Agenda
Tuesday, July 9 (Day 1)
Welcome Message
09:00AM - 09:30AM
Keynote 1: Virgil D. Gligor; Carnegie Mellon University
09:30AM - 10:30AM
Chaired by Dieter Gollmann (Hamburg University of Technology, Germany/Nanyang Technological University, Singapore)
Establishing and Maintaining Root of Trust on Commodity Computer Systems [PDF]
Suppose that a trustworthy program must be booted on a commodity system that may contain persistent malware. Establishing root of trust (RoT) assures the system has all and only the content chosen by a trusted verifier or the verifier discovers unaccounted content, with high probability. Hence, RoT establishment assures that verifiable boot takes place in a malware-free state, whp. Obtaining such an assurance is challenging because malware can survive in system states across repeated secure- and trusted-boot operations and act on behalf of a powerful remote adversary; e.g., anti-malware tools do not have malware-unmediated access to device controllers’ processors and memories nor prevent remote malware connections over the internet. I this presentation, I will illustrate both the theoretical and practical challenges of RoT establishment unconditionally; i.e., without secrets, privileged modules (e.g., TPMs, RoMs, HSMs), or adversary computation bounds. I will also illustrate the only unconditional solution to these challenges known in security or cryptography known to date.
Establishing root of trust is important because makes all persistent malware ephemeral and forces the adversary to repeat the malware-insertion attack, perhaps at some added cost. Nevertheless, some malware-controlled software can always be assumed to exist in commodity operating systems and applications. The inherent size and complexity of their components (aka the “giants”) render them vulnerable to successful attacks. In contrast, small and simple software components with rather limited function and high-assurance layered security properties (aka the “wimps”) can, in principle, be resistant to all attacks. Maintaining root of trust assures a user that a commodity computer’s wimps are isolated from, and safely co-exist with, adversary-controlled giants. However, regardless how secure program isolation may be (e.g., based on Intel’s SGX), I/O channel isolation must also be achieved despite the pitfalls of commodity architectures that encourage I/O hardware sharing, not isolation. In this presentation, I will also illustrate the challenges of I/O channel isolation and present and approach that enables the co-existence secure wimps with insecure giants, via an example of an experimental system; i.e., on-demand isolated I/O channels, which were designed and implemented at CMU’s CyLab.
Suppose that a trustworthy program must be booted on a commodity system that may contain persistent malware. Establishing root of trust (RoT) assures the system has all and only the content chosen by a trusted verifier or the verifier discovers unaccounted content, with high probability. Hence, RoT establishment assures that verifiable boot takes place in a malware-free state, whp. Obtaining such an assurance is challenging because malware can survive in system states across repeated secure- and trusted-boot operations and act on behalf of a powerful remote adversary; e.g., anti-malware tools do not have malware-unmediated access to device controllers’ processors and memories nor prevent remote malware connections over the internet. I this presentation, I will illustrate both the theoretical and practical challenges of RoT establishment unconditionally; i.e., without secrets, privileged modules (e.g., TPMs, RoMs, HSMs), or adversary computation bounds. I will also illustrate the only unconditional solution to these challenges known in security or cryptography known to date.
Establishing root of trust is important because makes all persistent malware ephemeral and forces the adversary to repeat the malware-insertion attack, perhaps at some added cost. Nevertheless, some malware-controlled software can always be assumed to exist in commodity operating systems and applications. The inherent size and complexity of their components (aka the “giants”) render them vulnerable to successful attacks. In contrast, small and simple software components with rather limited function and high-assurance layered security properties (aka the “wimps”) can, in principle, be resistant to all attacks. Maintaining root of trust assures a user that a commodity computer’s wimps are isolated from, and safely co-exist with, adversary-controlled giants. However, regardless how secure program isolation may be (e.g., based on Intel’s SGX), I/O channel isolation must also be achieved despite the pitfalls of commodity architectures that encourage I/O hardware sharing, not isolation. In this presentation, I will also illustrate the challenges of I/O channel isolation and present and approach that enables the co-existence secure wimps with insecure giants, via an example of an experimental system; i.e., on-demand isolated I/O channels, which were designed and implemented at CMU’s CyLab.
