Dr Cliffe Schreuders

Reader

Dr Z. Cliffe Schreuders is Reader in Cyber Security and Director of the Cybercrime and Security Innovation Centre (CSI Centre) at Leeds Beckett University. He enjoys designing and programming novel solutions to challenging problems.

ORCID: 0000-0003-0428-7056 | Scopus ID: 25723651100
About

Cliffe completed his PhD in Computer Security at Murdoch University in Perth, Western Australia. There he gained experience teaching a wide range of subjects including computer security, software development, Linux / Unix system administration and security, IT project management and digital collaboration, and web development. Cliffe also spent time in industry working as a software engineer.

Since joining Leeds Beckett University, UK, he has had a pivotal role in developing cyber security curriculum with an emphasis on hands-on application of theory through experiential, problem-based labs. Cliffe leads the development of software and infrastructure that generates and hosts security challenges, which is at the heart of the curriculum. Cliffe also contributed to the NCSC accreditation of LBU cyber security degrees. Cliffe has led many successful research grants and founded the CSI research centre. Cliffe has specialist knowledge in cyber security, and is an avid proponent of Linux, free and open source software (FOSS), and free culture.

For an up-to-date list of publications and activities, please visit Cliffe's website

Research interests

Cliffe has led many successful research grants and founded the Cybercrime and Security Innovation Centre (CSI Centre). Projects have included a £640,000 research grant, working closely with West Yorkshire Police to improve cyber investigations, and various grants totalling £124,000 working to generate randomised hacking scenarios for capture the flag competitions.

Cliffe's research interests include cyber security education technologies, usable security, sandboxing and access control, and free and open source software and culture (please refer to the section below for more about his research work). He is comfortable with a wide range of programming languages, and his experience includes Linux kernel, Qt/C++ development, and Rails, and he has worked in industry on Linux-related software development.

Publications (46)

Conference Contribution

Linux Security Usability: Restricting Programs Using SELinux, AppArmor and FBAC-LSM

Featured 2010 Linux Security Summit 2010 - LinuxCon Boston, MA USA
Conference Proceeding (with ISSN)

Functionality-based application confinement parameterised hierarchical application restrictions

Featured 01 December 2008 Secrypt 2008 International Conference on Security and Cryptography Proceedings
Authors: Schreuders ZC, Payne C

Traditional user-oriented access control models such as Mandatory Access Control (MAC) and Discretionary Access Control (DAC) cannot differentiate between processes acting on behalf of users and those behaving maliciously. Consequently, these models are limited in their ability to protect users from the threats posed by vulnerabilities and malicious software as all code executes with full access to all of a user's permissions. Application-oriented schemes can further restrict applications thereby limiting the damage from malicious code. However, existing application-oriented access controls construct policy using complex and inflexible rules which are difficult to administer and do not scale well to confine the large number of feature-rich applications found on modern systems. Here a new model, Functionality-Based Application Confinement (FBAC), is presented which confines applications based on policy abstractions that can flexibly represent the functional requirements of applications. FBAC policies are parameterised allowing them to be easily adapted to the needs of individual applications. Policies are also hierarchical, improving scalability and reusability while conveniently abstracting policy detail where appropriate. Furthermore the layered nature of policies provides defence in depth allowing policies from both the user and administrator to provide both discretionary and mandatory security. An implementation FBAC-LSM and its architecture are also introduced.

Conference Proceeding (with ISSN)

Reusability of functionality-based application confinement policy abstractions

Featured 2008 Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) Springer Berlin Heidelberg
Authors: Schreuders ZC, Payne C

Traditional access control models and mechanisms struggle to contain the threats posed by malware and software vulnerabilities as these cannot differentiate between processes acting on behalf of users and those posing threats to users’ security as every process executes with the full set of the user’s privileges. Existing application confinement schemes attempt to address this by limiting the actions of particular processes. However, the management of these mechanisms requires security-specific expertise which users and administrators often do not possess. Further, these models do not scale well to confine the large number of applications found on functionality-rich contemporary systems. This paper describes how the principles of role-based access control (RBAC) can be applied to the problem of restricting an application’s behaviour. This approach provides a more flexible, scalable and easier to manage confinement paradigm that requires far less in terms of user expertise than existing schemes. Known as functionality-based application confinement (FBAC), this model significantly mitigates the usability limitations of existing approaches. We present a case study of a Linux-based implementation of FBAC known as FBAC-LSM and demonstrate the flexibility and scalability of the FBAC model by analysing policies for the confinement of four different web browsers.

