Guest Editorial: Advances in Applied Security

In this special issue, we have selected five papers from the 6th International Conference on Availability, Reliability and Security (ARES 2011)1 and its workshops to show the breadth of research. The ARES conference brings together researchers and practitioners in the area of security. ARES highlights the various aspects of security—with special focus on the crucial linkage between availability, reliability, dependability and security. In security research seeing different research areas helps researchers to draw from experiences in other domains. In many cases, excellent research papers are a combination of previously known weaknesses that have been transferred to a new application domain such as mobile devices. Applied security is different to other research domains since the generalization of a specific research question is in many cases not the challenge. Deriving the special case from general case is not straightforward and people often make mistakes in this process, for instance when implementing file synchronization[1] or mobile text chats[2]. Insecurity comes from details that people get wrong. We do not want to dismiss the results of theoretical research; however, there are already many journals and conferences publish this sort of research as Gollmann et. al. have pointed out in their editorial in the very first issue of Springer’s International Journal of Information Security [3]. In this issue, the first and second papers addresse organizational security and network security respectively, while the third and fourth ones focus on digital forensics, and the last studies system security. The authors of the paper titled “SPRINTResponsibilities: Design and Development of Security Policies in Process-aware Information Systems” describe how to separate security policies and process logic in Process-Aware Information Systems [4]. This is essential since sensitive information is accessed by different systems. The authors describe a data model to represent arbitrary process related security policies and show how to map these security policies to actual processes and process instances. Anonymity solutions such as mix nets are well established. The second paper titled “Doubly-Anonymous Crowds: Using Secret-Sharing to achieve Senderand Receiver-Anonymity” [5] extends the existing Crowd-approach by providing sender and adjustable receiver anonymity. The authors show that a certain level of anonymity can be given in finitely large networks and fully controled by the sender. Digital forensics is a topic of increasing importance. The authors of the paper titled “Advanced File Carving Approaches for Multimedia Files” specifically focus on file fragments [6]. Unlike signature-based approaches, the statistical methods used by the authors, allow findings sets of blocks which are likely to be part of files that are the same type (e.g. JPG images). The authors then try reassemble the block in the correct order and use several heuristics to judge how reliable a reassembly option is. The fourth paper titled “Hiding Information into OOXML Documents: New Steganographic Perspectives” [7] provides a look at digital forensics from another perspective: Steganography can be seen as essentially one form of Anti-Forensics. A lot of information can be hidden OOXML files by for instance the choice of compression algorithms or by inserting zero-sized images. In the last paper titled “A virtualized usage control bus system” [8], the authors show how usage control can be enforced across layers to control the flow of information accross multiple layers of abstraction. Especially, they introduce a bus system to support system-wide usage control enforcement, and then evaluate its security and performance.