发布求助
文献互助 智能选刊 最新文献

2014 IEEE Security and Privacy Workshops最新文献

筛选
英文 中文
Nail: A Practical Interface Generator for Data Formats 一个实用的数据格式接口生成器
2014 IEEE Security and Privacy Workshops Pub Date : 2014-05-17 DOI: 10.1109/SPW.2014.31
Julian Bangert, N. Zeldovich
{"title":"Nail: A Practical Interface Generator for Data Formats","authors":"Julian Bangert, N. Zeldovich","doi":"10.1109/SPW.2014.31","DOIUrl":"https://doi.org/10.1109/SPW.2014.31","url":null,"abstract":"We present Nail, an interface generator that allows programmers to safely parse and generate protocols defined by a Parser-Expression based grammar. Nail uses a richer set of parser combinators that induce an internal representation, obviating the need to write semantic actions. Nail also provides solutions parsing common patterns such as length and offset fields within binary formats that are hard to process with existing parser generators.","PeriodicalId":142224,"journal":{"name":"2014 IEEE Security and Privacy Workshops","volume":"62 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-05-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131903744","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 5
Finite State Machine Parsing for Internet Protocols: Faster Than You Think 互联网协议的有限状态机解析:比你想象的要快
2014 IEEE Security and Privacy Workshops Pub Date : 2014-05-17 DOI: 10.1109/SPW.2014.34
R. Graham, Peter C. Johnson
{"title":"Finite State Machine Parsing for Internet Protocols: Faster Than You Think","authors":"R. Graham, Peter C. Johnson","doi":"10.1109/SPW.2014.34","DOIUrl":"https://doi.org/10.1109/SPW.2014.34","url":null,"abstract":"A parser's job is to take unstructured, opaque data and convert it to a structured, semantically meaningful format. As such, parsers often operate at the border between untrusted data sources (e.g., the Internet) and the soft, chewy center of computer systems, where performance and security are paramount. A firewall, for instance, is precisely a trust-creating parser for Internet protocols, permitting valid packets to pass through and dropping or actively rejecting malformed packets. Despite the prevalence of finite state machines (FSMs) in both protocol specifications and protocol implementations, they have gained little traction in parser code for such protocols. Typical reasons for avoiding the FSM computation model claim poor performance, poor scalability, poor expressibility, and difficult or time-consuming programming. In this research report, we present our motivations for and designs of finite state machines to parse a variety of existing Internet protocols, both binary and ASCII. Our hand-written parsers explicitly optimize around L1 cache hit latency, branch misprediction penalty, and program-wide memory overhead to achieve aggressive performance and scalability targets. Our work demonstrates that such parsers are, contrary to popular belief, sufficiently expressive for meaningful protocols, sufficiently performant for high-throughput applications, and sufficiently simple to construct and maintain. We hope that, in light of other research demonstrating the security benefits of such parsers over more complex, Turing-complete codes, our work serves as evidence that certain ``practical'' reasons for avoiding FSM-based parsers are invalid.","PeriodicalId":142224,"journal":{"name":"2014 IEEE Security and Privacy Workshops","volume":"45 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-05-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133992499","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 13
The Pitfalls of Protocol Design: Attempting to Write a Formally Verified PDF Parser 协议设计的陷阱:尝试编写一个正式验证的PDF解析器
2014 IEEE Security and Privacy Workshops Pub Date : 2014-05-17 DOI: 10.1109/SPW.2014.36
Andreas Bogk, Marco Schopl
{"title":"The Pitfalls of Protocol Design: Attempting to Write a Formally Verified PDF Parser","authors":"Andreas Bogk, Marco Schopl","doi":"10.1109/SPW.2014.36","DOIUrl":"https://doi.org/10.1109/SPW.2014.36","url":null,"abstract":"Parsers for complex data formats generally present a big attack surface for input-driven exploitation. In practice, this has been especially true for implementations of the PDF data format, as witnessed by dozens of known vulnerabilities exploited in many real world attacks, with the Acrobat Reader implementation being the main target. In this report, we describe our attempts to use Coq, a theorem prover based on a functional programming language making use of dependent types and the Curry-Howard isomorphism, to implement a formally verified PDF parser. We ended up implementing a subset of the PDF format and proving termination of the combinator-based parser. Noteworthy results include a dependent type representing a list of strictly monotonically decreasing length of remaining symbols to parse, which allowed us to show termination of parser combinators. Also, difficulties showing termination of parsing some features of the PDF format readily translated into denial of service attacks against existing PDF parsers-we came up with a single PDF file that made all the existing PDF implementations we could test enter an endless loop.","PeriodicalId":142224,"journal":{"name":"2014 IEEE Security and Privacy Workshops","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-05-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130764484","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 5
Analysis of Unintentional Insider Threats Deriving from Social Engineering Exploits 源自社会工程漏洞的非故意内部威胁分析
