Victor Goeman, Dairo de Ruck, Ilse Bohé, Jorn Lapon, Vincent Naessens
{"title":"IoT Security Seminar: Raising Awareness and Sharing Critical Knowledge","authors":"Victor Goeman, Dairo de Ruck, Ilse Bohé, Jorn Lapon, Vincent Naessens","doi":"10.1145/3600160.3604986","DOIUrl":"https://doi.org/10.1145/3600160.3604986","url":null,"abstract":"The security of the Internet of Things (IoT) devices has become a major concern as the number of connected devices continues to increase. Despite this concern, there is a lack of training opportunities to educate IoT developers on security measures. While there are ample ICT and Network Management courses for developers, there is a lack of security courses scoped for this audience. One of the reasons is that raising cybersecurity awareness and increasing the security expertise of developers presents a significant challenge due to the complexity of IoT security. This work presents a cybersecurity seminar that tackles these challenges. It is aimed at various actors in the IoT device development cycle (e.g. software designers, developers and managers) to raise IoT security awareness and share critical knowledge. It cultivates the basics of both offensive and defensive security through a custom-built vulnerable IoT firmware image with vulnerabilities found in real-world IoT devices. This intentionally vulnerable image is accompanied by a detailed walkthrough explaining various exploitation and mitigation techniques. Our seminar has been held multiple times in both industry and academics and consistently received very positive feedback. It has been successful in educating participants about the importance of IoT security and providing them with additional knowledge and skills to take action in their own practices.","PeriodicalId":107145,"journal":{"name":"Proceedings of the 18th International Conference on Availability, Reliability and Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2023-08-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115655070","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A Study of Different Awareness Campaigns in a Company","authors":"Laura Gamisch, Daniela Pöhn","doi":"10.1145/3600160.3605006","DOIUrl":"https://doi.org/10.1145/3600160.3605006","url":null,"abstract":"Phishing is a major cyber threat to organizations that can cause financial and reputational damage, threatening their existence. The technical measures against phishing should be complemented by awareness training for employees. However, there is little validation of awareness measures. Consequently, organizations have an additional burden when integrating awareness training, as there is no consensus on which method brings the best success. This paper examines how awareness concepts can be successfully implemented and validated. For this purpose, various factors, such as requirements and possible combinations of methods, are taken into account in our case study at a small- and medium-sized enterprise (SME). To measure success, phishing exercises are conducted. The study suggests that pleasant campaigns result in better performance in the simulated phishing exercise. In addition, significant improvements and differences in the target groups could be observed. The implementation of awareness training with integrated key performance indicators can be used as a basis for other organizations.","PeriodicalId":107145,"journal":{"name":"Proceedings of the 18th International Conference on Availability, Reliability and Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2023-08-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127550367","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"RETRACT: Expressive Designated Verifier Anonymous Credentials","authors":"Heini Bergsson Debes, Thanassis Giannetsos","doi":"10.1145/3600160.3600191","DOIUrl":"https://doi.org/10.1145/3600160.3600191","url":null,"abstract":"Anonymous credentials (ACs) are secure digital versions of credentials that allow selective proof of possession of encoded attributes without revealing additional information. Attributes can include basic personal details (e.g., passport, medical records) and also claims about existing attributes (e.g., age > 18), which can be revealed without disclosing any concrete information. However, embedding all possible claims in a credential is impractical. To address this, we propose verifiers defining policies as high-level programs executed by holders on their credentials. We also propose making the proofs designated verifier to prevent the misuse or leakage of sensitive information by dishonest verifiers to any unwanted third party.","PeriodicalId":107145,"journal":{"name":"Proceedings of the 18th International Conference on Availability, Reliability and Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2023-08-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116832320","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
C. Anglano, M. Canonico, Andrea Cepollina, Davide Freggiaro, Alderico Gallo, Marco Guazzone
{"title":"Enabling the forensic study of application-level encrypted data in Android via a Frida-based decryption framework","authors":"C. Anglano, M. Canonico, Andrea Cepollina, Davide Freggiaro, Alderico Gallo, Marco Guazzone","doi":"10.1145/3600160.3605029","DOIUrl":"https://doi.org/10.1145/3600160.3605029","url":null,"abstract":"The forensic study of mobile apps that use application-level encryption requires the decryption of the data they generate. Such a decryption requires the knowledge of the encryption algorithm and key. Determining them requires, however, a quite complex analysis that is time-consuming, error prone, and often beyond the reach of many forensic examiners. In this paper, we tackle this problem by devising a framework able to automate the decryption of these data when third-party encryption libraries or platforms are used. Our framework is based on the use of dynamic instrumentation of app’s binary code by means of hooking, which enables it to export the plaintext of data after they have been decrypted by the app, as well as the corresponding encryption key and parameters. This framework has been conceived to be used only with test devices used for forensic study purposes, and not with devices that need to be forensically analyzed. We describe the architecture of the framework as well as the implementation of its components and of the hooks supporting three prominent and popular encryption libraries, namely SQLCipher, Realm and Jetpack Security. Also, we validate our framework by comparing its decryption results against those published in the literature for Wickr Me, Signal, Threema, and Element.","PeriodicalId":107145,"journal":{"name":"Proceedings of the 18th International Conference on Availability, Reliability and Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2023-08-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129721823","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Jenno Verdonck, Kevin De Boeck, M. Willocx, Jorn Lapon, Vincent Naessens
