Upload
georgina-blair
View
214
Download
0
Embed Size (px)
Citation preview
Tue
sday
Oct
ober
25,
200
5
SoBeNeT project User group meeting
25/10/2005
2
Tue
sday
Oct
ober
25,
200
5
Agenda
14:00h Introduction and overview of last year's activities
14:30h Presentation of selected results DistriNet:- Verifiable Contracts for Stack Inspection Based Sandboxing by Jan Smans
- Protecting C and C++ programs from current and future code injection attacks by Yves Younan
15:10h Presentation of selected results COSIC:- Identification and Classification of Critical Software Modules in Modern Applications by Jan Cappaert
15:50h Break
16:00h Presentation of selected results Ubizen:- The best plans don't survive first contact; Bad guys think differently by Eddy Vanlerberghe
16:40h Discussion: feedback and opportunities for validation
17:00h Conclusion
17:10h Informal gathering
3
Tue
sday
Oct
ober
25,
200
5
The project in a nutshell
IWT SBO project (2003-2007)Context: availability of security componentsGoal: to enable the development of secure
application software4 Research tracks:
Programming and Composition Software engineering Tamper and analysis resistance Shielding and interception
4
Tue
sday
Oct
ober
25,
200
5
The project’s user group
3E Agfa Alcatel Application Engineers (Banksys) Cryptomatic (De Post) EMC2
Inno.com Johan Peeters bvba
Microsoft L-SEC NBB OWASP-Belgium Philips PWC Siemens UZ Gasthuisberg Zetes
User group Channel for direct feedback on the execution of
the project Primary audience for dissemination Possible channel for validation and valorization
Composition:
5
Tue
sday
Oct
ober
25,
200
5
Project status
End of second project yearProject execution is mainly on scheduleSubstantial amount of results
Academic: scientific publications and involvement in (inter)national events
Broader: workshops and coursesFirst steps of industrial validation
6
Tue
sday
Oct
ober
25,
200
5
Programming and Composition Track
1.1.1: Literature survey of causes and weaknesses Webservices [Krisvdb] and PalmOS [Goovaerts]
1.1.2: Application case studies E-finance [Lagaisse], E-publishing, KWS
1.2.1: Inventory of solution techniques Formal software security [De Win]
1.2.2: Evaluation SoA programming languages C#
1.2.3: Definition optimal programming model Memory allocators for C/C++ [Younan]
7
Tue
sday
Oct
ober
25,
200
5
Programming and Composition Track
1.3.1: Composition model for security Survey discussion [De Win], CAS for .NET [Smans]
1.3.2: Complex composition scenarios Improving abstractions [Verhanneman], Generic XACML
binding, Dependency scenarios [Desmet]
1.4.1: Definition basic security requirements 1.4.2: Support for contracts in component frameworks
Extending .NET for contracts [Jacobs]
1.4.3: Evaluation of component frameworks Comparison J2EE, CORBA, .NET, WS, Mobile [Goovaerts]
8
Tue
sday
Oct
ober
25,
200
5
Software Engineering Track
2.1.1: Inventory of common security requirements Literature study and case study driven
2.2.1: Study of industry best practice Overview presented in workshop [Ubizen]
2.2.2: Study of mainstream SE processes Focus on UP and XP to be presented in workshop, survey of
relevant research [De Win]
9
Tue
sday
Oct
ober
25,
200
5
Tamper and Analysis Resistance Track
3.1.1: Survey of critical software modules Analysis report [Cappaert]
3.2.1: Development of new software effective efforts Description and testing of first ideas [Wyseur]
All results are available on the project website (http://sobenet.cs.kuleuven.be)
10
Tue
sday
Oct
ober
25,
200
5
Shielding and Interception Track
4.1.3: Study of interception in the software industry Application to KWS case
4.1.6: Study of transfer mechanisms Inventory of transfer mechanisms
4.1.7: Design of interception point coordination SIAMM and SOSA
4.2.1: Study of formal approaches ASM-based specification of application-level protocols for OO
4.2.2: Derivation of security requirements Protocol conformance checker from ASM specification
[Smans]
4.2.3: Study of attack methods Survey of various attack methods [Ubizen]
4.2.4: Study of attack options Survey of various attack options [Ubizen]
11
Tue
sday
Oct
ober
25,
200
5
Focus for Year 02 (revisited)
Headlines Interrelations between point solutions in track
I (Languages and composition)Maturing the application case studies – track I Intensifying the software engineering track –
track II
Cross-fertilization between the above and tracks III en IV respectively
12
Tue
sday
Oct
ober
25,
200
5
Headlines of Year 3
Composition model for security (COSMOS): elaboration of new contract types Integration with mainstream component
frameworksRefinement of secure development process
activities (leveraged, among others, by results of other tracks)
Improved techniques for tamper and analysis resistance
Security management and monitoring
13
Tue
sday
Oct
ober
25,
200
5
Agenda
14:00h Introduction and overview of last year's activities
14:30h Presentation of selected results DistriNet:- Verifiable Contracts for Stack Inspection Based Sandboxing by Jan Smans
- by Yves Younan
15:10h Presentation of selected results COSIC:- Identification and Classification of Critical Software Modules in Modern Applications by Jan Cappaert
15:50h Break
16:00h Presentation of selected results Ubizen:- The best plans don't survive first contact; Bad guys think differently by Eddy Vanlerberghe
16:40h Discussion: feedback and opportunities for validation
17:00h Conclusion
17:10h Informal gathering
14
Tue
sday
Oct
ober
25,
200
5
Feedback and Validation
User group pollMore focus on validationKey target platforms: J2EE and .NET
15
Tue
sday
Oct
ober
25,
200
5
Future Events28/10/2005 SoBeNeT workshop “The role of security in
software processes (UP, XP) and software architecture”
14/10/2005 Hack.lu workshop “Web Application Vulnerability Assessment”
09/11/2005 12th ACM Computer and Communication Security Conference (CCS)
21-25/11/2005 IPA Herfstdagen over Security
12-16/12/2005 Javapolis (security track)
20-24/02/2006 Secure application development course
13-15/03/2006 International Symposium on Secure Software Engineering (ISSSE)