Dissertations / Theses on the topic 'Security object'

Internet of Things (IoT) refers to an inter-connected world where physical devices are seamlessly integrated into the Internet and become active participants of business, information and social processes. This involves the inter-connection of a large number of heterogeneous networked entities and networks. Emergence of technologies such as Zigbee, Bluetooth low energy and embedded sensors has transformed simple physical devices into smart objectsthat can understand and react to their environment. Such smart objects form the building blocks for the Internet of Things. The communication infrastructure for these objects is based on an extension of the Internet protocol stack. Although the need for security is widely accepted, there is no clear consensus on how IP-based Internet security protocols can be applied to resource-constrained smart object networks. In this thesis  we develop a new secure and energyefficient communication model for the Constrained Application Protocol (CoAP), a light-weight communication protocol designed for smart object networks. We contribute to the standardization of the generic communication architecture by adding security and delegation components for smart objects that sleep for large amounts of time during their operational phase. This architecture ensures data integrity and authenticity over a multi-hop network topology. It also provides a mirroring mechanism that uses a proxy to serve data on behalf of sleeping smart objects, thereby allowing them to act as always-online web servers. A working prototype implementation of the architecture is also developed. The security features in the architecture presented in this thesis are based on using strong public-key cryptography. Contrary to popular belief, our performance evaluation shows that asymmetric public-key cryptography can be implemented on small 8-bit micro-controllers without modifying the underlying cryptographic algorithms.
Internet of Things (IoT, ”Föremålens Internet") syftar på en sammankopplad värld där fysiska apparater är sömlöst integrerade till Internet och blir aktiva deltagare i affärslivs-, informations- och sociala processer. Detta innefattar sammankopplingen av ett stort antal heterogeniskt nätverkade enheter och nätverk. Uppkomsten av teknologier som Zigbee, låg energi Bluetooth och inbyggda sensorer har förvandlat enkla fysiska apparater till smarta objekt som kan förstå och reagera till sin omgivning. Dessa smarta objekt utgör byggstenarna för Föremålens Internet. Kommunikationsinfrastrukturen för dessa objekt bygger på en utvidgning av internetprotokollstacken.  Även om behovet av säkerhet är allmänt känt, finns det inget konsensus om hur IP-baserade internetsäkerhetsprotokoll kan tillämpas i resursbegränsade smartobjektnätverk. I denna avhandling utvecklas en ny säker och energisnål kommunikationsmodell för Constrained Application Protocol (CoAP, “Begränsat applikationsprotokoll"), ett lätt kommunikationsprotokoll avsett för smartobjektnätverk. Avhandlingen bidrar till standardiseringen av den generiska kommunikationsarkitekturen genom att tillsätta säkerhets- och delegationskomponenter för smarta objekt som sover under en stor del av sin operativa fas. Denna arkitektur garanterar dataintegritet och autenticitet över en flerhopps nätverkstopologi. Arkitekturen bidrar också med en återspeglingsmekanism som använder sig av en proxyserver för att erbjuda data för sovande smarta objekts del, vilket låter dem agera som alltid-online webbservrar. I avhandlingen utvecklas också en fungerande prototypimplementation av arkitekturen. Säkerhetsegenskaperna i den arkitektur som presenteras i denna avhandling är baserade på användningen av stark publik-nyckel kryptering. I motsatts till den allmänna förväntningen, visar prestationsbedömningen i denna avhandling att asymmetrisk kryptering med publik nyckel kan tillämpas i 8-bitars mikrokontrollrar utan att ändra på de underliggande kryptografiska algoritmerna.

The Internet of Things (IoT) is seen as one of the next Internet revolutions. In a near future the majority of all connected devices to the Internet will be IoT devices. These devices will connect previously offline constrained systems, thus it is essential to ensure end-to-end security for such devices. Object Security is a concept where the actual packet or sensitive parts of the packet are encrypted instead of the radio channel. A compromised node in the network will with this mechanism still have the data encrypted ensuring full end-to-end security. This paper proposes an architecture for using the object security format COSE in a typical constrained short-range radio based IoT platform. The IoT platform utilizes Bluetooth Low Energy and the Constrained Application Protocol for data transmission via a capillary gateway. A proof-of-concept implementation based on the architecture validates that the security solution is implementable. An overhead comparison between current channel security guidelines and the proposed object security solution results in a similar size for each data packet. The thesis concludes that object security should be seen as an alternative for ensuring end-to-end security for the Internet of Things.

The main objective of this master’s thesis project was to investigate and find solutions to the problem of how to combine the SyncML synchronisation specification with object security and thus protection of personal information, such as contacts and calendar entries in mobile devices. SyncML is a new synchronisation specification agreed upon by major device developers (Ericsson, Palm, Motorola, etc.) and the major synchronisation server developers (Starfish, Puma, fusionOne, etc.). It is independent of transport (HTTP, WSP, or OBEX) platform, operating system, and application and simplifies synchronisation of personal information between dissimilar SyncML supportive devices. SyncML compliant devices are fully capable of synchronising information with a third party operated Internet based server and a desktop computer. This allows us to access, up-date and maintain information independent of Intranets or geographical position. However, synchronising and storing confidential personal information on an third party operated Internet based server entails weaknesses in our personal information security. Even if transport and storage security are used, how secure is the server where this information is stored since this server has the highest probability of being attacked. Can we really trust that an employee or other person with valid appropriated administrators access to the storage facility with the appropriate knowledge, working together with the third party server operator, won’t try to access our stored information? To prevent this, the personal information’s confidentiality must be guaranteed before the information leaves the device. When synchronising and exchanging personal information, the information is often marked according to a specific format. The three de-facto standard PIM formats are: (1) vCard (contact information), (2) vCalendar, and (3) iCalendar (calendar and scheduling information). These formats divide the personal information into properties. Each property is assigned to contain a small piece of the personal information entry (e.g. a telephone number, an e-mail address, the time when the calendar event begins, etc.). Furthermore to preserve the interoperability between different devices given by SyncML, authorised recipients must automatically be able to reverse the encryption process and decrypt the encrypted property value. Therefore general cryptographic formats are used (e.g. CMS, PGP and the newly developed XML Encryption). They add information needed by the recipients (e.g. algorithm used, padding method used on the plain text, etc.), encrypt the plaintext into cipher text, and decrypt the cipher text into plain text given the correct key.

