Tue

sday

Oct

ober

25,

200

5

SoBeNeT project User group meeting

25/10/2005

2

Tue

sday

Oct

ober

25,

200

5

Agenda

14:00h Introduction and overview of last year's activities

14:30h Presentation of selected results DistriNet:- Verifiable Contracts for Stack Inspection Based Sandboxing by Jan Smans

- Protecting C and C++ programs from current and future code injection attacks by Yves Younan

15:10h Presentation of selected results COSIC:- Identification and Classification of Critical Software Modules in Modern Applications by Jan Cappaert

15:50h Break

16:00h Presentation of selected results Ubizen:- The best plans don't survive first contact; Bad guys think differently by Eddy Vanlerberghe

16:40h Discussion: feedback and opportunities for validation

17:00h Conclusion

17:10h Informal gathering

3

Tue

sday

Oct

ober

25,

200

5

The project in a nutshell

IWT SBO project (2003-2007)Context: availability of security componentsGoal: to enable the development of secure

application software4 Research tracks:

Programming and Composition Software engineering Tamper and analysis resistance Shielding and interception

4

Tue

sday

Oct

ober

25,

200

5

The project’s user group

3E Agfa Alcatel Application Engineers (Banksys) Cryptomatic (De Post) EMC2

Inno.com Johan Peeters bvba

Microsoft L-SEC NBB OWASP-Belgium Philips PWC Siemens UZ Gasthuisberg Zetes

User group Channel for direct feedback on the execution of

the project Primary audience for dissemination Possible channel for validation and valorization

Composition:

5

Tue

sday

Oct

ober

25,

200

5

Project status

End of second project yearProject execution is mainly on scheduleSubstantial amount of results

Academic: scientific publications and involvement in (inter)national events

Broader: workshops and coursesFirst steps of industrial validation

6

Tue

sday

Oct

ober

25,

200

5

Programming and Composition Track

1.1.1: Literature survey of causes and weaknesses Webservices [Krisvdb] and PalmOS [Goovaerts]

1.1.2: Application case studies E-finance [Lagaisse], E-publishing, KWS

1.2.1: Inventory of solution techniques Formal software security [De Win]

1.2.2: Evaluation SoA programming languages C#

1.2.3: Definition optimal programming model Memory allocators for C/C++ [Younan]

7

Tue

sday

Oct

ober

25,

200

5

Programming and Composition Track

1.3.1: Composition model for security Survey discussion [De Win], CAS for .NET [Smans]

1.3.2: Complex composition scenarios Improving abstractions [Verhanneman], Generic XACML

binding, Dependency scenarios [Desmet]

1.4.1: Definition basic security requirements 1.4.2: Support for contracts in component frameworks

Extending .NET for contracts [Jacobs]

1.4.3: Evaluation of component frameworks Comparison J2EE, CORBA, .NET, WS, Mobile [Goovaerts]

8

Tue

sday

Oct

ober

25,

200

5

Software Engineering Track

2.1.1: Inventory of common security requirements Literature study and case study driven

2.2.1: Study of industry best practice Overview presented in workshop [Ubizen]

2.2.2: Study of mainstream SE processes Focus on UP and XP to be presented in workshop, survey of

relevant research [De Win]

9

Tue

sday

Oct

ober

25,

200

5

Tamper and Analysis Resistance Track

3.1.1: Survey of critical software modules Analysis report [Cappaert]

3.2.1: Development of new software effective efforts Description and testing of first ideas [Wyseur]

All results are available on the project website (http://sobenet.cs.kuleuven.be)

10

Tue

sday

Oct

ober

25,

200

5

Shielding and Interception Track

4.1.3: Study of interception in the software industry Application to KWS case

4.1.6: Study of transfer mechanisms Inventory of transfer mechanisms

4.1.7: Design of interception point coordination SIAMM and SOSA

4.2.1: Study of formal approaches ASM-based specification of application-level protocols for OO

4.2.2: Derivation of security requirements Protocol conformance checker from ASM specification

[Smans]

4.2.3: Study of attack methods Survey of various attack methods [Ubizen]

4.2.4: Study of attack options Survey of various attack options [Ubizen]

11

Tue

sday

Oct

ober

25,

200

5

Focus for Year 02 (revisited)

Headlines Interrelations between point solutions in track

I (Languages and composition)Maturing the application case studies – track I Intensifying the software engineering track –

track II

Cross-fertilization between the above and tracks III en IV respectively

12

Tue

sday

Oct

ober

25,

200

5

Headlines of Year 3

Composition model for security (COSMOS): elaboration of new contract types Integration with mainstream component

frameworksRefinement of secure development process

activities (leveraged, among others, by results of other tracks)

Improved techniques for tamper and analysis resistance

Security management and monitoring

13

Tue

sday

Oct

ober

25,

200

5

Agenda

14:00h Introduction and overview of last year's activities

14:30h Presentation of selected results DistriNet:- Verifiable Contracts for Stack Inspection Based Sandboxing by Jan Smans

- by Yves Younan

15:10h Presentation of selected results COSIC:- Identification and Classification of Critical Software Modules in Modern Applications by Jan Cappaert

15:50h Break

16:00h Presentation of selected results Ubizen:- The best plans don't survive first contact; Bad guys think differently by Eddy Vanlerberghe

16:40h Discussion: feedback and opportunities for validation

17:00h Conclusion

17:10h Informal gathering

14

Tue

sday

Oct

ober

25,

200

5

Feedback and Validation

User group pollMore focus on validationKey target platforms: J2EE and .NET

15

Tue

sday

Oct

ober

25,

200

5

Future Events28/10/2005 SoBeNeT workshop “The role of security in

software processes (UP, XP) and software architecture”

14/10/2005 Hack.lu workshop “Web Application Vulnerability Assessment”

09/11/2005 12th ACM Computer and Communication Security Conference (CCS)

21-25/11/2005 IPA Herfstdagen over Security

12-16/12/2005 Javapolis (security track)

20-24/02/2006 Secure application development course

13-15/03/2006 International Symposium on Secure Software Engineering (ISSSE)