http://www.computer.org/tdsc The IEEE Transactions on Dependable and Secure Computing is a new quarterly that will publish archival research results focusing on research into foundations, methodologies, and mechanisms that support the achievement_through design, modeling, and evaluation_of systems and networks that are dependable and secure to the desired degree without compromising performance. The focus also includes measurement, modeling, and simulation techniques, and foundations for jointly evaluating, verifying, and designing for performance, security, and dependability constraints. en-us Wed, 4 Jan 2012 11:00:01 GMT http://csdl.computer.org/common/images/logos/tdsc.gif List of recently published journal articles http://www.computer.org/tdsc http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.64 In this paper, we introduce the first application of the belief propagation algorithm on trust and reputation management systems. We approach the reputation management problem as an inference problem and describe it as computing marginal likelihood distributions from complicated global functions of many variables. However, we observe that computing the marginal probability functions is computationally prohibitive for large scale systems. Therefore, we propose to utilize the belief propagation algorithm to efficiently (in linear complexity) compute these marginal probability distributions; resulting an iterative probabilistic and belief propagation-based approach (BP-ITRM). BP-ITRM models the reputation system on a factor graph. By using a factor graph, we obtain a qualitative representation of how the consumers (buyers) and service providers (sellers) are related on a graphical structure. Further, by using such a factor graph, global functions factor into products of simpler local functions, each of which depends on a subset of the variables. We prove that BP-ITRM iteratively reduces the error in the reputation values of service providers due to the malicious raters with a high probability. Further, comparison of BP-ITRM with some well-known and commonly used reputation management indicates the superiority of the proposed scheme both in terms of robustness against attacks and efficiency. http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.64 http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.61 We propose and implement an innovative remote attestation framework called DR@FT for efficiently measuring a target system based on an information flow-based integrity model. With this model, the high integrity processes of a system are first measured and verified, and these processes are then protected from accesses initiated by low integrity processes. Towards dynamic systems with frequently changed system states, our framework verifies the latest state changes of a target system instead of considering the entire system information. Our attestation evaluation adopts a graph-based method to represent integrity violations, and the graph-based policy analysis is further augmented with a ranked violation graph to support high semantic reasoning of attestation results. As a result, DR@FT provides efficient and effective attestation of a system's integrity status, and offers intuitive reasoning of attestation results for security administrators. Our experimental results demonstrate the feasibility and practicality of DR@FT. http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.61 http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.57 Most network applications such as pervasive computing,grid computing and P2P networks can be viewed as multiagent systems which are open,anonymous and dynamic in nature.Such nature make multiagent systems vulnerable to potential threats.One way to minimize threats is to evaluate the trust and reputation of interacting agents.Many models have done so,but they fail to properly evaluate trust when malicious agents start to behave in an unpredictable way.Not only that they are also ineffective in providing quick response to a malicious agent's oscillating behavior.Another aspect which is becoming critical for sustaining good service quality,is the even distribution of workload among the service providing agents.Most models have not yet addressed this issue.To cope with the strategically altering behavior of malicious agents and to allocate workload as evenly as possible among them;we present in this paper a dynamic trust computation model called SecuredTrust where we analyze the different factors related to trust and then propose a comprehensive quantitative model for evaluating such trust.We also propose a novel load balancing algorithm based on the different factors defined in our model.Simulation results show our model compared to other existing models are effective against malicious agent and at the same time efficiently distribute workload among the service providing agents under stable condition. http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.57 http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.53 In 2010,Sun et al. proposed a security architecture to ensure unconditional anonymity for honest users and traceability of misbehaving users for network authorities in wireless mesh networks(WMNs).It strives to resolve the conflicts between the anonymity and traceability objectives.The key component of Sun et al.'s security architecture is a ticket-based anonymity scheme.In this paper, we attack Sun et al. scheme's traceability.Our analysis showed that trusted authority(TA) can not trace the misbehavior client(CL) even it double-time deposits the same ticket. http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.53 http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.65 Due to the unattended nature of wireless sensor networks, an adversary can physically capture and compromise sensor nodes and then mount a variety of attacks with the compromised nodes. To minimize the damage incurred by the compromised nodes, the system should detect and revoke them as soon as possible. To mitigate the limitations of the existing schemes, we propose a zone-based node compromise detection and revocation scheme in wireless sensor networks. The main idea behind our scheme is to use sequential hypothesis testing to detect suspect regions in which compromised nodes are likely placed. In these suspect regions, the network operator performs software attestation against sensor nodes, leading to the detection and revocation of the compromised nodes. Through quantitative analysis and simulation experiments, we show that the proposed scheme detects the compromised nodes with a small number of samples while reducing false positive and negative