248 results for critical security studies
Abstract:
This paper identifies a number of critical infrastructure applications that are reliant on location services from cooperative location technologies such as GPS and GSM. We show that these location technologies can be represented in a general location model, such that the model components can be used for vulnerability analysis. We perform a vulnerability analysis on these components of GSM and GPS location systems as well as a number of augmentations to these systems.
Abstract:
Refactoring focuses on improving the reusability, maintainability and performance of programs. However, the impact of refactoring on the security of a given program has received little attention. In this work, we focus on the design of object-oriented applications and use metrics to assess the impact of a number of standard refactoring rules on their security by evaluating the metrics before and after refactoring. This assessment tells us which refactoring steps can increase the security level of a given program from the point of view of potential information flow, allowing application designers to improve their system’s security at an early stage.
Abstract:
Defence organisations perform information security evaluations to confirm that electronic communications devices are safe to use in security-critical situations. Such evaluations include tracing all possible dataflow paths through the device, but this process is tedious and error-prone, so automated reachability analysis tools are needed to make security evaluations faster and more accurate. Previous research has produced a tool, SIFA, for dataflow analysis of basic digital circuitry, but it cannot analyse dataflow through microprocessors embedded within the circuit since this depends on the software they run. We have developed a static analysis tool that produces SIFA compatible dataflow graphs from embedded microcontroller programs written in C. In this paper we present a case study which shows how this new capability supports combined hardware and software dataflow analyses of a security critical communications device.
Abstract:
Existing secure software development principles tend to focus on coding vulnerabilities, such as buffer or integer overflows, that apply to individual program statements, or issues associated with the run-time environment, such as component isolation. Here we instead consider software security from the perspective of potential information flow through a program’s object-oriented module structure. In particular, we define a set of quantifiable "security metrics" which allow programmers to quickly and easily assess the overall security of a given source code program or object-oriented design. Although measuring quality attributes of object-oriented programs for properties such as maintainability and performance has been well-covered in the literature, metrics which measure the quality of information security have received little attention. Moreover, existing security-relevant metrics assess a system either at a very high level, i.e., the whole system, or at a fine level of granularity, i.e., with respect to individual statements. These approaches make it hard and expensive to recognise a secure system from an early stage of development. Instead, our security metrics are based on well-established compositional properties of object-oriented programs (i.e., data encapsulation, cohesion, coupling, composition, extensibility, inheritance and design size), combined with data flow analysis principles that trace potential information flow between high- and low-security system variables. We first define a set of metrics to assess the security quality of a given object-oriented system based on its design artifacts, allowing defects to be detected at an early stage of development. We then extend these metrics to produce a second set applicable to object-oriented program source code.
The resulting metrics make it easy to compare the relative security of functionally-equivalent system designs or source code programs so that, for instance, the security of two different revisions of the same system can be compared directly. This capability is further used to study the impact of specific refactoring rules on system security more generally, at both the design and code levels. By measuring the relative security of various programs refactored using different rules, we thus provide guidelines for the safe application of refactoring steps to security-critical programs. Finally, to make it easy and efficient to measure a system design or program’s security, we have also developed a stand-alone software tool which automatically analyses and measures the security of UML designs and Java program code. The tool’s capabilities are demonstrated by applying it to a number of security-critical system designs and Java programs. Notably, the validity of the metrics is demonstrated empirically through measurements that confirm our expectation that program security typically improves as bugs are fixed, but worsens as new functionality is added.
Abstract:
If there is one thing performance studies graduates should be good at, it is improvising – play and improvisation are central to the contemporary and cultural performance practices we teach and the methods by which we teach them. Objective, offer, acceptance, advancing, reversing, character, status, manipulation, impression management, relationship management – whether we know them from Keith Johnson’s theatre theories or Erving Goffman’s theatre theories, the processes by which we play out a story, scenario or social situation to our own benefit are familiar. We understand that identity, action, interaction and its personal, aesthetic, professional or political outcomes are unpredictable, and that we need to adapt to changeable and uncertain circumstances to achieve our aims. Intriguingly, though, in a Higher Education environment that increasingly emphasises employability, skills in play, improvisation and self-performance are never cited as critical graduate attributes. Is the ability to play, improve and produce spontaneous new self-performances learned in the academy worth articulating into an ability to play, improvise and produce spontaneous new self-performances after graduates leave the academy and move into the role of a performing arts professional in industry? A study of the career paths of our performance studies graduates over the past decade suggests that addressing the challenges they face in moving between academic culture, professional culture, industry and career in terms of improvisation and play principles may be very productive. In articles on performing arts careers, graduates are typically advised to find a market for their work, and develop career self-management, management and marketing skills, together with an ability to find, make and maintain relationships and opportunities for themselves.
