Papers by Lotfi Ben Othmane

Current standards for vehicle safety consider only accidental failures; they do not consider failures caused by malicious attackers. The standards implicitly assume that the sensors and Electronic Control Units (ECUs) of each vehicle compose a secure in-vehicle network because no external entity communicates with the nodes of the network. These standards assume that safety and security aspects are independent. Connecting vehicles to external entities, e.g., through Vehicle to Mobile (V2M), Vehicle to Vehicle (V2V), and Vehicle to Infrastructure (V2I), proved to be useful: it enables using Intelligent Transportation Systems (ITS) applications that improve our safety, efficiency, and comfort; but it also leaves the vehicles vulnerable to security threats. This paper provides an overview of the AGORA framework: a framework generating secure and tested boilerplate code needed for ITS applications, demonstrates that safety and security aspects in motor vehicles are not independent, and proposes extending safety assur...

We propose a new paradigm—named the Pervasive Trust Foundation (PTF)—for computer security in Next Generation Networks, including the Future Internet. We start with a review of basic trust-related terms and concepts. We present motivation for using PTF as the basis for security in ISO OSI networks. The paper includes our five contributions. First, we define trust in the small (TIS) and trust in the large (TIL), where TIL is equivalent to PTF. Second, we list and contrast required and prohibited features of PTF-based systems. Third, we enumerate claims of benefits derived from using PTF. Fourth, we identify two major obstacles to PTF realization, and discuss multiple approaches to overcoming these obstacles. The more important of the two obstacles can be eliminated by showing an efficient implementation of PTF-based security. Fifth, we present an outline for the Basic Reference Model for PTF for Next Generation Networks. Summary and discussion of future work concludes the paper.

Specialized ad hoc networks of unmanned aerial vehicles (UAVs) have been playing increasingly important roles in military and emergency applications. Common resource virtualization techniques mainly designed for stable networks fall short in providing optimal performance in these kinds of networks due to the highly dynamic and unstable nature of mobile ad hoc networks (MANETs). In this work, we propose application of Opportunistic Resource Utilization Networks (Oppnets), a novel type of MANETs, for UAV ad hoc networking. Oppnets provide middleware to facilitate building flexible and adaptive distributed systems that provide all kinds of resources or services to the requesting application via a helper mechanism. We simulated a military use case for Oppnets that involves detecting a suspicious watercraft, comparing performance of an Oppnet with a baseline case in which Oppnet is not used. The simulation results show that Oppnets are a promising framework for high-performance ad hoc UA...

Protecting confidentiality of shared sensitive data requires satisfying conflicting needs for disseminating data and preventing unauthorized data disclosures. We propose a solution named the active bundles scheme for protecting sensitive data from their disclosures to unauthorized parties during their dissemination. The scheme protects data throughout their entire lifecycle, from data creation through their dissemination to their evaporation or apoptosis (a partial or complete self-destruction, respectively). An active bundle packages together sensitive data, metadata, and a virtual machine (VM) specific to the bundle. Metadata contain information related to the use of data, including data access control and dissemination policies. A VM controls all activities of its active bundle, and enforces the policies specified by metadata. Implementing VMs in effective and efficient ways is the key issue for the scheme. There are seven main contributions of this Thesis. First, we propose the ...

Privacy and security in cloud computing is an important concern for both the public and private sector. Cloud computing allows the use of internet-based services to support business processes and rental of IT services on a utility-like basis. While cloud computing offers a massive concentration of resources, it poses risks for privacy preservation. The expected loss from a single breach can be significant and the heterogeneity of “users” represents an opportunity of multiple, collaborative threats. Problems associated with trusted third-party managed Cloud Computing stem from loss of control, lack of trust (mechanisms) and multi-tenancy. Identity management (IDM) is one of the core components in cloud privacy and security and can help alleviate some of the problems associated with cloud computing. Cloud computing requires a user-centric access control where every user’s request for any provider is accompanied with the user identity and entitlement information. The system creates digital id...

Likelihood of Threats to Connected Vehicles
Int. J. Next Gener. Comput., 2014
Modern vehicles are connected vehicles whose electronic control units communicate through their in-vehicle networks and they communicate with neighboring vehicles, road side units, personal devices, and service centers. This provides cyber-attackers with the opportunity to communicate with the vehicles and to stage attacks. This paper reports on a case study for estimating the likelihoods of threats for connected vehicles; it provides the results of a survey that we conducted to estimate the likelihoods of 7 threats to connected vehicles. The experts rated 6 threats as very unlikely and one as almost impossible. The levels of the rating scale that we used are: almost impossible, very unlikely, unlikely, likely, and highly likely. The survey shows that attacks on connected vehicles require fast attacks (before being discovered or a change in the attack context occurs) and must be staged by experts who have deep knowledge about the targets. It also shows that developing such attacks doe...

Technical solutions fail if people experience difficulties using them. Sometimes these difficulties force people to work around the security solutions in order to achieve legitimate goals. Improving usability undoubtedly helps, but this has not improved the situation as much as anticipated. In this paper we consider a variety of other reasons for non-uptake. We argue that this situation can only be addressed by considering the person as a member of the wider community and not as a solitary agent. This aligns with the traditional African wisdom of Ubuntu: “I am because we are”. We propose improving the African Digital Security Culture (ADSC): collective knowledge, common practices, and intuitive common security and privacy behaviour, in a particular society. We suggest a set of approaches for developing and sustaining ADSC in a society, for as members of a society we learn most effectively from each other, not from books, the media or by carrying out searches using search engines.

2018 IEEE International Smart Cities Conference (ISC2), 2018
Connected vehicles are equipped with devices that enable them to communicate with external entities, such as other vehicles. This capability is currently used to implement Cooperative Adaptive Cruise Control (CACC). This paper discusses the impact of security attacks on the safety of using CACC. It reports on simulating the impact of four security attacks on the effectiveness of CACC in the context of a merging scenario of an abstract system. The simulation showed that attacks on the communication between the vehicles cause collisions in a non-negligible proportion of cases. The results suggest the need for strong security assurance for CACC applications.

This paper describes CARDEMO, a Traffic Management System (TMS) designed to assist TMS operators. The CARDEMO prototype applies an emergency response model to the city of Dublin, Ireland, and suggests a set of security controls for protecting critical assets (e.g., hospitals, schools, banks) from unexpected and harmful events that may occur in the city. Given an emergency situation, the system collects information about the amenities and traffic lights in the area, and uses the response model to recommend a set of security controls to mitigate possible threats.

The main challenges in information sharing are limitations of mechanisms for protecting confidentiality of sensitive data. An owner of the data may not be able to enumerate all entities that are allowed to access his data. The common approach to solve this problem is to attach privacy policies to the data. This approach assumes that the recipient’s hosts enforce the policies attached to the data. A solution that relaxes this assumption is to use active bundles, which are containers with a payload of sensitive data, metadata, and a virtual machine (VM) specific to the active bundle. This paper investigates the question: Can data protect their own confidentiality? To answer this question we developed the ABTTP prototype. We assume trustworthy execution of VMs included in active bundles by requiring that hosts executing VMs are Trusted Platform Module (TPM) enabled. Our ABTTP implementation uses a mobile agent framework. The prototype protects privacy of sensitive data through: (i) assuring e...

Traditional Cyber-physical Systems (CPSs) were not built with cybersecurity in mind. They operated on separate Operational Technology (OT) networks. As these systems now become more integrated with Information Technology (IT) networks based on IP, they expose vulnerabilities that can be exploited by attackers through these IT networks. The attackers can control such systems and cause behavior that jeopardizes the performance and safety measures that were originally designed into the system. In this paper, we explore the approaches to identify threats to CPSs and ensure the quality of the created threat models. The study involves interviews with eleven security experts working in security consultation companies, software engineering companies, an Original Equipment Manufacturer (OEM), and ground and aerial vehicle integrators. We found through these interviews that the practitioners use a combination of various threat modeling methods, approaches, and standards together when they...

Towards Automated Threat Modeling of Cyber-Physical Systems
2021 International Conference on Software Engineering & Computer Systems and 4th International Conference on Computational Science and Information Management (ICSECS-ICOCSIM)
A Cyber-Physical System (CPS) seamlessly integrates the computation, communication, and physical components of the system. Often, a CPS controls physical objects through computation and communication and uses real-time feedback. Threat models of such systems must consider their hardware, network, infrastructure, software, and human aspects and the interactions of these aspects. Commonly, threat modeling of such systems is based on the given system’s architecture. In terms of components and interactions among these components, the architecture of a given CPS may change over time, making the threat model of the CPS rapidly obsolete, i.e., an incomplete and invalid threat model. This paper poses the question: Can we automate threat modeling of a given CPS? A positive answer to the question helps to implement continuous up-to-date security assessments of CPSs, for different versions of the given system. It presents an approach to keep the threat model of a given CPS up to date and reports on applying the proposed approach to Apollo Auto 3.5, an autonomous vehicle software. Unfortunately, the scalability limitation of the used architecture recovery technique prevented recovering the Apollo Auto architecture and, consequently, the automated identification of the system’s threat model.

Threats to Validity in Empirical Software Security Research
Empirical Research for Software Security

2018 IEEE International Smart Cities Conference (ISC2)
Organizations use fleet monitoring systems for, e.g., vehicle tracking, driver behavior analysis, and efficient fleet management. Current systems are designed for commercial use and are of high cost. We present a prototype of a low-cost fleet monitoring system that could be used for non-commercial applications. The system is composed of a device, a service application, and a Web application. The device reads data such as speed and fuel from the internal network of the connected vehicle and the location of the vehicle and sends them to a remote service. The remote service processes and stores the data. Users view the data about their vehicles in real time through a Web application.

Special issue on risk and security of smart systems
Journal of Information Security and Applications

On the Performance of Detecting Injection of Fabricated Messages into the CAN Bus
IEEE Transactions on Dependable and Secure Computing
There have been several public demonstrations of attacks on connected vehicles showing the ability of an attacker to take control of a targeted vehicle by injecting messages into its CAN bus. In this paper, using injected speed reading and RPM reading messages into an in-motion vehicle, we examine the ability of the Pearson correlation and the unsupervised learning methods k-means clustering and HMM to differentiate the 'no-attack' and 'under-attack' states of the given vehicle. We found that the Pearson correlation distinguishes the two states, the k-means clustering method has an acceptable accuracy but a high false positive rate, and HMM detects attacks with an acceptable detection rate but has a high false positive rate in detecting attacks from speed readings when there is no attack. The accuracy of these unsupervised learning methods is comparable to that of the supervised learning methods used by CAN bus IDS suppliers. In addition, the paper shows that studying CAN anomaly detection techniques using off-vehicle test facilities may not properly evaluate the performance of the detection techniques. The results suggest using other features besides the data content of the CAN messages and integrating knowledge about how the ECUs collaborate in building effective techniques for the detection of fabricated-message injection attacks.

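The Pearson-correlation idea in the abstract above, as an added example that is not the paper's code or data: a sliding-window check of the linear correlation between speed and RPM readings over a constructed in-motion trace, with fabricated constant-speed messages injected part-way through. The trace generator, the 45 rpm per km/h ratio, the 20-sample window and the 0.8 threshold are assumptions for illustration; the case where a spoofed series becomes constant (zero variance, hence no correlation) is handled explicitly rather than dividing by zero.

```javascript
// Added example (not the paper's code or data): sliding-window Pearson
// correlation between speed and RPM readings as a 'no-attack' vs
// 'under-attack' discriminator for fabricated CAN messages.
// The trace, the injection and all thresholds below are constructed.

// Pearson correlation coefficient of two equal-length numeric series.
function pearson(xs, ys) {
  const n = xs.length;
  if (n !== ys.length || n < 2) {
    throw new Error("pearson: need two equal-length series with at least 2 samples");
  }
  const mean = (a) => a.reduce((s, v) => s + v, 0) / a.length;
  const mx = mean(xs);
  const my = mean(ys);
  let sxy = 0, sxx = 0, syy = 0;
  for (let i = 0; i < n; i++) {
    const dx = xs[i] - mx;
    const dy = ys[i] - my;
    sxy += dx * dy;
    sxx += dx * dx;
    syy += dy * dy;
  }
  // A constant series (zero variance) has no linear relation to anything;
  // this is exactly what a fabricated constant reading looks like.
  if (sxx === 0 || syy === 0) return 0;
  return sxy / Math.sqrt(sxx * syy);
}

// Constructed in-motion trace: in a fixed gear, engine RPM tracks road speed
// almost linearly. Assumed ratio: ~45 rpm per km/h, plus deterministic jitter.
function genuineTrace(n) {
  const samples = [];
  for (let i = 0; i < n; i++) {
    const speed = 40 + 20 * Math.sin(i / 8);        // km/h, gentle accel/decel
    const jitter = (((i * 37) % 11) - 5) * 10;       // -50..+50 rpm
    samples.push({ t: i, speed, rpm: speed * 45 + jitter });
  }
  return samples;
}

// Attack model: from index `from` onward, the speed messages on the bus are
// fabricated (a constant spoofed value) while the engine keeps reporting
// genuine RPM.
function injectFabricatedSpeed(trace, from, spoofedSpeed) {
  return trace.map((s, i) => (i >= from ? { ...s, speed: spoofedSpeed } : s));
}

// Detector: correlate speed against RPM in fixed, non-overlapping windows and
// flag any window whose correlation falls below `threshold` (assumed 0.8).
function detect(trace, windowSize = 20, threshold = 0.8) {
  const verdicts = [];
  for (let start = 0; start + windowSize <= trace.length; start += windowSize) {
    const w = trace.slice(start, start + windowSize);
    const r = pearson(w.map((s) => s.speed), w.map((s) => s.rpm));
    verdicts.push({ start, r: Number(r.toFixed(3)), underAttack: r < threshold });
  }
  return verdicts;
}

// Stand-alone run: the last two windows of the attacked trace are flagged.
const attackedTrace = injectFabricatedSpeed(genuineTrace(100), 60, 50);
console.log(detect(genuineTrace(100)));
console.log(detect(attackedTrace));
```

The check catches an attacker whose fabricated speed values no longer move with the genuine RPM; an attacker who fabricates speed messages that stay consistent with RPM (or fabricates both signals together) would pass it, which is the same reason the abstract points to features beyond message payloads and to knowledge of how the ECUs collaborate.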
IEEE Transactions on Services Computing
With advances in cloud computing and the emergence of service marketplaces, the popularity of composite services marks a paradigm shift from single-domain monolithic systems to cross-domain distributed services, which raises important privacy and security concerns. Access control becomes a challenge in such systems because authentication, authorization and data disclosure may take place across endpoints that are not known to clients. The clients lack options for specifying policies to control the sharing of their data and have to rely on service providers which provide a limited selection of security and privacy preferences. This lack of awareness and loss of control over data sharing increases threats to a client's data and diminishes trust in these systems.

2018 IEEE Cybersecurity Development (SecDev)
SecDevOps is a paradigm for integrating the software development and operation processes considering security and compliance requirements. Organizations are reluctant to transform their development and operation processes to SecDevOps because of the expectation of incompatibility between security and DevOps. This paper reports on a study performed at IBM on the transformation of five Business Intelligence (BI) projects to SecDevOps. The study revealed that the main security concerns for the automation of the deployment process are: separation of duties, enforcement of access controls, manual security tests, audit, security guidelines, management of security issues, and participation of the security team. The major recommended best practices for a transformation of current processes to SecDevOps are: good documentation and logging, strong collaboration and communication, automation of the process, and enforcement of separation of duties. Based on the study, we believe that separation of duties is the main aspect to be considered when planning to automate deployment processes. The results of the study are being used by the IBM BI Unit and may be used by other organizations when planning to migrate to SecDevOps, especially for BI projects.

2016 IEEE Cybersecurity Development (SecDev), 2016
Node.js heavily relies on shared variables. Their manipulation can cause service interruption, confidential data leakage, and service behavior change. Such attacks can be performed from third-party libraries without detection by the service. Identification of such attacks requires analysis of both application and library code.
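To make the shared-variable problem concrete, here is an added example (not the paper's code): a service that hands its module-scope configuration object to a constructed third-party "logging" helper, which silently flips the redaction flag (data leakage) and widens the allowed-origins list (behavior change), followed by one boundary mitigation in which the library is only handed a read-only Proxy view, so the first write is rejected and the service's own copy stays intact. The service, the plugin, the config keys and the log format are all assumptions for illustration; the mitigation is a prevention at the sharing boundary, not the code analysis the abstract refers to.

```javascript
// Added example (not the paper's code): a Node.js service sharing a
// module-scope config object with a third-party helper, which mutates it.
// The service, the plugin, the config keys and the log format are constructed.

// Service-wide shared state. In a real service this object lives in a module
// that many files require(), so every holder sees the same instance.
function makeConfig() {
  return {
    logLevel: "info",
    redactSecrets: true,
    allowedOrigins: ["https://app.example"],
  };
}

// Constructed malicious third-party "logging" helper: it looks like a plugin
// but tampers with the object it is handed.
function thirdPartyPlugin(config) {
  config.redactSecrets = false;                        // data leakage: secrets now logged in clear
  config.allowedOrigins.push("https://evil.example");  // behavior change: extra trusted origin
  return { name: "pretty-logger" };
}

// Part of the service whose behavior depends on the shared flag.
function renderLog(config, record) {
  const out = { ...record };
  if (config.redactSecrets && "token" in out) out.token = "[REDACTED]";
  return JSON.stringify(out);
}

// Vulnerable wiring: the live shared object goes straight to the library.
function vulnerableService() {
  const config = makeConfig();
  thirdPartyPlugin(config);
  return { config, line: renderLog(config, { msg: "login", token: "s3cr3t" }) };
}

// Mitigation: share a read-only view instead of the live object. Every write
// or delete, including writes to nested objects and arrays, throws whether or
// not the caller runs in strict mode, so tampering fails loudly at the library
// boundary and the service's copy is never touched.
function readOnlyView(obj, path = "config") {
  return new Proxy(obj, {
    get(target, prop, receiver) {
      const v = Reflect.get(target, prop, receiver);
      return v !== null && typeof v === "object"
        ? readOnlyView(v, `${path}.${String(prop)}`)
        : v;
    },
    set(_target, prop) {
      throw new TypeError(`write to shared ${path}.${String(prop)} blocked`);
    },
    deleteProperty(_target, prop) {
      throw new TypeError(`delete of shared ${path}.${String(prop)} blocked`);
    },
  });
}

function hardenedService() {
  const config = makeConfig();
  let blocked = null;
  try {
    thirdPartyPlugin(readOnlyView(config));
  } catch (e) {
    blocked = e.message;                               // first tampering attempt is reported
  }
  return { config, blocked, line: renderLog(config, { msg: "login", token: "s3cr3t" }) };
}

console.log(vulnerableService().line);  // token leaks in clear
console.log(hardenedService());         // blocked write, token still redacted
```

The view only protects objects the service deliberately hands over; state a library can reach on its own, such as globals or `Object.prototype`, is outside this boundary, which is why the abstract's point stands that finding such manipulation needs analysis of both the application and the library code rather than a single guard.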