Listing by keyword "Security"
1 - 10 of 48
- Conference paper: 6th Workshop on Avionics Systems and Software Engineering (AvioSE'24) (Software Engineering 2024 (SE 2024), 2024). Reich, Marina; Annighoefer, Bjoern; Schweiger, Andreas.
- Conference paper: Accountable Trust Decisions: A Semantic Approach (Open Identity Summit 2020, 2020). Schlichtkrull, Anders; Mödersheim, Sebastian. This paper is concerned with the question of how to obtain the highest possible assurance on trust policy decisions: when accepting an electronic transaction of substantial value or significant implications, we want to be sure that this did not happen because of a bug in a policy checker. Potential bugs include bugs in parsing documents, in signature checking, in checking trust lists, and in the logical evaluation of the policy. This paper focuses on the latter kind of problem, and our idea is to validate the logical steps of the trust decision by another, complementary method. We have implemented this for the Trust Policy Language of the LIGHTest project, and we use the completely independently developed FOL theorem prover RP_X as the complementary method.
- Conference paper: Adapting the TPL Trust Policy Language for a Self-Sovereign Identity World (Open Identity Summit 2021, 2021). Alber, Lukas; More, Stefan; Mödersheim, Sebastian; Schlichtkrull, Anders. Trust policies enable the automated processing of trust decisions for electronic transactions. We consider the Trust Policy Language TPL of the LIGHTest project [Mö19], which was designed for businesses and organizations to formulate their trust policies. Using TPL, organizations can decide if and how they want to rely on existing trust schemes like Europe's eIDAS or on trust scheme translations endorsed by them. While the LIGHTest project is geared towards classical approaches like PKI-based trust infrastructures and X.509 certificates, novel concepts are on the rise: one example is the self-sovereign identity (SSI) model, which gives users better control of their credentials, offers more privacy, and supports decentralized solutions. Since SSI is based on distributed ledger (DL) technology, the question arises how TPL can be adapted so that organizations can continue to enjoy the benefits of flexible policy descriptions with automated evaluation at a very high level of reliability. Our contribution is a first step towards integrating SSI and the interaction with a DL into a Trust Policy Language. We discuss this on a more conceptual level and also show the required TPL modifications. We demonstrate that we can integrate SSI concepts into TPL without changing the syntax and semantics of TPL itself, and only have to add new formats and introduce a new built-in predicate for interacting with the DL. Another advantage of this is that the "business logic" aspect of a policy does not need to change, enabling re-use of existing policies with the new trust model.
- Conference paper: Analyzing PeerFlow – A Bandwidth Estimation System for Untrustworthy Environments (SICHERHEIT 2020, 2020). Mitseva, Asya; Engel, Thomas; Panchenko, Andriy. Tor is the most popular low-latency anonymization network, comprising over 7,000 nodes run by volunteers. To balance the user traffic load over the diverse resource capabilities of these nodes, Tor guides users to choose nodes in proportion to their available bandwidth. However, self-reported bandwidth values are not trustworthy. Recently, a new bandwidth measurement system, PeerFlow, has been proposed, aiming to solve the Tor bandwidth estimation problem. In this work, we introduce the first practical analysis of PeerFlow. We propose a set of strategies for the practical realization of probation periods in PeerFlow and show that many Tor nodes cannot recover to their normal state after one measuring period. We also demonstrate that low-bandwidth adversaries gain significantly higher bandwidth estimates, exceeding the theoretically defined security boundaries of PeerFlow.
- Conference paper: Architecture-based Propagation Analyses Regarding Security (Software Engineering 2024 (SE 2024), 2024). Hahner, Sebastian; Walter, Maximilian; Heinrich, Robert; Reussner, Ralf.
- Conference paper: Between Effort and Security: User Assessment of the Adequacy of Security Mechanisms for App Categories (Mensch und Computer 2019 - Tagungsband, 2019). Reuter, Christian; Häusser, Katja; Bien, Mona; Herbert, Franziska. With the increasing popularity of the smartphone, the number of people using it for financial transactions such as online shopping, online banking or mobile payment is also growing. Apps used in these contexts store sensitive and valuable data, creating a need for security measures. It has not yet been researched to what extent certain authentication mechanisms, which can be information-, biometric- as well as token-based, are suitable for individual apps and the respective data. The goal of this work is to assess how perceived security and estimated effort of using such mechanisms, as well as the degree to which app data is considered worth protecting, influence users' choices of appropriate measures to protect app categories. Therefore, we conducted a representative study (n=1024). On the one hand, our results show that a positive correlation between perceived security and effort exists for all investigated non-biometric authentication methods. On the other hand, the study sheds light on the differences between the investigated app categories and the users' choice of the appropriate security mechanisms for the particular category. In contrast to perceived security, which has a positive influence on a user's preference of mechanism, a relation can hardly be identified for effort. Moreover, app data sensitivity does not seem relevant for the users' choice of security mechanism.
