First Workshop on
Quality of Protection
Milan, Italy - September 15, 2005.

Workshop co-located with ESORICS & METRICS


QoP 2005 Proceedings


Invited Speaker

Call for papers


QoP 2006

QoP 2007

QoP 2008

MetriSec 2009

QoP List of Accepted Papers

Swapna Gokhale and Robert Mullen. A Discrete Lognormal Model for Software Defects affecting QoP

Abstract: Many computer and network security crises arise due to the exploitation of software defects and are only remedied by their repair. Thus the effect of security related software defects and their occurrence rates is an important aspect of Quality of Protection (QoP). Existing arguments and evidence suggests that the distribution of occurrence rates of software defects is lognormal and that the first occurrence times of defects follows the Laplace transform of the lognormal.  We extend this research to hypothesize that the distribution of occurrence counts of security related defects follows the Discrete Lognormal. We find that the observed occurrence counts for three sets of defect data relating specifically to network security are consistent with our hypothesis.  The paper thus demonstrates how the existing concepts and techniques in software reliability engineering may be applied to study the occurrence phenomenon of security related defects that impact QoP.

Ernesto Damiani, Sabrina De Capitani di Vimercati, Sara Foresti, Pierangela Samarati and Marco Viviani. Measuring Inference Exposure in Outsourced Encrypted Databases

Abstract: Database outsourcing is becoming increasingly popular introducing a new paradigm, called database-as-a-service, where an encrypted client's database is stored at an external service provider. Existing proposals for querying encrypted database are based on the association, with each encrypted tuple, of additional indexing information obtained from the plaintext values of attributes that can be used in the queries. However, the relationship between indexes and data should not open the door to inference and linking attacks that can compromise the protection granted by encryption. In this paper, we present a simple yet robust indexing technique and investigate quantitative measures to model inference exposure. We present different techniques to compute an aggregate measure from the inference exposure associated with each single index. Our approach can take into account the importance of plaintext attributes associated with indexes and/or can allow the user to weight the inference exposure values upplied in relation to their relative ordering.

Simon Foley, Stefano Bistaelli, Barry O'Sullivan, John Herbert and Garret Swart. Multilevel Security and Quality of Protection

Abstract: Constraining how information may flow within a system is at the heart of many protection mechanisms and many security policies have direct  interpretations in terms of information flow and multilevel security style controls. However, while conceptually simple, multilevel security controls have been  difficult to achieve in practice.In this paper we explore how the traditional assurance measures that are used in the network multilevel security model can be re-interpreted and generalised to provide the basis of a framework for reasoning about the quality of protection provided by a secure system configuration.

Iliano Cervesato. Towards a Notion of  Quantitative Security Analysis

Abstract: The traditional Dolev-Yao model of security limits attacks to ``computationally feasible'' operations.  We depart from this model by assigning a cost to protocol actions, both of the Dolev-Yao kind as well as non traditional forms such as computationally-hard operations, guessing, principal subversion, and failure.  This quantitative approach enablesevaluating protocol resilience to various forms of denial of service, guessing attacks, and resource limitation.  While the methodology is general, we demonstrate it through a low-level variant of the MSR specification language.

Dogan Kesdogan and Lexi Pimenidis. The Lower Bound of Attacks on Anonymity Systems -- A Unicity Distance Approach

Abstract: During the last years a couple of attacks on generic anonymity protocols emerged, like e.g. the hitting-set attack. These attacks make use of informations gained by passively monitoring anonymizing networks to disclose the communication profile of the users. It has been proven that the longer a person, we call her Alice, communicates over an anonymizing infrastructure using the same set of peers (i.e. following a prefixed profile), the more likely it gets that a link between her and her peers can be detected. On the other hand, if she changes her peers dynamically, this is getting harder. In this work we are going to present a method to calculate a lower bound of observations that is needed to identify all peer partners of Alice (i.e. total break) by assuming a prefixed personal profile of Alice. We claim in this work that this number is comparable to the well known measure 'unicity distance' in the area of cryptography.

Davide Balzarotti, Mattia Monga and Sabrina Sicari. Assessing the risk of using vulnerable components

Abstract: This paper discusses how information about the architecture and the vulnerabilities affecting a distributed system can be used to quantitatively assess the risk to which the system is exposed.  Our approach to risk evaluation can be used to assess how much one should believe in system trustworthiness and to compare different solutions, providing a tool for deciding if the additional cost of a more secure component is worth to be afforded.

Judith E. Y. Rossebo, Mass Soldal Lund, Knut Eilif Husa and Atle Refsdal. A Conceptual Model for Service Availability

Abstract: Traditionally, availability has been seen as an atomic property asserting the average time a system is "up" or "down". In order to model and analyse the availability of computerized systems in a world where the dependency on and complexity of such systems are increasing, this notion of availability is no longer sufficient. This paper presents a conceptual model for availability designed to handle these challenges. The core of this model is a characterization of availability by means of accessibility properties and exclusivity properties, which is further specialized into measurable aspects of availability. We outline how this conceptual model may be refined to a framework for specifying and analysing availability requirements.

Valentina Casola, Antonino Mazzeo, Nicola Mazzocca and Massimiliano Rak. A SLA evaluation methodology in Service Oriented Architectures

Abstract: Cooperative services in Service Oriented Architectures (SOA) interact and delegate jobs to each other, when they need to respect a Service Level Agreement (SLA) they need to explicitly manage it amongst each other. SLAs and, above all, security-SLAs, are usually expressed in ambiguous ways and this implies that they need to be manually evaluated both in a mutual agreement to "qualify a service" and in the monitoring process. Due to this approach usually service composition cannot vary dynamically. In this paper we introduce a methodology which helps in security SLA automatic evaluation and comparison. The methodology founds on the adoption of policies both for service behavior and SLA description and on the definition of a metric function for evaluation and comparison of policies. We will illustrate the applicability of the proposed methodology in different context of great interests for e-government projects.

