@article {munoz2022, title = {A Test Environment for Wireless Hacking in Domestic IoT Scenarios}, journal = {Mobile Networks and Applications}, year = {2022}, month = {2022/10/14}, publisher = {Springer}, keywords = {Domestic security, Hacking the IoT, IoT security, Network Security}, issn = {1383-469X}, doi = {10.1007/s11036-022-02046-x}, url = {https://doi.org/10.1007/s11036-022-02046-x}, author = {Mu{\~n}oz, Antonio and Carmen Fernandez-Gago and Roberto Lopez-villa} } @article {Flamini2022, title = {Towards Trustworthy Autonomous Systems: Taxonomies and Future Perspectives}, journal = {IEEE Transactions on Emerging Topics in Computing}, year = {2022}, publisher = {IEEE}, abstract = {

The class of Trustworthy Autonomous Systems (TAS) includes cyber-physical systems leveraging on self-x technologies that make them capable to learn, adapt to changes, and reason under uncertainties in possibly critical applications and evolving environments. In the last decade, there has been a growing interest in enabling artificial intelligence technologies, such as advanced machine learning, new threats, such as adversarial attacks, and certification challenges, due to the lack of sufficient explainability. However, in order to be trustworthy, those systems also need to be dependable, secure, and resilient according to well-established taxonomies, methodologies, and tools. Therefore, several aspects need to be addressed for TAS, ranging from proper taxonomic classification to the identification of research opportunities and challenges. Given such a context, in this paper we address relevant taxonomies and research perspectives in the field of TAS. We start from basic definitions and move towards future perspectives, regulations, and emerging technologies supporting development and operation of TAS.

}, keywords = {Artificial Intelligence, Cyber-Resilience, Cybersecurity, Dependability, Intelligent Systems, Trustworthy Autonomous Systems}, issn = {2168-6750}, doi = {https://doi.org/10.1109/TETC.2022.3227113}, url = {https://ieeexplore.ieee.org/abstract/document/9979717/authors$\#$authors}, author = {Francesco Flammini and Cristina Alcaraz and Emanuele Bellini and Stefano Marrone and Javier Lopez and Andrea Bondavalli} } @article {anto2021, title = {P2ISE: Preserving Project Integrity in CI/CD Based on Secure Elements}, journal = {Information}, volume = {12}, number = {357}, year = {2021}, month = {08/2021}, publisher = {MDPI}, issn = {2078-2489,}, author = {Mu{\~n}oz, Antonio and Farao, Aristeidis and Casas, Ryan and Xenakis, Christos} } @article {Alcaraz2021a, title = {Stakeholder Perspectives and Requirements on Cybersecurity in Europe}, journal = {Journal of Information Security and Applications}, volume = {61}, number = {102916}, year = {2021}, month = {09/2021}, publisher = {Elsevier}, keywords = {Cybersecurity, Requirements, Roadmap, Stakeholder engagement. Research \& innovation}, issn = {2214-2126}, doi = {https://doi.org/10.1016/j.jisa.2021.102916}, url = {https://www.sciencedirect.com/science/article/pii/S2214212621001381}, author = {Simone Fischer-H{\"u}bner and Cristina Alcaraz and Afonso Ferreira and Carmen Fernandez-Gago and Javier Lopez and Evangelos Markatos and Lejla Islami and Mahdi Akil} } @article {ferraris2020b, title = {A model-driven approach to ensure trust in the IoT}, journal = {Human-centric Computing and Information Sciences}, volume = {10}, number = {50}, year = {2020}, month = {12/2020}, publisher = {Springer}, abstract = {

The Internet of Things (IoT) is a paradigm that permits smart entities to be interconnected anywhere and anyhow. IoT opens new opportunities but also raises new issues.
In this dynamic environment, trust is useful to mitigate these issues. In fact, it is important that the smart entities could know and trust the other smart entities in order to collaborate with them.
So far, there is a lack of research when considering trust through the whole System Development Life Cycle (SDLC) of a smart IoT entity.
In this paper, we suggest a new approach that considers trust not only at the end of the SDLC but also at the start of it. More precisely, we explore the modeling phase proposing a model-driven approach extending UML and SysML considering trust and its related domains, such as security and privacy.
We propose stereotypes for each diagram in order to give developers a way to represent trust elements in an effective way.
Moreover, we propose two new diagrams that are very important for the IoT: a traceability diagram and a context diagram.
This model-driven approach will help developers to model the smart IoT entities according to the requirements elicited in the previous phases of the SDLC.
These models will be a fundamental input for the following and final phases of the SDLC.

