Introduction – October 20, 2016

SEMINAR: SECURE SYSTEMS ENGINEERING

OUTLINE

1. Basic Requirements

2. Preliminary Dates

3. Seminar Guidelines

4. Presentation of the Topics

Basic Requirements

Completion of a seminar thesis in English

20 pages written in LaTeX

We provided a template

Design and run a presentation

Presentation is 30 min, to be held in a block seminar

20 min for the contents

10 min for discussion

Reviews

Internal peer-review by students

also by supervisor

Thu, 20.10., 4:00 p.m.: Topic presentation

Thu, 27.10., 11:00 a.m.: Seminar guidelines & introduction to scientific working

The following dates have their deadline 23:59 MEZ:

Thu, 24.11.: Outline and literature references (student)

Thu, 15.12.: Seminar thesis for review (student)

Fr, 16.12.: Assignment of peer reviews (supervisors)

Fr, 23.12.: Completed peer-review (student)

Su, 15.01.: Presentation for supervisor feedback (student)

Su, 22.01.: Supervisor feedback: presentation (supervisors)

Su, 12.02.: Camera-ready version of thesis (student)

Su, 26.02.: Supervisor feedback: thesis (supervisors)

Su, 12.03.: Final hand-in of thesis (student)

Presentations (block seminar): 30.01.-03.02.2016

Preliminary Dates

Seminar Guidelines

Thursday, 27.10., 11:00 a.m. in ZM1.02-48

Presentation of seminar guidelines and rules

Introduction into scientific working

Participation is mandatory

Topic Selection

Doodle poll

Choose exactly three topics

Each topic will be drawn from all applicants

Poll will be opened today at 6 p.m. and will be closed on Monday,

October 24th at 4 p.m.

You will be informed via e-mail which topic you are assigned

Please confirm this mail until Tuesday, October 25th at 6 p.m.

OUTLINE

1. Basic Requirements

2. Preliminary Dates

3. Seminar Guidelines

4. Presentation of the Topics

Model-driven Security for Embedded SystemsSupervisor: Johannes Geismann

7

When designing safe and secure embedded systems not only software but also

hardware has to be considered

Model-driven approaches are used to assist designers and developers in early

development steps

SysML-Sec is a method for this task

Your task:

Give a comprehensive overview

Which threats / attacks are considered?

Which viewpoints are covered?

What are the assumptions/limitations made in this approach?

Compare to related approaches

Software Engineering

Ludovic Apvrille, Yves Roudier, "SysML-Sec: A Model-Driven Environment for Developing Secure Embedded Systems", Proceedings of the 8th conference

on the security of network architecture and information systems (SARSSI'2013), Mont de Marsan, France, 16-18 sept. 2013

Ludovic Apvrille, Yves Roudier, "SysML-Sec: A Model Driven Approach for Designing Safe and Secure Systems", Special session on Security and Privacy

in Model Based Engineering, 3rd International Conference on Model-Driven Engineering and Software Development (Modelsward), Angers, France, Feb.

2015

1

[Nadi et al., Variability Modeling of Cryptographic

Components (Clafer Experience Report), VaMos

2016]

[Boucher et al., Introducing TVL, a Text-

based

Feature Modelling Language, VaMos

2010]

[Bak et al., Unifying Class and

Feature Modelling, SoSyM

2014]

Candidates In Summary:

Task: Compare two modelling languages in terms of their suitability for

cryptography

One student: Comparison based on papers

Two students: Papers + Creating a model of subdomain in both languages

Supervisor: Stefan Krüger

stefan.krueger@upb.de

2Modelling of Cryptographic AlgorithmsStefan Krüger

Architecture-based Intrusion DetectionDavid Schubert

9

Literature:

Yuan, Eric, and Malek, Sam. "Mining Software

Component Interactions to Detect Security Threats at the

Architectural Level." DOI 10.1109/WICSA.2016.12

Lazarevic, Aleksandar, Vipin Kumar, and Jaideep

Srivastava. "Intrusion detection: A survey." DOI

10.1007/0-387-24230-9_2

Software Engineering

Your Task:

1. Recap the approach by Yuan and Malek

2. Emphazise the (dis)advantages compared to

classical host and network-based intrusion detection

Code typically has flaws that can be exploited

Finding all these flaws manually or by automated analyses is hard and expensive

A second line of defense are runtime approaches that monitor the running system and aim at detecting intrusions (deviations from

normal system behavior)

These approaches are categorized by their information source

DatabaseUserClient

3

Secure Isolation of Native Code for JavaAndreas Dann adann@mail.upb.de

10 Software Engineering

3rd Party

LibraryJava Application

Security Risk:

Malicious/Buggy

Outside of

Language Security

General Risk:

Java, Python, C#,

JS, etc.

