The Center for Education and Research in Information Assurance and Security (CERIAS)

Reports and Papers Archive


Trust Negotiation: Concepts, Systems and Languages

CERIAS TR 2004-68
E. Bertino, E. Ferrari, A.C. Squicciarini
Download: PDF

Trust negotiation is a promising approach for establishing trust in open systems such as the Internet, where sensitive interactions sometimes occur among entities with no prior knowledge of each other. The authors provide a model for trust negotiation systems and delineate the features of ideal trust negotiation systems.

Added 2005-01-13

Selective and Authentic Third-Party Distribution of XML Documents

CERIAS TR 2004-69
E. Bertino, B. Carminati, E. Ferrari, B. Thuraisingham, A. Gupta
Download: PDF

Third-party architectures for data publishing over the Internet today are receiving growing attention, due to their scalability properties and to their ability to efficiently manage large numbers of subjects and great amounts of data. In a third-party architecture, there is a distinction between the Owner and the Publisher of information. The Owner is the producer of information, whereas Publishers are responsible for managing (a portion of) the Owner's information and for answering subject queries. A relevant issue in this architecture is how the Owner can ensure secure and selective publishing of its data, even if the data are managed by a third party, which can prune some of the nodes of the original document on the basis of subject queries and access control policies. One approach is to require the Publisher to be trusted with regard to the considered security properties. However, the serious drawback of this solution is that large Web-based systems cannot be easily verified to be secure and can be easily penetrated. For these reasons, in this paper, we propose an alternative approach, based on the use of digital signature techniques, which does not require the Publisher to be trusted. The security properties we consider are authenticity and completeness of a query response, where completeness is intended with regard to the access control policies stated by the information Owner. In particular, we show that, by embedding in the query response one digital signature generated by the Owner and some hash values, a subject is able to locally verify the authenticity of a query response. Moreover, we present an approach that, for a wide range of queries, allows a subject to verify the completeness of query results.

Added 2005-01-13

Towards supporting fine-grained access control for Grid Resources

CERIAS TR 2004-70
E. Bertino, P. Mazzoleni, B. Crispo, S. Sivasubramanian, E. Ferrari
Download: PDF

The heterogeneous nature and independent administration of geographically dispersed resources in Grids demand access control based on fine-grained policies. In this paper, we investigate the problem of fine-grained access control in the context of resource allocation in Grids, as we believe it is the first and key step in developing access control methods specifically tailored for Grid systems. To perform this access control, we design a security component (to be part of a meta-scheduler service) that finds the list of nodes where a user is authorized to run his/her jobs. The security component is designed in an effort to reduce the number of rules that need to be evaluated for each user request. We believe such fine-grained policy-based access control would help the adoption of Grids to a greater extent in new avenues such as Desktop Grids, as resource owners are given greater flexibility in controlling access to their resources. Similarly, Grid users get greater flexibility in choosing the resources on which their jobs must execute.

Added 2005-01-13

A Framework for Contractual Resource Sharing in Coalitions

CERIAS TR 2004-71
S. Sadighi Firozabadi, A.C. Squicciarini, M. Sergot, E. Bertino
Download: PDF

We develop a framework for specifying and reasoning about policies for sharing resources in coalitions, focusing here on a particular, common type of contract in which coalition members agree to make available some total amount of a specified resource over a given time period. The main part of the framework is a policy language with two basic elements:

Added 2005-01-13

A Trust-Based Context-Aware Control Model for Web Services

CERIAS TR 2004-72
R. Bhatti, E. Bertino, A. Ghafoor
Download: PDF

A key challenge in Web services security is the design of effective access control schemes that can adequately meet the unique security challenges posed by the Web services paradigm. Despite the recent advances in Web-based access control approaches applicable to Web services, there remain issues that impede the development of effective access control models for the Web services environment. Among them are the lack of context-aware models for access control, and reliance on identity- or capability-based access control schemes. In this paper, we motivate the design of an access control scheme that addresses these issues, and propose an extended, trust-enhanced version of our XML-based Role Based Access Control (X-RBAC) framework that incorporates context-based access control. We outline the configuration mechanism needed to apply our model to the Web services environment, and also describe the implementation architecture for the system.