}, keywords = {Internet of Things (IoT), SysML, System Development Life Cycle (SDLC), Trust, UML}, issn = {2192-1962 }, doi = {10.1186/s13673-020-00257-3}, author = {Davide Ferraris and Carmen Fernandez-Gago and Javier Lopez} } @article {ferraris2020, title = {A Trust Model for Popular Smart Home Devices}, journal = {International Journal of Information Security}, year = {2020}, publisher = {Springer}, abstract = {

Nowadays, smart home devices like Amazon Echo and Google Home have reached mainstream popularity.
Being in the homes of users, these devices are intrinsically intrusive, being able to access details such as users{\textquoteright} name, gender, home address, calendar appointments and others.
There are growing concerns about indiscriminate data collection and invasion of user privacy in smart home devices, but studies show that perceived benefits are exceeding perceived risks when it comes to consumers.
As a result, consumers are placing a lot of trust in these devices, sometimes without realizing it.
Improper trust assumptions and security controls can lead to unauthorized access and control of the devices, which can result in serious consequences.
In this paper, we explore the behaviour of devices such as Amazon Echo and Google Home in a smart home setting with respect to trust relationships and propose a trust model to improve these relationships among all the involved actors.
We have evaluated how trust was built and managed from the initial set up phase to the normal operation phase, during which we performed a number of interaction tests with different types of users (i.e. owner, guests).
As a result, we were able to assess the effectiveness of the provided security controls and identify potential relevant security issues. In order to address the identified issues, we defined a trust model and propose a solution based on it for further securing smart home systems.

}, keywords = {Internet of Things, privacy, security, Smart Home, Trust}, issn = {1615-5262}, doi = {10.1007/s10207-020-00519-2}, url = {https://link.springer.com/article/10.1007/s10207-020-00519-2}, author = {Davide Ferraris and Daniel Bastos and Carmen Fernandez-Gago and Fadi El-Moussa} } @article {kolar2019trust, title = {A Model Specification for the Design of Trust Negotiations}, journal = {Computers \& Security}, volume = {84}, year = {2019}, month = {04/2019}, pages = {288-300}, publisher = {Elsevier}, type = {Full article}, abstract = {

Trust negotiation is a type of trust management model for establishing trust between entities by a mutual exchange of credentials. This approach was designed for online environments, where the attributes of users, such as skills, habits, behaviour and experience are unknown. Required criteria of trust negotiation must be supported by a trust negotiation model in order to provide a functional, adequately robust and efficient application. Such criteria were identified previously. In this paper we are presenting a model specification using a UML-based notation for the design of trust negotiation. This specification will become a part of the Software Development Life Cycle, which will provide developers a strong tool for incorporating trust and trust-related issues into the software they create. The specification defines components and their layout for the provision of the essential functionality of trust negotiation on one side as well as optional, additional features on the other side. The extra features make trust negotiation more robust, applicable for more scenarios and may provide a privacy protection functionality.

}, keywords = {Policy, Software Development Life Cycle, Trust Model, Trust Negotiation, UML}, issn = {0167-4048}, doi = {10.1016/j.cose.2019.03.024}, url = {https://www.sciencedirect.com/science/article/pii/S0167404818310484}, author = {Martin Kolar and Carmen Fernandez-Gago and Javier Lopez} } @article {ferraris2019, title = {TrUStAPIS: A Trust Requirements Elicitation Method for IoT}, journal = {International Journal of Information Security }, year = {2019}, month = {01/2020}, pages = {111-127}, publisher = {Springer}, abstract = {

The Internet of Things (IoT) is an environment of interconnected entities, which are identifiable, usable and controllable via the Internet. Trust is useful for a system such as the IoT as the entities involved would like to know how the other entities they have to interact with are going to perform.
When developing an IoT entity, it will be desirable to guarantee trust during its whole life cycle. Trust domain is strongly dependent on other domains such as security and privacy.
To consider these domains as a whole and to elicit the right requirements since the first phases of the System Development Life Cycle (SDLC) is a key point when developing an IoT entity.
This paper presents a requirements elicitation method focusing on trust plus other domains such as security, privacy and usability that increase the trust level of the IoT entity developed. To help the developers to elicit the requirements, we propose a JavaScript Object Notation (JSON) template containing all the key elements that must be taken into consideration.
We emphasize the importance of the concept of traceability. This property makes it possible to connect all the elicited requirements, guaranteeing more control over the whole requirements engineering process.

}, keywords = {Internet of Things (IoT), Requirements Engineering, System Development Life Cycle (SDLC), Trust, JavaScript Object Notation (JSON)}, issn = {1615-5262}, doi = {10.1007/s10207-019-00438-x}, url = {https://link.springer.com/article/10.1007\%2Fs10207-019-00438-x}, author = {Davide Ferraris and Carmen Fernandez-Gago} } @article {NAFMONET2018, title = {Crowdsourcing analysis in 5G IoT: Cybersecurity Threats and Mitigation}, journal = {Mobile Networks and Applications (MONET)}, year = {2018}, month = {10/2018}, pages = {881-889}, publisher = {Springer US}, abstract = {
Crowdsourcing can be a powerful weapon against cyberattacks in 5G networks. In this paper we analyse this idea in detail, starting from the use cases in crowdsourcing focused on security, and highlighting those areas of a 5G ecosystem where crowdsourcing could be used to mitigate local and remote attacks, as well as to discourage criminal activities and cybercriminal behaviour. We pay particular attention to the capillary network, where an infinite number of IoT objects coexist. The analysis is made considering the different participants in a 5G IoT ecosystem. 
}, keywords = {5G security, Cybersecurity, digital witness, Proactive security}, issn = {1383-469X}, doi = {https://doi.org/10.1007/s11036-018-1146-4}, author = {Ana Nieto and Antonio Acien and Gerardo Fernandez} } @article {Ruben2017trust, title = {Modelling Privacy-Aware Trust Negotiations}, journal = {Computers \& Security}, volume = {77 }, year = {2018}, pages = {773-789}, publisher = {Elsevier}, abstract = {

