Sharif Digital Repository

Nowadays, security evaluation of software is a substantial matter in software world. Security level of software will be determined by wealth of data and operation which it provides for us. The security level is usually evaluated by a third party, named Software Security Certification Issuance Centers. It is important for software security evaluators to perform a sound and complete evaluation, which is a complicated process considering the increasing number of emerging threats. In this paper we propose a Threatened-based Software Security Evaluation method to improve the security evaluation process of software. In this method, we focus on existing threatened entities of software which in turn... 

The decentralized security management in a pervasive computing environment' requires apportioning the environment into several security domains. In each security domain' an administrator (we call it authority) is responsible for specifying the security policies of the domain. Overlapping of security domains results in the requirement of cooperative security management in the shared/ overlapping domains. To satisfy this requirement' we propose an abstract security model' as well as its supplementary calculus of composite authorities. The security model is based on deontic logic and is independent of the domains' heterogeneity. The model's policy language (we call it MASL) enables multiple... 

Rules are used as a way of managing and configuring firewalls to fulfill security requirements in most cases. Managers have to specify their organizational security policies using low level and order-dependent rules. Furthermore, dependency of firewalls to the network topology, frequent changes in network topology (specially in dynamic networks), and lack of a method for analysis and verification of specified security policy may reduce to inconsistencies and security holes. Existence of a higher level environment for security policy specification can rectify part of the problems. In this paper we present a language for high level and formal specification of security policy in firewalls.... 

This paper suggests a model and a definition for forward-secure authenticated key exchange (AKE) protocols, which can be satisfied without depending on the Diffie–Hellman assumption. The basic idea is to use keyevolving schemes (KES), where the long-term keys of the system get updated regularly and irreversibly. Protocols conforming to our model can be highly efficient, since they do not require the resource-intensive modular exponentiations of the Diffie–Hellman protocol. We also introduce a protocol, called FORSAKES, and prove rigorously that it is a forward-secure AKE protocol in our model. FORSAKES is a very efficient protocol, and can be implemented by merely using hash functions  

Many applications, such as e-passport, e-health, credit cards, and personal devices that utilize Radio frequency Identification (RFID) devices for authentication require strict security and privacy. However, RFID tags suffer from some inherent weaknesses due to restricted hardware capabilities and are vulnerable to eavesdropping, interception, or modification. The synchronization and untraceability characteristics are the major determinants of RFID authentication protocols. They are strongly related to privacy of tags and availability, respectively. In this paper, we analyze a new lightweight RFID authentication protocol, Song and Mitchell, in terms of privacy and security. We prove that not... 

In this paper, we consider to seek vulnerabilities and we conduct possible attacks on the crucial and essential parts of Android OSs architecture including the framework and the Android kernel layers. As a regard, we explain the Binder component of Android OS from security point of view. Then, we demonstrate how to penetrate into the Binder and control data exchange mechanism in Android OS by proposing a kernel level attack model based on the hooking method. As a result, by implementing the attack model, it is illustrated that the Android processes are detectable and the data can be extracted from any process and system calls. © 2016 IEEE  

Security techniques have been designed to obtain certain objectives. One of the most important objectives all security mechanisms try to achieve is the availability, which insures that network services are available to various entities in the network when required. But there has not been any certain parameter to measure this objective in network. In this paper we consider availability as a security parameter in ad-hoc networks. However this parameter can be used in other networks as well. We also present the connectivity coefficient of nodes in a network which shows how important is a node in a network and how much damage is caused if a certain node is compromised  

[No abstract available]  

In this paper we introduce two innovative image and video watermarking algorithms. The paper's main emphasis is on the use of chaotic maps to boost the algorithms' security and resistance against attacks. By encrypting the watermark information in a one dimensional chaotic map, we make the extraction of watermark for potential attackers very hard. In another approach, we select embedding positions by a two dimensional chaotic map which enables us to satisfactorily distribute watermark information throughout the host signal. This prevents concentration of watermark data in a corner of the host signal which effectively saves it from being a target for attacks that include cropping of the... 

The decentralized approach to security administration in new computing environments (e.g., pervasive computing and mobile environments) is based on apportioning the environment into multiple security domains. The security policies of each security domain are specified by an authority and enforced by a security agent. The requirements of cooperative administration in such Multi-Security-Domain (MSD) environments, for shared or subdomains, induced us to propose an MSD cooperation framework within a logical security policy language (called MASL) in this paper. MASL is a variation of deontic logic that enables multiple authorities to specify their domain policies, including obligations and... 

