The Center for Education and Research in Information Assurance and Security (CERIAS)


Reports and Papers Archive



Security Analysis of the Diebold AccuVote-TS Voting Machine

Ariel J. Feldman, J. Alex Halderman, Edward W. Felten
Download: PDF

This paper presents a fully independent security study of a Diebold AccuVote-TS voting machine, including its hardware and software. We obtained the machine from a private party. Analysis of the machine, in light of real election procedures, shows that it is vulnerable to extremely serious attacks. For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities—a voting-machine virus. We have constructed working demonstrations of these attacks in our lab. Mitigating these threats will require changes to the voting machine’s hardware and software and the adoption of more rigorous election procedures.

Added 2006-09-13

Security and Privacy in Data Stream Management Systems

CERIAS TR 2006-29
Rimma V. Nehme, Elke A. Rundensteiner, Elisa Bertino
Download: PDF

Privacy and security in the context of streaming systems have largely been overlooked. We tackle this important problem in this paper. Our work focuses on context-aware security and user-centric privacy preservation in data stream management systems (DSMS) by exploiting security constraints (called security punctuations) that are dynamically embedded into data streams. The novelty of our proposed approach is that access control policies are not persistently stored in the DSMS but rather streamed together with the data. We present novel query operators, termed Security Shield (SS) and Security-Compliant Join (SCJoin), that are designed to make queries comply with the security policies of the streaming data while still guaranteeing near real-time response. As a proof of feasibility, we have implemented the security punctuation framework within a real DSMS. Our experimental results show that our proposed solution incurs low overhead.

Added 2006-09-09

Conformance Testing of Temporal Role Based Access Control

CERIAS TR 2006-30
Ammar Masood, Arif Ghafoor, Aditya Mathur
Download: PDF

Access control is a key security service at the foundation of information and system security. It has been extended with temporal constraints to support real-time considerations. Conformance testing of an access control implementation is crucial to ensure that it correctly enforces any required temporal and non-temporal policies for access control. We propose an approach for conformance testing of implementations required to enforce access control policies specified using the Temporal Role Based Access Control (TRBAC) model. The proposed approach uses Timed Input Output Automata (TIOA) to model the behavior specified by a TRBAC policy. The TIOA model is then transformed to a deterministic se-FSA model that captures any temporal constraint by using two special events, Set and Exp. Finally, we adapt the W-method and use an integer programming based approach to construct a conformance test suite from the transformed model. The conformance test suite so generated provides complete fault coverage with respect to the proposed fault model for TRBAC specifications.

Added 2006-09-06

Practical Identity Theft Prevention using Aggregated Proof of Knowledge

CERIAS TR 2006-26
A. Bhargav-Spantzel, A.C. Squicciarini, R. Xue, E. Bertino
Download: PDF

The problem of identity theft, that is, the act of impersonating others

Added 2006-08-28

Privacy Preserving Multi-Factor Authentication with Biometrics

Abhilasha Bhargav-Spantzel, Anna Squicciarini, Elisa Bertino

An emerging approach to the problem of reducing identity theft is represented by the adoption of biometric authentication systems. Such systems, however, present several challenges related to privacy, reliability, and security of the biometric data. Inter-operability is also required among the devices used for the authentication. Moreover, very often biometric authentication in itself is not sufficient as a conclusive proof of identity and has to be complemented with multiple other proofs of identity like passwords, SSN, or other user identifiers. Multi-factor authentication mechanisms are thus required to enforce strong authentication based on the biometric and identifiers of other nature. In this paper we provide a two-phase authentication mechanism for federated identity management systems. The first phase consists of a two-factor biometric authentication based on zero knowledge proofs. We employ techniques from the vector-space model to generate cryptographic biometric keys. These keys are kept secret, thus preserving the confidentiality of the biometric data, while at the same time exploiting the advantages of biometric authentication. The second phase combines several authentication factors in conjunction with the biometric to provide strong authentication. A key advantage of our approach is that any unanticipated combination of factors can be used. Such an authentication system leverages the information about the user that is available from the federated identity management system.

Added 2006-08-28

Workflow Authorisation in Mediator-Free Environments

M. Shehab, E.Bertino, A. Ghafoor

WorkFlow Management Systems (WFMS) coordinate and streamline business processes. Acquiring workflow authorisations and managing workflow authorisation constraints is a challenging problem. Current WFMSs assume a centralised global workflow authorisation model. In this paper, we propose a distributed workflow authorisation model with no central authorisation manager for a mediator-free environment. We provide an on-demand task discovery protocol that enables domains to discover tasks available in other domains. We formulate the workflow authorisation problem as a constraint satisfaction problem to select access paths that satisfy all the workflow authorisation constraints. We propose the Workflow Minimal Authorisation Problem (WMAP), which selects minimal authorisations required to execute the workflow tasks. In addition, we investigate access path overlaps to allow tasks in the same session to share authorisations and we present the Workflow Minimal Authorisation Problem with path Overlaps (WMAPO). Finally, we formulate integer programmes to solve both the WMAP and WMAPO.

