Defense in Depth


The Experts below are selected from a list of 9990 Experts worldwide ranked by ideXlab platform

Hervé Debar - One of the best experts on this subject based on the ideXlab platform.

  • TLS Record Protocol: Security Analysis and Defense-in-Depth Countermeasures for HTTPS
    2016
    Co-Authors: Olivier Levillain, Baptiste Gourdin, Hervé Debar
    Abstract:

    TLS and its main application HTTPS are an essential part of internet security. Since 2011, several attacks against the TLS Record protocol have been presented. To remediate these flaws, countermeasures have been proposed. They were usually specific to a particular attack, and were sometimes in contradiction with one another. All the proofs of concept targeted HTTPS and relied on the repetition of some secret element inside the TLS tunnel. In the HTTPS context, such secrets are pervasive, be they authentication cookies or anti-CSRF tokens. We present a comprehensive state of the art of attacks on the Record protocol and the associated proposed countermeasures. In parallel to the community efforts to find reliable long-term solutions, we propose masking mechanisms to avoid the repetition of sensitive elements, at the transport or application level. We also assess the feasibility and efficiency of such defense-in-depth mechanisms. The recent POODLE vulnerability confirmed that our proposals could thwart unknown attacks, since they would have blocked it.

  • TLS Record Protocol: Security Analysis and Defense-in-Depth Countermeasures for HTTPS
    Computer and Communications Security, 2015
    Co-Authors: Olivier Levillain, Baptiste Gourdin, Hervé Debar
    Abstract:

    TLS and its main application HTTPS are an essential part of internet security. Since 2011, several attacks against the TLS Record protocol have been presented. To remediate these flaws, countermeasures have been proposed. They were usually specific to a particular attack, and were sometimes in contradiction with one another. All the proofs of concept targeted HTTPS and relied on the repetition of some secret element inside the TLS tunnel. In the HTTPS context, such secrets are pervasive, be they authentication cookies or anti-CSRF tokens. We present a comprehensive state of the art of attacks on the Record protocol and the associated proposed countermeasures. In parallel to the efforts of the community to find reliable long-term solutions, we propose masking mechanisms to avoid the repetition of sensitive elements, at the transport or application level. We also assess the feasibility and efficiency of such defense-in-depth mechanisms. The recent POODLE vulnerability confirmed that our proposals could thwart unknown attacks, since they would have blocked it.

  • AsiaCCS - TLS Record Protocol: Security Analysis and Defense-in-Depth Countermeasures for HTTPS
    Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, 2015
    Co-Authors: Olivier Levillain, Baptiste Gourdin, Hervé Debar
    Abstract:

    TLS and its main application HTTPS are an essential part of internet security. Since 2011, several attacks against the TLS Record protocol have been presented. To remediate these flaws, countermeasures have been proposed. They were usually specific to a particular attack, and were sometimes in contradiction with one another. All the proofs of concept targeted HTTPS and relied on the repetition of some secret element inside the TLS tunnel. In the HTTPS context, such secrets are pervasive, be they authentication cookies or anti-CSRF tokens. We present a comprehensive state of the art of attacks on the Record protocol and the associated proposed countermeasures. In parallel to the efforts of the community to find reliable long-term solutions, we propose masking mechanisms to avoid the repetition of sensitive elements, at the transport or application level. We also assess the feasibility and efficiency of such defense-in-depth mechanisms. The recent POODLE vulnerability confirmed that our proposals could thwart unknown attacks, since they would have blocked it.

Olivier Levillain - One of the best experts on this subject based on the ideXlab platform.


Baptiste Gourdin - One of the best experts on this subject based on the ideXlab platform.


Quanyan Zhu - One of the best experts on this subject based on the ideXlab platform.

  • Defense-in-Depth-Games
    Advanced Sciences and Technologies for Security Applications, 2020
    Co-Authors: Stefan Rass, Stefan Schauer, Sandra König, Quanyan Zhu
    Abstract:

    In this chapter, we adopt a holistic cross-layer viewpoint towards a hierarchical structure of ICS and the attack models. The physical layer is comprised of devices, controllers and the plant, whereas the cyber layer consists of routers, protocols, and security agents and managers. The physical layer controllers are often designed to be robust, adaptive, and reliable for physical disturbances or faults. With the possibility of malicious behavior from the network, it is also essential for us to design physical layer defenses that take into account the disturbances and delay resulting from routing and network traffic, as well as the unexpected failure of network devices due to cyber-attacks. On the other hand, the cyber security policies are often designed without consideration of control performances. To ensure the continuous operability of the control system, it is equally important for us to design security policies that provide the maximum level of security enhancement but the minimum level of system overhead on the networked system. The physical and cyber aspects of control systems should be viewed holistically for analysis and design.