Conference Proceeding (with ISSN)

A Policy Language for Abstraction and Automation in Application-Oriented Access Controls: The Functionality-Based Application Confinement Policy Language

Featured June 2011 2011 IEEE International Symposium on Policies for Distributed Systems and Networks - POLICY 2011 IEEE International Symposium on Policies for Distributed Systems and Networks IEEE
Authors: Schreuders ZC, Payne C, McGill T

This paper presents a new policy language, known as functionality-based application confinement policy language (FBAC-PL). FBAC-PL takes a unique approach to expressing application-oriented access control policies. Policies for restricting applications are defined in terms of the features applications provide, by means of parameterised and hierarchical policy abstractions known as functionalities. Policies also include metadata for management and the automation of policy specification. The result is a novel scheme for application confinement policy that reuses, encapsulates and abstracts policy details, and facilitates a priori policy specification: that is, without having to rely solely on learning modes for creating policies to restrict applications. This paper presents the policy language, and illustrates its use with examples. A Linux-based implementation, which uses FBAC-PL, has demonstrated that this approach can overcome policy complexity and usability issues of previous schemes. © 2011 IEEE.

Conference Proceeding (with ISSN)

Techniques for Automating Policy Specification for Application-oriented Access Controls

Featured August 2011 2011 Sixth International Conference on Availability, Reliability and Security (ARES) 2011 Sixth International Conference on Availability, Reliability and Security IEEE
Authors: Schreuders ZC, Payne C, McGill T

By managing the authority assigned to each application, rule-based application-oriented access controls can significantly mitigate the threats posed by malicious code due to software vulnerabilities or malware. However, these policies are typically complex and difficult to develop. Learning modes can ease specification; however, they still require high levels of expertise to utilise correctly, and are most suited to confining nonmalicious software. This paper presents a novel approach to automating policy specification for rule-based application-oriented access controls. The functionality-based application confinement (FBAC) model provides reusable parameterised abstractions. A number of straightforward yet effective techniques are presented that use these functionality-based abstractions to create application policies a priori; that is, without running programs before policies are specified. These techniques automate the specification of policy details by analysing program dependencies, program management information, and filesystem contents. © 2011 IEEE.

Journal article

Towards usable application-oriented access controls: Qualitative results from a usability study of SELinux, AppArmor and FBAC-LSM

Featured 2012 International Journal of Information Security and Privacy 6(1):57-76 IGI Global
Authors: Schreuders ZC, McGill TJ, Payne C

A number of security mechanisms are available for improving the security of systems by restricting the actions of individual programs to activities that are authorised. However, configuring these systems to enforce end users’ own security goals is often beyond their expertise. Little research has investigated the usability issues associated with application-oriented access controls. This paper presents the results of a qualitative analysis of user perceptions of the usability of three application-oriented security systems: SELinux, AppArmor, and FBAC-LSM. Qualitative analysis identified a number of factors that affect the usability of application-restriction mechanisms. These themes are used to compare the usability of the three systems studied, and it is proposed that these factors can be used to inform the design of new systems and development of existing ones. Changes to the three security systems are also proposed to address or mitigate specific usability issues that were identified.

Journal article
Empowering end users to confine their own applications: The results of a usability study comparing SELinux, AppArmor, and FBAC-LSM
Featured 01 September 2011 ACM Transactions on Information and System Security 14(2):1-28 Association for Computing Machinery (ACM)
Authors: Schreuders ZC, McGill T, Payne C

Protecting end users from security threats is an extremely difficult, but increasingly critical, problem. Traditional security models that focused on separating users from each other have proven ineffective in an environment of widespread software vulnerabilities and rampant malware. However, alternative approaches that provide more finely grained security generally require greater expertise than typical end users can reasonably be expected to have, and consequently have had limited success. The functionality-based application confinement (FBAC) model is designed to allow end users with limited expertise to assign applications hierarchical and parameterised policy abstractions based upon the functionalities each program is intended to perform. To validate the feasibility of this approach and assess the usability of existing mechanisms, a usability study was conducted comparing an implementation of the FBAC model with the widely used Linux-based SELinux and AppArmor security schemes. The results showed that the functionality-based mechanism enabled end users to effectively control the privileges of their applications with far greater success than widely used alternatives. In particular, policies created using FBAC were more likely to be enforced and exhibited significantly lower risk exposure, while not interfering with the ability of the application to perform its intended task. In addition to the success of the functionality-based approach, the usability study also highlighted a number of limitations and problems with existing mechanisms. These results indicate that a functionality-based approach has significant potential in terms of enabling end users with limited expertise to defend themselves against insecure and malicious software.

