55 results for VULNERABILITIES

in Queensland University of Technology - ePrints Archive


Relevance: 20.00%

Abstract:

This practice-led research was initiated in response to a series of violent encounters that occurred between my fragile installations and viewers. The central focus of this study was to recuperate my installation practice in the wake of such events. This led to the development of a ‘responsive practice’ methodology, which reframed the installation process through an ethical lens developed from Emmanuel Levinas’ ethical phenomenology. The central propositions of this research are the reconceptualisation of ‘violent encounters’ in terms of difference whereby I accept viewers’ responses, even those which are violent, destructive or damaging, and secondly that the process operates as a generative excess for practice through which recuperative strategies can be found and implemented. By re-examining this process as it unfolded in the three phases of the practical component, I developed strategies whereby violated, destroyed or damaged works could be recuperated through the processes of reconfiguration, reparation and regeneration. Therefore my installations embody and articulate vulnerability but also demonstrate resilience and renewal.

Relevance: 20.00%

Abstract:

The loosely-coupled and dynamic nature of web services architectures has many benefits, but also leads to an increased vulnerability to denial of service attacks. While many papers have surveyed and described these vulnerabilities, they are often theoretical and lack experimental data to validate them, and assume an obsolete state of web services technologies. This paper describes experiments involving several denial of service vulnerabilities in well-known web services platforms, including Java Metro, Apache Axis, and Microsoft .NET. The results both confirm and deny the presence of some of the most well-known vulnerabilities in web services technologies. Specifically, major web services platforms appear to cope well with attacks that target memory exhaustion. However, attacks targeting CPU-time exhaustion are still effective, regardless of the victim’s platform.

Relevance: 20.00%

Abstract:

Rural-urban migration continues to grow in many developing countries including Vietnam. The experience of stress and coping associated with this process may vary for people from different circumstances. However, there has been little research on migrants to date. This study adopts a qualitative approach to research on unregistered, male, migrant freelance labourers in urban Vietnam and to explore factors contributing to stress and coping among this population. The study revealed an array of stressors related to migrants' life experiences in urban space, including physical, financial and social factors. Coping was diverse, including problem-focused coping (PFC) and emotion-focused coping (EFC), pro-social and anti-social, active and passive. Less active and anti-social coping appeared common. Together, weak social network and lack of support from formal systems placed coping and adaptation in a cyclic relationship. The results highlight a multi-disciplinary approach to help cope and adapt effectively for these men.

Relevance: 20.00%

Abstract:

Type unions, pointer variables and function pointers are a long standing source of subtle security bugs in C program code. Their use can lead to hard-to-diagnose crashes or exploitable vulnerabilities that allow an attacker to attain privileged access over classified data. This paper describes an automatable framework for detecting such weaknesses in C programs statically, where possible, and for generating assertions that will detect them dynamically, in other cases. Exclusively based on analysis of the source code, it identifies required assertions using a type inference system supported by a custom made symbol table. In our preliminary findings, our type system was able to infer the correct type of unions in different scopes, without manual code annotations or rewriting. Whenever an evaluation is not possible or is difficult to resolve, appropriate runtime assertions are formed and inserted into the source code. The approach is demonstrated via a prototype C analysis tool.

Relevance: 20.00%

Abstract:

Book summary: In a constantly evolving context of performance management, accountability and risk assessment, police organisations and frontline police officers are required to pay careful attention to what has come to be known as ‘at risk people’, ‘vulnerable populations’ or ‘vulnerable people’. Vulnerable people have become a key focus of policy. Concurrently, there have been stronger demands on police, and a steep increase in police powers in relation to their interaction with vulnerable people. The premise of this protectionist and interventionist agenda is threefold: to protect the rights of vulnerable individuals; proactively cater for their vulnerability within the justice system; and to secure police operations and protocols within strict guidelines. This collection unpacks ‘vulnerable people policing’ in theory and practice and guides the reader through the policing process as it is experienced by police officers, victims, offenders, witnesses and justice stakeholders. Each chapter features a single step of the policing process: from police recruit education through to custody, and the final transfer of vulnerable people to courts and sentencing. This edited collection provides analytical, theoretical and empirical insights on vulnerable people policing, and reflects on critical issues in a domain that is increasingly subject to speedy conversion from policy to practice, and heightened media and political scrutiny. It breaks down policing practices, operations and procedures that have vulnerable populations as a focus, bringing together original and innovative academic research and literature, practitioner experience and discussion of policy implications (from local and international perspectives).
The particular nature of this collection highlights the multi-disciplinary nature of police work, sheds light on how specific, mandatory policies guide police officers’ steps in their interaction with vulnerable populations, and discusses the practicalities of police decision making at key points in this process.