Added 2005-01-13

Privacy-Preserving Trust Negotiation

CERIAS TR 2004-73
E. Bertino, E. Ferrari, A. Squicciarini
Download: PDF

Trust negotiation is a promising approach for establishing trust in open systems, where sensitive interactions may often occur between entities with no prior knowledge of each other. Although several proposals for systems for the management of trust negotiation exist today, none of them addresses in a comprehensive way the problem of privacy preservation. Privacy is today one of the major concerns of users exchanging information through the Web, and thus we believe that trust negotiation systems must effectively address privacy issues to be widely acceptable. For these reasons, in this paper we investigate privacy in the context of trust negotiations. More precisely, we propose a set of privacy-preserving features to be included in any trust negotiation system, such as support for the P3P standard, as well as different formats to encode credentials.

Added 2005-01-13

A Trend Analysis of Vulnerabilities

CERIAS TR 2005-05
Rajeev Gopalakrishna and Eugene H. Spafford
Download: PDF

Software vulnerabilities exist and will continue to do so. Every week, a new vulnerability gains popular attention, is discussed at length in mailing lists, and hopefully gets patched by the vendor before exploits and attack tools start appearing. But there is little evidence that we are learning from our mistakes. Sharing of vulnerability information through public databases has been possible for quite some time now. If it is not lack of information, what is it that is preventing us from learning from our past? Are there any lessons to be learned at all? A good start towards answering such questions would be to analyze vulnerabilities in widely deployed, critical but buggy software artifacts. In this paper, we look at vulnerabilities in five such software artifacts and examine two of their attributes. Among other statistics, our analysis suggests that the discovery of a vulnerability in a software artifact may influence the discovery of more vulnerabilities of the same type in that artifact. Thus, there may be some learning occurring, but it is by the penetration community rather than the software engineers. This paper argues that measuring vulnerability occurrences may have predictive value and that this concept of a retrospective metric is an interesting approach to expressing assurance.

Added 2005-01-12

Vulnerability Likelihood: A Probabilistic Approach to Software Assurance

CERIAS TR 2005-06
Rajeev Gopalakrishna, Eugene H. Spafford, and Jan Vitek
Download: PDF

The importance of software security is undeniable given the impact of software on our lives. Assurance about the security properties of a software artifact should ultimately translate into a quantitative measure of vulnerabilities. In this paper, we present the idea of vulnerability likelihood as a probabilistic approach to software assurance. Gaining assurance early in the software development cycle is of immense value in directing future efforts. So we first discuss vulnerability likelihood in the context of vulnerability prediction in software artifacts. We propose four types of program properties that can be observed in software artifacts to potentially determine their vulnerability likelihood. Then we discuss vulnerability likelihood in the context of vulnerability detection. We propose a technique to quantify the assurance in the solutions of checkers for vulnerability detection that use static analysis. And finally, we illustrate the importance of vulnerability likelihood in a software development methodology to measurably increase software assurance.

Added 2005-01-12

Secure Group Communication Using Robust Contributory Key Agreement

CERIAS TR 2004-58
C. Nita-Rotaru, Y. Amir, Y. Kim, J. Schultz, J. Stanton, and G. Tsudik
Download: PDF

Contributory group key agreement protocols generate group keys based on contributions of all group members. Particularly appropriate for relatively small collaborative peer groups, these protocols are resilient to many types of attacks. Unlike most group key distribution protocols, contributory group key agreement protocols offer strong security properties, such as key independence and perfect forward secrecy. This paper presents the first robust contributory key agreement protocol resilient to any sequence of group changes. The protocol, based on the Group Diffie-Hellman contributory key agreement, uses the services of a group communication system supporting Virtual Synchrony semantics. We prove that it provides both Virtual Synchrony and the security properties of Group Diffie-Hellman, in the presence of any sequence of (potentially cascading) node failures, recoveries, network partitions and heals. We implemented a secure group communication service, Secure Spread, based on our robust key agreement protocol and the Spread group communication system. To illustrate its practicality, we compare the costs of establishing a secure group with the proposed protocol and a protocol based on centralized

