Learning-based methods have been widely applied in the field of Android malware detection. However, adversarial samples pose a serious challenge to such methods, as carefully constructed adversarial samples may evade detection by these detectors. To evaluate the robustness of mainstream Android malware detection methods, in this paper, we propose a novel differentiated adversarial perturbation generation method in problem space. We first slice a large number of benign applications to get a set of code slices that preserve context semantics. An improved optimal perturbation screening method based on Hierarchical Attention Network is proposed to effectively select the optimal slice from the code slice set as the perturbation of the target attack model. We perform dynamic adaptive computation based on the target attack model to achieve the optimal adversarial perturbation. After adding perturbation to the target sample, the sample is repackaged and signed to verify the adversarial effect on the detection model. The experimental results on multiple malware datasets show that the adversarial samples generated by our method can significantly reduce the accuracy of the target detectors and achieve a better adversarial attack effect compared with the existing methods.
Title: Dapadv: Differentiated adversarial perturbation generation method in problem space for android malware detection. Authors: Junwei Tang, Sijie Zhou, Tao Peng, Wenlong Tian. Journal: Computers & Security, volume 164, Article 104845. Publication date: 2026-01-29. DOI: 10.1016/j.cose.2026.104845
Pub Date: 2026-01-23 DOI: 10.1016/j.cose.2026.104842
Magdalena Glas, Christoph Nirschl, Bar Lanyado, Johan van Niekerk
Generative artificial intelligence (AI) tools are increasingly used in software development, improving the efficiency of software developers. However, this adoption introduces notable security challenges. AI-generated code is not secure by default, as it is often based on large-scale training data that includes open-source code of varying quality and trustworthiness. Developers using these tools may be unaware of the associated risks or may place excessive trust in the security of the output. This briefing paper outlines the key security risks associated with generative AI and offers human-centered strategies for mitigation. Since these risks arise not only from how generative AI models are built but also from how humans interact with them, we adopt a human-centric perspective. To this end, we provide recommendations for individuals, organizations, and educators to help harness the potential of generative AI in software development while effectively managing the associated security risks.
Title: Insecure by design? A human-centric security perspective on AI-assisted software development. Journal: Computers & Security, volume 164, Article 104842.
Pub Date: 2026-01-22 DOI: 10.1016/j.cose.2026.104835
Hosam Alamleh, Alessandro Cantelli-Forti
Crowdsourced location networks turn billions of consumer devices into a global sensor grid for locating lost items, but the same reach enables two systemic abuses: (i) location tracking via beacons that masquerade as “lost tags,” and (ii) data exfiltration by embedding short secrets in Bluetooth Low Energy (BLE) advertisements that are relayed forward without inspection. Using Apple’s Find My as a case study, we show that covert beacons reliably reach the cloud and then the attacker within minutes due to relay density. We also find that basic single-layer countermeasures such as packet dropping, TCP ACK/RST injection, fixed-delay insertion, or traffic flooding fail under realistic operational conditions. We contribute the first end-to-end experimental evaluation of deployable mitigations that require no vendor changes. Our defense-in-depth design combines: endpoint controls that correlate OS location-service access with immediate BLE advertising and enforce per-process advertising limits; a hybrid perimeter detector that correlates on-host BLE advertisement counts with outbound traffic to crowd-location backends; and physical controls for high-security areas, including exclusion zones of 35 m indoors and 200 m outdoors (line of sight), optionally supported by selective, low-duty RF jamming. For the longer term, we outline protocol changes that vendors can adopt, such as basic beacon admission control and authentication, shorter helper-retention timers, and helper-side quotas. While evaluated on Find My, these findings generalize to crowdsourced location systems built under similar design assumptions.
Title: Defending against BLE-based covert channels in crowdsourced location networks. Journal: Computers & Security, volume 164, Article 104835.
Most dynamic Intrusion Response Systems (IRSs) use models to characterize the attack patterns and the dynamics of the protected system. They are typically based on some mathematical framework and require a low-level modeling activity that is often difficult and error-prone, even for the experienced end-user. Furthermore, most of the model-based approaches proposed so far do not structurally include the notion of time, which is necessary to model non-instantaneous defense and attack actions. In this paper, we introduce a novel methodology for the automatic generation of IRSs based on Timed Competitive Stochastic Games from augmented Attack-Defense Trees (ADT), a formalism that is commonly used to represent attack patterns and to build IRSs based on a static mapping between attack and response. We formally and empirically prove that: (i) using a static mapping between attack and response or selecting the action with the immediate minimum cost to counter the attack without long-term planning leads to an underestimation of the defense cost; (ii) the total defense cost of a defense policy obtained with an IRS based on the proposed methodology is lower than or equal to the defense cost that can be obtained with an IRS based on static mapping; (iii) not considering time leads to an underestimation of the defense cost. We then perform experiments showing the scalability of the proposed approach in terms of planning time and memory usage.