  • GADAPT: A Sequential Game-Theoretic Framework for Designing Defense-in-Depth Strategies Against Advanced Persistent Threats
    Decision and Game Theory for Security, 2016
    Co-Authors: Stefan Rass, Quanyan Zhu
    Abstract:

    We present a dynamic game framework to model and design defense strategies for advanced persistent threats (APTs). The model is based on a sequence of nested finite two-person zero-sum games, in which the APT is modeled as the attempt to get through multiple protective shells of a system towards conquering the target located in the center of the infrastructure. In each stage, a sub-game captures the attack and defense interactions between two players, and its outcome determines the security level and the resilience against penetrations as well as the structure of the game in the next stage. By construction, interdependencies between protections at multiple stages are automatically accounted for by the dynamic game. The game model provides an analysis and design framework to develop effective protective layers and strategic defense-in-depth strategies against APTs. We discuss a few closed-form solutions of our sequential APT-games, upon which design problems can be formulated to optimize the quality of security (QoS) across several layers. Numerical experiments are conducted in this work to corroborate our results.

  • GameSec - GADAPT: A Sequential Game-Theoretic Framework for Designing Defense-in-Depth Strategies Against Advanced Persistent Threats
    Lecture Notes in Computer Science, 2016
    Co-Authors: Stefan Rass, Quanyan Zhu
    Abstract:

    We present a dynamic game framework to model and design defense strategies for advanced persistent threats (APTs). The model is based on a sequence of nested finite two-person zero-sum games, in which the APT is modeled as the attempt to get through multiple protective shells of a system towards conquering the target located in the center of the infrastructure. In each stage, a sub-game captures the attack and defense interactions between two players, and its outcome determines the security level and the resilience against penetrations as well as the structure of the game in the next stage. By construction, interdependencies between protections at multiple stages are automatically accounted for by the dynamic game. The game model provides an analysis and design framework to develop effective protective layers and strategic defense-in-depth strategies against APTs. We discuss a few closed-form solutions of our sequential APT-games, upon which design problems can be formulated to optimize the quality of security (QoS) across several layers. Numerical experiments are conducted in this work to corroborate our results.

Joseph H. Saleh - One of the best experts on this subject based on the ideXlab platform.

  • Texas City Refinery Accident: Case Study in Breakdown of Defense-in-Depth and Violation of the Safety-Diagnosability Principle in Design
    Engineering Failure Analysis, 2014
    Co-Authors: Joseph H. Saleh, Rachel A Haga, Francesca M. Favaro, Efstathios Bakolas
    Abstract:

    In 2005 an explosion rocked the BP Texas City refinery, killing 15 people and injuring 180. The company incurred direct and indirect financial losses on the order of billions of dollars for victims' compensation as well as significant property damage and loss of production. The internal BP accident investigation and the Chemical Safety Board investigation identified a number of factors that contributed to the accident. In this work, we first examine the accident pathogens or lurking adverse conditions at the refinery prior to the accident. We then analyze the sequence of events that led to the explosion, and we highlight some of the provisions for the implementation of defense-in-depth and their failures. Next we identify a fundamental failure mechanism in this accident, namely the absence of observability or ability to diagnose hazardous states in the operation of the refinery, in particular within the raffinate splitter tower and the blowdown drum of the isomerization unit. We propose a general safety-diagnosability principle for supporting accident prevention, which requires that all safety-degrading events or states that defense-in-depth is meant to protect against be diagnosable, and that breaches of safety barriers be unambiguously monitored and reported. The safety-diagnosability principle supports the development of a "living" or online quantitative risk assessment, which in turn can help re-order risk priorities in real time based on emerging hazards, and re-allocate defensive resources. We argue that the safety-diagnosability principle is an essential ingredient for improving operators' situation awareness. Violation of the safety-diagnosability principle translates into a shrinking of the time window available for operators to understand an unfolding hazardous situation and intervene to abate it. Compliance with this new safety principle provides one way to improve operators' sensemaking and situation awareness and decrease the conditional probability that an accident will occur following an adverse initiating event. We suggest that defense-in-depth be augmented with this principle, without which it can degenerate into an ineffective defense-blind safety strategy.

  • Observability-in-Depth: An Essential Complement to the Defense-in-Depth Safety Strategy in the Nuclear Industry
    Nuclear Engineering and Technology, 2014
    Co-Authors: Francesca M. Favaro, Joseph H. Saleh
    Abstract:

    Defense-in-depth is a fundamental safety principle for the design and operation of nuclear power plants. Despite its general appeal, defense-in-depth is not without its drawbacks, which include its potential for concealing the occurrence of hazardous states in a system, and more generally rendering the latter more opaque for its operators and managers, thus resulting in safety blind spots. This in turn translates into a shrinking of the time window available for operators to identify an unfolding hazardous condition or situation and intervene to abate it. To prevent this drawback from materializing, we propose in this work a novel safety principle termed "observability-in-depth". We characterize it as the set of provisions (technical, operational, and organizational) designed to enable the monitoring and identification of emerging hazardous conditions and accident pathogens in real time and over different time-scales. Observability-in-depth also requires the monitoring of conditions of all safety barriers that implement defense-in-depth; and in so doing it supports sensemaking of identified hazardous conditions, and the understanding of potential accident sequences that might follow (how they can propagate). Observability-in-depth is thus an information-centric principle, and its importance in accident prevention is in the value of the information it provides and the actions or safety interventions it spurs. We examine several "event reports" from the U.S. Nuclear Regulatory Commission database, which illustrate specific instances of violation of the observability-in-depth safety principle and the consequences that followed (e.g., unmonitored releases and loss of containments). We also revisit the Three Mile Island accident in light of the proposed principle, and identify causes and consequences of the lack of observability-in-depth related to this accident sequence. We illustrate both the benefits of adopting the observability-in-depth safety principle and the adverse consequences when this principle is violated or not implemented. This work constitutes a first step in the development of the observability-in-depth safety principle, and we hope this effort invites other researchers and safety professionals to further explore and develop this principle and its implementation.