Conference Contribution

A New Paradigm for Restricting Applications and Protecting Yourself from Your Processes

Featured 2010 linux.conf.au - LCA2010 Wellington, New Zealand
Conference Contribution

Banking Payment Insecurities

Featured 2015 Payments Fraud & Security London, UK
Conference Contribution

Next Generation Hacking: Dangers of Digital

Featured 2015 Information Security in Financial Services London, UK
Conference Contribution

Knowing Your Enemy: Ensuring Awareness of Current Security Challenges

Featured 2016 Information Security in Financial Services London, UK
Conference Proceeding (with ISSN)

Not all ISPs equally secure home users: An empirical study comparing wi-fi security provided by UK ISPs

Featured 21 November 2013 Icete 2013 10th International Joint Conference on E Business and Telecommunications Secrypt 2013 10th International Conference on Security and Cryptography Proceedings
Authors: Schreuders ZC, Bhat AM

A majority of home users rely on their Internet service providers (ISPs) to provide them with wireless equipment that is secure, and assume that they are appropriately protected from threats such as piggybacking and eavesdropping. In this paper we present the results of an empirical study comparing the security provided to home users by their ISPs. Passive wireless data collection was used to gather information on 7,847 unique wireless access points within Leeds, UK. Non-parametric inferential statistical analysis was used to compare the security provided by the corresponding ISPs, as identified via the SSID naming used by ISPs in the UK. The ISPs identified included BT, O2, Orange, Plus Net, Sky, TalkTalk, and Virgin Media. Statistically significant differences in the security of the networks were found between ISPs, which we contend can in part be explained by their upgrade policies. These results are contrasted with the security configuration provided by three of the largest ISPs to new customers. For example, BT (the largest ISP in the UK) was found to have a greater number of access points configured with the cryptographically broken Wireless Equivalent Privacy (WEP) encryption method in use, compared to most of the other large ISPs, and this is in contrast to the favourable security configuration of the routers that are provided to new customers. The paper concludes with recommendations for when ISPs provide Wi-Fi enabled routers to home users. Copyright © 2013 SCITEPRESS.

Journal article
The functionality-based application confinement model
Featured 01 October 2013 International Journal of Information Security 12(5):393-422 Springer Science and Business Media LLC
Authors: Schreuders ZC, Payne C, McGill T

This paper presents the functionality-based application confinement (FBAC) access control model. FBAC is an application-oriented access control model, intended to restrict processes to the behaviour that is authorised by end users, administrators, and processes, in order to limit the damage that can be caused by malicious code, due to software vulnerabilities or malware. FBAC is unique in its ability to limit applications to finely grained access control rules based on high-level easy-to-understand reusable policy abstractions, its ability to simultaneously enforce application-oriented security goals of administrators, programs, and end users, its ability to perform dynamic activation and deactivation of logically grouped portions of a process's authority, its approach to process invocation history and intersection-based privilege propagation, its suitability to policy automation techniques, and in the resulting usability benefits. Central to the model are 'functionalities', hierarchical and parameterised policy abstractions, which can represent features that applications provide; 'confinements', which can model simultaneous enforcement of multiple sets of policies to enforce a diverse range of types of application restrictions; and 'applications', which represent the processes to be confined. The paper defines the model in terms of structure (which is described in five components) and function, and serves as a culmination of our work thus far, reviewing the evaluation of the model that has been conducted to date. © 2013 Springer-Verlag Berlin Heidelberg.

Software / Code

(Software) FBAC-LSM: Protect Yourself From Your Apps

Featured 2009 Publisher

Why? Because you can't trust the programs you run to act as you expect. In most cases when you run programs they are authorised to do anything you can do. Malware and vulnerabilities in software can lead your programs to use your privileges to act maliciously. How does it work? FBAC-LSM is a security extension for Linux. It restricts programs based on the features that you want them to perform. You specify high level goals such as "Web Browser", some application-specific information (which can usually be automated), and then FBAC-LSM stops the programs from misbehaving.

Conference Contribution

Games and Gamification for Improving Out-of-class Engagement of Computer Security Education

Featured 2013 Cyber Security Pedagogy, Teaching and Learning in Higher Education Warwick, UK
Conference Contribution

Linux Security Panel

Featured 2009 linux.conf.au - LCA2009 Tasmania, Australia
Conference Contribution

The Functionality-Based Application Confinement Model and its Linux Prototype FBAC-LSM

Featured 2009 linux.conf.au - LCA2009 Tasmania, Australia
Working Paper
Characteristics of Victims of Cybercrime
Featured 29 June 2018
Authors: Shan-A-Khuda M, Schreuders ZC
Other
CARI Project Postdoctoral Recruitment - Role, Interview Questions, and Information
Featured 2018 CSI Centre Leeds Beckett University

These materials were primarily intended for internal recruitment purposes; however, they are made available in the interest of informing future police-academia collaborations.