Break(30 mins)
10:30AM - 11:00AM
Session #1A: Binary Analysis and Hardening
11:00AM - 12:15PM
Chaired by Zheng Leong Chua (National University of Singapore, Singapore)
Control-Flow Carrying Code [PDF]
Yan Lin:School of Information Systems, Singapore Management University; Debin Gao:School of Information Systems, Singapore Management University; Xiaoyang Cheng:College of Cyber Science , Nankai University
Yan Lin:School of Information Systems, Singapore Management University; Debin Gao:School of Information Systems, Singapore Management University; Xiaoyang Cheng:College of Cyber Science , Nankai University
SoK: Using Dynamic Binary Instrumentation for Security (And How You May Get Caught Red Handed) [PDF]
Daniele Cono D'Elia:Sapienza University of Rome; Emilio Coppa:Sapienza University of Rome; Simone Nicchi:Sapienza University of Rome; Federico Palmaro:Prisma; Lorenzo Cavallaro:King's College London
Daniele Cono D'Elia:Sapienza University of Rome; Emilio Coppa:Sapienza University of Rome; Simone Nicchi:Sapienza University of Rome; Federico Palmaro:Prisma; Lorenzo Cavallaro:King's College London
DeClassifier: Class-Inheritance Inference Engine for Optimized C++ Binaries [PDF]
Rukayat Ayomide Erinfolami:Binghamton University; Aravind Prakash:Binghamton University
Rukayat Ayomide Erinfolami:Binghamton University; Aravind Prakash:Binghamton University
Session #1B: Cloud Security
11:00AM - 12:15PM
Chaired by Debin Gao (Singapore Management University, Singapore)
GraphSE^2: An Encrypted Graph Database for Privacy-Preserving Social Search [PDF]
Shangqi Lai:Monash University; Xingliang Yuan:Monash University; Shi-Feng Sun:Monash University; Joseph K. Liu:Monash University; Yuhong Liu:Santa Clara University; Dongxi Liu:Data61, CSIRO
Shangqi Lai:Monash University; Xingliang Yuan:Monash University; Shi-Feng Sun:Monash University; Joseph K. Liu:Monash University; Yuhong Liu:Santa Clara University; Dongxi Liu:Data61, CSIRO
Identity-Based Broadcast Encryption with Outsourced Partial Decryption for Hybrid Security Models in Edge Computing [PDF]
Jongkil kim:University of Wollongong, Australia; Seyit Camtepe:CSIRO, Australia; Willy Susilo:University of Wollongong, Australia; Surya Nepal:CSIRO, Australia; Joonsang Baek:University of Wollongong, Australia
Jongkil kim:University of Wollongong, Australia; Seyit Camtepe:CSIRO, Australia; Willy Susilo:University of Wollongong, Australia; Surya Nepal:CSIRO, Australia; Joonsang Baek:University of Wollongong, Australia
(Short paper) Unveiling Systematic Biases in Decisional Processes. An Application to Discrimination Discovery [PDF]
Laura Genga:Eindhoven University of Technology; Luca Allodi:Eindhoven University of Technology; Nicola Zannone:Eindhoven University of Technology
Laura Genga:Eindhoven University of Technology; Luca Allodi:Eindhoven University of Technology; Nicola Zannone:Eindhoven University of Technology
Lunch
12:15PM - 01:50PM
Session #2A: SGX-based Security
01:50PM - 03:20PM
Chaired by Sherman S. M. Chow (The Chinese University of Hong Kong, Hong Kong)
The SEVerESt Of Them All: Inference Attacks Against Secure Virtual Enclaves [PDF]
Jan Werner:University of North Carolina at Chapel Hill; Joshua Mason:University of Illinois Urbana-Champaign; Manos Antonakakis:Georgia Institute of Technology; Michalis Polychronakis:Stony Brook University; Fabian Monrose:University of North Carolina at Chapel Hill
Jan Werner:University of North Carolina at Chapel Hill; Joshua Mason:University of Illinois Urbana-Champaign; Manos Antonakakis:Georgia Institute of Technology; Michalis Polychronakis:Stony Brook University; Fabian Monrose:University of North Carolina at Chapel Hill
ObliDC: An SGX-based Oblivious Distributed Computing Framework with Formal Proof [PDF]
Pengfei WU:School of Software and Microelectronics, Peking University; Qingni SHEN:School of Software and Microelectronics, Peking University; Robert. H. DENG:School of Information System, Singapore Management University; Ximeng LIU:College of Mathematics and Computer Science, Fuzhou University; Yinghui ZHANG:National Engineering Laboratory for Wireless Security, Xi'an University of Posts and Telecommunications; Zhonghai WU:School of Software and Microelectronics, Peking University
Pengfei WU:School of Software and Microelectronics, Peking University; Qingni SHEN:School of Software and Microelectronics, Peking University; Robert. H. DENG:School of Information System, Singapore Management University; Ximeng LIU:College of Mathematics and Computer Science, Fuzhou University; Yinghui ZHANG:National Engineering Laboratory for Wireless Security, Xi'an University of Posts and Telecommunications; Zhonghai WU:School of Software and Microelectronics, Peking University
A Hybrid Approach to Secure Function Evaluation using SGX [PDF]
Joseph I. Choi:University of Florida; Dave (Jing) Tian:University of Florida; Grant Hernandez:University of Florida; Christopher Patton:University of Florida; Benjamin Mood:Point Loma Nazarene University; Thomas Shrimpton:University of Florida; Kevin R. B. Butler:University of Florida; Patrick Traynor:University of Florida
Joseph I. Choi:University of Florida; Dave (Jing) Tian:University of Florida; Grant Hernandez:University of Florida; Christopher Patton:University of Florida; Benjamin Mood:Point Loma Nazarene University; Thomas Shrimpton:University of Florida; Kevin R. B. Butler:University of Florida; Patrick Traynor:University of Florida
(Short paper) Running Language Interpreters Inside SGX: A Lightweight, Legacy-Compatible Script Code Hardening Approach [PDF]
Huibo Wang:University of Texas at Dallas; Erick Bauman:University of Texas at Dallas; Vishal Karande:University of Texas at Dallas; Yueqiang Cheng:Baidu USA Xlab; Zhiqiang Lin:The Ohio State University; Yinqian Zhang:The Ohio State University
Huibo Wang:University of Texas at Dallas; Erick Bauman:University of Texas at Dallas; Vishal Karande:University of Texas at Dallas; Yueqiang Cheng:Baidu USA Xlab; Zhiqiang Lin:The Ohio State University; Yinqian Zhang:The Ohio State University
