Proceedings of the 18th International Conference on Availability, Reliability and Security: latest publications

Enabling Qualified Anonymity for Enhanced User Privacy in the Digital Era
Authors: Vaios Bolgouras, Konstantinos Papadamou, Ioana Stroinea, Michail Papadakis, George Gugulea, Michael Sirivianos, C. Xenakis
DOI: https://doi.org/10.1145/3600160.3605075
Published: 2023-08-29 (Semantic Scholar paper id 114201976)
Abstract: This paper presents a privacy-enhancing identity management platform designed to address the challenges associated with online identity verification and privacy protection. INCOGNITO offers a comprehensive solution by leveraging concepts such as Qualified Anonymity and cryptographic credentials, along with technologies including blockchain, Tor Network, and software stacks like Idemix. By employing these mechanisms, INCOGNITO aims to enable users to securely acquire and manage their identity attributes, while preserving their privacy and ensuring compliance with both regulatory bodies and Service Providers’ requirements. The platform facilitates the issuance and verification of cryptographic credentials, granting users access to online services based on fine-grained subsets of their identity attributes. Furthermore, the effectiveness and feasibility of the platform are demonstrated through two pilot projects focused on online multimedia content sharing and identifying bots or fake users in online social networks. These pilots showcase the practical applicability of INCOGNITO in solving identity-related challenges while safeguarding user privacy and security.
Citations: 0
Fingerprint forgery training: Easy to learn, hard to perform
Authors: Agata Kruzikova, Vashek Matyás
DOI: https://doi.org/10.1145/3600160.3604990
Published: 2023-08-29 (Semantic Scholar paper id 114400098)
Abstract: Many services offer fingerprint authentication, including sensitive services such as mobile banking. This broad adoption could give end-users the impression that fingerprint authentication is secure. However, fingerprint authentication is vulnerable to various attacks performed even by not-very-sophisticated attackers, e.g., fingerprint forgery. Will participants perceive fingerprint authentication differently after relevant theory education and the creation of their fingerprint counterfeit to overcome misunderstandings, especially regarding security? How will they perceive the fingerprint forgery process? We prepared a hands-on seminar with fingerprint forgery simulation. We focused on the difference in perception before and after the theoretical lecture on biometrics and a practical seminar on forgery creation. We applied an uncommon approach, reconstructing the fingerprint from a photo of the actual finger rather than its print on some surface – to illustrate the case of an attack based merely on a “thumb-up” photograph. Our results show that 19% of participants (out of 221) were successful in spoofing, according to the NIST Biometric Image Software, and 27% of participants could register their counterfeit into the smartphone. Participants perceived fingerprint authentication as less secure after the simulation and reported their intention to use it less for mobile banking operations. They also perceived the forgery attack as easier to learn than before the simulation – but harder to perform. Our study implies that participants intend to change their behaviour based on their experience from our seminar; however, they did not consider two-factor authentication as an option.
Citations: 0
Why Mary Can Hack: Effectively Introducing High School Girls to Cybersecurity
Authors: Gabriele Costa, Silvia De Francisci, Serenella Valiani, Paolo Prinetto
DOI: https://doi.org/10.1145/3600160.3605009
Published: 2023-08-29 (Semantic Scholar paper id 130052099)
Abstract: The gender gap is one of the main concerns in the IT sector, in general, and in cybersecurity, in particular. Although well known, the problem is multifaceted and some of its root causes may be found in the education system. In recent years, many initiatives have been proposed targeting high-school students that might be interested in cybersecurity. Many of these programs rely on capture-the-flag (CTF) competitions to gradually form technical skills in an entertaining way. Despite these efforts, however, the number of girls that attend and complete these programs is still often unsatisfactory. In this work, we present the most significant outcomes of CyberTrials, a CTF-based cybersecurity program for Italian high school girls that this year enrolled 941 students. The two main features of CyberTrials are its peculiar organization and its gaming platform, which introduces some crucial novelties w.r.t. other similar initiatives. Both these aspects are presented and discussed in this paper. The results show that our methodology could effectively engage the participants and that, when properly organized, CTF-based events have the potential to catalyze the learning process.