rates, even if a substantial fraction of the nodes in the zone are compromised. Additionally, we model the detection problem using a game theoretic analysis, derive the optimal strategies for the attacker and the defender, and show that the attacker's gain from node compromise is greatly limited by the defender when both the attacker and the defender follow their optimal strategies. http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.65 http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.63 Direct Anonymous Attestation (DAA) is a scheme that enables the remote authentication of a Trusted Platform Module (TPM) while preserving the user's privacy. In the DAA scheme, a TPM can be revoked only if the DAA private key in the hardware has been extracted and published widely so that verifiers obtain the corrupted private key. If the unlinkability requirement is relaxed, a TPM suspected of being compromised can be revoked even if the private key is not known. However, with the full unlinkability requirement intact, if a TPM has been compromised but its private key has not been distributed to verifiers, the TPM cannot be revoked. Furthermore, a TPM cannot be revoked from the issuer, if the TPM is found to be compromised after the DAA issuing has occurred. In this paper, we present a new DAA scheme called Enhanced Privacy ID (EPID) scheme that addresses the above limitations. While still providing unlinkability, our scheme provides a method to revoke a TPM even if the TPM private key is unknown. This expanded revocation property makes the scheme useful for other applications such as for driver's license. Our EPID scheme is efficient and provably secure in the same security model as DAA. http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.63 http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.62 Several models for incorporating spatial constraints into role-based access control (RBAC) have been proposed, and researchers are now focusing on the challenge of ensuring such policies are enforced correctly. However, existing approaches have a major shortcoming, as they assume the server is trustworthy and require complete disclosure of sensitive location information by the user. In this work, we propose a novel framework and a set of protocols to solve this problem. Specifically, in our scheme, a user provides a service provider with role and location tokens along with a request. The service provider consults with a role authority and a location authority to verify the tokens and evaluate the policy. However, none of the servers learn the requesting user's identity, role, or location. In this paper, we define the protocols and the policy enforcement scheme, and present a formal proof of a number of security properties. http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.62 http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.60 In this work we suggest hardware and software components that enable the creation of a self-stabilizing OS\VMM on top of an off-the-shelf, non-self-stabilizing processor. A simple "watchdog" hardware that is called a periodic reset monitor (PRM) provides a basic solution. The solution is extended to stabilization enabling hardware (SEH) which removes any real time requirement from the OS\VMM. A stabilization enabling system that extends the SEH with software components provides the user (an OS\VMM designer) with a self-stabilizing processor abstraction. The method uses only a modest addition of hardware, which is external to the microprocessor. We demonstrate our approach on the XScale core by Intel. Moreover, we suggest methods for the adaptation of existing system code to be self-stabilizing. One method allows capturing and enforcing the configuration used by the program, thus reducing the work of the self-stabilizing algorithm designer to considering only the dynamic (non-configurational) parts of the state. Another method is suggested for ensuring that, eventually, addresses of branch commands are examined using a sanity check segment. This method is then used to ensure that a sanity check is performed before critical operations. http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.60 http://opac.ieeecomputersociety.org/opac?year=2012&volume=9&issue=01&acronym=tdsc IEEE Transactions on Dependable and Secure Computing http://www.computer.org/portal/site/tdsc/ http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.59 Internet services and applications have become an inextricable part of our life enabling us to manage personal information and communicate from anywhere. To accommodate this increase in application and data complexity, web services have moved to a multi-tiered design where the web server runs the application front-end logic and the data are outsourced to a database or file server. Here, we present, DoubleGuard, an IDS system that models the network behavior of user sessions across both the front-end web server and the back-end database. By monitoring both web and subsequent database requests, we are able to ferret-out attacks that independent IDS would not be able to identify. Furthermore, we quantify the limitations of any multi-tier IDS in terms of training sessions and functionality coverage. We implemented DoubleGuard using Apache Web server with MySQL and light-weight virtualization. We collected and processed real-world traffic over a period of 15 days of our system deployment in both dynamic and static web applications. Finally, using DoubleGuard we were able to expose a wide range of attacks with 100% accuracy while maintaining 0% false positives for static web services and 0.6% false positives for dynamic web services. http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.59 http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.56 Silence suppression, an essential feature of speech communications over the Internet, saves bandwidth by disabling voice packet transmissions when silence is detected. However silence suppression enables an adversary to recover talk patterns from packet timing. In this paper, we investigate privacy leakage through the silence suppression feature. More specifically, we propose a new class of traffic analysis attacks to encrypted speech communications with the goal of detecting speakers of encrypted speech communications. These attacks are based on packet timing information only and the attacks can detect speakers of speech communications made with different codecs. We evaluate the proposed attacks with extensive experiments over different type of networks including commercial anonymity networks and campus networks. The experiments show that the proposed traffic analysis attacks