The area of this research is security in distributed environment such as cloud computing and network applications. Specific focus was design and implementation of high assurance network environment, comprising various secure and security-enhanced applications. “High Assurance” means that -               our system is guaranteed to be secure, -               it is verifiable to provide the complete set of security services, -               we prove that it always functions correctly, and -               we justify our claim that it can not be compromised without user neglect and/or consent.   We do not know of any equivalent research results or even commercial security systems with such properties. Based on that, we claim several significant research and also development contributions to the state–of–art of computer networks security. In the last two decades there were many activities and contributions to protect data, messages and other resources in computer networks, to provide privacy of users, reliability, availability and integrity of resources, and to provide other security properties for network environments and applications. Governments, international organizations, private companies and individuals are investing a great deal of time, efforts and budgets to install and use various security products and solutions. However, in spite of all these needs, activities, on-going efforts, and all current solutions, it is general belief that the security in today networks and applications is not adequate. At the moment there are two general approaches to network application’s security. One approach is to enforce isolation of users, network resources, and applications. In this category we have solutions like firewalls, intrusion–detection systems, port scanners, spam filters, virus detection and elimination tools, etc. The goal is to protect resources and applications by isolation after their installation in the operational environment. The second approach is to apply methodology, tools and security solutions already in the process of creating network applications. This approach includes methodologies for secure software design, ready–made security modules and libraries, rules for software development process, and formal and strict testing procedures. The goal is to create secure applications even before their operational deployment. Current experience clearly shows that both approaches failed to provide an adequate level of security, where users would be guaranteed to deploy and use secure, reliable and trusted network applications. Therefore, in the current situation, it is obvious that a new approach and a new thinking towards creating strongly protected and guaranteed secure network environments and applications are needed. Therefore, in our research we have taken an approach completely different from the two mentioned above. Our first principle is to use cryptographic protection of all application resources. Based on this principle, in our system data in local files and database tables are encrypted, messages and control parameters are encrypted, and even software modules are encrypted. The principle is that if all resources of an application are always encrypted, i.e. “enveloped in a cryptographic shield”, then -               its software modules are not vulnerable to malware and viruses, -               its data are not vulnerable to illegal reading and theft, -               all messages exchanged in a networking environment are strongly protected, and -               all other resources of an application are also strongly protected.   Thus, we strongly protect applications and their resources before they are installed, after they are deployed, and also all the time during their use. Furthermore, our methodology to create such systems and to apply total cryptographic protection was based on the design of security components in the form of generic security objects. First, each of those objects – data object or functional object, is itself encrypted. If an object is a data object, representing a file, database table, communication message, etc., its encryption means that its data are protected all the time. If an object is a functional object, like cryptographic mechanisms, encapsulation module, etc., this principle means that its code cannot be damaged by malware. Protected functional objects are decrypted only on the fly, before being loaded into main memory for execution. Each of our objects is complete in terms of its content (data objects) and its functionality (functional objects), each supports multiple functional alternatives, they all provide transparent handling of security credentials and management of security attributes, and they are easy to integrate with individual applications. In addition, each object is designed and implemented using well-established security standards and technologies, so the complete system, created as a combination of those objects, is itself compliant with security standards and, therefore, interoperable with exiting security systems. By applying our methodology, we first designed enabling components for our security system. They are collections of simple and composite objects that also mutually interact in order to provide various security services. The enabling components of our system are:  Security Provider, Security Protocols, Generic Security Server, Security SDKs, and Secure Execution Environment. They are all mainly engine components of our security system and they provide the same set of cryptographic and network security services to all other security–enhanced applications. Furthermore, for our individual security objects and also for larger security systems, in order to prove their structural and functional correctness, we applied deductive scheme for verification and validation of security systems. We used the following principle: “if individual objects are verified and proven to be secure, if their instantiation, combination and operations are secure, and if protocols between them are secure, then the complete system, created from such objects, is also verifiably secure”. Data and attributes of each object are protected and secure, and they can only be accessed by authenticated and authorized users in a secure way. This means that structural security properties of objects, upon their installation, can be verified. In addition, each object is maintained and manipulated within our secure environment so each object is protected and secure in all its states, even after its closing state, because the original objects are encrypted and their data and states stored in a database or in files are also protected. Formal validation of our approach and our methodology is performed using Threat Model. We analyzed our generic security objects individually and identified various potential threats for their data, attributes, actions, and various states. We also evaluated behavior of each object against potential threats and established that our approach provides better protection than some alternative solutions against various threats mentioned. In addition, we applied threat model to our composite generic security objects and secure network applications and we proved that deductive approach provides better methodology for designing and developing secure network applications. We also quantitatively evaluated the performance of our generic security objects and found that the system developed using our methodology performs cryptographic functions efficiently. We have also solved some additional important aspects required for the full scope of security services for network applications and cloud environment: manipulation and management of cryptographic keys, execution of encrypted software, and even secure and controlled collaboration of our encrypted applications in cloud computing environments. During our research we have created the set of development tools and also a development methodology which can be used to create cryptographically protected applications. The same resources and tools are also used as a run–time supporting environment for execution of our secure applications. Such total cryptographic protection system for design, development and run–time of secure network applications we call CryptoNET system. CrytpoNET security system is structured in the form of components categorized in three groups: Integrated Secure Workstation, Secure Application Servers, and Security Management Infrastructure Servers. Furthermore, our enabling components provide the same set of security services to all components of the CryptoNET system. Integrated Secure Workstation is designed and implemented in the form of a collaborative secure environment for users. It protects local IT resources, messages and operations for multiple applications. It comprises four most commonly used PC applications as client components: Secure Station Manager (equivalent to Windows Explorer), Secure E-Mail Client, Secure Web Browser, and Secure Documents Manager. These four client components for their security extensions use functions and credentials of the enabling components in order to provide standard security services (authentication, confidentiality, integrity and access control) and also additional, extended security services, such as transparent handling of certificates, use of smart cards, Strong Authentication protocol, Security Assertion Markup Language (SAML) based Single-Sign-On protocol, secure sessions, and other security functions. Secure Application Servers are components of our secure network applications: Secure E-Mail Server, Secure Web Server, Secure Library Server, and Secure Software Distribution Server. These servers provide application-specific services to client components. Some of the common security services provided by Secure Application Servers to client components are Single-Sign-On protocol, secure communication, and user authorization. In our system application servers are installed in a domain but it can be installed in a cloud environment as services. Secure Application Servers are designed and implemented using the concept and implementation of the Generic Security Server. It provides extended security functions using our engine components. So by adopting this approach, the same sets of security services are available to each application server. Security Management Infrastructure Servers provide domain level and infrastructure level services to the components of the CryptoNET architecture. They are standard security servers, known as cloud security infrastructure, deployed as services in our domain level could environment. CryptoNET system is complete in terms of functions and security services that it provides. It is internally integrated, so that the same cryptographic engines are used by all applications. And finally, it is completely transparent to users – it applies its security services without expecting any special interventions by users. In this thesis, we developed and evaluated secure network applications of our CryptoNET system and applied Threat Model to their validation and analysis. We found that deductive scheme of using our generic security objects is effective for verification and testing of secure, protected and verifiable secure network applications. Based on all these theoretical research and practical development results, we believe that our CryptoNET system is completely and verifiably secure and, therefore, represents a significant contribution to the current state-of-the-art of computer network security.
QC 20110427

Trabalho apresentado no âmbito do Mestrado em Engenharia Informática, como requisito parcial para obtenção do grau de Mestre em Engenharia Informática
The need for a security system to ensure the integrity of protected data leads to the development of access control systems, whose purpose is to prevent access to protected information or resources by unauthorized individuals. In this thesis, we develop and formalize a type and effect system that verifies the access control to objects in a simplified object-oriented language. Traditionally, access control is done only at run-time, using dynamic techniques, such as access control lists, that perform run-time verifications for credentials and privileges. However, these techniques increase the total execution time of an operation, potentially breaking system requirements such as usability or response time. Static approaches, based on static analysis or type systems, reduce the amount of run-time checks by doing some of those checks during compile-time, preventing the occurrence of errors before running the program and offering formal proofs of system correctness. The type system developed in this dissertation deals with the dynamic delegation of authorizations to access objects. An authorization includes the identification of the protected object and its access policy and is considered by the type system as a first class value. As such, object types are extended with policies that reflect the current privilege associated with the object, and typing an expression can produce an effect on policies. We name this new type as user type and the respective value as user view, which contain the object’s reference and a policy to access the object. We consider privileges over objects to be the methods that can be invoked. So, a policy states what methods are available to be called. When typing a method call by an user view, we are able to verify if it was authorized, that is, if the current policy says that the method is available. This mechanism allows the removal of common security specifications from class declarations, as visibility modifiers (public, private). Furthermore, we present a soundness result for our type system. We also implemented a typechecking algorithm for our type system, resulting in a tool to verify the integrity of protected objects in a system designed in the defined programming language.
This work was supported by a CITI research grant

During the last two decades, the interest for computer aided modeling and simulation of complex physical systems has witnessed a significant growth. The recent possibility to create acausal models, using components from different domains (e.g., electrical, mechanical, and hydraulic) enables new opportunities. Modelica is one of the most prominent equation-based object-oriented (EOO) languages that support such capabilities, including the ability to simulate both continuous- and discrete-time models, as well as mixed hybrid models. However, there are still many remaining challenges when it comes to language safety and simulation security. The problem area concerns detecting modeling errors at an early stage, so that faults can be isolated and resolved. Furthermore, to give guarantees for the absence of faults in models, the need for precise language specifications is vital, both regarding type systems and dynamic semantics.

This thesis includes five papers related to these topics. The first paper describes the informal concept of types in the Modelica language, and proposes a new concrete syntax for more precise type definitions. The second paper provides a new approach for detecting over- and under-constrained systems of equations in EOO languages, based on a concept called structural constraint delta. That approach makes use of type checking and a type inference algorithm. The third paper outlines a strategy for using abstract syntax as a middle-way between a formal and informal language specification. The fourth paper suggests and evaluates an approach for secure distributed co-simulation over wide area networks. The final paper outlines a new formal operational semantics for describing physical connections, which is based on the untyped lambda calculus. A kernel language is defined, in which real physical models are constructed and simulated.

Report code: LIU-TEK-LIC-2007:46. On the day of the defence date the status of article IV was: In Progress; The status of article V was: Manuscript.

Recently, there is a great interest in moving object tracking in the fields of security and surveillance. Object recognition under partial occlusion is the core of any object tracking system. This thesis presents an automatic and real-time color object-recognition system which is not only robust but also occlusion tolerant. The intended use of the system is to recognize and track external vehicles entered inside a secured area like a school campus or any army base. Statistical morphological skeleton is used to represent the visible shape of the vehicle. Simple curve matching and different feature based matching techniques are used to recognize the segmented vehicle. Features of the vehicle are extracted upon entering the secured area. The vehicle is recognized from either a digital video frame or a static digital image when needed. The recognition engine will help the design of a high performance tracking system meant for remote video surveillance.

Following the success of software engineering design patterns, security patterns are a promising approach to aid in the design and development of more secure software systems. At the same time, recent work on aspect-oriented programming (AOP) suggests that the cross-cutting nature of software security concerns makes it a good candidate for AOP techniques. This work uses a set of software metrics to evaluate and compare object-oriented and aspect-oriented implementations of five security patterns--Secure Base Action, Intercepting Validator, Authentication Enforcer, Authorization Enforcer, and Secure Logger. Results show that complete separation of concerns was achieved with the aspect-oriented implementations and the modularity of the base application was improved, but at a cost of increased complexity in the security pattern code. In most cases the cohesion, coupling, and size metrics were improved for the base application but worsened for the security pattern package. Furthermore, a partial aspect-oriented solution, where the pattern code is decoupled from the base application but not completely encapsulated by the aspect, demonstrated better modularity and reusability than a full aspect solution. This study makes several contributions to the fields of aspect-oriented programming and security patterns. It presents quantitative evidence of the effect of aspectization on the modularity of security pattern implementations. It augments four existing security pattern descriptions with aspect-oriented solution strategies, complete with new class and sequence diagrams based on proposed aspect-oriented UML extensions. Finally, it provides a set of role-based refactoring instructions for each security pattern, along with a proposal for three new basic generalization refactorings for aspects.

