WESPr-18: The International Workshop on Evidence-based Security and Privacy in the Wild 2018

Nara Kasugano International Forum “IRAKA”, December 4, 2018, in conjunction with APSEC 2018 in Nara, Japan

Online proceedings for workshop participants are now available.

The APSEC 2018 workshops WESPr, iMLSE, QuASoQ and WISE will have a joint social gathering. Please register by *December 1st AoE* at http://bit.ly/2RgQFmS if you wish to join. 40-60 people are expected.

We are delighted to announce that Emiliano Tramontana will present an invited talk titled “Developing Secure and Privacy-Preserving Applications”, Eduardo B. Fernandez will present a mini-tutorial titled “Evaluating the degree of security of a system built using security patterns”, and Kenji Taguchi will present an invited talk titled “Safety and Security Co-engineering – A new emerging discipline for safe and secure system development –”.

[Workshop Program] (TBD)

9:30-9:45 Opening

9:45-10:30 Invited Talk 1:
Safety and Security Co-engineering – A new emerging discipline for safe and secure system development –
Kenji Taguchi (CAV Technologies, Co. Ltd.)

11:00-12:30 Paper 1
Using a variety of patterns in a secure software development methodology
Eduardo B. Fernandez and Nobukazu Yoshioka

An Assurance Case Approach for Software Code Security
Ryota Miyabayashi, Noritoshi Atsumi, Shuji Morisaki and Shuichiro Yamamoto

Restructuring Attack Trees to Identify Incorrect or Missing Relationships between Nodes
Cai Hua, Hironori Washizaki, Yoshiaki Fukazawa, Takao Okubo, Kaiya Haruhiko and Yoshioka Nobukazu

14:00-14:45 Mini-tutorial
Evaluating the degree of security of a system built using security patterns
Eduardo B. Fernandez (Florida Atlantic University)

14:45-15:15 Paper 2 and Discussion
Threat analysis using STRIDE with STAMP/STPA
Tomoko Kaneko, Yuji Takahashi, Takao Okubo and Ryoichi Sasaki

16:00-16:45 Invited Talk 2
Developing Secure and Privacy-Preserving Applications
Emiliano Tramontana (Università di Catania)

16:45-17:30 Discussion and Closing

18:30- Social gathering

[Invited Talk and Mini-Tutorial]

Invited Talk: Safety and Security Co-engineering – A new emerging discipline for safe and secure system development –
Kenji Taguchi (CAV Technologies, Co. Ltd.)

Many industrial sectors that manufacture safety-intensive systems (e.g., automotive, railway) now face technical challenges in integrating and harmonizing critical safety and security issues in their systems. After the Stuxnet incident, any safety-intensive system, even one not linked to any network, is under imminent threat from security vulnerabilities. We can say that any safety-related hazardous event (such as a car crash or derailment) could be caused by hardware/software failures and/or malicious attacks, so we need to identify and analyze potential hazards and/or threats, their combinations and their associated risks in a systematic way, and build new system development and assurance frameworks that ensure both safety and security in a harmonized way. This talk gives an overview of some basic issues in safety and security integration and touches on hazard/threat analyses and process integration in the system lifecycle.

Mini-tutorial: Evaluating the degree of security of a system built using security patterns
Eduardo B. Fernandez (Florida Atlantic University)

A variety of methodologies to build secure systems have been proposed. However, most of them do not say much about how to evaluate the degree of security of the final system. This makes it difficult to compare secure development approaches, and if one adopts one of these approaches, it is hard to improve its security level. We have proposed a secure systems development methodology that uses security patterns. We present a way to demonstrate that a system built according to this methodology (or another methodology using patterns) is secure. We first give a summary of security patterns and of our methodology and then propose a metric for security for systems that have been built using patterns. We consider the use of threat enumeration and misuse patterns to perform this evaluation and we indicate how to take advantage of the Twin Peaks approach to arrive at a refined measure of security.

Eduardo B. Fernandez (Eduardo Fernandez-Buglioni) is a professor in the Department of Computer Science and Engineering at Florida Atlantic University in Boca Raton, Florida, USA. He has published numerous papers on authorization models, object-oriented analysis and design, cloud computing, and security patterns. He has written four books on these subjects, the most recent being a book on security patterns; he is now working on a book on Cloud and IoT security patterns. He has lectured all over the world at both academic and industrial meetings. He has created and taught several graduate and undergraduate courses and industrial tutorials. His current interests include security patterns, cloud computing security, and cyber-physical systems security and safety, including IoT. He holds an MS degree in Electrical Engineering from Purdue University and a Ph.D. in Computer Science from UCLA. He is a Senior Member of the IEEE and a Member of ACM. He is an active consultant for industry, including assignments with IBM, Allied Signal, Panasonic, Motorola, Lucent, Huawei, and others. More information: http://faculty.eng.fau.edu/fernande

