The recent years have brought an influx of privacy conscious applications, that enable strong security guarantees for end-users via end-to-end or client-side encryption. Unfortunately, this application paradigm is not...
详细信息
ISBN:
(纸本)9781450380843
The recent years have brought an influx of privacy conscious applications, that enable strong security guarantees for end-users via end-to-end or client-side encryption. Unfortunately, this application paradigm is not easily transferable to web-based cloud applications. The reason for this lies within adversary's enhanced control over client-side computing through application provided JavaScript. In this paper, we propose CRYPTOMEMBRANES - a set of native client-side components that allow the development of web applications which provide a robust isolation layer between the client-side encrypted user data and the potentially untrusted JavaScript, while maintaining full interoperability with current client-side development practices. In addition, to enable a realistic transition phase, we show how CRYPTOMEMBRANES can be realized for currently existing web browsers via a standard browser extension.
Website fingerprinting (WFP) aims to infer information about the content of encrypted and anonymized connections by observing patterns of data flows based on the size and direction of packets. By collecting traffic tr...
详细信息
ISBN:
(纸本)9781450370899
Website fingerprinting (WFP) aims to infer information about the content of encrypted and anonymized connections by observing patterns of data flows based on the size and direction of packets. By collecting traffic traces at a malicious Tor entry node - one of the weakest adversaries in the attacker model of Tor - a passive eavesdropper can leverage the captured meta-data to reveal the websites visited by a Tor user. As recently shown, WFP is significantly more effective and realistic than assumed. Concurrently, former WFP defenses are either infeasible for deployment in real-world settings or defend against specific WFP attacks only. To limit the exposure of Tor users to WFP, we propose novel lightweight WFP defenses, TrafficSliver, which successfully counter today's WFP classifiers with reasonable bandwidth and latency overheads and, thus, make them attractive candidates for adoption in Tor. Through user-controlled splitting of traffic over multiple Tor entry nodes, TrafficSliver limits the data a single entry node can observe and distorts repeatable traffic patterns exploited by WFP attacks. We first propose a network-layer defense, in which we apply the concept of multipathing entirely within the Tor network. We show that our network-layer defense reduces the accuracy from more than 98% to less than 16% for all state-of-the-art WFP attacks without adding any artificial delays or dummy traffic. We further suggest an elegant client-side application-layer defense, which is independent of the underlying anonymization network. By sending single HTTP requests for different web objects over distinct Tor entry nodes, our application-layer defense reduces the detection rate of WFP classifiers by almost 50 percentage points. Although it offers lower protection than our network-layer defense, it provides a security boost at the cost of a very low implementation overhead and is fully compatible with today's Tor network.
Ethereum has emerged as the most popular smart contract platform, with hundreds of thousands of contracts stored on the blockchain and covering diverse application scenarios, such as auctions, trading platforms, or el...
详细信息
ISBN:
(纸本)9781450370899
Ethereum has emerged as the most popular smart contract platform, with hundreds of thousands of contracts stored on the blockchain and covering diverse application scenarios, such as auctions, trading platforms, or elections. Given the financial nature of smart contracts, security vulnerabilities may lead to catastrophic consequences and, even worse, can hardly be fixed as data stored on the blockchain, including the smart contract code itself, are immutable. An automated security analysis of these contracts is thus of utmost interest, but at the same time technically challenging. This is as e.g., Ethereum's transaction-oriented programming mechanisms feature a subtle semantics, and since the blockchain data at execution time, including the code of callers and callees, are not statically known. In this work, we present eThor, the first sound and automated static analyzer for EVM bytecode, which is based on an abstraction of the EVM bytecode semantics based on Horn clauses. In particular, our static analysis supports reachability properties, which we show to be sufficient for capturing interesting security properties for smart contracts (e.g., single-entrancy) as well as contract-specific functional properties. Our analysis is proven sound against a complete semantics of EVM bytecode, and a large-scale experimental evaluation on real-world contracts demonstrates that eThor is practical and outperforms the state-of-the-art static analyzers: specifically, eThor is the only one to provide soundness guarantees, terminates on 94% of a representative set of real-world contracts, and achieves an F-measure (which combines sensitivity and specificity) of 89%.
The proceedings contain 85 papers. The topics discussed include: proofs or remote execution and mitigation of TOCTOU attacks;global communication guarantees in the presence of adversaries;the Lazarus effect: healing c...
ISBN:
(纸本)9781450367509
The proceedings contain 85 papers. The topics discussed include: proofs or remote execution and mitigation of TOCTOU attacks;global communication guarantees in the presence of adversaries;the Lazarus effect: healing compromised devices in the Internet of small things;AuthCTC: defending against waveform emulation attack in heterogeneous IoT environments;DeepPower: non-intrusive and deep learning-based detection of IoT malware using power side channels;your smart home can’t keep a secret: towards automated fingerprinting of IoT Traffic;PassTag: a graphical-textual hybrid fallback authentication system;provable-security model for strong proximity-based attacks: with application to contactless payments;skeptic: automatic, justified and privacy-preserving password composition policy selection;preparing network intrusion detection deep learning models with minimal data using adversarial domain adaptation;creating character-based templates for log data to enable security event classification;and in-network filtering of distributed denial-of-service traffic with near-optimal rule selection.
privacy preservation is a big concern for various sectors. To protect individual user data, one emerging technology is differential privacy. However, it still has limitations for datasets with frequent queries, such a...
详细信息
The proceedings contain 45 papers. The topics discussed include: minimizing privilege assignment errors in cloud services;secure storage with replication and transparent deduplication;server-based manipulation attacks...
ISBN:
(纸本)9781450356329
The proceedings contain 45 papers. The topics discussed include: minimizing privilege assignment errors in cloud services;secure storage with replication and transparent deduplication;server-based manipulation attacks against machine learning models;smartprovenance: a distributed, blockchain based dataProvenance system;cross-app tracking via nearby Bluetooth low energy devices;privacy-preserving certification of sustainability metrics;capacity: an abstract model of control over personal data;remote attestation for low-end prover devices with post-quantum capabilities;IoTVerif: an automated tool to verify SSL/TLS certificate validation in Android MQTT client applications;keyboard emanations in remote voice calls: password leakage and noise(less) masking defenses;identifying relevant information cues for vulnerability assessment using CVSS;malware analysis of imaged binary samples by convolutional neural network with attention mechanism;automated generation of attack graphs using NVD;an empirical study of differentially-private analytics for high-speed network data;a low energy profile: analysing characteristic security on BLE peripherals;secure display for FIDO transaction confirmation;and SeCore:continuous extrospection with high visibility on multi-core ARM platforms.
暂无评论