The self-defending object (SDO) concept is an extension to the object-oriented programming paradigm, whereby those objects that encapsulate the protected resources of a security aware application (SAA), are made aware of, and responsible for, the defence of those resources. That defence takes two forms, the enforcement of mandatory access control on protected resources and the generation of the corresponding portion of the SAA's audit trail. The SDO concept acts as the philosophy that guides the application level mandatory access control within SAAs which ensures that the provided access control is both complete and non bypassable. Although SDOs accept responsibility for controlling access to the protected data and functionality that they encapsulate, an SDO delegates the responsibility for making authorisation decisions to an associated authorisation object. Thus, SDOs fulfill their access control obligations by initiating the authorisation check and then enforcing the decision made on their behalf. A simple, yet effective mechanism for enforcing that access control at the object level involves controlling the ability to invoke those SDO methods that access protected resources. In the absence of previous research on this approach to the enforcement of application level access control, the primary aim of this research was to demonstrate that the SDO concept is a viable paradigm for developing SAAs. That aim was achieved in two stages. The first stage targeted the provision of a 'proof of concept', that demonstrated that the SDO concept could be applied to the development of non-distributed SAAs. The second stage demonstrated its applicability to the development of distributed SAAs. In the second stage, two versions of a distributed prototype were developed, one based on a traditional (proprietary) distributed computing model, (Java RMI), and the second using the currently popular Web services model, to demonstrate the general applicability of the SDO concept. Having already demonstrated that the SDO concept could be applied to SAAs executing on a single machine, the major focus of that research was to devise a mechanism by which SDOs could be transferred between machines. The research then concentrated on determining what impacts the adoption of the SDO concept would have on SAA development. Experimentation carried out using the distributed prototypes demonstrated that (1) the adoption of the SDO does not restrict the use of inheritance hierarchies that include SDOs, (2) the restriction of the lifetime of SDOs can be supported, (3) usage rights enforcement can be employed, and (4) the use of cryptographic techniques to provide additional security guarantees is not affected. A key feature of the SDO concept, is that no major changes need to be made to current development tools or　methodologies, so its adoption is not hampered by significant financial or training impediments. This research demonstrated that the SDO concept is practical and constitutes a valuable extension to the object oriented paradigm that will help address the current lack of security in information systems. The SDO approach warrants additional research and adoption.

This dissertation is about the implementation and integration of the interactive markup language to the distributed component object model protocol with the application to modeling distributed file system security. Among the numerous researches in network security, the file system usually plays in the least important role of the spectrum. From the simple Disk Operating System (DOS) to modern Network Operating System (NOS), the file system relies only on one or more login passwords to protect it from being misused. Today the most thorough protection scheme for the file system is from virus protection and removal application, but it does not prevent a hostile but well-behaved program from deleting files or formatting hard disk. There are several network-monitoring systems that provide packet-level examination, although they suffer significant degradation in system performance. In order to accomplish this objective, the implementation and integration of an interactive markup language to the distributed component object model protocol is created. The framework is also associated with the network security model for protecting the file system against unfriendly users or programs. The research will utilize a comprehensive set of methods that include software signature, caller identification, backup for vital files, and encryption for selected system files. It is expected that the results of this work are sufficient so those component objects can be implemented to support the integration definitions defined in this dissertation. In addition, it is expected that the extensions and techniques defined in this work may have further utilization in similar theoretical and applied problem domains.

This thesis presents a body of work on the theme of millimetre-wave FMCW radar, for the purposes of security screening and remote sensing. First, the development of an optimised software radar signal processor will be outlined. Through use of threading and GPU acceleration, high data processing rates were achieved using standard PC hardware. The flexibility of this approach, compared to specialised hardware (e.g. DSP, FPGA etc…), allowed the processor to be rapidly adapted and has produced a significant performance increase in a number of advanced real-time radar systems. An efficient tracker was developed and was successfully deployed in live trials for the purpose of real-time wave detection in an autonomous boat control system. Automated radar operation and remote data telemetry functions were implemented in a terrain mapping radar to allow continuous monitoring of the Soufrière Hills volcano on the Caribbean island of Montserrat. This work concluded with the installation of the system 3 km from the volcano. Hardware modifications were made to enable coherent measurement in a number of existing radar systems, allowing phase sensitive measurements, including range-Doppler, to be performed. Sensitivity to displacements of less than 200 nm was demonstrated, which is limited by the phase noise of the system. Efficient compensation techniques are presented which correct for quadrature mixer imbalance, FMCW chirp non-linearity, and scanner drive distortions. In collaboration with the Home Office, two radar systems were evaluated for the stand-off detection of concealed objects. Automatic detection capability, based on polarimetric signatures, was developed using data gathered under controlled conditions. Algorithm performance was assessed through blind testing across a statistically significant number of subjects. A detailed analysis is presented, which evaluates the effect of clothing and object type on detection efficiency.

Web crawlers are a fundamental component of web application scanners and are used to explore the attack surface of web applications. Crawlers work as follows. First, for each page, they extract URLs and UI elements that may lead to new pages. Then, they use a depth-first or breadth-first tree traversal to explore new pages. In this approach, crawlers cannot distinguish between "terminate user account" and "next page" buttons and they will click on both without taking into account the consequences of their actions. The goal of this project is to devise a new family of crawlers that builds on client-side code analysis and expand with the inference of the semantic of UI element by using visual clues. The new crawler will be able to identify in real time types and semantics of the UI elements, and it will use the semantics to choose the right action. This project will include the development of a prototype and evaluation against a selection of real-size web applications.

Résumé : L’expansion des images sur le Web a provoqué le besoin de mettre en œuvre des méthodes de classement d’images précises pour plusieurs applications notamment la cybersécurité. L’extraction des caractéristiques est une étape primordiale dans la procédure du classement des images vu son impact direct sur la performance de la catégorisation finale des images et de leur classement. L’objectif de cette étude est d’analyser l’état de l’art des différents espaces de caractéristiques pour évaluer leur efficacité dans le contexte de la reconnaissance de forme pour les applications de cybersécurité. Les expériences ont montré que les descripteurs de caractéristiques HOG et GIST ont une performance élevée. Par contre, cette dernière se dégrade face aux transformations géométriques des objets dans les images. Afin d’obtenir des systèmes de classement d’image plus fiables basés sur ces descripteurs, nous proposons deux méthodes. Dans la première méthode (PrMI) nous nous concentrons sur l’amélioration de la propriété d’invariance du système de classement par tout en maintenant la performance du classement. Dans cette méthode, un descripteur invariant par rapport à la rotation dérivé de HOG est utilisé (RIHOG) dans une technique de recherche "top-down" pour le classement des images. La méthode (PrMI) proposée donne non seulement une robustesse face aux transformations géométriques des objets, mais aussi une performance élevée similaire à celle de HOG. Elle est aussi efficace en terme de coût de calcul avec une complexité de l’ordre de O(n). Dans la deuxième méthode proposée (PrMII), nous nous focalisons sur la performance du classement en maintenant la propriété d’invariance du système de classement. Les objets sont localisés d’une façon invariante aux changement d’échelle dans l’espace de caractéristiques de covariance par région. Ensuite elles sont décrites avec les descripteurs HOG et GIST. Cette méthode procure une performance de classement meilleure en comparaison avec les méthodes implémentées dans l’étude et quelques méthodes CBIR expérimentées sur les données Caltech-256 dans les travaux antérieurs. // Abstract : The tremendous growth of accessible online images (Web images), provokes the need to perform accurate image ranking for applications like cyber-security. Fea­ture extraction is an important step in image ranking procedures due to its direct impact on final categorization and ranking performance. The goal of this study is to analyse the state of the art feature spaces in order to evaluate their efficiency in the abject recognition context and image ranking framework for cyber-security applications. Experiments show that HOG and GIST feature descriptors exhibit high ranking performance. Whereas, these features are not rotation and scale invariant. In order to obtain more reliable image ranking systems based on these feature spaces, we proposed two methods. In the first method (PrMI) we focused on improving the invariance property of the ranking system while maintaining the ranking perfor­mance. In this method, a rotation invariant feature descriptor is derived from HOC (RIHOC). This descriptor is used in a top-down searching technique to caver the scale variation of the abjects in the images. The proposed method (PrMI) not only pro­ vides robustness against geometrical transformations of objects but also provides high ranking performance close to HOC performance. It is also computationally efficient with complexity around O(n). In the second proposed method (PrMII) we focused on the ranking performance while maintaining the invariance property of the ranking system. Objects are localized in a scale invariant fashion under a Region Covariance feature space, then they are described using HOC and CIST features. Finally to ob­ tain better evaluation over the performance of proposed method we compare it with existing research in the similar domain(CBIR) on Caltech-256. Proposed methods provide highest ranking performance in comparison with implemented methods in this study, and some of the CBIR methods on Caltech-256 dataset in previous works.

