Browser security : a requirements-based approach

A browser is a convenient way to access resources located remotely on computer networks. Security in browsers has become a crucial issue for users who use them for sensitive applications without knowledge ofthe hazards. This research utilises a structure approach to analyse and propose enhancements to browser security. Standard evaluation for computer products is important as it helps users to ensure that the product they use is appropriate for their needs. Security in browsers, therefore, has been evaluated using the Common Criteria. The outcome of this was a security requirements profile which attempts to formalise the security needs of browsers. The information collected during the research was used to produce a prototype model for a secure browser program. Modifications to the Lynx browser were made to demonstrate the proposed enhancements.

Integrating information security policy management with corporate risk management for strategic alignment

Information security policy defines the governance and implementation strategy for information security in alignment with the corporate risk policy objectives and strategies. Research has established that alignment between corporate concerns may be enhanced when strategies are developed concurrently using the same development process as an integrative relationship is established. Utilizing the corporate risk management framework for security policy management establishes such an integrative relationship between information security and corporate risk management objectives and strategies. There is however limitation in the current literature on presenting a definitive approach that fully integrates security policy management with the corporate risk management framework. This paper presents an approach that adopts a conventional corporate risk management framework for security policy development and management to achieve alignment with the corporate risk policy. A case example is examined to illustrate the alignment achieved in each process step with a security policy structure being consequently derived in the process. It is shown that information security policy management outcomes become both integral drivers and major elements of the corporate-level risk management considerations. Further study should involve assessing the impact of the use of the proposed framework in enhancing alignment as perceived in this paper.

Signal authentication and integrity schemes for next generation global navigation satellite systems

This paper describes a number of techniques for GNSS navigation message authentication. A detailed analysis of the security facilitated by navigation message authentication is given. The analysis takes into consideration the risk of critical applications that rely on GPS including transportation, finance and telecommunication networks. We propose a number of cryptographic authentication schemes for navigation data authentication. These authentication schemes provide authenticity and integrity of the navigation data to the receiver. Through software simulation, the performance of the schemes is quantified. The use of software simulation enables the collection of authentication performance data of different data channels, and the impact of various schemes on the infrastructure and receiver. Navigation message authentication schemes have been simulated at the proposed data rates of Galileo and GPS services, for which the resulting performance data is presented. This paper concludes by making recommendations for optimal implementation of navigation message authentication for Galileo and next generation GPS systems.

Requirements for enhancing trust, security and integrity of GNSS location services

The paper describes a number of requirements for enhancing the trust of location acquisition from Satellite Navigation Systems, particularly for those applications where the location is monitored through a remote GNSS receiver. We discuss how the trust of a location acquisition could be propagated to an application through the use of a proposed tamper-­resistant GNSS receiver which quantifies the trust of a location solution from the signaling used (ie. P(Y) code, Galileo SOL, PRS, CS) and provides a cryptographic proof of this to a remote application. The tamper­-resistance state of the receiver is also included in this cryptographic proof.

Automatic generation of assertions to detect potential security vulnerabilities in C programs that use union and pointer types

Type unions, pointer variables and function pointers are a long standing source of subtle security bugs in C program code. Their use can lead to hard-to-diagnose crashes or exploitable vulnerabilities that allow an attacker to attain privileged access over classified data. This paper describes an automatable framework for detecting such weaknesses in C programs statically, where possible, and for generating assertions that will detect them dynamically, in other cases. Exclusively based on analysis of the source code, it identifies required assertions using a type inference system supported by a custom made symbol table. In our preliminary findings, our type system was able to infer the correct type of unions in different scopes, without manual code annotations or rewriting. Whenever an evaluation is not possible or is difficult to resolve, appropriate runtime assertions are formed and inserted into the source code. The approach is demonstrated via a prototype C analysis tool.

Reinforcing bad behaviour : the misuse of security indicators on popular websites

Before making a security or privacy decision, Internet users should evaluate several security indicators in their browser, such as the use of HTTPS (indicated via the lock icon), the domain name of the site, and information from extended validation certificates. However, studies have shown that human subjects infrequently employ these indicators, relying on other indicators that can be spoofed and convey no cryptographic assurances. We identify four simple security indicators that accurately represent security properties of the connection and then examine 125 popular websites to determine if the sites' designs result in correctly displayed security indicators during login. In the vast majority of cases, at least some security indicators are absent or suboptimal. This suggests users are becoming habituated to ignoring recommended security indicators.

