Foundation of security

Maintaining security is an ongoing challenge due to the ever-changing scenarios in which software is deployed. Data is used and shared in increasingly complex ways, which legal frameworks lack means for adequately describing and regulating, which existing software technology is inadequate for dealing with securely, and which existing cryptographic techniques cannot sufficiently protect. As software becomes more deeply embedded in devices around the home, the office, and in society at large, and, at the other end of the spectrum, as large scale applications are deployed on clouds owned and maintained by third parties, the opportunities for attackers increases. Modern software typically contains of third party extensions and is deployed in an open and hostile environment. It remains a challenge to develop robust software platforms that balance the tension between allowing useful software extensions that can access system resources, and protecting the system itself from abuse. At present we lack fundamental understanding of the requirements and demands of such platforms. While technological solutions are essential to ameliorate the daily onslaught of attackers, more foundational approaches are required to develop more broad-scale and enduring protection.The first component of this research will establish an appropriate regulatory framework. Security policies are implicitly or explicitly expected from the regulatory framework applicable to the context for which the software is developed (e.g. access to medical data in an e-health context, access to fiscal data in an e-government context, etc.). Non-respect of the policies should bring about liability claims or generate criminal sanctions. Yet the role of regulatory mechanisms in the formulation and enforcement of security policies is still very unclear. Foundational models are required to make precise the role of regulation as a trust building instrument.The second component of this research will be into foundational approaches to secure software based on formal models of security policies and software platforms. In light of the proliferation of different deployment scenarios, such as cloud computing, embedded mobile devices, and web applications, existing security approaches are inadequate and new fundamental understanding of the new attacks that emerge in these settings and of possible countermeasures is required. Foundational models are required to provide precise semantics for security policy languages in order to verify that programs satisfy the desired policy in these diverse settings. Software tools are required to support the compliance of software to security policies. A third component of this research will be advanced cryptographic techniques. Cryptology is the science that studies mathematical techniques in order to provide secrecy, authenticity and related properties for digital information. Cryptology is a fundamental enabler for security, privacy and dependability in the Information Society. Cryptographic techniques can be found at the core of computer and network security, of digital identification and digital signatures, digital rights management systems, content retrieval, tamper detection, etc.ICRI mainly focuses on the first objective, where it performs research on security and trust. Legal relations are traditionally and to a large extent still evaluated on the basis of concepts such as trust (vertrouwensleer), confidence and good faith. Liabilities are determined by checking specific situations against the behaviour normally expected from a reasonable family father. Recent efforts to formulateeven high-levelsecurity requirements in the form of legal rules seem to have failed (e.g. the EU legal requirements for electronic signatures). The legal research will look for a more adequate definition of the relationship between rules and policies and the mutual roles of legal and technical mechanisms in the creation, implementation and enforcement of security policies.

Keywords:security, trust, basic concepts, foundat

Disciplines:Law