Lingyun Ying, Yao Cheng, Yemian Lu, Yacong Gu, Purui Su, D. Feng
Nowadays, the popular Android is so closely involved in people's daily lives that people rely on Android to perform critical operations and trust Android with sensitive information. It is of great importance to guarantee the usability and security of Android which, however, is such a huge system that a potential threat may arise from any part of it. In this paper, we focus on the Free Floating window (FF window) which is a category of windows that can appear freely above any other applications. It can share the screen space with other FF windows, dialogs, and activities. An FF window is flexible in both its appearance and behaviour features. We analyse the behaviour features of FF windows, including the priority in display layer and the capability of processing user-generated events. Three types of attacks via FF windows with delicate design in their appearance and behaviour features are demonstrated, i.e., DoS attack against Android system, GUI hijacking by targeting overlap, and input inference using FF windows as a side channel. To address the threat caused by FF windows, we design a priority framework for FF windows, which protects a sensitive activity/FF window declared by developers from being attacked by any malicious FF windows. A complementary solution is proposed to mitigate the confusion attack from malicious activities. Finally, we provide Android with suggestions on how to manage FF windows.
{"title":"Attacks and Defence on Android Free Floating Windows","authors":"Lingyun Ying, Yao Cheng, Yemian Lu, Yacong Gu, Purui Su, D. Feng","doi":"10.1145/2897845.2897897","DOIUrl":"https://doi.org/10.1145/2897845.2897897","url":null,"abstract":"Nowadays, the popular Android is so closely involved in people's daily lives that people rely on Android to perform critical operations and trust Android with sensitive information. It is of great importance to guarantee the usability and security of Android which, however, is such a huge system that a potential threat may arise from any part of it. In this paper, we focus on the Free Floating window (FF window) which is a category of windows that can appear freely above any other applications. It can share the screen space with other FF windows, dialogs, and activities. An FF window is flexible in both its appearance and behaviour features. We analyse the behaviour features of FF windows, including the priority in display layer and the capability of processing user-generated events. Three types of attacks via FF windows with delicate design in their appearance and behaviour features are demonstrated, i.e., DoS attack against Android system, GUI hijacking by targeting overlap, and input inference using FF windows as a side channel. To address the threat caused by FF windows, we design a priority framework for FF windows, which protects a sensitive activity/FF window declared by developers from being attacked by any malicious FF windows. A complementary solution is proposed to mitigate the confusion attack from malicious activities. Finally, we provide Android with suggestions on how to manage FF windows.","PeriodicalId":166633,"journal":{"name":"Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security","volume":"8 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-05-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114964446","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
In this paper, we propose a hierarchical identity-based encryption (HIBE) scheme in the random oracle (RO) model based on the learning with rounding (LWR) problem over small modulus $q$. Compared with the previous HIBE schemes based on the learning with errors (LWE) problem, the ciphertext expansion ratio of our scheme can be decreased to 1/2. Then, we utilize the HIBE scheme to construct a deterministic hierarchical identity-based encryption (D-HIBE) scheme based on the LWR problem over small modulus. Finally, with the technique of binary tree encryption (BTE) we can construct HIBE and D-HIBE schemes in the standard model based on the LWR problem over small modulus.