Transitioning to career is cast as a challenging process, requiring these skills, because performing arts careers do not offer the security, status and stability of other careers. Our data confirms this. In our study, though, we found that strategies commonly used to build the resilience, self-reliance and persistence graduates require – talking about portfolio careers, parallel careers, and portable, transferable or translatable skills, for example – can engender panic as easily as they engender confidence. In this paper, I consider what happens when we re-articulate some of the skills scholars and industry stakeholders argue are critical in allowing graduates to shift successfully from academy to industry in terms of skills like improvisation, play and self-performance that are already familiar, meaningful and much-practiced amongst performance studies graduates.
Abstract:
This paper describes in detail our Security-Critical Program Analyser (SCPA). SCPA is used to assess the security of a given program based on its design or source code with regard to data flow-based metrics. Furthermore, it allows software developers to generate a UML-like class diagram of their program and annotate its confidential classes, methods and attributes. SCPA is also capable of producing Java source code for the generated design of a given program. This source code can then be compiled and the resulting Java bytecode program can be used by the tool to assess the program's overall security based on our security metrics.
Abstract:
We introduce the Network Security Simulator (NeSSi2), an open source discrete event-based network simulator. It incorporates a variety of features relevant to network security distinguishing it from general-purpose network simulators. Compared to the predecessor NeSSi, it was extended with a three-tier plugin architecture and a generic network model to shift its focus towards a simulation framework for critical infrastructures. We demonstrate the gained adaptability by different use cases.
Abstract:
Whether by using electronic banking, by using credit cards, or by synchronising a mobile telephone via Bluetooth to an in-car system, humans are a critical part in many cryptographic protocols daily. We reduced the gap that exists between the theory and the reality of the security of these cryptographic protocols involving humans, by creating tools and techniques for proofs and implementations of human-followable security. After three human research studies, we present a model for capturing human recognition; we provide a tool for generating values called Computer-HUman Recognisable Nonces (CHURNs); and we provide a model for capturing human perceptible freshness.
Abstract:
A new era of cyber warfare has appeared on the horizon with the discovery and detection of Stuxnet. Allegedly planned, designed, and created by the United States and Israel, Stuxnet is considered the first known cyber weapon to attack an adversary state. Stuxnet's discovery put a lot of attention on the outdated and obsolete security of critical infrastructure. It became very apparent that electronic devices that are used to control and operate critical infrastructure like programmable logic controllers (PLCs) or supervisory control and data acquisition (SCADA) systems lack very basic security and protection measures. Part of that is due to the fact that when these devices were designed, the idea of exposing them to the Internet was not in mind. However, now with this exposure, these devices and systems are considered easy prey to adversaries.
Abstract:
In recent decades, the meaning and value of formal state citizenship has shifted dramatically. In the same period, scholarship on citizenship has drawn attention to the proliferation of alternative forms of sub-, supra- and transnational citizenship, at times obscuring the ongoing importance of formal state citizenship. For refugees, however, formal state citizenship remains a critical and widely shared goal. Drawing on interviews with 51 young people from refugee backgrounds in Melbourne, Australia, this article explores the intersecting themes of mobility and security that were identified by participants as the most important benefits of acquiring formal state citizenship in the country of resettlement. In contrast to the insecurity of forced migration, formal state citizenship provides a privileged mobility that enables refugee-background youth to maintain and create transnational identities and attachments and to be protected while doing so, while also granting a secure status within the nation state and insurance against further displacement in an uncertain future. In offering these forms of mobility and security, formal state citizenship contributes to a sense of ontological security among refugee-background youth, providing an important foundation for building national and transnational futures.
Abstract:
The rapid uptake of transcriptomic approaches in freshwater ecology has seen a wealth of data produced concerning the ways in which organisms interact with their environment on a molecular level. Typically, such studies focus either at the community level and so don’t require species identifications, or on laboratory strains of known species identity or natural populations of large, easily identifiable taxa. For chironomids, impediments still exist for applying these technologies to natural populations because they are small-bodied and often require time-consuming secondary sorting of stream material and morphological voucher preparation to confirm species diagnosis. These procedures limit the ability to maintain RNA quantity and quality in such organisms because RNA degrades rapidly and gene expression can be altered rapidly in organisms; thereby limiting the inclusion of such taxa in transcriptomic studies. Here, we demonstrate that these limitations can be overcome and outline an optimised protocol for collecting, sorting and preserving chironomid larvae that enables retention of both morphological vouchers and RNA for subsequent transcriptomics purposes. By ensuring that sorting and voucher preparation are completed within <4 hours after collection and that samples are kept cold at all times, we successfully retained both RNA and morphological vouchers from all specimens. Although not prescriptive in specific methodology, we anticipate that this paper will assist in promoting transcriptomic investigations of the sublethal impact on chironomid gene expression of changes to aquatic environments.