Session #2B: Advanced Encryption Algorithms
01:50PM - 03:20PM
Chaired by Joseph K. Liu (Monash University, Australia)
Multi-Writer Searchable Encryption: An LWE-based Realization and Implementation [PDF]
Lei Xu:Nanjing University of Science and Technology; Xingliang Yuan:Monash University; Ron Steinfeld:Monash University; Cong Wang:City University of Hong Kong; Chungen Xu:Nanjing University of Science and Technology
Lei Xu:Nanjing University of Science and Technology; Xingliang Yuan:Monash University; Ron Steinfeld:Monash University; Cong Wang:City University of Hong Kong; Chungen Xu:Nanjing University of Science and Technology
Delegable Order-Revealing Encryption [PDF]
Yuan Li:Fudan University; Hongbing Wang:Singapore Management University; Yunlei Zhao:Fudan University
Yuan Li:Fudan University; Hongbing Wang:Singapore Management University; Yunlei Zhao:Fudan University
MPC Joins the Dark Side [PDF]
John Cartlidge:University of Bristol; Nigel P. Smart:KU Leuven and University of Bristol; Younes Talibi Alaoui:KU Leuven
John Cartlidge:University of Bristol; Nigel P. Smart:KU Leuven and University of Bristol; Younes Talibi Alaoui:KU Leuven
(Short paper) Flexibly and Securely Shape Your Data Disclosed to Others [PDF]
Qingqing Xie:Jiangsu University; Yantian Hou:Boise State University; Ke Cheng:Xidian University; Gaby G. Dagher:Boise State University; Liangmin Wang:Jiangsu University; Shucheng Yu:Stevens Institute of Technology
Qingqing Xie:Jiangsu University; Yantian Hou:Boise State University; Ke Cheng:Xidian University; Gaby G. Dagher:Boise State University; Liangmin Wang:Jiangsu University; Shucheng Yu:Stevens Institute of Technology
Break(30 mins)
03:20PM - 03:50PM
Session #3A: Web Attack Measurements
03:50PM - 05:40PM
Chaired by Jian Mao (Beihang University, China)
Waves of Malice: A Longitudinal Measurement of the Malicious File Delivery Ecosystem on the Web [PDF]
Colin Ife:University College London; Yun Shen:Symantec Research Labs; Steven Murdoch:University College London; Gianluca Stringhini:Boston University
Colin Ife:University College London; Yun Shen:Symantec Research Labs; Steven Murdoch:University College London; Gianluca Stringhini:Boston University
What Happens After You Leak Your Password: Understanding Credential Sharing on Phishing Sites [PDF]
Peng Peng:Virginia Tech; Chao Xu:Virginia Tech; Luke Quinn:Virginia Tech; Hang Hu:Virginia Tech; Bimal Viswanath:Virginia Tech; Gang Wang:Virginia Tech
Peng Peng:Virginia Tech; Chao Xu:Virginia Tech; Luke Quinn:Virginia Tech; Hang Hu:Virginia Tech; Bimal Viswanath:Virginia Tech; Gang Wang:Virginia Tech
A Decade of Mal-Activity Reporting: A Retrospective Analysis of Internet Malicious Activity Blacklists [PDF]
Benjamin Zi Hao Zhao:Data61, UNSW; Muhammad Ikram:Macquarie University, University of Michigan; Hassan Jameel Asghar:Data61, Macquarie University; Mohamed Ali Kaafar:Data61, Macquarie University; Abdelberi Chaabane:Nokia Bell Labs; Kanchana Thilakarathna:The University of Sydney
Benjamin Zi Hao Zhao:Data61, UNSW; Muhammad Ikram:Macquarie University, University of Michigan; Hassan Jameel Asghar:Data61, Macquarie University; Mohamed Ali Kaafar:Data61, Macquarie University; Abdelberi Chaabane:Nokia Bell Labs; Kanchana Thilakarathna:The University of Sydney
(Short paper) Mobile Friendly or Attacker Friendly? A Large-scale Security Evaluation of Mobile-first Websites [PDF]
Tom Van Goethem:imec-DistriNet, KU Leuven; Victor Le Pochat:imec-DistriNet, KU Leuven; Wouter Joosen:imec-DistriNet, KU Leuven
Tom Van Goethem:imec-DistriNet, KU Leuven; Victor Le Pochat:imec-DistriNet, KU Leuven; Wouter Joosen:imec-DistriNet, KU Leuven
Session #3B: Learning and Authentication
03:50PM - 05:40PM
Chaired by Jianying Zhou (Singapore University of Technology and Design, Singapore)
Undermining User Privacy on Mobile Devices Using AI
[PDF]
Berk Gulmezoglu:WPI; Andreas Zankl:Fraunhofer AISEC; Caner Tol:METU; Saad Islam:WPI; Thomas Eisenbarth:University of Lü beck; Berk Sunar:WPI
Berk Gulmezoglu:WPI; Andreas Zankl:Fraunhofer AISEC; Caner Tol:METU; Saad Islam:WPI; Thomas Eisenbarth:University of Lü beck; Berk Sunar:WPI
Robust Watermarking of Neural Network with Exponential Weighting
[PDF]
Ryota Namba:University of Tsukuba; Jun Sakuma:University of Tsukuba, RIKEN AIP
Ryota Namba:University of Tsukuba; Jun Sakuma:University of Tsukuba, RIKEN AIP
(Short paper) A Closer Look Tells More: A Facial Distortion Based Liveness Detection for Face Authentication
[PDF]
Yan Li:Advanced Digital Science Center; Zilong Wang:Xidian University; Yingjiu Li:Singapore Management University; Robert Deng:Singapore Management University; Binbin Chen:Advanced Digital Science Center; Weizhi Meng:Technical University of Denmark; Hui Li:Xidian University
Yan Li:Advanced Digital Science Center; Zilong Wang:Xidian University; Yingjiu Li:Singapore Management University; Robert Deng:Singapore Management University; Binbin Chen:Advanced Digital Science Center; Weizhi Meng:Technical University of Denmark; Hui Li:Xidian University
(Short paper) R2Q: A Risk Quantification Framework to Authorize Requests in Web-based Collaborations
[PDF]
Nirnay Ghosh:iTrust Centre for Research in Cyber Security, Singapore University of Technology and Design (SUTD), Singapore 487372.; Rishabh Singhal:JP Morgan & Chase Co., Mumbai, India; Sajal K Das:Department of Computer Science, Missouri University of Science and Technology, Rolla, MO 65409, USA
Nirnay Ghosh:iTrust Centre for Research in Cyber Security, Singapore University of Technology and Design (SUTD), Singapore 487372.; Rishabh Singhal:JP Morgan & Chase Co., Mumbai, India; Sajal K Das:Department of Computer Science, Missouri University of Science and Technology, Rolla, MO 65409, USA
Poster and Welcome Reception
05:40PM - 08:30PM
Wednesday, July 10 (Day 2)
Keynote 2: Surya Nepal; CSIRO Data61.
