(Pro-)Seminar Engineering Responsible Information Systems

News

Information:

  • Block Seminar: The block seminar will take place on Tuesday 24.07.2018 and Wednesday 25.07.2018. We plan to have the presentations from 9:00 to approx. 15:00. The room is B 016.
  • Coming Deadline: 05.07.2018, 18:00 - Final draft of the thesis. 
  • Exam Registration:  Until 20.04.2018 you need to register for the exam (Proseminar or Seminar). Deregistration after this date is not possible.
  • Kickoff Date: 27.03.2018 at 14:00, in room B 016.
  • Seminar Topics: The list of topics is presented below. Please send an email with a list of your top three topics to Prof. Jan Jürjens and Shayan Ahmadian. The topics are assigned on a "first come, first served" basis. Some of the topics are already reserved (labeled with: This topic has been reserved by a participant). Currently, all the topics are reserved.

Templates

 

Abstract

The participants will get to understand responsible information systems, the requirements on security-critical systems, and the types of threats these systems face. Nowadays, machine learning, automation, and the availability of vast amounts of data enable software systems to make more autonomous decisions. For instance, software might decide who gets a loan and which medical treatment a patient should receive. The importance of these decisions makes fairness and nondiscrimination in software as important as software quality. Therefore, understanding "Engineering Responsible Information Systems" is pivotal in software design. In this (Pro)Seminar the participants get an overview of requirements engineering for data collection processes, and of software models that address issues of responsible behavior.

 

Moreover, the participants will get an overview of the existing techniques to avoid security risks and to repel threats. They will get to know the special features of managing security-related software projects, the benefit of security expenses, and the relevant standards and regulations. Finally, they will concentrate on model-based techniques for developing security-critical systems as well as for analyzing and re-engineering existing software, so that they are able to evaluate the practical experience gained and get an overview of existing tools and their performance.

Guiding themes

The development and maintenance of responsible and security-critical information systems are big challenges. Many software-intensive systems have been designed and implemented and are in use despite serious security issues. We know this from experience as well as from headlines about spectacular system malfunctions or successful attacks on systems. The reasons are manifold. Sometimes the developers lack the required security awareness; often the required knowledge of development processes, methods, techniques and tools is missing, or they are not used because the time and cost involved are assumed to be unaffordable under current competitive pressure. In relation to the engineering or re-engineering of responsible and security-critical software systems, the following questions need to be answered:

 

  • Which methods exist for comprehensive risk management, with which experts are able to perform a complete analysis of the security and fairness risks of business processes and workflows and to derive proposals for appropriate treatments?
  • Which methods exist for the engineering or re-engineering of security-critical software systems, for the selection of suitable development processes and suitable tools, and for quality assurance?
  • Which tools exist to automatically analyze, e.g., business processes, UML specifications, source code and configuration files with respect to security?
  • Is it possible to intuitively specify security requirements with UML or CASE tools such as AutoFocus? Do tools exist for simulation, consistency checking, code generation, verification and testing of security aspects?
  • Are the created models usable as documentation for certification against relevant standards?
  • Concerning responsible information systems, what is the protected information, and how is it possible to understand hidden information flows?

 

Block seminar

This seminar will take place as a two- or three-day block seminar at the end of the semester.

      The dates for the block seminar are fixed.

       

      The block seminar will take place on Tuesday 24.07.2018 and Wednesday 25.07.2018.

       

      We plan to have the presentations from 9:00 to approx. 15:00.

       

      Seminar topics

      1. Privacy and Data Protection Impact Assessment

      This topic has been reserved by a participant.

      According to Article 35 of the General Data Protection Regulation (GDPR), the data controllers are obligated to conduct a privacy impact assessment to ensure the protection of sensitive data. Failure to properly protect sensitive data may affect data subjects (customers) negatively, and damage the reputation of data processors. Conducting the proposed PIA methodology implies that the design of a system is analyzed and where necessary appropriate security and privacy measures are suggested to technically improve a concrete system design.

