  • Conference proceedings
  • © 2010

Engineering Secure Software and Systems

Second International Symposium, ESSoS 2010, Pisa, Italy, February 3-4, 2010, Proceedings

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 5965)

Part of the book sub series: Security and Cryptology (LNSC)

Conference series link(s): ESSoS: International Symposium on Engineering Secure Software and Systems

Conference proceedings info: ESSoS 2010.

Table of contents (18 papers)

  1. Front Matter

  2. Session 1. Attack Analysis and Prevention I

    1. BuBBle: A Javascript Engine Level Countermeasure against Heap-Spraying Attacks

      • Francesco Gadaleta, Yves Younan, Wouter Joosen
      Pages 1-17
    2. CsFire: Transparent Client-Side Mitigation of Malicious Cross-Domain Requests

      • Philippe De Ryck, Lieven Desmet, Thomas Heyman, Frank Piessens, Wouter Joosen
      Pages 18-34
    3. Idea: Opcode-Sequence-Based Malware Detection

      • Igor Santos, Felix Brezo, Javier Nieves, Yoseba K. Penya, Borja Sanz, Carlos Laorden et al.
      Pages 35-43
  3. Session 2. Attack Analysis and Prevention II

    1. Experiences with PDG-Based IFC

      • Christian Hammer
      Pages 44-60
    2. Idea: Java vs. PHP: Security Implications of Language Choice for Web Applications

      • James Walden, Maureen Doyle, Robert Lenhof, John Murray
      Pages 61-69
    3. Idea: Towards Architecture-Centric Security Analysis of Software

      • Karsten Sohr, Bernhard Berger
      Pages 70-78
  4. Session 3. Policy Verification and Enforcement I

    1. Formally-Based Black-Box Monitoring of Security Protocols

      • Alfredo Pironti, Jan Jürjens
      Pages 79-95
    2. Secure Code Generation for Web Applications

      • Martin Johns, Christian Beyerlein, Rosemaria Giesecke, Joachim Posegga
      Pages 96-113
    3. Idea: Reusability of Threat Models – Two Approaches with an Experimental Evaluation

      • Per Håkon Meland, Inger Anne Tøndel, Jostein Jensen
      Pages 114-122
  5. Session 4. Policy Verification and Enforcement II

    1. Model-Driven Security Policy Deployment: Property Oriented Approach

      • Stere Preda, Nora Cuppens-Boulahia, Frédéric Cuppens, Joaquin Garcia-Alfaro, Laurent Toutain
      Pages 123-139
    2. Category-Based Authorisation Models: Operational Semantics and Expressive Power

      • Clara Bertolissi, Maribel Fernández
      Pages 140-156
    3. Idea: Efficient Evaluation of Access Control Constraints

      • Achim D. Brucker, Helmut Petritsch
      Pages 157-165
  6. Session 5. Secure System and Software Development I

    1. Idea: Enforcing Consumer-Specified Security Properties for Modular Software

      • Giacomo A. Galilei, Vincenzo Gervasi
      Pages 182-191
  7. Session 6. Secure System and Software Development II

    1. Automatic Generation of Smart, Security-Aware GUI Models

      • David Basin, Manuel Clavel, Marina Egea, Michael Schläpfer
      Pages 201-217
    2. Report: Modular Safeguards to Create Holistic Security Requirement Specifications for System of Systems

      • Albin Zuccato, Nils Daniels, Cheevarat Jampathom, Mikael Nilson
      Pages 218-230
    3. Idea: A Feasibility Study in Model Based Prediction of Impact of Changes on System Quality

      • Aida Omerovic, Anette Andresen, Håvard Grindheim, Per Myrseth, Atle Refsdal, Ketil Stølen et al.
      Pages 231-240
  8. Back Matter

Other Volumes

  1. Engineering Secure Software and Systems

About this book

It is our pleasure to welcome you to the proceedings of the Second International Symposium on Engineering Secure Software and Systems. This unique event aimed at bringing together researchers from software engineering and security engineering, which might help to unite and further develop the two communities in this and future editions. The parallel technical sponsorships from the ACM SIGSAC (the ACM interest group in security) and ACM SIGSOFT (the ACM interest group in software engineering) are a clear sign of the importance of this inter-disciplinary research area and its potential. The difficulty of building secure software systems is no longer focused on mastering security technology such as cryptography or access control models. Other important factors include the complexity of modern networked software systems, the unpredictability of practical development life cycles, the intertwining of and trade-off between functionality, security and other qualities, the difficulty of dealing with human factors, and so forth. Over the last years, an entire research domain has been building up around these problems. The conference program included two major keynotes from Andy Gordon (Microsoft Research Cambridge) on the practical verification of security protocols implementation and Angela Sasse (University College London) on security usability and an interesting blend of research, industry and idea papers.

Editors and Affiliations

  • Dipartimento Ingegneria e Scienza dell’Informazione, Università di Trento, Povo (Trento), Italy

    Fabio Massacci

  • Department of Computer Science, Rice University, Houston, USA

    Dan Wallach

  • Faculty of Mathematics and Computer Science, Eindhoven University of Technology, Eindhoven, The Netherlands

    Nicola Zannone
