1 / 25

SoBeNeT project 5 th User group meeting 07/12/2007

SoBeNeT project 5 th User group meeting 07/12/2007. Agenda. Overview. Project context Overview of main results Valorization program Outlook on finalization. I. Context: project in a nutshell. IWT SBO project (2003-2007) Extended until April 2008

ely
Download Presentation

SoBeNeT project 5 th User group meeting 07/12/2007

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SoBeNeT project 5th User group meeting07/12/2007

  2. Agenda

  3. Overview • Project context • Overview of main results • Valorization program • Outlook on finalization

  4. I. Context: project in a nutshell • IWT SBO project (2003-2007) • Extended until April 2008 • Context: availability of security components (still evolving but relatively mature) • Goal: to enable the development of secure software applications • 4 Research tracks: • Programming and Composition Technology • Software engineering – “full life cycle” • Tamper and analysis resistance • Shielding and interception

  5. 3E Agfa Alcatel Application Engineers Cryptomatic EMC2 Inno.com Johan Peeters bvba Microsoft L-SEC NBB OWASP-Belgium Philips PWC Siemens UZ Gasthuisberg Zetes The project’s user group • User group • Channel for direct feedback on the execution of the project • Primary audience for dissemination • Possible channel for validation and valorization • Composition:

  6. II. Project status@End of fourth project year • Significant amount of results • Academic: • scientific publications at all levels • several completed PhD’s • involvement in national and international events • Broader dissemination: workshops and courses • Project execution is on schedule • Taking into account the project extension • Priorities were fine-tuned during execution • Industrial validation: • Spin-off projects • Opportunities for feedback • Continuous interest in practical validation !

  7. Looking Back… Year 1 • Project support activities • Vulnerability study and classification • Inception of case studies • Feasibility study of engineering application-level security with AOSD • Study of techniques for tamper and analysis resistance • Study of interception techniques

  8. Headlines of Year 2 • Model for addressing code injection vulnerabilities • Interrelations between point solutions in track I (Languages and composition) • E.g., security contracts as a language extension and a vehicle for reasoning on composition • Focus on component frameworks • Activating the software engineering track • Study activities (incl. workshops) • Architecture for management and monitoring • Survey of attack methods and options in application protocols • First industrial validations

  9. Headlines of Year 3 • Release of dnmalloc • Support for different types of security contracts • CAS, data dependencies, concurrency • Fine-tuning of modularized access control • Study of AOP security implications • Refinement of secure development process activities (leveraged, among others, by results of other tracks) • Improved techniques for tamper and analysis resistance • Security management and monitoring applied to the .Net platform

  10. Headlines Y4: Track 1 • General model for security contracts (PhD) • Language specification and static verification based on Spec# • Access Control Interfaces (PhD) • Security-tuned composition mechanism based on AOSD technology • AOPS, a permission system for dealing with AOP risks • Security architecture for third-party applications on mobile devices

  11. Headlines Y4: Track 2 • In-depth study and comparison of SDL, CLASP and Touchpoints has resulted in the activity matrix • Analysis and systematic support for security principles in process activities • Towards automated transition from requirements -> architecture • Survey of security patterns

  12. Headlines Y4: Track 3 • New techniques and attacks • Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings [SAC 2007] • Remote attestation on legacy operating systems with trusted platform modules [REM 2007] • Software Security Through Targeted Diversification [CoBaSSA 2007] • SoProTo - Software Protection Tool • White-box cryptography • Obfuscation transformations

  13. Headlines Y4: Track 4 • Application protocol checker • Integration of protocol checker in application-level firewall

  14. Some numbers • Over 100 publications in 4 years (>10 researchers involved) • 3 PhD’s completed, more coming up • (Co-)organization of >10 dissemination events • Project specific workshops • International conferences and workshops • >5 spin-off projects with industrial partners • Intensive contacts with >10 partners from user group

  15. III. Valorization • A number of results are applicable in practical settings • C/C++ memory allocator • Protocol checking for web applications • SSE process comparison • Library of analysis / tamper resistance techniques • National and international contact networks • Several spin-of projects have been created

  16. Some of the spin-off projects • Pecman • Bcrypt • EHIP II (possibly starting in 2008)

  17. Pecman: Personal Content Management • Project summary • A user-centric solution enabling uniform storage and manipulation of personal data as well as universal access to this data • Security-specific expectations • Security service bus: an architectural approach for crosscutting security enforcement • User-level policies, and their translation to system-level policies • http://projects.ibbt.be/pecman

  18. BCRYPT: Belgian Fundamental Research on Cryptology and Information Security • Project summary • Interuniversity Attraction Pole (IAP) • Concrete expectations • Fundamental research:discrete mathematics, cryptographic algorithms and protocols, watermarking, secure software, and secure hardware. • Application areas: secure documents, ultra low power crypto for sensor networks, ambient intelligence and RFID, mobile terminals, DRM and trusted computing • https://www.cosic.esat.kuleuven.be/bcrypt/

  19. Industry segments • System Integrators and consultants (software development on a project base) • Product development companies • Traditional Embedded systems • Telecom • Other • (boundaries are vague) • Other stakeholders in software applications: business owner, system manager

  20. Upcoming events

  21. IV. Outlook • Finalization headlines • Provably correct inliner • Improvement of verification techniques • Validation of AOP permission system • SoProTo • Extended analysis front-end • Self-encrypting code module • Opportunities for validation ? • Incubation of SoBeNeT II (SEC SODA)

  22. SECSODA • Stands for SECure of SOftware in Distributed Applications … • IWT SBO Proposal • Due January 2008 • Project: 2008-2012

  23. Research Themes • Programming and Composition Technology • Software Engineering 4 Security • Tamper and Analysis Resistance • Verification • Application case studies • Extensions of practical technologies and methodologies (WS, SOA, .NET, …) • mailto: {bartd, wouter}@cs.kuleuven.be

  24. Thank you!http://sobenet.cs.kuleuven.be/ Questions?

  25. Agenda

More Related