Andy Ozment. Software Security Growth Modeling: Examining Vulnerabilities with Reliability Growth Models

Abstract: The insecurity of commercial software is due in part to the lack of useful metrics of software ecurity. However, the software engineering tools historically used to examine faults can also be used to examine vulnerabilities. This work proposes that \emph{security} growth modeling can provide a useful absolute and relative metric of software security: an estimate of the total number of vulnerabilities in a product. Unfortunately, obtaining accurate vulnerability data in order to model software security is difficult. The challenges of the collection process are considered and a set of vulnerability characterization criterion are proposed. Fifty-four months of vulnerability data for OpenBSD 2.2 were collected, and ten reliability growth models were applied to this data. Seven of the models tested had successful prequential likelihood (accuracy) and goodness-of-fit results. Security growth modeling thus shows promise in providing a measurement for security. However, some impediments to its use remain: these challenges and several avenues of potential research are discussed.

Miles McQueen, Wayne Boyer, Mark Flynn and George Beitel. Time-to-compromise Model for Cyber Risk Reduction Estimation

Abstract: We propose a new model for estimating the time to compromise a system component that is visible to an attacker. The model provides an estimate of the expected value of the time-to-compromise as a function of known and visible vulnerabilities, and attacker skill level. The time-to-compromise random process model is a composite of three subprocesses associated with attacker ac-tions aimed at the exploitation of vulnerabilities. In a case study, the model was used to aid in a risk reduction estimate between a baseline Supervisory Control and Data Acquisition (SCADA) system and the baseline system enhanced through a specific set of control system security remedial actions. For our case study, the total number of system vulnerabilities was reduced by 86% but the dominant attack path was through a component where the number of vulner-abilities was reduced by only 42% and the time-to-compromise of that compo-nent was increased by only 13% to 30% depending on attacker skill level.

Reine Lundin, Stefan Lindskog, Anna Brunstrom and Simone Fischer-Hu"bner. Using Guesswork as a Measure for Confidentiality of Selectively Encrypted Messages

Abstract: In this paper, we start to investigate the security implications of selective encryption.We do this by using the measure guesswork, which gives us the expected number of guesses that an attacker must perform in a brute force attack to reveal an encrypted message. The concept of reduction chains, is used to describe how the search (message) space changes for the attacker with different encryption levels. The characteristic of the proposed measure is investigated for zero-order languages.

ALATA ERIC, DACIER MARC, DESWARTE Yves, KAANICHE MOHAMED, KORTCHINSKY KOSTYA, NICOMETTE VINCENT, PHAM VAN-HAU and POUGET FABIEN. Collection and analysis of attack data based on honeypots deployed on the Internet

Abstract: The CADHo project (Collection and Analysis of Data from Honeypots) is an ongoing research action funded by the French ACI "Securite' & Informatique” [1]. It aims at building an environment to better understand threats on the Internet and also at providing models to analyze the observed phenomena. Our approach consists in deploying and sharing with the scientific community a distributed platform based on honeypots that gathers data suitable to analyze the attack processes targeting machines connected to the Internet. This distributed platform, called Leurre'.com and administrated by Institut Eure'com, offers each partner collaborating to this initiative access to all collected data in order to carry out statistical analyzes and modeling activities. So far, about thirty honeypots have been operational for several months in twenty countries of the five continents. This paper presents a brief overview of this distributed platform and examples of results derived from the data. It also outlines the approach investigated to model observed attack processes and to describe the intruders behaviors once they manage to get access to a target machine.

Günter Karjoth, Birgit Pfitzmann, Matthias Schunter and Michael Waidner. Service-oriented Assurance - Comprehensive Security by Explicit Assurances

Abstract: Flexibility to adapt to changing business needs is a core requirement of today's enterprises.  This is addressed by decomposing business processes into services that can be provided by scalable service-oriented architectures.  Service-oriented architectures enable requesters to dynamically discover and use sub-services.  Today, service selection does not consider security. In this paper, we introduce the concept of Service Oriented Assurance (SOAS), in which services articulate their offered security assurances as well as assess the security of their sub-services.  Products and services with well-specified and verifiable assurances provide guarantees about their security properties.  As a consequence, SOAS enables discovery of the sub-services with the ``right'' level of security.  Applied to business installations, it enables enterprises to perform a well-founded security/price trade-off for the services used in their business processes.

Andrea Atzeni and Antonio Lioy. Why to adopt a security metric? A little survey

Abstract: Security is a hot topic among recent computer system issues. Many security experts advocate the urgent need to improve and increase the investment on security, as well as the necessity to protect user privacy. On the other hand, the same security experts admit the difficulty to quantify security. This paper tries to highlight the motivation to improve measurement security techniques, and discusses whether the status quo is promising enough to justify security investments in the hope of significant gains.

Dogan Kesdogan, Lexi Pimenidis and Tobias Ko"lsch. Intersection Attacks on Web-Mixes: Bringing the Theory into Praxis

Abstract: In the past, different intersection attacks on Chaum Mixes have been proposed and shown to work well in simulation environments. In this work we describe intersection attacks that have been performed on data from anonymized proxy log files. This approach creates all new problems that arise in real systems, where real-world users do not behave like those in the idealized model. E.g. the attack algorithm has to cope with a fixed number of observations. From the performed first experiments on the ``dirty'' real world data we get valuable insight into theory and practice of real anonymizers.