Eleventh International Conference on Information Systems Security
(ICISS 2015)
16-20 December 2015, Jadavpur University, Kolkata, India

Proceedings being published as LNCS 9478

Title: Cloud Security: A Cryptographic Approach



Sushmita Ruj, Indian Statistical Institute, Kolkata, India

Length: 3 hours



Clouds are increasingly being used to store personal and sensitive information such as health records and important documents. We address the problem of storing sensitive information in the cloud so that the cloud service provider cannot tamper with the stored data. We will address two problems: access control of stored data, and auditing data stored in untrusted cloud servers for integrity verification. We will discuss cryptographic solutions to each of these problems. The purpose of this tutorial is to expose the audience to the threats posed by untrusted cloud servers and to the cryptographic solutions that mitigate these attacks. We will look into practical ways of solving problems in cloud security, covering both theory and implementation. Along the way we will look into a case study from healthcare and at security in mobile cloud computing. Many open problems and future directions of work will be discussed.


Title: Common Criteria - a tool to get assurance on an IT security product

Subhendu Das, Common Criteria Test Laboratory, ERTL(E), STQC, DeitY, Govt. of India, Kolkata

It is necessary that the user of an IT product has the requisite level of trust and confidence in the security services offered by the product. Additionally, an IT product offering security functionality should have sufficient self-protection and resilience against external attacks from its operational environment. To achieve this, it is necessary not only to evaluate the security functionalities of the product but also to assess how well those functionalities have been defined, designed and implemented. The Common Criteria standard is the outcome of a series of efforts to develop criteria for the evaluation of IT security that are broadly useful within the international community. Common Criteria is an internationally recognized standard for the evaluation of the security of IT products. It is a highly prescriptive framework in which users can specify their security requirements, vendors can make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine whether the claims made by the vendors are actually realized in the system. The ISO community has also adopted the Common Criteria standard as ISO 15408. In order to realize the benefits that use of the CC offers, it is essential that practitioners fully understand the CC concepts of IT security, the approach for specifying them, and the methodology for their assessment. ERTL (E), Kolkata, as of today, is the only laboratory in the country engaged in the evaluation of IT products according to the Common Criteria standard. In this tutorial, the delegates will get acquainted with the Common Criteria standard and its use in defining as well as in evaluating the security requirements of a product.


Title: Program Analysis and Reasoning for Hard to Detect Software Vulnerabilities

Suresh C. Kothari, Iowa State University, USA

Software is everywhere and so are software vulnerabilities, affecting individuals, companies and nations. Deliberately planted software vulnerabilities ("malware") have ravaged nuclear reactors, and unintended software vulnerabilities ("bugs") have recently caused all American Airlines planes to be grounded for hours. Software vulnerabilities elude regression testing because their occurrence often depends on intricate sequences of low-probability events. The alternatives, such as completely automated program analysis and/or formal verification, are riddled with intractable problems that pose practical barriers to achieving scalability and accuracy. This tutorial is aimed at an audience interested in learning about sophisticated software vulnerabilities with dire consequences, and about a novel practical approach to detect them. We will present a rigorous framework that integrates automated program analysis and human reasoning. We will demonstrate a suite of supporting tools with unique capabilities that enable human analysts to quickly identify and understand the relevant parts of large software, gather evidence, and perform reasoning experiments in order to discover sophisticated vulnerabilities. This tutorial is based on our research with three Defense Advanced Research Projects Agency (DARPA) projects and our practical experience of applying the research. Discovering sophisticated vulnerabilities in large software is like finding a needle in a haystack without knowing what the needle looks like. About 50% of the tutorial will be demonstrations that elaborate the process of discovering vulnerabilities and validating large software. The representative examples will pertain to reliability issues in operating system kernels and sophisticated malware attacks through Android apps.

Title: Secure Multi-party Computation

Ashish Choudhury
International Institute of Information Technology, Bangalore, India

Secure multi-party computation (MPC) is one of the fundamental problems in distributed cryptography. In a nutshell, an MPC protocol allows a set of n mutually distrusting parties with private inputs to jointly compute an agreed-upon function of their inputs while keeping the inputs as private as possible. The problem was first formulated by Yao in the two-party setting in his seminal work and later generalized to the n-party setting by other researchers. The MPC problem abstracts any secure distributed computing task, such as secure e-voting, secure e-auction, privacy-preserving data mining, etc. Over the past three decades it has been one of the most widely studied research topics in cryptography, and several interesting results have been achieved, dealing with the synchronous communication setting, the asynchronous communication setting, tolerating threshold and non-threshold adversaries, adaptive corruption, providing conditional and unconditional security, and with and without robustness. Applied MPC has also received tremendous attention in the recent past. The aim of this tutorial is to give an introduction to this exciting and fundamental area of research. Protocols for the two-party setting and the multi-party setting will be discussed in detail.



SRISP © All Rights Reserved