System and Software Security

Security systems are often designed in response to specific needs using a range of techniques (including cryptography) in order to achieve the stated security requirements. Using systematic approaches in design and evaluation of security of a system provides higher assurance about the performance of that system. Malicious software aim at subverting security of the systems and gaining unauthorized privileges. Detection of malicious software and protection against them is particularly challenging due to the complexity of today’s software systems.

Digital Rights Management

Digital Rights Management (DRM) systems ensure the ownership rights of content authors, owner, distributor and users are preserved during the life time of a digital object. Compared to a traditional access control system, DRM systems not only provide a finer level of access control but also ensure protection is provided throughout the lifetime of the object. The protection for data is provided by making access according to the stated policy of the rights holder. Modern DRM systems use a *license* to encapsulate the policy attached to a data object. This allows separation of the distribution channels for licenses and the actual data: data objects are encrypted and super-distributed, and users pay for a set of access rights (e.g., play 5 times). A license is a written in a machine readable and enforceable rights expression language (e.g, XrML, ODRL). The content player takes the encrypted object and the license and plays the content ensuring the stated rights are enforced. DRM systems have found wide application in entertainment, game industry and document management for businesses.

We are researching user centered methods of secure content distribution and in particular providing support for content sharing. This includes secure sharing within an organization, across organizations and in homes. We have developed a testbed for implementing and experimenting new designs based on well established frameworks (MPGE 21 and OMA).

Privacy Rights Management

ISPIA provides security solutions that rely on in depth mathema

Information privacy can be seen as individuals’ control on their personal information. People must be able to determine who, when, how, and to what extent information about them is accessible to others. Organizations publish a privacy policy stating what they will do with the collected data. Privacy management systems allow organizations and individuals to express their privacy policy and preferences, respectively, and ensure that access to data conforms with the stated policy. Privacy rights management use formal languages to express privacy policies and preferences. To enforce policies rule-base approach and license based approach has been used. An example policy language and enforcement system is P3P, a language proposed by WWW Consortium, and E-P3P.

We are researching user-centered privacy protecting systems for organisations. Users are able to express their preferences that are submitted together with their private data to organizations. The system ensures that their preferences are enforced with the organization and as data moves from one organization to the other.


Biometrics refers to a study of physical and behavioral characteristics with the purpose of person identification. In recent years, the area of biometrics has witnessed a tremendous growth, partly as a result of a pressing need for increased security, and partly as a response to the new technological advances and discoveries. Availability of much more affordable storage and the high resolution image biometric capturing devices have contributed to accumulating very large datasets of biometric data and made person identification and verification tasks easier than ever. On the other hand, it also created significant challenges driven by the higher than ever volumes and the complexity of the data, that can no longer be resolved through acquisition of more memory, faster processors or optimization of existing algorithms. These developments justified the need for radically new concepts for massive data storage, processing and synthesis, which is the scope of research in ISPIA partner, Biometric Tehcnologies Laboratory, University of Calgary.

Malicious Software

There is an unprecedented amount of computer viruses, worms, Trojan horses, spyware, and other malicious software roaming the Internet. Reactive defenses won't win the war: we are proactively looking at new threats and how to stop them, and examining new ways to stop old threats. Some of our recent work has identified times when the Internet is especially vulnerable to attack, new ways that malicious software might obscure its code, and new configurations and uses for hijacked computers.

Security Evaluation and Testing

An important part of Information Security is testing all systems that work with certain information for potential security problems. A particular challenge for testing methods is so-called emergent behaviour between systems that are not intended by the developers of these systems (usually not even imagined), but that can occur under certain circumstances (that are not known by developers or testers).

Our research in this area uses concepts from machine learning and multi-agent systems to search for unwanted emergent behaviour that poses a security problem for one or several systems. Based on a high-level description of an unwanted behavior (like "User with these access rights should not access some particular information"), a learning system interacts with the system to be tested, posing as users and/or other systems, analyzing the behavior of the tested system, and determining how close this behavior is to the unwanted behavior. It then creates new interaction strategies that have a chance to bring the tested system nearer to the unwanted behavior. This is repeated until the unwanted behavior is revealed.