Den säkerhetspolitiska debatten har under de senaste åren tillvaratagit ett bredare perspektiv av hot och risker. Undersökningen tar sin utgångspunkt i frågan om i vilken utsträckning detta kommit till uttryck i svenska försvarspropositioner?

 

Undersökningen kartlägger likheter och skillnader i tre försvarspropositioners uttryck av hot och säkerhet relaterat till det vidgade säkerhetsbegreppet under perioden 1982-2009. Vid kartläggningen undersöker jag med hjälp av Barry Buzan m.fl. analysramverk för det vidgade säkerhetsbegreppet vilka säkerhetspolitiska värden som uttrycktes vara viktiga att säkerställa. Undersökningen kartlägger även hotbilderna som uppfattades mot dessa värden och inom vilka arenor deras säkerhet bedömdes kunna säkerställas.

Analysen påvisar olikheter i de tre försvarspropositionernas säkerhetspolitiska uttryck. 1982 års försvarsproposition fokuserar på nationella säkerhetspolitiska värden som säkerställdes inom totalförsvarets ram. De följande försvarspropositionerna indikerar en förändring till förmån för regionala värden och gemensam säkerhet. Analysen påvisar även en radikal förändring av de uppfattade hotbildernas karaktär.

The recent security policy debate has included a broader view of threats and risks. This study is based on the question of to what extent this was reflected in the Swedish defence bills?

This study aims to identify similarities and differences regarding expressions of threat and security related to the broader concept of security in three defence bills over the period of 1982-2009. By use of the analytical framework of Mr Barry Buzan, I aim to make a survey of the expressed values of security, their perceived threats and the arenas in which their security were to be guaranteed.

The analysis indicates diversities regarding security policy expressions. The defence bill of 1982 focuses on national values, safeguarded within the framework of Total Defence. The following defence bills indicate a change in the perceived nature of the threats and in favour of regional values and common security.

The purpose of this thesis is to look into the differences between the theoretical frame-works of Realism and Feminism in general as well as their differences with regards to security and referent objects to security. With the differences noted applied upon the Humanitarian Intervention that took place in Kosovo 1999. That is how a shift in the referent objects could change outcome and success or failure in the case studied.

This is done by a theory testing study based upon literature within the topics of Realism and Feminism, by mainly Morgenthau (1993) with regards to Realism and Tickner (1992) with regards to Feminism. The reason for these authors in particular is due to their importance in the field and the fact that they are found liberally quoted in academic articles and other literature.

By shifting the referent object of security from e.g. territory (state), that Realism uses, to the individuals in general and the women in particular within the territory (state), like Feminism does, there is bound to be a change in outcome and success. The result of this thesis is that a different referent object offers a new perspective.

Avec l'augmentation des échanges de données et les évolutions technologiques et sociales récentes, les contenus multimédias prennent une place importante dans le trafic mondial. Aujourd'hui, les objets 3D sont utilisés dans un large nombre d'applications, par exemple, les applications médicales, les simulations, les jeux vidéo, l'animation et les effets spéciaux. La consommation d'objets 3D par le grand public est devenue un marché lucratif pouvant prendre la forme de plateformes de téléchargement d'objets 3D dans différents formats.Cette thèse, en collaboration avec la société STRATEGIES, concerne la protection des objets 3D, et plus particulièrement des maillages 3D contre des utilisations frauduleuses et illégales. Ces maillages 3D représentent de manière surfacique des modèles de chaussures et de maroquineries produits par les clients à l'aide des solutions numériques proposées par la société STRATEGIES. Dans un premier temps, nous proposons une nouvelle méthode d'insertion de données cachées bien plus efficace en termes de temps d'exécution sur des maillages de très grande taille que la méthode précédente développée en collaboration avec la société STRATÉGIES. Nous explorons également des approches de chiffrement sélectif pour le contrôle d'accès aux contenus de très haute qualité selon les besoins des utilisateurs. Dans ce contexte, nous proposons d'utiliser des approches de chiffrement sélectif sur les données géométriques des objets 3D afin de protéger le contenu visuel de ces derniers selon différents cas d'utilisation et différentes représentations de ces données.Dans un second axe de recherche, nous étudions l'application des processus de partage de secret au domaine des objets 3D. Le partage de secret est une approche cherchant à diviser un contenu secret entre plusieurs utilisateurs et autorisant certains sous-groupes d'utilisateurs à reconstruire le secret. Le partage de secret est un système de redondance permettant de reconstruire le secret même si certains utilisateurs ont perdu leurs informations. Le partage d'objet 3D secret est un domaine de recherche peu étudié permettant de protéger un objet 3D entre des collaborateurs. Nous proposons des nouvelles méthodes de partage d'objet 3D secret utilisant les approches de chiffrement sélectif et proposant des propriétés hiérarchiques où les utilisateurs possèdent des droits d'accès différents au contenu 3D en fonction de leur position dans une structure hiérarchique.Enfin, le troisième axe de recherche développé dans ces travaux de thèse porte sur l'analyse de la confidentialité visuelle des objets 3D sélectivement chiffrés plus ou moins fortement. En effet, en fonction du scénario, nos méthodes de chiffrement sélectif d'objets 3D fournissent des résultats pouvant être plus ou moins reconnaissables par les utilisateurs. Cependant, les métriques utilisées pour l'évaluation de la qualité des objets 3D ne permettent pas de distinguer deux objets 3D chiffrés sélectivement avec des niveaux de confidentialité différents. Pour cela, nous présentons la construction d’une base de données d'objets 3D chiffrés sélectivement afin de réaliser des évaluations subjectives de la confidentialité visuelle et tentons de construire une nouvelle métrique corrélée à des évaluations obtenues par le système visuel humain
With the increase of data exchange and latest technological and social developments, multimedia contents are becoming an important part of global trafic. Today, 3D objects are used in a large number of applications, for example, medical applications, simulations, video games, animation and special effects. 3D object usage by the general public has become a lucrative market that can take the form of 3D object downloading platforms with various 3D formats.This thesis, in collaboration with the company STRATEGIES, concerns the 3D object protection, and more particularly 3D meshes against fradulent and illegal uses. These 3D meshes represent surface models of shoes and leather goods produced by customers using digital solutions proposed by STRATEGIES. First, we propose a new method to insert secret data much more efficiently in terms of execution time on very large meshes than the previous method developed in collaboration with the company STRATEGIES. We are also exploring selective encryption approaches to control access to very high quality content according to user needs. In this context, we propose to use selective encryption approaches on the geometric data of 3D objects in order to protect the visual content of these objects according to different use cases and different data representations.In a second research axis, we study the application of secret sharing methods to the domain of 3D objects. Secret sharing is an approach that seeks to divide secret content between multiple users and allows certain subgroups of users to reconstruct the secret. Secret sharing is a redundancy system that allows you to reconstruct the secret even if some users have lost their information. Secret 3D object sharing is a poorly researched domain used to protect a 3D object between collaborators. We propose new secret 3D object sharing methods using selective encryption approaches and providing hierarchical properties where users have different access rights to 3D content based on their position in a hierarchical structure.Finally, the third research axis developed in this thesis deals with the analysis of the visual confidentiality of 3D objects selectively encrypted more or less strongly. Indeed, depending on the scenario, our 3D selective encryption methods provide results that can be more or less recognizable by users. However, the metrics used to evaluate the quality of 3D objects do not distinguish two selectively encrypted 3D objects with different levels of confidentiality. So, we present the construction of a databse of selectively encrypted 3D objects in order to realize subjective assessments of visual confidentiality and try to build a new metric correlated with evaluations obtained by the human visual system

Представлен обзор результатов работ, связанных с исследованиями технических средств охраны объектов различного назначения, которые проводились с участием авторов в течение ряда лет. Одним из таких средств являются электромагнитные заборы. Предложено использовать в системах формирования электромагнитного поля заданной формы в качестве излучателей микрополосковые фазированные антенные решетки (ФАР). Показаны основные направления совершенствования радиолучевых охранных средств с ФАР.

The phrase 'Internet of Things' refers to the pervasive instrumentation of physical objects with sensors and actuators, and the connection of those sensors and actuators to the Internet. These sensors and actuators are generally based on similar hardware as, and have similar capabilities to, wireless sensor network nodes. However, they operate in a completely different network environment: wireless sensor network nodes all generally belong to a single entity, whereas Internet of Things endpoints can belong to different, even competing, ones. This difference has profound implications for the design of security mechanisms in these environments. Wireless sensor network security is generally focused on defence against attack by external parties. On the Internet of Things, such an insider/outsider distinction is impossible; every entity is both an endpoint for legitimate communications, and a possible source of attack. We argue that that under such conditions, the centralised models that underpin current networking standards and protocols for embedded systems are simply not appropriate, because they require such an insider/outsider distinction. This thesis serves as an exposition in the design of decentralised security mechanisms, applied both to applications, which must perform access control, and networks, which must guarantee communications security. It contains three main contributions. The first is a threat model for Internet of Things networks. The second is BottleCap, a capability-based access control module, and an exemplar of decentralised security architecture at the application layer. The third is StarfishNet, a network-layer protocol for Internet of Things wireless networks, and a similar exemplar of decentralised security architecture at the network layer. Both are evaluated with microbenchmarks on prototype implementations; StarfishNet's association protocol is additionally validated using formal verification in the protocol verification tool Tamarin.