Title: From attack trees to timed stochastic games: A novel intrusion response approach. Authors: Tommaso Caiazzi, Stefano Iannucci, Valerio Marini, Matteo Foschi, Riccardo Torlone. Journal: Computers & Security, volume 164, Article 104834. Publication date: 2026-01-22. DOI: 10.1016/j.cose.2026.104834
Pub Date: 2026-01-22 DOI: 10.1016/j.cose.2026.104841
Xiaodan Huang, Guosheng Zhao, Jian Wang, Kaiwen Lou, Zixuan Wan
With the increasing complexity of threats in cyberspace, Advanced Persistent Threats (APT) in Industrial Internet of Things (IIoT) environments exhibit stronger, hidden, and persistent characteristics. Existing APT detection methods underutilize node semantic attribute information and lack adaptive modeling capabilities for heterogeneous data, limiting the effectiveness of malicious intent detection. To address this, a framework for detecting APT attacks based on Semantic Heterogeneous Autoencoders with Pre-trained language model Embeddings (SHAPE) is proposed. SHAPE integrates the deep semantic features of nodes extracted by large language models with heterogeneous autoencoders tailored to specific node types, enabling the effective modeling of normal behavior patterns across various node types. Significant deviations of nodes from the semantic-level normal baseline are captured by quantifying the reconstruction error, thereby facilitating the detection of APT attacks. Experimental evaluation on the CICAPT-IIoT (2024) dataset demonstrates that SHAPE significantly outperforms all baseline models, improving the overall node AUC by approximately 5.8% relative to the best baseline; notably, for key node types, the AUC improves by 48.2%. These results validate the effectiveness of the semantic-heterogeneous joint analysis framework. This framework innovatively integrates deep semantic understanding of nodes with adaptive modeling of heterogeneous data, providing a novel paradigm for advanced threat hunting in complex network environments.
Title: SHAPE: An APT detection framework fusing semantic understanding and heterogeneous modeling. Journal: Computers & Security, volume 164, Article 104841.
Pub Date: 2026-01-18 DOI: 10.1016/j.cose.2026.104838
Inoussa Mouiche, Sherif Saad
Quality-labeled data are essential for developing accurate AI models in cybersecurity, particularly for threat intelligence named entity recognition (TI-NER), which automates the extraction of threat indicators and entities from unstructured reports. While several annotated datasets exist, their isolated use hinders scalability due to inconsistent tagging schemes, label names, and non-standard entity categories. This paper introduces TI-NERmergerV2, a robust, semi-automated framework for integrating heterogeneous TI-NER datasets into a unified, high-quality corpus aligned with the structured threat information expression (STIX) standard (e.g., STIX 2.1). Building upon its predecessor, TI-NERmerger, which is limited by its reliance on strict string matching and a narrow cyber lookup space, TI-NERmergerV2 incorporates string normalization, fuzzy fallback matching, and alias expansion using the MITRE ATT&CK knowledge base to resolve lexical variation and annotation inconsistencies. We validate its effectiveness by comparing it with a manual integration of two public datasets (DNRTI and APTNER), producing a unified dataset called AAPTNER. TI-NERmergerV2 achieves over 94% alignment with the manual process, reducing months of expert effort to minutes. Evaluations using a RoBERTa-based NER model further confirm that TI-NERmergerV2 enhances annotation quality and effectively disambiguates key entity types in the resulting DNRTI-STIX2.1 and AAPTNER datasets. The framework generalizes across datasets that adopt STIX domain and observable objects, providing a scalable and reproducible foundation for cyber threat intelligence research. Both the framework and resulting datasets are publicly released to support broader efforts in standardizing and enriching TI-NER resources.
Title: TI-NERmergerV2: Automating the integration of threat intelligence NER datasets via STIX standard. Journal: Computers & Security, volume 163, Article 104838.
Pub Date: 2026-01-15 DOI: 10.1016/j.cose.2026.104839
ALLADEAN CHIDUKWANI, SEBASTIAN ZANDER, POLYCHRONIS KOUTSAKIS
This study builds upon the foundational research of Chidukwani et al. (2022, 2024) to critically examine and validate cybersecurity assertions made by small and medium-sized enterprises (SMEs). Through a mixed-method multiple case study design, the research employed a comprehensive methodology to gain firsthand insights into SME cybersecurity postures. Central to this study is the introduction of the Validated Cybersecurity Posture Assessment Framework (VCPAF), a novel multi-layered methodology tailored to the SME context. VCPAF integrates self-reported assessments, expert-led interviews, technical vulnerability scanning, artifact and documentation review, and a triangulated scoring and gap analysis. This holistic and iterative approach enables a more accurate and context-sensitive validation of cybersecurity practices, bridging the gap between perceived and actual security postures.