09:00AM - 10:00AM
Chaired by Zhenkai Liang (National University of Singapore, Singapore)
Security is the Weakest Link: Prevalent Culture of Victim Blaming in Cyberattacks
[PDF]
The effectiveness of cybersecurity measures is often questioned in the wake of hard-hitting security events. Despite much work being done in the field of cybersecurity and general cybersecurity awareness, cyber-attacks and data breaches are on the rise every year. Humans are considered the weakest link in the information security chain. However, most of the blame is put on the end users and their awareness of security and safe use of the cyber systems. It is often forgotten that these systems are also built by humans and they should also bear some responsibilities for introducing bugs and vulnerabilities that can be easily exploited by cyber attackers. This talk aims to highlight the current culture of blaming the victims prevalent in the cybersecurity research community, present the current research initiatives in human centric cybersecurity, and outline the potential future research areas.
The effectiveness of cybersecurity measures is often questioned in the wake of hard-hitting security events. Despite much work being done in the field of cybersecurity and general cybersecurity awareness, cyber-attacks and data breaches are on the rise every year. Humans are considered the weakest link in the information security chain. However, most of the blame is put on the end users and their awareness of security and safe use of the cyber systems. It is often forgotten that these systems are also built by humans and they should also bear some responsibilities for introducing bugs and vulnerabilities that can be easily exploited by cyber attackers. This talk aims to highlight the current culture of blaming the victims prevalent in the cybersecurity research community, present the current research initiatives in human centric cybersecurity, and outline the potential future research areas.
Break(30 mins)
10:00AM - 10:30AM
Session #4A: Mobile Security
10:30AM - 12:20PM
Chaired by Manuel Egele (Boston University, USA)
Exploiting Sound Masking for Audio Privacy in Smartphones
[PDF]
Yu-Chih Tung:University of Michigan; Kang G. Shin:University of Michigan
Yu-Chih Tung:University of Michigan; Kang G. Shin:University of Michigan
MoSSOT: An Automated Blackbox Tester for Single Sign-On Vulnerabilities in Mobile Applications
[PDF]
Shangcheng Shi:The Chinese University of Hong Kong; Xianbo Wang:The Chinese University of Hong Kong; Wing Cheong Lau:The Chinese University of Hong Kong
Shangcheng Shi:The Chinese University of Hong Kong; Xianbo Wang:The Chinese University of Hong Kong; Wing Cheong Lau:The Chinese University of Hong Kong
MagAttack: Guessing Application Launching and Operation via Smartphone
[PDF]
Yushi Cheng:Zhejiang University; Xiaoyu Ji:Zhejiang University; Wenyuan Xu:Zhejiang University; Hao Pan:Shanghai Jiao Tong University; Zhuangdi Zhu:Michigan State University; Chuang-Wen You:National Taiwan University; Yi-Chao Chen:University of Texas at Austin; Lili Qiu:University of Texas at Austin
Yushi Cheng:Zhejiang University; Xiaoyu Ji:Zhejiang University; Wenyuan Xu:Zhejiang University; Hao Pan:Shanghai Jiao Tong University; Zhuangdi Zhu:Michigan State University; Chuang-Wen You:National Taiwan University; Yi-Chao Chen:University of Texas at Austin; Lili Qiu:University of Texas at Austin
Towards Understanding Android System Vulnerabilities: Techniques and Insights
[PDF]
Daoyuan Wu:Singapore Management University; Debin Gao:Singapore Management University; Eric K. T. Cheng:The Hong Kong Polytechnic University; Yichen Cao:SOBUG, ShenZhen, China; Jintao Jiang:SOBUG, ShenZhen, China; Robert H. Deng:Singapore Management University
Daoyuan Wu:Singapore Management University; Debin Gao:Singapore Management University; Eric K. T. Cheng:The Hong Kong Polytechnic University; Yichen Cao:SOBUG, ShenZhen, China; Jintao Jiang:SOBUG, ShenZhen, China; Robert H. Deng:Singapore Management University
(Short paper) AndrEnsemble: Leveraging API Ensembles to Characterize Android Malware Families
[PDF]
Omid Mirzaei:Universidad Carlos III de Madrid; Guillermo Suarez-Tangil:King's College London; Jose M. de Fuentes:Universidad Carlos III de Madrid; Juan Tapiador:Universidad Carlos III de Madrid; Gianluca Stringhini:Boston University
Omid Mirzaei:Universidad Carlos III de Madrid; Guillermo Suarez-Tangil:King's College London; Jose M. de Fuentes:Universidad Carlos III de Madrid; Juan Tapiador:Universidad Carlos III de Madrid; Gianluca Stringhini:Boston University
Session #4B: Privacy
10:30AM - 12:20PM