Invited Talk: Developing Secure and Privacy-Preserving Applications
Emiliano Tramontana (Università di Catania)

Generally, as users we trust services and applications and assume that personal data remain confidential within our personal mobile devices. We mostly believe that applications would not disclose data outside of our device unless permission is asked. Moreover, we assume benevolent behaviour of service providers on the server side. Unexpectedly for most, there are many scenarios in which some personal data have been unknowingly collected by means of several mechanisms and attacks. Some seemingly innocuous mechanisms will be revealed that have played a part in performing data gathering. Best practices and patterns, as well as other state-of-the-art countermeasures, can help reduce data disclosure when they have been adopted to develop secure applications. Moreover, further code analyses can be helpful to assist developers in detecting whether all the desired security requirements have been properly put into place.

[Workshop Abstract]

Cloud computing has led to a global shift in the computing world, and the paradigm itself is evolving as new functions or technologies become available. Intelligent and interactive environments like the Internet of Things (IoT) have found application in various domains. Billions of smart devices are connected to the internet and are producing huge amounts of data, increasing both the complexity and the uncertainty of humans, physical objects and machine-learning modules, especially regarding security and privacy, which we should manage. We need to tackle such security and privacy difficulties for complex systems in an uncertain world in a dependable way, such as with evidence from model-based reasoning, argumentation, traceability and/or big data. Security evidence makes a system trusted and dependable in the big data era.

This workshop aims to bring together researchers and practitioners in the areas of evidence-based modelling, security patterns, reasoning, argumentation, traceability, and forensics in big data for secure and privacy-aware software development for complex and uncertain systems to exchange ideas and preliminary results. In particular, we would like to discuss how to utilize security evidence in security engineering at the workshop.

The objective of the workshop is to reveal (1) important problems to be tackled for security and privacy in complex and uncertain systems and (2) research challenges, through presentations and discussion. Topics include security and privacy models; pattern-based security and privacy modelling; knowledge bases for secure and/or privacy-aware software development; reasoning, argumentation, traceability and forensics in big data; security and privacy modelling and reasoning tools; and experiences in secure and/or privacy-aware software development.

Topics of interest include, but are not limited to:

  • Secure architecture models and modelling for IoT, Cloud or Fog computing,
  • Reasoning and Argumentation on Security and/or Privacy models,
  • Pattern-based security and privacy modelling for IoT and Cloud computing,
  • Knowledge base for secure and/or privacy-aware software development for uncertain systems,
  • Privacy-aware requirements models and modelling in a smart city,
  • Privacy-aware architecture models and modelling in uncertain environments,
  • Modelling tool for secure and privacy-aware software development for Cloud and Fog computing, or
  • Experiences for secure and/or privacy-aware software development with IoT.

Call for Papers

[Important Dates]

Submissions due: Oct. 5, 2018, 11:59 PM AoE (extended from Sep. 25, 2018, 11:59 PM AoE)
Paper Notification: Oct. 22, 2018 (originally Oct. 15)
Camera Ready due: Nov. 5, 2018 (originally Nov. 1)

[Submission and Publication]

We will have the following four types of submissions:

  1. Research Full papers, reporting innovative and original research. Full papers are limited to 8 pages.
  2. Industrial Full papers, presenting experience reports, industrial case studies, experiments, and experiences in practices showing important problems or useful knowledge for workshop attendees. Full papers are limited to 8 pages.
  3. Position papers and future-trends papers, describing ongoing research, new results, and future emerging trends either in practice or in theory. This type of submission is limited to 4 pages.
  4. Tool demos from academic or industrial environments. Demo papers should include a link to the demo material and are limited to 4 pages.

Every paper submission will be peer-reviewed. Emphasis will be placed on originality, usefulness, practicality, and/or new problems to be tackled. Papers must be of good overall quality and must not have been previously published or be currently submitted elsewhere. If accepted, the paper must be presented as both an oral talk and a poster at the workshop by one of the authors. Workshop paper submissions must be in English and conform to the IEEE Dual Column format. Accepted papers will be published in CEUR-WS, which is indexed by DBLP.

Submission site: Please submit your paper via EasyChair.

[Workshop organizers]

Nobukazu Yoshioka, National Institute of Informatics, Japan
Hironori Washizaki, Waseda University / National Institute of Informatics / SYSTEM INFORMATION / eXmotion, Japan
Eduardo B. Fernandez, Florida Atlantic University, USA
Shuichiro Yamamoto, Nagoya University, Japan
Tomoko Kaneko, Information-technology Promotion Agency, Japan

[Program committee]

Takao Okubo, Institute of Information Security, Japan
Shinpei Ogata, Shinshu University, Japan
Haruhiko Kaiya, Kanagawa University, Japan
Atsuo Hazeyama, Tokyo Gakugei University, Japan