Friday December 7, 2007 SoBeNeT project 5th User group meeting 07/12/2007.

Presentation transcript:

Friday December 7, 2007 SoBeNeT project 5th User group meeting 07/12/2007

Agenda
16:00h Welcoming
16:10h Project overview and status
16:40h CLASP, SDL and TouchPoints compared
17:00h SoProTo – A software protection tool
17:20h Run-time enforcement of security policies on the .NET framework
17:40h Discussion and wrap-up
18:00h Drink

Overview
1. Project context
2. Overview of main results
3. Valorization program
4. Outlook on finalization

I. Context: project in a nutshell
- IWT SBO project ( )
  - Extended until April 2008
- Context: availability of security components (still evolving but relatively mature)
- Goal: to enable the development of secure software applications
- 4 Research tracks:
  - Programming and Composition Technology
  - Software engineering – “full life cycle”
  - Tamper and analysis resistance
  - Shielding and interception

The project’s user group
- User group
  - Channel for direct feedback on the execution of the project
  - Primary audience for dissemination
  - Possible channel for validation and valorization
- Composition: 3E, Agfa, Alcatel, Application Engineers, Cryptomatic, EMC², Inno.com, Johan Peeters bvba, Microsoft, L-SEC, NBB, OWASP-Belgium, Philips, PWC, Siemens, UZ Gasthuisberg, Zetes

Evolution of the user group (Wouter: update - remove ?)
- Frequent contacts with active members have also led to collaborative research projects
- Still new members showing up
  - Custodix
  - Cronos
  - …
- Hard to organize plenary meetings

II. Project of fourth project year
- Significant amount of results
  - Academic: scientific publications at all levels, several completed PhD’s, involvement in national and international events
  - Broader dissemination: workshops and courses
- Project execution is on schedule
  - Taking into account the project extension
  - Priorities were fine-tuned during execution
- Industrial validation:
  - Spin-off projects
  - Opportunities for feedback
  - Continuous interest in practical validation!

Looking Back… Year 1
- Project support activities
  - Vulnerability study and classification
  - Inception of case studies
- Feasibility study of engineering application-level security with AOSD
- Study of techniques for tamper and analysis resistance
- Study of interception techniques

Headlines of Year 2
- Model for addressing code injection vulnerabilities
- Interrelations between point solutions in track I (Languages and composition)
  - E.g., security contracts as a language extension and a vehicle for reasoning on composition
  - Focus on component frameworks
- Activating the software engineering track
  - Study activities (incl. workshops)
- Architecture for management and monitoring
- Survey of attack methods and options in application protocols
- First industrial validations

Headlines of Year 3
- Release of dnmalloc
- Support for different types of security contracts
  - CAS, data dependencies, concurrency
- Fine-tuning of modularized access control
- Study of AOP security implications
- Refinement of secure development process activities (leveraged, among others, by results of other tracks)
- Improved techniques for tamper and analysis resistance
- Security management and monitoring applied to the .Net platform

Headlines Y4: Track 1
- General model for security contracts (PhD)
  - Language specification and static verification based on Spec#
- Access Control Interfaces (PhD)
  - Security-tuned composition mechanism based on AOSD technology
- AOPS, a permission system for dealing with AOP risks
- Security architecture for third-party applications on mobile devices

Headlines Y4: Track 2
- In-depth study and comparison of SDL, CLASP and Touchpoints has resulted in the activity matrix
- Analysis and systematic support for security principles in process activities
- Towards automated transition from requirements -> architecture
- Survey of security patterns

Headlines Y4: Track 3
- New techniques and attacks
  - Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings [SAC 2007]
  - Remote attestation on legacy operating systems with trusted platform modules [REM 2007]
  - Software Security Through Targeted Diversification [CoBaSSA 2007]
- SoProTo - Software Protection Tool
  - White-box cryptography
  - Obfuscation transformations

Headlines Y4: Track 4
- Application protocol checker
- Integration of protocol checker in application-level firewall

Some numbers
- Over 100 publications in 4 years (>10 researchers involved)
- 3 PhD’s completed, more coming up
- (Co-)organization of >10 dissemination events
  - Project specific workshops
  - International conferences and workshops
- >5 spin-off projects with industrial partners
- Intensive contacts with >10 partners from user group

III. Valorization
- A number of results are applicable in practical settings
  - C/C++ memory allocator
  - Protocol checking for web applications
  - SSE process comparison
  - Library of analysis / tamper resistance techniques
- National and international contact networks
- Several spin-off projects have been created

Some of the spin-off projects
- Pecman
- Bcrypt
- EHIP II (possibly starting in 2008)

Pecman: Personal Content Management
- Project summary
  - A user-centric solution enabling uniform storage and manipulation of personal data as well as universal access to this data
- Security-specific expectations
  - Security service bus: an architectural approach for crosscutting security enforcement
  - User-level policies, and their translation to system-level policies

BCRYPT: Belgian Fundamental Research on Cryptology and Information Security
- Project summary
  - Interuniversity Attraction Pole (IAP)
- Concrete expectations
  - Fundamental research: discrete mathematics, cryptographic algorithms and protocols, watermarking, secure software, and secure hardware.
  - Application areas: secure documents, ultra low power crypto for sensor networks, ambient intelligence and RFID, mobile terminals, DRM and trusted computing

Industry segments
- System Integrators and consultants (software development on a project base)
- Product development companies
  - Traditional Embedded systems
  - Telecom
  - Other
  - (boundaries are vague)
- Other stakeholders in software applications: business owner, system manager

Upcoming events
- December 18-19, 2007: Remote EnTrusting by RUn-time Software auThentication (RE-TRUST) - Workshop, Leuven
- March 3-7, 2008: Secure Application Development course, Leuven
- July 22, 2008: Advanced Applications for the Electronic Identity Card (ADAPID) – Workshop, Leuven
- July 23-25, 2008: The 8th Privacy Enhancing Technologies Symposium (PETS 2008), Leuven
- To be announced: OWASP event on secure software development processes

IV. Outlook
- Finalization headlines
  - Provably correct inliner
  - Improvement of verification techniques
  - Validation of AOP permission system
  - SoProTo
    - Extended analysis front-end
    - Self-encrypting code module
- Opportunities for validation ?
- Incubation of SoBeNeT II (SEC SODA)

SECSODA
- Stands for SECure of SOftware in Distributed Applications …
- IWT SBO Proposal
  - Due January 2008
  - Project:

Research Themes
- Programming and Composition Technology
- Software Engineering 4 Security
- Tamper and Analysis Resistance
- Verification
- Application case studies
- Extensions of practical technologies and methodologies (WS, SOA, .NET, …)
mailto: {bartd,

Thank you! Questions?
