Høgskolen i Gjøvik

INFORMATION SECURITY 2012

SVEIN ROGER ENGEN

Title: Preventing and Mitigating Client-Side Vulnerabilities of Smart Card Based e-ID Applications 

Abstract:

More and more companies are digitalizing their services. This is because they want to reach out to the constantly demanding customers. An efficient way for handling the authentication processes is to use service providers that offer authentication. Some service providers offer the use of smart-cards for user authentication.

In systems where the personal computer is used as a terminal for smart-card systems, software needs to be deployed on the client side. This software is used to communicate with the smart-card reader and eventually the smart-card. Malicious software may modify and/or intercept this communication.

The master thesis will use techniques such as architecture analysis, reverse engineering and de-compilation to discover possible vulnerabilities in the software used for communicating with the smart-card on the client's computer. These vulnerabilities will then be exploited, with the use of proof of concept implementations. Countermeasures on how to protect oneself against these exploits will be described. By finding possible vulnerabilities on the client side in a smart-card system, these vulnerabilities will become known and proper countermeasures can be applied. This will help service-providers to improve the security, making their product more secure for end-users.

KRISTIAN NORDHAUG 

Title: GPU accelerated NIDS

 
Abstract:

Network Intrusion Detection System (NIDS) analyzes network traffic for malicious activities and reports findings from events that intend to compromise the security of the computers and other equipment. An NIDS looks into both header and payload of the network packets to identify possible intrusion.

NIDS models that only use Central Processing Units (CPU), such as Snort, have in the last decade struggled with the CPU being the bottleneck of the system. Network traffic has been increasing more rapidly than the clock-speed of CPUs. The CPUs have gained more cores, but lack implementation for utilizing multi-core CPUs and are unable to cope with the bandwidth throughput we are starting to see in high-tech network infrastructure that they are set to protect. The massive flow of data packets overloads the NIDS and leads to packet loss, which makes packets pass by unchecked for malware and intrusion attempts, increasing the false-negative rate.

The use of Graphics Processing Units (GPU) for general-purpose scientific and engineering computing has grown exponentially in the last few years. This has happened mostly from the work Nvidia has put into their CUDA platform and programming model. Some of the most common areas for use of GPUs are fluid dynamics, seismic processing, molecular dynamics, computational chemistry, finance and supercomputing. GPU computing is the short term used when ordering the GPU to take over and accelerate the computationally-intensive calculations normally done by the CPU, and instead let the CPU take care of the more sequential part of the application. They then work together solving tasks in a heterogeneous co-processing computing model. Programs need to be specifically designed to run optimized on a GPU, and special programming APIs have been designed explicitly for GPU computing; the most well known are CUDA and OpenCL. In recent years, modern GPUs have evolved from being the tool that displays high-end graphics for games, to being used in general-purpose scientific and engineering computing across a range of platforms.

The goal of this project is to harness the power within GPUs and use it to accelerate NIDS such as Snort, by use of CUDA technology. Many papers have been released on the topic of GPU acceleration, but only a handful for NIDS (such as PixelSnort (2006) and Gnort (2008)), with varying results. We believe this can be improved dramatically by further research in how different hardware components interact and how to exploit the components and their APIs in new ways for high-performance.

ANDREAS TELLEFSEN

Title:  Government Cloud Computing: Specification and Prototypical Implementation of Cloud Computing Applications for Police and Law Enforcement

Abstract:

As the amount of information found at digital forensic crime scenes increases each year, conventional methods for evidence handling and analysis come under pressure to perform at a sufficient level. New techniques are needed to meet this demand, and cloud computing is a possible solution. Little has been done to explore the possibilities of using cloud computing as a forensic tool, something that might solve many of the emerging and present problems for digital analysts.

Cloud computing uses the combined power of several host servers to create a resource pool, which might then be applied to several simultaneously running activities based on the need for computing power or storage. By creating a platform made to handle expansions and dynamically allocate resources, cloud computing might significantly improve ever changing systems like digital forensic testbeds or frameworks.

Developing law enforcement systems based on a cloud computing platform has several benefits. Using the cloud solution will provide law enforcement with a strong and versatile tool for the analysis of digital content, as well as first hand experience with using a cloud platform. In the long run, the cloud platform might be expanded to cater for the entire police force, meaning that abundant resources and powerful services can be made available for the entire law enforcement community, not just for a local department.

