The Center for Education and Research in Information Assurance and Security (CERIAS)

Reports and Papers Archive


Audlib: a configurable, high-fidelity application audit mechanism

Benjamin A. Kuperman, Eugene H. Spafford

In this paper, we introduce Audlib, an extendable tool for generating security-relevant information on Unix systems. Audlib is a wrapper environment that generates application level audit information from existing executable programs. Audlib is not a detection system; instead, it is designed to supplement existing audit systems and work transparently with them. Audlib records information that is not presently available from existing kernel-level audit sources. Here, we describe the design of the Audlib framework and the information it provides. We compare auditing the actions of a web server with Audlib to existing kernel audit sources and show that we have 2–4 times the throughput of Linux auditd and less than half the performance overhead of Solaris BSM while collecting detailed information about the server’s execution. Although Audlib is focused on recording security information, this technique can be used to collect data for a wide variety of purposes including profiling, dependency analysis, and debugging. Copyright © 2010 John Wiley & Sons, Ltd.

Added 2014-10-31

Reverse-safe authentication protocol for secure USB memories

Kyungroul Lee, Kangbin Yim, and Eugene H. Spafford

USB memory devices are both portable and easily accessible, and have thus become one of the most popular forms of external storage device. However, if a USB device is lost, stolen, or hacked, it may lead to leakage of critical information. It is a logical outcome that malicious individuals will try to steal their colleagues’ USB memories. Consequently, various USB products with built-in security functions have been developed. To our knowledge, there has been little or no security analysis and comparison of these devices. This paper explores technological and architectural approaches to secure USB memories while analyzing their vulnerabilities, especially for resistance to reverse engineering attacks on the authentication protocols and data decryption. In this analysis, we classify vulnerabilities of these devices into 12 categories to summarize the current security situations on USB memories. Additionally, we derive a more secure authentication protocol based on our analysis. It is expected for secure USB products, including USB memory devices, to be revised with enhanced authentication protocols as a result of this effort. Copyright © 2012 John Wiley & Sons, Ltd.

Added 2014-10-31

Future Biometric Systems and Privacy

Shimon Modi and Eugene H. Spafford
Added 2014-10-31

New ventures help developers in fight against security flaws

Eugene H. Spafford

Two new ventures are aimed at helping web and software developers reduce the number of security vulnerabilities in their software.

The Interpolique framework from Recursion Ventures – set up by Dan Kaminsky, Michael Tiffany and Henry Bar-Levav – aims to help web developers eliminate vulnerabilities to SQL injection and cross-site scripting attacks.

A key method is to convert input from users into Base64, which means that any code or SQL instructions added by users cannot be executed. The framework also includes an extension to MySQL to decode the Base64 strings.

At the moment, the framework is experimental and Recursion is seeking feedback. In the meantime, Kaminsky has suggested using stored procedures or prepared SQL statements as a first line of defence. More info at:

Meanwhile, Veracode has updated its SecurityReview cloud-based application-security-testing service that allows developers to upload code and get back information about vulnerabilities and suggestions for fixing the problems. The new version offers additional APIs and reference integrations that support popular Java, .Net, C/C++, ColdFusion and PHP development environments.

Added 2014-10-31

USACM's policy role

Eugene H. Spafford
Added 2014-10-31

A distributed requirements management framework for legal compliance and accountability

Travis D. Breaux, Annie I. Antón, Eugene H. Spafford

Increasingly, new regulations are governing organizations and their information systems. Individuals responsible for ensuring legal compliance and accountability currently lack sufficient guidance and support to manage their legal obligations within relevant information systems. While software controls provide assurances that business processes adhere to specific requirements, such as those derived from government regulations, there is little support to manage these requirements and their relationships to various policies and regulations. We propose a requirements management framework that enables executives, business managers, software developers and auditors to distribute legal obligations across business units and/or personnel with different roles and technical capabilities. This framework improves accountability by integrating traceability throughout the policy and requirements lifecycle. We illustrate the framework within the context of a concrete healthcare scenario in which obligations incurred from the Health Insurance Portability and Accountability Act (HIPAA) are delegated and refined into software requirements. Additionally, we show how auditing mechanisms can be integrated into the framework and how auditors can certify that specific chains of delegation and refinement decisions comply with government regulations.

Added 2014-10-31

Data for Cybersecurity Research: Process and “Wish List”

Jean Camp, Lorrie Cranor, Nick Feamster, Joan Feigenbaum, Stephanie Forrest, Dave Kotz, Wenke Lee, P

This document identifies data needs of the security research community. This document is in response to a request for a “data wish list”. Because specific data needs will evolve in conjunction with evolving threats and research problems, we augment the wish list with commentary about some of the broader issues for data usage. We divide this document into two parts. Section 1 provides background on data collection as often practiced today and a few of its uses. Section 2 identifies the need for a process for ongoing data sharing with the research community, and then provides the wish list itself.