      Introductory literature:

      2. Security-Monitoring and Code Injection

      This topic has been reserved by a participant.

      Given a model of a secure system design, the system has to be implemented. There are different mechanisms to ensure and/or monitor that certain security requirements are satisfied at run time. Two possibilities are monitoring the code purely externally by watching access / transaction / ... logs, or instrumenting the source code to connect it to assessment tools.

      Introductory literature:

      3. Security of VoIP Networks

      This topic has been reserved by a participant.

      Modern phone networks are built upon VoIP technologies instead of ISDN technologies. A number of SIP stack implementations as well as open source PBXs exist, namely Yate, Asterisk, Linux Call Router.
      In most cases, communication is transported unencrypted, which means that the signalling data (SIP) as well as the audio streams (RTP) can be read and used by anyone who has access to the communication paths.
      In this seminar topic, the focus is on showing the security level provided by everyday PBXs and public phone providers. After that, approaches should be presented to secure the communication.

      Introductory literature:

      4. Privacy Design Strategies and Patterns

      This topic has been reserved by a participant.

      Privacy design strategies help IT architects to support privacy by design early in the software development life cycle, during concept development and analysis. These strategies also provide a useful classification of privacy design patterns and the underlying privacy enhancing technologies.

      Introductory literature:

      5. How to Write Security Requirements

      This topic has been reserved by a participant.

      Tackling security issues as early as possible in the development process, that is, during requirements elicitation, is identified as a key factor in reducing security risks and costly rectifications. In many cases requirements have to be phrased textually for different reasons, e.g. to ensure legal liability for contractual documents. There exist many guidelines and template systems on how to phrase high-quality requirements of different types, but are they sufficient to fully cover security needs?

      Introductory literature:

      6. Glossary Models

      This topic has been reserved by a participant.

      One important part of every requirements document is a glossary defining all relevant terms. While this is often solved by a simple term-definition table with project-specific terms, this is not enough to stay on top of possible misunderstandings. Terms can have different meanings in different contexts, even inside the same project, e.g. because they are imported from standards or other applicable documents. Furthermore, terms are interrelated, e.g. by references in their definitions. Ontologies are a means to represent these complex knowledge structures. While they are useful for building domain models, requirements engineering tools might strive for a more lightweight compromise.

      Introductory literature:

      7. View-Extraction for Annotating Models with Security Properties

      This topic has been reserved by a participant.

      In recent research, many approaches for considering security in early development phases have been developed. One example is UMLsec, which allows software engineers to annotate UML models with security annotations and check those for conciseness [1]. Unfortunately, it has been shown that large models are difficult to understand even without such a security extension [2]. To keep large models readable and understandable, UML supports the concept of views, which visualize excerpts of the large model in the background [3]. Especially when UML models are reverse-engineered from source code, those views haven't been used. A solution is to reconstruct those views during reverse engineering [4].

      Introductory literature:

      8. Measuring Software Security

      This topic has been reserved by a participant.

      Measuring and optimizing the design quality of program implementations based on metrics like LCOM5 [1] is a common practice in software development. With the increasing relevance of software security, comparable metrics for measuring the security of implementations are frequently published [2,3]. However, there are only very few works giving overviews of this important field of research [4].

      Introductory literature:

      • [1] Chidamber, Shyam and Kemerer, Chris: “A Metrics Suite for Object-Oriented Design”, in IEEE Transactions on Software Engineering, June, 1994, pp. 476-492: https://doi.org/10.1109/32.295895
      • [2] Wang, Wang, Guo, and Xia: "Security metrics for software systems", in Proceedings of the 47th Annual Southeast Regional Conference, March 2009, pp. 47:1-47:6: https://doi.org/10.1145/1566445.1566509
      • [3] Manadhata and Wing: "An Attack Surface Metric," in IEEE Transactions on Software Engineering, vol. 37, no. 3, May-June 2011, pp. 371-386: https://doi.org/10.1109/TSE.2010.60
      • [4] Chowdhury, Chan, and Zulkernine: "Security metrics for source code structures", in Proceedings of the fourth international workshop on Software engineering for secure systems, May 2008, pp 57-64: https://doi.org/10.1145/1370905.1370913

      9. Model-based Security and Data Minimization Conflicts Checking

      This topic has been reserved by a participant.