  • Augmenting Defense-in-Depth with the Concepts of Observability and Diagnosability from Control Theory and Discrete Event Systems
    Reliability Engineering & System Safety, 2011
    Co-Authors: Efstathios Bakolas, Joseph H. Saleh
    Abstract:

    Defense-in-depth is a fundamental principle/strategy for achieving system safety. First conceptualized within the nuclear industry, defense-in-depth is the basis for risk-informed decisions by the U.S. Nuclear Regulatory Commission, and is recognized under various names in other industries (e.g., layers of protection in the chemical industry). Accidents typically result from the absence or breach of defenses or violation of safety constraints. Defense-in-depth is realized by a diversity of safety barriers and a network of redundancies. However, this same redundancy and the intrinsic nature of defense-in-depth (the multiple lines of defense or "protective layers" along a potential accident sequence) may enhance mechanisms concealing the occurrence of incidents, or that the system has transitioned to a hazardous state (accident pathogens) and that an accident is closer to being released. Consequently, the ability to safely operate the system may be hampered and the efficiency of defense-in-depth may be degraded or, worse, may backfire. Several accident reports identified hidden failures or degraded observability of accident pathogens as major contributing factors. In this work, we begin to address this potential theoretical deficiency in defense-in-depth by bringing concepts from Control Theory and Discrete Event Systems to bear on issues of system safety and accident prevention. We introduce the concepts of controllability, observability, and diagnosability, and frame the current understanding of system safety as a "control problem" handled by defense-in-depth and safety barriers (or safety constraints). Observability and diagnosability are information-theoretic concepts, and they provide important complements to the energy model of accident causation from which the defense-in-depth principle derives. We formulate a new safety-diagnosability principle for supporting accident prevention, and propose that defense-in-depth be augmented with this principle, without which defense-in-depth can degenerate into a defense-blind safety strategy. Finally, we provide a detailed discussion and illustrative modeling of the sequence of events that led to the BP Texas City Refinery accident in 2005 and emphasize how a safety-diagnosable architecture of the refinery could have supported the prevention of this accident or mitigated its consequences. We hope the theoretical concepts introduced here and the safety-diagnosability principle become useful additions to the intellectual toolkit of risk analysts and safety professionals and stimulate further interaction/collaboration between the control and safety communities.

  • Safety in the mining industry and the unfinished legacy of mining accidents: Safety levers and Defense-in-Depth for addressing mining hazards
    Safety Science, 2011
    Co-Authors: Joseph H. Saleh, Amy M. Cummings
    Abstract:

    Mining remains one of the most hazardous occupations worldwide, and underground coal mines are especially notorious for their high accident rates. In this work, we provide an overview of the broad and multi-faceted topic of safety in the mining industry. After reviewing some statistics of mining accidents in the United States, we focus on one pervasive and deadly failure mode in mines, namely explosions. The repeated occurrence of mine explosions, often in a similar manner, is the loud unfinished legacy of mining accidents, and their occurrence in the 21st century is inexcusable and should constitute a strong call for action for all stakeholders in this industry to settle this problem. We analyze one such recent mine disaster in which deficiencies in various safety barriers failed to prevent the accident initiating event from occurring, then subsequent lines of defense failed to block this accident scenario from unfolding and to mitigate its consequences. We identify the technical, organizational, and regulatory deficiencies that failed to prevent the escalation of the mine hazards into an accident, and the accident into a "disaster". This case study provides an opportunity to illustrate several concepts that help describe the phenomenology of accidents, such as initiating events, precursor or lead indicator, and accident pathogen. Next, we introduce the safety principle of defense-in-depth, which is the basis for regulations and risk-informed decisions by the US Nuclear Regulatory Commission, and we examine its relevance and applicability to the mining system in support of accident prevention and coordinating actions on all the safety levers (technical, organizational, and regulatory) to improve mining safety. The mining system includes the physical confines and characteristics of the mine, the equipment in the mine, the individuals and the organization that operate the mine, as well as the processes and regulatory constraints under which the mine operates. We conclude this article with the proposition for the establishment of defense-in-depth as the guiding safety principle for the mining industry, and we indicate possible benefits of adopting this structured hazard-centric system approach to mining safety.