1st International IEEE Conference on Pervasive Services

Research Article

Mitigating Security Risks in Systems that Support Pervasive Services and Computing: Access-Driven Verification, Validation and Testing

  • @INPROCEEDINGS{10.1109/PERSER.2007.4283900,
        author={James D. Arthur and Richard E. Nance and Anil Bazaz and Osman Balci},
        title={Mitigating Security Risks in Systems that Support Pervasive Services and Computing: Access-Driven Verification, Validation and Testing},
        proceedings={1st International IEEE Conference on Pervasive Services},
        publisher={IEEE},
        proceedings_a={ICPS},
        year={2007},
        month={8},
        keywords={Constraints and Assumptions, Exploits, Pervasive Services, Process/Object Model, Security Risk, Testing, Validation, Verification, Vulnerabilities},
        doi={10.1109/PERSER.2007.4283900}
    }
    
  • James D. Arthur
    Richard E. Nance
    Anil Bazaz
    Osman Balci
    Year: 2007
    Mitigating Security Risks in Systems that Support Pervasive Services and Computing: Access-Driven Verification, Validation and Testing
    ICPS
    IEEE
    DOI: 10.1109/PERSER.2007.4283900
James D. Arthur¹,*, Richard E. Nance²,*, Anil Bazaz³,*, Osman Balci¹,*
  • 1: Department of Computer Science, Virginia Polytechnic Institute and State University (Virginia Tech)
  • 2: Orca Computer, Inc.
  • 3: Software Protection Platform Team, Microsoft Corporation
*Contact email: arthur@vt.edu, nance@vt.edu, abazaz@microsoft.com, balci@vt.edu

Abstract

Unique operational and environmental characteristics define pervasive services and computing; they, too, define an ideal atmosphere in which security risks flourish. Ever-present accessibility through the networked and wireless infrastructures, dependency on autonomous and often anonymous computing agents, and the ubiquitous nature of pervasive services make them both enticing and easy targets for ill-intentioned activities. To help mitigate that risk, we propose an adaptive, access-driven verification, validation and testing (VV&T) strategy that, through a Process/Object Model of Computation, (a) identifies those resources and software objects most susceptible to attack, (b) enumerates violable constraints and assumptions underlying those attacks, and (c) provides multi-level strategies incorporating resources, software objects, and constraints and assumptions to determine if, and to what extent, systems supporting pervasive computing are vulnerable to security exploits. The VV&T strategies are defined to accommodate various levels of access to the software development process and its artifacts.