can detect speakers of encrypted speech communications with high accuracy based on traces of 15 minutes long on average. http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.56 http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.52 In this paper, we propose game-theoretic mechanisms to encourage truthful data sharing for distributed data mining. One proposed mechanism uses the classic Vickrey-Clarke-Groves (VCG) mechanism, and the other relies on the Shapley value. Neither relies on the ability to verify the data of the parties participating in the distributed data mining protocol. Instead, we incentivize truth telling based solely on the data mining result. This is especially useful for situations where privacy concerns prevent verification of the data. Under reasonable assumptions, we prove that these mechanisms are incentive compatible for distributed data mining. In addition, through extensive experimentation, we show that they are applicable in practice. http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.52 http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.51 Mobile Ad hoc Networks (MANET) have been highly vulnerable to attacks due to the dynamic nature of its network infrastructure. Among these attacks, routing attacks have received considerable attention since it could cause the most devastating damage to MANET. Even though there exist several intrusion response techniques to mitigate such critical attacks, existing solutions typically attempt to isolate malicious nodes based on binary or naive fuzzy response decisions. However, binary responses may result in the unexpected network partition, causing additional damages to the network infrastructure, and nai}ve fuzzy responses could lead to uncertainty in countering routing attacks in MANET. In this paper, we propose a risk-aware response mechanism to systematically cope with the identified routing attacks. Our risk-aware approach is based on an extended Dempster-Shafer mathematical theory of evidence introducing a notion of importance factors. In addition, our experiments demonstrate the effectiveness of our approach with the consideration of several performance metrics. http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.51 http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.50 Malicious software typically resides stealthily on a user's computer and interacts with the user’s computing resources. Our goal in this work is to improve the trustworthiness of a host and its system data. Specifically, we provide a new mechanism that ensures the correct origin or provenance of critical system information and prevents adversaries from utilizing host resources. We define data-provenance integrity as the security property stating that the source where a piece of data is generated cannot be spoofed or tampered with. We describe a cryptographic provenance verification approach for ensuring system properties and system-data integrity at kernel-level. Its two concrete applications are demonstrated in the keystroke integrity verification and malware traffic detection. Specifically, we first design and implement an efficient cryptographic protocol that enforces keystroke integrity by utilizing on-chip Trusted Computing Platform (TPM). The protocol prevents the forgery of fake key events by malware under reasonable assumptions. Then, we demonstrate our provenance verification approach by realizing a lightweight framework for restricting outbound malware traffic. This traffic-monitoring framework helps identify network activities of stealthy malware, and lends itself to a powerful personal firewall for examining all outbound traffic of a host, which cannot be bypassed. http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.50 http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.49 Compromised machines are one of the key security threats on the Internet. Given that spamming provides a key economic incentive for attackers to recruit the large number of compromised machines, we focus on the detection of the compromised machines in a network that are involved in the spamming activities, commonly known as spam zombies. We develop an effective spam zombie detection system named SPOT by monitoring outgoing messages of a network. SPOT is designed based on a powerful statistical tool called Sequential Probability Ratio Test, which has bounded false positive and false negative error rates. Our evaluation studies based on a two-month email trace collected in a large U.S. campus network show that SPOT is an effective and efficient system in automatically detecting compromised machines in a network. For example, among the 440 internal IP addresses observed in the email trace, SPOT identifies 132 of them as being associated with compromised machines. Out of the 132 IP addresses identified by SPOT, 126 can be either independently confirmed (110) or highly likely (16) to be compromised. Moreover, only 7 internal IP addresses associated with compromised machines in the trace are missed by SPOT. http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.49 http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.48 Consensus is one of the key problems in fault-tolerant distributed computing. Although the solvability of consensus is now a well-understood problem, comparing different algorithms in terms of efficiency is still an open problem. In this paper, we address this question for round-based consensus algorithms using communication predicates, on top of a partial synchronous system that alternates between good and bad periods (synchronous and non-synchronous periods). Communication predicates together with the detailed timing information of the underlying partially synchronous system provide a convenient and powerful framework for comparing different consensus algorithms and their implementations. This approach allows us to quantify the required length of a good period to solve a given number of consensus instances. With our results, we can observe several interesting issues, such as the number of rounds of an algorithm is not necessarily a good metric for its performance. http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.48 http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.42 Despite the conventional wisdom that proactive security is superior to reactive security, we show that reactive security can be competitive with proactive security as long as the reactive defender learns from past attacks instead of myopically overreacting to the last attack. Our game-theoretic model follows common practice in the security literature by making worst-case assumptions about the attacker: we grant the attacker