i minds2009 secure and distributed software prof wouter joosen (ibbt distrinet ku leuven)
DESCRIPTION
TRANSCRIPT
Secure and Distributed
Software
Wouter Joosen, IBBT-DistriNet
Context
Rapid growth of the Internet:
“not just network applications but
distributed software with
new and complex applications crossing the boundaries
of organisations…”
Hence a boom of
security challenges.....
(focus of this talk)
Mission
“To be a one stop
shop for security
research”
Cryptography
Secure
Programming
Languages
Security Middleware
Privacy
Risk
Management
Watermarking
Secure
D
evelo
pm
ent
DRM
Biometric
Expertise (1/2)
Secure programming languages (Piessens, Joosen)
Security middleware and component frameworks (Piessens, Desmet, Joosen)
Secure development process (Scandariato, Joosen)
Security monitoring and management (Huygens, Joosen)
Security for computer networks and pervasive systems (Verbaeten, Huygens, Preneel, Verbauwhede)
Security for ad-hoc and wireless networks (Preneel, Verbauwhede)
Privacy enhancing technologies, identity management (De Decker, Preneel)
Cryptographic software and software obfuscation (Piessens, Preneel)
Cryptographic hardware and embedded systems (Verbauwhede, Preneel, Rijmen)
Document security, watermarking and perceptual hashing (Preneel)
Trusted computing (Verbauwhede, Preneel)
Expertise (2/2)
Cryptographic algorithms and protocols, foundations of cryptography and
provable security (Rijmen, Preneel)
Risk management (Huygens)
Authorisation technologies (Piessens, Joosen, Desmet)
Secure System Software (Piessens, Joosen)
HW implementation of DRM, watermarking and perceptual hashing (Verbauwhede, Preneel)
Side-channel attacks and countermeasures (Verbauwhede, Rijmen, Preneel)
Embedded biometry (Verbauwhede, Tuyls)
Security for RFID’s, smart-cards, sensor nodes (Verbauwhede, Batina, Preneel)
Evaluation of system security, including requirements, security
architectures, software, hardware, cryptographic libraries and smart cards (All)
Relevance
Thus a continuous “stream” of human
capital can enter the labour market
Resulting in a competitive education
in a European context
Tradition in Flanders: security
companies have flourished
In addition, society urgently
needs solutions – e.g. privacy
Evolution and Trends
Systems and applications of growing scale, heterogeneity and
pervasiveness ... “Towards the Internet of Things”
Loosely-coupled ecosystems of services, multi-tenant systems, outsourced deployment, Software as a Service
(SaaS).
High frequency of change – dynamic adaptations are required.
Support for long term evolution
“All these trends impose challenges for the development and
deployment of software and systems,
the challenge of securing these co-evolves with these trends....”
From the FP7 Work Programme: ”Technology and Tools for Trustworthy ICT”
In highly distributed networked process control systems and in
networks of very high number of things. Understanding threat patterns
for pro-active protection.
For user-centric and privacy preserving identity management,
including for management of risks and policy compliance verification.
For management and assurance of security, integrity and availability,
also at very long term, of data and knowledge in business processes
and services.
For assurance and assessment of the trustworthiness of complex and
continuously evolving software systems and services.
In enabling technologies for trustworthy ICT. This includes
cryptography, biometrics; trustworthy communication; virtualisation;
and certification methodologies.
9
Security Team: 9 professors, 80 researchers
Prof. Bart Preneel
Prof. Vincent Rijmen
Prof. Ingrid Verbauwhede
7 postdocs
40+ doctoral students
Prof. Dave Clarke
Prof. Bart De Decker
Prof. Christophe Huygens
Prof. Wouter Joosen
Prof. Frank Piessens
5 postdocs
30+ doctoral students
Illustration
AES [Open Competition1997-2001]
PeCMan [IBBT] 2007-2009
Secure Change [FP7] 2009-2012
Turbine [FP7] 2008-2011
S3MS [FP6+] 2006-2009
TAS3
[FP7] 2008-2011
HATS
[FP7] 2009-2013
Cryptographic algorithms: Rijndael/AES
Key S
chedule
round
. . . . .
round
round
round
S S S S S S S S S S S S S S S S
S S S S S S S S S S S S S S S S MixColumns MixColumns MixColumns MixColumns
key length: 16/24/32 bytes
block length:
Rijndael: 16/24/32 bytes
AES: 16 bytes
From 2009 onwards all Intel
processors will have a hardware AES implementation
S3MS: Security of Software and Services for Mobile Systems
FP6 STREP and beyond
Objective:
creation of framework and technological solutions for secure deployment and execution of mobile
applications
Outcomes:
Definition of the Security by Contract (SxC) paradigm
Java ME and .NET CF realizations of all the necessary supporting technologies for SxC
S3MS: Security by contract in a nutshell
Turbine: Innovative Digital Identity Solutions
TURBINE aims to develop innovative digital identity solutions, combining:
secure, automatic user identification thanks to electronic fingerprint authentication
reliable protection of the biometrics data through advanced cryptography technology.
Research efforts focus on transformation of a description of fingerprints, so that the result can only be re-generated by the person with the fingerprints.
Name: SMITH
Date of birth: .....
Identity managed by issuance
State, including biometrics,
certificates & data protection
mechanism
Mr SMITH + ID1 + I0I 0II I0I 0II II0 00II 0I
ID2 + I0I I0I II0 I0I II0 I0I0 I0
ID3 + II0 0II 0II I0I I0I 0II0 I0 .....
Identities are not invertible
PecMan: Introducing Security Service Bus
Security Service Bus Manager Service
Application Binding
Application Binding
Application Binding
Authorization & Attribute Requests
Authorization Service
(XACML)
Authorization & Attribute Requests
PeCMan
Client
Client
PeCMan
Client
Client
PeCMan
Server 3rd Party
Service
Middleware platform 1
PeCMan Server 1
Metadata
Service 3rd Party
Service
Middleware platform 2
PeCMan Server 2
PecMan: An Open Deployment Architecture
AZN Server
PDP 1
3P PIP Metadata
PIP
Metadata
PEP
3P PIP
MP1 PEP
3P PEP
PDP 2
TAS3
TAS3 focuses on federated identity management
TAS3 consolidates scattered research inSecurity, Trust,
Privacy, Digital identities, Authorization, Authentication…
TAS3 integrates adaptive business-driven end2end Trust
Services based on personal information:Semantic integration
of Security, Trust, Privacy components
TAS3 provides dynamic view on application-level end2end
exchange of personal data:Distributed data repositories
TAS3
Trusted
Employability
Platform
Employability
Repository
Employability
Portfolio
Schools
Universities
Public
Employment Services Social
Network
Social
Security Services
Certification
Services
Employability
Service Providers
Private
Employment Services
Training
Institutes
Companies
HATS: Advanced software validation tools
Advanced software validation tools need rigorous
and unambiguous models
Abstract Behavioural Specification Language
Adaptability concerns drive its design
Formalises successful SWPF development method
Behavioural model: concurrency, composability,
modularity, deployment
Abstract away from programming languages, system
architecture
Parameter
space
HATS: Scaling Formal Methods to Adaptable Systems
Software Family
ABS Modeling
Language
models
Domain Feature model
describes
variability
System derivation
& customization
System Product
spatial
variability
temporal
evolution
models Existing Formal Methods SPEC#, JML, UML, OCL, State
Diagrams, ...
Secure Change: Lifelong Development Cycle
4 Research Programs for ICT Security
Embedded Security
Privacy and Identity Management
Secure Software: support at the implementation level
Security Engineering: support throughout the software/hardware engineering
process
Obvious collaborations
Enabling technologies
Application domains
Industrial collaboration
Europe
Flanders
2019 WILL BRING...
THANK YOU