Towards forensic-ready software systems

Pasquale, Liliana; Alrajeh, Dalal; Peersman, Claudia; Tun, Thein Than; Nuseibeh, Bashar; Rashid, Awais

doi:10.1145/3183399.3183426

Cited by 26 publications

(24 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, this approach suggests collecting digital evidence from existing logs that are found in operating systems, networks, and intrusion detection systems, without considering logs generated by software systems. Pasquale et al [26] tailor the concept of forensic readiness to software engineering as a property that encapsulates the capabilities of the software to conduct digital forensic processes that maximize digital evidence [27] and produces evidence that satisfies the legal scrutiny in a court of law [28]. Alrajeh et al [19] define a framework for evidence preservation requirements of forensic-ready systems.…”

Section: Background and Related Workmentioning

confidence: 99%

“…This framework ensures that only the minimum amount of data that is relevant to detect a security incident is collected. This work [19], [26] represents a first step towards implementing forensic-ready software systems. However, more effort is necessary to guide the implementation of logging statements inside software systems, to support the detection and investigation of software misuses.…”

Section: Background and Related Workmentioning

confidence: 99%

“…The ChangeStatus is the other step described in the final UML sequence diagram which corresponds when the manager approves the travel request and it executes inside the HRM software system just one method: save (C). Additionally, to determine where to log and what to log, we consider the requirements to make forensic-ready systems defined by Pasquale et al [26]: a) Relevance: Data preserved proactively should be relevant to potential incident cases and able to support or refute hypotheses explaining how incidents occurred; b) Minimality: Data preserved proactively should be minimal and should not include any information that is unnecessary for an investigation. For our incident example, considering relevance and minimality to make our HRM software system forensic-ready, we determined that the convenient location in HRM software system ( Fig.…”

Section: Fig 2 General Overview Of Our Approachmentioning

confidence: 99%

See 2 more Smart Citations

Towards Automated Logging for Forensic-Ready Software Systems

Rivera-Ortiz

Pasquale

2019

2019 IEEE 27th International Requirements Engineering Conference Workshops (REW)

Self Cite

View full text Add to dashboard Cite

Security incidents can arise from the misuse of existing software systems. Thus, appropriate logging mechanisms should be implemented at the software level to support the detection and investigation of security incidents. However, due to insufficient logging, security incidents often go undetected for long periods. Moreover, even after a security incident is detected, there is not enough information to fully reconstruct how an incident occurred. Insufficient logging may be due to the limited security expertise of software developers, who may not know what are the most critical security incidents. Also, for large software systems and a multitude of potential misuse scenarios, it is cumbersome to identify when and what logging instructions should be implemented. In this paper, we propose a preliminary idea to automate the development of "forensic-ready" software systems. These systems can log a minimum amount of relevant data that can be used to detect and investigate potential security incidents. Our approach allows a security engineer to elicit a set of potential software misuse scenarios, expressed as annotated sequence diagrams. These diagrams are then used-together with a control flow graph of the software system-to identify the exact location where logging instructions should be placed and the information they should log. Finally, logging instructions can be injected into designated software system locations using Aspect-Oriented Programming. We illustrate our approach using an example of software misuse in a human resources management software system.

show abstract

Section: Background and Related Workmentioning

confidence: 99%

Section: Background and Related Workmentioning

confidence: 99%

Section: Fig 2 General Overview Of Our Approachmentioning

confidence: 99%

See 1 more Smart Citation

Towards Automated Logging for Forensic-Ready Software Systems

Rivera-Ortiz

Pasquale

2019

2019 IEEE 27th International Requirements Engineering Conference Workshops (REW)

Self Cite

View full text Add to dashboard Cite

show abstract

“…The usage of data provenance can apply to security settings and provide evidence in digital forensic investigation. More examples for providing reference and evidence traces for auditing and forensic usage are summarized in Wang and Daniels [158], Pasquale et al [128] and Zhu et al [166] which also show that the traceability, dependability and reproducibility characteristics of data provenance can greatly support forensic usage by providing a chain of evidence and accountable tracing functionality. In Zhou et al [165] and Lee et al [93], the authors also summarized some uses of data provenance for tracing what has happened and who is accountable for certain actions in a network and distributed environment.…”

Section: Security Application Of Provenancementioning

confidence: 99%

Analysing system behaviour by automatic benchmarking of system-level provenance

Chan

2019

Proceedings of the 20th International Middleware Conference Doctoral Symposium

View full text Add to dashboard Cite

When referring to this work, full bibliographic details including the author, title, awarding institution and date of the thesis must be given. I am extremely grateful to many people for their help in completing my PhD. In particular, I would like to thank the following people: Thank you to my supervisors James Cheney, David Aspinall and Pramod Bhatotia for their advice, criticism, help, patience, and giving me the chance to work as a PhD under their supervision. Thank you to Ashish Gehani, Hassaan Irshad and researchers in SRI International for the helpful discussions in early PhD. Another thank you to Ashish Gehani and Hassaan Irshad, together with Thomas Pasquier, Margo Seltzer, Lucian Carata, Ripduman Sohan and researchers of SPADE, OPUS and CamFlow for helping me to test the ProvMark tools on their provenance systems and support me in the publication for ProvMark. Thank you to Myrto Arapinis and Ajitha Rajan for providing valuable opinions in the year review meeting. Thank you to Ajitha Rajan and Adam Bates, examiners of my viva, for providing valuable comments and suggestions on my PhD project and thesis.

show abstract

“…Therefore, developers should implement logging functionalities in software systems that ensure that only key information [10] relevant to security incidents is collected. Logs generated by a software system can provide digital evidence [11] that can explain how an incident occurred [12] and can endure legal scrutiny in a court of law [13,14]. A system able to produce such evidence is so-called forensic-ready [15].…”

Section: Introductionmentioning

confidence: 99%

Automated modelling of security incidents to represent logging requirements in software systems

Rivera-Ortiz

Pasquale

2020

Proceedings of the 15th International Conference on Availability, Reliability and Security

Self Cite

View full text Add to dashboard Cite

In 2017 the Open Web Application Security Project (OWASP) has identified insufficient logging and monitoring as one of the top ten security risks. Attackers can exploit insufficient logging in software systems to cause harm to an organisation while being undetected for long periods of time. Therefore, software systems used within an organisation should perform logging to collect data relevant to detect and/or diagnose potential security incidents. However, when implementing logging functionalities, software developers either do not log enough information or log too much information. In this paper, we provide an approach to help developers decide where to log and what to log for security purposes. Our approach allows a security engineer to replay potential security incidents on an instrumented version of the software system and generate automatically a model of such incidents. These are represented as a UML sequence diagram that contains the relevant method invocations occurring during and incident, without providing a representation of the entire software behaviour. Because our model refers to concrete system components, it provides immediate guidance to developers about what methods execution should be logged for security purposes.

show abstract

Towards forensic-ready software systems

Cited by 26 publications

References 21 publications

Towards Automated Logging for Forensic-Ready Software Systems

Towards Automated Logging for Forensic-Ready Software Systems

Analysing system behaviour by automatic benchmarking of system-level provenance

Automated modelling of security incidents to represent logging requirements in software systems

Contact Info

Product

Resources

About