Relevance: 20.00%

Abstract:

This research quantifies the lag effects and vulnerabilities of temperature effects on cardiovascular disease in Changsha—a subtropical climate zone of China. A Poisson regression model within a distributed lag nonlinear models framework was used to examine the lag effects of cold- and heat-related CVD mortality. The lag effect for heat-related CVD mortality was just 0–3 days. In contrast, we observed a statistically significant association with 10–25 lag days for cold-related CVD mortality. Low temperatures with 0–2 lag days increased the mortality risk for those ≥65 years and females. For all ages, the cumulative effects of cold-related CVD mortality was 6.6% (95% CI: 5.2%–8.2%) for 30 lag days while that of heat-related CVD mortality was 4.9% (95% CI: 2.0%–7.9%) for 3 lag days. We found that in Changsha city, the lag effect of hot temperatures is short while the lag effect of cold temperatures is long. Females and older people were more sensitive to extreme hot and cold temperatures than males and younger people.

Relevance: 20.00%

Abstract:

Background: Alcohol expectancies likely play a role in people’s perceptions of alcohol-involved sexual violence. However, no appropriate measure exists to examine this link comprehensively.

Objective: The aim of this research was to develop an alcohol expectancy measure which captures young adults’ beliefs about alcohol’s role in sexual aggression and victimization.

Method: Two cross-sectional samples of young Australian adults (18–25 years) were recruited for scale development (Phase 1) and scale validation (Phase 2). In Phase 1, participants (N = 201; 38.3% males) completed an online survey with an initial pool of alcohol expectancy items stated in terms of three targets (self, men, women) to identify the scale’s factor structure and most effective items. A revised alcohol expectancy scale was then administered online to 322 young adults (39.6% males) in Phase 2. To assess the predictive, convergent, and discriminant validity of the scale, participants also completed established measures of personality, social desirability, alcohol use, general and context-specific alcohol expectancies, and impulsiveness.

Results: Principal axis factoring (Phase 1) and confirmatory factor analysis (Phase 2) resulted in a target-equivalent five-factor structure for the final 66-item Drinking Expectancy Sexual Vulnerabilities Questionnaire (DESV-Q). The factors were labeled:

- (1) Sexual Coercion
- (2) Sexual Vulnerability
- (3) Confidence
- (4) Self-Centeredness
- (5) Negative Cognitive and Behavioral Changes

The measure demonstrated effective items, high internal consistency, and satisfactory predictive, convergent, and discriminant validity.

Conclusions: The DESV-Q is a purpose-specific instrument that could be used in future research to elucidate people’s attributions for alcohol-involved sexual aggression and victimization.

Relevance: 10.00%

Abstract:

In this paper we propose an efficient authentication and integrity scheme to support DGPS corrections using the RTCM protocol, such that the identified vulnerabilities in DGPS are mitigated. The proposed scheme is based on the TESLA broadcast protocol with modifications that make it suitable for the bandwidth and processor constrained environment of marine DGPS.

Relevance: 10.00%

Abstract:

Denial-of-service attacks (DoS) and distributed denial-of-service attacks (DDoS) attempt to temporarily disrupt users or computer resources to cause service unavailability to legitimate users in the internetworking system. The most common type of DoS attack occurs when adversaries flood a large amount of bogus data to interfere or disrupt the service on the server. The attack can be either a single-source attack, which originates at only one host, or a multi-source attack, in which multiple hosts coordinate to flood a large number of packets to the server. Cryptographic mechanisms in authentication schemes are an example approach to help the server to validate malicious traffic. Since authentication in key establishment protocols requires the verifier to spend some resources before successfully detecting the bogus messages, adversaries might be able to exploit this flaw to mount an attack to overwhelm the server resources. The attacker is able to perform this kind of attack because many key establishment protocols incorporate strong authentication at the beginning phase before they can identify the attacks. This is an example of DoS threats in most key establishment protocols because they have been implemented to support confidentiality and data integrity, but do not carefully consider other security objectives, such as availability. The main objective of this research is to design denial-of-service resistant mechanisms in key establishment protocols. In particular, we focus on the design of cryptographic protocols related to key establishment protocols that implement client puzzles to protect the server against resource exhaustion attacks. Another objective is to extend formal analysis techniques to include DoS-resistance. Basically, the formal analysis approach is used not only to analyse and verify the security of a cryptographic scheme carefully but also to help in the design stage of new protocols with a high level of security guarantee.
In this research, we focus on an analysis technique of Meadows' cost-based framework, and we implement DoS-resistant model using Coloured Petri Nets. Meadows' cost-based framework is directly proposed to assess denial-of-service vulnerabilities in the cryptographic protocols using mathematical proof, while Coloured Petri Nets is used to model and verify the communication protocols using interactive simulations. In addition, Coloured Petri Nets are able to help the protocol designer to clarify and reduce some inconsistency of the protocol specification. Therefore, the second objective of this research is to explore vulnerabilities in existing DoS-resistant protocols, as well as extend a formal analysis approach to our new framework for improving DoS-resistance and evaluating the performance of the new proposed mechanism. In summary, the specific outcomes of this research include following results;

1. A taxonomy of denial-of-service resistant strategies and techniques used in key establishment protocols;
2. A critical analysis of existing DoS-resistant key exchange and key establishment protocols;
3. An implementation of Meadows's cost-based framework using Coloured Petri Nets for modelling and evaluating DoS-resistant protocols; and
4. A development of new efficient and practical DoS-resistant mechanisms to improve the resistance to denial-of-service attacks in key establishment protocols.