Chaired by Lech Janczewski (University of Auckland, New Zealand)
EPISODE: Efficient Privacy-PreservIng Similar Sequence Queries on Outsourced Genomic DatabasEs
[PDF]
Thomas Schneider:TU Darmstadt; Oleksandr Tkachenko:TU Darmstadt
Thomas Schneider:TU Darmstadt; Oleksandr Tkachenko:TU Darmstadt
Revisiting Assumptions for Website Fingerprinting Attacks
[PDF]
Weiqi Cui:Oklahoma State University; Tao Chen:Oklahoma State University; Christian Fields:Oklahoma State University; Julianna Chen:Oklahoma State University; Anthony Sierra:Oklahoma State University; Eric Chan-Tin:Loyola University Chicago
Weiqi Cui:Oklahoma State University; Tao Chen:Oklahoma State University; Christian Fields:Oklahoma State University; Julianna Chen:Oklahoma State University; Anthony Sierra:Oklahoma State University; Eric Chan-Tin:Loyola University Chicago
Can I Opt Out Yet? GDPR and the Global Illusion of Cookie Control
[PDF]
Iskander Sanchez-Rola:DeustoTech, University of Deusto, Symantec Research Labs; Matteo Dell'Amico:Symantec Research Labs; Platon Kotzias:IMDEA Software Institute, Universidad Politecnica de Madrid; Davide Balzarotti:Eurecom; Leyla Bilge:Symantec Research Labs; Pierre-Antoine Vervier:Symantec Research Labs; Igor Santos:DeustoTech, University of Deusto
Iskander Sanchez-Rola:DeustoTech, University of Deusto, Symantec Research Labs; Matteo Dell'Amico:Symantec Research Labs; Platon Kotzias:IMDEA Software Institute, Universidad Politecnica de Madrid; Davide Balzarotti:Eurecom; Leyla Bilge:Symantec Research Labs; Pierre-Antoine Vervier:Symantec Research Labs; Igor Santos:DeustoTech, University of Deusto
"I Don't Think I Can Share My Health Information ..." : Understanding Users' Risk Perceptions about Personal Health Records Shared on Social Networking Services
[PDF]
Yuri Son:Samsung Electronics Co., Ltd.; Geumhwan Cho:Sungkyunkwan University; Hyoungshick Kim:Sungkyunkwan University; Simon Woo:SUNY Korea
Yuri Son:Samsung Electronics Co., Ltd.; Geumhwan Cho:Sungkyunkwan University; Hyoungshick Kim:Sungkyunkwan University; Simon Woo:SUNY Korea
Lunch
12:20PM - 02:00PM
Session #5A: Web Security
02:00PM - 03:20PM
Chaired by Gianluca Stringhini (Boston University, USA)
Purchased Fame: Exploring the Ecosystem of Private Blog Networks
[PDF]
Tom Van Goethem:imec-DistriNet, KU Leuven; Najmeh Miramirkhani:Stony Brook University; Wouter Joosen:imec-DistriNet, KU Leuven; Nick Nikiforakis:Stony Brook University
Tom Van Goethem:imec-DistriNet, KU Leuven; Najmeh Miramirkhani:Stony Brook University; Wouter Joosen:imec-DistriNet, KU Leuven; Nick Nikiforakis:Stony Brook University
TweetScore: Scoring Tweets via Social Attribute Relationships for Twitter Spammer Detection
[PDF]
Yihe Zhang:Unaffiliated; Hao Zhang:Unaffiliated; Xu Yuan:Unaffiliated; Nian-Feng Tzeng:Unaffiliated
Yihe Zhang:Unaffiliated; Hao Zhang:Unaffiliated; Xu Yuan:Unaffiliated; Nian-Feng Tzeng:Unaffiliated
ScriptProtect: Mitigating Unsafe Third-Party JavaScript Practices
[PDF]
Marius Musch:TU Braunschweig; Marius Steffens:CISPA Helmholtz Center for Information Security; Ben Stock:CISPA Helmholtz Center for Information Security; Martin Johns:TU Braunschweig
Marius Musch:TU Braunschweig; Marius Steffens:CISPA Helmholtz Center for Information Security; Ben Stock:CISPA Helmholtz Center for Information Security; Martin Johns:TU Braunschweig
Session #5B: Fault Attacks and Side Channel Analysis
02:00PM - 03:20PM
Chaired by Virgil Gligor (Carnegie Mellon University, USA)
SoK: On DFA Vulnerabilities of Substitution-Permutation Networks
[PDF]
Mustafa Khairallah:Nanyang Technological University, Singapore; Xiaolu Hou:Acronis, Singapore; Zakaria Najm:Nanyang Technological University, Singapore; Jakub Breier:Underwriters Laboratories, Singapore; Shivam Bhasin:Nanyang Technological University, Singapore; Thomas Peyrin:Nanyang Technological University, Singapore
Mustafa Khairallah:Nanyang Technological University, Singapore; Xiaolu Hou:Acronis, Singapore; Zakaria Najm:Nanyang Technological University, Singapore; Jakub Breier:Underwriters Laboratories, Singapore; Shivam Bhasin:Nanyang Technological University, Singapore; Thomas Peyrin:Nanyang Technological University, Singapore
Practical Side-Channel Attacks against WPA-TKIP
[PDF]
Domien Schepers:Northeastern University; Aanjhan Ranganathan:Northeastern University; Mathy Vanhoef:New York University Abu Dhabi
Domien Schepers:Northeastern University; Aanjhan Ranganathan:Northeastern University; Mathy Vanhoef:New York University Abu Dhabi
Exploiting Determinism in lattice-based signatures - Practical Fault Attacks on pqm4 implementations of NIST candidates
[PDF]
