Design theory methods and their applications to the science of security

Abstract

This Thesis introduces the research program Design Theory Framework for the Science of Security (DEFSYS) and presents its application to four areas of information security. The primary line of presented DEFSYS-activities concerns vulnerability research problems in software security, approached from a software (security) testing point of view, targeting the three areas of system security, injection attacks and security protocol testing. The secondary line of presented DEFSYS-activities evolves around the area of online privacy research, specifically targeting browser fingerprinting. In all applications of DEFSYS given this Thesis, we concentrate on pointing out how discrete mathematical models can be used synergistically together with combinatorial methods to address problems in information security. Two inherent properties of the employed combinatorial design structures play a significant role and provide benefits in all four presented applications within information security: guaranteed coverage (e.g., of tuples or sub-permutations) and – simultaneously – efficiency (e.g., given by reduced test set sizes). Our research on DEFSYS presented in this Thesis has been empirically supported and validated by our achieved combinatorial security testing results in all four given application areas of information security.