Journal article
Security Implications of Running Windows Software on a Linux System Using Wine
Featured 26 April 2018 Journal of Computer Virology and Hacking Techniques 15(1):36-60 Springer
Authors: Duncan R, Schreuders ZC

Linux is considered to be less prone to malware compared to other operating systems, and as a result Linux users rarely run anti-malware. However, many popular software applications released on other platforms cannot run natively on Linux. Wine is a popular compatibility layer for running Windows programs on Linux. The level of security risk that Wine poses to Linux users is largely undocumented. This project was conducted to assess the security implications of using Wine, and to determine if any specific types of malware or malware behavior have a significant effect on the malware being successful in Wine. Dynamic analysis (both automated and manual) was applied to 30 malware samples both in a Windows environment and Linux environment running Wine. Behavior analyzed included file system, registry, and network access, and the spawning of processes, and services. The behavior was compared to determine malware success in Wine. The study results provide evidence that Wine can pose serious security implications when used to run Windows software in a Linux environment. Five samples of Windows malware were run successfully through Wine on a Linux system. No significant relationships were discovered between the success of the malware and its high-level behavior or malware type. However, certain API calls could not be recreated in a Linux environment, and led to failure of malware to execute via Wine. This suggests that particular malware samples that utilize these API calls will never run completely successfully in a Linux environment. As a consequence, the success of some samples can be determined from observing the API calls when run within a Windows environment.

Conference Contribution
Police Knowledge Fund Showcase: CARI Project
Featured 2017 Police Knowledge Fund Showcase Coventry, UK
Authors: Schreuders ZC, Smith V
Journal article

The state of the art of application restrictions and sandboxes: A survey of application-oriented access controls and their shortfalls

Featured 2013 Computers and Security 32:219-241 Elsevier BV
Authors: Schreuders ZC, McGill T, Payne C

Under most widely-used security mechanisms the programs users run possess more authority than is strictly necessary, with each process typically capable of utilising all of the user's privileges. Consequently such security mechanisms often fail to protect against contemporary threats, such as previously unknown (‘zero-day’) malware and software vulnerabilities, as processes can misuse a user's privileges to behave maliciously. Application restrictions and sandboxes can mitigate threats that traditional approaches to access control fail to prevent by limiting the authority granted to each process. This developing field has become an active area of research, and a variety of solutions have been proposed. However, despite the seriousness of the problem and the security advantages these schemes provide, practical obstacles have restricted their adoption. This paper describes the motivation for application restrictions and sandboxes, presenting an in-depth review of the literature covering existing systems. This is the most comprehensive review of the field to date. The paper outlines the broad categories of existing application-oriented access control schemes, such as isolation and rule-based schemes, and discusses their limitations. Adoption of these schemes has arguably been impeded by workflow, policy complexity, and usability issues. The paper concludes with a discussion on areas for future work, and points a way forward within this developing field of research with recommendations for usability and abstraction to be considered to a further extent when designing application-oriented access controls.

Conference Proceeding (with ISSN)

Introducing Functionality-Based Application Confinement

Featured 2006 Seventh Postgraduate Electrical Engineering and Computing Symposium Perth, Western Australia Murdoch University
Authors: Schreuders ZC, Payne C
Conference Proceeding (with ISSN)

Break Escape: A Novel Game Framework for Immersive Cyber-Physical Security Education

Featured 2026 CSE 2024: Advances in Teaching and Learning for Cyber Security Education Lecture Notes in Networks and Systems Coventry, UK Springer
Authors: Schreuders ZC, Alali L, Idzinski D, Shaw T

This paper introduces Break Escape, a novel escape room inspired games-based learning framework that simulates cyber-physical security challenges. Unlike traditional cyber security educational approaches, Break Escape creates immersive experiences where learners must engage with both physical and digital security mechanisms within narrative-driven scenarios that are explicitly mapped to the Cyber Security Body of Knowledge (CyBOK). Break Escape draws inspiration from physical escape rooms, adapting their engaging puzzle solving mechanics to create virtual environments where physical and digital security elements are combined. The framework employs constructivist learning principles through scenarios that require critical analysis and practical application of technical security skills via puzzle chains. Players must apply knowledge of encryption, encoding, and engage in simulated physical security mechanisms to progress through scenarios. This approach aims to address the “reflection gap” identified in many existing cyber security games by requiring players to actively apply security knowledge rather than merely encountering security terminology during gameplay. Implemented using Phaser.js with browser-based deployment, the system features a flexible JSON-based scenario specification that enables educators to create custom content without programming knowledge. Each scenario is explicitly mapped to relevant CyBOK knowledge areas, helping learners recognise the relationship between their in-game actions and established cyber security principles. Preliminary evaluation using the Player Experience Inventory demonstrated high engagement scores (enjoyment M=6.25/7, immersion M=6.00/7).

