privacy and security research has been very active concerning online social networks (OSN) as a vast amount of personal information is used and published (by users) within OSNs. However, most people do not pay attenti...
详细信息
ISBN:
(纸本)9781450356329
privacy and security research has been very active concerning online social networks (OSN) as a vast amount of personal information is used and published (by users) within OSNs. However, most people do not pay attention on what personal information they provide during registration. Depending on what information is provided in (public) OSN profiles, that data might be misused by attackers e.g., for cross-site profile cloning. This paper assesses data provided by the user during the registration of OSNs. Therefore, it is investigated how OSN registration processes are typically modeled, which information is needed to create a profile in OSNs and which attack scenarios can occur based on the provided data. The results contribute to the understanding of OSN registration process design as well as requested data and to replicate and reuse processes for further privacy and security investigations.
While the control of individuals over their personal data is increasingly seen as an essential component of their privacy, the word "control" is usually used in a very vague way, both by lawyers and by compu...
详细信息
ISBN:
(纸本)9781450356329
While the control of individuals over their personal data is increasingly seen as an essential component of their privacy, the word "control" is usually used in a very vague way, both by lawyers and by computer scientists. This lack of precision may lead to misunderstandings and makes it difficult to check compliance. To address this issue, we propose a formal framework based on capacities to specify the notion of control over personal data and to reason about control properties. We illustrate our framework with social network systems and show that it makes it possible to characterize the types of control over personal data that they provide to their users and to compare them in a rigorous way.
Companies are often motivated to evaluate their environmental sustainability, and to make public pronouncements about their performance with respect to quantitative sustainability metrics. Public trust in these declar...
详细信息
ISBN:
(纸本)9781450356329
Companies are often motivated to evaluate their environmental sustainability, and to make public pronouncements about their performance with respect to quantitative sustainability metrics. Public trust in these declarations is enhanced if the claims are certified by a recognized authority. Because accurate evaluations of environmental impacts require detailed information about industrial processes throughout a supply chain, protecting the privacy of input data in sustainability assessment is of paramount importance. We introduce a new paradigm, called privacy-preserving certification, that enables the computation of sustainability indicators in a privacy-preserving manner, allowing firms to be classified based on their individual performance without revealing sensitive information to the certifier, other parties, or the public. In this work, we describe different variants of the certification problem, highlight the necessary security requirements, and propose a provably-secure novel framework that performs the certification operations under the management of an authorized, yet untrusted, party without compromising confidential information.
Bluetooth Low Energy is a ubiquitous technology, with applications in the fitness, healthcare and smart home sectors, to name but a few. In this paper, we present an open-source Profiler for classifying the protection...
详细信息
ISBN:
(纸本)9781450356329
Bluetooth Low Energy is a ubiquitous technology, with applications in the fitness, healthcare and smart home sectors, to name but a few. In this paper, we present an open-source Profiler for classifying the protection level of data residing on a BLE device. Preliminary results obtained by executing the tool against several devices show that some BLE devices allow unauthenticated reads and writes from third party devices. This could expose them to a number of attacks and compromise the privacy, or even the physical safety, of the device owner.
Industrial control systems (ICS) are used to control and manage critical infrastructures and protecting these complex system and their interfaces, which can be exploited by internal and external attackers, are a vital...
详细信息
ISBN:
(纸本)9781450356329
Industrial control systems (ICS) are used to control and manage critical infrastructures and protecting these complex system and their interfaces, which can be exploited by internal and external attackers, are a vital security task. Sensors, as an interface device, are used by ICS to collect information about the physical environment and should be guarded against cyber attacks. This paper investigates how sensors can be used as a communication channel by hackers to send a malicious command and control into the ICS. Further, we examine how abusing sensory channel would lead to a data pattern, which can be detected by a proper signature-based intrusion detection system (IDS).
With the increasing inter-connection of operation technology to the IT network, the security threat to the Industrial Control System (ICS) is increasing daily. Therefore, it is critical to utilize formal verification ...
详细信息
ISBN:
(纸本)9781450356329
With the increasing inter-connection of operation technology to the IT network, the security threat to the Industrial Control System (ICS) is increasing daily. Therefore, it is critical to utilize formal verification technique such as model checking to mathematically prove the correctness of security and safety requirements in the controller logic before it is deployed on the field. However, model checking requires considerable effort for regular ICS users and control technician to verify properties. This paper, provides a simpler approach to the model checking of temperature process control system by first starting with the control module design without formal verification. Second, identifying possible vulnerabilities in such design. Third, verifying the safety and security properties with a formal method.
This paper describes how a privacy policy framework can be extended with timing information to not only decide if requests for data are allowed at a given point in time, but also to decide for how long such permission...
详细信息
ISBN:
(纸本)9781450359887
This paper describes how a privacy policy framework can be extended with timing information to not only decide if requests for data are allowed at a given point in time, but also to decide for how long such permission is granted. Augmenting policy decisions with expiration information eliminates the need to reason about access permissions prior to every individual data access operation. This facilitates the application of privacy policy frameworks to protect multimedia streaming data where repeated re-computations of policy decisions are not a viable option. We show how timing information can be integrated into an existing declarative privacy policy framework. In particular, we discuss how to obtain valid expiration information in the presence of complex sets of policies with potentially interacting policies and varying timing information.
Relationship-based access control (ReBAC) policies can express intricate protection requirements in terms of relationships among users and resources (which can be modeled as a graph). Such policies are useful in domai...
详细信息
ISBN:
(纸本)9781450356329
Relationship-based access control (ReBAC) policies can express intricate protection requirements in terms of relationships among users and resources (which can be modeled as a graph). Such policies are useful in domains beyond online social networks. However, given the updating graph of user and resources in a system and expressive conditions in access control policy rules, it can be very challenging for security administrators to envision what can (or cannot) happen as the protection system evolves. In this paper, we introduce the security analysis problem for this class of policies, where we seek to answer security queries about future states of the system graph and authorizations that are decided accordingly. Towards achieving this goal, we propose a state-transition model of a ReBAC protection system, called RePM. We discuss about formulation of security analysis queries in RePM and present our initial results for a limited version of this model.
Android applications are vulnerable to reverse engineering which could result in tampering and repackaging of applications. Even though there are many off the shelf obfuscation tools that hardens Android applications,...
详细信息
ISBN:
(纸本)9781450356329
Android applications are vulnerable to reverse engineering which could result in tampering and repackaging of applications. Even though there are many off the shelf obfuscation tools that hardens Android applications, they are limited to basic obfuscation techniques. Obfuscation techniques that transform the code segments drastically are difficult to implement on Android because of the Android runtime verifier which validates the loaded code. In this paper, we introduce a novel obfuscation technique, Android Encryption based Obfuscation (AEON), which can encrypt code segments and perform runtime decryption during execution. The encrypted code is running outside of the normal Android virtual machine, in an embeddable Java source interpreter and thereby circumventing the scrutiny of Android runtime verifier. Our obfuscation technique works well with Android source code and Dalvik bytecode.
暂无评论