Increasing trustworthiness of security critical applications using trusted computing

Download
2014
Uzunay, Yusuf
In this thesis work, we aim to increase the trustworthiness of security critical applications by utilizing trusted computing technologies. We focus on two case applications; authentication proxy systems and e-voting systems. Our first case application is authentication proxy systems which store users’ sensitive credentials and submit them to the servers of the service providers on their behalf. To increase the trustworthiness of authentication proxy systems, we propose Trust-in-the-Middle a trusted platform module based proxy system which ensures that user credentials are securely stored and submitted without disclosing them even if the proxy is compromised. We use remote attestation to guarantee that all critical operations on the proxy are performed securely and credentials are cryptographically protected when they are not in trusted platform module supported isolation. For our second case application, we propose Trusted3Ballot, a trusted computing based three-ballot e-voting system to increase the trustworthiness of poll-site e-voting systems. In our second proposal, we put forth an election process where security critical issues are processed in software applications attested by TPM. By integrating three-ballot voting mechanism into an electronic voting system secured by trusted platform module, we not only satisfy some contradictory requirements of voting such as providing individual and universal verifiability without causing vote trade, but also give users and the relevant parties the ability to attest the trustworthiness of the running software at each phase of the election. The analysis of Trusted3Ballot reveals that significant improvements to the three-ballot system are provided in terms of both security and usability.

Suggestions

A Decision Support System for Optimal Selection of Enterprise Information Security Preventative Actions
Özdemir Sönmez, Ferda ; Günel Kılıç, Banu (2021-09-01)
Types and complexity of information security related vulnerabilities are growing rapidly and present numerous challenges to the enterprises. One of the key challenges is to identify the optimal set of precautions with limited budget. Despite the fact that majority of enterprises have a budget constraint for installing and maintaining the protection systems, the majority of the previous work only focus on prioritization of security targets and do not consider the preventative actions and budget constraints. ...
Security Qualitative Metrics for Open Web Application Security Project Compliance
Sönmez, Ferda Özdemir (Elsevier BV; 2019)
The focus of this study is to find out repeatable features for large-scale enterprise web application production process related to based on OWASP security requirement list. As a result of a rigorous work including domain analysis for Java language and development frameworks and the examination of a large set of technical documents, 230 security qualitative metrics are discovered, under six categories. These security qualitative metrics are beneficial for security analysts as well as other parties such as d...
An automated tool for information security management system
Erkan, Ahmet; Arifoğlu, Ali; Department of Information Systems (2006)
This thesis focuses on automation of processes of Information Security Management System. In accordance with two International Standards, ISO/IEC 27001:2005 and ISO/IEC 17799:2005, to automate the activities required for a documented ISMS as much as possible helps organizations. Some of the well known tools in this scope are analyzed and a comparative study on them including “InfoSec Toolkit”, which is developed for this purpose in the thesis scope, is given. “InfoSec Toolkit” is based on ISO/IEC 27001:2005...
Performance comparison of pattern discovery methods on web log data
Bayir, Murat Ali; Toroslu, İsmail Hakkı; Coşar, Ahmet (2006-03-11)
One of the popular trends in computer science has been development of intelligent web-based systems. Demand for such systems forces designers to make use of knowledge discovery techniques on web server logs. Web usage mining has become a major area of knowledge discovery on World Wide Web. Frequent pattern discovery is one of the main issues in web usage mining. These frequent patterns constitute the basic information source for intelligent web-based systems. In this paper; frequent pattern mining algorithm...
The Role of expertise on code review for security: an eye tracking study
Kaplan, Utku; Acartürk, Cengiz; Department of Cyber Security (2019)
To improve the quality of the software and find security vulnerabilities, code review is usually performed during software development activities. The experience of software developers reviewing the code may affect the quality of the code review. This study investigates whether differences between novices and experts in the detection of vulnerabilities in the code can be identified by eye tracking. Participants’ eye movements were recorded by an eye tracker while they investigated program codes for security...
Citation Formats
Y. Uzunay, “Increasing trustworthiness of security critical applications using trusted computing,” Ph.D. - Doctoral Program, Middle East Technical University, 2014.