Citations: 0
RiBAC: Strengthening Access Control Systems for Pandemic Risk Reduction while Preserving Privacy
Authors: S. Krenn, Jan Orlicky, Daniel Slamanig, T. Trpišovský
DOI: https://doi.org/10.1145/3600160.3605039
Published: 2023-08-29 (Semantic Scholar paper id 128838734)
Abstract: Traditional (physical) access control systems are well-established mechanisms, allowing organizations to determine who should be able to access which physical space. This can either be a facility such as a critical infrastructure with a well-defined set of individuals, e.g., employees, or public spaces where everyone can be subject to access control. During the Covid-19 pandemic, additional features to reduce the risks of individuals when entering spaces became popular or even mandatory, including automatic scanning for protective wear (e.g., whether an individual wears a mask), body temperature checks, or digital health certificates, certifying that one has been negatively tested for, or vaccinated against, Covid-19. We refer to this as risk-based access control (RiBAC). In the Covid-19 pandemic, largely due to the time pressure for implementing these measures, many such RiBAC extensions to classical AC systems required manual intervention. This, besides posing health risks for the individuals performing these checks, yields a solution which is not scalable. Now that the Covid-19 pandemic no longer constitutes a public health emergency of international concern according to the World Health Organization (WHO), it is time to reconsider RiBAC systems. Our main focus in this work is to investigate requirements for such systems and to discuss possible generic architectures for RiBAC systems. In order to be prepared for a future pandemic, the goal should be to implement such systems in a way such that they are scalable and risk-minimizing. We will specifically focus on privacy of the individuals subject to access control in RiBAC, while preserving the functionality of the system. Moreover, our focus is on the European setting where digital health certificates were considered as a central risk-reducing mechanism. In this context, we discuss the use of privacy-preserving cryptography in order to be able to have RiBAC systems that are privacy-preserving already in place for any potential future pandemic.
Citations: 1
JITScanner: Just-in-Time Executable Page Check in the Linux Operating System
Authors: Pasquale Caporaso, Giuseppe Bianchi, F. Quaglia
DOI: https://doi.org/10.1145/3600160.3605035
Published: 2023-08-29 (Semantic Scholar paper id 128543997)
Abstract: Modern malware has become increasingly sophisticated, posing a significant threat to cybersecurity. As a result, researchers and security professionals are constantly seeking more advanced methods to detect and analyze malware. Most of these methods are under the umbrella of dynamic analysis, which offers advantages over static analysis—it allows for the observation of the runtime behavior and the detection of obfuscated or encrypted code that may be used to evade detection. However, running executables in a controlled environment can be costly, often leading to a pragmatic compromise of running them with sandboxing only for a limited initial time. In this paper, we propose a different approach to dynamic executable analysis: we analyze the presence of malicious signatures in executable virtual pages of an application the moment they are materialized in RAM—possibly with a new content after an update. We specifically design and evaluate JITScanner, a Linux-oriented package based on a Loadable Kernel Module (LKM), which supports checking any executable page each time its fresh content located in RAM is accessed for instruction fetch, enabling the detection of malicious updates to executable pages. The user-level component of the architecture communicates with the LKM via a scalable solution that exploits multi-processor/core technology. We also present experimental data that show the effectiveness of our solution and its promising potential.
Citations: 0
Approach to harmonisation of technological solutions, operating procedures, preparedness and cross-sectorial collaboration opportunities for first aid response in cross-border mass-casualty incidents
Authors: Y. Yanakiev, Sergio López Bernal, Alberto Montarelo Navajo, N. Stoianov, Manuel Gil Pérez, Carmen Curto Martin
DOI: https://doi.org/10.1145/3600160.3605060
Published: 2023-08-29 (Semantic Scholar paper id 124492005)
Abstract: This paper focuses on identifying possible approaches to harmonising technological solutions, operative procedures, preparedness and cross-sectorial collaboration in the case of cross-border Mass Casualty Incidents (MCI). It presents some of the results obtained in the framework of the VALKYRIES project (Harmonisation and Pre-Standardization of Equipment, Training and Tactical Coordinated Procedures for First Aid Vehicles Deployment on European Multi-Victim Disasters). The first part of the paper presents and analyses the current situation concerning the technological solutions in support of first aid responders, the usual operative procedures and protocols in place, the existing Education and Training (E&T) courses, and the status of cross-border and cross-sectorial cooperation. The second part of the paper summarises identified capability gaps and needs of the first responders (e.g., medical emergency services, firefighters, civil protection authorities, police, military units, and local authorities) in the technologies domain, operative procedures, preparedness and collaboration for effective implementation of their tasks in a cross-border MCI. The third part summarises the prioritised harmonisation opportunities in the above-discussed technological, procedural, E&T and collaboration domains. Finally, some conclusions and next steps are formulated.
