Tuesday October 25, 2005 Preview SoBeNeT- II project

Tuesday November 14, Agenda 16:00hIntroduction and project status 17:00hDiscussion: feedback and opportunities for validation 17:15h Preview of the SoBeNeT-II project 17:50hConclusion and wrap-up 18:00hInformal gathering and drinks

Tuesday November 14, The new project in a nutshell Natural follow-up of SoBeNeT project  Strategic, fundamental research for enabling secure software (IWT SBO)  Specific accents and focused efforts  Verification upgraded to become one of the project’s cornerstones (Towards “assurance”) Project consortium is identical  DistriNet, COSIC, Ubizen (Cybertrust)  Increased level of collaboration User group is continued –anyway!!!  Evolving group driven by collaborations, interests, company priorities

Tuesday November 14, Project structure and work plan 4 or 5 major tracks  Software development technologies for security  Software engineering for security  Techniques to protect sensitive parts in secure software  Assurance: Verification of security requirements and Attestation  Monitoring and management technology

Tuesday November 14, Security middleware Component Models Operating systems systems security Applications: drivers and validation means From SoBeNeT E-financeE-healthE-publishing SEC SODA Integrated approach to develop and deploy secure software Programming language technology Secure Software Engineering (Process, Artifacts, Automation…) Secure Deployment (Monitoring and management) Assurance ( verification, trusted computing, sealing…) 2 tracks

Tuesday November 14, Discussion 1/4 Software development technologies will focus on  State-of-the art programming languages  Standard platforms.NET WS* J2EE Not on traditional C/C++ programming Based on majority of the user group

Tuesday November 14, Discussion 2/4 Software engineering will focus on  Architecture driven design  Increased Automation (MDD)  Also address: Introducing metrics (hard) Broadening set of requirements (track 5) Not on Agile methods Backed by majority of the user group

Tuesday November 14, Discussion 3/4 Introduce efforts towards assurance  Attestation  Verification  WIN-WIN COSIC DISTRINET  Sealing Less relevant for the user group? Yet essential for world class results in the long run…

Tuesday November 14, Discussion 4/4 “Shielding and interception” has evolved to become secure deployment.  Includes focus on business management  Introduces new types of requirements Ability to do forensics Practice of audit, business continuity  Hence great synergy with track on secure software engineering Long term vision: integration with the overall life cycle management of security (methodology to be public – backed by Cybertrust)

Tuesday October 25, 2005 Track level details

Tuesday November 14, Track 1: software development technology (DistriNet) WP1: Identification of critical vulnerability classes  Ongoing monitoring of vulnerability trends  Proactive analysis of new technologies (e.g., AOSD, AJAX) WP2: Programming models  Definition of methodology for designing programming models  Supporting compositions of programming models WP3: Component models and composition  Component contracts  Load-time and run-time contract checking  Extending support for advanced composition (AOSD, DSL’s)  Secure composition of aspects WP4: Validation for web application and services  Demonstrate combinations of programming models for web applications  Define a library of reusable, composeable security services

Tuesday November 14, Track 2: Software engineering (DistriNet, Ubizen) WP1: Enablers  Supporting SoA security requirements  Creating security metrics  Up-to-date overview of vulnerabilities and requirements WP2: Architecture driven development  Architecture definition (method, patterns)  Feature interaction for security  Traceability of architectural decisions  Maintaining architectural integrity  Supporting architectural consistency WP3: Model driven development  Definition of notations that enable transformation and verification  Definition of DSL’s for specific security concerns  Exploration of transformation techniques  Support for traceability (from requirements to implementation)  Property-preserving refinements (e.g., for security principles)

Tuesday November 14, Track 3: Protection techniques (COSIC) WP1: Self-checking code  State-of-the-art study  Improvements (e.g., mutually checking software guards)  Proof-of-concept / implementation WP2: Self-modifying code  State-of-the-art study  Analysis and attacks  Improvements: code encryption  Implementation WP3: Obfuscation and white-box crypto interaction  Use of random functions to improve obfuscation techniques  Continuation of sobenet1 research WP4: Encrypted code execution and encrypted data processing  Homomorphic encryption

Tuesday November 14, Track 4: Verification (COSIC, DistriNet) WP1: Software attestation  Study of the state-of-the art software attestation  Currently only software based  Identification of problems  Research how to use (existing an new) software techniques and hardware to address these problems e.g. use of a TPM to solve the timing problem; use of smartcard WP2: Trusted computing platforms (use of TPM)  How to use trusted computing platforms to enhance software security ….

Tuesday November 14, Track 5: Management and monitoring (Ubizen, DistriNet) WP1: Requirements  Audit requirements and solutions  Business management requirements and solutions  Administration requirements and solutions WP2: Deployment architectures WP3: Patterns for software engineering track (ADD)

Tuesday October 25, 2005 Discussion Suggestions for improvement, focus, … ?