TY - GEN
T1 - Characterizing dynamics of information leakage in security-sensitive software process
AU - Kanzaki, Yuichiro
AU - Igaki, Hiroshi
AU - Nakamura, Masahide
AU - Monden, Akito
AU - Matsumoto, Ken Ichi
PY - 2005/12/1
Y1 - 2005/12/1
N2 - Minimizing information leakage is a crucial problem in DRM software development processes, where security information (e.g., device keys and S-BOX of CPRM systems) must be rigorously managed. This paper presents a method to evaluate the risk of information leakage in a software process for security-sensitive applications. A software process is modeled as a series of sub-processes, each of which produces new work products from input products. Since a process is conducted usually by multiple developers, knowledge of work products is shared among the developers. Through the collaboration, a developer may tell others the knowledge of products that are not related to the process. We capture the transfer of such irrelevant product knowledge as the information leakage in a software process. In this paper, we first formulate the problem of information leakage by introducing a formal software process model. Then, we propose a method to derive the probability that each developer d knows each work product p at a given process of software development. The probability reflects the possibility that someone leaked the knowledge of p to d, unless it is equal to 1.0. We also conduct a quantitative case study to demonstrate how the information leakage varies depending on the assignment of developers.
AB - Minimizing information leakage is a crucial problem in DRM software development processes, where security information (e.g., device keys and S-BOX of CPRM systems) must be rigorously managed. This paper presents a method to evaluate the risk of information leakage in a software process for security-sensitive applications. A software process is modeled as a series of sub-processes, each of which produces new work products from input products. Since a process is conducted usually by multiple developers, knowledge of work products is shared among the developers. Through the collaboration, a developer may tell others the knowledge of products that are not related to the process. We capture the transfer of such irrelevant product knowledge as the information leakage in a software process. In this paper, we first formulate the problem of information leakage by introducing a formal software process model. Then, we propose a method to derive the probability that each developer d knows each work product p at a given process of software development. The probability reflects the possibility that someone leaked the knowledge of p to d, unless it is equal to 1.0. We also conduct a quantitative case study to demonstrate how the information leakage varies depending on the assignment of developers.
UR - http://www.scopus.com/inward/record.url?scp=84871642041&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84871642041&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:84871642041
SN - 1920682260
SN - 9781920682262
T3 - Conferences in Research and Practice in Information Technology Series
SP - 145
EP - 151
BT - ACSW Frontiers 2005 - Third Australasian Workshop on Grid Computing and e-Research, AusGrid 2005 and the Third Australasian Information Security Workshop, AISW 2005
T2 - 3rd Australasian Workshop on Grid Computing and e-Research, AusGrid 2005 and 3rd Australasian Information Security Workshop, AISW 2005
Y2 - 31 January 2005 through 1 February 2005
ER -