Real-Problem:

Web-Server,

Android, Plugins…

Solution:

SFI, Process,…

Your Task: Compare Approaches

• What is the concept?

• What threats are mitigated?

• What are drawbacks?

• Your Conclusion?

Approaches:

• Robusta, Siefers J. et al., 2010

DOI: 10.1145/1866307.1866331

• JVM-Portable Sandboxing, Sun, M., 2012

DOI: 10.1007/978-3-642-33167-1_48

• JNICodejail, Hassanshai B., 2013

DOI: 10.1145/2500828.2500848

4

Static Analysis using LLVMSupervisor: Philipp Schubert (Philipp.Schubert@upb.de)

Software Engineering11

Static analyses can be used for automated bug detection and code optimization

Static analysis builds on compiler infrastructure and vice versa

Your task

Familiarize yourself with the powerful compiler technology LLVM (C/C++ based)

Give an overview on LLVMs capabilities

What is the concept? What are the benefits? What are the drawbacks?

What are the characteristics of the used IR?

Compare the LLVM project to related approaches

Two students: comprehensive comparison with Graal & Truffle project

Learning outcomes

Understand basic concepts of compiler technology & static analysis

Gain deeper understanding of how programming languages are processed

Chris Lattner and Vikram Adve. 2004. LLVM: A Compilation Framework for Lifelong Program Analysis & Transformation. In Proceedings of the international symposium

on Code generation and optimization: feedback-directed and runtime optimization (CGO '04). IEEE Computer Society, Washington, DC, USA, 75-.

5

Graal & Truffle Compiler TechnologySupervisor: Philipp Schubert (Philipp.Schubert@upb.de)

Software Engineering12

Static analyses can be used for automated bug detection and code optimization

Several compiler projects exist (specific advantages / disadvantages)

Your task

Familiarize yourself with the Graal & Truffle project (Java based)

What is the concept of Graal & Truffle?

What are the benefits? What are the drawbacks?

What are the characteristics of the used IR?

Compare the Graal project to related approaches

Two students: comprehensive comparison with the LLVM project

Learning outcomes

Understand basic concepts of compiler technology & static analysis

Gain deeper understanding of how programming languages work

https://github.com/graalvm/graal-core/blob/master/docs/Publications.md

6

Android Apps can exchange messages to make a re-use of some functionalities provided by components in other applications

For example, a review app for restaurants can ask the map application to display the location of the restaurant

Problem: The Android passing message system which enables the Inter-App communication may be attacked if it is used incorrectly. The messages can be sniffed, modified, or stolen.

Approach: Analysis of Android applications and automatic detection of known vulnerabilities related to the Inter-App communication

Your task:

Give an overview and classification of attacks to the Inter-App communication

Evaluate at least two analysis tools using your classification

Security Risks in Android’s Inter-App Communication Supervisor: Goran Piskachev

Literature:

Erika Chin, Adrienne Porter Felt, Kate Greenwood, and David Wagner. 2011. Analyzing inter-application

communication in Android. In Proceedings of the 9th international conference on Mobile systems, applications, and

services (MobiSys '11). ACM, New York, NY, USA, 239-252

Damien Octeau, Patrick McDaniel, Somesh Jha, Alexandre Bartel, Eric Bodden, Jacques Klein, and Yves Le Traon.

2013. Effective inter-component communication mapping in Android with Epicc: an essential step towards holistic

security analysis. In Proceedings of the 22nd USENIX conference on Security (SEC'13). USENIX Association,

Berkeley, CA, USA, 543-558.

