@inproceedings{ kim12euro, author = "Sangman Kim and Michael Z. Lee and Alan M. Dunn and Owen S. Hofmann and Xuan Wang and Emmett Witchel and Donald E. Porter", title = {Improving Server Applications with System Transactions}, booktitle = {Proceedings of the 7th {ACM} European Conference on Computer Systems ({EuroSys})}, year = "2012", month = "April", url = {http://dl.acm.org.ezproxy.auckland.ac.nz/citation.cfm?id=2168839}, address = "Bern, Switzerland", annote = {Abstract. Server applications must process requests as quickly as possible. Because some requests depend on earlier requests, there is often a tension between increasing throughput and maintaining the proper semantics for dependent requests. Operating system transactions make it easier to write reliable, high-throughput server applications because they allow the application to execute non-interfering requests in parallel, even if the requests operate on OS state, such as file data.\par By changing less than 200 lines of application code, we improve performance of a replicated Byzantine Fault Tolerant (BFT) system by up to 88\% using server-side speculation, and we improve concurrent performance up to 80\% for an IMAP email server by changing only 40 lines. Achieving these results requires substantial enhancements to system transactions, including the ability to pause and resume transactions, and an API to commit transactions in a pre-defined order. }, } @inproceedings{ rossbach11sosp, author = "Christopher J. Rossbach and Jon Currey and Mark Silberstein and Baishakhi Ray and Emmett Witchel", title = {{PTask}: {O}perating System Abstractions To Manage GPUs as Compute Devices}, booktitle = {Proceedings of the 22nd ACM Symposium on Operating Systems Principles (SOSP)}, year = "2011", month = "October", address = "Cascais, Portugal", url = {http://dl.acm.org.ezproxy.auckland.ac.nz/citation.cfm?id=2043579}, annote = {Abstract. We propose a new set of OS abstractions to support GPUs and other accelerator devices as first class computing resources. These new abstractions, collectively called the \emph{PTask API}, support a dataflow programming model. Because a PTask graph consists of OS-managed objects, the kernel has sufficient visibility and control to provide system-wide guarantees like fairness and performance isolation, and can streamline data movement in ways that are impossible under current GPU programming models.\par Our experience developing the PTask API, along with a gestural interface on Windows 7 and a FUSE-based encrypted file system on Linux show that the PTask API can provide important systemwide guarantees where there were previously none, and can enable significant performance improvements, for example gaining a 5 improvement in maximum throughput for the gestural interface. }, } @inproceedings{Butt:2012:SCC:2382196.2382226, author = {Butt, Shakeel and Lagar-Cavilla, H. Andr{\'e}s and Srivastava, Abhinav and Ganapathy, Vinod}, title = {Self-service cloud computing}, booktitle = {Proceedings of the 2012 ACM conference on Computer and communications security}, series = {CCS '12}, year = {2012}, isbn = {978-1-4503-1651-4}, location = {Raleigh, North Carolina, USA}, pages = {253--264}, numpages = {12}, url = {http://doi.acm.org.ezproxy.auckland.ac.nz/10.1145/2382196.2382226}, doi = {10.1145/2382196.2382226}, acmid = {2382226}, publisher = {ACM}, address = {New York, NY, USA}, keywords = {cloud computing, privacy, security, trust}, annote = {Abstract. Modern cloud computing infrastructures use virtual machine monitors (VMMs) that often include a large and complex administrative domain with privileges to inspect client VM state. Attacks against or misuse of the administrative domain can compromise client security and privacy. Moreover, these VMMs provide clients inflexible control over their own VMs, as a result of which clients have to rely on the cloud provider to deploy useful services, such as VM introspection-based security tools. \par We introduce a new self-service cloud (SSC) computing model that addresses these two shortcomings. SSC splits administrative privileges between a system-wide domain and per-client administrative domains. Each client can manage and perform privileged system tasks on its own VMs, thereby providing flexibility. The system-wide administrative domain cannot inspect the code, data or computation of client VMs, thereby ensuring security and privacy. SSC also allows providers and clients to establish mutually trusted services that can check regulatory compliance while respecting client privacy. We have