{"title":"(Deterministic) Hierarchical Identity-based Encryption from Learning with Rounding over Small Modulus","authors":"Fuyang Fang, Bao Li, Xianhui Lu, Yamin Liu, Dingding Jia, Haiyang Xue","doi":"10.1145/2897845.2897922","DOIUrl":"https://doi.org/10.1145/2897845.2897922","url":null,"abstract":"In this paper, we propose a hierarchical identity-based encryption (HIBE) scheme in the random oracle (RO) model based on the learning with rounding (LWR) problem over small modulus $q$. Compared with the previous HIBE schemes based on the learning with errors (LWE) problem, the ciphertext expansion ratio of our scheme can be decreased to 1/2. Then, we utilize the HIBE scheme to construct a deterministic hierarchical identity-based encryption (D-HIBE) scheme based on the LWR problem over small modulus. Finally, with the technique of binary tree encryption (BTE) we can construct HIBE and D-HIBE schemes in the standard model based on the LWR problem over small modulus.","PeriodicalId":166633,"journal":{"name":"Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security","volume":"24 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-05-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"117061795","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Code diversification is an effective mitigation against return-oriented programming attacks, which breaks the assumptions of attackers about the location and structure of useful instruction sequences, known as "gadgets". Although a wide range of code diversification techniques of varying levels of granularity exist, most of them rely on the availability of source code, debug symbols, or the assumption of fully precise code disassembly, limiting their practical applicability for the protection of closed-source third-party applications. In-place code randomization has been proposed as an alternative binary-compatible diversification technique that is tolerant of partial disassembly coverage, in the expense though of leaving some gadgets intact, at the disposal of attackers. Consequently, the possibility of constructing robust ROP payloads using only the remaining non-randomized gadgets is still open. In this paper we present instruction displacement, a code diversification technique based on static binary instrumentation that does not rely on complete code disassembly coverage. Instruction displacement aims to improve the randomization coverage and entropy of existing binary-level code diversification techniques by displacing any remaining non-randomized gadgets to random locations. The results of our experimental evaluation demonstrate that instruction displacement reduces the number of non-randomized gadgets in the extracted code regions from 15.04% for standalone in-place code randomization, to 2.77% for the combination of both techniques. At the same time, the additional indirection introduced due to displacement incurs a negligible runtime overhead of 0.36% on average for the SPEC CPU2006 benchmarks.
{"title":"Juggling the Gadgets: Binary-level Code Randomization using Instruction Displacement","authors":"Hyungjoon Koo, M. Polychronakis","doi":"10.1145/2897845.2897863","DOIUrl":"https://doi.org/10.1145/2897845.2897863","url":null,"abstract":"Code diversification is an effective mitigation against return-oriented programming attacks, which breaks the assumptions of attackers about the location and structure of useful instruction sequences, known as \"gadgets\". Although a wide range of code diversification techniques of varying levels of granularity exist, most of them rely on the availability of source code, debug symbols, or the assumption of fully precise code disassembly, limiting their practical applicability for the protection of closed-source third-party applications. In-place code randomization has been proposed as an alternative binary-compatible diversification technique that is tolerant of partial disassembly coverage, in the expense though of leaving some gadgets intact, at the disposal of attackers. Consequently, the possibility of constructing robust ROP payloads using only the remaining non-randomized gadgets is still open. In this paper we present instruction displacement, a code diversification technique based on static binary instrumentation that does not rely on complete code disassembly coverage. Instruction displacement aims to improve the randomization coverage and entropy of existing binary-level code diversification techniques by displacing any remaining non-randomized gadgets to random locations. The results of our experimental evaluation demonstrate that instruction displacement reduces the number of non-randomized gadgets in the extracted code regions from 15.04% for standalone in-place code randomization, to 2.77% for the combination of both techniques. At the same time, the additional indirection introduced due to displacement incurs a negligible runtime overhead of 0.36% on average for the SPEC CPU2006 benchmarks.","PeriodicalId":166633,"journal":{"name":"Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security","volume":"15 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-05-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125558993","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Gabriele Costa, Paolo Gasti, A. Merlo, Shunt-Hsi Yu
Mobile code distribution relies on digital signatures to guarantee code authenticity. Unfortunately, standard signature schemes are not well suited for use in conjunction with program transformation techniques, such as aspect-oriented programming. With these techniques, code development is performed in sequence by multiple teams of programmers. This is fundamentally different from traditional single-developer/ single-user models, where users can verify end-to-end (i.e., developer-to-user) authenticity of the code using digital signatures. To address this limitation, we introduce FLEX, a flexible code authentication framework for mobile applications. FLEX allows semi-trusted intermediaries to modify mobile code without invalidating the developer's signature, as long as the modification complies with a "contract" issued by the developer. We introduce formal definitions for secure code modification, and show that our instantiation of FLEX is secure under these definitions. Although FLEX can be instantiated using any language, we design AMJ--a novel programming language that supports code annotations--and implement a FLEX prototype based on our new language.
