Application of contract-based security assertion monitoring framework for telecommunications software engineering

Authors:
Alexander M. Hoole;Issa Traore;Isabelle Simplot-Ryl
Affiliations:
Department of Electrical and Computer Engineering, University of Victoria, P.O. Box 3055 STN CSC, Victoria, B.C. V8W 3P6, Canada;Department of Electrical and Computer Engineering, University of Victoria, P.O. Box 3055 STN CSC, Victoria, B.C. V8W 3P6, Canada;Lifl Cnrs Umr 8022, Inria Lille-Nord Europe, Université de Lille I, Cité Scientifique, F-59655 Villeneuve d'Ascq Cedex, France
Venue:
Mathematical and Computer Modelling: An International Journal
Year:
2011

Citing 20
Cited 0

A simple approach to specifying concurrent systems

Communications of the ACM
The temporal logic of reactive and concurrent systems

The temporal logic of reactive and concurrent systems
Composing specifications

ACM Transactions on Programming Languages and Systems (TOPLAS)
Programming by contract

Computer - Special issue: neural computing: companion issue to Spring 1996 IEEE Computational Science & Engineering
Requirements-based monitors for real-time systems

Proceedings of the 2000 ACM SIGSOFT international symposium on Software testing and analysis
Enforceable security policies

ACM Transactions on Information and System Security (TISSEC)
Applying "Design by Contract"

Computer
Contracts for ODP

ARTS '97 Proceedings of the 4th International AMAST Workshop on Real-Time Systems and Concurrent and Distributed Software: Transformation-Based Reactive Systems Development
BlueBoX: A policy-driven, host-based intrusion detection system

ACM Transactions on Information and System Security (TISSEC)
Execution monitoring of security-critical programs in distributed systems: a Specification-based approach

SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Misuse and Abuse Cases: Getting Past the Positive

IEEE Security and Privacy
Building More Secure Software with Improved Development Processes

IEEE Security and Privacy
Software Security: Building Security In

Software Security: Building Security In
Dataflow Anomaly Detection

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Linux and open source in telecommunications

Linux Journal
Defining Misuse within the Development Process

IEEE Security and Privacy
The Security Development Lifecycle

The Security Development Lifecycle
An architecture for specification-based detection of semantic integrity violations in kernel dynamic data

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Misuse Cases: Use Cases with Hostile Intent

IEEE Software
Contract-Based Security Monitors for Service Oriented Software Architecture

APSCC '08 Proceedings of the 2008 IEEE Asia-Pacific Services Computing Conference

Quantified Score

Hi-index	0.98

Visualization

Abstract

Telecommunication software systems, containing security vulnerabilities, continue to be created and released to consumers. We need to adopt improved software engineering practices to reduce the security vulnerabilities in modern systems. Contracts can provide a useful mechanism for the identification, tracking, and validation of security vulnerabilities. In this work, we propose a new contract-based security assertion monitoring framework (CB_SAMF) that is intended to reduce the number of security vulnerabilities that are exploitable across multiple software layers, and to be used in an enhanced systems development life cycle (SDLC). We show how contract-based security assertion monitoring can be achieved in a live environment on Linux. Through security activities integrated into the SDLC we can identify potential security vulnerabilities in telecommunication systems, which in turn are used for the creation of contracts defining security assertions. Our contract model is then applied, as runtime probes, against two common security related vulnerabilities in the form of a buffer overflow and a denial of service.