The main goal of this work is creating client-server application with image processing and cryptographic verification of image source and creation time. The work focuses on creating a mobile client application on the Android platform that securly takes photos by mobile device camera, processes captured images and provides a digital signature, timestamp and GPS location. The main part of the work is secure key exchange, encrypted communication, data and energy efficiency of the client-server application. The server application is implemented on the Java EE platform and processes the received image, performs object detection, object recognition in the image and provides a timestamp from a trusted server. Then taken photo can be considered as a trusted electronic document usable as valid evidence for the judical or administrative proceedings.

Thesis: S.M. in Technology and Policy, Massachusetts Institute of Technology, School of Engineering, Institute for Data, Systems, and Society, Technology and Policy Program, 2017.
This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections.
Cataloged from student-submitted PDF version of thesis.
Includes bibliographical references (pages 89-99).
To maximize the value of the Internet of Things (IoT), developers need to build devices that balance security with features, cost, and usability, relative to the threats that their particular devices will face. However, many IoT devices have thus far failed to achieve this balance. Various organizations have published copious security frameworks to help developers. Of these, frameworks that focus on desirable outcome metrics remain theoretically desirable yet infeasible to use in practice. The other frameworks, which focus on some aspect of the development process itself, are widely used despite a lack of methods for determining their utility. This work introduces six criteria useful for evaluating and comparing these process-based frameworks. Applying them to multiple security frameworks, we find that these frameworks often derive from inflexible conceptions of security, limiting the ability of developers to to vary their security designs. Even when developers are given options, they lack the tools necessary to balance security with other tradeoffs respective to the situations their products will be used in. To begin to address these shortcomings, we propose the Processes for Reasonably Secure Design (PRSD), a novel process-based security framework that helps developers comprehensively and systematically consider the security threats an IoT device may introduce to its surroundings, options for mitigating those threats, and the tradeoffs between those options. To demonstrate its worth, we apply it in multiple case studies. Further, using the six criteria, we evaluate PRSD and find that, in addition to providing useful and novel guidance, it has practical qualities that could make it suitable for many real development efforts.
by Zane Alexander Markel.
S.M. in Technology and Policy

Power-sharing arrangements have become the default tool of international actors to resolve a vast range of conflicts worldwide, with a particular concentration in sub-Saharan Africa. Traditionally used to end high-intensity civil wars, recently power sharing has increasingly been used to terminate an array of lower-intensity conflicts, such as election-related violence in Togo in 2006 and Kenya and Zimbabwe in 2008. The thin but emerging scholarship on post-election power sharing is largely negative, maintaining that the model is unlikely to deliver the institutional reforms necessary to resolve the underlying roots of electoral conflicts. Yet the cases of Kenya, and, to a lesser extent, Togo, appear to complicate this narrative, suggesting that post-election power sharing may be able to deliver some key but thorny institutional reforms, such as security sector reform. While the power-sharing model continues to be used worldwide and security reform is widely identified by scholars and practitioners as critical to durable peace, the existing literature has generally ignored the potential link between the two. As such, this dissertation seeks to answer the following questions: Does post-election power sharing lead to security sector reform? Which causal factors are most important in shaping security reform outcomes under post-election power sharing, and through what processes or mechanisms? The two-step integrated theoretical framework presented here forwards a structured contingency approach, positing that a combination of long- and short-term domestic and international factors will drive or stymie reform of the security sector under post-election power sharing in democratizing countries. In short, the theory argues that two main longterm factors, the nature of civil-military relations and the character of external involvement, combined with two short-term mechanisms, the design of the political agreement and the type of political strategy deployed by the parties, will be the most important factors shaping security reform outcomes under post-election power sharing. I demonstrate that post-election power sharing plays a significant role in the causal process of security reform and can deliver some institutional reforms, under certain conditions. The dissertation uses the method of structured, focused comparison to build and apply the theoretical propositions to the cases of Kenya, Togo, and Zimbabwe. Using process tracing and the logic of most-similar comparisons, I conduct two sets of cross- and within-case comparisons, utilizing elite interviews as the primary tool for data collection. I conducted over 100 interviews with key decision-makers in my case countries—including former prime ministers, cabinet ministers, top political party leaders, senior security officials, and international stakeholders.

We investigate the security and usability of Human-Interactive Security Protocols (HISPs); specifically, how digests of 4 or more digits can be compared between two or more sys- tems as conveniently as possible while ensuring that issues such as user complacency do not compromise security. We address the research question: given different association scenarios and modes of authentication in HISPs, how can we improve on existing, or design new, empirical channels that suit human and contextual needs to achieve acceptable effective security? We review the literature of HISPs, proposed empirical channels,and usability studies of HISPs; we follow by presenting the methodology of the research reported in this thesis. We then make a number of contributions discussing the effectiveness of empirical channels and address the design, analysis, and evaluation of these channels. In Chapter 4 we present a user study of pairwise device associations and discuss the factors affecting effective security of empirical channels in single-user scenarios. In Chapter 5 we present a user study of group device associations and discuss the factors affecting effective security of empirical channels in multi-user scenarios. In Chapter 7 we present a framework designed for researchers and system designers to reason about empirical channels in HISPs. The framework is grounded in experimental data, related research, and validated by experts. In Chapter 8 we present a methodology for analysing and evaluating the security and usability of HISPs. We validate the methodology by applying it in laboratory experiments of HISPs. Finally, in Chapter 6 we present a set of principles for designing secure and usable empirical channels. We demonstrate the effectiveness of these principles by proposing new empirical channels.

Parallèlement à la dernière réforme française du droit des sûretés, les sûretés réelles chinoises ont été rénovées par la loi sur les droits réels promulguée à la même période. En s’appuyant sur une étude compréhensive des normes législative et réglementaire autour du sujet, cette thèse, essentiellement basée sur le droit chinois, révèle qu’en matière de sûreté réelle, le droit chinois se nuance du droit français et analyse les raisons et les effets de ces différences au-dessous des termes ou notions similaires. Après l’étude comparative, la thèse arrive à la conclusion que le droit chinois des sûretés réelles nécessite un futur regroupement en dépit de la nouvelle loi sur les droits réels
During the same period, a reform of security law had completed in France, while the Chinese real rights law which has renovated security rights in rem was about to be promulgated in China. This thesis, based on Chinese law and drawing upon a comprehensive study of laws and administrative regulations on the subject, reveals the differences between Chinese and French law and analyze their cause and effect behind similar terms and notions. Grounded on the comparative study, the thesis draws the conclusion that the Chinese system of security rights in rem requires a further reform despite the arrival of new law

Thesis (PhD)--Macquarie University, Division of Information and Communication Sciences, Department of Computing, 2008.
Bibliography: p. 144-153.
Introduction -- Background -- Overview of watermarking -- Natural language watermarking -- Software watermarking -- Semi-blind and reversible database watermarking -- Blind and reversible database watermarking -- Conclusion and future research -- Bibliography.
Digital watermarking has generated significant research and commercial interest in the past decade. The primary factors contributing to this surge are widespread use of the Internet with improved bandwidth and speed, regional copyright loopholes in terms of legislation; and seamless distribution of multimedia content due to peer-to-peer file-sharing applications. -- Digital watermarking addresses the issue of establishing ownership over mul-timedia content through embedding a watermark inside the object. Ideally, this watermark should be detectable and/or extractable, survive attacks such as digital reproduction and content-specific manipulations such as re-sizing in the case of images, and be invisible to the end-user so that the quality of the content is not degraded significantly. During detection or extraction, the only requirements should be the secret key and the watermarked multimedia object, and not the original un-marked object or the watermark inserted. Watermarking scheme that facilitate this requirement are categorized as blind. In recent times, reversibility of watermark has also become an important criterion. This is due to the fact that reversible watermarking schemes can provided security against secondary watermarking attacks by using backtracking algorithms to identify the rightful owner. A watermarking scheme is said to be reversible if the original unmarked object can be regenerated from the watermarked copy and the secret key.
This research covers three multimedia content types: natural language documents, software, and databases; and discusses the current watermarking scenario, challenges, and our contribution to the field. We have designed and implemented a natural language watermarking scheme that uses the redundancies in natural languages. As a result, it is robust against general attacks against text watermarks. It offers additional strength to the scheme by localizing the attack to the modified section and using error correction codes to detect the watermark. Our first contribution in software watermarking is identification and exploitation of weaknesses in branch-based software watermarking scheme proposed in [71] and the software watermarking algorithm we present is an improvised version of the existing watermarking schemes from [71]. Our scheme survives automated debugging attacks against which the current schemes are vulnerable, and is also secure against other software-specific attacks. We have proposed two database watermarking schemes that are both reversible and therefore resilient against secondary watermarking attacks. The first of these database watermarking schemes is semi-blind and requires the bits modified during the insertion algorithm to detect the watermark. The second scheme is an upgraded version that is blind and therefore does not require anything except a secret key and the watermarked relation. The watermark has a 89% probability of survival even when almost half of the data is manipulated. The watermarked data in this case is extremely useful from the users' perspective, since query results are preserved (i.e., the watermarked data gives the same results for a query as the nmarked data). -- The watermarking models we have proposed provide greater security against sophisticated attacks in different domains while providing sufficient watermark-carrying capacity at the same time. The false-positives are extremely low in all the models, thereby making accidental detection of watermark in a random object almost negligible. Reversibility has been facilitated in the later watermarking algorithms and is a solution to the secondary watermarking attacks. We shall address reversibility as a key issue in our future research, along with robustness, low false-positives and high capacity.
Mode of access: World Wide Web.
xxiv, 156 p. ill. (some col.)