{"title":"FLEX: A Flexible Code Authentication Framework for Delegating Mobile App Customization","authors":"Gabriele Costa, Paolo Gasti, A. Merlo, Shunt-Hsi Yu","doi":"10.1145/2897845.2897887","DOIUrl":"https://doi.org/10.1145/2897845.2897887","url":null,"abstract":"Mobile code distribution relies on digital signatures to guarantee code authenticity. Unfortunately, standard signature schemes are not well suited for use in conjunction with program transformation techniques, such as aspect-oriented programming. With these techniques, code development is performed in sequence by multiple teams of programmers. This is fundamentally different from traditional single-developer/ single-user models, where users can verify end-to-end (i.e., developer-to-user) authenticity of the code using digital signatures. To address this limitation, we introduce FLEX, a flexible code authentication framework for mobile applications. FLEX allows semi-trusted intermediaries to modify mobile code without invalidating the developer's signature, as long as the modification complies with a \"contract\" issued by the developer. We introduce formal definitions for secure code modification, and show that our instantiation of FLEX is secure under these definitions. Although FLEX can be instantiated using any language, we design AMJ--a novel programming language that supports code annotations--and implement a FLEX prototype based on our new language.","PeriodicalId":166633,"journal":{"name":"Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security","volume":"197 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-05-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114923944","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Seyed Hossein Ahmadinejad, Philip W. L. Fong, R. Safavi-Naini
Modern social computing platforms (e.g., Facebook) are extensible. Third-party developers deploy extensions (e.g., Facebook applications) that augment the functionalities of the underlying platforms. Previous work demonstrated that permission-based protection mechanisms, adopted to control access to users' personal information, fail to control inference - the inference of private information from public information. We envision an alternative protection model in which user profiles undergo sanitizing transformations before being released to third-party applications. Each transformation specifies an alternative view of the user profile. Unlike permission-based protection, this framework addresses the need for inference control. This work lays the theoretical foundation for view-based protection in three ways. First, existing work in privacy- preserving data publishing focuses on structured data (e.g., tables), but user profiles are semi-structured (e.g., trees). In information-theoretic terms, we define privacy and utility goals that can be applied to semi-structured data. Our notions of privacy and utility are highly targeted, mirroring the set up of social computing platforms, in which users specify their privacy preferences and third-party applications focus their accesses on selected components of the user profile. Second, we define an algebra of trees in which sanitizing transformations previously designed for structured data (e.g., generalization, noise introduction, etc) are now formulated for semi-structured data in terms of tree operations. Third, we evaluate the usefulness of our model by illustrating how the privacy enhancement and utility preservation effects of a view (a sanitizing transformation) can be formally and quantitatively assessed in our model. To the best of our knowledge, ours is the first work to articulate precise privacy and utility goals of inference control mechanisms for third-party applications in social computing platforms.
{"title":"Privacy and Utility of Inference Control Mechanisms for Social Computing Applications","authors":"Seyed Hossein Ahmadinejad, Philip W. L. Fong, R. Safavi-Naini","doi":"10.1145/2897845.2897878","DOIUrl":"https://doi.org/10.1145/2897845.2897878","url":null,"abstract":"Modern social computing platforms (e.g., Facebook) are extensible. Third-party developers deploy extensions (e.g., Facebook applications) that augment the functionalities of the underlying platforms. Previous work demonstrated that permission-based protection mechanisms, adopted to control access to users' personal information, fail to control inference - the inference of private information from public information. We envision an alternative protection model in which user profiles undergo sanitizing transformations before being released to third-party applications. Each transformation specifies an alternative view of the user profile. Unlike permission-based protection, this framework addresses the need for inference control. This work lays the theoretical foundation for view-based protection in three ways. First, existing work in privacy- preserving data publishing focuses on structured data (e.g., tables), but user profiles are semi-structured (e.g., trees). In information-theoretic terms, we define privacy and utility goals that can be applied to semi-structured data. Our notions of privacy and utility are highly targeted, mirroring the set up of social computing platforms, in which users specify their privacy preferences and third-party applications focus their accesses on selected components of the user profile. Second, we define an algebra of trees in which sanitizing