Trust negotiations are mechanisms that enable interaction between previously unknown users. After exchanging various pieces of potentially sensitive information, the participants of a negotiation can decide whether or not to trust one another. Therefore, trust negotiations bring about threats to personal privacy if not carefully considered. This paper presents a framework for representing trust negotiations in the early phases of the Software Development Life Cycle (SDLC). The framework can help software engineers to determine the most suitable policies for the system by detecting conflicts between privacy and trust requirements. More precisely, we extend the SI* modelling language and provide a set of predicates for defining trust and privacy policies and a set of rules for describing the dynamics of the system based on the established policies. The formal representation of the model facilitates its automatic verification. The framework has been validated in a distributed social network scenario for connecting drivers with potential passengers willing to share a journey.

}, keywords = {Goal-Oriented Modelling, Policy, privacy, Requirements Engineering, Secure Software Engineering, Trust}, issn = {0167-4048}, doi = {10.1016/j.cose.2017.09.015}, author = {Ruben Rios and Carmen Fernandez-Gago and Javier Lopez} } @article {Fer_IS17, title = {Modelling Trust Dynamics in the Internet of Things}, journal = {Information Sciences}, volume = {396}, year = {2017}, pages = {72-82}, publisher = {Elsevier}, abstract = {

The Internet of Things (IoT) is a paradigm based on the interconnection of everyday objects. It is expected that the {\textquoteleft}things{\textquoteright} involved in the IoT paradigm will have to interact with each other, often in uncertain conditions. It is therefore of paramount importance for the success of IoT that there are mechanisms in place that help overcome the lack of certainty. Trust can help achieve this goal. In this paper, we introduce a framework that assists developers in including trust in IoT scenarios. This framework takes into account trust, privacy and identity requirements as well as other functional requirements derived from IoT scenarios to provide the different services that allow the inclusion of trust in the IoT.

}, keywords = {Dynamic Framework, Internet of Things, Trust}, issn = {0020-0255}, doi = {10.1016/j.ins.2017.02.039}, author = {Carmen Fernandez-Gago and Francisco Moyano and Javier Lopez} } @article {nunez2016eliciting, title = {Eliciting Metrics for Accountability of Cloud Systems}, journal = {Computers \& Security}, volume = {62}, year = {2016}, month = {08/2016}, pages = {149-164}, publisher = {Elsevier}, abstract = {

Cloud computing provides enormous business opportunities, but at the same time is a complex and challenging paradigm. The major concerns for users adopting the cloud are the loss of control over their data and the lack of transparency. Providing accountability to cloud systems could foster trust in the cloud and contribute toward its adoption. Assessing how accountable a cloud provider is becomes then a key issue, not only for demonstrating accountability, but to build it. To this end, we need techniques to measure the factors that influence accountability. In this paper, we provide a methodology to elicit metrics for accountability in the cloud, which consists of three different stages. Since the nature of accountability attributes is very abstract and complex, in the first stage we perform a conceptual analysis of the accountability attributes in order to decompose them into concrete practices and mechanisms. Then, we analyze relevant control frameworks designed to guide the implementation of security and privacy mechanisms, and use them to identify measurable factors, related to the practices and mechanisms defined earlier. Lastly, specific metrics for these factors are derived. We also provide some strategies that we consider relevant for the empirical validation of the elicited accountability metrics.

}, issn = {0167-4048}, doi = {10.1016/j.cose.2016.07.003}, author = {David Nu{\~n}ez and Carmen Fernandez-Gago and Jes{\'u}s Luna} } @article {JNCA16, title = {A Model-driven Approach for Engineering Trust and Reputation into Software Services}, journal = {Journal of Network and Computer Applications}, volume = {69}, year = {2016}, month = {04/2016}, pages = {134-151}, publisher = {Elsevier}, issn = {1084-8045}, author = {Francisco Moyano and Carmen Fernandez-Gago and Javier Lopez} } @article {CSI13, title = {Building Trust from Context Similarity Measures}, journal = {Computer Standards \& Interfaces, Special Issue on Security in Information Systems}, volume = {36}, year = {2014}, pages = {792-800}, publisher = {Elsevier}, abstract = {

Trust is an essential feature of any system where entities have to collaborate among them. Trust can assist entities making decisions about what is the best entity for establishing a certain collaboration. It would be desirable to simulate behaviour of users as in social environments where they tend to establish relationships or to trust users who have common interests or share some of their opinions, i.e., users who are similar to them to some extent. Thus, in this paper we first introduce the concept of context similarity among entities and from it we derive a similarity network which can be seen as a graph. Based on this similarity network we define a trust model that allows us also to establish trust along a path of entities. A possible application of our model is proximity-based trust establishment. We validate our model in this scenario.

