dependencies, concurrency
• Fine-tuning of modularized access control
• Study of AOP security implications
• Refinement of secure development process activities (leveraged, among others, by results of other tracks)
• Improved techniques for tamper and analysis resistance
• Security management and monitoring applied to the .Net platform

Headlines Y4: Track 1
• General model for security contracts (PhD)
• Language specification and static verification based on Spec#
• Access Control Interfaces (PhD)
• Security-tuned composition mechanism based on AOSD technology
• AOPS, a permission system for dealing with AOP risks
• Security architecture for third-party applications on mobile devices

Headlines Y4: Track 2
• In-depth study and comparison of SDL, CLASP and Touchpoints has resulted in the activity matrix
• Analysis and systematic support for security principles in process activities
• Towards automated transition from requirements -> architecture
• Survey of security patterns

Headlines Y4: Track 3
• New techniques and attacks
  • Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings [SAC 2007]
  • Remote attestation on legacy operating systems with trusted platform modules [REM 2007]
  • Software Security Through Targeted Diversification [CoBaSSA 2007]
• SoProTo - Software Protection Tool
  • White-box cryptography
  • Obfuscation transformations

Headlines Y4: Track 4
• Application protocol checker
• Integration of protocol checker in application-level firewall

Some numbers
• Over 100 publications in 4 years (>10 researchers involved)
• 3 PhDs completed, more coming up
• (Co-)organization of >10 dissemination events
  • Project-specific workshops
  • International conferences and workshops
• >5 spin-off projects with industrial partners
• Intensive contacts with >10 partners from user group

III. Valorization
• A number of results are applicable in practical settings
  • C/C++ memory allocator
  • Protocol checking for web applications
  • SSE process comparison
  • Library of analysis / tamper resistance techniques
• National and international contact networks
• Several spin-off projects have been created

Some of the spin-off projects
• Pecman
• Bcrypt
• EHIP II (possibly starting in 2008)

Pecman: Personal Content Management
• Project summary
  • A user-centric solution enabling uniform storage and manipulation of personal data as well as universal access to this data
• Security-specific expectations
  • Security service bus: an architectural approach for crosscutting security enforcement
  • User-level policies, and their translation to system-level policies
• http://projects.ibbt.be/pecman

BCRYPT: Belgian Fundamental Research on Cryptology and Information Security
• Project summary
  • Interuniversity Attraction Pole (IAP)
• Concrete expectations
  • Fundamental research: discrete mathematics, cryptographic algorithms and protocols, watermarking, secure software, and secure hardware
  • Application areas: secure documents, ultra low power crypto for sensor networks, ambient intelligence and RFID, mobile terminals, DRM and trusted computing
• https://www.cosic.esat.kuleuven.be/bcrypt/

Industry segments
• System Integrators and consultants (software development on a project base)
• Product development companies
  • Traditional Embedded systems
  • Telecom
  • Other
• (boundaries are vague)
• Other stakeholders in software applications: business owner, system manager

IV. Outlook
• Finalization headlines
  • Provably correct inliner
  • Improvement of verification techniques
  • Validation of AOP permission system
  • SoProTo
    • Extended analysis front-end
    • Self-encrypting code module
• Opportunities for validation?
• Incubation of SoBeNeT II (SEC SODA)

SECSODA
• Stands for SECure of SOftware in Distributed Applications …
• IWT SBO Proposal
  • Due January 2008
• Project: 2008-2012

Research Themes
• Programming and Composition Technology
• Software Engineering 4 Security
• Tamper and Analysis Resistance
• Verification
• Application case studies
• Extensions of practical technologies and methodologies (WS, SOA, .NET, …)

mailto: {bartd, wouter}@cs.kuleuven.be

Thank you!
http://sobenet.cs.kuleuven.be/
Questions?