This thesis inquires into the meaning of the right to security of person. This right is found in many international, regional and domestic human rights instruments. However, academic discourse reveals disagreement about the meaning of the right. The thesis first considers case law from the European Convention on Human Rights, the South African Bill of Rights and the Canadian Charter. The analysis shows that courts too disagree about the meaning of the right to security of person. The thesis then takes a theoretical approach to understanding the meaning of the right. It is argued that the concept of ‘security’ establishes that the right imposes both positive and negative duties but that ‘security’ does not determine which interests are protected by the right. For this, we need consider the meaning of the ‘person’. The notion of personhood as understood in the ‘capabilities approach’ of Amartya Sen and Martha Nussbaum is then introduced. It is suggested that this theory could be used to identify the interests protected by the right. Next, the theoretical developments are applied to the legal context in order to illustrate the variety of interests the right to security of person would protect and the type of duties it would impose. As a result, it is argued that the idea of ‘security of person’ is too broad to form the subject matter of an individual legal right. This raises a question over the relationship between security of person and human rights law. It is proposed that instead of recognising an individual legal right to security of person, human rights law as a whole could be seen as a mechanism to secure the person, the capabilities approach determining what it takes to fulfil a right and thereby secure the person.

In this thesis, we investigate the applicability of the process algebraic formal method Communicating Sequential Processes (CSP) [Hoa85] to the development and analysis of safetycritical systems. We also investigate how these tasks might be aided by mechanical verification, which is provided in the form of the proof tool Failures-Divergences Refinement (FDR) [Ros94]. Initially, we build upon the work of [RWW94, Ros95], in which CSP treatments of the security property of non-interference are described. We use one such formulation to define a property called protection, which unifies our views of safety and security. As well as applying protection to the analysis of safety-critical systems, we develop a proof system for this property, which in conjunction with the opportunity for automated analysis provided by FDR, enables us to apply the approach to problems of a sizable complexity. We then describe how FDR can be applied to the analysis of mutual exclusion, which is a specific form of non-interference. We investigate a number of well-known solutions to the problem, and illustrate how such mutual exclusion algorithms can be interpreted as CSP processes and verified with FDR. Furthermore, we develop a means of verifying the faulttolerance of such algorithms in terms of protection. In turn, mutual exclusion is used to describe safety properties of geographic data associated with Solid State Interlocking (SSI) railway signalling systems. We show how FDR can be used to describe these properties and model interlocking databases. The CSP approach to compositionality allows us to decompose such models, thus reducing the complexity of analysing safety invariants of SSI geographic data. As such, we describe how the mechanical verification of Solid State Interlocking geographic data, which was previously considered to be an intractable problem for the current generation of mechanical verification tools, is computationally feasible using FDR. Thus, the goals of this thesis are twofold. The first goal is to establish a formal encapsulation of a theory of safety-critical systems based upon the relationship which exists between safety and security. The second goal is to establish that CSP, together with FDR, can be applied to the modelling of Solid State Interlocking geographic databases. Furthermore, we shall attempt to demonstrate that such modelling can scale up to large-scale systems.

Many security protocols are built as the composition of an application-layer protocol and a secure transport protocol, such as TLS. There are many approaches to proving the correctness of such protocols. One popular approach is verification by abstraction, in which the correctness of the application-layer protocol is proven under the assumption that the transport layer satisfies certain properties, such as confidentiality. Following this approach, we adapt the strand spaces model in order to analyse application-layer protocols that depend on an underlying secure transport layer, including unilaterally authenticating secure transport protocols, such as unilateral TLS. Further, we develop proof rules that enable us to prove the correctness of application-layer protocols that use either unilateral or bilateral secure transport protocols. We then illustrate these rules by proving the correctness of WebAuth, a single-sign-on protocol that makes extensive use of unilateral TLS. In this thesis we also present a full proof of the model's soundness. In particular, we prove that, subject to a suitable independence assumption, if there is an attack against the application-layer protocol when layered on top of a particular secure transport protocol, then there is an attack against the abstracted model of the application-layer protocol. In contrast to existing work in this area, the independence assumption consists of eight statically-checkable conditions, meaning that it can be checked statically, rather than having to consider all possible runs of the protocol. Lastly, we extend the model to allow protocols that consist of an arbitrary number of layers to be proven correct. In this case, we prove the correctness of the intermediate layers using the high-level strand spaces model, by abstracting away from the underlying transport-layers. Further, we extend the above soundness results in order to prove that the multi-layer approach is sound. We illustrate the effectiveness of our technique by proving the correctness of a couple of simple multi-layer protocols.

Smartphones are highly-capable mobile computing devices that have dramatically changed how people do business, interact with online services, and receive entertainment. Smartphone functionality is enhanced by an ecosystem of apps seemingly covering the entire gamut of functionality. While smartphone apps have undoubtedly provided immeasurable benefit to users, they also contribute their fair share of drawbacks, such as increases in security risks and the erosion of user privacy. In this thesis, I focus on the Android smartphone operating system, and pave the way for improving the security and privacy of its app ecosystem. Chapter 3 starts by doing a comprehensive study on how Android apps have evolved over a three-year period, both in terms of their dangerous permission usage and the vulnerabilities they contain. It uncovers a trend whereby apps are using increasing numbers of dangerous permissions over time and at the same time becoming increasingly vulnerable to attack by adversaries. By analysing the Google Play Store, Android's official app marketplace, Chapter 4 shows that many general-purpose apps can be replaced with functionallysimilar alternatives to the benefit of the user. This confirms that users still wield power to improve their own security and privacy. Chapter 5 combines this insight with real-world data from approximately 30,000 smartphones to understand the actual risk that the average user faces as a result of their use of apps, and takes an important first step in measuring the improvements that can be made. Users, however, are not always aware of the risks they face and thus Chapter 6 demonstrates the feasibility of a classification system that can transparently and unobtrusively identify and alert users to the presence of apps of concern on their devices. This classification system identifies apps from features in the network traffic they generate, without itself analysing the payload of their traffic, thus maintaining a high threshold of privacy. While the work presented in this thesis has uncovered undesirable trends in app evolution, and shows that a large fraction of users are exposed to non-trivial risk from the apps they use, in many cases there is suficient diversity in the offerings of general-purpose apps in the Google Play Store to empower users to mitigate the risks coming from the apps they use. This work takes us a step further in keeping users safe as they navigate and enjoy app ecosystems.

With the development and growth of mobile technologies, mobile phones enable users to perform a number of different tasks with their devices: from sending simple text messages, checking e-mails and browsing the internet, to running elaborated applications. Nowadays, the mobile phone platform creates great opportunities for businesses, especially due to its capabilities and population coverage: the number of mobile subscriptions approaches global population figures. In order to explore such opportunities, most banks have already launched their mobile applications and/or re-designed mobile version of their websites. One of the benefits of using mobile banking is the possibility for users to carry out bank transactions, such online payments or transfers, at anytime and anywhere. Expectations for the adoption of mobile banking were high; however, it represents about 20% of mobile phone users at the present. One factor has been recognised as being a strong reason for users not to adopt mobile banking: their concerns about security. This dissertation focuses on the relationship between the trust users have in mobile banking and the security risks that the use of mobile devices potentially pose. A questionnaire was created in order to gather users’ perception of security about mobile banking, and its results compared with recognised security issues.

This is a study of how IT-Security experts build trust and cooperate within and across organisations. The key research questions are 1) how do these specialists learn to trust others, and 2) why their preferences and strategies evolved the way they did. Using qualitative interviews and quantitative network analysis, the project finds that in this microcosm of risk-aware specialists, cooperation is rational due to complexity and uncertainty, while social control mechanisms are overly costly. In order to ascertain who is trustworthy and skilled, IT-Security specialists take precautions and then screen and probe potential co-operators thoroughly by querying and triangulating multiple information sources. Experts believe that generally, trusting individuals is possible, while they tend not to trust organisations as such, due to their complexity, and their political and economic incentives. Thus, when having to rely on organisations, security experts combine bureaucratic means, like standard compliance and performing audits, with their preferred approach based on interpersonal trust, networks, and individual assessment. Nevertheless, IT-Security experts efficiently manage assessment means and comprehensiveness. The in-depth network study of a security team finds that advice is given based on shared experience and nationality, while friendship nominations are value-driven: besides a strong tendency to not nominate anyone, the smaller group of those who see value in official certifications and education tend to nominate fewer friends, distinctly shunning those who consider these signals unimportant. This finding speaks to the growing institutionalisation and professionalisation of IT-Security caused by sector growth and state in- volvement. Most interviewees oppose this development, which is seen to water down security objectives. This thesis is based on primary data: expert interviews with specialists from over 30 countries, and longitudinal network data from an IT-Security team. The interviews explore how trust and cooperation are established, while the network data are used to quantitatively investigate network evolution.

