
Proceedings of the third ACM conference on Data and application security and privacy: latest articles

Exploring dependency for query privacy protection in location-based services
Xihui Chen, Jun Pang
Location-based services have been enduring a fast development for almost fifteen years. Due to the lack of proper privacy protection, especially in the early stage of the development, an enormous amount of user request records have been collected. This exposes potential threats to users' privacy as new contextual information can be extracted from such records. In this paper, we study query dependency which can be derived from users' request history, and investigate its impact on users' query privacy. To achieve our goal, we present an approach to compute the probability for a user to issue a query, by taking into account both user's query dependency and observed requests. We propose new metrics incorporating query dependency for query privacy, and adapt spatial generalisation algorithms in the literature to generate requests satisfying users' privacy requirements expressed in the new metrics. Through experiments, we evaluate the impact of query dependency on query privacy and show that our proposed metrics and algorithms are effective and efficient for practical applications.
DOI: https://doi.org/10.1145/2435349.2435354 | Published: 2013-02-18
Citations: 9
JStill: mostly static detection of obfuscated malicious JavaScript code
W. Xu, Fangfang Zhang, Sencun Zhu
The dynamic features of the JavaScript language not only promote various means for users to interact with websites through Web browsers, but also pose serious security threats to both users and websites. On top of this, obfuscation has become a popular technique among malicious JavaScript code that tries to hide its malicious purpose and to evade the detection of anti-virus software. To defend against obfuscated malicious JavaScript code, in this paper we propose a mostly static approach called JStill. JStill captures some essential characteristics of obfuscated malicious code by function invocation based analysis. It also leverages the combination of static analysis and lightweight runtime inspection so that it can not only detect, but also prevent the execution of the obfuscated malicious JavaScript code in browsers. Our evaluation based on real-world malicious JavaScript samples as well as Alexa top 50,000 websites demonstrates high detection accuracy (all in our experiment) and low false positives of JStill. Meanwhile, JStill only incurs negligible performance overhead, making it a practical solution to preventing obfuscated malicious JavaScript code.
DOI: https://doi.org/10.1145/2435349.2435364 | Published: 2013-02-18
Citations: 87
A study of user password strategy for multiple accounts
Taiabul Haque, M. Wright, Shannon Scielzo
Despite advances in biometrics and other technologies, passwords remain the most commonly used means of authentication in computer systems. Users maintain different security levels for different passwords. In this study, we examine the degree of similarity among passwords of different security levels of a user. We conducted a laboratory experiment with 80 students from the University of Texas at Arlington (UTA). We asked the subjects to construct new passwords for websites of different security levels. We collected the lower-level passwords (e.g., passwords for online news sites) constructed by the subjects, combined them with a comprehensive wordlist, and performed dictionary attacks on their constructed passwords from the higher-level sites (e.g., banking websites). We could successfully crack almost one-third of their constructed passwords from the higher-level sites with this method. This suggests that, if a user's lower-level password is leaked, it can be used effectively by an attacker to crack some of the user's higher-level passwords.
DOI: https://doi.org/10.1145/2435349.2435373 | Published: 2013-02-18
Citations: 49
Session details: Cloud and distributed computing security and privacy
Lujo Bauer
DOI: https://doi.org/10.1145/3260280 | Published: 2013-02-18
Citations: 0
Session details: Short papers: users and security economics
A. Squicciarini
DOI: https://doi.org/10.1145/3260279 | Published: 2013-02-18
Citations: 0
Adaptive data protection in distributed systems
A. Squicciarini, Giuseppe Petracca, E. Bertino
Security is an important barrier to wide adoption of distributed systems for sensitive data storage and management. In particular, one unsolved problem is to ensure that customers' data protection policies are honored, regardless of where the data is physically stored and how often it is accessed, modified, and duplicated. This issue calls for two requirements to be satisfied. First, data should be managed in accordance to both owners' preferences and to the local regulations that may apply. Second, although multiple copies may exist, a consistent view across copies should be maintained. Toward addressing these issues, in this work we propose innovative policy enforcement techniques for adaptive sharing of users' outsourced data. We introduce the notion of autonomous self-controlling objects (SCO), that by means of object-oriented programming techniques, encapsulate sensitive resources and assure their protection by means of adaptive security policies of various granularity, and synchronization protocols. Through extensive evaluation, we show that our approach is effective and efficiently manages multiple data copies.