During this thesis an elaborate specification for a law enforcement cloud computing environment will be created, covering amongst other things legal, compliance and structural demands. A proof-of-concept implementation will also be created, complete with tools that might benefit a forensic analyst. It is our hope that the implementation might be used both to test the capabilities of new forensic software in a cloud environment, and be a useful tool for GuC and NISlab during real forensic casework.

CLAES LANNER

Title:  User Centric Identity Management system

Abstract:

People have identities, and on the Internet they have a representation of themselves in a digital Identity that is issued/received from an Identity Management system (IdMS). This project will examine an IdMS from a user centric view and look at the problems users have with their Identities online, and how an IdMS could be constructed to reduce user problems.

Some of those user problems are:

• The number of Identities a user needs grows
• It’s becoming unmanageable to handle all passwords to all the Identities
• Risk for Identity theft
• Privacy: What kind of information might the Identity provider share with others?
• How can the individual user make a risk based decision about what Identity to use on what site/resource?

The benefits with this project would be to: a) improve the understanding of how applications/web sites might be designed to yield trust, and b) design a strategy for ensuring the security level c) design requirements for a usable, secure, inter-operable, user centric IdMS which can be used to benchmark available IdMS against and see where we have a gap.

The planned contribution from the Master Thesis would be to develop a new, user centric, IdM model with a set of requirements and to benchmark that model against present user centric IdMS, and to see if it’s possible to, and how to, bridge that gap.

RUNAR MOEN

Title: Incorporating secure software development 

Abstract:

Modern software has many of the same security vulnerabilities as software has had for a long time. One way to improve on this might be to inform the different roles in software development on why it is important to focus on security and general code quality, and give them information about where to learn more. The information will be presented for small to mid-sized projects, and especially web-applications.

There exists a lot of information about how to secure software, mainly aimed at developers. There also exist several methodologies for creating secure software; they are often seen as too heavy. To get a more complete handling of securing the software it is not enough to have security aware developers; management and the rest of the team also need to consider security and make time for implementing and testing the security.

This thesis will contain the background used to produce three security awareness campaigns. One for management, one for analysts, architects and project leaders, and one for developers and QA personnel.

LARS ARNE SAND

Title: Malware Detection based on Function Call and Information-based Dependency Matching

Abstract:

Malicious software (malware) has been a constant threat to computer environments. Every year malware inflicts a staggering amount of damage and incurs vast financial losses worldwide. Malware has changed drastically and its purpose, attack vectors and methods are no longer simple. Furthermore the attackers often utilize unknown vulnerabilities, evasion techniques and generator algorithms which drastically increase the impact, effectiveness and quantity of malware. Thus the task falls to security experts to develop tools and techniques to thwart this ever expanding threat. The challenge is to detect all attacks, regardless of evasion techniques, while keeping false alarms to a minimum.

There exist advanced methods of malware detection, which utilize statistical methods, clustering or learning. However, these algorithms often have high false positive rates or low detection accuracy. Due to these downsides, they are seldom deployed. Because of this, typical malware detection utilizes signature matching, since these systems are accurate and provide low false alarm rates. Furthermore users have high expectations for both reliability and speed, such that security measures which result in high overhead are rarely acceptable. The attackers spend many resources on finding new attacks as well as employing cutting-edge obfuscation techniques to evade detection. Previous work countered this by bringing detection to the lower levels of computer hierarchy, namely by function call analysis. Function call analysis can be performed both statically and dynamically. Static analysis is typically performed through source code analysis or disassembly, while dynamic analysis through function call tracing. This thesis focuses on the latter.

There are several ways of analyzing function call traces. Both sequential, non-sequential, use of arguments, resource use, n-gram, tainting etc. However in this thesis we focus on function calls and their inter-dependencies and thus sequences of function calls are used. The inter-dependencies are created using information about function call parameters and return values. Because of this we call this method information-based dependency matching. Furthermore it will analyze at what level function call analysis is best performed. Be it at a high level for program libraries or low level near system kernel. The goal is to gain a better understanding of pros and cons with regard to detection accuracy, obfuscation and throughput at the different layers.