Personal computing devices are becoming more and more popular. These devices are able to collaborate with each other using wireless communication technologies, and then support many applications. Some interesting examples of these are healthcare, context-aware computing, and sports training. In any such applications, security is of vital importance. Firstly, sensitive personal data is always collected in these applications, thus confidentiality is usually required. Secondly, authenticity and integrity of data or instructions are always critical; incorrect data or instructions are not only useless, but also harmful in some cases. This thesis analyses the security requirements of personal networks, and develops a number of multi-channel security protocols. With the help of out-of-band channels, especially no-spoofing and no-blocking out-of-band channels, these protocols can bootstrap security in personal networks. In particular, three kinds of security protocols have been studied: protocols that use human-controlled channels, protocols that use visible light communications, and protocols that use intra-body communications. Interesting trade-offs have been discovered among communication, computation and security, resulting from different channel implementations and protocols.

We investigate using Human Interactive Security Protocols (HISPs) to secure payments. We start our research by conducting extensive investigations into the payment industry. After interacting with different payment companies and banks, we present two case studies: online payment and mobile payment. We show how to adapt HISPs for payments by establishing the reverse authentication method. In order to properly and thoroughly evaluate different payment examples, we establish two attack models which cover the most commonly seen attacks against payments. We then present our own payment solutions which aim at solving the most urgent security threats revealed in our case studies. Demonstration implementations are also made to show our advantages. In the end we show how to extend the use of HISPs into other domains.

Cette these presente les principes de gestion de la securite d'un systeme d'exploitation distribue a objets suivant deux axes : distribution des traitements, du stockage et de la gestion des donnees en general et distribution de la responsabilite de gestion des droits basee sur la cooperation entre plusieurs responsables securite. Les objets securises sont appeles des entites. Pour realiser le controle des droits, rose utilise des capacites qui ne sont utilisables que par une seule entite (capacites nominatives) et qui ne sont pas falsifiable (capacites signees). Les protocoles lies a chaque etape de la vie d'une capacite (creation, propagation, utilisation et revocation) sont etudies. La securite repose partiellement sur la synchronisation des horloges des differents sites du systeme reparti. Nous etudions plusieurs possibilites de limitation temporelle des droits (date donnee, intervalle et execution unique pendant un intervalle). Les ecarts de synchronisation des horloges sont pris en compte par ces contraintes temporelles et les possibilites d'attaques sont analysees en consequence. Nous proposons une solution optimisee en terme de performance et d'espace memoire occupe au probleme de distribution des cles publiques. Ces cles sont employees pour l'authentification des entites et la signature des capacites. Elles doivent etre accessibles a l'ensemble des entites du systeme. Chaque etape de la vie des cles publiques (changement de cle, generation, distribution, stockage, invalidation et utilisation) est analysee. Nous presentons les principes d'implantation et la modelisation du systeme rose realisee avec l'outil asa+. La modelisation statique permet de rendre compte de l'organisation sous forme de modules et de flots d'informations. Le modele dynamique decrit le comportement des modules et des messages echanges. Enfin, nous presentons quelques simulations du modele.

Authenticated key exchange protocols are ubiquitous in modern-day life. They are used to secure numerous types of data exchange, ranging from online banking to instant messaging conversations. In this thesis, we extend the state of the art for authenticated key exchange security, following the three themes of realistic, strong and provable. First, we tackle the theme of provable security. We develop generic techniques, applicable to a wide range of security models, to assist in proofs of security of cryptographic schemes. Specifically, a "game hopping" proof is a powerful technique to prove strong statements about the security of a protocol. However, the proof technique often involves esoteric and repetitive steps. We demystify the methodology and prove generic theorems to reduce the length and complexity of a wide class of game hopping proofs. Next, we use this new framework to analyse strong and previously unstudied formal security guarantees of authenticated key exchange protocols. These protocols are able to achieve strong security guarantees because they share and update state across sessions. Using our framework, we are able to push the state of the art by defying the folklore of what was previously thought provable of authenticated key exchange protocols. Specifically, it was previously thought that no protocol can achieve a security guarantee about communication with a peer if the peer was already fully compromised. We show that this is not true by formally defining a new concept, which we name post-compromise security. We capture an intuitive "self-healing" property of protocols. We then construct and formally prove protocols can achieve this strong security notion. Finally, we leverage all of this work to analyse realistic protocols. Signal, which is used to encrypt messages in WhatsApp, Facebook Messenger and Google Allo amongst others, is one such protocol we consider. Despite being used by billions of people, Signal was completely unstudied in the academic literature prior to this work. Two reasons for this were that Signal had no documentation at the time and it did not fit into existing models: it shares state across sessions and has over ten different types of key, most of which continually update. Despite its complexity, we are able to use the other work in this thesis to give the first ever analysis and proof of security of Signal. Overall, this thesis aims to bridge the gap between theory and practice in the current state of the art of authenticated key exchange protocols.

While it is widely agreed that contemporary computer security is insufficient to meet the challenges faced, the remedies for its failures are far less obvious. Vast resources have been placed into technical solutions to little effect, prompting some to employ the constructs of economics to frame this problem as one to be 'managed', rather than 'solved'. However, to date economically-inspired decision support approaches have focused disproportionately on post-deployment security investment. With the preponderance of security issues stemming from the introduction of vulnerabilities during design and development, models that span the system development lifecycle are essential to efficiently address the root of many security issues. In addition, the need to impact system security at a fundamental level requires integration with existing security-development processes and standards. This dissertation presents an approach to secure software development that is derived from an economically-inspired understanding of security. After demonstrating how existing security guidance can give rise to inefficient decisions, models for security investment are developed that incorporate investments made in software security during system inception and development relative to those made during deployment and operations. By employing these models, conditions are identified whereby software security improves the return on (security) investment, and provide theoretical and empirical evidence to support the adoption of software security. This is followed by an exploration of how economic considerations can drive existing secure software engineering processes, culminating in a case study that illustrates the application of these principles to an ongoing system development effort.

A multitude of wireless technologies are used by air traffic communication systems during different flight phases. From a conceptual perspective, all of them are insecure as security was never part of their design and the evolution of wireless security in aviation did not keep up with the state of the art. Recent contributions from academic and hacking communities have exploited this inherent vulnerability and demonstrated attacks on some of these technologies. However, these inputs revealed that a large discrepancy between the security perspective and the point of view of the aviation community exists. In this thesis, we aim to bridge this gap and combine wireless security knowledge with the perspective of aviation professionals to improve the safety of air traffic communication networks. To achieve this, we develop a comprehensive new threat model and analyse potential vulnerabilities, attacks, and countermeasures. Since not all of the required aviation knowledge is codified in academic publications, we examine the relevant aviation standards and also survey 242 international aviation experts. Besides extracting their domain knowledge, we analyse the awareness of the aviation community concerning the security of their wireless systems and collect expert opinions on the potential impact of concrete attack scenarios using insecure technologies. Based on our analysis, we propose countermeasures to secure air traffic communication that work transparently alongside existing technologies. We discuss, implement, and evaluate three different approaches based on physical and data link layer information obtained from live aircraft. We show that our countermeasures are able to defend against the injection of false data into air traffic control systems and can significantly and immediately improve the security of air traffic communication networks under the existing real-world constraints. Finally, we analyse the privacy consequences of open air traffic control protocols. We examine sensitive aircraft movements to detect large-scale events in the real world and illustrate the futility of current attempts to maintain privacy for aircraft owners.