Conference Contribution
Generating randomised virtualised scenarios for ethical hacking and computer security education: SecGen implementation and deployment
Featured 11 June 2015 The first UK Workshop on Cybersecurity Training & Education (Vibrant Workshop 2015) Liverpool
Authors: Schreuders ZC, Ardern L

Computer security students benefit from having hands-on experience with hacking tools and with access to vulnerable systems that they can attack and defend. However, vulnerable VMs are static; once they have been exploited by a student there is no repeatable challenge as the vulnerable boxes never change. A new novel solution, SecGen, has been created and deployed. SecGen solves the issue by creating vulnerable machines with randomised vulnerabilities and services, with constraints that ensure each scenario is catered to specific skills or concepts. SecGen was successfully deployed to generate VMs for a second year undergraduate team module. Future plans are discussed.

Conference Contribution
An open cloud-based virtual lab environment for computer security education: A pilot study evaluation of oVirt
Featured 11 June 2015 The first UK Workshop on Cybersecurity Training & Education (Vibrant Workshop 2015) Liverpool
Authors: Schreuders ZC, Butterfield EM, Staniforth P

Providing an environment that enables students to gain hands-on experience with security tools in rich and complex learning scenarios, while granting them the freedom to experiment with potentially harmful tools, is an issue for many universities and organisations. As is the challenge of enabling students the flexibility to work from home. This paper presents the results of a pilot study of our proposed solution based on oVirt. Opportunities for improvements are identified, and it is concluded that oVirt is a feasible platform on which to build a lab environment for teaching computer security.

Conference Contribution
Student Led Data Recovery Services: Providing Digital Forensics students with relevant work experience
Featured 11 June 2015 The first UK Workshop on Cybersecurity Training & Education (Vibrant Workshop 2015) Liverpool
Authors: Butterfield EM, Schreuders ZC

Digital Forensics is a growth market; however, obtaining real world work experience as a student can be challenging due to the high levels of competition, legal, ethical, and confidential aspects of the work. This paper presents a solution to providing students practical work experience that will aid them in obtaining future employment in Forensics. Currently under development at Leeds Beckett University is a student led data recovery service, which will be provided to all staff and students, using mixed level groupings of students. This service is designed to provide a rich, interactive environment that enables students to gain hands-on experience in an unknown and dynamically changing environment. Plans have received positive support from both Faculty Leadership and students. The service is due to start in September 2016.

Conference Proceeding (with ISSN)
Hacktivity Cyber Security Labs: A Platform for Cyber Security Education with Randomised Challenges, Virtualisation Infrastructure Management, and CyBOK Integration
Featured 28 December 2024 CSE 2024: Advances in Teaching and Learning for Cyber Security Education Lecture Notes in Networks and Systems Legg P, Coull N, Clarke C Bristol, UK Springer
Authors: Schreuders Z, Shaw T; Editors: Legg P, Coull N, Clarke C

We present Hacktivity Cyber Security Labs, a novel technical framework and hosted lab infrastructure platform. Hacktivity uniquely addresses limitations in traditional cyber security education methods, particularly through extensive incorporation of randomisation of cyber security and hacking challenges, integration of automated chatbots, provisioning and managing of VMs and datacenter clusters, and integration with the Cyber Security Body of Knowledge (CyBOK) for curriculum alignment and individualised tracking of knowledge and experience. In this paper we present the technical design details of Hacktivity and our open-source backend framework, SecGen, and reflect on our experience of integrating it into security courses. By leveraging the SecGen framework for automatic problem generation, Hacktivity provides randomised challenges and hands-on tasks, enriching experiential learning for students. The close integration with CyBOK enables students to better understand the alignment of modules with knowledge areas and monitor and reflect on their learning progress. We present our experience of the platform’s effectiveness in teaching a wide range of technical cyber security topics. This paper introduces our innovative approach to teaching computer security, leveraging SecGen, an open-source software, multiple virtualisation data centres, and Hacktivity, a new virtualisation management and virtual learning environment.

Journal article
Understanding Cybercrime Victimisation: Modelling The Local Area Variations in Routinely Collected Cybercrime Police Data Using Latent Class Analysis
Featured 2019 International Journal of Cyber Criminology 13(2):493-510

