Title :
SN2K Attacks and Honest Services
Author_Institution :
Dept. of Comput. Sci., Purdue Univ., West Lafayette, IN, USA
Abstract :
In this paper, we define and illustrate a new form of attack in the context of software services: the software-based need-to-know (SN2K) attack. SN2K attacks can be carried out by a dishonest provider of a software service so that it can maliciously gain access to sensitive information, even if the service does not need to know such data in order to compute the functionalities it offers. We prove that it is generally undecidable to detect whether a given implementation of a service is dishonest, i.e., whether it implements an SN2K attack. A certification scheme for honest services is also proposed; our scheme relies on program slicing and certain other aspects of static program analysis.
Keywords :
digital signatures; program diagnostics; SN2K attack; certification scheme; digital signature technique; honest service; malicious service provider; program slicing; software-based need-to-know attack; static program analysis; Application software; Certification; Computer applications; Computer crime; Computer science; Context-aware services; Data privacy; Data security; Information security; Mobile computing; Certification; Honest Services; Least-privilege Principle; Need-to-Know; Program Analysis; Slicing; Undecidability;
Conference_Titel :
Computer Software and Applications Conference, 2009. COMPSAC '09. 33rd Annual IEEE International
Conference_Location :
Seattle, WA
Print_ISBN :
978-0-7695-3726-9
DOI :
10.1109/COMPSAC.2009.174