transformations previously designed for structured data (e.g., generalization, noise introduction, etc) are now formulated for semi-structured data in terms of tree operations. Third, we evaluate the usefulness of our model by illustrating how the privacy enhancement and utility preservation effects of a view (a sanitizing transformation) can be formally and quantitatively assessed in our model. To the best of our knowledge, ours is the first work to articulate precise privacy and utility goals of inference control mechanisms for third-party applications in social computing platforms.","PeriodicalId":166633,"journal":{"name":"Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security","volume":"75 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-05-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129643190","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Affordable cloud computing technologies allow users to efficiently store, and manage their Personal Health Records (PHRs) and share with their caregivers or physicians. This in turn improves the quality of healthcare services, and lower health care cost. However, serious security and privacy concerns emerge because people upload their personal information and PHRs to the public cloud. Data encryption provides privacy protection of medical information but it is challenging to utilize encrypted data. In this paper, we present a privacy-preserving disease treatment, complication prediction scheme (PDTCPS), which allows authorized users to conduct searches for disease diagnosis, personalized treatments, and prediction of potential complications. $PDTCPS$ uses a tree-based structure to boost search efficiency, a wildcard approach to support fuzzy keyword search, and a Bloom-filter to improve search accuracy and storage efficiency. In addition, our design also allows health care providers and the public cloud to collectively generate aggregated training models for disease diagnosis, personalized treatments and complications prediction. Moreover, our design provides query unlinkability and hides both search & access patterns. Finally, our evaluation results using two UCI datasets show that our scheme is more efficient and accurate than two existing schemes.
{"title":"Privacy Preserving Disease Treatment & Complication Prediction System (PDTCPS)","authors":"Qinghan Xue, M. Chuah, Yingying Chen","doi":"10.1145/2897845.2897893","DOIUrl":"https://doi.org/10.1145/2897845.2897893","url":null,"abstract":"Affordable cloud computing technologies allow users to efficiently store, and manage their Personal Health Records (PHRs) and share with their caregivers or physicians. This in turn improves the quality of healthcare services, and lower health care cost. However, serious security and privacy concerns emerge because people upload their personal information and PHRs to the public cloud. Data encryption provides privacy protection of medical information but it is challenging to utilize encrypted data. In this paper, we present a privacy-preserving disease treatment, complication prediction scheme (PDTCPS), which allows authorized users to conduct searches for disease diagnosis, personalized treatments, and prediction of potential complications. $PDTCPS$ uses a tree-based structure to boost search efficiency, a wildcard approach to support fuzzy keyword search, and a Bloom-filter to improve search accuracy and storage efficiency. In addition, our design also allows health care providers and the public cloud to collectively generate aggregated training models for disease diagnosis, personalized treatments and complications prediction. Moreover, our design provides query unlinkability and hides both search & access patterns. Finally, our evaluation results using two UCI datasets show that our scheme is more efficient and accurate than two existing schemes.","PeriodicalId":166633,"journal":{"name":"Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-05-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130407252","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Ahmed Taha, P. Metzler, Rubén Trapero, Jesus Luna, N. Suri
Security concerns are often mentioned amongst the reasons why organizations hesitate to adopt Cloud computing. Given that multiple Cloud Service Providers (CSPs) offer similar security services (e.g., "encryption key management") albeit with different capabilities and prices, the customers need to comparatively assess the offered security services in order to select the best CSP matching their security requirements. However, the presence of both explicit and implicit dependencies across security related services add further challenges for Cloud customers to (i) specify their security requirements taking service dependencies into consideration and (ii) to determine which CSP can satisfy these requirements. We present a framework to address these challenges. For challenge (i), our framework automatically detects conflicts resulting from inconsistent customer requirements. Moreover, our framework provides an explanation for the detected conflicts allowing customers to resolve these conflicts. To tackle challenge (ii), our framework assesses the security level provided by various CSPs and ranks the CSPs according to the desired customer requirements. We demonstrate the framework's effectiveness with real-world CSP case studies derived from the Cloud Security Alliance's Security, Trust and Assurance Registry.