UNO ANDRÈ JOHANSEN

Title: Keystroke Dynamics using a device with touch screen

Abstract:

The problem targeted by this master thesis arises from three areas. First, the increased dependency on online services makes the internet more attractive to criminals. Second, people have a lot of passwords to remember. However this is easily solved by choosing easy to remember and guess passwords, using the same password at several locations or writing down passwords in insecure locations, which all lead to lower security. Third, smartphones are widespread and often used to access important online services. Banking is one such service. To enhance security of the authentication process, one time passwords sent to the customer's cellphone are often used. When using a smartphone both to log on to a service and to receive a one-time password, we end up with a less secure solution. After all, smartphones are small and easy to steal and misplace, resulting in lower security. The problem is how we can mitigate these increased threats and vulnerabilities to make online authentication more secure.

A lot of research is done on keystroke dynamics (KD). KD is about how a user writes on a keyboard and it is common to use timing information to determine this behaviour. Most of this research is done on computers with conventional keyboards, where available timing information is accurate and precise. This master thesis is focused on authentication from a smartphone, having a touchscreen and running on the Android operating system. The aim is to determine if KD can be used to enhance security of online authentication in such an environment.

We will use data collection, analysis and experiments to determine the performance of KD when using timing information gathered from a touch screen, and to find the impact some new features have on KD performance. Most smartphones having a touchscreen and running on the Android operating system have a built-in sensor detecting device movement. Device movement and where on the key the user hits/moves on the touch screen will be tested as new features in KD. This study is a step on the road to decide if KD is a feasible technology to enhance security of authentication on smartphones having a touchscreen.

EINAR KROKAN

Title: Modeling usability, accessibility and security when designing authentication solutions

Abstract:

Usability and security are often looked at as contradictions. When improving usability, security suffers, and when improving security the usability can be decreased. Accessibility for people with different kinds of disabilities is often not considered at all and is implemented after the solutions are finished and may result in insecure solutions. Universal design is a principle that has become more important and its purpose is that solutions should be designed in a way so all people should be able to use them. A new law in Norway from July 1 2011 states that new solutions should be created with universal design in mind.

In this paper we present a model for taking usability, accessibility and security into consideration when designing user interfaces. We extend a model where usability and accessibility are modelled by looking at different types of constraints a user might have together with external constraints (Obrenovic et al., 2007). The user interface is viewed as two communication channels, one from the system to the user and one from the user to the system. Between the system and the user different constriction and disturbances of the information flow can happen. Different constrictions to the user, system, environment and social can affect how the information flows. This makes it possible to see if the designed interface is suitable for the given situation and a given set of users. The model is extended to take security into consideration by looking at security in a safety-critical view (Brostoff and Sasse, 2002) where the work by Reason (Reason, 1991) on human errors is used to model security. By using this model we hope that it is easier to end up with secure, usable systems that can be used by everyone. We also want to see if the model can give us more insight on how changes to any of the three parameters will affect the other two. A case study on payment systems where credit cards together with PIN codes are used for authentication is planned to be carried out.

An experiment on a prototype user interface for a PIN entry method on payment terminals is then tested on two different groups, one with visual impairments and one without. The usability, accessibility and security of the solution on both groups are compared to what we found using our model.

ANDERS KRISTIANSEN

Title: Cloud Computing - Security in Service Level Agreements

Abstract:

Service Level Agreements for computing infrastructure are often verbose documents that are typically set aside once they are signed. As there are no standards for documenting SLAs, customers must manually explore the details of the potential provider; early stage SLAs might leave gaps in security defenses resulting in uncovered liabilities for the customers. A major current industrial trend in this area emerged around the paradigm of cloud computing. Cloud computing is essentially a new business model for operating IT resources by providing them as common utility services that are offered and consumed by multiple stakeholders. One of the first questions that invariably gets raised about the Cloud is... “is it secure?”

Topics covered by the project

From the presented topic three main perspectives are applicable: business, technological and judicial perspective. This project aims to adopt a combination of the technological and business perspective. This project aims to analyze the state of the art on Service Level Agreements with regard to security in cloud computing and will be relevant for cloud brokers, potential cloud customers, decision makers and other researchers.

Problem description

For organizations and companies, security has been identified as one of the key factors for decisions about adopting cloud services. A recent survey made by YouGov on behalf of Kaspersky Lab reported that two thirds of all firms have security fears of cloud computing. In addition to security fears, data protection (60%) and a perceived lack of regulation (26%) were stated as an obstacle to cloud adoption. To mitigate the risks, Service Level Agreements are introduced; the SLA is the only legal document between the cloud provider and customer. The SLAs have no standardization, and they will vary from the type of service and platforms the cloud provider offers. The offered SLAs are often a part of key decision factors when business choices are made. If you want to adopt a cloud computing strategy, you need to make sure you carry out due diligence on the service provider before you entrust this firm with your vital data; this makes the SLAs important to analyze in detail. The problem arising from this: it is unclear to what extent the SLAs address customers’ security concerns in cloud based services.