implemented SSC by modifying the Xen hypervisor. We demonstrate its utility by building user domains to perform privileged tasks such as memory introspection, storage intrusion detection, and anomaly detection. }, } @incollection{Khurshid12, year={2012}, isbn={978-3-642-29859-2}, booktitle={Runtime Verification}, volume={7186}, series={Lecture Notes in Computer Science}, editor={Khurshid, Sarfraz and Sen, Koushik}, doi={10.1007/978-3-642-29860-8_26}, title={Monitoring Data Structures Using Hardware Transactional Memory}, url={http://dx.doi.org.ezproxy.auckland.ac.nz/10.1007/978-3-642-29860-8_26}, publisher={Springer Berlin Heidelberg}, keywords={Data structure properties; Hardware transactional memory}, author={Butt, Shakeel and Ganapathy, Vinod and Baliga, Arati and Christodorescu, Mihai}, pages={345-359}, annote={Abstract. The robustness of software systems is adversely affected by programming errors and security exploits that corrupt heap data structures. In this paper, we present the design and implementation of TxMon, a system to detect such data structure corruptions. TxMon leverages the concurrency control machinery implemented by hardware transactional memory (HTM) systems to additionally enforce programmer-specified consistency properties on data structures at runtime. We implemented a prototype version of TxMon using an HTM system (LogTM-SE) and studied the feasibility of applying TxMon to enforce data structure consistency properties on several benchmarks. Our experiments show that TxMon is effective at monitoring data structure properties, imposing tolerable runtime performance overheads.}, } @inproceedings{Birgisson:2008:EAP:1455770.1455800, author = {Birgisson, Arnar and Dhawan, Mohan and Erlingsson, \'{U}lfar and Ganapathy, Vinod and Iftode, Liviu}, title = {Enforcing authorization policies using transactional memory introspection}, booktitle = {Proceedings of the 15th ACM conference on Computer and communications security}, series = {CCS '08}, year = {2008}, isbn = {978-1-59593-810-7}, location = {Alexandria, Virginia, USA}, pages = {223--234}, numpages = {12}, url = {http://doi.acm.org.ezproxy.auckland.ac.nz/10.1145/1455770.1455800}, doi = {10.1145/1455770.1455800}, acmid = {1455800}, publisher = {ACM}, address = {New York, NY, USA}, keywords = {reference monitors, transactional memory}, annote={Abstract. Correct enforcement of authorization policies is a difficult task, especially for multi-threaded software. Even in carefully-reviewed code, unauthorized access may be possible in subtle corner cases. We introduce Transactional Memory Introspection (TMI), a novel reference monitor architecture that builds on Software Transactional Memory---a new, attractive alternative for writing correct, multi-threaded software.\par TMI facilitates correct security enforcement by simplifying how the reference monitor integrates with software functionality. TMI can ensure complete mediation of security-relevant operations, eliminate race conditions related to security checks, and simplify handling of authorization failures. We present the design and implementation of a TMI-based reference monitor and experiment with its use in enforcing authorization policies on four significant servers. Our experiments confirm the benefits of the TMI architecture and show that it imposes an acceptable runtime overhead. }, } @inproceedings{DBLP:conf/wisec/ChakradeoRTE13, author = {Saurabh Chakradeo and Bradley Reaves and Patrick Traynor and William Enck}, title = {{MAST}: {T}riage for market-scale mobile malware analysis}, booktitle = {Sixth ACM Conference on Security and Privacy in Wireless and Mobile Networks}, editor = {Levente Butty{\'a}n and Ahmad-Reza Sadeghi and Marco Gruteser}, publisher = {ACM}, year = {2013}, pages = {13-24}, url = {http://doi.acm.org.ezproxy.auckland.ac.nz/10.1145/2462096.2462100}, bibsource = {DBLP, http://dblp.uni-trier.de}, annote={Abstract. Malware is a pressing concern for mobile application market operators. While current mitigation techniques are keeping pace with the relatively infrequent presence of malicious code, the rapidly increasing rate of application development makes manual and resourceintensive automated analysis costly at market-scale. To address this resource imbalance, we present the Mobile Application Security Triage (MAST) architecture, a tool that helps to direct scarce malware analysis resources towards the applications with the greatest potential to exhibit malicious behavior. MAST analyzes attributes extracted from just the application package using Multiple