}, issn = {0920-5489}, doi = {10.1016/j.csi.2013.12.012}, author = {Carmen Fernandez-Gago and Isaac Agudo and Javier Lopez} } @article {moyano2013re, title = {A Framework for Enabling Trust Requirements in Social Cloud Applications}, journal = {Requirements Engineering}, volume = {18}, year = {2013}, month = {Nov 2013}, pages = {321-341}, publisher = {Springer London}, abstract = {

Cloud applications entail the provision of a huge amount of heterogeneous, geographically-distributed resources managed and shared by many different stakeholders who often do not know each other beforehand. This raises numerous security concerns that, if not addressed carefully, might hinder the adoption of this promising computational model. Appropriately dealing with these threats gains special relevance in the social cloud context, where computational resources are provided by the users themselves. We argue that taking trust and reputation requirements into account can leverage security in these scenarios by incorporating the notions of trust relationships and reputation into them. For this reason, we propose a development framework onto which developers can implement trust-aware social cloud applications. Developers can also adapt the framework in order to accommodate their application-specific needs.

}, keywords = {architecture, framework, social cloud, Trust and reputation requirements}, issn = {0947-3602}, doi = {10.1007/s00766-013-0171-x}, author = {Francisco Moyano and Carmen Fernandez-Gago and Javier Lopez} } @article {MFLR13, title = {Secure sealed-bid online auctions using discreet cryptographic proofs}, journal = {Mathematical and Computer Modelling}, volume = {57}, year = {2013}, month = {Jun 2013}, pages = {2583{\textendash}2595}, publisher = {Elsevier}, abstract = {

This work describes the design and implementation of an auction system using secure multiparty computation techniques. Our aim is to produce a system that is practical under actual field constraints on computation, memory, and communication. The underlying protocol is privacy-preserving, that is, the winning bid is determined without information about the losing bids leaking to either the auctioneer or other bidders. Practical implementation of the protocol is feasible using circuit-based cryptographic proofs along with additively homomorphic bit commitment. Moreover, we propose the development of a Proof Certificate standard. These certificates convey sufficient information to recreate the cryptographic proofs and verify them offline.

}, issn = {0895-7177}, doi = {http://dx.doi.org/10.1016/j.mcm.2011.07.027}, author = {Jose A. Montenegro and Michael J. Fischer and Javier Lopez and Rene Peralta} } @article {Alcaraz2011, title = {An Early Warning System based on Reputation for Energy Control Systems}, journal = {IEEE Transactions on Smart Grid}, volume = {2}, number = {4}, year = {2011}, month = {Nov 2011}, pages = {827-834}, publisher = {IEEE}, abstract = {

Most energy control or SCADA (Supervisory Control and Data Acquisition) systems are very dependent on advanced technologies and on traditional security mechanisms for protecting the system against anomalous events. Security mechanisms are not enough to be used in critical systems, since they can only detect anomalous events occurring at a certain moment in time. For this reason, the use of intelligent systems capable of preventing anomalous situations and reacting to them in time becomes of paramount importance. Early Warning Systems (EWS) are one example of this type of system. In this paper, we propose an EWS based on Wireless Sensor Networks (WSNs) (under the ISA100.11a standard) and reputation for controlling the network behaviour. The WSNs are organized into clusters where a Cluster Head (CH) is designated. This CH will contain a Reputation Manager Module. The usability of this approach is also analyzed considering a Smart Grid scenario. Keywords: Critical Information Infrastructures, Sensor Networks, Early Warning Systems, Reputation, SCADA Systems, Smart Grid.

}, keywords = {Early Warning Systems, Reputation, SCADA Systems, Smart Grid, wireless sensor networks}, issn = {1949-3053}, doi = {10.1109/TSG.2011.2161498}, author = {Cristina Alcaraz and Carmen Fernandez-Gago and Javier Lopez} } @article {rosado2010d, title = {Security Services Architecture for Secure Mobile Grid Systems}, journal = {Journal of Systems Architecture}, volume = {57}, year = {2011}, month = {2011}, pages = {240-258}, publisher = {Elsevier}, address = {Mobile Grid, is a full inheritor of the Grid with the additional feature that it supports mobile users and resources. Security is an important aspect in Grid based systems, and it is more complex to ensure this in a mobile platform owing to the limitation}, abstract = {

Mobile Grid is a full inheritor of the Grid with the additional feature that it supports mobile users and resources. Security is an important aspect in Grid based systems, and it is more complex to ensure this in a mobile platform owing to the limitations of resources in these devices. A Grid infrastructure that supports the participation of mobile nodes and incorporates security aspects will thus play a significant role in the development of Grid computing. The idea of developing software through systematic development processes to improve software quality is not new. However, many information systems such as those of Grid Computing are still not developed through methodologies which have been adapted to their most differentiating features. The lack of adequate development methods for this kind of systems in which security is taken into account has encouraged us to build a methodology to develop them, offering a detailed guide for their analysis, design and implementation. It is important to use software V\&V techniques, according to IEEE Std. 1012 for Software Verification and Validation, to ensure that a software system meets the operational needs of the user. This ensures that the requirements for the system are correct, complete, and consistent, and that the life-cycle products correctly design and implement system requirements. This paper shows part of a development process that we are elaborating for the construction of information systems based on Grid Computing, which are highly dependent on mobile devices in which security plays a highly important role. In the design activity of the process, we design a security architecture which serves as a reference for any mobile Grid application that we wish to build since this security architecture defines a complete set of security services which will be instantiated depending on the requirements and features found in previous activities of the process.
A V\&V task is also defined in the design activity to validate and verify both the architecture built and the traceability of the artifacts generated in this activity. In this paper, we will present the service-oriented security architecture for Mobile Grid Systems which considers all possible security services that may be required for any mobile Grid application.

