Published by Georgina Blair. Modified over 9 years ago.
Tuesday October 25, 2005 SoBeNeT project User group meeting 25/10/2005
Agenda
14:00h Introduction and overview of last year's activities
14:30h Presentation of selected results DistriNet:
  - Verifiable Contracts for Stack Inspection Based Sandboxing by Jan Smans
  - Protecting C and C++ programs from current and future code injection attacks by Yves Younan
15:10h Presentation of selected results COSIC:
  - Identification and Classification of Critical Software Modules in Modern Applications by Jan Cappaert
15:50h Break
16:00h Presentation of selected results Ubizen:
  - The best plans don't survive first contact; Bad guys think differently by Eddy Vanlerberghe
16:40h Discussion: feedback and opportunities for validation
17:00h Conclusion
17:10h Informal gathering
The project in a nutshell
IWT SBO project (2003-2007)
Context: availability of security components
Goal: to enable the development of secure application software
4 Research tracks:
  - Programming and Composition
  - Software engineering
  - Tamper and analysis resistance
  - Shielding and interception
The project's user group
User group:
  - Channel for direct feedback on the execution of the project
  - Primary audience for dissemination
  - Possible channel for validation and valorization
Composition: 3E, Agfa, Alcatel, Application Engineers, (Banksys), Cryptomatic, (De Post), EMC², Inno.com, Johan Peeters bvba, Microsoft, L-SEC, NBB, OWASP-Belgium, Philips, PWC, Siemens, UZ Gasthuisberg, Zetes
Project status
End of second project year
Project execution is mainly on schedule
Substantial amount of results:
  - Academic: scientific publications and involvement in (inter)national events
  - Broader: workshops and courses
  - First steps of industrial validation
Programming and Composition Track
1.1.1: Literature survey of causes and weaknesses
  - Webservices [Krisvdb] and PalmOS [Goovaerts]
1.1.2: Application case studies
  - E-finance [Lagaisse], E-publishing, KWS
1.2.1: Inventory of solution techniques
  - Formal software security [De Win]
1.2.2: Evaluation SoA programming languages
  - C#
1.2.3: Definition optimal programming model
  - Memory allocators for C/C++ [Younan]
Programming and Composition Track
1.3.1: Composition model for security
  - Survey discussion [De Win], CAS for .NET [Smans]
1.3.2: Complex composition scenarios
  - Improving abstractions [Verhanneman], Generic XACML binding, Dependency scenarios [Desmet]
1.4.1: Definition basic security requirements
1.4.2: Support for contracts in component frameworks
  - Extending .NET for contracts [Jacobs]
1.4.3: Evaluation of component frameworks
  - Comparison J2EE, CORBA, .NET, WS, Mobile [Goovaerts]
Software Engineering Track
2.1.1: Inventory of common security requirements
  - Literature study and case study driven
2.2.1: Study of industry best practice
  - Overview presented in workshop [Ubizen]
2.2.2: Study of mainstream SE processes
  - Focus on UP and XP to be presented in workshop, survey of relevant research [De Win]
Tamper and Analysis Resistance Track
3.1.1: Survey of critical software modules
  - Analysis report [Cappaert]
3.2.1: Development of new software effective efforts
  - Description and testing of first ideas [Wyseur]
All results are available on the project website (http://sobenet.cs.kuleuven.be)
Shielding and Interception Track
4.1.3: Study of interception in the software industry
  - Application to KWS case
4.1.6: Study of transfer mechanisms
  - Inventory of transfer mechanisms
4.1.7: Design of interception point coordination
  - SIAMM and SOSA
4.2.1: Study of formal approaches
  - ASM-based specification of application-level protocols for OO
4.2.2: Derivation of security requirements
  - Protocol conformance checker from ASM specification [Smans]
4.2.3: Study of attack methods
  - Survey of various attack methods [Ubizen]
4.2.4: Study of attack options
  - Survey of various attack options [Ubizen]
Focus for Year 02 (revisited)
Headlines:
  - Interrelations between point solutions in track I (Languages and composition)
  - Maturing the application case studies – track I
  - Intensifying the software engineering track – track II
  - Cross-fertilization between the above and tracks III and IV respectively
Headlines of Year 3
  - Composition model for security (COSMOS): elaboration of new contract types
  - Integration with mainstream component frameworks
  - Refinement of secure development process activities (leveraged, among others, by results of other tracks)
  - Improved techniques for tamper and analysis resistance
  - Security management and monitoring
Agenda
14:00h Introduction and overview of last year's activities
14:30h Presentation of selected results DistriNet:
  - Verifiable Contracts for Stack Inspection Based Sandboxing by Jan Smans
  - by Yves Younan
15:10h Presentation of selected results COSIC:
  - Identification and Classification of Critical Software Modules in Modern Applications by Jan Cappaert
15:50h Break
16:00h Presentation of selected results Ubizen:
  - The best plans don't survive first contact; Bad guys think differently by Eddy Vanlerberghe
16:40h Discussion: feedback and opportunities for validation
17:00h Conclusion
17:10h Informal gathering
Feedback and Validation
  - User group poll
  - More focus on validation
  - Key target platforms: J2EE and .NET
Future Events
28/10/2005 SoBeNeT workshop “The role of security in software processes (UP, XP) and software architecture”
14/10/2005 Hack.lu workshop “Web Application Vulnerability Assessment”
09/11/2005 12th ACM Computer and Communication Security Conference (CCS)
21-25/11/2005 IPA Herfstdagen over Security
12-16/12/2005 Javapolis (security track)
20-24/02/2006 Secure application development course
13-15/03/2006 International Symposium on Secure Software Engineering (ISSSE)