Citations: 0
Adoption of Information Security Practices in Large-Scale Agile Software Development: A Case Study in the Finance Industry
Authors: Sascha Nägele, Lorena Korn, F. Matthes
DOI: https://doi.org/10.1145/3600160.3600170
Published: 2023-08-29 (Semantic Scholar paper id 116726772)
Abstract: Agile development methods have pervaded software engineering and are increasingly applied in large projects and organizations. At the same time, security threats and restrictive legislation regarding security and privacy are steadily rising. These two trends of agile software development at scale and increasingly important security requirements are often at odds with each other. Academic literature widely acknowledges the challenges therefrom and discusses approaches to integrate these two partly conflicting trends. However, several researchers point out a need for empirical studies and evaluations of these approaches in practice. To fill this research gap, we conducted a case study in the finance industry. We identified 27 agile security approaches in academic literature. Based on these theoretical findings, we carried out observations, document analysis, and unstructured interviews to identify which approaches the case company applies. We then conducted semi-structured interviews with 10 experts and a survey with 62 participants to evaluate 14 approaches. One of the key results is that role and knowledge approaches, such as dedicated security roles and communities, are especially important in scaled agile development environments. In addition, the most beneficial security activities are easy-to-integrate, such as a security tagging system, peer security code reviews, security stories, and threat poker. We also contribute evaluation criteria as well as drivers and obstacles for the adoption of agile security approaches that can be used for further research and practice.
Citations: 0
Attack on “A Privacy-Preserving Online Ride-Hailing System Without Involving a Third Trusted Server”
Authors: S. Vivek
DOI: https://doi.org/10.1145/3600160.3605040
Published: 2023-08-29 (Semantic Scholar paper id 115964251)
Abstract: Recently, Xie, Guo, and Jia (IEEE Transactions on Information Forensics and Security, vol. 16, pp. 3068-3081, 2021) proposed a privacy-preserving Online Ride-Hailing (ORH) protocol that does not make use of a trusted third-party server. The primary goal of such privacy-preserving ORH protocols is to ensure the privacy of riders’ and drivers’ location data w.r.t. the ORH Service Provider (SP). In this work, we demonstrate a passive attack by the SP in the protocol of Xie, Guo, and Jia that enables it to completely recover the location of the rider as well as that of the responding drivers in each and every ride request query. The running time of our attack is independent of the security parameter.
Citations: 0
The Age of fighting machines: the use of cyber deception for Adversarial Artificial Intelligence in Cyber Defence
Authors: David Lopes Antunes, Salvador Llopis Sanchez
DOI: https://doi.org/10.1145/3600160.3605077
Published: 2023-08-29 (Semantic Scholar paper id 126388630)
Abstract: Cyber deception has emerged as a valuable technique in the field of cybersecurity, closely linked with adversarial Artificial Intelligence. In an era of pervasive automation, it is gaining prominence as a research topic aimed at understanding how novel machine learning algorithms can be deceived using adversarial attacks that exploit vulnerabilities of their models. To this end, the paper describes the state-of-the-art of cyber deception for adversarial AI purposes, focusing on its benefits, challenges, and advanced techniques. In addition, this exploratory research attempts to extend its applicability to the fact that an appropriate and timely discovery of adversarial plans and associated actions may enhance one's own cyber resilience by introducing analytical findings of the adversary's intent into decision-making for cyber situational awareness. The study of adversarial thinking is as old as history and is one of the most relevant subjects rapidly incorporated into the operational planning process – a methodology to understand the operational environment. Adversarial knowledge is used for adapting one's own cyber defences in response to the cyber threat landscape.
Citations: 0
Securing cloud-based military systems with Security Chaos Engineering and Artificial Intelligence
Authors: Martin Bedoya, Sara Palacios, Daniel Díaz-López, P. Nespoli, Estefania Laverde, Sebastián Suárez
DOI: https://doi.org/10.1145/3600160.3605076
Published: 2023-08-29 (Semantic Scholar paper id 126755133)
Abstract: Recently, system security has come to represent a big challenge for many organizations, and it must be specifically handled when a system is intended to be deployed in a cloud environment. Cloud environments provide multiple security services that run over a Shared Responsibility Model that requires the participation of the cloud provider and the customer. Thus, this paper proposes an architecture based on Artificial Intelligence to support the finding of system threats and errors in an early stage and on Security Chaos Engineering methodology to reliably test the existence of such errors. This proposed architecture may help orientate better system designs and contribute to building holistic security. A particular use case is described to show how the proposal can be applied to a system that supports services for a military-related organization.
Citations: 0