Added 2014-10-31

Planning and Integrating Deception into Computer Security Defenses

CERIAS TR 2014-7
Mohammed H. Almeshekah and Eugene H. Spafford
Download: PDF

Deceptive techniques played a prominent role in many human conflicts throughout history. Digital conflicts are no different as the use of deception has found its way to computing since at least the 1980s. However, many computer defenses that use deception were ad-hoc attempts to incorporate deceptive elements in them. In this paper, we present a model that can be used to plan and integrate deception in computer security defenses. We present an overview of why deception fundamentally works and what are the essential principles in using such techniques. We investigate the unique advantages deception-based mechanisms bring to traditional computer security defenses. Furthermore, we show how our model can be used to incorporate deception to many parts of computer systems and discuss how we can use such techniques effectively. A successful deception should present plausible alternative(s) to the truth and these should be designed to exploit specific adversaries’ biases. We investigate these biases and discuss how they can be used by presenting a number of examples.

Added 2014-10-31

USACM and U.S. Legislation

Eugene H. Spafford

When confronted with an issue, someone with a computing background typically gathers data, applies a decision algorithm, and makes a definitive choice. We are, after all, dealing with ones and zeroes on a daily basis!

Real-life policy choices are not quite that simple, however, especially those with political aspects. A policy choice often includes considerations about consistency with past choices (and laws), philosophical positions about the role of government, economic consequences, reputation and image, timing, and other factors that seldom present a single, obvious choice. Furthermore, choices are compounded by political considerations (especially near election seasons), and by simple ignorance (for example, the late Sen. Ted Stevens’ description of the Internet as a “series of tubes”). The way these choices and priorities are mixed often results in outcomes that perplex—and possibly enrage—observers.

One recent example was the controversy over the Stop Online Piracy Act (SOPA) and its companion Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act (the PROTECT IP Act, or PIPA). In late 2011, people throughout the U.S. (and elsewhere) grew concerned about these proposed laws, with particular attention focused on SOPA. They feared the legislative language would inappropriately allow authorities to shut down whole domains and penalize fair use of copyrighted materials, among other possible results. An online protest grew, eventually resulting in a massive online “blackout” on January 18, 2012.

ACM’s U.S. Public Policy Council (USACM) was involved in this issue well before the blackout. USACM’s mandate is to help policymakers understand the computing-related aspects of their activities. We are uniquely positioned for this task because ACM is a non-partisan, professional organization devoted to computing. USACM focuses on the technical issues of computing, while acknowledging there are often more factors involved in policy. Thus, our usual mode of operation is to provide education and background on issues, although we sometimes take an advocacy position.

It was clear that SOPA (and PIPA) could result in adverse effects for some Internet users—a point not lost on some legislators. However, they also believed other factors outweighed or mitigated these risks. Three of these were specifically presented to USACM during our discussions about this legislation:

There are millions of people in the U.S. whose jobs, directly or indirectly, depend on intellectual property protection and licensing. Pension funds and investors hold significant equity positions in companies that depend on intellectual property. New and existing companies (including many not in the entertainment industry) depend on intellectual property protections to compete in the international marketplace.

As an international issue, the U.S. lacks legal jurisdiction where the most egregious violations originate. Some of the host nations have agendas that include the weakening or destruction of the U.S. economy, thus this activity is tolerated. Some governments have close ties to the criminal elements involved and will not take action. Others are resource-constrained and unable to mount investigations and prosecutions.

Most legal systems depend on discretion. Everything from deciding whether someone should get a speeding ticket to capital murder cases depends on some amount of discretion and expenditure of resources.

USACM did not address any of those concerns. Instead, we focused on the proposed legislation’s technical aspects. Members of USACM provided briefings to Congressional staff and others about the ramifications should the legislation be passed. We also submitted formal statements to legislators in both the House and the Senate, with particular emphasis on how the proposed legislation could damage the deployment of the DNS Security Extensions (DNSSEC). In mid-January, one senior staff member told us that our private meeting gave them the first true understanding of how DNS and DNSSEC worked, and thus why the legislation was problematic.

The combination of technical problems and political pressure was overwhelming; the bills were eventually withdrawn by their sponsors for further consideration. Some in the Internet community viewed this as a victory, but it will be fleeting: the underlying problems of intellectual property violations and fraud continue. Thus, we expect ongoing pressure for some legislative proposals.

The computing community must continue to be involved in the process to ensure that all such legislation is technically sound and consistent with our vision of computing. It involves being sensitive to the nuances and factors that influence policy beyond simply our own narrow interests, and continuing to provide expert technical advice. It may be confusing, but it is not impossible.