}, issn = {1383-7621}, author = {David G. Rosado and Eduardo Fernandez-Medina and Javier Lopez} } @article {rosado2011, title = {Systematic Design of Secure Mobile Grid Systems}, journal = {Journal of Network and Computer Applications}, volume = {34}, year = {2011}, month = {2011}, pages = {1168-1183}, publisher = {Elsevier}, abstract = {

\ Grid computing has arisen as an evolution of distributed systems mainly focused on the sharing of and remote access to resources in a uniform, transparent, secure, efficient and reliable manner. It is possible to join Grid technology and mobile technology in order to create one of the most promising technologies and developments to appear in recent years, in that they enrich one another and provide new solutions that solve many of the limitations and problems found in different technologies. Security is a very important factor in Mobile Grid Computing and is also difficult to achieve owing to the open nature of wireless networks and heterogeneous and distributed environments. Success in obtaining a secure system originates in incorporating security from the first stages of the development process. It has therefore been necessary to define a development process for this kind of systems in which security is incorporated in all stages of the development and the features and particularities of the Mobile Grid systems are taken into consideration. This paper presents one of the activities of this development process, the design activity, which consists of defining and designing a security software architecture. This architecture will be built from a security architecture, defined as reference architecture, in which security services, interfaces and operations are defined with the purpose of defining a reference security architecture which covers the majority of security requirements identified in the analysis activity. The design activity will build the system architecture that will be the input artefact for the subsequent activity in the process, which is the construction activity.

}, issn = {1084-8045}, author = {David G. Rosado and Eduardo Fernandez-Medina and Javier Lopez and Mario Piattini} } @article {rosado2009, title = {Towards a UML Extension of Reusable Secure Use Cases for Mobile Grid systems}, journal = {IEICE Trans. on Information and Systems}, volume = {E94-D}, year = {2011}, month = {Feb 2011}, pages = {243-254}, publisher = {IEICE}, abstract = {

The systematic processes exactly define the development cycle and help the development team follow the same development strategies and techniques, thus allowing a continuous improvement in the quality of the developed products. Likewise, it is important that the development process used integrates security aspects from the first stages at the same level as other functional and non-functional requirements. Grid systems allow us to build very complex information systems with different and remarkable features (interoperability between multiple security domains, cross-domain authentication and authorization, dynamic, heterogeneous and limited mobile devices, etc). With the development of wireless technology and mobile devices, the Grid becomes the perfect candidate for letting mobile users carry out complex tasks that add new computational capacity to the Grid. A methodology of development for secure mobile Grid systems is being defined. One of the activities of this methodology is the requirements analysis, which is based on reusable use cases. In this paper, we will present a UML-extension for security use cases and Grid use cases which capture the behaviour of this kind of systems. A detailed description of all these new use cases defined in the UML extension is necessary, describing the stereotypes, tagged values, constraints and graphical notation. We show an example of how to apply and use this extension for building the diagram of use cases and incorporating common security aspects for this kind of systems. Also, we will see how the diagrams built can be reused in the construction of other diagrams, saving time and effort in this task.


}, issn = {0916-8532}, doi = {10.1587/transinf.E94.D.243}, author = {David G. Rosado and Eduardo Fernandez-Medina and Javier Lopez and Mario Piattini} } @article {rosado2010b, title = {Analysis of Secure Mobile Grid Systems: A Systematic Approach}, journal = {Information and Software Technology}, volume = {52}, year = {2010}, month = {May 2010}, pages = {517-536}, publisher = {Elsevier}, abstract = {

Developing software through systematic processes is becoming more and more important due to the growing complexity of software development. It is important that the development process used integrates security aspects from the first stages at the same level as other functional and non-functional requirements. Systems which are based on Grid Computing are a kind of systems that have clear differentiating features in which security is a highly important aspect. The Mobile Grid, which is relevant to both Grid and Mobile Computing, is a full inheritor of the Grid with the additional feature that it supports mobile users and resources. A development methodology for Secure Mobile Grid Systems is proposed in which the security aspects are considered from the first stages of the life-cycle and in which the mobile Grid technological environment is always present in each activity. This paper presents the analysis activity, in which the requirements (focusing on the grid, mobile and security requirements) of the system are specified and which is driven by reusable use cases through which the requirements and needs of these systems can be defined. These use cases have been defined through a UML-extension for security use cases and Grid use cases which capture the behaviour of this kind of systems. The analysis activity has been applied to a real case.

