The Center for Education and Research in Information Assurance and Security (CERIAS)


SESS05

Wed, January 05, 2005 | General


Software Engineering for Secure Systems (SESS05)
Building Trustworthy Applications
http://homes.dico.unimi.it/~monga/sess05.html

May 15-16, 2005
St. Louis, Missouri, USA

An ICSE 2005 workshop
http://www.cs.wustl.edu/icse05



* Theme and goals



Every software application is built and deployed to accomplish some goal pursued by its interested parties. Thus, software engineers aim at designing, implementing, and maintaining valid applications that meet the needs of stakeholders. However, every application can also potentially be misused, that is, used to pursue goals that conflict with the ones intended by stakeholders. Therefore, software engineers should try to design applications that, while still valid, are also trustworthy and cannot be misused. Validity and trustworthiness are goals that often cannot be achieved, either because they are too costly or because they stem from conflicting needs. Historically, the software engineering community has striven more for validity than for trustworthiness. Nowadays, however, the ubiquity of software in the creation of critical infrastructures has raised the value of trustworthiness, and new efforts should be dedicated to achieving it.



Poor-quality software has been recognized as the major source of system vulnerabilities. However, while secure applications are also valid and robust ones, security is a specific non-functional requirement that has to be explicitly and carefully taken into account during analysis, implementation, testing, and deployment. Moreover, some of the most successful techniques used by software engineers may conflict with security objectives. Abstraction, for example, is the invaluable device designers use to cope with complexity, but, since it is rarely applied as a pure mathematical generalization, it could force one to neglect details that can be exploited to misuse an application; late binding, while a fundamental tool in pursuing design for change, could be hijacked to adapt systems to malicious goals; commercial off-the-shelf (COTS) components, while they might foster the profitability of the software industry, also introduce black-box subsystems that are difficult to manage when reasoning about the chain of trust of the whole system.



This workshop will provide a venue to discuss techniques that enable the building and validation of secure applications. We are especially interested in (1) design and implementation approaches that make it easier to deal with security requirements, and (2) program analysis techniques that enhance the trustworthiness of applications.



* Topics



Areas of interest include, but are not limited to:



    o Security requirements management


    o Architecture and design of trustworthy systems


    o Architecture and design of protection systems


    o Separation of the security concern in complex systems


    o Secure programming


    o Black box components trustworthiness


    o Security testing


    o Trustworthiness verification and clearance


    o Defining and supporting the process of building secure software


    o Deployment of secure applications



Workshop papers must be limited to 7 pages in the ICSE two column format.



* Important dates



** Submission of workshop papers


    21 February 2005


** Notification of workshop papers


    21 March 2005


** Publication-ready version


    4 April 2005



* Program Committee



    o Annie I. Antón, North Carolina State University


    o Elisa Bertino, Center for Education and Research in Information Assurance and Security, Purdue University


    o Premkumar T. Devanbu, University of California at Davis


    o Carlo Ghezzi, Politecnico di Milano, Italy


    o Charles B. Haley, The Open University, UK


    o Constance Heitmeyer, Naval Research Laboratory


    o Somesh Jha, University of Wisconsin at Madison


    o Richard A. Kemmerer, University of California at Santa Barbara


    o Christopher Kruegel, Technische Universität Wien, Austria


    o Axel van Lamsweerde, Université catholique de Louvain


    o Gene Spafford, Purdue University


    o Stuart Stubblebine, Stubblebine Research Labs and University of California at Davis


    o Wietse Z. Venema, IBM T.J. Watson Research Center


    o John Viega, Secure Software, Inc.


    o Giovanni Vigna, University of California at Santa Barbara


    o Alexander L. Wolf, University of Colorado at Boulder



* Organizing Committee



    o Danilo Bruschi, Università degli Studi di Milano, Italy


    o Bart De Win, Katholieke Universiteit Leuven, Belgium


    o Mattia Monga, Università degli Studi di Milano, Italy