2014 IEEE Security and Privacy Workshops Pub Date : 2014-05-17 DOI: 10.1109/SPW.2014.39
F. Greitzer, Jeremy R. Strozer, Sholom G. Cohen, A. Moore, David A. Mundie, Jennifer Cowley
{"title":"Analysis of Unintentional Insider Threats Deriving from Social Engineering Exploits","authors":"F. Greitzer, Jeremy R. Strozer, Sholom G. Cohen, A. Moore, David A. Mundie, Jennifer Cowley","doi":"10.1109/SPW.2014.39","DOIUrl":"https://doi.org/10.1109/SPW.2014.39","url":null,"abstract":"Organizations often suffer harm from individuals who bear no malice against them but whose actions unintentionally expose the organizations to risk-the unintentional insider threat (UIT). In this paper we examine UIT cases that derive from social engineering exploits. We report on our efforts to collect and analyze data from UIT social engineering incidents to identify possible behavioral and technical patterns and to inform future research and development of UIT mitigation strategies.","PeriodicalId":142224,"journal":{"name":"2014 IEEE Security and Privacy Workshops","volume":"12 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-05-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114206363","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 83
Parsifal: A Pragmatic Solution to the Binary Parsing Problems Parsifal:二进制解析问题的实用解决方案
2014 IEEE Security and Privacy Workshops Pub Date : 2014-05-17 DOI: 10.1109/SPW.2014.35
O. Levillain
{"title":"Parsifal: A Pragmatic Solution to the Binary Parsing Problems","authors":"O. Levillain","doi":"10.1109/SPW.2014.35","DOIUrl":"https://doi.org/10.1109/SPW.2014.35","url":null,"abstract":"Parsers are pervasive software basic blocks: as soon as a program needs to communicate with another program or to read a file, a parser is involved. However, writing robust parsers can be difficult, as is revealed by the amount of bugs and vulnerabilities related to programming errors in parsers. It is especially true for network analysis tools, which led the network and protocols laboratory of the French Network and Information Security Agency (ANSSI) to write custom tools. One of them, Parsifal, is a generic framework to describe parsers in OCaml, and gave us some insight into binary formats and parsers. After describing our tool, this article presents some use cases and lessons we learned about format complexity, parser robustness and the role the language used played.","PeriodicalId":142224,"journal":{"name":"2014 IEEE Security and Privacy Workshops","volume":"8 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-05-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126014008","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 13
P2U: A Privacy Policy Specification Language for Secondary Data Sharing and Usage 二级数据共享和使用的隐私策略规范语言
2014 IEEE Security and Privacy Workshops Pub Date : 2014-05-17 DOI: 10.1109/SPW.2014.12
J. Iyilade, Julita Vassileva
{"title":"P2U: A Privacy Policy Specification Language for Secondary Data Sharing and Usage","authors":"J. Iyilade, Julita Vassileva","doi":"10.1109/SPW.2014.12","DOIUrl":"https://doi.org/10.1109/SPW.2014.12","url":null,"abstract":"Within the last decade, there are growing economic social incentives and opportunities for secondary use of data in many sectors, and strong market forces currently drive the active development of systems that aggregate user data gathered by many sources. This secondary use of data poses privacy threats due to unwanted use of data for the wrong purposes such as discriminating the user for employment, loan and insurance. Traditional privacy policy languages such as the Platform for Privacy Preferences (P3P) are inadequate since they were designed long before many of these technologies were invented and basically focus on enabling user-awareness and control during primary data collection (e.g. by a website). However, with the advent of Web 2.0 and Social Networking Sites, the landscape of privacy is shifting from limiting collection of data by websites to ensuring ethical use of the data after initial collection. To meet the current challenges of privacy protection in secondary context, we propose a privacy policy language, Purpose-to-Use (P2U), aimed at enforcing privacy while enabling secondary user information sharing across applications, devices, and services on the Web.","PeriodicalId":142224,"journal":{"name":"2014 IEEE Security and Privacy Workshops","volume":"49 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-05-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124025909","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 39
Resilience as a New Enforcement Model for IT Security Based on Usage Control 弹性:一种新的基于使用控制的IT安全实施模型
2014 IEEE Security and Privacy Workshops Pub Date : 2014-05-17 DOI: 10.1109/SPW.2014.14
Sven Wohlgemuth
