Hardening Systems Against Data Corruption Attacks at Design Time

  • Conference paper
Foundations and Practice of Security (FPS 2023)

Abstract

Despite advancements in security research, systems continue to be susceptible to all kinds of threats. To better support designers, we present a method and tool called Dubhe that can be employed during the design phase of development to harden systems against data corruption attacks. We highlight the benefits of this approach by applying it to an online seller of merchandise system to analyze various “what-if” scenarios with different defence objectives. Using our approach, Dubhe (1) analyzes the XML form of UML activity diagrams created to define the behavioural view of the system, (2) determines optimal locations for data sanitization using novel protection techniques and activity centrality concepts, and (3) communicates the results to the designers so that they can incorporate the suggestions back into their system designs. This example application of Dubhe shows that our approach can provide valuable security advice to designers to ensure that their systems are designed with protection against data corruption attacks, using only artifacts that designers would normally create during the design phase.

Notes

  1. Dubhe is a star in the Ursa Major constellation. It is commonly referred to as a “pointer star” as it helps find Polaris, also known as the North Star.

Acknowledgements

This research is supported by the Natural Sciences and Engineering Research Council of Canada (NSERC) grant RGPIN-2019-06306.

Author information

Corresponding author

Correspondence to John Breton.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Breton, J., Jaskolka, J., Yee, G.O.M. (2024). Hardening Systems Against Data Corruption Attacks at Design Time. In: Mosbah, M., Sèdes, F., Tawbi, N., Ahmed, T., Boulahia-Cuppens, N., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2023. Lecture Notes in Computer Science, vol 14551. Springer, Cham. https://doi.org/10.1007/978-3-031-57537-2_24

  • DOI: https://doi.org/10.1007/978-3-031-57537-2_24

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-57536-5

  • Online ISBN: 978-3-031-57537-2

  • eBook Packages: Computer Science (R0)