Numerous factors such as sociodemographic characteristics contribute to cybercrime victimisation. Previous research suggests that neighbourhood plays a role in cybercrime perpetration. However, despite the theoretical importance and particular interest to law enforcement agencies and policymakers, local area variations in cybercrime victimisation have rarely been examined. Drawing on data from recorded cybercrime incidents within one of the largest police forces in England from a three-year period with a victim dataset of 5,270 individuals enhanced by the Census data, this research untangles the relationships between demographics of cybercrime victims and their resident area characteristics. The research considers four types of cybercrime victimisation: ‘Harassment/Unwanted Contact’, ‘Fraud/Theft/Handling’, ‘Sexual/Indecent Images’ and ‘other types of cybercrime’ (classifications used by the participating police force). Latent Class Analysis (LCA) was applied to rigorously analyse the relationship among the four different types of cybercrime victimisation with victim demographics and resident area-level characteristics. This research finds that each type of cybercrime yielded statistically distinct victim profiles. Vulnerabilities to cybercrime varied among male and female of different age groups, and importantly, the types of residential areas of the victims. Specifically, it is evident that females were much more likely to become cybercrime victims than males for two types of cybercrime: ‘Harassment/Unwanted Contact’, and ‘Sexual/Indecent Images’. Vulnerabilities associated with these two types of cybercrime decreased with the increase of age. Cybercrime victims of ‘Sexual/Indecent Images’ were likely to be 5-14 year-olds living in areas with a higher number of Level 2, Level 4 qualifications and full-time students. 
Both males and females were vulnerable to ‘Fraud/Theft/Handling’ cybercrime and their resident areas had a higher number of full-time students, Level 4 qualifications and Asians. Finally, victims of ‘other types of cybercrime’ were most likely to be male and their resident areas had a high number of Asians and full-time students. Our work demonstrates that it is possible to apply statistical analysis to routinely collected police data to gain insight into the cybercrime victimisation that occurs across crime types in relation to demographics and area-level variations. These results provide valuable insights into policing cybercrime in England and beyond.

Working Paper
Automated Digital Forensics
Featured 29 June 2018
Authors: Butterfield EM, Dixon MB, Miller S, Schreuders ZC
Conference Contribution
Needs Assessment of Cybercrime and Digital Evidence
Featured 25 May 2017 Tackling Cyber Crime and Improving Police Response Showcase Leeds Beckett University
Authors: Schreuders C, Cockcroft TW
Conference Proceeding (with ISSN)
Gamification for Teaching and Learning Computer Security in Higher Education
Featured 09 August 2016 2016 USENIX Workshop on Advances in Security Education (ASE 16) Austin, TX, USA USENIX Association
Authors: Schreuders ZC, Butterfield EM

In many cases students in higher education are driven by assessments and achievements rather than the “learning journey” that can be achieved through full engagement with provided material. Novel approaches are needed to improve engagement in and out of class time, and to achieve a greater depth of learning. Gamification, “the use of game design elements in non-game contexts”, has been applied to higher education to improve engagement, and research also suggests that serious games can be used for games-based learning, providing simulated learning environments and increasing motivation. This paper presents the design and evaluation of a gamified computer security module, with a unique approach to assessed learning activities. Learning activities (many developed as open educational resources (OER)) and an assessment structure were developed. A new free and open source software (FOSS) virtual learning environment (VLE) was implemented, which enables the use of three types of experience points (XP), and a semi-automated marking scheme for timely, clear, transparent, and feedback-oriented marking. The course and VLE were updated and evaluated over two years. Qualitative and descriptive results were positive and encouraging. However, ultimately the increased satisfaction was not found to have statistical significance on quantitative measurements of motivation, and the teaching workload of the gamified module was noteworthy.

Conference Proceeding (with ISSN)
Source Camera Identification using Non-decimated Wavelet Transform
Featured 04 January 2017 11th International Conference on Global Security, Safety & Sustainability Communications in Computer and Information Science London Springer

Source camera identification of digital images can be performed by matching the sensor pattern noise (SPN) of the images with that of the camera reference signature. This paper presents a non-decimated wavelet based source camera identification method for digital images. The proposed algorithm applies a non-decimated wavelet transform on the input image and splits the image into its wavelet sub-bands. The coefficients within the resulting wavelet high frequency sub-bands are filtered to extract the SPN of the image. Cross correlation of the image SPN and the camera reference SPN signature is then used to identify the most likely source device of the image. Experimental results were generated using images of ten cameras to identify the source camera of the images. Results show that the proposed technique generates superior results to that of the state of the art wavelet based source camera identification.