This thesis addresses multi-scale approaches for improving food security with nutritional health. It argues that four key themes: scale, nutrition, trade, and governance are not given adequate attention in food security and nutrition studies. A multi-scale framework links the overriding thematic structure, bridges gaps, and enriches analysis. It facilitates a blended approach of analysis for food security and nutrition studies, public policy, and critical geography. Nutrition is at the centre of the inquiry and addresses the triple burden of malnutrition: hunger, micronutrient malnutrition, and obesity. Nutrition is hampered by an incomplete understanding of dietary diversity. Trade and governance are complimentary and cover dynamic commodity exchanges which might develop along with improved programme delivery. At the structural core of the work are four research papers which interact with established and emergent food security indicators and data for: the international system, nations, Indian states, and districts within Karnataka. Each paper uses specific methodological tools which are most compatible with the unique characteristics of the relevant scale. The first paper applies benchmarking and compares international FAO food security indictors with the EIU and other best practice sources to argue for improved data. In order to inform malnutrition beyond hunger, the second paper inputs FAOSTAT national food balance sheet data into a dietary food supply model of key nutritional food groups for medium activity individuals. The third paper employs Indiastat data to construct a food potential model representative of major components of the Indian food system, and compares it with production information for pulse varieties for inclusion in the NFSA. The fourth paper creates a nutritional HDI, compares it against the production of cereals and pulses, and considers weather conditions. Results illustrate that the FAO does not give proper attention to including governance indicators or capturing dietary diversity beyond hunger. Food balance sheet data shows that the majority of the world lacks the proper supply of key food groups to sustain a medium activity lifestyle, with fruit & vegetable deficits equally present in developed and developing nations. In India, states with the lowest food potential are located in the north and east of the country while some neighbouring states contain pulse production advantages. Further opportunities exist to use digital technologies to improve the administration of the programme. Similarly, northern districts of Karnataka require more direct NFSA intervention while the southern and coastal districts have the potential for increased production and trade of pulses. Implications for this study are centred on the development of future food security and nutritional health studies, policy, and administration. When possible, food security and nutrition studies can broaden their conclusions by expanding their base of indicators and data to take into account multi-disciplinary information. Possibilities for richer studies are evident through the development of more robust governance and dietary diversity indicators. These could focus on measurable programme results and take into account the impact of food groups and nutritional supply on various types of malnutrition. Multi-scale analysis might inspire cross-boundary policy formulation and assist in the development and trade of food system resources. The administration of food security programmes might improve with further study and the use of technology as a tool for delivery. This thesis clarifies how multi-scale approaches to food security and nutrition can be advanced through conceptual, methodological, and empirical work combining critical engagement, data analysis, and public policy.

What is driving the European Union (EU) to integrate in matters of security and defence? Why has the EU since the 1990s, and in fits and starts, built up defence institutions, published strategic documents, or launched security missions around the world? This dissertation suggests an answer to these questions that hinges on there being a security community in Europe within which states do not feel threatened by one another. Understanding the level of trust EU states have in one other as well as its bearing on the way they engage in negotiations about the management of their security is of fundamental importance when attempting to make sense of the emergence of the EU as a security actor. States within Europe's security community and during the period covered by this thesis (1990-2016) suffered numerous external security shocks. These ranged from shifts in the geopolitical landscape surrounding them, to terrorist attacks to immigration crises. Shocks of this nature exposed the externalities of non-cooperation to policymaking elites in EU Member States, ultimately pushing them to seek the elevation of crisis management to the EU level. The outcome of the intergovernmental negotiations that followed each external shock depended on the degree of strategic interest overlap across EU states. This thesis makes evident that as EU integration in other fields progressed a form of spillover occurred where strategic interests converged and a common security and defence policy became an ever more attractive proposition. The narrative suggested in the following pages also explains why EU Member States have sometimes been forced to attend to their security and defence affairs alone. This occurred when they were faced with a crisis with little impact on the strategic interests of other members of the security community. The complicated interactions between the EU and the North Atlantic Treaty Organization (NATO), in turn, can also be seen through this theoretical lens and with the Alliance shielding Europeans from shocks or from the management of their consequences, therefore disincentivizing further EU integration in the field of security. By taking the perspective of EU member states and looking at specific shocks and the reactions they produced the following pages provide an innovative take on a much-studied but poorly-understood subject. They also seek to bring together two relevant but almost entirely disconnected sets of literatures: broader international relations theory and empirical works on European security.

This thesis explores issues of procedural fairness across the major statutory counterterrorism powers which require the Closed Material Procedure (CMP) in judicial review. It also considers the Justice and Security Act 2013 which applies to civil proceedings of any nature engaging national security concerns on a discretionary basis. The analysis construes procedural fairness broadly by considering its application both in the curial context and inside the relevant administrative organisations. It argues that procedural fairness in the CMP should be understood as part of the routine risk-management responsibilities of administration and administrative law, as opposed to an initiative which is 'exceptional' by virtue of its national security subject matter. Procedural fairness in the CMP could be invigorated by taking seriously the presence of risk and risk assessment in the application of the statutory powers by the executive and in the operation of the CMP itself. This thesis also argues that the extension of the CMP to damages actions under the Justice and Security Act 2013 raises greater normative problems than actions in the existing province of the CMP. This is because such claims, whilst not the sole province of the Act, concern executive accountability for tortious actions, as opposed to judicial review of executive riskmanagement of terrorism. The analysis concludes with two critical recommendations for improving procedural fairness in law and administration in the relevant subject matters; but ultimately recognises that these are but a first step in a broader project which requires the development of an interdisciplinary substantive theory of necessary secrecy.

In practicable multi-level secure systems it is necessary occasionally to transfer information in violation of security policy. Machines for doing this reliably and securely are called cross domain solutions; systems incorporating them are cross domain systems. Data owners, especially in classified environments, tend to distrust other data owners, other systems and networks, their own users, and developers of cross domain solutions. Hence, data owners demand rigorous testing before they will allow their information into a cross domain system. The interests of data owners are represented by certifiers and accreditors, who test newly developed cross domain solutions and newly installed cross domain systems, respectively. Accreditors have the authority to grant approval to operate and the responsibility for accepting residual risk. Certification and accreditation have always been expensive and time consuming, but there are hidden inefficiencies and unexploited opportunities to predict the actions of accreditors and to control the cost of certification. Some case studies of successful and unsuccessful security certifications and accreditations were analysed using grounded theory methodology. It was discovered that inefficiency arises from conflation of the principle of defence in depth with the practice of independent verification and validation, resulting in an irresistible appearance of cost savings to managers with a possible explanation in the relative maturity of different levels of software engineering organisations with respect to policy, process, and procedures. It was discovered that there is a simple rule relating certifier findings to developer responses that predicts the duration of penetration testing and can be used to bound the schedule. An abstract model of cross domain system accreditation was developed that is sufficiently powerful to reason about collateral, compartmented, and international installations. It was discovered that the behaviour of accreditors satisfies the criteria for reliable signalling in the presence of asymmetric information due to Akerlof, Spence, and Stiglitz.

This study argues that the Hashemite Kingdom of Jordan survived the years between the signing of the Baghdad Pact in 1955 and the outbreak of the June 1967 war due primarily to the cohesion of its National Security Establishment (NSE), a ruling coalition of security and foreign policy professionals from the monarchy, the political elite, and the military. By examining the national security policymaking process in Jordan between 1955 and 1967, this study shows that NSE members often disagreed over the means of protecting Jordanian national security, but agreed on the ultimate end of security policy: the preservation of the Hashemite monarchy and the protection of the territorial integrity of Jordan. This thesis examines in detail the foreign and domestic challenges to Jordanian national security during the kingdom's most turbulent period. The thesis makes extensive use of primary sources from the British, American, and Jordanian archives, Arabic and English language memoirs, and interviews with surviving Jordanian decisionmakers. In addition, the study builds on the work of previous scholars by making use of the published literature on Jordan. The first three chapters are organised thematically, while the remaining chapters are organised chronologically.

For over a decade, we have heard alarming statements about the spread of cyber weapons from senior policymakers and experts. Yet, the dynamics of cyber proliferation are still under-studied and under-theorized. This study offers a theoretical and empirical account of what causes the spread and restraint of cyber weapons and argues that the world is not at the brink of mass cyber proliferation. Whilst almost forty states are exploring and pursuing the development of cyber weapons, I indicate that only few have so far acquired a meaningful capability. This is due both to supply and demand factors. On the supply-side, most states have a latent capacity to develop relatively simple offensive cyber capabilities, but are unable to develop sophisticated cyber weapons. Moreover, the incentives for knowledge transfer and thus exporting offensive cyber capabilities between states are weak. On the demand-side, I show that national security considerations do not provide the best explanation of variance. Instead, domestic politics and prestige considerations are paramount. Moreover, and unlike nuclear proliferation, I argue that it is not the possession of cyber weapons but the intention of possession signalled through visible initiatives which matters. Ultimately, I note that cyber weapons can have strategic value - but only under certain conditions.

While research has been done in the past on evaluating standardised security protocols, most notably TLS, there is still room for improvement. Modern security protocols need to be rigorously and thoroughly analysed, ideally before they are widely deployed, so as to minimise the impact of often creative, powerful adversaries. We explore the potential vulnerabilities of modern security protocols specified in current standards, including TLS 1.2, TLS 1.3, and SSH. We introduce and formalise the threat of Actor Key Compromise (AKC), and show how this threat can and cannot be avoided in the protocol design stage. We find AKC-related and other serious security flaws in protocols from the ISO/IEC 11770 standard, find realistic exploits, and harden the protocols to ensure strong security properties. Based on our work, the ISO/IEC 11770 working group is releasing an updated version of the standard that incorporates our suggested improvements. We analyse the unilaterally and mutually authenticated modes of the TLS 1.3 Handshake and Record protocols according to revision 06 of their specification draft. We verify session key secrecy and perfect forward secrecy in both modes with respect to a powerful symbolic attacker and an unbounded number of threads. Subsequently, we model and verify the standard authenticated key exchange requirements in revision 10. We analyse a proposal for its extension and uncover a flaw in it, which directly impacts the draft of revision 11.