Information security research at ADIT
ADIT's research focuses on getting the right information to the right people at the right time. Information security is an important part of this aim: for a system to be trusted, it must also be secure.
Our current research is focused on software security. We have recently concluded two VINNOVA-funded projects in the area, are the coordinators of the SHIELDS EU project, and have recently started FORTIS, which addresses security, both during development and at run-time, in automotive software systems.
We work extensively with external partners. Our current partners include Ericsson, Saab, Combitech, Sectra Communications, and the Swedish Defence Research Agency (FOI). We are co-founders of the iTRUST information security competence center and of RBB, the newly established resource center for crime prevention, at Linköpings universitet.
The security and networks group is led by ADIT division leader Professor Nahid Shahmehri.
The main objective of SHIELDS is to increase software security by bridging the gap between security experts and software practitioners, and by providing software developers with the means to effectively prevent occurrences of known vulnerabilities when building software.
Additional information is available on the SHIELDS project website.
This project deals with the development of design techniques for fault-tolerant and secure embedded systems for automotive applications.
The research conducted at ADIT addresses two security aspects: how to prevent the introduction of security vulnerabilities in automotive software, and how to handle security failures at run-time.
By creating a software security meta-process, we are developing the tools that software developers need to continuously improve their development processes, in order to prevent vulnerabilities from being introduced into the software they develop. Our approach differs from conventional approaches in that we do not prescribe a set of practices. Instead, our approach helps each user determine which practices they need.
Technical solutions and devices that operate on the internet will use largely standardized hardware, and a dominant portion of their cost will be related to software development and software licenses. Attacks on standard hardware are rather easy. Companies must therefore improve the protection of their software investments against unauthorized use and reverse engineering of their products. One important ingredient in achieving this protection is a trusted platform.
The purpose of this project is to develop a spam protection system that is distributed, open source, and lacks centralized control. Our hypothesis is that it is possible to exploit data from multiple network nodes to detect spam and spam sources faster and more accurately than can be done on a single node. There are commercial systems that operate this way, but they are closed and have a central point of failure (perhaps not from a technical perspective, but certainly from a business perspective). By exploiting recent advances in trust management, including our own results, it should be possible to create a completely decentralized system.
Investigation of security-related incidents often requires a forensic examination of data storage devices to recover deleted and fragmentary data files. Today's forensic tools perform well with respect to deleted files, but poorly when faced with fragmentary data. Our research in this area aims to devise tools and methods capable of finding and extracting fragmentary image data and image metadata, based on the statistical properties of the data.
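As an added example, not code from the ADIT project, the following Python carver labels the sectors of a constructed disk image using two properties of JPEG data: the SOI marker (0xFF 0xD8 0xFF) identifies headers, and for headerless fragments it combines high byte entropy with JPEG byte stuffing (inside an entropy-coded scan, every 0xFF is followed by 0x00 or a restart marker 0xD0..0xD7). The sector size, the 6.5 bits/byte threshold and the four-sector sample image are assumptions for illustration.

```python
import math

SECTOR = 512  # assumed sector size


def entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 .. 8.0)."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def ff_stuffing_ok(block: bytes) -> bool:
    """Structural test for JPEG scan data: every 0xFF must be followed by a
    stuffed 0x00 or a restart marker 0xD0..0xD7. Any other byte after 0xFF
    rules the block out. A trailing 0xFF cannot be judged here and is allowed."""
    i, n = 0, len(block)
    while i < n:
        if block[i] == 0xFF:
            if i + 1 == n:
                break
            nxt = block[i + 1]
            if nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                return False
            i += 2
        else:
            i += 1
    return True


def classify_sector(block: bytes, min_entropy: float = 6.5) -> str:
    """'jpeg-header' if the sector starts with SOI, 'jpeg-fragment' if it is
    high-entropy data that obeys byte stuffing (a headerless piece of a scan),
    otherwise 'other'. The threshold is an assumed tuning value."""
    if block.startswith(b"\xff\xd8\xff"):
        return "jpeg-header"
    if entropy(block) >= min_entropy and ff_stuffing_ok(block):
        return "jpeg-fragment"
    return "other"


def carve(image: bytes, sector: int = SECTOR):
    """Scan an image sector by sector and return [(offset, label), ...]."""
    return [(off, classify_sector(image[off:off + sector]))
            for off in range(0, len(image), sector)]


def build_sample_image() -> bytes:
    """Constructed four-sector image (not real evidence):
    sector 0: ASCII text; sector 1: JPEG header (SOI + JFIF APP0 segment);
    sector 2: headerless high-entropy data that obeys byte stuffing
    (0xFF is always followed by 0x00); sector 3: high-entropy data that
    violates it (0xFF followed by 0xFE)."""
    text = (b"Meeting notes: review the imaging procedure before Friday. " * 20)[:SECTOR]
    header = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\x00" * SECTOR)[:SECTOR]
    stuffed = bytes(range(256)) * 2
    unstuffed = bytes(range(255, -1, -1)) * 2
    return text + header + stuffed + unstuffed


if __name__ == "__main__":
    for off, label in carve(build_sample_image()):
        print(f"sector at {off:6d}: {label}")
```

The stuffing rule is the structural half of the test; the entropy threshold is what separates compressed image data from text and sparse metadata, and a real carver would calibrate it on known-good scans, track the EOI marker (0xFF 0xD9) to delimit fragment runs, and then try to reassemble adjacent fragments in order.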
Disk imaging tools, tools that create copies of hard drives or other storage media, are the foundation of forensic examination of digital evidence. It is critical that the tools create copies that are complete and accurate, and that they do not alter the source evidence. EnCase 6.8 and LinEn 6.1 are two tools from Guidance Software that are used by Swedish law enforcement to create forensically sound copies of evidence. On behalf of the Swedish National Laboratory of Forensic Science we have evaluated the disk imaging functionality of both tools in a thorough and systematic way.
Secure e-services have long been a research theme at ADIT. E-services that run on, e.g., home gateways have posed many challenges for security research. The software that implements a service is not fully trusted: its access to data must be limited to the data it is authorized for; its resource consumption must be limited to protect other services; and it must be delivered securely. Data accessed or generated by e-services must likewise be protected. Our work on e-services, much of it in collaboration with e-service platform providers, has covered most of these aspects.
Usability is a key aspect of security mechanisms. We are currently working on usability issues related to the configuration of run-time security policies. We are developing the tool JPerm for setting up Java security policies at run-time, in order to study user behavior and to test possibilities for supporting users when they are confronted with security alerts. This work is motivated by our previous work on secure execution environments for e-services.
As part of our home automation project with Ericsson, we have explored issues related to secure execution of potentially untrusted services. Our initial work in this area focused on the Java sandbox and resource control for e.g. threaded applications. During this process, we discovered the need for fine-grained usable run-time security policies.
In this project we studied tradeoffs between efficiency and security in group key management for multicast communication. Efficiency is judged in terms of group rekeying and key storage cost; security is judged in terms of backward secrecy, forward secrecy and resistance to collusion. Group key management schemes that support fine-tuning the tradeoff between security and efficiency can be used in a wide range of applications, and have the ability to adapt to e.g. changes in number of peers or security requirements.
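The following Python simulation is an added example, not the project's own scheme, of one point on this tradeoff: a binary logical key hierarchy (LKH) in which a key server evicts a member and rekeys, compared with a flat scheme that shares one pairwise key with each member. The key wrap (an HMAC-SHA256 pad XORed with the key), the random 32-byte keys and the group size are assumptions standing in for real primitives and a real group.

```python
"""LKH rekeying simulation. A key server holds a binary key tree; each member
holds the keys on its leaf-to-root path; the root key is the group key.
Toy primitives (assumed, not a real protocol): 32-byte random keys and an
HMAC-SHA256 pad used as an XOR key wrap in place of an authenticated key wrap."""
import hashlib
import hmac
import os

KEY_LEN = 32


def wrap(kek: bytes, key: bytes) -> bytes:
    """Toy key wrap: XOR the key with a pad derived from the wrapping key."""
    pad = hmac.new(kek, b"lkh-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pad, key))


unwrap = wrap  # XOR with the same pad is its own inverse


class KeyServer:
    """Key tree in heap layout: root = 1, children of i are 2i and 2i+1,
    leaf n+m belongs to member m (n must be a power of two)."""

    def __init__(self, n: int):
        assert n >= 2 and n & (n - 1) == 0, "n must be a power of two"
        self.n = n
        self.keys = {i: os.urandom(KEY_LEN) for i in range(1, 2 * n)}
        self.members = set(range(n))

    @staticmethod
    def path(leaf: int):
        """Ancestors of a leaf, bottom-up, ending at the root."""
        nodes = []
        while leaf > 1:
            leaf //= 2
            nodes.append(leaf)
        return nodes

    def member_keys(self, m: int) -> dict:
        """What member m holds: its leaf key plus every key on its path."""
        leaf = self.n + m
        return {i: self.keys[i] for i in [leaf] + self.path(leaf)}

    def _occupied(self, node: int) -> bool:
        """True if some current member's leaf lies in the subtree under node."""
        lo = hi = node
        while lo < self.n:                       # descend to the leaf range
            lo, hi = 2 * lo, 2 * hi + 1
        return any(lo <= self.n + m <= hi for m in self.members)

    def leave(self, m: int):
        """Evict member m: every key it knew (its path) is replaced. Each new key
        is wrapped for the children of its node that still contain members, so
        the messages are ordered bottom-up and cost 2*log2(n)-1 instead of n-1."""
        leaf = self.n + m
        self.members.discard(m)
        del self.keys[leaf]                      # the slot's key is never reused
        msgs = []
        for p in self.path(leaf):
            new = os.urandom(KEY_LEN)
            for c in (2 * p, 2 * p + 1):
                if not self._occupied(c):
                    continue                     # no message the leaver could read
                msgs.append((p, c, wrap(self.keys[c], new)))
            self.keys[p] = new                   # the node above wraps under the fresh key
        return msgs


def apply_rekey(held: dict, msgs) -> dict:
    """Member side: unwrap every message wrapped under a key it holds, in order.
    A real protocol authenticates these messages; without that, a stale key
    silently yields garbage, which is exactly what the evicted member gets."""
    held = dict(held)
    for node, under, ct in msgs:
        if under in held:
            held[node] = unwrap(held[under], ct)
    return held


def leave_cost(n: int) -> dict:
    """Rekey messages and keys per member for one eviction: binary LKH versus a
    flat scheme with one pairwise key per member plus the group key."""
    h = n.bit_length() - 1                       # log2(n)
    return {"lkh_messages": 2 * h - 1, "lkh_keys_per_member": h + 1,
            "flat_messages": n - 1, "flat_keys_per_member": 2}


if __name__ == "__main__":
    srv = KeyServer(8)
    held = {m: srv.member_keys(m) for m in range(8)}
    msgs = srv.leave(3)
    for m in range(8):
        view = apply_rekey(held[m], msgs)
        status = "evicted" if m not in srv.members else "member "
        print(m, status, "holds group key" if view[1] == srv.keys[1] else "does NOT hold group key")
    print(len(msgs), "rekey messages;", leave_cost(8))
```

The eviction shows forward secrecy: every key the evicted member ever held is replaced, and each replacement is wrapped only under keys of subtrees that still contain members, which the evicted member never held; two evicted members pooling their old keys gain nothing for the same reason. A join is handled symmetrically (the server refreshes the path to the new leaf before handing it out) to give backward secrecy, and the cost function makes the tradeoff explicit: per eviction, LKH sends 2*log2(n)-1 messages and stores log2(n)+1 keys per member, against n-1 messages and 2 keys for the flat scheme.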
E-service delivery is the starting point in e-service software management. It is the functional foundation for performing further software management tasks, e.g. installation, configuration, activation, and so on. This project focused on how to deliver e-service software to a large number of geographically distributed end users. Emphasis was placed on issues of efficiency, scalability, and security.
Digital Rights Management (DRM) technology is typically concerned with protecting the rights of the publisher, often at the expense of the consumer. In this project, we developed a prototype DRM technology that protected consumer rights, such as fair use and the principle of first sale, while also protecting the publisher's rights.
The main objective of ShareIT was to develop an end-to-end system that enables easy access to, and transfer of, personal content between local storage devices using home-to-home networks. An important goal was to contribute to, and promote adherence to standards such as TV Anytime and DVB, in order to enable interoperability between different content and service providers.
Incident prevention and response
Projects related to preventing and handling security incidents.
Role-based access control (RBAC) is an efficient way of organizing access control information, both from an administrative and system architectural point of view. To benefit from the advantages in a distributed system, several building blocks are necessary. We need a distributed infrastructure that can enforce access control and allows applications to communicate securely. Within this infrastructure, roles and access rights must be managed efficiently. To protect existing investments we must cater for legacy systems and demonstrate how existing applications can be integrated into the distributed infrastructure.
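As an added example, not ADIT's infrastructure, the Python class below implements the core of such a policy point: roles carry (action, resource) permissions, a senior role inherits from its juniors, a static separation-of-duty constraint is enforced at assignment time over the inherited closure, and unknown users, roles and permissions are denied by default. The role, user and resource names are illustrative.

```python
class RbacPolicy:
    """Core RBAC with a role hierarchy and static separation of duty (SSD).
    Users get permissions only through roles; a senior role inherits every
    permission of its juniors; mutually exclusive roles cannot be co-assigned."""

    def __init__(self):
        self.role_perms = {}   # role -> {(action, resource)}
        self.juniors = {}      # role -> {roles it inherits from}
        self.user_roles = {}   # user -> {directly assigned roles}
        self.exclusive = []    # list of frozensets; at most one per user

    def add_role(self, role, *, inherits=()):
        self.role_perms.setdefault(role, set())
        self.juniors.setdefault(role, set()).update(inherits)
        for junior in inherits:
            self.add_role(junior)

    def grant(self, role, action, resource):
        self.add_role(role)
        self.role_perms[role].add((action, resource))

    def add_exclusive(self, *roles):
        self.exclusive.append(frozenset(roles))

    def effective_roles(self, roles):
        """Transitive closure of the hierarchy over a set of roles (cycle-safe)."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            stack.extend(self.juniors.get(r, ()))
        return seen

    def assign(self, user, role):
        """Assign a role, refusing it if the user's inherited closure would then
        contain two members of an exclusive set (a senior role counts as holding
        its juniors, so the check cannot be bypassed by assigning the parent)."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        would_hold = self.effective_roles(self.user_roles.get(user, set()) | {role})
        for group in self.exclusive:
            if len(group & would_hold) > 1:
                raise PermissionError(f"{user}: {role} conflicts with {sorted(group & would_hold)}")
        self.user_roles.setdefault(user, set()).add(role)

    def permitted(self, user, action, resource) -> bool:
        """Default deny: unknown users, roles and permissions all yield False."""
        for r in self.effective_roles(self.user_roles.get(user, set())):
            if (action, resource) in self.role_perms.get(r, ()):
                return True
        return False


def assignment_allowed(policy: RbacPolicy, user, role) -> bool:
    """Dry-run helper: report whether assign() would be accepted."""
    try:
        policy.assign(user, role)
    except (KeyError, PermissionError):
        return False
    return True


def build_example_policy() -> RbacPolicy:
    """Illustrative organisation: employee < engineer < release-manager, plus an
    auditor role that must never be combined with engineering roles."""
    p = RbacPolicy()
    p.grant("employee", "read", "intranet")
    p.grant("engineer", "write", "source-repo")
    p.grant("release-manager", "deploy", "production")
    p.grant("auditor", "read", "audit-log")
    p.add_role("engineer", inherits=("employee",))
    p.add_role("release-manager", inherits=("engineer",))
    p.add_exclusive("engineer", "auditor")   # SSD: code authors do not audit their own code
    p.assign("alice", "release-manager")
    p.assign("bob", "auditor")
    return p


if __name__ == "__main__":
    policy = build_example_policy()
    for user, action, resource in [("alice", "read", "intranet"), ("alice", "read", "audit-log"),
                                   ("bob", "write", "source-repo"), ("mallory", "read", "intranet")]:
        print(user, action, resource, "->", "allow" if policy.permitted(user, action, resource) else "deny")
    print("bob as release-manager:", assignment_allowed(policy, "bob", "release-manager"))
```

In a distributed deployment this class is the policy decision point; the enforcement points in front of each application (including wrappers around legacy applications) call permitted() over an authenticated channel and never see raw role data, so role and permission changes are made in one place and take effect everywhere.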
Page responsible: Nahid Shahmehri
Last updated: 2009-06-21