Software Security

CompSci 725 S2C 08
Clark Thomborson
Handout 3: Suggestions for Oral Reports

Version 1.31, 1 August 2008

1.      Authentication, Audit, Authorisation (AU)

[AU Ba03] D. Baldwin, S. Shiu, “Enabling Shared Audit Data”, in Information Security Conference (ISC 2003), LNCS 2851, Springer, pp. 14-28, 2003.  DOI: 10.1007/10958513_2.  Abstract.

[AU Bh06] A. Bhargav-Spantzel, A. Squicciarini, E. Bertino, “Establishing and Protecting Digital Identity in Federation Systems”, in J. Computer Security 14(3), pp. 269-300, 2006.  Abstract.

[AU Ga08] S. Gajek, J. Schwenk, X. Chen, “On the Insecurity of Microsoft's Identity Metasystem CardSpace”, Horst Görtz Institute for IT Security Technical Report HGI TR-2008-003, Ruhr-Universität Bochum, 17 pp., 9 June 2008.  Available: http://www.nds.ruhr-uni-bochum.de/gajek/papers/GaScXu08_CardSpaceTR.pdf, 23 July 2008.  Abstract.

[AU Ga06] S. Gaw, E. Felten, “Password Management Strategies for Online Accounts”, in Proc. 2nd Symp. on Usable Privacy and Security (SOUPS ’06), ACM, pp. 44-55, 2006.  DOI: 10.1145/1143120.1143127.  Abstract.

[AU Ro06] L. Rostad, O. Edsberg, “A Study of Access Control Requirements for Healthcare Systems Based on Audit Trails from Access Logs”, in 22nd Annual Computer Security Applications Conference (ACSAC ’06), IEEE, pp. 175-186, December 2006.  DOI: 10.1109/ACSAC.2006.8.  Abstract.

[AU Sc07] S. Schechter, R. Dhamija, A. Ozment, I. Fischer, “The Emperor’s New Security Indicators”, in IEEE Symp. on Security and Privacy (SP 2007), pp. 51-65, 2007.  DOI: 10.1109/SP.2007.35.  Abstract.

[AU St04] A. Stubblefield, D. Simon, “Inkblot Authentication”, Microsoft Research Technical Report MSR-TR-2004-85, 16 pp., August 2004.  Available: ftp://ftp.research.microsoft.com/pub/tr/TR-2004-85.pdf, 24 July 2008.  Abstract.

[AU Ya04] J. Yan, A. Blackwell, R. Anderson, A. Grant, “Password Memorability and Security: Empirical Results”, in IEEE Security & Privacy 2(5), pp. 25-31, 2004.  DOI: 10.1109/MSP.2004.81.  Abstract.

2.     Detection and Response (DR)

[DR Ca99] R. Canetti, R. Ostrovsky, “Secure Computation with Honest-Looking Parties (Extended Abstract): What If Nobody Is Truly Honest?”, in Proc. 31st Annual ACM Symp. on Theory of Computing (STOC ’99), pp. 255-264, 1999.  DOI: 10.1145/301250.301313.  Abstract.

[DR Co07] G. Cormack, T. Lynam, “Online Supervised Spam Filter Evaluation”, ACM Trans. Inf. Syst. 25(3):11, 31 pp., July 2007.  DOI: 10.1145/1247715.1247717.  Abstract.

[DR Fr08] G. Frantzeskou, S. MacDonell, E. Stamatatos, S. Gritzalis, “Examining the Significance of High-Level Programming Features in Source Code”, Journal of Systems and Software 81(3), pp. 447-460, March 2008.  DOI: 10.1016/j.jss.2007.03.004.  Abstract.

[DR Ne07] S. Neuhaus, T. Zimmermann, C. Holler, A. Zeller, “Predicting Vulnerable Software Components”, in ACM Conf. on Computer and Communications Security (CCS 2007), pp. 529-540, 2007.  DOI: 10.1145/1315245.1315311.  Abstract.

[DR So07] Y. Song, M. Locasto, A. Stavrou, A. Keromytis, S. Stolfo, “On the Infeasibility of Modeling Polymorphic Shellcode”, in ACM Conf. on Computer and Communications Security (CCS 2007), pp. 541-551, 2007.  DOI: 10.1145/1315245.1315312.  Abstract.

3.      Trustworthy Systems (TS)

[TS Dh07] G. Dhillon, “Designing Information Systems Security: Interpretations from British National Health Services Hospital”, in 3rd Annual Symp. on Information Assurance, School of Business, SUNY at Albany, pp. 20-28, 2007.  Available: http://www.albany.edu/iasymposium/2007/8-dhillon.pdf, 23 July 2008.  Abstract.

[TS Dw07] J. Dwoskin, R. Lee, “Hardware-rooted Trust for Secure Key Management and Transient Trust”, in ACM Conf. on Computer and Communications Security (CCS 2007), pp. 389-400, 2007.  DOI: 10.1145/1315245.1315294.  Abstract.

[TS Gr08] C. Grier, S. Tang, S. King, “Secure Web Browsing with the OP Web Browser”, in IEEE Symp. on Security and Privacy (SP 2008), pp. 402-416, 2008.  DOI: 10.1109/SP.2008.19.  Abstract.