Relevance: 10.00%

Abstract:

Health Information Systems (HIS) make extensive use of Information and Communication Technologies (ICT). The use of ICT aids in improving the quality and efficiency of healthcare services by making healthcare information available at the point of care (Goldstein, Groen, Ponkshe, and Wine, 2007). The increasing availability of healthcare data presents security and privacy issues which have not yet been fully addressed (Liu, Caelli, May, and Croll, 2008a). Healthcare organisations have to comply with the security and privacy requirements stated in laws, regulations and ethical standards, while managing healthcare information. Protecting the security and privacy of healthcare information is a very complex task (Liu, May, Caelli and Croll, 2008b). In order to simplify the complexity of providing security and privacy in HIS, appropriate information security services and mechanisms have to be implemented. Solutions at the application layer have already been implemented in HIS such as those existing in healthcare web services (Weaver et al., 2003). In addition, Discretionary Access Control (DAC) is the most commonly implemented access control model to restrict access to resources at the OS layer (Liu, Caelli, May, Croll and Henricksen, 2007a). Nevertheless, the combination of application security mechanisms and DAC at the OS layer has been stated to be insufficient in satisfying security requirements in computer systems (Loscocco et al., 1998). This thesis investigates the feasibility of implementing Security Enhanced Linux (SELinux) to enforce a Role-Based Access Control (RBAC) policy to help protect resources at the Operating System (OS) layer. SELinux provides Mandatory Access Control (MAC) mechanisms at the OS layer. These mechanisms can contain the damage from compromised applications and restrict access to resources according to the security policy implemented. 
The main contribution of this research is to provide a modern framework to implement and manage SELinux in HIS. The proposed framework introduces SELinux Profiles to restrict access permissions over the system resources to authorised users. The feasibility of using SELinux profiles in HIS was demonstrated through the creation of a prototype, which was submitted to various attack scenarios. The prototype was also subjected to testing during emergency scenarios, where changes to the security policies had to be made on the spot. Attack scenarios were based on vulnerabilities common at the application layer. SELinux demonstrated that it could effectively contain attacks at the application layer and provide adequate flexibility during emergency situations. However, even with the use of current tools, the development of SELinux policies can be very complex. Further research has to be made in order to simplify the management of SELinux policies and access permissions. In addition, SELinux related technologies, such as the Policy Management Server by Tresys Technologies, need to be researched in order to provide solutions at different layers of protection.

Relevance: 10.00%

Abstract:

Measuring quality attributes of object-oriented designs (e.g. maintainability and performance) has been covered by a number of studies. However, these studies have not considered security as much as other quality attributes. Also, most security studies focus at the level of individual program statements. This approach makes it hard and expensive to discover and fix vulnerabilities caused by design errors. In this work, we focus on the security design of an object oriented application and define a number of security metrics. These metrics allow designers to discover and fix security vulnerabilities at an early stage, and help compare the security of various alternative designs. In particular, we propose seven security metrics to measure Data Encapsulation (accessibility) and Cohesion (interactions) of a given object-oriented class from the point of view of potential information flow.

Relevance: 10.00%

Abstract:

Crash risk is the statistical probability of a crash. Its assessment can be performed through ex post statistical analysis or in real-time with on-vehicle systems. These systems can be cooperative. Cooperative Vehicle-Infrastructure Systems (CVIS) are a developing research avenue in the automotive industry worldwide. This paper provides a survey of existing CVIS systems and methods to assess crash risk with them. It describes the advantages of cooperative systems versus non-cooperative systems. A sample of cooperative crash risk assessment systems is analysed to extract vulnerabilities according to three criteria: market penetration, over-reliance on GPS and broadcasting issues. It shows that cooperative risk assessment systems are still in their infancy and require further development to provide their full benefits to road users.

Relevance: 10.00%

Abstract:

This research investigates wireless intrusion detection techniques for detecting attacks on IEEE 802.11i Robust Secure Networks (RSNs). Despite using a variety of comprehensive preventative security measures, the RSNs remain vulnerable to a number of attacks. Failure of preventative measures to address all RSN vulnerabilities dictates the need for a comprehensive monitoring capability to detect all attacks on RSNs and also to proactively address potential security vulnerabilities by detecting security policy violations in the WLAN. This research proposes novel wireless intrusion detection techniques to address these monitoring requirements and also studies correlation of the generated alarms across wireless intrusion detection system (WIDS) sensors and the detection techniques themselves for greater reliability and robustness. The specific outcomes of this research are:

- A comprehensive review of the outstanding vulnerabilities and attacks in IEEE 802.11i RSNs.
- A comprehensive review of the wireless intrusion detection techniques currently available for detecting attacks on RSNs.
- Identification of the drawbacks and limitations of the currently available wireless intrusion detection techniques in detecting attacks on RSNs.
- Development of three novel wireless intrusion detection techniques for detecting RSN attacks and security policy violations in RSNs.
- Development of algorithms for each novel intrusion detection technique to correlate alarms across distributed sensors of a WIDS.
- Development of an algorithm for automatic attack scenario detection using cross detection technique correlation.
- Development of an algorithm to automatically assign priority to the detected attack scenario using cross detection technique correlation.