Added 2006-08-28

Beyond k-Anonymity: A Decision Theoretic Framework for Assessing Privacy Risk

CERIAS TR 2006-31
Guy Lebanon, Monica Scannapieco, Mohamed Fouad, Elisa Bertino
Download: PDF

An important issue any organization or individual has to face when managing data containing sensitive information is the risk that can be incurred when releasing such data. Even though data may be sanitized before being released, it is still possible for an adversary to reconstruct the original data using additional information, thus resulting in privacy violations. To date, however, a systematic approach to quantify such risks is not available. In this paper we develop a framework, based on statistical decision theory, that assesses the relationship between the disclosed data and the resulting privacy risk. We model the problem of deciding which data to disclose in terms of deciding which disclosure rule to apply to a database. We assess the privacy risk by taking into account both the entity identification and the sensitivity of the disclosed information. Furthermore, we prove that, under some conditions, the estimated privacy risk is an upper bound on the true privacy risk. Finally, we relate our framework to the k-anonymity disclosure method. The proposed framework makes the assumptions behind k-anonymity explicit, quantifies them, and extends them in several natural directions.

Added 2006-08-19

Formal Foundations for Hybrid Hierarchies in GTRBAC

CERIAS TR 2006-25
James B. Joshi, E. Bertino, A. Ghafoor
Download: PDF

A role hierarchy defines semantics related to permission acquisitions and role activations through role-role relationships. It can be utilized for efficiently and effectively structuring functional roles of an organization having related access control needs. Temporal constraints on role enablings and role activations can have various implications on such a role hierarchy. The focus of this paper is the analysis of hybrid role hierarchies in the context of the Generalized Temporal Role Based Access Control (GTRBAC) model, which allows specification of a comprehensive set of temporal constraints on roles, user-role assignments and role-permission assignments. We introduce the notion of a uniquely activable set (UAS) associated with a role hierarchy that indicates the access capabilities of a user resulting from his membership to a role in the hierarchy. Identifying such a role set is essential while making an authorization decision about whether or not a user should be allowed to activate a particular combination of roles in a single session. Furthermore, when separation-of-duty (SoD) constraints are present in the system, it is also essential to ensure that there are no role combinations that can be allowed to be activated in a single user session. In other words, knowledge about UAS can be used to facilitate enforcement of the principle of least privilege. Because of the separation of permission inheritance and role activation semantics in GTRBAC, a hybrid hierarchy, which allows different hierarchy types to coexist, can give rise to complex semantics, and identifying what role combinations can be allowed to be activated in a session for a user may not be straightforward. We formally show how UAS can be determined for a hybrid hierarchy. Furthermore, within a hybrid hierarchy, various hierarchical relations may be derived between an arbitrary pair of roles.
We present a set of inference rules that can be used to generate all the possible derived relations that can be inferred from a specified set of hierarchical relations and show that the set of these inference rules is sound and complete. Another key issue we address in this paper is that of the evolution of role hierarchies through hierarchical transformations. We present an analysis of hierarchy transformations with respect to role addition, deletion and partitioning, and show how various cases of these transformations allow the original permission acquisition and role activation semantics to be managed. The formal results presented here provide a basis for developing e

Added 2006-08-09

2006 IEEE Web Services Security Symposium

CERIAS TR 2006-23
IEEE Web Services Security Symposium
Download: PDF

The 2006 IEEE Workshop on Web Services Security was held May 21, 2006, in Oakland, California, USA. The workshop provided a forum for the presentation, discussion, and dissemination of new results on security challenges presented by Web Services. It was organized in conjunction with the 2006 IEEE Symposium on Security and Privacy.

The program committee selected 6 papers for inclusion in the proceedings. Each submission was reviewed by at least 3 members of the Program Committee. The Program Committee meeting was held electronically. We would like to thank all the authors for submitting to WSSS.

The one-day workshop comprised presentations, followed by discussions of the accepted papers. In addition to the research program, the workshop featured 2 invited talks and a panel discussion.

Added 2006-08-06

Scalable and Effective Test Generation for Role Based Access Control Systems

CERIAS TR 2006-24
Ammar Masood, Rafae Bhatti, Arif Ghafoor, Aditya Mathur
Download: PDF

Conformance testing procedures for generating tests from the finite state model representation of Role Based Access Control (RBAC) policies are proposed and evaluated. A test suite generated using one of these procedures has excellent fault detection ability but is astronomically large. Two approaches to reduce the size of the generated test suite were investigated. One is based on a set of six heuristics and the other directly generates a test suite from the finite state model using random selection of paths in the policy model. A fault model specific to the implementations of RBAC systems was used to evaluate the fault detection effectiveness of the generated test suites; the model incorporates both mutation-based and malicious faults. Empirical studies revealed that adequacy assessment of test suites using faults that correspond to first-order mutations may lead to a false sense of confidence in the correctness of policy implementation. The second approach to test suite generation, combined with one or more heuristics, is most effective in the detection of both first-order mutation and malicious faults and generates a significantly smaller test suite than the one generated directly from the finite state models.