}, issn = {0950-5849}, doi = {10.1016/j.infsof.2010.01.002}, author = {David G. Rosado and Eduardo Fernandez-Medina and Javier Lopez and Mario Piattini} } @article {FerrerGomilla2009, title = {Certified electronic mail: Properties revisited}, journal = {Computers \& Security}, volume = {29}, number = {2}, year = {2010}, pages = {167 - 179}, abstract = {

Certified electronic mail is an added value to traditional electronic mail. In the definition of this service some differences arise: a message in exchange for a reception proof, a message and a non repudiation of origin token in exchange for a reception proof, etc. It greatly depends on whether we want to emulate the courier service or improve the service in the electronic world. If the definition of the service seems conflictive, the definition of the properties and requirements of a good certified electronic mail protocol is even more difficult. The features with the most consensus are the need for a fair exchange and the existence of a trusted third party (TTP). Each author chooses the properties that he or she considers the most important, and many times the list is conditioned by the proposal. Which kind of TTP must be used? Must it be verifiable, transparent and/or stateless? Which features must the communication channel fulfil? Which temporal requirements must be established? What kind of fairness is desired? What efficiency level is required? Are confidentiality or transferability of the proofs compulsory properties? In this paper we collect the definitions, properties and requirements related to certified electronic mail. The aim of the paper is to create a clearer situation and analyze how some properties cannot be achieved simultaneously. Each protocol designer will have to decide which properties are the most important in the environment in which the service is to be deployed.

}, keywords = {Certified electronic mail, Fairness, Non repudiation, Properties, Timeliness, Trusted third parties}, issn = {0167-4048}, doi = {10.1016/j.cose.2009.06.009}, url = {http://www.sciencedirect.com/science/article/B6V8G-4WR19XR-1/2/eda89f747b077fc68fa061f213ddf6d5}, author = {Josep L. Ferrer-Gomilla and Jose A. Onieva and Magdalena Payeras and Javier Lopez} } @article {rofelopi, title = {Developing a Secure Mobile Grid System through a UML Extension}, journal = {Journal of Universal Computer Science}, volume = {16}, number = {17}, year = {2010}, month = {Sep 2010}, pages = {2333-2352}, publisher = {Springer}, abstract = {

The idea of developing software through systematic development processes to improve software quality is not new. Nevertheless, there are still many information systems such as those of Grid Computing which are not developed through methodologies that are adapted to their most differentiating features. A systematic development process for Grid systems that supports the participation of mobile nodes and incorporates security aspects into the entire software lifecycle will thus play a significant role in the development of systems based on Grid computing. We are creating a development process for the construction of information systems based on Grid Computing, which is highly dependent on mobile devices, in which security plays a highly important role. One of the activities in this process is that of analysis which is focused on ensuring that the system{\textquoteright}s security and functional requirements are elicited, specified and modelled. In our approach, this activity is driven by use cases and supported by the reusable repository. This obtains, builds, defines and refines the use cases of the secure Mobile Grid systems which represent the functional and non-functional requirements of this kind of systems. In this paper, we present the proposed development process through which we introduce the main aspects of the UML profile defined for building use case diagrams in the mobile Grid context through which it is possible to represent specific mobile Grid features and security aspects, showing in detail how to build use case diagrams for a real mobile Grid application by using our UML profile, denominated as GridUCSec-Profile.

}, issn = {0948-695x}, doi = {10.3217/jucs-016-17-2333}, author = {David G. Rosado and Eduardo Fernandez-Medina and Javier Lopez and Mario Piattini} } @article {JordiForne2009, title = {Pervasive Authentication and Authorization Infrastructures for Mobile Users}, journal = {Computers \& Security}, volume = {29}, year = {2010}, pages = {501-514}, publisher = {Elsevier}, abstract = {

Network and device heterogeneity, nomadic mobility, intermittent connectivity and, more generally, extremely dynamic operating conditions, are major challenges in the design of security infrastructures for pervasive computing. Yet, in a ubiquitous computing environment, limitations of traditional solutions for authentication and authorization can be overcome with a pervasive public key infrastructure (pervasive-PKI). This choice allows the validation of credentials of users roaming between heterogeneous networks, even when global connectivity is lost and some services are temporarily unreachable. Proof-of-concept implementations and testbed validation results demonstrate that strong security can be achieved for users and applications through the combination of traditional PKI services with a number of enhancements like: (i) dynamic and collaborative trust model, (ii) use of attribute certificates for privilege management, and (iii) modular architecture enabling nomadic mobility and enhanced with reconfiguration capabilities.

}, issn = {0167-4048}, doi = {10.1016/j.cose.2009.09.001}, author = {Jordi Forne and Francisca Hinarejos and Andres Marin and Florina Almenarez and Javier Lopez and Jose A. Montenegro and Marc Lacoste and Daniel Diaz} } @article {Agudo2010b, title = {A Scale Based Trust Model for Multi-Context Environments}, journal = {Computers and Mathematics with Applications}, volume = {60}, year = {2010}, month = {July}, pages = {209-216}, publisher = {Elsevier}, abstract = {

When interactions among users of a system have to take place, for example, over the internet, establishing trust relationships among these users becomes crucial. However, the way this trust is established depends to a certain extent on the context where the interactions take place. Most of the time, trust is encoded as a numerical value that might not be very meaningful for a not very experienced user. In this paper we propose a model that takes into account the semantic and the computational sides of trust. This avoids users having to deal directly with the computational side; they instead deal with meaningful labels such as Bad or Good in a given context.