{"title":"Identifying and Utilizing Dependencies Across Cloud Security Services","authors":"Ahmed Taha, P. Metzler, Rubén Trapero, Jesus Luna, N. Suri","doi":"10.1145/2897845.2897911","DOIUrl":"https://doi.org/10.1145/2897845.2897911","url":null,"abstract":"Security concerns are often mentioned amongst the reasons why organizations hesitate to adopt Cloud computing. Given that multiple Cloud Service Providers (CSPs) offer similar security services (e.g., \"encryption key management\") albeit with different capabilities and prices, the customers need to comparatively assess the offered security services in order to select the best CSP matching their security requirements. However, the presence of both explicit and implicit dependencies across security related services add further challenges for Cloud customers to (i) specify their security requirements taking service dependencies into consideration and (ii) to determine which CSP can satisfy these requirements. We present a framework to address these challenges. For challenge (i), our framework automatically detects conflicts resulting from inconsistent customer requirements. Moreover, our framework provides an explanation for the detected conflicts allowing customers to resolve these conflicts. To tackle challenge (ii), our framework assesses the security level provided by various CSPs and ranks the CSPs according to the desired customer requirements. We demonstrate the framework's effectiveness with real-world CSP case studies derived from the Cloud Security Alliance's Security, Trust and Assurance Registry.","PeriodicalId":166633,"journal":{"name":"Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security","volume":"120 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-05-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128022860","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
M. Vanhoef, Célestin Matte, M. Cunche, L. Cardoso, F. Piessens
We present several novel techniques to track (unassociated) mobile devices by abusing features of the Wi-Fi standard. This shows that using random MAC addresses, on its own, does not guarantee privacy. First, we show that information elements in probe requests can be used to fingerprint devices. We then combine these fingerprints with incremental sequence numbers, to create a tracking algorithm that does not rely on unique identifiers such as MAC addresses. Based on real-world datasets, we demonstrate that our algorithm can correctly track as much as 50% of devices for at least 20 minutes. We also show that commodity Wi-Fi devices use predictable scrambler seeds. These can be used to improve the performance of our tracking algorithm. Finally, we present two attacks that reveal the real MAC address of a device, even if MAC address randomization is used. In the first one, we create fake hotspots to induce clients to connect using their real MAC address. The second technique relies on the new 802.11u standard, commonly referred to as Hotspot 2.0, where we show that Linux and Windows send Access Network Query Protocol (ANQP) requests using their real MAC address.
{"title":"Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms","authors":"M. Vanhoef, Célestin Matte, M. Cunche, L. Cardoso, F. Piessens","doi":"10.1145/2897845.2897883","DOIUrl":"https://doi.org/10.1145/2897845.2897883","url":null,"abstract":"We present several novel techniques to track (unassociated) mobile devices by abusing features of the Wi-Fi standard. This shows that using random MAC addresses, on its own, does not guarantee privacy. First, we show that information elements in probe requests can be used to fingerprint devices. We then combine these fingerprints with incremental sequence numbers, to create a tracking algorithm that does not rely on unique identifiers such as MAC addresses. Based on real-world datasets, we demonstrate that our algorithm can correctly track as much as 50% of devices for at least 20 minutes. We also show that commodity Wi-Fi devices use predictable scrambler seeds. These can be used to improve the performance of our tracking algorithm. Finally, we present two attacks that reveal the real MAC address of a device, even if MAC address randomization is used. In the first one, we create fake hotspots to induce clients to connect using their real MAC address. The second technique relies on the new 802.11u standard, commonly referred to as Hotspot 2.0, where we show that Linux and Windows send Access Network Query Protocol (ANQP) requests using their real MAC address.","PeriodicalId":166633,"journal":{"name":"Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security","volume":"24 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-05-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130429775","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
We propose the notion of password-controlled encryption, a two-factor scheme involving a user-chosen password and the master public/secret key pair. The data owner obtains a secret key generated from a password and the master secret key of a key generation center (KGC) after authentication, and shares this password with encryptors and an emergency contact. In normal circumstances, the data owners can enforce access control by themselves. In emergency when the data owner is unavailable, any one with the same password can request for the decryption key from a KGC, without letting the KGC to know the password. At the same time, the KGC is held accountable if the key generation process is abused. Password-controlled encryption is especially applicable for protecting electronic medical record, which provides confidentiality with break-glass access, without relying on a key-escrow server or trusted hardware.