Added 2005-01-11

On the Performance of Group Key Agreement Protocols

CERIAS TR 2004-59
C. Nita-Rotaru, Y. Amir, Y. Kim, G. Tsudik
Download: PDF

Group key agreement is a fundamental building block for secure peer group communication systems. Several group key management techniques were proposed in the last decade, all assuming the existence of an underlying group communication infrastructure to provide reliable and ordered message delivery as well as group membership information. Despite analysis, implementation and deployment of some of these techniques, the actual costs associated with group key management have been poorly understood so far. This resulted in an undesirable tendency: on the one hand, adopting sub-optimal security for reliable group communication, while, on the other hand, constructing excessively costly group key management protocols. This paper presents a thorough performance evaluation of five notable distributed key management techniques (for collaborative peer groups) integrated with a reliable group communication system. An in-depth comparison and analysis of the five techniques is presented based on experimental results obtained in actual local- and wide-area networks. The extensive performance measurement experiments conducted for all methods offer insights into their scalability and practicality. Furthermore, our analysis of the experimental results highlights several observations which are not obvious from the theoretical analysis.

Added 2005-01-11

Secure Outsourcing of Sequence Comparisons

CERIAS TR 2005-03
Mikhail Atallah and Jiangtao Li
Download: PDF
Added 2005-01-11

JANUS: Towards Robust and Malicious Resilient Routing in Hybrid Wireless Networks

CERIAS TR 2004-60
B. Carbunar, I. Ioannidis, C. Nita-Rotaru
Download: PDF

In this paper we investigate and provide solutions for security threats in the context of hybrid networks consisting of a cellular base station and mobile devices equipped with dual cellular and ad-hoc (802.11b) cards. The cellular connection is used for receiving services (i.e. Internet access) from the base station, while the ad-hoc links are used to improve the quality of the connection. We provide detailed descriptions of several attacks that arbitrarily powerful adversaries, whether outsiders or insiders, can mount against well-behaved members of the network. We introduce a secure routing protocol called JANUS that focuses on the establishment of secure routes between the base station and mobile devices, and on the secure routing of the data. We show that our protocol is secure against the attacks described and experimentally compare the message overhead introduced by JANUS and UCAN.

Added 2005-01-11

Coping with the Insider Threat in Scalable Distributed Information Systems

CERIAS TR 2004-61
Y. Amir, C. Nita-Rotaru
Download: PDF
Added 2005-01-11

Augmenting LZ-77 with Authentication and Integrity Assurance Capabilities

CERIAS TR 2004-62
M. Atallah, S. Lonardi
Download: PDF

The formidable dissemination capability allowed by current network technology makes it increasingly important to devise new methods to ensure authenticity and integrity. Nowadays it is common practice to distribute documents in compressed form. In this paper, we propose a simple variation on the classic LZ-77 algorithm that allows one to hide, within the compressed document, enough information to warrant its authenticity and integrity. The design is based on the unpredictability of a certain class of pseudo-random number generators, in such a way that the hidden data cannot be retrieved in a reasonable amount of time by an attacker (unless the secret bit-string key is known). Since it can still be decompressed by the original LZ-77 algorithm, the embedding is completely

Added 2005-01-11

State-of-the-art in Privacy Preserving Data Mining

CERIAS TR 2004-63
V. Verykios, E. Bertino, I. Nai Fovino, L. Parasiliti Provenza, Y. Saygin, Y. Theodoridis
Download: PDF

We provide here an overview of the new and rapidly emerging research area of privacy preserving data mining. We also propose a classification hierarchy that sets the basis for analyzing the work which has been performed in this context. A detailed review of the work accomplished in this area is also given, along with the coordinates of each work to the classification hierarchy. A brief evaluation is performed, and some initial conclusions are made.

Added 2005-01-11