
Yves Deswarte - French National Centre for Scientific Research
Publications: 151
Reads: 33,352
Citations: 4,140
Publications (151)
Colloquium INRIA, Rocquencourt (France), February 2004
Improving the security of computing systems embedded into commercial airplanes has become a major concern for the avionics industry. This paper deals with one of the techniques that can be applied to improve the security of such systems: vulnerability assessment. More precisely, this paper presents experiments carried out on an experimental embedde...
Embedded electronic components, so-called Electronic Control Units (ECUs), are nowadays a prominent part of a car's architecture. These ECUs, which monitor and control the different subsystems of a car, are interconnected through several gateways and compose the global internal network of the car. Moreover, modern cars are now able to communicate...
Virtualization techniques are at the heart of Cloud Computing, and these techniques add their own vulnerabilities to those traditional in any connected computer system. This paper presents an overview of such vulnerabilities, as well as possible counter-measures to cope with them.
<http://hal.archives-ouvertes.fr/hal-00761206>
Because security is becoming a major concern for aircraft manufacturers and satellite makers, vulnerability discovery and countermeasures should be integrated into onboard computing systems early during their development. Attacks against aerospace computer systems fall into two main classes. One aims to corrupt the computing system's core functions...
We present the AMORES project, which aims to provide an architecture for the provision of privacy preserving and resilient collaborative services in "mobiquitous" (i.e., mobile and ubiquitous) systems. The project is built around three use-cases from the area of public transportation: (1) dynamic carpooling, (2) real-time computation of multimodal...
Information such as security advisories, emergency recommendations, e-government information, etc., is unclassified, but its availability and integrity may be vital. Such data are intended to be made widely available and thus need to be accessible through open networks such as the Internet. The systems distributing this kind of information are usua...
A privacy-preserving identity card is a personal device that allows its owner to prove some binary statements about himself (such as his right of access to some resources or a property linked to his identity) while minimizing personal information leakage. After introducing the desirable properties that a privacy-preserving identity card shou...
In general, designing reasonable metrics for privacy quantification is a concern shared by several disciplines. This section focuses on technical and formal metrics. They can be distinguished according to purpose or use case, the available data, and the way results can be interpreted. The purpose of a privacy metric for protocols or communication systems...
Traditionally, software in avionics has been totally separated from open-world software, in order to avoid any interaction that could corrupt critical on-board systems. However, new aircraft generations need more interaction with off-board systems to offer extended services, which makes these information flows potentially dangerous. In a previous w...
The idea that diverse or dissimilar computations could be used to detect errors can be traced back to Dionysius Lardner's analysis of Babbage's mechanical computers in the early 19th century. In the modern era of electronic computers, diverse redundancy techniques were pioneered in the 1970s by Elmendorf, Randell, Avižienis and Chen. Since then, t...
For a few years now, attacks involving I/O controllers have been the subject of growing interest. Unlocking smartphones and game consoles through USB connections, or bypassing authentication through FireWire, are examples of such attacks. Our study focuses on I/O-based attacks targeting Intel PC-based information systems such as laptop or desktop co...
This paper presents the architecture of an authorization service proposed for composite operations involving many Internet partners. The main contributions of this paper are: (1) a scheme for access control systematically applied at the fine-grained level of each elementary operation, (2) a novel proof of authorization concept and flexible authoriz...
In critical infrastructures (CIs), different organizations must cooperate, while being mutually suspicious since they have different interests and can be in competition on some markets. Moreover, in most cases, there is no recognized authority that can impose global security rules to all participating organizations. In such a context, it is difficu...
This article deals with kernel security protection. We propose a characterization of malicious kernel-targeted actions, based on the way they act to corrupt the kernel. Then, we discuss security measures able to counter such attacks. We finally expose our approach based on hardware virtualization, which is partially implemented in our demonstra...
This paper analyzes the problem of checking the integrity of files stored on remote servers. Since servers are prone to successful attacks by malicious hackers, the result of simple integrity checks run on the servers cannot be trusted. Conversely, downloading the files from the server to the verifying host is impractical. Two solutions are propose...
With the emergence of Web Services-based collaborative systems, new issues arise, in particular those related to security. In this context, Web Service access control should be studied, specified and enforced. This work proposes a new access control framework for Inter-Organizational Web Services: "PolyOrBAC". On the one hand, the authors extend...
In this paper, we propose to replace the national identity card, currently used in many countries, by a personal device that allows its user to prove some binary statements about himself while minimizing personal information leakage. The privacy of the user is protected through the use of anonymous credentials that allow him to prove binary statement...
It is difficult to protect an operating system kernel in an efficient way. Attackers can corrupt or subvert it by two different means: (1) the CPU; (2) the Direct Memory Access (DMA) capability of I/O controllers. DMA-based attacks can be blocked using an I/OMMU. This component, embedded in most of current chipsets, enables the operating system to...
Converting a conventional contract to an electronic one that can be enforced, queried and verified by computers is a challenging task. The difficulties are mainly caused by the ambiguities that the original human oriented text is likely to contain. In this paper, we present new templates to specify the requirements of e-contracts, to securely check...
In this paper, we present two case studies identified for new aircraft generations in which bidirectional communications are carried between onboard and off-board computers. These two case studies deal respectively with flight parameter calculation and enhanced maintenance operations for future aircraft. We emphasize the safety and security challen...
Due to physical and logical vulnerabilities, a critical infrastructure (CI) can encounter failures of various degrees of severity, and since there are many interdependencies between CIs, simple failures can have dramatic consequences on the users. In this paper, we mainly focus on malicious threats that might affect the information and communicatio...
In this paper, we propose to replace the national identity card, currently used in many countries, by a personal device that allows its user to prove some binary statements about himself while minimizing personal information leakage. The privacy of the user is protected through the use of anonymous credentials which allows him to prove binary s...
Current systems providing anonymous interactive communication [15, 22] are based on networks of anonymity-providing relays called MIXes. An important issue with such systems is that a MIX is able to betray its users, and thus it is necessary to use several MIXes sequentially for each communication, which distributes the trust among them. This incre...
We present a case study in the avionics context, in which bidirectional information flows exist between critical components and less critical ones. These flows raise security and safety concerns that have to be taken into account to guarantee correct operation of the critical tasks. To allow upwards flows, we propose fault tolerance mechanisms base...
Ensuring safety in avionics has mostly been achieved through a complete separation between avionics software and open-world software, in order to avoid any interaction that could corrupt critical on-board systems. However, new aircraft generations need more interaction with off-board systems to offer extended services. The extent to which such inte...
Testing network-based security tools such as intrusion detection and prevention systems (IDS/IPS) differs from testing ordinary network tools (e.g., routers and switches). Basically, in addition to the parameters (such as bandwidth utilization, routing information and packets timing) that are important for network tools, security tools are more sen...
Nowadays, more and more information systems are connected to the Internet and offer Web interfaces to the general public or to a restricted set of users. Such openness makes them likely targets for intruders, and conventional protection techniques have been shown insufficient to prevent all intrusions in such open systems. This paper proposes a gen...
Software in avionics has always been totally separated from open-world software, in order to avoid any interaction that could corrupt critical on-board systems. However, new aircraft generations need more interaction with off-board systems to offer extended services, which makes these information flows potentially dangerous. In this paper, we prese...
Collaboration allows sharing, processing and exchanging large amounts of data between individuals as well as groups and organizations. In this context, security and access control are important issues that should be studied, specified and enforced. In this paper, we discuss the different approaches that address access control for cooperative system...
This paper identifies the most relevant security requirements for critical infrastructures (CIs), and according to these requirements, proposes an access control framework. The latter supports the CI security policy modeling and enforcement. Then, it proposes a runtime model checker for the interactions between the organizations forming the CIs, to...
Checking data possession in networked information systems such as those related to critical infrastructures (power facilities, airports, data vaults, defense systems, etc.) is a matter of crucial importance. Remote data possession checking protocols permit to check that a remote server can access an uncorrupted file in such a way that the verifier...
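The two abstracts on remote integrity checking and remote data possession both start from the same observation: a digest computed by the server itself proves nothing, because a compromised server can keep the digest and discard the file. The following is an added illustration of that observation and of the simplest challenge-response alternative (a verifier precomputes keyed digests under one-time nonces while it still holds the file); it is not code from any of the listed papers, and the file content, server classes and function names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample file (not taken from any of the listed papers).
FILE_CONTENT = b"advisory-2004-02: replace firmware image on gateway nodes before 2004-03-01\n" * 4


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def make_challenges(content: bytes, count: int = 8) -> list:
    """Verifier side, run once while the verifier still holds the file.

    Each entry is (nonce, HMAC(nonce, content)). The nonce is the HMAC key,
    so nothing can be precomputed by a party that does not know the nonce.
    The list is the verifier's only state; the file itself need not be kept.
    """
    challenges = []
    for _ in range(count):
        nonce = os.urandom(16)
        challenges.append((nonce, hmac.new(nonce, content, hashlib.sha256).digest()))
    return challenges


class HonestServer:
    """Stores the file and answers every challenge over the full content."""

    def __init__(self, content: bytes) -> None:
        self.content = content

    def plain_digest(self) -> bytes:
        return sha256(self.content)

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(nonce, self.content, hashlib.sha256).digest()


class HashOnlyServer:
    """Compromised server that discarded the file and kept only its SHA-256.

    Enough to satisfy a naive 'send me the hash' check, useless against a
    challenge whose key it learns only when the check runs.
    """

    def __init__(self, content: bytes) -> None:
        self.digest = sha256(content)

    def plain_digest(self) -> bytes:
        return self.digest

    def respond(self, nonce: bytes) -> bytes:
        # It cannot recompute anything over content it no longer has.
        return hmac.new(nonce, self.digest, hashlib.sha256).digest()


def naive_hash_check(server, reference_digest: bytes) -> bool:
    """The untrustworthy check: the server reports a digest it computed itself."""
    return hmac.compare_digest(server.plain_digest(), reference_digest)


def challenge_check(server, challenges: list) -> bool:
    """Spend one precomputed challenge. A nonce is never reused, otherwise a
    server could replay an answer recorded while the file was still intact."""
    if not challenges:
        raise RuntimeError("challenge list exhausted; recompute from a trusted copy")
    nonce, expected = challenges.pop()
    return hmac.compare_digest(server.respond(nonce), expected)


if __name__ == "__main__":
    reference = sha256(FILE_CONTENT)
    challenges = make_challenges(FILE_CONTENT)
    print("naive check, hash-only server:", naive_hash_check(HashOnlyServer(FILE_CONTENT), reference))
    print("challenge, honest server:     ", challenge_check(HonestServer(FILE_CONTENT), challenges))
    print("challenge, hash-only server:  ", challenge_check(HashOnlyServer(FILE_CONTENT), challenges))
    print("challenge, corrupted file:    ", challenge_check(HonestServer(FILE_CONTENT[:-1] + b"?"), challenges))
```

The cost of this simple form is that the number of checks is bounded by the number of challenges precomputed; once they are spent the verifier needs a trusted copy of the file again, which is the limitation that motivates the unbounded-challenge protocols these two abstracts go on to propose.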
With the massive surge of new malware, the intuitive detection techniques currently used in most security tools are ineffective. Consequently, we urgently need better solutions that are established on a solid theoretical basis. It thus becomes necessary to search for more efficient techniques and algorithms as well as taxonomies and models for at...
Among all the security issues in Voice over IP (VoIP) communications, one of the most difficult to achieve is traffic analysis resistance. Indeed, classical approaches provide a reasonable degree of security but induce large round-trip times that are incompatible with VoIP. In this paper, we describe some of the privacy and security issues derived...
In computer systems, commercial off-the-shelf (COTS) components offer extended functionalities for a reasonable cost, and consequently have an important economic advantage. However, such components are hard to integrate into critical systems because of the integrity requirements placed on such systems. To alleviate this problem, we consider the us...
Nowadays, systems are more and more open, distributed and collaborative. In this context, access control is an important issue that should be studied, specified and well enforced. This work proposes a new access control model for collaborative systems: "PolyOrBAC". On the one hand, we extend OrBAC (organization-based access control model) to specif...
To ameliorate the quality of protection provided by intrusion detection systems (IDS) we strongly need more effective evaluation and testing procedures. Evaluating an IDS against all known and unknown attacks is probably impossible. Nevertheless, a sensible selection of representative attacks is necessary to obtain an unbiased evaluation of such sy...
Honeypots are more and more used to collect data on malicious activities on the Internet and to better understand the strategies and techniques used by attackers to compromise target systems. Analysis and modeling methodologies are needed to support the characterization of attack processes based on the data collected from the honeypots. This paper...
In this chapter we discuss the susceptibility of critical information infrastructures to computer-borne attacks and faults, mainly due to their largely computerized nature, and to the pervasive interconnection of systems all over the world. We discuss how to overcome these problems and achieve resilience of critical information infrastructures, t...
This paper presents an overview of the current single-database private information retrieval (PIR) schemes and proposes to explore the usage of these protocols with statistical databases. The proximity of this research field to that of Oblivious Transfer, and the different performance measures used over the last few years, have resulted in re-dis...
The pervasive interconnection of systems throughout the world has given computer services a significant socioeconomic value that both accidental faults and malicious activity can affect. The classical approach to security has mostly consisted of trying to prevent bad things from happening, by developing systems without vulnerabilities, for example,...
This article proposes a new access control model for complex, heterogeneous, interoperable and distributed applications: "Multi-OrBAC" (for Multi-Organization-Based Access Control). This model makes it possible to specify, within a homogeneous framework, several security policies for heterogeneous organizations that must cooperate. The aim is...
This paper describes a new access control scheme for distributed object-oriented systems. This scheme defines new access rights, called symbolic rights that control the authorization to perform high level operations involving several objects. We present these new access rights and give an example of their usefulness.
This article presents the European PRIME project, with its objectives, its lines of research and the expected results.
This paper presents an overview of the current and next solutions for privacy protection on the Internet. We highlight five categories of Privacy Enhancing Technologies (PETs). First, we introduce the multiple virtual identities that can represent a person, and the way the person can manage them. Then, we focus on the untraceability problem, which...
The Internet has become essential to most enterprises and many private individuals. However, both the network and computer systems connected to it are still too vulnerable and attacks are becoming evermore frequent. To face this situation, traditional security techniques are insufficient and fault-tolerance techniques are becoming increasingly cost...
Privacy is extremely important in healthcare systems. Unfortunately, most of the solutions already deployed are developed empirically. After discussing some of such existing solutions, this paper describes an analytic and generic approach to protect personal data by anonymization. This approach is then applied to some representative scenarios. The...
Current systems providing anonymous communication with low latency are based on relay-networks. Since a single relay can betray its users, it is necessary to use several relays for each communication which distributes the trust among them. This increases the complexity of the protocols as well as the latency, and lowers the throughput to the one of...
The CADHo project (Collection and Analysis of Data from Honeypots) is an ongoing research action funded by the French ACI "Sécurité & Informatique" [1]. It aims at building an environment to better understand threats on the Internet and also at providing models to analyze the observed phenomena. Our approach consists in deploying and sharing with...
Nowadays, more and more applications use sensitive and personal information, and preserving citizens' privacy is becoming extremely important. Addressing this issue, this paper suggests a rigorous approach to define data anonymization requirements, as well as how to characterize, select and build anonymizing solutions. This approach is illustrated...
MIXes are routers that accept packets until their buffers are full, and then send them to the recipients hiding the link (usually through reencryption and rearrangement) between incoming and outgoing packets. MIXes and their variants are used today to provide untraceable communication with systems such as TOR, and they have been a major issue of re...
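The abstract above names the three ingredients of a MIX: batching until the buffer is full, removing one encryption layer, and rearranging the batch before forwarding, so that an observer of one relay cannot link an incoming packet to an outgoing one. The following simulation of a cascade of threshold MIXes is an added example, not code from the listed paper or from any deployed MIX system. Its per-hop "encryption" is a toy XOR keystream derived with SHA-256 (an assumption standing in for the real per-mix encryption); the fixed cell size, the hop keys and the message names are constructed for the example.

```python
import hashlib
import random
import secrets

CELL_LEN = 32   # fixed payload size: length must not link an input to an output
IV_LEN = 8


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, data: bytes) -> bytes:
    """One encryption layer: fresh IV, XOR with a SHA-256 counter keystream.
    Assumption: a toy stand-in for the per-mix encryption of a real MIX
    network; the batching and rearrangement logic does not depend on it."""
    iv = secrets.token_bytes(IV_LEN)
    return iv + xor(keystream(key + iv, len(data)), data)


def unwrap(key: bytes, blob: bytes) -> bytes:
    iv, body = blob[:IV_LEN], blob[IV_LEN:]
    return xor(keystream(key + iv, len(body)), body)


def pad(msg: bytes) -> bytes:
    if len(msg) >= CELL_LEN:
        raise ValueError("message too long for one cell")
    return bytes([len(msg)]) + msg + bytes(CELL_LEN - 1 - len(msg))


def unpad(cell: bytes) -> bytes:
    return cell[1:1 + cell[0]]


def onion(keys: list, msg: bytes) -> bytes:
    """Sender: wrap for the last mix first, so each mix peels exactly one layer."""
    cell = pad(msg)
    for key in reversed(keys):
        cell = wrap(key, cell)
    return cell


class Mix:
    """Threshold MIX: peel one layer, hold cells until `threshold` have
    arrived, then emit the whole batch in a random order."""

    def __init__(self, key: bytes, threshold: int, rng: random.Random) -> None:
        self.key, self.threshold, self.rng = key, threshold, rng
        self.buffer = []

    def receive(self, cell: bytes) -> list:
        self.buffer.append(unwrap(self.key, cell))
        if len(self.buffer) < self.threshold:
            return []                      # nothing leaves until the buffer is full
        batch, self.buffer = self.buffer, []
        self.rng.shuffle(batch)            # the rearrangement that hides the link
        return batch


def make_cascade(keys: list, threshold: int, seed=None) -> list:
    return [Mix(k, threshold, random.Random(seed)) for k in keys]


def run_cascade(mixes: list, cells: list) -> list:
    """Feed cells through the mixes in order; whatever a mix flushes is
    forwarded to the next. Returns the plaintexts that left the last mix."""
    pending = cells
    for mix in mixes:
        flushed = []
        for cell in pending:
            flushed.extend(mix.receive(cell))
        pending = flushed
    return [unpad(c) for c in pending]


if __name__ == "__main__":
    keys = [b"mix-1-key", b"mix-2-key", b"mix-3-key"]          # constructed hop keys
    msgs = [b"alpha", b"bravo", b"charlie", b"delta"]            # constructed sample traffic
    print(run_cascade(make_cascade(keys, threshold=4), [onion(keys, m) for m in msgs]))
```

Two properties of the abstract are visible in the code: a single mix learns nothing beyond the batch it shuffled, but it could still record its own input/output permutation and betray its users, which is why the sender layers one key per mix and the cells traverse all of them in sequence; and the batching that buys unlinkability is exactly what adds latency, the trade-off the low-latency abstracts on this page set out to reduce.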
Nowadays, more and more applications use sensitive and personal information. Subsequently, hiding identities and respecting citizens' privacy are becoming extremely important. Dedicated to this issue, this paper is organized as follows: after defining the topic through an example of collaborative complex and heterogeneous system, this paper analyze...
Abstract This article presents work carried out in the MP6 project. It shows how, given the sensitivity of the information handled, Health and Social Information and Communication Systems (SICSS) can be coveted by malicious individuals. The objectives of MP6 are then presented in the face of the crucial need for securi...
This paper proposes a security model which is generic enough to cover all the diversity of Health Care Computing and Communication Systems (HCCS). One of the aims of this model is to facilitate the HCCS interoperability, with a sufficient flexibility to take into account any improvement or change in the security policy. This model achieves a good c...
Security and reliability issues in distributed systems have been investigated for several years at LAAS using a technique called Fragmentation-Redundancy-Scattering (FRS). The aim of FRS is to tolerate both accidental and intentional faults: the core idea consists in fragmenting confidential information in order to produce insignificant fragments a...
Nowadays, more and more applications use sensitive and personal information. Subsequently, respecting citizens' privacy is becoming extremely important. Dedicated to this issue, this paper suggests a rigorous approach to define anonymization requirements, as well as how to characterize, select and build solutions. Afterwards, a new generic procedur...
Abstract The anonymization of the identities of persons appearing in computerized files, in particular when these contain sensitive information that may infringe on privacy, is a major current concern. The study of anonymization techniques that we present here is organized as follows: after defining the probl...
In Private Information Retrieval (PIR), a user obtains one of N records from a server, without the server learning which record was requested. Recent research in "practical PIR" has limited the players to the user and server and limited the user's work to negotiating a session key (e.g., as in SSL), but then added a secure coprocessor to the server an...
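The definition in the first sentence is easiest to see in the smallest construction that satisfies it, the two-server XOR scheme, which goes beyond the single-database setting this abstract surveys: two non-colluding replicas each receive a uniformly random selection vector, and the two vectors differ only at the wanted index. The following is an added example, not code from the listed paper; the database contents, the `Server` class and the function names are constructed for it.

```python
import secrets

RECORD_LEN = 16

# Constructed sample database of fixed-size records (not from the page).
DATABASE = [f"record-{i:02d}".encode().ljust(RECORD_LEN, b".") for i in range(8)]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pir_queries(n: int, index: int) -> tuple:
    """Client: q0 is uniformly random over {0,1}^n, q1 is q0 with bit `index`
    flipped. Each vector on its own is uniformly random, so a single server
    learns nothing about `index`; only the pair reveals it."""
    q0 = [secrets.randbelow(2) for _ in range(n)]
    q1 = q0[:]
    q1[index] ^= 1
    return q0, q1


def pir_answer(database: list, query: list) -> bytes:
    """Server: XOR of every record whose query bit is set. Work is linear in
    the database size whatever the client asked for, which is the cost the
    secure-coprocessor 'practical PIR' line of work tries to avoid."""
    acc = bytes(RECORD_LEN)
    for record, bit in zip(database, query):
        if bit:
            acc = xor(acc, record)
    return acc


class Server:
    """Holds a replica of the database and logs the queries it sees."""

    def __init__(self, database: list) -> None:
        self.database = database
        self.seen = []

    def answer(self, query: list) -> bytes:
        self.seen.append(query)
        return pir_answer(self.database, query)


def pir_retrieve(server_a: Server, server_b: Server, index: int) -> bytes:
    """Client: the two answers differ only in record `index`, so their XOR is
    that record. Privacy assumes the two servers do not share their queries."""
    q0, q1 = pir_queries(len(server_a.database), index)
    return xor(server_a.answer(q0), server_b.answer(q1))


def colluding_view(server_a: Server, server_b: Server) -> list:
    """What two colluding servers recover from their logs: the flipped position
    of each query pair, i.e. exactly the index the client wanted hidden."""
    return [next(i for i, (x, y) in enumerate(zip(qa, qb)) if x != y)
            for qa, qb in zip(server_a.seen, server_b.seen)]


if __name__ == "__main__":
    a, b = Server(DATABASE), Server(DATABASE)
    print(pir_retrieve(a, b, 5))
    print("colluding servers learn:", colluding_view(a, b))
```

The single-database schemes the abstract surveys remove the non-collusion assumption by replacing the second replica with a computational assumption or, in the "practical PIR" line, with a secure coprocessor trusted not to leak the index to the host.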
This paper presents a new technique for anonymizing personal data for studies in which the real name of the person has to be hidden. Firstly, the privacy problem is introduced and a set of related terminology is then presented. Then, we suggest a rigorous approach to define anonymization requirements, as well as how to characterize, select and buil...
None of the classical access control models such as DAC, MAC, RBAC, TBAC or TMAC is fully satisfactory to model security policies that are not restricted to static permissions but also include contextual rules related to permissions, prohibitions, obligations and recommendations. This is typically the case of security policies that apply to the hea...
We describe a general architecture for intrusion-tolerant enterprise systems and the implementation of an intrusion-tolerant Web server as a specific instance. The architecture comprises functionally redundant COTS servers running on diverse operating systems and platforms, hardened intrusion-tolerance proxies that mediate client requests and verif...
The Dependable Intrusion Tolerance (DIT) architecture is a flexible, adaptive, and intrusion-tolerant server design. We briefly discuss its prototype implementation and validation, and demonstrate how it resists sample attacks.
Health Care Computing and Communication Systems (HCCS) are characterized by the complexity of the organizations to take into account and the richness of properties that are required. To address this complexity and richness, we propose a security policy based on roles, groups of objects and context. Indeed, similarly to roles that structure the subj...
None of the classical access control models such as DAC, MAC, RBAC, TBAC or TMAC is fully satisfactory to model security policies that are not restricted to static permissions but also include contextual rules related to permissions, prohibitions, obligations and recommendations. This is typically the case of security policies that apply to the h...
This paper describes a generic architecture for intrusion tolerant Internet servers. It aims to build systems that are able to survive attacks in the context of an open network such as the Internet. To do so, the design is based on fault tolerance techniques, in particular redundancy and diversification. These techniques give a system the additiona...
means in particular that these specifications should no longer be probabilistic (unless the service itself is probabilistic, e.g., for a coin flipping protocol). We have defined abstract specifications for two initial examples: secure point-to-point channels, in both the synchronous and the asynchronous timing model, and certified mail. We were ind...
[Slides; only the extracted slide text survives] A single fault generates different errors on different replicas: internal hardware fault, identical copies; external hardware fault, similar copies; design fault or interaction fault, diversified copies. Recovery approaches: on-line model checking; backward recovery; forward recovery; compensation-based recovery (fault masking).
This document describes MAFTIA authorisation services and how they will be implemented in the MAFTIA architecture. The authorisation services implement a fine grain protection, i.e., capable of protecting each object method invocation, in order to satisfy as much as possible the least privilege principle and to obtain the best protection efficacy....
[Slides; only the extracted slide text survives] Dependability attributes: availability, reliability, safety, confidentiality, integrity, maintainability (with respect to authorized actions; are these attributes sufficient?). Impairments: fault, error, failure. Means: fault prevention, fault tolerance, fault removal, fault forecasting. Security properties: confidentiali...
This paper presents an authorization scheme for applications distributed on the Internet with two levels of access control: a global level, implemented through a fault- and intrusion-tolerant authorization server, and a local level implemented as a security kernel located on both the local host Java Virtual Machine (JVM) and on a Java Card connecte...
The purpose of the multilevel integrity mechanisms of the GUARDS architecture is to protect critical components from the propagation of errors due to residual design faults in less-critical components. The notions of multiple integrity levels and multiple criticality levels are very tightly linked, but there is an important distinction. Integrity l...
This document constitutes the first deliverable of MAFTIA work package. The objective of this work package is to define a consistent framework for ensuring the dependability of distributed applications in the face of a wide class of threats. In particular, the aim is to develop a coherent set of concepts for an architecture that can tolerate delibe...
This paper describes a new approach for security in open distributed systems. This approach is currently developed in the framework of the Delta 4 project. After a few reminders about two existing distributed security architectures, the proposed "intrusion-tolerant" approach is specified. It is based on a fragmentation-scattering technique applied...