}, issn = {0898-1221}, doi = {10.1016/j.camwa.2010.02.009}, author = {Isaac Agudo and Carmen Fernandez-Gago and Javier Lopez} } @article {vivas2009, title = {A security framework for a workflow-based grid development platform.}, journal = {Computer Standards and Interfaces}, volume = {32}, number = {5-6}, year = {2010}, month = {Oct 2010}, pages = {230-245}, publisher = {Elsevier}, abstract = {

This paper describes the security framework that is to be developed for the generic grid platform created for the project GREDIA. This platform is composed of several components that need to be secured. The platform uses the OGSA standards, so that the security framework will follow GSI, the portion of Globus that implements security. Thus, we will show the security features that GSI already provides and we will outline which others need to be created or enhanced.

}, issn = {0920-5489}, doi = {10.1016/j.csi.2009.04.001}, author = {Jose L. Vivas and Carmen Fernandez-Gago and Andres Benjumea and Javier Lopez} } @article {JavierLopezMunoz2010, title = {Trust Management Systems for Wireless Sensor Networks: Best practices}, journal = {Computer Communications}, volume = {33}, number = {9}, year = {2010}, pages = {0140-3664}, publisher = {Elsevier}, abstract = {

Wireless sensor networks (WSNs) have been proven a useful technology for perceiving information about the physical world and as a consequence has been used in many applications such as measurement of temperature, radiation, flow of liquids, etc. The nature of this kind of technology, and also their vulnerabilities to attacks make the security tools required for them to be considered in a special way. The decision making in a WSN is essential for carrying out certain tasks as it aids sensors establish collaborations. In order to assist this process, trust management systems could play a relevant role. In this paper, we list the best practices that we consider are essential for developing a good trust management system for WSN and make an analysis of the state of the art related to these practices.

}, issn = {0140-3664}, doi = {10.1016/j.comcom.2010.02.006}, author = {Javier Lopez and Rodrigo Roman and Isaac Agudo and Carmen Fernandez-Gago} } @article {Agudo2009, title = {Concurrent access control for multi-user and multi-processor systems based on trust relationships}, journal = {Concurrency and Computation: Practice and Experience}, volume = {21}, year = {2009}, month = {July}, pages = {1389-1403}, publisher = {John Wiley \& Sons}, abstract = {

Concurrent access control is an old problem in many fields in Computer Science. It has been solved in many languages and systems, using mechanisms like monitors or priority queues. Nowadays computers implement multi-core capabilities. This means that they are virtually capable of execution of processes in parallel. This requires new techniques and open new issues in the field of concurrent access control. Moreover, most operating systems are multi-user; thus, we have to focus on a multi-processor multi-user scenario. Trust becomes a paramount aspect when building distributed applications; the same applies on a lower scale in modern computers. We propose the use of a trust graph that keeps record of the trust relationships of the system and helps in deciding on concurrent access requests. The information encoded in the graph will be used both in order to decide on the access requests and to order granted requests in terms of their associated trust level

}, issn = {1532-0626}, doi = {10.1002/cpe.1430}, author = {Isaac Agudo and Carmen Fernandez-Gago and Javier Lopez} } @article {rosado2009c, title = {Obtaining Security Requirements for a Mobile Grid System}, journal = {International Journal of Grid and High Performance Computing}, volume = {1}, year = {2009}, month = {Jan 2009}, pages = {1-17}, publisher = {IGI-Global}, abstract = {

Mobile Grid includes the characteristics of the Grid systems together with the peculiarities of Mobile Computing, with the additional feature of supporting mobile users and resources in a seamless, transparent, secure and efficient way. Security of these systems, due to their distributed and open nature, is considered a topic of great interest. We are elaborating a methodology of development to build secure mobile grid systems considering security on all life cycle. In this paper we present the practical results applying our methodology to a real case, specifically we apply the part of security requirements analysis to obtain and identify security requirements of a specific application following a set of tasks defined for helping us in the definition, identification and specification of the security requirements on our case study. The methodology will help us to build a secure grid application in a systematic and iterative way.

}, issn = {1938-0259}, doi = {10.4018/IJGHPC}, author = {David G. Rosado and Eduardo Fernandez-Medina and Javier Lopez} } @article {Alcaraz2008a, title = {Gesti{\'o}n segura de redes SCADA}, journal = {Nuevas tendencias en gesti{\'o}n de redes, Nov{\'a}tica}, number = {196}, year = {2008}, month = {December}, pages = {20-25}, publisher = {CEPIS}, abstract = {

En el momento que se introduce en el mercado nuevas tecnolog{\'\i}as basadas en entornos distribuidos comienzan a surgir en paralelo nuevos problemas de seguridad en los sistemas SCADA (Supervisory Control and Data Acquisition), los cuales monitorizan y gestionan otras infraestructuras de gran complejidad y escala. Un fallo o una interrupci{\'o}n en uno de sus componentes podr{\'\i}a suponer un impacto negativo sobre la funcionalidad de otras infraestructuras, por lo que se hace necesario realizar frecuentes an{\'a}lisis de seguridad para as{\'\i} mantener actualizado el conocimiento y proveer recomendaciones y/o soluciones para mitigar o evitar futuras ocurrencias, garantizando una gesti{\'o}n de red fiable y siempre disponible.