Security in mobile handsets of telecommunication standards such as GSM, Project 25 and TETRA is very important, especially when governments and military forces use handsets and telecommunication devices. Although telecommunication could be quite secure by using encryption, coding, tunneling and exclusive channel, attackers create new ways to bypass them without the knowledge of the legitimate user. In this paper we introduce a new, simple and economical circuit to warn the user in cases where the message is not encrypted because of manipulation by attackers or accidental damage. This circuit not only consumes very low power but also is created to sustain telecommunication devices in aspect... 

Designing an efficient and secure electronic voting (e-voting) protocol without the presence of trusted authorities, known as decentralized voting protocols, is one of the most interesting and challenging problems in cryptography. In these protocols the outcome of the protocol is computed by voters collaborating with each other. We provide a rigorous proof of security of a decentralized e-voting protocol proposed by Khader et al. in the Universal Composability (UC) Framework. This protocol is the state-of-the-art decentralized e-voting protocol in terms of efficiency and security, whose security has only been justified against a set of desired properties required in e-voting protocols. For... 

The applications of available transfer capability (ATC) have received considerable attention in restructured power systems. System operators calculate and post ATC values for different time intervals considering power system operation issues, including security issues. On the other hand, competitive electricity market has added economic issues to transmission services such that they could have different price, type (recallable/non-recallable) and curtailment cost. The inclusion of economic issues in ATC calculation to obtain NATC and RATC has not been sufficiently addressed yet. This paper presents a method to calculate ATC on a weekly base in restructured power systems which incorporates... 

Spreading networks and increasing their complexity has complicated the task of security analysis. Accordingly, automatic verification approaches have received more attention recently. In this paper, we modeled a network including a set of hosts (clients and servers) using the process algebra CSP in order to verify the Transmission Control Protocol (TCP) behavior against an active intruder. The model is verified using the FDR tool and as a result, some attack scenarios violating the security are found. The scenarios showes how an intruder can compromise the server trust to its clients. As the model is modular, extendable, and scalable, more complex attack scenarios (combination of simple... 

In this paper, we present design and implementation of TCvisor, a new trusted hypervisor. To this end, TCvisor provides a secure storage with different isolated view per user by using para-passthrough and combined key. In this regard, virtualization technology of processors has been used for complete isolation from operating system. By combining TPM base key, user's password and geo function key, TCvisor provides a secure storage in an environment with split data. We have applied feature wise security analysis TCvisor's secure storage from software system layers point then we have compared performance of TCvisor to selected candidates of existing layers  

In an increasing competitive world, marketing survival can be depended simply on timely new information on customers and market trend. One of the most important strategies in CRM (Customer Relationship Management) is to capture enough information from customers and using this information carefully [Ryals, Tinsley]. Of course security of this information is very important in CRM data management [Bryan]. Data management is a method for scheduling and controlling data saving, recovering and processing. This activity has been done continually or periodically[Bryan]. Security level of this information depends on the security policy of the organization. CRM security policy is the directives and... 

Proxy ring (anonymous proxy) signatures allow an entity to delegate its signing capability to a group of entities (proxy group) such that only one of the members in the proxy group can generate a proxy signature on behalf of the delegator, while privacy of the proxy signer is protected. Identity-based versions of proxy ring signatures employ identity strings in place of randomly generated public keys. Our contribution is twofold. First, we formalize a security model for identity-based proxy ring signatures. We note that there exists no formal security model for identity-based proxy ring signatures prior to our work. Second, we present the first provably secure identity-based proxy ring... 

The 3rd Generation Partnership Project (3GPP) defined a new architecture, called Home eNode B (HeNB). HeNB is able to provide new services with higher data rate in a low cost. Security is a critical aspect of HeNB. In order to have HeNB secure access to core network, 3GPP defines an authentication protocol based on IKEv2. A number of security vulnerabilities such as HeNB masquerading have not been addressed and solved by 3GPP technical specification yet. In this paper an improved HeNB authentication protocol is introduced which does not allow an attacker to connect unauthorized network users using a mask. Finally, we evaluate our protocol performance and verify it by Automated Validation of... 

Based on the risk analysis done in the GSM network of Iran a methodology for cellular mobile network risk management is established. Primarily we focus on the importance of risk management in the GSM Network and then introduce very briefly the suggested method for managing risk in Iranian GSM security. GSM Security risk evaluation is a method for increasing the efficiency of security policy in the manner that security threats and vulnerabilities against the mobile network is identified and prioritized. © 2009 IEEE