Correspondence Analysis (MCA), a statistical method that measures the correlation between multiple categorical (i.e., qualitative) data. We train MAST using over 15,000 applications from Google Play and a dataset of 732 known-malicious applications. We then use MAST to perform triage on three third-party markets of different size and malware composition 36,710 applications in total. Our experiments show that MAST is both effective and performant. Using MAST ordered ranking, malware-analysis tools can find 95\% of malware at the cost of analyzing 13\% of the non-malicious applications on average across multiple markets, and MAST triage processes markets in less than a quarter of the time required to perform signature detection. More importantly, we show that successful triage can dramatically reduce the costs of removing malicious applications from markets.}, } @INPROCEEDINGS{5958038, author={Jana, S. and Porter, D.E. and Shmatikov, V.}, booktitle={2011 IEEE Symposium on Security and Privacy (SP)}, title={{TxBox}: {B}uilding Secure, Efficient Sandboxes with System Transactions}, year={2011}, pages={329-344}, keywords={security of data;TOCTTOU attacks;TxBox;automatic recovery;building security;efficient sandboxes;kernel state;onaccess antivirus scanning;sand boxed program;sand boxing untrusted applications;security checks;security policies;system transaction;system transactions;Codecs;Instruments;Kernel;Malware;Monitoring; Semantics;sandbox;speculative execution;transaction}, url={http://dx.doi.org.ezproxy.auckland.ac.nz/10.1109/SP.2011.33}, ISSN={1081-6011}, annote={Abstract. {\sc TxBox} is a new system for sandboxing untrusted applications. It speculatively executes the application in a system transaction, allowing security checks to be parallelized and yielding significant performance gains for techniques such as on-access anti-virus scanning. {\sc TxBox} is not vulnerable to TOCTTOU attacks and incorrect mirroring of kernel state. Furthermore, {\sc TxBox} supports automatic recovery: if a violation is detected, the sandboxed program is terminated and all of its effects on the host are rolled back. This enables effective enforcement of security policies that span multiple system calls.}, } @article{10.1109/SP.2013.14, author = {Amir Houmansadr and Chad Brubaker and Vitaly Shmatikov}, title = {The Parrot Is Dead: {O}bserving Unobservable Network Communications}, journal ={2013 IEEE Symposium on Security and Privacy}, volume = {0}, issn = {1081-6011}, year = {2013}, pages = {65-79}, url = {http://dx.doi.org.ezproxy.auckland.ac.nz/10.1109/SP.2013.14}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, annote = {Abstract. In response to the growing popularity of Tor and other censorship circumvention systems, censors in non-democratic countries have increased their technical capabilities and can now recognize and block network traffic generated by these systems on a nationwide scale. New censorship-resistant communication systems such as Skype Morph, Stego Torus, and Censor Spoofer aim to evade censors' observations by imitating common protocols like Skype and HTTP.\par We demonstrate that these systems completely fail to achieve unobservability. Even a very weak, local censor can easily distinguish their traffic from the imitated protocols. We show dozens of passive and active methods that recognize even a single imitated session, without any need to correlate multiple network flows or perform sophisticated traffic analysis.\par We enumerate the requirements that a censorship-resistant system must satisfy to successfully mimic another protocol and conclude that ``unobservability by imitation" is a fundamentally flawed approach. We then present our recommendations for the design of unobservable communication systems. }, } @article{Brandimarte01052013, author = {Brandimarte, Laura and Acquisti, Alessandro and Loewenstein, George}, title = {Misplaced Confidences: {P}rivacy and the Control Paradox}, volume = {4}, number = {3}, pages = {340-347}, year = {2013}, doi = {10.1177/1948550612455931}, annote ={Abstract. We test the hypothesis that increasing individuals' perceived control over the release and access of private information--even information that allows them to be personally identified--will increase their willingness to disclose sensitive information. If their willingness to divulge increases sufficiently, such an increase in control can, paradoxically, end up leaving them more vulnerable. Our findings highlight how, if people respond in a sufficiently offsetting fashion, technologies designed to protect them can end up exacerbating the risks they face.