Open Access
Guest Editor's Preface
Author(s) - Yingjiu Li
Publication year - 2012
Publication title - Journal of Computer Security
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.201
H-Index - 56
eISSN - 1875-8924
pISSN - 0926-227X
DOI - 10.3233/jcs-2012-0448
Subject(s) - computer science
This Special Issue is based on original research ideas that were initially expressed in papers published in the Proceedings of the 15th European Symposium on Research in Computer Security (ESORICS-2010). ESORICS-2010 was held in September 2010 in Athens, Greece. The symposium has a tradition that goes back two decades. It brings together the international research community in a top-quality event that covers all areas of computer security, ranging from theory to applications. ESORICS-2010 received 201 submissions, which went through a careful review process. As a result of this process, 42 papers were selected for the final program (21% acceptance rate).

To further promote the fast-evolving research in security, a few research papers were selected, among those published in the proceedings of ESORICS-2010, for a Special Issue in the Journal of Computer Security. These papers were significantly extended and went through another rigorous review. As a result, the Special Issue finally includes four papers. The papers reflect different aspects of security, ranging from RFID privacy and PKI-based systems to information flow and the IO2BO threat. A brief description of them is provided below.

In their paper, entitled “On bounding problems of quantitative information flow”, H. Yasuoka and T. Terauchi investigate the hardness of precisely checking the quantitative information flow of a program. More precisely, the authors study the “bounding problem” of quantitative information flow, defined as follows: given a program M and a positive real number q, decide if the quantitative information flow of M is less than or equal to q. The authors prove that the bounding problem is not a k-safety property for any k (even when q is fixed, for the Shannon-entropy-based definition with the uniform distribution), and thus is not amenable to the self-composition technique that has been successfully applied to checking non-interference. They also prove complexity-theoretic hardness results for the case when the program is restricted to loop-free Boolean programs.

C. Zhang, T. Wang, T. Wei, Y. Chen and W. Zou, in their paper, entitled “Using type analysis in compiler to mitigate integer-overflow-to-buffer-overflow threat”, deal with one of the top two causes of software vulnerabilities in operating systems, i.e., the integer overflow and, specifically, the Integer Overflow to Buffer Overflow (IO2BO) vulnerability. The authors present the design and implementation of IntPatch, a compiler extension for automatically fixing IO2BO vulnerabilities in C/C++ programs at compile time. IntPatch utilizes classic type theory and a dataflow analysis framework to identify potential IO2BO vulnerabilities. It then uses backward slicing to find the related vulnerable arithmetic operations and instruments programs with
