2009 33rd Annual IEEE International Computer Software and Applications Conference (2009)
Seattle, Washington, USA
July 20, 2009 to July 24, 2009
ISSN: 0730-3157
ISBN: 978-0-7695-3726-9
pp: 445-450
ABSTRACT
In this paper, we define and illustrate a new form of attack in the context of software services: the software-based need-to-know (SN2K) attack. SN2K attacks can be carried out by a dishonest provider of a software service so that it can maliciously gain access to sensitive information, even if the service does not need to know such data in order to compute the functionalities it offers. We prove that it is generally undecidable to detect whether a given implementation of a service is dishonest, i.e., whether it implements an SN2K attack. A certification scheme for honest services is also proposed; our scheme relies on program slicing and certain other aspects of static program analysis.
INDEX TERMS
Need-to-Know, Least-privilege Principle, Honest Services, Program Analysis, Slicing, Undecidability, Certification
CITATION

A. Kundu, "SN2K Attacks and Honest Services," 2009 33rd Annual IEEE International Computer Software and Applications Conference (COMPSAC), Seattle, Washington, USA, 2009, pp. 445-450.
doi:10.1109/COMPSAC.2009.174