Other
Image Linkage Application: User Guide
Featured 29 June 2018 CSI Centre Leeds Beckett University
Other
Software Pilot and User Guide EWT: Chat Log Grooming Detection
Featured 29 June 2018 CSI Centre Leeds Beckett University
Authors: Lambourne AD, Elliott JR, Miller S, Collins L, Schreuders ZC
Conference Proceeding (with ISSN)
Reinforced source camera identification using non-decimated wavelet transform
Featured 13 May 2017 IET International Conference on Biomedical Image and Signal Processing Wuhan, China

The Sensor Pattern Noise (SPN) extracted from digital pictures can be interpreted as a unique sensor fingerprint for a digital camera and can be used to perform source identification of digital cameras. Scene details can contaminate SPN signatures. This paper presents a method to extract the SPN by applying non-decimated wavelet transform to digital pictures and then disinfect the contaminated SPN in order to improve the identification rate of the SPNs. The coefficients within the resulting wavelet high frequency sub-bands are filtered to extract the SPN of the image. By using non-decimated wavelet transform, we perform a two-step comparison technique that first isolates all the contaminated components of the SPN and then neutralises these components from a contaminated SPN. The reinforced SPN is then matched against the corresponding components in the reference camera fingerprint. The two-step comparison technique provides a reinforced SPN of reduced contamination for the matching against the camera reference fingerprint. Experimental results were performed using images of ten cameras to identify the source camera of the images. Results show that the proposed technique generates superior results to that of the non-reinforced SPNs.

Working Paper
Police Cybercrime Training: Perceptions, Pedagogy and Policy (Working Paper)
Featured 2018 Policing Oxford Oxford University Press (OUP)

Cybercrime presents numerous issues for police organizations. A key challenge is to understand how best to impart relevant skills and knowledge about cybercrime throughout the organization to enable police officers to react appropriately to such incidents. This article is drawn from research undertaken as part of the CARI Project, a major study into the effectiveness of cybercrime investigation within a large UK police force funded by the Police Knowledge Fund. As part of the needs assessment for the above project, concerns were raised about the effectiveness of existing training arrangements in facilitating the development of cyber skills within police officers. The present research, based on survey data, explored the effectiveness of different training styles as perceived by those who had undertaken cyber training. The research found that officers perceived some modes of training as more effective than others and highlighted some of the organizational contexts that impact negatively on the delivery of effective cyber training. The findings are presented within a context, informed by existing literature, that acknowledges wider debates surrounding the pedagogy of police learning and the organizational challenges of developing cyber skills within police officers. The authors believe that the findings will have relevance to police training policy both in the UK and in the wider international context.

Journal article
Police Cybercrime Training: Perceptions, Pedagogy and Policy
Featured 26 October 2018 Policing: A Journal of Policy and Practice 15(1):15-33 Oxford Journals
Authors: Cockcroft TW, Shan-A-Khuda M, Schreuders C, Trevorrow P

Cybercrime has become one of the most pressing developments for police organisations to engage with over recent years. One of the key challenges here is to understand how best to effectively impart relevant skills and knowledge about cybercrime throughout the organisation to enable police officers to react appropriately to such illicit behaviours. This paper is drawn from mixed-methods research undertaken as part of a major study into the effectiveness of cybercrime investigation within a large UK police force funded by College of Policing/Hefce. The research found that officers perceived some modes of training as considerably more effective than others and, similarly, highlighted some of the organisational contexts that impact negatively on the delivery of effective cyber training to police officers. The authors believe that the findings will have relevance to police training policies both in the UK and in the wider international context.

Conference Proceeding (with ISSN)
Hackerbot: Attacker Chatbots for Randomised and Interactive Security Labs, Using SecGen and oVirt
Featured 12 June 2018 2018 USENIX Workshop on Advances in Security Education Baltimore, MD, USA USENIX Association
Authors: Schreuders ZC, Shaw T, Mac Muireadhaigh A, Staniforth P

Capture the flag (CTF) has been applied with success in cybersecurity education, and works particularly well when learning offensive techniques. However, defensive security and incident response do not always naturally fit the existing approaches to CTF. We present Hackerbot, a unique approach for teaching computer security: students interact with a malicious attacker chatbot, who challenges them to complete a variety of security tasks, including defensive and investigatory challenges. Challenges are randomised using SecGen, and deployed onto an oVirt infrastructure. Evaluation data included system performance, mixed methods questionnaires (including the Instructional Materials Motivation Survey (IMMS) and the System Usability Scale (SUS)), and group interviews/focus groups. Results were encouraging, finding the approach convenient, engaging, fun, and interactive; while significantly decreasing the manual marking workload for staff. The cloud infrastructure deployment using SecGen/oVirt was a success, generating VMs with randomised challenges, and enabling students to work from home.