Prasanna Ravi:Nanyang Technological University, Singapore; Mahabir Prasad Jhanwar:Nanyang Technological University, Singapore; James Howe:Nanyang Technological University, Singapore; Anupam Chattopadhyay:Nanyang Technological University, Singapore; Shivam Bhasin:Nanyang Technological University, Singapore
Prasanna Ravi:Nanyang Technological University, Singapore; Mahabir Prasad Jhanwar:Nanyang Technological University, Singapore; James Howe:Nanyang Technological University, Singapore; Anupam Chattopadhyay:Nanyang Technological University, Singapore; Shivam Bhasin:Nanyang Technological University, Singapore
Break(30 mins)
03:20PM - 03:50PM
Session #6A: IoT Security
03:50PM - 05:50PM
Chaired by Xiaoyu Ji (Zhejiang University, China)
Process-Aware Cyberattacks for Thermal Desalination Plants
[PDF]
Prashant Hari Narayan Rajput:New York University Abu Dhabi; Pankaj Rajput:New York University Abu Dhabi; Marios Sazos:New York University Abu Dhabi; Michail Maniatakos:New York University Abu Dhabi
Prashant Hari Narayan Rajput:New York University Abu Dhabi; Pankaj Rajput:New York University Abu Dhabi; Marios Sazos:New York University Abu Dhabi; Michail Maniatakos:New York University Abu Dhabi
Study of Misbinding Attacks on Secure Device Pairing
[PDF]
Mohit Sethi:NomadicLab, Ericsson Research, Finland; Aleksi Peltonen:Aalto University, Finland; Tuomas Aura:Aalto University, Finland
Mohit Sethi:NomadicLab, Ericsson Research, Finland; Aleksi Peltonen:Aalto University, Finland; Tuomas Aura:Aalto University, Finland
Alexa lied to me: Skill-based Man-in-the-Middle Attacks on Virtual Assistants
[PDF]
Richard Mitev:Technische University Darmstadt; Markus Miettinen:Technische University Darmstadt; Ahmad-Reza Sadeghi:Technische University Darmstadt
Richard Mitev:Technische University Darmstadt; Markus Miettinen:Technische University Darmstadt; Ahmad-Reza Sadeghi:Technische University Darmstadt
(Short paper) HADES-IoT: A Practical Host-Based Anomaly Detection System for IoT Devices
[PDF]
Dominik Breitenbacher:Singapore University of Technology and Design; Ivan Homoliak:Singapore University of Technology and Design; Yan Lin Aung:Singapore University of Technology and Design; Nils Ole Tippenhauer:CISPA Helmholtz Center for Information Security; Yuval Elovici:Singapore University of Technology and Design
Dominik Breitenbacher:Singapore University of Technology and Design; Ivan Homoliak:Singapore University of Technology and Design; Yan Lin Aung:Singapore University of Technology and Design; Nils Ole Tippenhauer:CISPA Helmholtz Center for Information Security; Yuval Elovici:Singapore University of Technology and Design
(Short paper) A Pilot Study on Consumer IoT Device Vulnerability Disclosure and Patch Release in Japan and the United States
[PDF]
Asuka Nakajima:NTT Secure Platform Laboratories; Takuya Watanabe:NTT Secure Platform Laboratories; Eitaro Shioji:NTT Secure Platform Laboratories; Mitsuaki Akiyama:NTT Secure Platform Laboratories; Maverick Woo:Carnegie Mellon University
Asuka Nakajima:NTT Secure Platform Laboratories; Takuya Watanabe:NTT Secure Platform Laboratories; Eitaro Shioji:NTT Secure Platform Laboratories; Mitsuaki Akiyama:NTT Secure Platform Laboratories; Maverick Woo:Carnegie Mellon University
(Short paper) E-Spion: A System-Level Intrusion Detection System for IoT Devices
[PDF]
Anand Mudgerikar:Purdue University; Puneet Sharma:HPE; Elisa Bertino:Purdue University
Anand Mudgerikar:Purdue University; Puneet Sharma:HPE; Elisa Bertino:Purdue University
Session #6B: Applied Cryptography
03:50PM - 05:20PM
Chaired by Robert Deng (Singapore Management University, Singapore)
K2SN-MSS: An Efficient Post-Quantum Signature
[PDF]
Sabyasachi Karati:University of Calgary; Reihaneh Safavi-Naini:University of Calgary
Sabyasachi Karati:University of Calgary; Reihaneh Safavi-Naini:University of Calgary
Proper Usage of the Group Signature Scheme in ISO/IEC 20008-2
[PDF]
Ai Ishida:National Institute of Advanced Industrial Science and Technology; Yusuke Sakai:National Institute of Advanced Industrial Science and Technology; Keita Emura:National Institute of Information and Communications Technology; Goichiro Hanaoka:National Institute of Advanced Industrial Science and Technology; Keisuke Tanaka:Tokyo Institute of Technology
Ai Ishida:National Institute of Advanced Industrial Science and Technology; Yusuke Sakai:National Institute of Advanced Industrial Science and Technology; Keita Emura:National Institute of Information and Communications Technology; Goichiro Hanaoka:National Institute of Advanced Industrial Science and Technology; Keisuke Tanaka:Tokyo Institute of Technology
Practical Aggregate Signature from General Elliptic Curves, and Applications to Blockchain