[TS HI08] Health Information Strategy Action Committee, “Public Comment Draft: Authentication and Security Framework – Essentials and Recommendations”, draft number 10029.1/vPC, Ministry of Health, New Zealand, 48 pp., 9 July 2008.  Available: http://www.hisac.govt.nz/moh.nsf/pagescm/7442/$File/10029.1PC20080709.pdf, 28 July 2008.  Abstract.

[TS Ju05] A. Juels, “Strengthening EPC Tags Against Cloning”, in Proc. of the 4th ACM Workshop on Wireless Security (WiSe ’05), pp. 67-76, 2005.  DOI: 10.1145/1080793.1080805.  Abstract.

[TS Ke03] R. Kennell, L. Jamieson, “Establishing the Genuinity of Remote Computer Systems”, in Proc. 12th USENIX Security Symposium (SEC ’03), pp. 295-308, 2003.  Available: http://www.usenix.org/events/sec03/tech/kennell/kennell.pdf, 23 July 2008.  Abstract.

[TS Le05] R. Lee, P. Kwan, J. McGregor, J. Dwoskin, Z. Wang, “Architecture for Protecting Critical Secrets in Microprocessors”, in International Symposium on Computer Architecture 2005 (ISCA ’05), IEEE, pp. 2-13, 2005.  Abstract.

[TS Ro05] V. Roth, T. Straub, K. Richter, “Security and Usability Engineering with Particular Attention to Electronic Mail”, Int. J. Hum.-Comput. Stud. 63(1-2), pp. 51-73, 2005.  DOI: 10.1016/j.ijhcs.2005.04.015.  Abstract.

[TS Wh01] D. Wheeler, A. Conyers, J. Luo, A. Xiong, “Java Security Extensions for a Java Server in a Hostile Environment”, in 17th Annual Computer Security Applications Conference (ACSAC 2001), pp. 64-73, 2001.  DOI: 10.1109/ACSAC.2001.991522.  Abstract.

4.      Vulnerabilities and Attacks (VA)

[VA Br08] D. Brumley, P. Poosankam, D. Song, J. Zheng, “Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications”, in IEEE Symp. on Security and Privacy (SP 2008), pp. 143-157, 2008.  DOI: 10.1109/SP.2008.17.  Abstract.

[VA Dr08] S. Drimer, S. Murdoch, R. Anderson, “Thinking Inside the Box: System-Level Failures of Tamper Proofing”, in IEEE Symp. on Security and Privacy (SP 2008), pp. 281-295, 2008.  DOI: 10.1109/SP.2008.16.  Abstract.

[VA Fr07] J. Franklin, V. Paxson, “An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants”, in ACM Conf. on Computer and Communications Security (CCS 2007), pp. 375-388, 2007.  DOI: 10.1145/1315245.1315292.  Abstract.

[VA Gu07] P. Gühring, “Concepts against Man-in-the-Browser Attacks”, 15 pp., web manuscript, published circa January 2007.  Available: http://www2.futureware.at/svn/sourcerer/CAcert/SecureClient.pdf, 23 July 2008.  A preliminary version of this article was announced in Advances in Financial Cryptography, Number 3 (FC++3), 25 June 2006.  Abstract.

[VA Ja07] T. Jagatic, N. Johnson, M. Jakobsson, F. Menczer, “Social Phishing”, Commun. ACM 50(10), pp. 94-100, October 2007.  DOI: 10.1145/1290958.1290968.  Abstract.

[VA Ka07] C. Karlof, U. Shankar, J. Tygar, D. Wagner, “Dynamic Pharming Attacks and Locked Same-Origin Policies for Web Browsers”, in ACM Conf. on Computer and Communications Security (CCS 2007), pp. 58-71, 2007.  DOI: 10.1145/1315245.1315254.  Abstract.

[VA Ki06] S. King, P. Chen, Y.-M. Wang, C. Verbowski, H. Wang, J. Lorch, “SubVirt: Implementing Malware with Virtual Machines”, in IEEE Symp. on Security and Privacy (SP 2006), pp. 314-327, 2006.  DOI: 10.1109/SP.2006.38.  Abstract.

[VA Ma08] W. Mazurczyk, K. Szczypiorski, “Steganography of VoIP streams”, in Computing Research Repository (CoRR), arXiv:0805.2938v1, May 2008.  Abstract.

[VA Pa06] S. Di Paola, G. Fedon, “Subverting Ajax”, in 23rd Chaos Communication Congress (CCC 2006), presentation ID 1602, December 2006.  Available: http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf, 23 July 2008.  Abstract.

[VA Sh07] H. Shacham, “The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)”, in ACM Conf. on Computer and Communications Security (CCS 2007), pp. 552-561, 2007.  DOI: 10.1145/1315245.1315313.  Abstract.

[VA Ul04] U. Uludag, A. Jain, “Attacks on Biometric Systems: A Case Study in Fingerprints”, in Proc. Security, Steganography and Watermarking of Multimedia Contents (SPIE-EI 2004), vol. 5306, SPIE, pp. 622-633, 2004.  DOI: 10.1117/12.530907.  Author’s copy available: http://biometrics.cse.msu.edu/Publications/SecureBiometrics/UludagJain_BiometricAttacks_SPIE04.pdf, 23 July 2008.  Abstract.

[VA Yo06] J. Youll, “Fraud Vulnerabilities in SiteKey Security at Bank of America”, white paper, Challenge Response LLC (Cambridge MA, USA), 15 pp., 18 July 2006.  Available: http://cr-labs.com/publications/SiteKey-20060718.pdf, 23 July 2008.  Abstract.