 

KAMER VISHI

Title: Group Biometrics in Sport Event Identity Management

Abstract:

Increasing the number of major sport events in Innlandet region is a major concern of developing tourist industry. Innlandet has a higher degree of low paying tourists and less of high-paying conferences according to SSB-Norway statistics (Statistisk SentralByrå).

Hosting major sport events is an important leg for a sustainable tourist industry in order to increase the number of tourists. Improving the logistics supply chain of housing, transport, food and voluntary workers is of vital importance for offering new services to the athletes and organisers.

Birken is the biggest sport event in Innlandet, which includes three annual races of skiing, cycling and running, participated in by nearly twenty thousand national and international athletes. Thus, it provides an opportunity to assess the current experiences with the event, and for making a gap analysis between the current processes used and the new services that could be offered with the help of advanced technology and improved logistics supply chain. Based on the gap analysis mentioned before, RFID (Radio Frequency Identification), NFC (Near Field Communication) and Biometrics are the technologies that can be used in sport event Identity Management (IDM).

We are particularly focused on biometrics as an Identity Management solution in sport events. Major sporting events such as Birken races, could provide such an opportunity. These mass public events require special security measures to be achieved while enhancing visitors’ convenience. As these events are particularly visible to the public and gather a significant number of visitors they are vulnerable to terrorist threats. The use of biometrics is one way to combine high security and convenience. In addition to this, citizens can experience the positive aspects of biometrics and become familiar with using this technology. Biometrics offer additional protections that are unavailable or weaker through more traditional authentication or identification technologies.
These include:

• Convenience
• Accountability
• Security

Biometrics can obviate the carrying of identifying tokens or cards that can be lost, misplaced, or – more saliently – stolen.

Identity management is an important factor in many different contexts such as in pre- and post-event travel, Birken enrollment, housing arrangements, transfer of equipment and belongings (e.g. between Rena and Lillehammer).

In order to achieve biometric identity management in sport events, we will analyze the current approaches of biometric feature extraction and template creation for individuals as well as fusion of modalities (multi-modal biometrics). We have started with suggesting the fusion of multi-modalities, particularly the fusion of fingerprint and vein characteristics. Furthermore, we suggest the three level framework as a methodology for fusing these two modalities in order to obtain a template for group biometrics. The performance of the eventually designed template will be measured by using metrics such as False Acceptance Rate (FAR) and False Rejection Rate (FRR).

Ultimately, the following results are expected:
 1. Scenarios: describing the situations where individual and group biometrics is necessary for sport event identity management
 2. The group biometrics template
 3. The test results for implementing the group biometrics template.

Student's URL: http://www.stud.hig.no/~091340

BENJAMIN ADOLPHI

Title: Cross-Platform Evaluation of App Hardening

Abstract:

Mobile devices have become very popular in recent years. This can be seen from the fact that in 2011, the number of smart-phones sold worldwide for the first time surpassed the number of PCs sold. With mobile devices becoming more and more popular and at the same time increasing their functionality, malware authors have realized the potential of mobile platforms. This can be seen from the drastic increase of malware on these platforms. The first mobile platform malware was detected in 2004. In October 2011, only 7 years later, the number of known malware variants on mobile platforms has gone up to more than 4000.

In an attempt to increase security for their users, many popular mobile platforms restrict the capabilities of applications. The idea is to make it more difficult for malware authors to create malware with enough capabilities to be useful. However, by trying to restrict what malware can do, mobile platform vendors equally restrict those anti-malware tools. This causes the problem that while malware authors are only limited by their creativity to circumvent the restrictions of the platforms, serious anti-malware tools have to play by the rules. Traditional anti-malware tools need system-wide access to resources like the file system or the network interface in case of an anti-virus program or a firewall, respectively. This is, however, not provided to programs on all mobile platforms. In order to get a better understanding of these restrictions, the master thesis will investigate to what extent malware and anti-malware tools are restricted.