7

Surveying Requirements Specification Approaches

for Information Flow SecuritySupervisor: Christopher Gerking

Software Engineering14

Literature Fabian, B., Gürses, S., Heisel, M., Santen, T., Schmidt, H.: A comparison of security requirements

engineering methods. Requirements Engineering 15(1), 7–40 (2010)

Meland, P.H., Tøndel, I.A., Jaatun, M.G.: Security requirements for the rest of us: A survey. IEEE Software

25(1), 20–27 (2008)

Mellado, D., Blanco, C., Sánchez, L.E., Fernández-Medina, E.: A systematic review of security

requirements engineering. Computer Standards Interfaces 32(4), 153–165 (2010)

Secure Information Flow of Cyber-Physical Systems (CPS) is critical

Problem: How to specify Information Flow Requirements?

Your Task: review existing Approaches for Security Requirements Specification,

asses their Applicability in the Context of Information Flow Security for CPS

8

Relaxing Information Flow Restrictions

by means of Information DeclassificationSupervisor: Christopher Gerking

Software Engineering15

Literature Goguen, J.A., Meseguer, J.: Security policies and security models. In: 1982 IEEE Symposium on Security

and Privacy. pp. 11–20. IEEE Computer Society (1982)

Zdancewic, S.: Challenges for information-flow security. In: Workshop on the Programming Language

Interference and Dependence (PLID’04) (2004)

Sabelfeld, A., Sands, D.: Declassification: Dimensions and principles. Journal of Computer Security 17(5),

517–548 (2009)

Classical Noninterference Policy too strict in Practice

Problem: How to relax Information Flow Restrictions?

Your Task: study the Theory of Noninterference, give an Overview of existing Approaches

for Declassification, demonstrate Advantages and Shortcomings in the context of CPS

9

A Survey of Static Code Analysis techniques for PLC ProgramsSupervisor: Faezeh Ghassemi

Static code analysis (SCA) is analyzing the code without executing it

There are plenty of SCA tools and techniques for languages like Java and C

Not many tools/ approaches for PLC programming languages

Your task

Make a survey of existing static analysis tools and methods for PLC programming languages and

explain their capabilities as well as advantages and disadvantages

Literature

H. Prahofer; F. Angerer; R. Ramler; F. Grillenberger, "Static Code Analysis of

IEC 61131-3 Programs: Comprehensive Tool Support and Experiences from

Large-Scale Industrial Application," in IEEE Transactions on Industrial

Informatics , vol.PP, no.99, pp.1-1 doi: 10.1109/TII.2016.2604760

S. Stattelmann, S. Biallas, B. Schlich and S. Kowalewski, "Applying static

code analysis on industrial controller code," Proceedings of the 2014 IEEE

Emerging Technology and Factory Automation (ETFA), Barcelona, 2014, pp.

1-4. doi: 10.1109/ETFA.2014.7005254

faezeh.ghassemi@iem.fraunhofer.de

10

SECURE TROPOS – Integrating Security and Systems

Engineering Supervisor: Thorsten Koch

Problem

Security is a crucial issue for information systems. However, in Software Engineering security is mainly considered as

non-function requirements after the definition of the systems. This approach often leads to problems, which translate to

security vulnerabilities.

Approach

The methodology Secure Tropos is proposed to model and analyze security requirements alongside functional

requirements. It provides a requirements analysis process that drives system designers from the acquisition of

requirements up to their verification to consider security during the whole development process.

Your Task

Describe the methodology Secure Tropos

Especially focus on the possibilities to analyze the specified security requirements

Literature

Mouratidis, H.; Giorgini, P.; Manson, G.: Integrating Security and Systems engineering: Towards the Modelling of

Secure Information Systems in CAiSE 2003 [http://dx.doi.org/10.1007/3-540-45017-3_7]

[http://www.troposproject.org/node/301]

11

Topic Selection

Doodle poll

Choose exactly three topics

Each topic will be drawn from all applicants

Poll will be opened today at 6 p.m. and will be closed on Monday,

October 24th at 4 p.m.

Write a mail if you would like to work in a “group”

Names of both students

Topic number

Important: Both students have to mark this topic in the doodle poll!

You will be informed via e-mail which topic you are assigned

Please confirm this mail until Tuesday, October 25th at 6 p.m.