}, URL = {http://spp.sagepub.com.ezproxy.auckland.ac.nz/content/4/3/340.short}, eprint = {http://spp.sagepub.com/content/4/3/340.full.pdf+html}, journal = {Social Psychological and Personality Science} } @INPROCEEDINGS{6296102, author={Creese, S. and Goldsmith, M. and Nurse, J.R.C. and Phillips, E.}, booktitle={2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)}, title={A Data-Reachability Model for Elucidating Privacy and Security Risks Related to the Use of Online Social Networks}, year={2012}, pages={1124-1131}, url={http://dx.doi.org.ezproxy.auckland.ac.nz/10.1109/TrustCom.2012.22}, annote={Abstract. Privacy and security within Online Social Networks (OSNs) has become a major concern over recent years. As individuals continue to actively use and engage with these mediums, one of the key questions that arises pertains to what unknown risks users face as a result of unchecked publishing and sharing of content and information in this space. There are numerous tools and methods under development that claim to facilitate the extraction of specific classes of personal data from online sources, either directly or through correlation across a range of inputs. In this paper we present a model which specifically aims to understand the potential risks faced should all of these tools and methods be accessible to a malicious entity. The model enables easy and direct capture of the data extraction methods through the encoding of a data-reachability matrix for which each row represents an inference or data-derivation step. Specifically, the model elucidates potential linkages between data typically exposed on social-media and networking sites, and other potentially sensitive data which may prove to be damaging in the hands of malicious parties, i.e., fraudsters, stalkers and other online and offline criminals. In essence, we view this work as a key method by which we might make cyber risk more tangible to users of OSNs.}, keywords={data privacy;reachability analysis;security of data;social networking (online);data extraction methods;data-derivation step;data-reachability matrix;data-reachability model;malicious entity;online social networks;online sources;privacy risk;security risk;Accuracy;Data mining;Data models;Electronic mail;Privacy;Security;Social network services;Social-network risks;data-reachability model;information leakage;online social networks;privacy;security}, doi={10.1109/TrustCom.2012.22}, } @article{de2013unique, title={Unique in the Crowd: {T}he privacy bounds of human mobility}, author={de Montjoye, Yves-Alexandre and Hidalgo, C{\'e}sar A. and Verleysen, Michel and Blondel, Vincent D.}, journal={Scientific reports}, volume={3}, year={2013}, publisher={Nature Publishing Group}, url={http://www.nature.com/srep/2013/130325/srep01376/pdf/srep01376.pdf}, annote={Abstract. We study fifteen months of human mobility data for one and a half million individuals and find that human mobility traces are highly unique. In fact, in a dataset where the location of an individual is specified hourly, and with a spatial resolution equal to that given by the carrier's antennas, four spatio-temporal points are enough to uniquely identify 95\% of the individuals. We coarsen the data spatially and temporally to find a formula for the uniqueness of human mobility traces given their resolution and the available outside information. This formula shows that the uniqueness of mobility traces decays approximately as the 1/10 power of their resolution. Hence, even coarse datasets provide little anonymity. These findings represent fundamental constraints to an individual's privacy and have important implications for the design of frameworks and institutions dedicated to protect the privacy of individuals.}, } @inproceedings{Shin:2011:ESV:2076732.2076773, author = {Shin, Dongwan and Lopes, Rodrigo}, title = {An empirical study of visual security cues to prevent the {SSLstripping} attack}, booktitle = {Proceedings of the 27th Annual Computer Security Applications Conference}, series = {ACSAC '11}, year = {2011}, isbn = {978-1-4503-0672-0}, location = {Orlando, Florida}, pages = {287--296}, numpages = {10}, url = {http://doi.acm.org.ezproxy.auckland.ac.nz/10.1145/2076732.2076773}, doi = {10.1145/2076732.2076773}, acmid = {2076773}, publisher = {ACM}, address = {New York, NY, USA}, annote={Abstract. One of the latest attacks on secure socket layer (SSL), called the SSLstripping attack, was reported at the Blackhat conference in 2009. As a type of man-in-the-middle (MITM) attack, it has the potential to affect tens of millions of users of popular online social networking and financial websites protected by SSL. Interestingly, the attack exploits users' browsing habits, rather than a technical flaw in the protocol, to defeat the SSL security. In this paper we present a novel approach to addressing this attack by using visually augmented security. Specifically, motivated by typical traffic lights, we introduce a set of visual cues aimed at thwarting the attack. The visual cues, called security status light (SSLight), can be used to help users make better, more informed decisions when their sensitive information need to be submitted to the websites. A user study was conducted to investigate the effectiveness of our scheme, and its results show that our approach is more promising than the traditional pop-up method adopted by major web browsers. }, } @inproceedings{41323, title = {Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness}, author = {Devdatta Akhawe and Adrienne Porter Felt}, year = {2013}, booktitle = {USENIX Security Symposium}, note = {author's preprint}, url = {http://www.cs.berkeley.edu/~devdatta/papers/alice-in-warningland.pdf}, annote = {Abstract. We empirically assess whether browser security warnings are as ineffective as suggested by popular opinion and previous literature. We used Mozilla Firefox and Google Chrome's in-browser telemetry to observe over 25 million warning impressions in situ. During our field study, users continued through a tenth of Mozilla Firefox's malware and phishing warnings, a quarter of Google Chrome's malware and phishing warnings, and a third of Mozilla Firefox's SSL warnings. This demonstrates that security warnings can be effective in practice; security experts and system architects should not dismiss the goal of communicating security information to end users. We also find that user behavior varies across warnings. In contrast to the other warnings, users continued through 70.2\% of Google Chrome's SSL warnings. This indicates that the user experience of a warning can have a significant impact on user behavior. Based on our findings, we make recommendations for warning designers and researchers. }, } @incollection {Jackson07, author = {Jackson, Collin and Simon, Daniel and Tan, Desney and Barth, Adam}, affiliation = {Stanford University Stanford CA}, title = {An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks}, booktitle = {Financial Cryptography and Data Security}, series = {Lecture Notes in Computer Science}, editor = {Dietrich, Sven and Dhamija, Rachna}, publisher = {Springer Berlin / Heidelberg}, isbn = {978-3-540-77365-8}, url = {http://dx.doi.org.ezproxy.auckland.ac.nz/10.1007/978-3-540-77366-5_27}, keyword = {Computer Science}, pages = {281-293}, volume = {4886}, annote = {Abstract. In this usability study of phishing attacks and browser anti-phishing defenses, 27 users each classified 12 web sites as fraudulent or legitimate. By dividing these users into three groups, our controlled study measured both the effect of extended validation certificates that appear only at legitimate sites and the effect of reading a help file about security features in Internet Explorer 7. Across all groups, we found that picture-in-picture attacks showing a fake browser window were as effective as the best other phishing technique, the homograph attack. Extended validation did not help users identify either attack. Additionally, reading the help file made users more likely to classify both real and fake web sites as legitimate when the phishing warning did not appear.}, year = {2007} } @INPROCEEDINGS{vanOvereem09, author={van Overeem, A. and van Oosten, J.}, booktitle={42nd Hawaii International Conference on System Sciences (HICSS '09)}, title={Towards a Pan {E}uropean {e-ID} Interoperability Infrastructure}, year={2009}, month=jan, pages={1-10}, publisher = {IEEE Computer Society}, keywords={European e-ID interoperability infrastructure;common identity providers;e-services;homogeneous interoperability;national identity management infrastructures;open systems;public administration;}, url={http://dx.doi.org.ezproxy.auckland.ac.nz/10.1109/HICSS.2009.466}, doi={10.1109/HICSS.2009.466}, ISSN={1530-1605}, annote = {Abstract. The proliferation of e-Services in most European Countries has been favorable to the emergence of common identity providers and national identity management infrastructures in these countries. The STORK project aims to interconnect all of these identity management infra-structures to form a