}, keywords = {An{\'a}lisis de Seguridad, Gesti{\'o}n de red SCADA, Supervisory Control and Data Acquisition Systems}, issn = {0211-2124}, url = {http://www.ati.es/novatica/indice.html$\#$196}, author = {Cristina Alcaraz and Gerardo Fernandez and Rodrigo Roman and Angel Balastegui and Javier Lopez} } @article {Alcaraz2008b, title = {Secure Management of SCADA Networks}, journal = {Novatica, New Trends in Network Management}, volume = {9}, number = {6}, year = {2008}, month = {December}, pages = {22-28}, publisher = {Cepis UPGRADE}, abstract = {

When a Supervisory Control and Data Acquisition (SCADA) system monitors and manages other complex infrastructures through the use of distributed technologies, it becomes a critical infrastructure by itself: A failure or disruption in any of its components could implicate a serious impact on the performance of the other infrastructures. The connection with other systems makes a SCADA system more vulnerable against attacks, generating new security problems. As a result, it is essential to perform diverse security analysis frequently in order to keep an updated knowledge and to provide recommendations and/or solutions to mitigate or avoid anomalous events. This will facilitate the existence of a suitable, reliable, and available control network.

}, keywords = {SCADA network management, Security Analysis, Supervisory Control and Data Acquisition Systems}, issn = {1684-5285}, url = {http://www.upgrade-cepis.org/issues/2008/6/up9-6Alcaraz.pdf}, author = {Cristina Alcaraz and Gerardo Fernandez and Rodrigo Roman and Angel Balastegui and Javier Lopez} } @article {Dix07, title = {Temporal Logics of Knowledge and their Applications in Security}, journal = {First Workshop in Information and Computer Security (ICS{\textquoteright}06)}, volume = {186}, year = {2007}, pages = {27-42}, publisher = {Elsevier}, address = {Timisoara, Romania}, abstract = {

Temporal logics of knowledge are useful for reasoning about situations where the knowledge of an agent or component is important, and where change in this knowledge may occur over time. Here we investigate the application of temporal logics of knowledge to the specification and verification of security protocols. We show how typical assumptions relating to authentication protocols can be specified. We consider verification methods for these logics, in particular, focusing on proofs using clausal resolution. Finally we present experiences from using a resolution based theorem prover applied to security protocols specified in temporal logics of knowledge.

}, keywords = {security, temporal resolution}, issn = {1571-0661}, doi = {10.1016/j.entcs.2006.11.043}, author = {Clare Dixon and Carmen Fernandez-Gago and Michael Fisher and Wiebe van der Hoek} } @article {Fernandez2005, title = {First-Order Temporal Verification in Practice}, journal = {Journal of Automated Reasoning}, volume = {34}, year = {2005}, pages = {295-321}, publisher = {Springer}, abstract = {

First-order temporal logic, the extension of first-order logic with operators dealing with time, is a powerful and expressive formalism with many potential applications. This expressive logic can be viewed as a framework in which to investigate problems specified in other logics. The monodic fragment of first-order temporal logic is a useful fragment that possesses good computational properties such as completeness and sometimes even decidability. Temporal logics of knowledge are useful for dealing with situations where the knowledge of agents in a system is involved. In this paper we present a translation from temporal logics of knowledge into the monodic fragment of first-order temporal logic. We can then use a theorem prover for monodic first-order temporal logic to prove properties of the translated formulas. This allows problems specified in temporal logics of knowledge to be verified automatically without needing a specialized theorem prover for temporal logics of knowledge. We present the translation, its correctness, and examples of its use.

}, issn = {0168-7433}, doi = {10.1007/s10817-005-7354-1}, author = {Carmen Fernandez-Gago and Ullrich Hustadt and Clare Dixon and Michael Fisher and Boris Konev} } @article {Winfield2005, title = {On the Formal Specification of Emergent Behaviours of Swarm Robotics Systems}, journal = {International Journal of Advanced Robotic Systems}, volume = {2}, year = {2005}, pages = {363-371}, publisher = {SAGE Publishing}, abstract = {

It is a characteristic of swarm robotics that specifying overall emergent swarm behaviours in terms of the low-level behaviours of individual robots is very difficult. Yet if swarm robotics is to make the transition from the laboratory to real-world engineering realisation we need such specifications. This paper explores the use of temporal logic to formally specify, and possibly also prove, the emergent behaviours of a robotic swarm. The paper makes use of a simplified wireless connected swarm as a case study with which to illustrate the approach. Such a formal approach could be an important step toward a disciplined design methodology for swarm robotics.

}, keywords = {Swarm Robotics, temporal resolution}, issn = {1729-8806}, doi = {10.5772/5769}, author = {Alan Winfield and Jin Sa and Carmen Fernandez-Gago and Clare Dixon and Michael Fisher} }