complete knowledge of the defender's strategy and do not require the attacker to act rationally. In this model, we bound the competitive ratio between a reactive defense algorithm (which is inspired by online learning theory) and the best fixed proactive defense. Additionally, we show that, unlike proactive defenses, this reactive strategy is robust to a lack of information about the attacker's incentives and knowledge. http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.42 http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.32 Content distribution via network coding has received a lot of attention lately. However, direct application of network coding may be insecure. In particular, attackers can inject "bogus" data to corrupt the content distribution process so as to hinder the information dispersal or even deplete the network resource. Therefore, content verification is an important and practical issue when network coding is employed. When random linear network coding is used, it is infeasible for the source of the content to sign all the data, and hence the traditional "hash-and-sign" methods are no longer applicable. Recently, a new on-the-fly verification technique is proposed by Krohn et al. %for rateless erasure codes (IEEE S&P '04), which employs a classical homomorphic hash function. However, this technique is difficult to be applied to network coding because of high computational and communication overhead. We explore this issue further by carefully analyzing different types of overhead, and propose methods to help reducing both the computational and communication cost, and provide provable security at the same time. http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.32 http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.30 Radio Frequency Identification (RFID) has been developed as an important technique for many high security and high in-tegrity settings. In this paper, we study survivability issues for RFID. We first present an RFID survivability experiment to define a foundation to measure the degree of survivability of an RFID system under varying attacks. Then we model a series of malicious scenarios using stochastic process algebras and study the different effects of those attacks on the ability of the RFID system to provide critical services even when parts of the system have been damaged. Our simulation model relates its statistic to the attack strategies and security recovery. The model helps system designers and security specialists to identify the most devastating attacks given the attacker's capacities and the system's recovery abilities. The goal is to improve the system survivability given possible attacks. Our model is the first of its kind to formally represent and simulate attacks on RFID systems and to quantitatively measure the degree of survivability of an RFID system under those attacks. http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.30 http://doi.ieeecomputersociety.org/10.1109/TDSC.2010.57 As VLSI technology enters the nanoscale regime, a major design reliability concern arises from electromigration which refers to the transport of material caused by ion movement in interconnects. Since the lifetime of an interconnect drastically depends on the current flowing through it, the electromigration problem aggravates with increasingly growing thinner wires. To mitigate the electromigration effects, interconnect current density needs to be reduced. Assigning wires to thick metals increases wire volume and thus reduces the current density. However, over-stretching thick-metal assignment may hurt routability. Thus, it is highly desirable to minimize the thick-metal usage subject to the reliability constraint. In this paper, the minimum cost reliability driven routing, which consists of Steiner tree construction and layer assignment, is considered. The problem is proven to be NP-hard and a highly effective iterative rounding-based integer linear programming algorithm is proposed. In addition, a unified routing technique is proposed to directly handle multiple current levels, which is critical in analog VLSI design. Further, the new algorithm is extended to handle blockage. Our experiments demonstrate that the new algorithm significantly outperforms the state-of-the-art work with up to 14.7% wire reduction. In addition, the new algorithm can save 11.4% wires over a heuristic algorithm for handling multiple currents. http://doi.ieeecomputersociety.org/10.1109/TDSC.2010.57 http://doi.ieeecomputersociety.org/10.1109/TDSC.2010.52 Byzantine-fault-tolerant replication enhances the availability and reliability of Internet services that store critical state and preserve it despite attacks or software errors. However, existing Byzantine-fault-tolerant storage systems either assume a static set of replicas, or have limitations in how they handle reconfigurations (e.g., in terms of the scalability of the solutions or the consistency levels they provide). This can be problematic in long-lived, large-scale systems where system membership is likely to change during the system lifetime. In this paper we present a complete solution for dynamically changing system membership in a large-scale Byzantine-fault-tolerant system. We present a service that tracks system membership and periodically notifies other system nodes of membership changes. The membership service runs mostly automatically, to avoid human configuration errors; is itself Byzantine-fault tolerant and reconfigurable; and provides applications with a sequence of consistent views of the system membership. We demonstrate the utility of this membership service by using it in a novel distributed hash table called dBQS that provides atomic semantics even across changes in replica sets. dBQS is interesting in its own right because its storage algorithms extend existing Byzantine quorum protocols to handle changes in the replica set, and because it differs from previous DHTs by providing Byzantine fault tolerance and offering strong semantics. http://doi.ieeecomputersociety.org/10.1109/TDSC.2010.52 http://doi.ieeecomputersociety.org/10.1109/TDSC.2010.42 Recently, Bertino, Shang and Wagstaff proposed a time-bound hierarchical key management scheme for secure broadcasting. Their scheme is built on elliptic curve cryptography and implemented with tamper-resistant devices. In this paper, we present two collusion attacks on Bertino-Shang-Wagstaff scheme. The first attack does not need to compromise any decryption device, while the second attack requires to compromise single decryption device only. Both attacks are feasible and effective. http://doi.ieeecomputersociety.org/10.1109/TDSC.2010.42