Pan-European federated e-Identity space. In this paper we show that due to two different identity concepts in use by the European countries, this objective is a far from trivial challenge. Based on our analysis we present two scenarios: homogeneous interoperability for countries with alike identity concepts and heterogeneous interoperability for countries with different identity concepts. For the latter case we present three solution directions to overcome technical limitations and challenges. The STORK project is co-funded by the European Union and will deliver real solutions by implementing five demo projects. }, } @inproceedings{Sharif08, author = {Monirul I. Sharif and Andrea Lanzi and Jonathon T. Giffin and Wenke Lee}, title = {Impeding Malware Analysis Using Conditional Code Obfuscation}, booktitle = {Proceedings of the Network and Distributed System Security Symposium}, publisher = {The Internet Society}, year = {2008}, url = {http://www.isoc.org/isoc/conferences/ndss/08/papers/19_impeding_malware_analysis.pdf}, annote = {Abstract. Malware programs that incorporate trigger-based behavior initiate malicious activities based on conditions satisfied only by specific inputs. State-of-the-art malware analyzers discover code guarded by triggers via multiple path exploration, symbolic execution, or forced conditional execution, all without knowing the trigger inputs. We present a malware obfuscation technique that automatically conceals specific trigger-based behavior from these malware analyzers. Our technique automatically transforms a program by encrypting code that is conditionally dependent on an input value with a key derived from the input and then removing the key from the program. We have implemented a compiler-level tool that takes a malware source program and automatically generates an obfuscated binary. Experiments on various existing malware samples show that our tool can hide a significant portion of trigger based code. We provide insight into the strengths, weaknesses, and possible ways to strengthen current analysis approaches in order to defeat this malware obfuscation technique.}, } @article{Ransbotham09, author = {Sam Ransbotham and Sabyasachi Mitra}, title = {Choice and Chance: A Conceptual Model of Paths to Information Security Compromise}, journal = {Information Systems Research}, volume = {20}, number = {1}, year = {2009}, pages = {121-139}, url = {http://dx.doi.org.ezproxy.auckland.ac.nz/10.1287/isre.1080.0174}, annote = {Abstract. No longer the exclusive domain of technology experts, information security is now a management issue. Through a grounded approach using interviews, observations, and secondary data, we advance a model of the information security compromise process from the perspective of the attacked organization. We distinguish between deliberate and opportunistic paths of compromise through the Internet, labeled choice and chance, and include the role of countermeasures, the Internet presence of the firm, and the attractiveness of the firm for information security compromise. Further, using one year of alert data from intrusion detection devices, we find empirical support for the key contributions of the model. We discuss the implications of the model for the emerging research stream on information security in the information systems literature. } } @article{Rabin:1989:EDI:62044.62050, author = {Rabin, Michael O.}, title = {Efficient dispersal of information for security, load balancing, and fault tolerance}, journal = {J. ACM}, issue_date = {April 1989}, volume = {36}, number = {2}, month = apr, year = {1989}, issn = {0004-5411}, pages = {335--348}, numpages = {14}, url = {http://dx.doi.org.ezproxy.auckland.ac.nz/10.1145/62044.62050}, doi = {10.1145/62044.62050}, acmid = {62050}, publisher = {ACM}, address = {New York, NY, USA}, annote = { Abstract. An Information Dispersal Algorithm (IDA) is developed that breaks a file $F$ of length $L = |F|$ into $n$ pieces $F_i$, $l \leq i \leq n$, each of length $|F_i| = L/m$, so that every $m$ pieces suffice for reconstructing $F$. Dispersal and reconstruction are computationally efficient. The sum of the lengths $|F_i|$ is $(n/m)L$. Since $n/m$ can be chosen to be close to $1$, the IDA is space efficient. IDA has numerous applications to secure and reliable storage of information in computer networks and even on single disks, to fault-tolerant and efficient transmission of information in networks, and to communications between processors in parallel computers. For the latter problem provably time-efficient and highly fault-tolerant routing on the $n$-cube is achieved, using just constant size buffers. }, } @incollection{Knall11, year={2011}, isbn={978-3-642-22960-2}, booktitle={Electronic Government and the Information Systems Perspective}, volume={6866}, series={Lecture Notes in Computer Science}, editor={Andersen, Kim Normann and Francesconi, Enrico and Gr\"onlund, \AAke and Engers, Tom M.