Tues

day

Oct

ober

25,

200

5

Preview SoBeNeT- II project

2

Tues

day

Nov

embe

r 14,

200

6

Agenda

16:00h Introduction and project status

17:00h Discussion: feedback and opportunities for validation

17:15h Preview of the SoBeNeT-II project

17:50h Conclusion and wrap-up

18:00h Informal gathering and drinks

3

Tues

day

Nov

embe

r 14,

200

6

The new project in a nutshell

Natural follow-up of SoBeNeT project Strategic, fundamental research for enabling

secure software (IWT SBO) Specific accents and focused efforts Verification upgraded to become one of the

project’s cornerstones (Towards “assurance”)Project consortium is identical

DistriNet, COSIC, Ubizen (Cybertrust) Increased level of collaboration

User group is continued –anyway!!! Evolving group driven by collaborations, interests,

company priorities

4

Tues

day

Nov

embe

r 14,

200

6

Project structure and work plan

4 or 5 major tracksSoftware development technologies for

securitySoftware engineering for securityTechniques to protect sensitive parts in

secure softwareAssurance: Verification of security

requirements and AttestationMonitoring and management technology

5

Tues

day

Nov

embe

r 14,

200

6

Security middleware

Component Models

Operating systems systems security

Applications: drivers and validation means From SoBeNeT

E-finance E-health E-publishing

SEC SODA

Integrated approach to develop and deploy secure software

Programming language technology

Sec

ure

Sof

twar

e E

ngin

eerin

g(P

roce

ss, A

rtifa

cts,

Aut

omat

ion…

)

Sec

ure

Dep

loym

ent

(Mon

itorin

g an

d m

anag

emen

t)

Ass

uran

ce (

verif

icat

ion,

tru

sted

com

putin

g, s

ealin

g…)

2 tracks

6

Tues

day

Nov

embe

r 14,

200

6

Discussion 1/4

Software development technologies will focus on State-of-the art programming languages Standard platforms

• .NET• WS*• J2EE

Not on traditional C/C++ programming

Based on majority of the user group

7

Tues

day

Nov

embe

r 14,

200

6

Discussion 2/4

Software engineering will focus onArchitecture driven design Increased Automation (MDD)Also address:

• Introducing metrics (hard)• Broadening set of requirements (track 5)

Not on Agile methods

Backed by majority of the user group

8

Tues

day

Nov

embe

r 14,

200

6

Discussion 3/4

Introduce efforts towards assuranceAttestationVerificationWIN-WIN COSIC DISTRINETSealing

Less relevant for the user group? Yet essential for world class results in the long run…

9

Tues

day

Nov

embe

r 14,

200

6

Discussion 4/4

“Shielding and interception” has evolved to become secure deployment. Includes focus on business management Introduces new types of requirements

• Ability to do forensics• Practice of audit, business continuity

Hence great synergy with track on secure software engineering

Long term vision: integration with the overall life cycle management of security (methodology to be public – backed by Cybertrust)

Tues

day

Oct

ober

25,

200

5

Track level details

11

Tues

day

Nov

embe

r 14,

200

6

Track 1: software development technology (DistriNet)

WP1: Identification of critical vulnerability classes Ongoing monitoring of vulnerability trends Proactive analysis of new technologies (e.g., AOSD, AJAX)

WP2: Programming models Definition of methodology for designing programming models Supporting compositions of programming models

WP3: Component models and composition Component contracts Load-time and run-time contract checking Extending support for advanced composition (AOSD, DSL’s) Secure composition of aspects

WP4: Validation for web application and services Demonstrate combinations of programming models for web

applications Define a library of reusable, composeable security services

12

Tues

day

Nov

embe

r 14,

200

6

Track 2: Software engineering (DistriNet, Ubizen)

WP1: Enablers Supporting SoA security requirements Creating security metrics Up-to-date overview of vulnerabilities and requirements

WP2: Architecture driven development Architecture definition (method, patterns) Feature interaction for security Traceability of architectural decisions Maintaining architectural integrity Supporting architectural consistency

WP3: Model driven development Definition of notations that enable transformation and verification Definition of DSL’s for specific security concerns Exploration of transformation techniques Support for traceability (from requirements to implementation) Property-preserving refinements (e.g., for security principles)

13

Tues

day

Nov

embe

r 14,

200

6

Track 3: Protection techniques (COSIC)

WP1: Self-checking code State-of-the-art study Improvements (e.g., mutually checking software guards) Proof-of-concept / implementation

WP2: Self-modifying code State-of-the-art study Analysis and attacks Improvements: code encryption Implementation

WP3: Obfuscation and white-box crypto interaction Use of random functions to improve obfuscation techniques Continuation of sobenet1 research

WP4: Encrypted code execution and encrypted data processing Homomorphic encryption

14

Tues

day

Nov

embe

r 14,

200

6

Track 4: Verification (COSIC, DistriNet)

WP1: Software attestation Study of the state-of-the art software attestation Currently only software based Identification of problems Research how to use (existing an new) software techniques

and hardware to address these problems• e.g. use of a TPM to solve the timing problem; use of smartcard

WP2: Trusted computing platforms (use of TPM) How to use trusted computing platforms to enhance software

security ….

15

Tues

day

Nov

embe

r 14,

200

6

Track 5: Management and monitoring (Ubizen, DistriNet)

WP1: RequirementsAudit requirements and solutionsBusiness management requirements and

solutionsAdministration requirements and solutions

WP2: Deployment architecturesWP3: Patterns for software engineering

track (ADD)

Tues

day

Oct

ober

25,

200

5

Discussion

Suggestions for improvement, focus, … ?