{"title":"A hybrid anonymization pipeline to improve the privacy-utility balance in sensitive datasets for ML purposes","authors":"Jenno Verdonck, Kevin De Boeck, M. Willocx, Jorn Lapon, Vincent Naessens","doi":"10.1145/3600160.3600168","DOIUrl":"https://doi.org/10.1145/3600160.3600168","url":null,"abstract":"The modern world is data-driven. Businesses increasingly take strategic decisions based on customer data, and companies are founded with a sole focus of performing machine-learning driven data analytics for third parties. External data sources containing sensitive records are often required to build qualitative machine learning models and, hence, perform accurate and meaningful predictions. However, exchanging sensitive datasets is no sinecure. Personal data must be managed according to privacy regulation. Similarly, loss of strategic data can negatively impact the competitiveness of a company. In both cases, dataset anonymization can overcome the aforementioned obstacles. This work proposes a hybrid anonymization pipeline combining masking and (intelligent) sampling to improve the privacy-utility balance of anonymized datasets. The approach is validated via in-depth experiments on a representative machine learning scenario. A quantitative privacy assessment of the proposed hybrid anonymization pipeline is performed and relies on two well-known privacy metrics, namely re-identification risk and certainty. Furthermore, this work shows that the utility level of the anonymized dataset remains acceptable, and that the overall privacy-utility balance increases when complementing masking with intelligent sampling. The study further restrains the common misconception that dataset anonymization is detrimental to the quality of machine learning models. The empirical study shows that anonymous datasets – generated by the hybrid anonymization pipeline – can compete with the original (identifiable) ones when they are used as input for training a machine learning model.","PeriodicalId":107145,"journal":{"name":"Proceedings of the 18th International Conference on Availability, Reliability and Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2023-08-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128746253","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
K. Loupos, H. Niavis, Fotis Michalopoulos, George Misiakoulis, A. Skarmeta, Jesús Garcia, Angel Palomares, Hui Song, R. Dautov, Francesca Giampaolo, Rosella Mancilla, Francesca Costantino, D. Landuyt, Sam Michiels, Stefan More, C. Xenakis, Michail Bampatsikos, Ilias Politis, Konstantinos Krilakis, Sokratis Vavilis
{"title":"An inclusive Lifecycle Approach for IoT Devices Trust and Identity Management","authors":"K. Loupos, H. Niavis, Fotis Michalopoulos, George Misiakoulis, A. Skarmeta, Jesús Garcia, Angel Palomares, Hui Song, R. Dautov, Francesca Giampaolo, Rosella Mancilla, Francesca Costantino, D. Landuyt, Sam Michiels, Stefan More, C. Xenakis, Michail Bampatsikos, Ilias Politis, Konstantinos Krilakis, Sokratis Vavilis","doi":"10.1145/3600160.3605083","DOIUrl":"https://doi.org/10.1145/3600160.3605083","url":null,"abstract":"ERATOSTHENES is an EC, co-funded, research project strongly considering modern security challenges in the domain of Internet of Things in mind of their huge penetration into our day to day lives. There are a series of recent challenges that recently have been converted into obstacles or risk points that could block the secure operation of IoT networks in all day to day activities, from home to office, to leisure and security. These include examples such as the highly increased number of connected devices (at all network levels) that are on top forming inhomogeneous networks and systems of systems. Different vendor characteristics further increase the attack surface that is expected to further rise in the upcoming years. Such, highly critical, characteristics, dramatically increase the needs for confidentiality access control, user and things’ privacy, devices’ trustworthiness and compliance that require lifecycle considerations. The ERATOSTHENES project orchestrates a novel distributed, automated, auditable, yet privacy-respectful, Trust and Identity Management Framework and Reference Architecture with the ultimate scope to dynamically and holistically manage IoT devices in a lifecycle approach, strengthening trust, identities, and resilience in the entire IoT ecosystem while supporting the enforcement of the NIS directive, GDPR and Cybersecurity Act. This publication describes the ERATOSTHENES technical concept and reference architecture as well as design considerations, architecture characteristics, connectivity and interoperability.","PeriodicalId":107145,"journal":{"name":"Proceedings of the 18th International Conference on Availability, Reliability and Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2023-08-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128092712","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Actions Speak Louder Than Passwords: Dynamic Identity for Machine-to-Machine Communication","authors":"Wil Liam Teng, K. Rasmussen","doi":"10.1145/3600160.3600165","DOIUrl":"https://doi.org/10.1145/3600160.3600165","url":null,"abstract":"Machine-to-Machine (M2M) communication is communication between computers without a human user involved. This is a very common paradigm whenever automated tasks are executed routinely, e.g., backup data to a cloud storage, update a local database cache, fetch the latest updates for software, etc. One