One potential way for a security solution to overcome the restrictions of the platforms is called app hardening. This protection mechanism does not try to prevent a system from being infected. It operates under the assumption that the system is already infected. Its goal is to enable a user to securely deal with sensitive information, even if the system is infected, by limiting the protection to the program that deals with the sensitive information. This is done for example by monitoring the program and terminating it if it behaves in an unexpected way, e.g. because malware is attempting an infection. A big advantage of the app hardening solution is that it can detect malware without knowing of its existence, because it does not look for specific kinds of malware. App hardening approaches look for behavior of applications that is not expected on an uninfected system and are therefore able to detect previously unknown malware.

One example of an already existing app hardening implementation comes from the company Promon AS, which has implemented app hardening on the Windows desktop platform. This master thesis shall investigate if the app hardening approach of Promon can also work on mobile platforms.

KNUT PETTER ÅSTEBØL

Title: redHash - A new approach for fuzzy hashing

Abstract:

Effective investigation of crime is important to reduce crime in any society. During the last decades there has been an explosive growth in the usage of information systems. Criminal activities often generate electronic evidence in some way and agencies need effective methods to do digital forensics.

As the amount of digital data seized in a case may be enormous, it's important that the investigators have effective and efficient methods to reduce the number of files subject to manual inspection. The number of files is reduced by automatically identifying known files, both known-to-be-bad and known-to-be-good files are identified. Hash digests (fingerprints) of the files are compared to hash digests in a reference database to identify known files. Working that way, only unknown files are subject to manual investigation.

Currently there exist good methods, such as cryptographic hash functions, for identifying identical files. It is much more difficult to identify similar files and good methods for identifying similar files are missing. Using cryptographic hash functions, similar files may get completely different hash digests. Criminals may therefore avoid automatic detection by changing negligible parts of the file; circumventing automatic recognition may seriously delay the investigator. Fuzzy hashing is a kind of hash algorithm used to detect similar files. Using fuzzy hashing, similar files get similar hash digests. Current fuzzy hashing methods do not withstand active attacks where the attacker is trying to circumvent automatic recognition.

There has been much research to find methods for identifying similar files. There exist methods for detecting similar files where the files have a specific content, such as perceptual hashing for images and text fingerprinting for text documents. Within digital forensics there is a need for similarity detection working independently of the content of the file. Fuzzy hashing is an approach working independently of the content of the file, where similar files will have similar hash digests. There have been some proposals for fuzzy hashing. The most well-known proposals are called block-based hashing, CTPH, and sdhash. A challenge for the investigator is the increase in methods and tools for doing anti-forensics. A fuzzy hashing method must therefore be robust against anti-forensics. The fuzzy hashing methods block-based hashing and CTPH do not withstand anti-forensics attacks.

The contributions from this master thesis will be an implementation and a security analysis of redHash. The security analysis will decide if redHash fulfils the requirements for a secure fuzzy hash function.

DAVID ORMBAKKEN HENRIKSEN

Title:  Managing signatures for network intrusion detection systems in a distributed environment - A study of a signature management system

Abstract:

Looking at recent years’ research concerned with network intrusion detection systems (NIDS), a lot of research has been done, but only a small amount of this research actually addresses the human side of intrusion detection work. The fact of the matter is that an NIDS’s successfulness in detecting intrusions depends largely on the human interaction in the configuration, analysis and response phases.

The well-known problem with signature based NIDS is the huge number of false-positives that they generate. Looking past the technological solutions to this problem (where a lot of work has been done) and looking at what IDS-operators can do to address this problem, two things come to mind: configuration of network variables and tuning of signatures. Configuring network variables is mainly a one time job, while managing signatures is an ongoing process, which becomes more resource demanding each year. The acknowledged open source NIDS Snort used ca. 3000 signatures in 2005 and in 2010 the number of signatures had increased to ca. 15000, which is an increase of 5 times in 5 years, and there is nothing that indicates that this won’t keep up. Then imagine the additional complexity added when managing more than one NIDS, where all the NIDS have their own customized signature set. In addition, customizing the rule set requires deep knowledge and skills. It becomes clear that manual management of signatures is a challenging task.

This master thesis will try to identify the different parts of the manual process of signature management and propose improvements to this process. A proof-of-concept implementation, based on the proposed improvements, will be developed and measured for degree of enhanced usability and efficiency. It is our hope that this research, if applied, could simplify the life of a NIDS-operator.

17.03.2012