      Starting from data minimization is considered a necessary and foundational first step in engineering privacy-aware systems. Privacy breaches often do not come from loopholes in the applied privacy enhanced technologies; other threats are related to vulnerabilities in the underlying business processes and the architecture of the targeted system. A main source of such vulnerabilities is conflicts between security and data minimization requirements which, if they are propagated to the targeted system, might endanger its users' privacy. The key question is how to detect conflicts between security and data-minimization requirements using a model-based approach.

      Introductory literature:

      10. Engineering Discrimination-aware Information Systems

      This topic has been reserved by a participant.

      Advances in machine learning and the availability of vast amounts of data have enabled the rise of autonomous decision-making software, which is now used in various industries. There is a risk that such patterns, or indeed any automated decision-making procedure, can be used to unlawfully discriminate against persons based on their protected characteristics, either intentionally or unintentionally. For instance, the UK Equality Act 2010 and the German General Equal Treatment Act (AGG) 2006 define some legally protected characteristics, including age, gender, race, and sexual orientation. Often, to remain legally compliant, automated decision-making software avoids using protected characteristics as part of the input of the decision-making component. Unfortunately, these characteristics may still affect the analysis result: the actual input being used may contain data that resulted from processing protected characteristics, thus indirectly revealing signals about them. The key question is how to proactively uncover hidden information flows (i.e., as early as the system modeling phase).

      Introductory literature:

       

      11. Malware detection and analysis tools

      This topic has been reserved by a participant.

      Malware has posed a threat to computer users for many years. With the global proliferation of smartphones and the ease of installing end-user applications from app stores, malware developers are now increasingly performing attacks on mobile platforms. Since sophisticated methods are used to obfuscate the intention of malware, its detection and analysis is especially challenging. This presentation gives an overview of current malware detection and analysis techniques.

       

      12. Supporting Software Fairness by Design with Model-Based Information Flow Analysis

      This topic has been reserved by a participant.

      Due to the proliferation of machine learning and data mining into the decision-making activities of modern enterprises, there is a growing concern that users can be discriminated against by decision algorithms. A promising approach to counter discrimination during the design of a system with automated decision-making components is to analyze the system's design models to detect possible unknown sources of discrimination based on information flow. The goal of this topic is to explore a practical software-fairness scenario by specifying the necessary design model and studying the applicability of selected information-flow analysis approaches.

      Introductory literature:

       

       

      Assessment

      The grade will be put together from the following parts:

      • a written manuscript of about 15 pages (Seminar) / 10 pages (Proseminar) length referring to the main part
      • a presentation of about 35 minutes (Seminar) / 30 minutes (Proseminar) plus discussion (limits: 30-40 minutes / 25-35 minutes)
      • active participation during the presentation of other participants
      • compliance with formal guidelines (in particular the timely and complete submission)
      • you will obtain further information during the first meeting

      The grade you receive will take into account the presentation, the written composition, the discussion after the presentations, and the reviews.

      Furthermore, compliance with the formal guidelines is vital (degradation of marks in case of non-compliance). Failing one part automatically leads to failing the whole seminar, and plagiarism in one part immediately leads to failing the seminar and will be reported to the audit committee.

      Feedback

      We are very interested in ongoing feedback so that we can respond directly to change requests. Please send your comments after a lecture via e-mail or the anonymous contact form of our research group (in the latter case please mention the lecture the comment refers to). Many thanks!