Added 2006-08-03

Impact of Image Quality on Performance: Comparison of Young and Elderly Fingerprints

Shimon K. Modi, Prof. Stephen J. Elliott

Performance of fingerprint recognition systems is heavily influenced by the quality of fingerprints provided by the user. Image quality analysis is traditionally performed using local and global structures of fingerprint images like ridge flow, analysis of ridge-valley structures, contrast ratios, etc. With large scale deployment of fingerprint recognition in systems like the US-VISIT program, image quality issues of fingerprint images from extreme age groups become an even more important issue. The impact of image quality on performance of fingerprint recognition systems should be a positive one, i.e. higher image quality should lead to better overall performance of the system, and removal of lower quality images should improve performance of the system. This study examined the impact of fingerprint image quality of two different age groups, 18-25 and 62 and above, on overall performance using two different matchers. The difference in image quality between the two age groups was analyzed, and then the impact of image quality on performance of fingerprint matchers between the two groups was analyzed. Image quality analysis was performed using NFIQ, which is part of NIST Fingerprint Image Software (NFIS). Neurotechnologija VeriFinger and bozorth3 (NFIS) matchers were used to assess overall performance. For the purposes of the research study, overall performance was measured using False Non-Matches.

Added 2006-07-18

Enabling Internet Worms and Malware Investigation and Defense Using Virtualization

CERIAS TR 2006-22
Xuxian Jiang
Download: PDF

Added 2006-07-13

Key Management for Non-Tree Access Hierarchies

CERIAS TR 2006-21
Mikhail J. Atallah, Marina Blanton, and Keith B. Frikken
Download: PDF

Access hierarchies are useful in many applications and are modeled as a set of access classes organized by a partial order. A user who obtains access to a class in such a hierarchy is entitled to access objects stored at that class, as well as objects stored at its descendant classes. Efficient schemes for this framework assign only one key to a class and use key derivation to permit access to descendant classes. Ideally, the key derivation uses simple primitives such as cryptographic hash computations and modular additions. A straightforward key derivation time is then linear in the length of the path between the user’s class and the class of the object that the user wants to access.

Recently, work presented in [2] has given an efficient solution that significantly lowers this key derivation time, while using only hash functions and modular additions. Two fast-key-derivation techniques in that paper were given for trees, achieving O(log log n) and O(1) key derivation times, respectively, where n is the number of access classes. The present paper presents efficient key derivation techniques for hierarchies that are not trees, using a scheme that is very different from the above-mentioned paper. The construction we give in the present paper is recursive and uses the one-dimensional case solution as its base. It makes a novel use of the notion of the dimension d of an access graph, and provides a solution through which no key derivation requires more than 2d+1 hash function computations, even for “unbalanced” hierarchies whose depth is linear in their number of access classes n.

The significance of this result is strengthened by the fact that many access graphs have a low d value (e.g., trees correspond to the case d=2). Our scheme has the desirable property (as did [2] for trees) that addition and deletion of edges and nodes in the access hierarchy can be “contained” in the node and do not result in modification of keys at other nodes (no wholesale re-keying as changes are made to the access hierarchy).

Added 2006-06-27

An empirical study of Automatic Event Reconstruction Systems

CERIAS TR 2006-20
Sundararaman Jeyaraman, Mike Atallah
Download: PDF

Reconstructing the sequence of computer events that led to a particular event is an essential part of the digital investigation process. The ability to quantify the accuracy of automatic event reconstruction systems is an essential step in standardizing the digital investigation process, thereby making it resilient to tactics such as the Trojan Horse defense. In this paper, we present findings from an empirical study to measure and compare the accuracy and effectiveness of a suite of such event reconstruction techniques. We quantify (as applicable) the rates of false positives, false negatives, and scalability both in terms of computational burden and memory usage. Some of our findings are quite surprising in the sense of not matching a priori expectations, and whereas other findings qualitatively match the a priori expectations, they were never before quantitatively put to the test to determine the boundaries of their applicability. For example, our results show that automatic event reconstruction systems proposed in the literature have very high false-positive rates (up to 96%).

Added 2006-06-16

Information Leaks and Safe Web Services

CERIAS TR 2006-18
Ashish Kundu
Download: PDF

The paper shows that information leaks are inherent in object models based on subtyping and inclusion polymorphism. Web services interact with other systems across organizational boundaries using such an object model. In the context of web services, information leaks pose serious security and privacy concerns. A safe web service is one that is neither a source of any information leak nor exploits any information leak. The paper defines properties of such a safety model and proposes mechanisms to enforce the safety requirements. Leaks inherent in the programming paradigm, however, cannot always be completely masked while keeping the desired interoperability and flexibility of services intact, especially in compositional scenarios. Therefore the paper also proposes the use of service certification and versioning processes, aided by data flow analysis, as measures against information leaks, and a cost estimation model for the case where information leaks occur.

Added 2006-06-05