Thursday, November 26, 2009

A paper is out: Impact Estimation using Data Flows over Attack Graphs

In October I presented a part of my work to measure the security of a network at the NordSec 2009 conference. You can find the paper here. Any feedback is welcome.

Abstract

We propose a novel approach to estimating the impact of an attack using a data model and an impact model on top of an attack graph. The data model describes how data flows between nodes in the network -- how it is copied and processed by softwares and hosts -- while the impact model models how exploitation of vulnerabilities affects the data flows with respect to the confidentiality, integrity and availability of the data. In addition, by assigning a loss value to a compromised data set, we can estimate the cost of a successful attack. We show that our algorithm not only subsumes the simple impact estimation used in the literature but also improves it by explicitly modeling loss value dependencies between network nodes. With our model, the operator will be able to use less time when comparing different security patches to a network.

Wednesday, November 25, 2009

Off to a new topic: JavaFX Script and bidirectional bindings

I did try JavaFX/F3 two years ago and what I liked at that time was the possibility to bind variables so that updates could be propagated back and forth (bidircetional) to GUIs without having to implement a lot of listeners and call functions. However, this does not seem to work as nicely anymore (Netbeans with JavaFX kit 1.7). Only unidirectional bindings seem to work. That means that developers still need to create function to handle updates. More on the subject of bidirectional bindings can be found here and here.

(Though, I suggested on the mailing list once that JavaFX should have different levels of access to variables in order to provide encapsulation that otherwise was missing, and that was actually added! I don't know if it was on my suggestion or from somebody else since nobody commented on my email, but I gladly accept the honor of introducing that mechanism to JavaFX :-). So everything is not that bad with JavaFX...).

Nevertheless, the binding does not work as it did. Although, there is a rather undocumented keyword "inverse" that in certain circumstances can be used to create a bidirectional binding. But, in order to get around the limitations of "inverse", I have come up with the solution shown below, that at least, provides a nice separation between the bidirectional updating from GUI to model and back again. The idea is to use a binding class that mediates the updates between a "StackEntry" and the GUI using the "replace" keyword.


import javafx.scene.control.TextBox;
import javafx.stage.Stage;
import javafx.scene.Scene;


class StackEntry {
var title: String = "first" ;
var notes: String = "";
}

class StackEntryBinding {
var entry:StackEntry = null on replace {
title = entry.title;
notes = entry.notes;
};

var title: String = entry.title on replace {
println("new title={title}");
entry.title = title;
};
var notes: String = entry.notes on replace {
println("new notes={notes}");
entry.notes = notes;
};


}

var entry = StackEntry {};
var currentEntry:StackEntryBinding = StackEntryBinding {
entry: bind entry;
};

def foo = currentEntry;

def input = TextBox {
text: bind foo.title with inverse;
}

println("textBox={input.text}");

currentEntry.title = "second";

println("textBox={input.text}");

foo.title = "third";

println("currentEntry.entry.title={currentEntry.entry.title}");

input.text="fourth";

println("foo.title={foo.title}");

entry = StackEntry {};

println("currentEntry.entry.title={currentEntry.entry.title}");
println("textBox={input.text}");

Stage {
scene:Scene {
content: input
}

}

// The resulting output looks like this:

new title=first
new notes=
textBox=first
new title=second
textBox=second
new title=third
currentEntry.entry.title=third
new title=fourth
foo.title=fourth
new title=first
currentEntry.entry.title=first
textBox=first