{"title":"Resilience as a New Enforcement Model for IT Security Based on Usage Control","authors":"Sven Wohlgemuth","doi":"10.1109/SPW.2014.14","DOIUrl":"https://doi.org/10.1109/SPW.2014.14","url":null,"abstract":"Security and privacy are not only general requirements of a society but also indispensable enablers for innovative IT infrastructure applications aiming at increased, sustainable welfare and safety of a society. A critical activity of these IT applications is spontaneous information exchange. This information exchange, however, creates inevitable, unknown dependencies between the participating IT systems, which, in turn threaten security and privacy. With the current approach to IT security, security and privacy follow changes and incidents rather than anticipating them. By sticking to a given threat model, the current approach fails to consider vulnerabilities which arise during a spontaneous information exchange. With the goal of improving security and privacy, this work proposes adapting an IT security model and its enforcement to current and most probable incidents before they result in an unacceptable risk for the participating parties or failure of IT applications. Usage control is the suitable security policy model, since it allows changes during run-time without conceptually raising additional incidents.","PeriodicalId":142224,"journal":{"name":"2014 IEEE Security and Privacy Workshops","volume":"28 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-05-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115295716","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 5
The Weird Machines in Proof-Carrying Code 携带证明代码中的奇怪机器
2014 IEEE Security and Privacy Workshops Pub Date : 2014-05-17 DOI: 10.1109/SPW.2014.37
Julien Vanegue
{"title":"The Weird Machines in Proof-Carrying Code","authors":"Julien Vanegue","doi":"10.1109/SPW.2014.37","DOIUrl":"https://doi.org/10.1109/SPW.2014.37","url":null,"abstract":"We review different attack vectors on Proof-Carrying Code (PCC) related to policy, memory model, machine abstraction, and formal system. We capture the notion of weird machines in PCC to formalize the shadow execution arising in programs when their proofs do not sufficiently capture and disallow the execution of untrusted computations. We suggest a few ideas to improve existing PCC systems so they are more resilient to memory attacks.","PeriodicalId":142224,"journal":{"name":"2014 IEEE Security and Privacy Workshops","volume":"2010 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-05-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127343727","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 18
Understanding Insider Threat: A Framework for Characterising Attacks 理解内部威胁:描述攻击的框架
2014 IEEE Security and Privacy Workshops Pub Date : 2014-05-17 DOI: 10.1109/SPW.2014.38
Jason R. C. Nurse, Oliver Buckley, P. Legg, M. Goldsmith, S. Creese, Gordon R. T. Wright, M. Whitty
{"title":"Understanding Insider Threat: A Framework for Characterising Attacks","authors":"Jason R. C. Nurse, Oliver Buckley, P. Legg, M. Goldsmith, S. Creese, Gordon R. T. Wright, M. Whitty","doi":"10.1109/SPW.2014.38","DOIUrl":"https://doi.org/10.1109/SPW.2014.38","url":null,"abstract":"The threat that insiders pose to businesses, institutions and governmental organisations continues to be of serious concern. Recent industry surveys and academic literature provide unequivocal evidence to support the significance of this threat and its prevalence. Despite this, however, there is still no unifying framework to fully characterise insider attacks and to facilitate an understanding of the problem, its many components and how they all fit together. In this paper, we focus on this challenge and put forward a grounded framework for understanding and reflecting on the threat that insiders pose. Specifically, we propose a novel conceptualisation that is heavily grounded in insider-threat case studies, existing literature and relevant psychological theory. The framework identifies several key elements within the problem space, concentrating not only on noteworthy events and indicators- technical and behavioural- of potential attacks, but also on attackers (e.g., the motivation behind malicious threats and the human factors related to unintentional ones), and on the range of attacks being witnessed. The real value of our framework is in its emphasis on bringing together and defining clearly the various aspects of insider threat, all based on real-world cases and pertinent literature. This can therefore act as a platform for general understanding of the threat, and also for reflection, modelling past attacks and looking for useful patterns.","PeriodicalId":142224,"journal":{"name":"2014 IEEE Security and Privacy Workshops","volume":"10 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-05-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115492153","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 177
Ethics in Data Sharing: Developing a Model for Best Practice 数据共享中的伦理:开发最佳实践模型
2014 IEEE Security and Privacy Workshops Pub Date : 2014-05-17 DOI: 10.1109/SPW.2014.43
S. Dietrich, J. V. D. Ham, A. Pras, R. V. Rijswijk-Deij, Darren Shou, A. Sperotto, A. Wynsberghe, L. Zuck
{"title":"Ethics in Data Sharing: Developing a Model for Best Practice","authors":"S. Dietrich, J. V. D. Ham, A. Pras, R. V. Rijswijk-Deij, Darren Shou, A. Sperotto, A. Wynsberghe, L. Zuck","doi":"10.1109/SPW.2014.43","DOIUrl":"https://doi.org/10.1109/SPW.2014.43","url":null,"abstract":"As an outcome of a seminar on the 'Ethics in Data Sharing', we sketch a model of best practice for sharing data in research. We illustrate this model with two current and timely real-life cases from the context of computer and network security.","PeriodicalId":142224,"journal":{"name":"2014 IEEE Security and Privacy Workshops","volume":"8 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-05-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130301430","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 10
首页 上一页 下一页 尾页
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
请完成安全验证×
相关产品
×
本文献相关产品
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信