Conference Contribution
Security Scenario Generator (SecGen): A Framework for Generating Randomly Vulnerable Rich-scenario VMs for Learning Computer Security and Hosting CTF Events
Featured 14 August 2017 2017 USENIX Workshop on Advances in Security Education (ASE'17) USENIX Vancouver, BC, Canada USENIX Association
Authors: Schreuders ZC, Shaw T, Shan-A-Khuda M, Ravichandran G, Keighley J, Ordean M

Computer security students benefit from hands-on experience applying security tools and techniques to attack and defend vulnerable systems. Virtual machines (VMs) provide an effective way of sharing targets for hacking. However, developing these hacking challenges is time consuming, and once created, essentially static. That is, once the challenge has been "solved" there is no remaining challenge for the student, and if the challenge is created for a competition or assessment, the challenge cannot be reused without risking plagiarism, and collusion. Security Scenario Generator (SecGen) can build complex VMs based on randomised scenarios, with a number of diverse use-cases, including: building networks of VMs with randomised services and in-the-wild vulnerabilities and with themed content, which can form the basis of penetration testing activities; VMs for educational lab use; and VMs with randomised CTF challenges. SecGen has a modular architecture which can dynamically generate challenges by nesting modules, and a hints generation system, which is designed to provide scaffolding for novice security students to make progress on complex challenges. SecGen has been used for teaching at universities, and hosting a recent UK-wide CTF event.

Journal article
Needs Assessment of Cybercrime and Digital Evidence in a UK Police Force
Featured 2020 International Journal of Cyber Criminology 14(1):316-340 International Journal of Cyber Criminology
Authors: Schreuders ZC, Cockcroft T, Butterfield E, Elliott J, Soobhany AR, Shan-A-Khuda M

Cybercrime has recently surpassed, in terms of volume, all other forms of crime in the United Kingdom, and has been acknowledged as a national priority. The purpose of this research is to analyse the police cyber-investigation lifecycle: from the experience of the public when reporting cybercrime to call takers, through to the attending officers, officer(s) in charge, and the many units and roles involved in supporting cybercrime investigations. A large scale needs assessment was conducted within one of the largest police forces in England and Wales, involving focus groups and interviews with police staff and strategic leads across key units and roles. The results of the needs assessment document the state of policing cybercrime in a UK police force, along with the improvements and needs that exist across the force and in specific units and roles. In total, 125 needs were identified and further coded based on a thematic analysis. Common themes identified include: knowledge/training, communication, recording, software, roles, governance, procedures, resources, consistency, staffing, national input, face-to-face, interactions with the public, new capabilities, and triage. The most common needs were related to training and knowledge, communications, quality of recording, software, governance, procedures, resourcing, and national input. Due to the nature of the findings, it is likely that some of these identified areas may parallel other police organisations’ experiences at national and international levels.

Conference Contribution
Cybercrime Policing: Needs Analysis and Building a Research Culture
Featured 2017 College of Policing PKF Event Coventry, UK
Authors: Schreuders ZC, Cockcroft TW, Butterfield EM, Elliott JR, Shan-A-Khuda M
Working Paper
Needs Assessment of Cybercrime and Digital Evidence in a UK Police Force
Featured 01 January 2020 International Journal of Cyber Criminology
Authors: Schreuders ZC, Cockcroft TW, Butterfield EM, Elliott JR, Soobhany AR, Shan-A-Khuda M

Cybercrime has recently surpassed, in terms of volume, all other forms of crime in the United Kingdom, and has been acknowledged as a national priority. The purpose of this research is to analyse the police cyber-investigation lifecycle: from the experience of the public when reporting cybercrime to call takers, through to the attending officers, officer(s) in charge, and the many units and roles involved in supporting cybercrime investigations. A large-scale needs assessment was conducted within one of the largest police forces in England and Wales, involving focus groups and interviews with police staff and strategic leads across key units and roles. The results of the needs assessment document the state of policing cybercrime in a UK police force, along with the improvements and needs that exist across the force and in specific units and roles. In total, 125 needs were identified and further coded based on a thematic analysis. Due to the nature of the findings, it is likely that some of these identified areas may parallel other police organisations' experiences at national and international levels.

Conference Contribution
CARI Project Showcase Event
Featured 2017 CARI Project Showcase Event: Tackling Cyber Crime and Improving Police Response Showcase Headingley, UK
Authors: Schreuders ZC, Smith V, Butterfield EM, Miller S, Cockcroft TW, Horvath D, Trevorrow PA, Elliott JR, Lambourne AD, Dixon MB, Sheikh Akbari A, Halmshaw LD

Current teaching

Courses:

  • BSc Cyber Security
  • BSc Cyber Security and Digital Forensics
  • MSc Cyber Security (Distance Learning)
  • MSc Cyber Security and Digital Forensics
  • MEng Cyber Security and Digital Forensics

Modules:

  • Ethical Hacking and Penetration Testing
  • Cyber Security Landscapes
  • Web and Network Security
  • Systems Security
  • Incident Response and Investigation
  • Reverse Engineering and Malware Analysis
  • Software Security and Exploitation

Teaching Activities (1)

Course taught

Systems Security

23 January 2026

Grants (1)

Grant

Fighting Cyber-Crime

College of Policing/HEFCE - 07 September 2015