Added 2014-10-30

Improved kernel security through memory layout randomization

Spafford, E.H.; Stanley, D.M.; Xu, Dongyan

The vast majority of hosts on the Internet, including mobile clients, are running on one of three major operating system families. Malicious operating system kernel software, such as the code introduced by a kernel rootkit, is strongly dependent on the organization of the victim operating system. Due to the lack of diversity of operating systems, attackers can craft a single kernel exploit that has the potential to infect millions of hosts. If the underlying structure of vulnerable operating system components has been changed, in an unpredictable manner, then attackers must create many unique variations of their exploit to attack vulnerable systems en masse. If enough variants of the vulnerable software exist, then mass exploitation is much more difficult to achieve. Many forms of automatic software diversification have been explored and found to be useful for preventing malware infection. Forrest et al. make a strong case for software diversity and describe a few possible techniques including: adding or removing nonfunctional code, reordering code, and reordering memory layouts. Our techniques build on the latter. We describe two different ways to mutate an operating system kernel using memory layout randomization to resist kernel-based attacks. We introduce a new method for randomizing the stack layout of function arguments. Additionally, we refine a previous technique for record layout randomization by introducing a static analysis technique for determining the randomizability of a record. We developed prototypes of our techniques using the plugin architecture offered by GCC. To test the security benefits of our techniques, we randomized multiple Linux kernels using our compiler plugins. We attacked the randomized kernels using multiple kernel rootkits. We show that by strategically selecting just a few components for randomization, our techniques prevent kernel rootkit infection.

Added 2014-10-30

International Workshop on Web Intelligence for Information Security (WIIS 2011)

Raskin, Victor; Spafford, Eugene H.; Taylor, Julia M.

WIIS 2011 Workshop Statement: This workshop brings together researchers with interests in applying pertinent areas of natural-language-related web intelligence to new and existing issues in information assurance and security. Information assurance and security topics range from web security per se, with its trust, deception detection, and credibility concerns (as applied to text)—to counterintelligence, preemptive cyber attack detection, and disinformation as part of “cyber warfare.” The workshop goal is to bring together researchers and practitioners in the two areas, thus creating a multidisciplinary atmosphere and providing a new and exciting testing ground for web intelligence, while contributing at the same time to the scientific foundation of cyber security.

Added 2014-10-30

Intrusion Response Systems: A Survey

Foo, B; Glause, M; Howard, G; Wu, YS; Bagchi, S; Spafford, E
Added 2014-10-30

Process Coloring: An Information Flow-Preserving Approach to Malware Investigation

Xu, Dongyan; Spafford, Eugene H.; Jiang, Xuxian

Process Coloring is an information-preserving, provenance-aware software system for computer malware detection and investigation. By tainting each application process with a distinct color and propagating the color to other processes or system objects along with system call operations, Process Coloring preserves the “provenance” of malware attacks (namely, “Through which process did a malware program infiltrate the system?”). Process Coloring enables three useful malware defense capabilities: (1) color-based malware detection, (2) color-based malware break-in point identification, and (3) color-based log partitioning. Implemented on top of a virtualization platform, Process Coloring achieves strong tamper-resistance as the logs generated by the protected (virtual) machine are stored and processed outside the machine under attack. Finally, Process Coloring can be integrated with techniques that track information flows inside a program. The resultant integrated system achieves better malware detection accuracy by eliminating false positive alerts, especially for client-side environments. This report gives an overview of the Process Coloring project and presents the design, implementation, and evaluation highlights in the research effort.

Added 2014-10-30

Understanding Risk and Risk-Taking Behavior in Virtual Worlds

Fariborz Farahmand and Eugene H. Spafford

Virtual worlds have seen tremendous growth in recent years. However, security and privacy risks are major considerations in different forms of commerce and exchange in virtual worlds. The studies of behavioral economics and lessons from markets provide fertile ground in the employment of virtual worlds to demonstrate, study, and examine behaviors. In this chapter, we address user and organizational concerns about security and privacy risks by exploring the relationships among risk, perception of risk, and economic behavior in virtual worlds. To make their interaction more effective, we recommend that organizations understand perceptions of risk in virtual worlds and then implement policies and procedures to enhance trust and reduce risk. Such understanding depends in turn on the multidisciplinary nature of cyber security economics and online behavior.

Added 2014-10-30

Understanding insiders: An analysis of risk-taking behavior

Fariborz Farahmand, Eugene H. Spafford

There is considerable research being conducted on insider threats directed to developing new technologies. At the same time, existing technology is not being fully utilized because of non-technological issues that pertain to economics and the human dimension. Issues related to how insiders actually behave are critical to ensuring that the best technologies are meeting their intended purpose. In our research, we have investigated accepted models of perceptions of risk and characteristics unique to insider threat, and we have introduced ordinal scales to these models to measure insider perceptions of risk. We have also investigated decision theories, leading to a conclusion that prospect theory, developed by Tversky and Kahneman, may be used to describe the risk-taking behavior of insiders and can be accommodated in our model. Our results indicate that there is an inverse relationship between perceived risk and benefit by insiders and that their behavior cannot be explained well by the models that are based on the traditional methods of engineering risk analysis and expected utility. We discuss the results of validating that model with forty-two senior information security executives from a variety of organizations. We also discuss how the model may be used to identify characteristics of insiders’ perceptions of risk and benefit, their risk-taking behavior and how to frame insider decisions. Finally, we recommend understanding risk of detection and creating a fair working environment to reduce the likelihood of committing criminal acts by insiders.

Added 2014-10-30