challenge in this setting is that the credentials to establish secure connections between machines during execution must be available to the machines without any human interaction. Typically that means the credentials must reside on the machine itself, in the form of a secret such as a password, API key, single sign-on token, etc. In practice the secret is often embedded directly into an automatically executed script, but regardless it needs to be stored either in the clear or encrypted with another secret that is available to the machine during execution. This exposes the credentials to anyone who can gain access to the machine. In this paper we present ActionID, a scheme that mitigates the problem of credential exposure by making a desired sequence of actions for execution as part of the machine’s identity. This way, even if the credentials are exposed, they are only temporarily valid for one particular action sequence that cannot be changed for future executions. We introduce a trusted third party who issues new identities, validates new action requests, and acts as a centralised location for managing access control policies for an arbitrary number of clients and servers. In addition to yielding strong security guarantees, it also simplifies the management of complex access control for an organisation. We present detailed protocols for ActionID, along with a thorough security analysis. We implement ActionID as a Python library to show the ease of integration into existing applications, and to demonstrate the performance of the scheme, which is on par with SSH.","PeriodicalId":107145,"journal":{"name":"Proceedings of the 18th International Conference on Availability, Reliability and Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2023-08-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121728149","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Willi Lazarov, Tomas Stodulka, Tiina Schafeitel-Tähtinen, Marko Helenius, Zdenek Martinasek
{"title":"Interactive Environment for Effective Cybersecurity Teaching and Learning","authors":"Willi Lazarov, Tomas Stodulka, Tiina Schafeitel-Tähtinen, Marko Helenius, Zdenek Martinasek","doi":"10.1145/3600160.3605007","DOIUrl":"https://doi.org/10.1145/3600160.3605007","url":null,"abstract":"Cybersecurity affects all users to some extent, and it is essential to raise awareness about potential cybersecurity risks and improve practical skills from an early stage of their education. This paper addresses these aspects and discusses the research, design, and implementation of a platform for effective cybersecurity teaching and learning. Our main contribution is the creation of an interactive environment with the easy-to-use execution and management of educational and training scenarios. Our solution is tailored for multi-level education, as well as small to medium-sized institutions, and we have validated its effectiveness through several test sessions conducted with university and high school students. In addition, the paper presents selected preliminary results from the testing performed and an overall evaluation of the environment.","PeriodicalId":107145,"journal":{"name":"Proceedings of the 18th International Conference on Availability, Reliability and Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2023-08-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134210680","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Simon Ott, Monika Kamhuber, Joana Pecholt, Sascha Wessel
{"title":"Universal Remote Attestation for Cloud and Edge Platforms","authors":"Simon Ott, Monika Kamhuber, Joana Pecholt, Sascha Wessel","doi":"10.1145/3600160.3600171","DOIUrl":"https://doi.org/10.1145/3600160.3600171","url":null,"abstract":"With more computing workloads being shifted to the cloud, verifying the integrity of remote software stacks through remote attestation becomes an increasingly important topic. During remote attestation, a prover provides attestation evidence to a verifier, backed by a hardware trust anchor. While generating this information, which is essentially a list of hashes, is easy, examining the trustworthiness of the overall platform based on the provided list of hashes without context is difficult. Furthermore, as different trust anchors use different formats, interaction between devices using different attestation technologies is a complex problem. To address this problem, we propose a universal, hardware-agnostic device-identity and attestation framework. Our framework focuses on easing attestation by having provers present meaningful metadata to verify the integrity of the attestation evidence. We implemented and evaluated the framework for Trusted Platform Modules (TPM), AMD SEV-SNP attestation, and ARM PSA Entity Attestation Tokens (EATs).","PeriodicalId":107145,"journal":{"name":"Proceedings of the 18th International Conference on Availability, Reliability and Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2023-08-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134448764","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Sandra König, A. Shaaban, Tamara Hadjina, Klemen Gregorc, Albert Kutej
{"title":"Identification and Evaluation of Cyber-Physical Threats on Interdependent Critical Infrastructures","authors":"Sandra König, A. Shaaban, Tamara Hadjina, Klemen Gregorc, Albert Kutej","doi":"10.1145/3600160.3605026","DOIUrl":"https://doi.org/10.1145/3600160.3605026","url":null,"abstract":"Increasing interdependencies between critical infrastructures and digitization increase the vulnerability to cyber-attacks and cyber-physical attacks. Incidents have multiple direct and indirect consequences, including cascading effects, and a formal analysis is strongly recommended to understand these effects. This paper shows how threat identification and impact evaluation for interdependent critical infrastructures can be supported by two existing tools. The approach is illustrated with an example based on a running EU project.","PeriodicalId":107145,"journal":{"name":"Proceedings of the 18th International Conference on Availability, Reliability and Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2023-08-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133954387","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}