}, doi={10.1007/978-3-642-22961-9_8}, title={Secure and Privacy-Preserving Cross-Border Authentication: {The} {STORK} Pilot `{SaferChat}'}, url={http://dx.doi.org.ezproxy.auckland.ac.nz/10.1007/978-3-642-22961-9_8}, publisher={Springer Berlin Heidelberg}, keywords={e-ID; interoperability; authentication; privacy; security; e-Learning; Moodle; STORK}, author={Knall, Thomas and Tauber, Arne and Zefferer, Thomas and Zwattendorfer, Bernd and Axfjord, Arnaldur and Bjarnason, Haraldur}, pages={94-106}, annote={Abstract. Secure user authentication, provision of identity attributes, privacy preservation, and cross-border applicability are key requirements of security and privacy sensitive ICT based services. The EU large scale pilot STORK provides a European cross-border authentication framework that satisfies these requirements by establishing interoperability between existing national eID infrastructures. To allow for privacy preservation, the developed framework supports the provision of partial identity information and pseudonymization. In this paper we present the pilot application SaferChat that has been developed to evaluate and demonstrate the functionality of the STORK authentication framework. SaferChat makes use of age claim based authentication mechanisms that allow for an online environment where kids and teenagers are able to communicate with their peers in a safe way. We first identify relevant prerequisites for the SaferChat pilot application and then give an introduction to the basic architecture of the STORK authentication framework. We finally show how this framework has been integrated into the SaferChat pilot application to meet the identified requirements and to implement a secure and privacy preserving cross-border user authentication mechanism. }, } @inproceedings{Ateniese:2007:PDP:1315245.1315318, author = {Ateniese, Giuseppe and Burns, Randal and Curtmola, Reza and Herring, Joseph and Kissner, Lea and Peterson, Zachary and Song, Dawn}, title = {Provable data possession at untrusted stores}, booktitle = {Proceedings of the 14th ACM conference on Computer and communications security}, series = {CCS '07}, year = {2007}, isbn = {978-1-59593-703-2}, location = {Alexandria, Virginia, USA}, pages = {598--609}, numpages = {12}, url = {http://doi.acm.org.ezproxy.auckland.ac.nz/10.1145/1315245.1315318}, doi = {10.1145/1315245.1315318}, acmid = {1315318}, publisher = {ACM}, address = {New York, NY, USA}, keywords = {archival storage, homorphic verifiable tags, pdp, provable data possession, storage security}, annote = {Abstract. We introduce a model for provable data possession (PDP) that allows a client that has stored data at an untrusted server to verify that the server possesses the original data without retrieving it. The model generates probabilistic proofs of possession by sampling random sets of blocks from the server, which drastically reduces I/O costs. The client maintains a constant amount of metadata to verify the proof. The challenge/response protocol transmits a small, constant amount of data, which minimizes network communication. Thus, the PDP model for remote data checking supports large data sets in widely-distributed storage systems. We present two provably-secure PDP schemes that are more efficient than previous solutions, even when compared with schemes that achieve weaker guarantees. In particular, the overhead at the server is low (or even constant), as opposed to linear in the size of the data. Experiments using our implementation verify the practicality of PDP and reveal that the performance of PDP is bounded by disk I/O and not by cryptographic computation. }, } @misc{Miller06, author = {Granville Miller and Laurie Williams}, title = {Personas: {M}oving Beyond Role-Based Requirements Engineering}, year = {circa 2006}, url = {http://agile.csc.ncsu.edu/SEMaterials/Personas.pdf}, howpublished = {Internet manuscript}, note = {10 pp.