Software vulnerabilities are potential attack points in computing systems that can lead to considerable losses and severe security incidents.The way in which the information describing these vulnerabilities is handled is extremely important.Vulnerability data is very sensitive and therefore should be disclosed to the right people in the right circumstances.However,information sharing is currently mostly unidirectional;the present paper discusses a new approach for handling software vulnerability information:a cooperative system supported by a vulnerability classification.The system is composed by internal protocols that determine state transitions through which new vulnerability information is submitted,classified,verified,and made available via a Web Interface. Based on features like effects and nature,vulnerabilities in the collection can also be assigned a type.The proposed type system is a set of sub-classes that contain features of well-known vulnerability groups.Vulnerabilities can be linked together through these types and can be referenced as a group when retrieving or storing entries,hereby, speeding up the process.A voting mechanism allows a set of cooperating arbiters to review the information submitted from different sources.Approved descriptions of vulnerabilities can then be made available to the members of the cooperative system.The data model storing the vulnerability information is composed of a comprehensive set of features whose values are selected through decision trees.The leaves of the trees represent the most detailed qualities of a vulnerability.
\\noindent The vulnerability assessment of Windows CE devices started with 3 Aero 1550 Pocket PC devices by Compaq. Halfway through the semester, the project received the remaining equipment needed for penetration testing: wireless and ethernet cards to be used with two PocketPC iPaq devices by Compaq. Preliminary results implicate the existence of several vulnerabilities (one compromise and several Denial-of-Service vulnerabilities) that the team has not been able to analyze precisely. A problem area is the need to reverse engineer ActiveSync in order to clearly demonstrate the impact of the compromise, and to explore more powerful ways in which it could be exploited. Moreover, the team has identified several areas and hypotheses that should be investigated if this project is continued in the Spring 2001 semester.
Given an m x m image I and a smaller n x n image P, the computation of an (m
We investigate the outsourcing of numerical and scientific computations using the following framework: A customer who needs computations done but lacks the computational resources (computing power, appropriate software, or programming expertise) to do these locally, would like to use an external agent to perform these computations. This currently arises in many practical situations, including the financial services and petroleum services industries. The outsourcing is secure if it is done without revealing to the external agent either the actual data or the actual answer to the computations. THe general idea is for the customer to do some carefully designed local preprocessing (disguising) of the problem and/or data before sending it to the agent, and also some local postprocessing of the answer returned to extract the truse answer. The disguise process should be as lightweight as possible, e.g., take time proportional to the size of the input and answer. The disguise preprocessing that that the customer performs locally to “hide” the real computation can change the numerical properties of the computational performanc. We present a framewrok for disguising scientific copmutations and discuss their costs, numerical properties, and levels of security. These disguise techniques can be embedded in a very high level, easy-to-use system (problem solving environment) that hides their complexity.
We give a Monte Carlo algorithm that computes an unbiased estimate of the convolution of two vectors. The variance of our estimate is small for entries of the convolution that are large; this corresponds to the situation in which convolution is used in pattern matching or template matching, where one is only interested in the largest entries of the resulting convolution vector. Experiments performed with our algorithm confirm the theory and suggest that, in contexts where one cares about only the large entries in the convolution, the algorithm can be a faster alternative to performing an FFT-based convolution.
The outsourcing of numerical and scientific computations, as introduced in (Atallah et al., 2001) uses the following framework: A customer needs computations done but lacks the computational resources (computing power, appropriate software, or programming expertise) to do these locally. An external agent can do these computations. The outsourcing is secure if it is done without revealing to the external agent either the actual data or the actual answer to the computations. The idea is for the customer to do some carefully designed local preprocessing (disguising) of the problem and/or data before sending it to the agent, and also some local postprocessing (unveiling) of the answer returned to extract the true answer. In this paper we extend this concept to the case of more than one customer, introducing the notion of mutually secure outsourcing where two or more parties contribute their private data into the (disguised) common computation performed through the external agent; the customers are to know the result but not each other’s private data, and the external agent should know neither the provate data nor the result. We review the framework for disguising scientific computations and discuss their applicability, costs, and levels of security. We also introduce techniques for the disguise of programs in general, not just those for scientific computations.