[PDF]
Yunlei Zhao:Software School, Fudan University, Shanghai, China
Yunlei Zhao:Software School, Fudan University, Shanghai, China
(Short paper) Examining DES-based Cipher Suite Support within the TLS Ecosystem
[PDF]
Vanessa Frost:University of Florida; Dave Tian:University of Florida; Christie Ruales:University of Florida; Vijay Prakash:University of Florida; Kevin Butler:University of Florida; Patrick Traynor:University of Florida
Vanessa Frost:University of Florida; Dave Tian:University of Florida; Christie Ruales:University of Florida; Vijay Prakash:University of Florida; Kevin Butler:University of Florida; Patrick Traynor:University of Florida
Banquet
Thursday, July 11 (Day 3)
Keynote 3: Heiko Mantel; TU Darmstadt
09:00AM - 10:00AM
Chaired by Engin Kirda (Northeastern University, USA)
From Attacker Models to Reliable Security
[PDF]
Attack trees are a popular graphical notation for capturing threats to IT systems. They can be used to describe attacks in terms of attacker goals and attacker actions. By focusing on the viewpoint of a single attacker and on a particular attacker goal in the creation of an attack tree, one reduces the conceptual complexity of threat modeling substantially. Aspects not covered by attack trees, like the behavior of the system under attack, can then be described using other models to enable a security analysis based on a combination of the models.
Despite the high popularity of attack trees in security engineering for many years, some pitfalls in their use were identified only recently. In this talk, I will point out such difficulties, outline how attack trees can be used in combination with system models, and clarify the consequences of different combinations for security analysis results. After a security analysis of an abstract model, the insights gained need to be mapped to reality. I will introduce an automata-based model of run-time monitors and will show how defenses in this model can be realized at runtime with the CliSeAu system.
Attack trees are a popular graphical notation for capturing threats to IT systems. They can be used to describe attacks in terms of attacker goals and attacker actions. By focusing on the viewpoint of a single attacker and on a particular attacker goal in the creation of an attack tree, one reduces the conceptual complexity of threat modeling substantially. Aspects not covered by attack trees, like the behavior of the system under attack, can then be described using other models to enable a security analysis based on a combination of the models.
Despite the high popularity of attack trees in security engineering for many years, some pitfalls in their use were identified only recently. In this talk, I will point out such difficulties, outline how attack trees can be used in combination with system models, and clarify the consequences of different combinations for security analysis results. After a security analysis of an abstract model, the insights gained need to be mapped to reality. I will introduce an automata-based model of run-time monitors and will show how defenses in this model can be realized at runtime with the CliSeAu system.
Break(30 mins)
10:00AM - 10:30AM
Session #7: Hardware and Systems
10:30AM - 12:20PM
Chaired by Yusung Wu (National Chiao Tung University, Taiwan)
Pinpoint Rowhammer: Suppressing Unwanted Bit Flips on Rowhammer Attacks
[PDF]
Sangwoo Ji:POSTECH; Youngjoo Ko:POSTECH; Saeyoung Oh:POSTECH; Jong Kim:POSTECH
Sangwoo Ji:POSTECH; Youngjoo Ko:POSTECH; Saeyoung Oh:POSTECH; Jong Kim:POSTECH
RIP-RH: Preventing Rowhammer-based Inter-Process Attacks
[PDF]
Carsten Bock:TU Darmstadt; Ferdinand Brasser:TU Darmstadt; David Gens:TU Darmstadt; Ahmad-Reza Sadeghi:TU Darmstadt
Carsten Bock:TU Darmstadt; Ferdinand Brasser:TU Darmstadt; David Gens:TU Darmstadt; Ahmad-Reza Sadeghi:TU Darmstadt
eHIFS: An Efficient History Independent File System
[PDF]
Biao Gao:Institute of Information Engineering; Bo Chen:Department of Computer Science, Michigan Technological University; Shijie Jia:Institute of Information Engineering, CAS; Luning Xia:Institute of Information Engineering
Biao Gao:Institute of Information Engineering; Bo Chen:Department of Computer Science, Michigan Technological University; Shijie Jia:Institute of Information Engineering, CAS; Luning Xia:Institute of Information Engineering
(Short paper) Thermanator: Thermal Residue-Based Post Factum Attacks On Keyboard Data Entry
[PDF]
Tyler Kaczmarek:University of California, Irvine; Ercan Ozturk:University of California, Irvine; Gene Tsudik:University of California, Irvine