{"title":"Password-Controlled Encryption with Accountable Break-Glass Access","authors":"Zhang Tao, Sherman S. M. Chow, Jinyuan Sun","doi":"10.1145/2897845.2897869","DOIUrl":"https://doi.org/10.1145/2897845.2897869","url":null,"abstract":"We propose the notion of password-controlled encryption, a two-factor scheme involving a user-chosen password and the master public/secret key pair. The data owner obtains a secret key generated from a password and the master secret key of a key generation center (KGC) after authentication, and shares this password with encryptors and an emergency contact. In normal circumstances, the data owners can enforce access control by themselves. In emergency when the data owner is unavailable, any one with the same password can request for the decryption key from a KGC, without letting the KGC to know the password. At the same time, the KGC is held accountable if the key generation process is abused. Password-controlled encryption is especially applicable for protecting electronic medical record, which provides confidentiality with break-glass access, without relying on a key-escrow server or trusted hardware.","PeriodicalId":166633,"journal":{"name":"Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security","volume":"5 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-05-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"117327169","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Ronghai Yang, Guanchen Li, W. Lau, Kehuan Zhang, Pili Hu
Motivated by the prevalence of OAuth-related vulnerabilities in the wild, large-scale security testing of real-world OAuth 2.0 implementations have received increasing attention lately [31,37,42]. However, these existing works either rely on manual discovery of new vulnerabilities in OAuth 2.0 implementations or perform automated testing for specific, previously-known vulnerabilities across a large number of OAuth implementations. In this work, we propose an adaptive model-based testing framework to perform automated, large-scale security assessments for OAuth 2.0 implementations in practice. Key advantages of our approach include (1) its ability to identify existing vulnerabilities and discover new ones in an automated manner; (2) improved testing coverage as all possible execution paths within the scope of the model will be checked and (3) its ability to cater for the implementation differences of practical OAuth systems/ applications, which enables the analyst to offload the manual efforts for large-scale testing of OAuth implementations. We have designed and implemented OAuthTester to realize our proposed framework. Using OAuthTester, we examine the implementations of 4 major Identity Providers as well as 500 top-ranked US and Chinese websites which use the OAuth-based Single-Sign-On service provided by the formers. Our empirical findings demonstrate the efficacy of adaptive model-based testing on OAuth 2.0 deployments at scale. More importantly, OAuthTester not only manages to rediscover various existing vulnerabilities but also identify several previously unknown security flaws and new exploits for a large number of eal-world applications implementing OAuth 2.0.
{"title":"Model-based Security Testing: An Empirical Study on OAuth 2.0 Implementations","authors":"Ronghai Yang, Guanchen Li, W. Lau, Kehuan Zhang, Pili Hu","doi":"10.1145/2897845.2897874","DOIUrl":"https://doi.org/10.1145/2897845.2897874","url":null,"abstract":"Motivated by the prevalence of OAuth-related vulnerabilities in the wild, large-scale security testing of real-world OAuth 2.0 implementations have received increasing attention lately [31,37,42]. However, these existing works either rely on manual discovery of new vulnerabilities in OAuth 2.0 implementations or perform automated testing for specific, previously-known vulnerabilities across a large number of OAuth implementations. In this work, we propose an adaptive model-based testing framework to perform automated, large-scale security assessments for OAuth 2.0 implementations in practice. Key advantages of our approach include (1) its ability to identify existing vulnerabilities and discover new ones in an automated manner; (2) improved testing coverage as all possible execution paths within the scope of the model will be checked and (3) its ability to cater for the implementation differences of practical OAuth systems/ applications, which enables the analyst to offload the manual efforts for large-scale testing of OAuth implementations. We have designed and implemented OAuthTester to realize our proposed framework. Using OAuthTester, we examine the implementations of 4 major Identity Providers as well as 500 top-ranked US and Chinese websites which use the OAuth-based Single-Sign-On service provided by the formers. Our empirical findings demonstrate the efficacy of adaptive model-based testing on OAuth 2.0 deployments at scale. More importantly, OAuthTester not only manages to rediscover various existing vulnerabilities but also identify several previously unknown security flaws and new exploits for a large number of eal-world applications implementing OAuth 2.0.","PeriodicalId":166633,"journal":{"name":"Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-05-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130526906","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: