SACMAT’08 Proceedings have been posted online at ACM. Visit here to see our “Model-based Behavioral Attestation Framework”.

(Incidentally, Security Engineering Research Group blog is also up at http://serg.imsciences.edu.pk)

If you’ve been working on research papers, you must realize how difficult it is to keep track of the latest papers and upcoming conferences. So, here’s the solution: use Google Alerts to set up alerts for yourself. Here’s a screenshot of my settings. I’ve set up alerts for IEEE, ACM and Usenix for “remote attestation” so that whenever a new paper appears, I’ll see it. (The CFP trick also works fine; I’ve managed to find many conferences this way.) If you can think of any more alerts, do let me know.

Updates

June 15, 2008

It’s been a while since I wrote something abstract here. I hardly get the time to write something that’s not a paper or part of a (research) proposal. I’m writing this now because of one reason: I’m looking for people who can work with me. Because I’m not teaching full-time, I can’t find students who’d commit to work with me. So, I’m floating some ideas. If you think you might be interested in working on them with me, mail me (or comment here).

  1. I’ve worked on “common sense and folksonomy” for some time now. This work is in the background now that I’m working on security but I still have quite a few ideas which can not only be researched but also implemented and tested. So, this can be useful if you’re looking for some work related to web search or collaborative systems.
  2. Usage control: This is what I’m focusing on nowadays. Usage control deals with access decisions on a client platform. Imagine a scenario where you release some artwork to your agent. The agent can pass the artwork to others but only art galleries can view the image. You can also restrict the usage to a certain amount of time or to a number of views. This seems like Digital Rights Management but it’s much more than that; it’s also especially relevant to systems like those involved in e-government - an area where Pakistan needs a vast human resource.
  3. Remote Attestation: This is an extremely rich field of security. An important aspect of Trusted Computing, remote attestation deals with the questions: “can the remote platform be trusted?”, “will it behave in the future as I expect it to?” and “is there any software on the remote platform which can misuse my resources?”. Put remote attestation and usage control together and you have one air-tight security mechanism. My work in this area goes beyond just theoretical research. I’ve done some practical implementations and I have a few ideas about how to proceed.

All these areas have lots of work in them. What’s needed is some human resource to do the work!

I’ve been working on the Shibboleth project, trying to implement the identity management framework and trying to extend it. You’ll have to wait for a paper or thesis for more details about the work we’re actually doing.

In essence, the Shibboleth (shib) Identity Provider (IdP) authenticates a user and releases certain attributes of the user to the Service Provider (SP). The standard implementation of the IdP can extract attributes from the filesystem, an LDAP server or an RDBMS. If you want to retrieve attributes from some obscure place (like your application specializing in dynamically generating some attributes), you need to write your own data connector. Here are the steps you need to take in order to create a new data connector: (I’m assuming you’re using the IdP provided by Internet2 — written in Java)

  1. Add a dataconnector to shibboleth-2.0-attribute-resolver-dc.xsd in src/main/resources/schema
  2. Add resolver-new-connector.xml where resolver-ldap.xml is (this is only for the tests though)
  3. Add new-connectorfactorybean.java where ldapconnectorfactorybean.java is.
  4. Add new-connectorbeandefinitionparser.java where ldapconnectorbeandefinitionparser.java is.
  5. Add new-dataconnector.java to common.attribute.resolver.provider.dataconnector
  6. Register the new bean parsers… this one’s a little tricky… See code for details.

After that, you need to write the relevant XML in conf/attribute-resolver.xml and conf/attribute-filter.xml to release the new attribute. Also, you need to write an attribute map on the SP side to map the new attribute to a header.
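As an added illustration of step 5, here is a minimal connector class for the IdP 2.x resolver. It is example code written for this post, not the project’s code and not the connector we are releasing: the base class, resolution context and exception names are assumed from the Internet2 IdP 2.x source tree, while the “usageTicket” attribute, the key wiring through the factory bean and the HMAC construction are my own choices.

```java
package edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import edu.internet2.middleware.shibboleth.common.attribute.BaseAttribute;
import edu.internet2.middleware.shibboleth.common.attribute.provider.BasicAttribute;
import edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException;
import edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethResolutionContext;

/** Hypothetical connector that generates a "usageTicket" attribute at resolution time (example, not project code). */
public class TicketDataConnector extends BaseDataConnector {
    public static final String ATTRIBUTE_ID = "usageTicket"; // offered to AttributeDefinitions via sourceAttributeID (assumed name)
    private final byte[] key; // HMAC key, injected by the connector's factory bean (assumed wiring)
    public TicketDataConnector(byte[] key) {
        this.key = key;
    }
    /** Called by the resolver for every attribute request; returns only the attributes this connector provides. */
    public Map<String, BaseAttribute> resolve(ShibbolethResolutionContext ctx) throws AttributeResolutionException {
        String principal = ctx.getAttributeRequestContext().getPrincipalName();
        String requester = ctx.getAttributeRequestContext().getInboundMessageIssuer();
        // Never generate an attribute for an unauthenticated or unidentified request: no principal or SP, no ticket.
        if (principal == null || principal.length() == 0 || requester == null) throw new AttributeResolutionException("connector " + getId() + ": missing principal or requester");
        BasicAttribute<String> ticket = new BasicAttribute<String>(ATTRIBUTE_ID);
        ticket.getValues().add(buildTicket(principal, requester));
        Map<String, BaseAttribute> result = new HashMap<String, BaseAttribute>();
        result.put(ATTRIBUTE_ID, ticket);
        return Collections.unmodifiableMap(result);
    }
    /** HMAC over user and SP entityID, so a ticket released to one SP is useless if replayed to another. */
    String buildTicket(String principal, String requester) throws AttributeResolutionException {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            byte[] tag = mac.doFinal((principal + "|" + requester).getBytes("UTF-8"));
            StringBuilder hex = new StringBuilder();
            for (byte b : tag) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (Exception e) {
            throw new AttributeResolutionException("ticket generation failed: " + e.getMessage());
        }
    }
    /** Configuration sanity check run before the resolver is put into service. */
    public void validate() throws AttributeResolutionException {
        if (key == null || key.length < 16) throw new AttributeResolutionException("connector " + getId() + " needs a key of at least 16 bytes");
    }
}
```

The attribute still has to be declared in conf/attribute-resolver.xml and released in conf/attribute-filter.xml; the connector itself only decides what it will compute, never who receives it.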

I’m sure this doesn’t make much sense right now but we’ll be releasing the code of our data connector pretty soon inshaallah and you’ll be able to see the whole thing work. Stay tuned.

XPath Example

March 5, 2008

A simple XPath example using JAXP only:

package serg.xslt;

import java.io.FileInputStream;
import java.io.OutputStreamWriter;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class PathSelector {
    public static void main(String arg[]) throws Exception {
        String filename = arg[0];
        // the expression could also be taken from the command line: arg[1]
        String xpath = "//book/following-sibling::*";

        // set up a DOM tree from the input file
        InputSource in = new InputSource(new FileInputStream(filename));
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // refuse DOCTYPE declarations so the parser cannot be tricked into loading external entities
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(in);
        System.out.println("Querying DOM using : " + xpath);

        // the actual XPath selector (standard JAXP API in javax.xml.xpath;
        // the JDK-internal CachedXPathAPI is not accessible on newer JDKs)
        XPath path = XPathFactory.newInstance().newXPath();
        NodeList nl = (NodeList) path.evaluate(xpath, doc, XPathConstants.NODESET);

        // serialise each selected node back to XML on standard output
        Transformer trans = TransformerFactory.newInstance().newTransformer();
        trans.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");

        System.out.println("");
        for (int i = 0; i < nl.getLength(); i++) {
            Node n = nl.item(i);
            trans.transform(new DOMSource(n), new StreamResult(new OutputStreamWriter(System.out)));
        }
        System.out.println("");
    }
}

Web Services Example 1

February 21, 2008

After setting up a working environment for web services in Eclipse, it’s time to take things to another level by writing a service that actually does something. Here, we create a web service (still a simple one) which takes the salaries of employees, including allowances, and calculates their taxes. The client sends an XML document and receives the same document back, except that the taxes are now filled in. Later in our SOA course, we’ll see how these documents can be encrypted and signed to ensure integrity and privacy. Anyway, let’s get on with the web service.


After working for almost a week with outdated and severely complicated yet unhelpful tutorials for web services using Eclipse (Europa), I decided to put together a simple, step-by-step, to-the-point tutorial on how to use a simple, small web service. It’s mostly a screencast with some explanations.

Read it here in PDF.

Mirror post on: http://serg.imsciences.edu.pk

Submission to SACMAT

January 31, 2008

We’ve just submitted a contribution to SACMAT08. For those of you who don’t know it, SACMAT is the conference for access control. There are many big names in the program committee and it’s one of the most prestigious conferences for computer security. Regardless of acceptance (and of the fact that I’m only the third author in the paper), I’m glad of the submission. It was a really nice experience preparing a paper for that big a conference. Now, we wait for the notification.

If you’ve been hit by the Trojan masquerading as an avi — “Funny UST Scandal.avi.exe”, you need to read this post.

Remove Funny UST Scandal Manually

It takes just a bit of work but it’s lovely. I worked for a day through Symantec and Kaspersky antivirus and couldn’t get anywhere. With this manual method, I removed the annoying thing in 10 minutes.

UML and Patterns

November 29, 2007

UML is an essential tool in SE today. I’m especially interested in finding ways of introducing MDE to students and for that UML and OCL are an essential requirement.

I’ve been reading “Applying UML and Patterns”, 2nd Ed by Larman and I really like it. The site offers good resources, especially in the “diagrams” section. You can download Visio sources of the UML diagrams used in the book which are really helpful in creating presentations for courses.

You can find them here.