Tyler Kaczmarek:University of California, Irvine; Ercan Ozturk:University of California, Irvine; Gene Tsudik:University of California, Irvine
(Short paper) Design procedure of knowledge base for practical attack graph generation
[PDF]
Masaki Inokuchi:Security Research Laboratories, NEC Corporation; Yoshinobu Ohta:Security Research Laboratories, NEC Corporation; Shunichi Kinoshita:Security Research Laboratories, NEC Corporation; Tomohiko Yagyu:Security Research Laboratories, NEC Corporation; Orly Stan:Department of Software and Information Systems Engineering, Ben-Gurion University of the Negev; Ron Bitton:Department of Software and Information Systems Engineering, Ben-Gurion University of the Negev; Yuval Elovici:Department of Software and Information Systems Engineering, Ben-Gurion University of the Negev; Asaf Shabtai:Department of Software and Information Systems Engineering, Ben-Gurion University of the Negev
Masaki Inokuchi:Security Research Laboratories, NEC Corporation; Yoshinobu Ohta:Security Research Laboratories, NEC Corporation; Shunichi Kinoshita:Security Research Laboratories, NEC Corporation; Tomohiko Yagyu:Security Research Laboratories, NEC Corporation; Orly Stan:Department of Software and Information Systems Engineering, Ben-Gurion University of the Negev; Ron Bitton:Department of Software and Information Systems Engineering, Ben-Gurion University of the Negev; Yuval Elovici:Department of Software and Information Systems Engineering, Ben-Gurion University of the Negev; Asaf Shabtai:Department of Software and Information Systems Engineering, Ben-Gurion University of the Negev
Lunch
Social Event
Friday, July 12 (Day 4)
Session #8: Blockchain Security
09:00AM - 10:15AM
Chaired by Aravind Prakash (SUNY Binghamton, USA)
On the Difficulty of Hiding the Balance of Lightning Network Channels
[PDF]
Jordi Herrera-Joancomarti:Universitat Autonoma de Barcelona; Guilllermo Navarro-Arribas:Universitat Autonoma de Barcelona; Alejandro Ranchal-Pedrosa:Telecom SudParis; Joaquin Garcia-Alfaro:Telecom SudParis, CNRS SAMOVAR; Cristina Perez-Sola:Universitat Rovira i Virgili
Jordi Herrera-Joancomarti:Universitat Autonoma de Barcelona; Guilllermo Navarro-Arribas:Universitat Autonoma de Barcelona; Alejandro Ranchal-Pedrosa:Telecom SudParis; Joaquin Garcia-Alfaro:Telecom SudParis, CNRS SAMOVAR; Cristina Perez-Sola:Universitat Rovira i Virgili
A New Blind ECDSA Scheme for Bitcoin Transaction Anonymity
[PDF]
Xun Yi:RMIT University, Australia; Kwok-Yan Lam:Nanyang Technological University, Singapore
Xun Yi:RMIT University, Australia; Kwok-Yan Lam:Nanyang Technological University, Singapore
On The Unforkability of Monero
[PDF]
Dimaz Ankaa Wijaya:Monash University; Joseph Liu:Monash University; Ron Steinfeld:Monash University; Dongxi Liu:Data61, CSIRO, Australia; Jiangshan Yu:Monash University
Dimaz Ankaa Wijaya:Monash University; Joseph Liu:Monash University; Ron Steinfeld:Monash University; Dongxi Liu:Data61, CSIRO, Australia; Jiangshan Yu:Monash University
Break(30 mins)
10:15AM - 10:45AM
Session #9: Fuzzing
10:45AM - 11:50AM
Chaired by William Robertson (Northeastern University, USA)
Ptrix: Efficient Hardware-Assisted Fuzzing for COTS Binary
[PDF]
Yaohui Chen:Northeastern University; Dongliang Mu:Penn State University; Zhichuang Sun:Northeastern University; Jun Xu:Stevens Institute of Technology; Wenguo Shen:Samsung Research American; Xinyu Xing:Penn State University; Long Lu:Northeastern University; Bing Mao:Nanjing University
Yaohui Chen:Northeastern University; Dongliang Mu:Penn State University; Zhichuang Sun:Northeastern University; Jun Xu:Stevens Institute of Technology; Wenguo Shen:Samsung Research American; Xinyu Xing:Penn State University; Long Lu:Northeastern University; Bing Mao:Nanjing University
An Empirical Study of Prioritizing JavaScript Engine Crashes via Machine Learning
[PDF]
Sunnyeo Park:KAIST; Dohyeok Kim:KAIST; Sooel Son:KAIST
Sunnyeo Park:KAIST; Dohyeok Kim:KAIST; Sooel Son:KAIST
(Short paper) A Feature-Oriented Corpus for understanding, Evaluating and Improving Fuzz Testing
[PDF]
Xiaogang Zhu:Swinburne University of Technology; Xiaotao Feng:Swinburne University of Technology; Tengyun Jiao:Swinburne University of Technology; Sheng Wen:Swinburne University of Technology; Jingling Xue:The University of New South Wales; Seyit Camtepe:CSIRO Data61; Yang Xiang:Swinburne University of Technology
Xiaogang Zhu:Swinburne University of Technology; Xiaotao Feng:Swinburne University of Technology; Tengyun Jiao:Swinburne University of Technology; Sheng Wen:Swinburne University of Technology; Jingling Xue:The University of New South Wales; Seyit Camtepe:CSIRO Data61; Yang Xiang:Swinburne University of Technology