Security metrics for object-oriented designs

Several studies have developed metrics for software quality attributes of object-oriented designs such as reusability and functionality. However, metrics which measure the quality attribute of information security have received little attention. Moreover, existing security metrics measure either the system from a high level (i.e. the whole system’s level) or from a low level (i.e. the program code’s level). These approaches make it hard and expensive to discover and fix vulnerabilities caused by software design errors. In this work, we focus on the design of an object-oriented application and define a number of information security metrics derivable from a program’s design artifacts. These metrics allow software designers to discover and fix security vulnerabilities at an early stage, and help compare the potential security of various alternative designs. In particular, we present security metrics based on composition, coupling, extensibility, inheritance, and the design size of a given object-oriented, multi-class program from the point of view of potential information flow.

Assessing the impact of refactoring on security-critical object-oriented designs

Refactoring focuses on improving the reusability, maintainability and performance of programs. However, the impact of refactoring on the security of a given program has received little attention. In this work, we focus on the design of object-oriented applications and use metrics to assess the impact of a number of standard refactoring rules on their security by evaluating the metrics before and after refactoring. This assessment tells us which refactoring steps can increase the security level of a given program from the point of view of potential information flow, allowing application designers to improve their system’s security at an early stage.

Diesel engine condition monitoring and simulated diesel knock

This paper discusses diesel engine condition monitoring (CM) using acoustic emissions (AE) as well as some of the commonly encountered diesel engine problems. Also discussed are some of the underlying combustion related faults and the methods used in past studies to simulate diesel engine faults. The initial test involved an experimental simulation of two common combustion related diesel engine faults, namely diesel knock and misfire. These simulated faults represent the first step towards a comprehensive investigation and analysis into the characteristics of acoustic emission signals arising from combustion related diesel engine faults. Data corresponding to different engine running conditions was captured using in-cylinder pressure, vibration and acoustic emission transducers along with both crank angle encoder and top-dead centre (TDC) signals. Using these signals, it was possible to characterise the effect of different combustion conditions and hence, various diesel engine in-cylinder pressure profiles.

Engaging marketing students : student operated businesses in a simulated world

Engaged students are committed and more likely to continue their university studies. Subsequently, they are less resource intensive from a university’s perspective. This article details an experiential second-year marketing course that requires students to develop real products and services to sell on two organized market days. In the course, students participate as both consumers and marketers in a simulated world. The current article explores the effectiveness of this experiential assessment in terms of its ability to engage students. Comparing student engagement to a traditional lecture course and National Survey of Student Engagement benchmarks, the results suggest that the use of a simulated marketplace is capable of engaging students. Specifically, the assessment reported encourages more active learning and collaboration, is more academically challenging, and permits more student–faculty interaction than a traditional lecture-based course. The course structure outlined in this article permits the dynamics of a live marketing environment to be introduced into the classroom. The authors provide practical advice for educators seeking to design and implement engaging pedagogy.

Effect of simulated visual impairment on nighttime driving performance

PURPOSE: This study investigated the effects of simulated visual impairment on nighttime driving performance and pedestrian recognition under real-road conditions. METHODS: Closed road nighttime driving performance was measured for 20 young visually normal participants (M = 27.5 +/- 6.1 years) under three visual conditions: normal vision, simulated cataracts, and refractive blur that were incorporated in modified goggles. The visual acuity levels for the cataract and blur conditions were matched for each participant. Driving measures included sign recognition, avoidance of low contrast road hazards, time to complete the course, and lane keeping. Pedestrian recognition was measured for pedestrians wearing either black clothing or black clothing with retroreflective markings on the moveable joints to create the perception of biological motion ("biomotion"). RESULTS: Simulated visual impairment significantly reduced participants' ability to recognize road signs, avoid road hazards, and increased the time taken to complete the driving course (p < 0.05); the effect was greatest for the cataract condition, even though the cataract and blur conditions were matched for visual acuity. Although visual impairment also significantly reduced the ability to recognize the pedestrian wearing black clothing, the pedestrian wearing "biomotion" was seen 80% of the time. CONCLUSIONS: Driving performance under nighttime conditions was significantly degraded by modest visual impairment; these effects were greatest for the cataract condition. Pedestrian recognition was greatly enhanced by marking limb joints in the pattern of "biomotion," which was relatively robust to the effects of visual impairment.