- Conference paper: Building a runtime state tracing kernel (IMF 2008 – IT Incident Management & IT Forensics, 2008). Chakravarthy, Ananth; Vaidya, Vinay G. A process is run by the processor executing a sequence of instructions. However, it is probable that not all of the instructions are executed, as there are hundreds of paths that the executable can take to complete its execution. The path chosen depends on a host of factors like the environment, user input, the platform, etc. As such, at any given instant of time, the process might be in any of the possible states Sn after traversing states S1, S2, S3, ..., where S1, S2, ..., Sn, Sn+1, Sn+2, ..., SM depict the total of M states that the executable can take. There is currently no mechanism inside the LINUX kernel to peek into the state of the process to find out which of these states it is currently in and which states it has "traversed" to reach the current state while it is executing. If such effective tracing could be achieved, it would lead to better operating system security. Other advantages are better logs or even building a verifiable software system. This paper looks at the infrastructure that has been developed to realize such functionality in the Linux kernel and thereby increase the security of the running process. Of particular mention is the framework that has been developed to peek into the state of a running process as it executes, and the various mechanisms that could be used to ascertain the state of the running process.
- Conference paper: Christian Doppler Laboratory on Security and Quality Improvement in the Production Systems Life Cycle (Software Engineering 2020, 2020). Winkler, Dietmar; Biffl, Stefan. The size and complexity of software components in production systems engineering, such as manufacturing plants or automation systems, requires effective and efficient approaches for security and quality improvement. In industrial practice, engineers from different disciplines, such as the electrical, mechanical, and software disciplines, typically follow a plan-driven and sequential engineering process approach with parallel engineering activities within a heterogeneous set of methods and tools. Therefore, major challenges concern (a) insufficient data exchange capabilities between disciplines, (b) a lack of consistency evaluation capabilities across disciplines, tools, and engineering phases, (c) insufficient knowledge representation and exchange between disciplines and project stakeholders, and (d) limited security considerations. The goal of the Christian Doppler Laboratory on Security and Quality Improvement in the Production Systems Life Cycle (CDL-SQI) is to address these challenges in cooperation with industry partners in the production systems domain. We build on requirements and use case explorations at industry partners and on best practices from Business Informatics to develop concepts and prototype solutions for the target domain, and we evaluate these concepts and prototypes in close collaboration with industry partners. We derive requirements, use cases, and test data from industry and provide concepts and prototypes to the industry partners and to related scientific communities.
- Conference paper: Compliance: Dealing with the Agile Enemy!? (Projektmanagement und Vorgehensmodelle 2019 - Neue Vorgehensmodelle in Projekten - Führung, Kulturen und Infrastrukturen im Wandel, 2019). Diebold, Philipp; Simon, Frank. That agile development approaches can show significant advantages is by now universally accepted. That this is nevertheless far from being implemented in all organizations need not be a problem of lacking will: everywhere there are parameters that argue against implementing agility with Scrum as pure doctrine. While some of these parameters can perhaps still be changed directly by the organization, there are, particularly from the area of compliance and there especially from the focus area of security, many parameters that simply forbid some forms of agility. This frequently leads either to a fundamental rejection, to an agility that cannot be implemented (not being able to) or to an agility that is not permitted (not being allowed to). We therefore propose a modular agility approach based on 5 steps: First, the goals that always stand (or should stand) behind the idea of introducing agility are analyzed. Steps 2 and 3 then list the project and organization parameters that essentially decide what can and may be done. In step 4, the expedient, possible and permitted agile method building blocks for the target agility are selected, and their transition is then planned step by step in the final step 5.
- Conference paper: Cryptanalysis of the Record Linkage Protocol used by German Cancer Registries (Sicherheit 2024, 2024). Heng, Youzhe; Schnell, Rainer; Armknecht, Frederik. For linking sensitive or medical data in Germany, the widely accepted protocol of the German cancer registries (GCRs) is often used as a baseline model for privacy-preserving record linkage (PPRL). Despite its popularity, no cryptographic analysis of the GCR protocol has been published so far. Given the recent advances in the cryptanalysis of PPRL methods and the resulting increase in the privacy demands on PPRL protocols, an evaluation of the GCR protocol is needed. Using the same assumptions as recent attacks on modern PPRL methods, we show that the current GCR protocol cannot protect against attacks. Using a publicly available database, up to 90% of the encoded records can be correctly re-identified. Therefore, the GCR protocol should no longer be used as a blueprint for future registries.