Fieldwork included site visits, inspections, direct observations, and in-depth interviews with key personnel to validate initial survey responses from Chidukwani et al. (2024). Benchmarking against the NIST Cybersecurity Framework (CSF), the study revealed significant disparities between SMEs’ self-reported cybersecurity practices and evidence from expert assessments. SMEs consistently overstated their cybersecurity maturity, often conflating IT support with cybersecurity services. Overestimations were particularly notable across the NIST CSF’s five core functions: Identify, Protect, Detect, Respond, and Recover, with critical weaknesses identified in asset management, patch management, network security, access control, monitoring, and incident response. Additionally, misunderstandings regarding IT provider responsibilities and regulatory obligations were found to exacerbate vulnerabilities.
We conclude that self-reporting alone is insufficient for accurately assessing SME cybersecurity posture. To close the gap between perceived and actual security practices, independent validation and tailored frameworks are critical. We advocate for sector-specific adaptations of established standards, transparent service provider agreements, and mandatory employee training. Additionally, introducing industry-standardised terminology and a taxonomy similar to those used in healthcare insurance would simplify service offerings and improve SME understanding of cybersecurity responsibilities.
Title: Beyond self-reporting: Uncovering the operational realities of SME cybersecurity through expert assessment. Journal: Computers & Security, volume 164, Article 104839.
Pub Date: 2026-01-15 DOI: 10.1016/j.cose.2026.104833
Bert Abrath, Lennert Franssens, Bjorn De Sutter, Bart Coppens
While multi-variant execution (MVX) has been demonstrated to provide precise and secretless mitigation against many classes of memory exploits at a low performance cost, achieving that low cost has so far always come at the price of a larger trusted computing base. For example, the ReMon MVX engine combines an in-process monitor with a cross-process monitor, and relies on a kernel-space broker to isolate the in-process monitor. This requires applying a special-purpose patch to the Linux kernel, which can be a significant hurdle for its use in practice.
In this paper, we present two alternative designs for that in-process monitor and its isolation. These designs build on security capabilities of modern processors and the mainline Linux kernel, without requiring any adaptation. A security analysis reveals that the novel designs are as secure as the existing ReMon design, and a performance evaluation reveals that no performance price needs to be paid.
Title: Secure and efficient application monitoring and replication without kernel patches. Journal: Computers & Security, volume 163, Article 104833.
Pub Date: 2026-01-08 DOI: 10.1016/j.cose.2026.104826
Xiao Tan, Qi Xie, Lidong Han, Shengbao Wang
Public auditing enables a third-party auditor delegated by the data owner to efficiently verify the integrity of data outsourced to a remote server, and is thus suited to numerous applications in cloud storage. Through a comprehensive survey of the literature, we found that none of the existing public auditing schemes provides semantic security of data privacy; namely, low-entropy data cannot preserve indistinguishability against the auditor. To capture this security weakness, we define the notion of public auditing with semantic secure data privacy (PA-SSDP) by a formal adversarial model to guarantee that it is impossible for the auditor to learn any non-trivial information about the data, even if the audited file has only two possible versions. Then we propose a concrete PA-SSDP scheme with two variants of provable security under the new model, which offer improved data privacy and the same level of efficiency as most related works. Besides, our schemes support some other useful features, such as server-side deduplication, dynamic data update, and batch auditing.
Title: Public auditing with semantic secure data privacy for low-entropy files in cloud storage. Journal: Computers & Security, Volume 163, Article 104826.
Pub Date: 2026-01-08 DOI: 10.1016/j.cose.2025.104812
Seonghwan Park, Hayoung Kang, Donghyun Kwon
In-process memory isolation is a fundamental building block for modern security solutions, enabling the protection of sensitive data within a single process. To achieve in-process memory isolation, prior work has proposed either instruction-level or domain-based schemes. Instruction-level schemes offer fine-grained access control but struggle to scale, whereas domain-based schemes scale to multiple compartments yet lack fine-grained access control. This characteristic leads to restricted applications for each scheme.
In this paper, we present Dom-V, a fine-grained and scalable in-process memory isolation technique that simultaneously supports instruction-level and domain-based schemes without requiring hardware modifications on RISC-V. Dom-V achieves this by leveraging the RISC-V Hypervisor extension, a ratified ISA extension. To demonstrate its effectiveness, we evaluate Dom-V across three representative use cases: shadow stack, encryption key protection, and JIT code page protection. Our experimental results indicate that Dom-V achieves secure and scalable in-process isolation with minimal performance overhead.
Title: Beyond address spaces: In-process memory isolation for RISC-V. Journal: Computers & Security, Volume 163, Article 104812.