}, annote = {Abstract. A primary vehicle for understanding the user in the context of the requirements for a system has been the role. For example, the role is captured through the use of actors in the use case diagram and use case descriptions. Recently, personas have been used in conjunction with scenarios in participatory design to go deeper into examining the different types of people who could play a role. A persona is an archetype of a fictional user representing a specific group of typical users. This paper expands the use of personas to scenario-based requirements engineering. Personas and scenarios are being used together for specifying requirements at Microsoft. The result of this combination has been a more comprehensive understanding of the target customers' behaviors to drive and refine our scenarios and subsequently our product development. }, } @techreport{Kurtz13, author = {Andreas Kurtz and Felix Freiling and Daniel Metz}, title = {Usability vs. Security: {T}he Everlasting Trade-Off in the Context of {A}pple {iOS} Mobile Hotspots}, institution = {University of Erlangen, Department of Computer Science}, number = {CS-2013-02 (author's preprint)}, month = jun, year = 2013, note = {10 pp.}, url = {https://www1.cs.fau.de/filepool/projects/hotspot/hotspot.pdf}, annote = {Abstract. Passwords have to be secure and usable at the same time, a trade-off that is long known. There are many approaches to avoid this trade-off, e.g., to advice users on generating strong passwords and to reject user passwords that are weak. The same usability/security trade-off arises in scenarios where passwords are generated by machines but exchanged by humans, as is the case in pre-shared key (PSK) authentication. We investigate this trade-off by analyzing the PSK authentication method used by Apple iOS to set up a secure WPA2 connection when using an iPhone as a Wi-Fi mobile hotspot. We show that Apple iOS generates weak default passwords which makes the mobile hotspot feature of Apple iOS susceptible to brute force attacks on the WPA2 handshake. More precisely, we observed that the generation of default passwords is based on a word list, of which only 1.842 entries are taken into consideration. In addition, the process of selecting words from that word list is not random at all, resulting in a skewed frequency distribution and the possibility to compromise a hotspot connection in less than 50 seconds. Spot tests show that other mobile platforms are also affected by similar problems. We conclude that more care should be taken to create secure passwords even in PSK scenarios. } } @inproceedings{Gong:2012:ESN:2398776.2398792, author = {Gong, Neil Zhenqiang and Xu, Wenchang and Huang, Ling and Mittal, Prateek and Stefanov, Emil and Sekar, Vyas and Song, Dawn}, title = {Evolution of social-attribute networks: {M}easurements, modeling, and implications using {G}oogle+}, booktitle = {Proceedings of the 2012 ACM Conference on Internet Measurement}, series = {IMC '12}, year = {2012}, isbn = {978-1-4503-1705-4}, location = {Boston, Massachusetts, USA}, pages = {131--144}, numpages = {14}, url = {http://doi.acm.org.ezproxy.auckland.ac.nz/10.1145/2398776.2398792}, doi = {10.1145/2398776.2398792}, acmid = {2398792}, publisher = {ACM}, address = {New York, NY, USA}, keywords = {google+, heterogeneous network measurement and modeling, node attributes, social network evolution, social network measurement}, annote = {Abstract. Understanding social network structure and evolution has important implications for many aspects of network and system design including provisioning, bootstrapping trust and reputation systems via social networks, and defenses against Sybil attacks. Several recent results suggest that augmenting the social network structure with user attributes (e.g., location, employer, communities of interest) can provide a more fine-grained understanding of social networks. However, there have been few studies to provide a systematic understanding of these effects at scale.\par We bridge this gap using a unique dataset collected as the Google+ social network grew over time since its release in late June 2011. We observe novel phenomena with respect to both standard social network metrics and new attribute-related metrics (that we define). We also observe interesting evolutionary patterns as Google+ went from a bootstrap phase to a steady invitation-only stage before a public release.\par Based on our empirical observations, we develop a new generative model to jointly reproduce the social structure and the node attributes. Using theoretical analysis and empirical evaluations, we show that our model can accurately reproduce the social and attribute structure of real social networks. We also demonstrate that our model provides more accurate predictions for practical application contexts. }, }