DOI: https://doi.org/10.1145/2435349.2435401 | Published: 2013-02-18
Citations: 24
Persea: a sybil-resistant social DHT
M. N. Al-Ameen, M. Wright
P2P systems are inherently vulnerable to Sybil attacks, in which an attacker can have a large number of identities and use them to control a substantial fraction of the system. We propose Persea, a novel P2P system that is more robust against Sybil attacks than prior approaches. Persea derives its Sybil resistance by assigning IDs through a bootstrap tree, the graph of how nodes have joined the system through invitations. More specifically, a node joins Persea when it gets an invitation from an existing node in the system. The inviting node assigns a node ID to the joining node and gives it a chunk of node IDs for further distribution. For each chunk of ID space, the attacker needs to socially engineer a connection to another node already in the system. This hierarchical distribution of node IDs confines a large attacker botnet to a considerably smaller region of the ID space than in a normal P2P system. Persea uses a replication mechanism in which each (key,value) pair is stored in nodes that are evenly spaced over the network. Thus, even if a given region is occupied by attackers, the desired (key,value) pair can be retrieved from other regions. We compare our results with Kad, Whanau, and X-Vine and show that Persea is a better solution against Sybil attacks.
DOI: https://doi.org/10.1145/2435349.2435372 | Published: 2013-02-18
Citations: 9
Enhancing performance of searchable encryption in cloud computing
R. Rughinis
Predicate evaluation on encrypted data is a challenge that modern cryptography is starting to address. The advantages of constructing logical primitives that are able to operate on encrypted data are numerous, such as allowing untrusted parties to take decisions without actually having access to the plaintext. Systems that offer these methods are grouped under the name of searchable encryption systems. One of the challenges that searchable encryption faces today is related to computational and bandwidth costs, because the mathematical operations involved are expensive. Recent algorithms such as Hidden Vector Encryption exhibit improved efficiency, but for large scale systems the optimizations are often not enough. Many problems that can be solved using searchable encryption are embarrassingly parallel. Using a prototype, we show that parallel solutions offer sufficient cost reduction so that large scale applications become feasible.
DOI: https://doi.org/10.1145/2435349.2435369 | Published: 2013-02-18
Citations: 5
The usability of TrueCrypt, or how I learned to stop whining and fix an interface
Sumeet Gujrati, Eugene Y. Vasserman
Non-use or incorrect use of security software is one major reason for privacy breaches of all scales. The problem is compounded by software, security policies, and user interfaces that are difficult to use and understand. Using widely accepted user interface analysis methods, we examine a popular free and open source disk encryption software package, and find that it is far from accessible to ordinary users. Using rigorous interface design principles, we derive several concrete changes that would make the software easier to use, and construct a new interface to test our theories. We evaluate the two interfaces through a randomized user study in a controlled laboratory setting, and determine that the new interface is significantly easier to understand and faster to use, especially for novice computer users. We observe not only measurable speed-ups of common tasks, but also improved user-reported ease of use ratings. Several of our design choices turn out to have been misguided, making some tasks more difficult in our modified interface, but fortunately our alterations are mutually independent, i.e. reverting some components to their original design does not nullify the benefit of other modifications. Our experience shows that even simple, intuitive, and logically consistent modifications to complex interfaces have dramatic positive usability effects, and can be easily applied to different pieces of security software in order to reduce the impediment to uptake by novice users.
DOI: https://doi.org/10.1145/2435349.2435360 | Published: 2013-02-18
Citations: 2
Smart keys for cyber-cars: secure smartphone-based NFC-enabled car immobilizer
Christoph Busold, Ahmed Taha, C. Wachsmann, A. Dmitrienko, Hervé Seudie, Majid Sobhani, A. Sadeghi
Smartphones have become very popular and versatile devices. An emerging trend is the integration of smartphones into automotive systems and applications, particularly access control systems to unlock cars (doors and immobilizers). Smartphone-based automotive solutions promise to greatly enhance the user's experience by providing advanced features far beyond the conventional dedicated tokens/transponders. We present the first open security framework for secure smartphone-based immobilizers. Our generic security architecture protects the electronic access tokens on the smartphone and provides advanced features such as context-aware access policies, remote issuing and revocation of access rights and their delegation to other users. We discuss various approaches to instantiate our security architecture based on different hardware-based trusted execution environments, and elaborate on their security properties. We implemented our immobilizer system based on the latest Android-based smartphone and a microSD smartcard. Further, we support the algorithmic proofs of the security of the underlying protocols with automated formal verification tools.
DOI: https://doi.org/10.1145/2435349.2435382 | Published: 2013-02-18
Citations: 48