{"title":"Android Remote Unlocking Service using Synthetic Password: A Hardware Security-preserving Approach","authors":"Sungmin Lee, Y. Jung, Jae-hwi Lee, Byoungyoung Lee, T. Kwon","doi":"10.1109/SecDev51306.2021.00025","DOIUrl":"https://doi.org/10.1109/SecDev51306.2021.00025","url":null,"abstract":"Remote unlocking for Android devices may benefit both users and manufacturers. Users can continue using the device without factory-resetting when they unexpectedly forget their passphrases. Manufacturers can improve non-face-to-face customer services in the COVID-19 era. Nevertheless, not many manufacturers support remote unlocking services for Android devices. If the remote unlocking service is triggered by requests over-the-air, it may increase the attack surface of Android security. Android security is hardware-based (e.g., hardware-backed Keystore), so we seek to preserve this security level by designing a new remote unlocking service without modifying trusted execution environments. Our design supports two-factor authentication, distributed authority, trust-boundary minimization, and key management. Since a synthetic password used for remote unlocking is not exposed to the outside of an Android device, the manufacturer still cannot unlock the device without user consent. We identify 208 security threats in the proposed remote unlocking service using the STRIDE model and ensure that our design has countermeasures for all high-level security threats. After passing quality verification and penetration tests, the proposed remote unlocking service has been officially installed on commercial devices.","PeriodicalId":154122,"journal":{"name":"2021 IEEE Secure Development Conference (SecDev)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129925572","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Shhh!: 12 Practices for Secret Management in Infrastructure as Code","authors":"A. Rahman, F. Barsha, P. Morrison","doi":"10.1109/SecDev51306.2021.00024","DOIUrl":"https://doi.org/10.1109/SecDev51306.2021.00024","url":null,"abstract":"Despite being beneficial in automated provisioning of computing infrastructure at scale, infrastructure as code (IaC) scripts are susceptible to containing secrets, such as hard-coded passwords. A derivation of practices related to secret management for IaC can help practitioners to secure their secrets, potentially aiding them to securely develop IaC scripts. The goal of the paper is to help practitioners in secure development of infrastructure as code (IaC) scripts by identifying practices for secret management in IaC. We conduct a grey literature review with 38 Internet artifacts to identify 12 practices. We identify practices that are applicable for all IaC languages, e.g., prioritized encryption, as well as language-specific practices, such as state separation for Terraform. Our findings can be beneficial for (i) practitioners who can apply the identified practices to secure secrets in IaC development, and (ii) researchers who can investigate how the secret management process can be improved to facilitate secure development of IaC scripts.","PeriodicalId":154122,"journal":{"name":"2021 IEEE Secure Development Conference (SecDev)","volume":"18 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123380749","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Hands-on Tutorial: How Exploitable is Insecure C Code?","authors":"David Svoboda","doi":"10.1109/SecDev51306.2021.00015","DOIUrl":"https://doi.org/10.1109/SecDev51306.2021.00015","url":null,"abstract":"C is still one of the most widely-used programming languages today, yet writing insecure code in C is frighteningly easy, and exploiting insecure code is also too easy. This tutorial aims to teach attendees about C from a security perspective, and includes an exercise in understanding how a simple C program works, and can be exploited when written insecurely.","PeriodicalId":154122,"journal":{"name":"2021 IEEE Secure Development Conference (SecDev)","volume":"277 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114078258","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Automated Threat Analysis and Management in a Continuous Integration Pipeline","authors":"Laurens Sion, D. Landuyt, Koen Yskout, Stef Verreydt, W. Joosen","doi":"10.1109/SecDev51306.2021.00021","DOIUrl":"https://doi.org/10.1109/SecDev51306.2021.00021","url":null,"abstract":"Security and privacy threat modeling is commonly applied to systematically identify and address design-level security and privacy concerns in the early stages of architecture and design. Identifying and resolving these threats should remain a continuous concern during the development lifecycle. Especially with contemporary agile development practices, a single-shot upfront analysis becomes quickly outdated. Despite it being explicitly recommended by experts, existing threat modeling approaches focus largely on early development phases and provide limited support during later implementation phases. In this paper, we present an integrated threat analysis toolchain to support automated, continuous threat elicitation, assessment, and mitigation as part of a continuous integration pipeline in the GitLab DevOps platform. This type of automation allows for continuous attention to security and privacy threats during development at the level of individual commits, supports monitoring and managing the progress in addressing security and privacy threats over time, and enables more advanced and fine-grained analyses such as assessing the impact of proposed changes in different code branches or merge/pull requests by analyzing the changes to the threat model.","PeriodicalId":154122,"journal":{"name":"2021 IEEE Secure Development Conference (SecDev)","volume":"66 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116382268","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Towards Zero Trust: An Experience Report","authors":"Jason Lowdermilk, S. Sethumadhavan","doi":"10.1109/SecDev51306.2021.00027","DOIUrl":"https://doi.org/10.1109/SecDev51306.2021.00027","url":null,"abstract":"Risks from supply chain attacks have gained prominence. In response to these attacks, regulators have suggested building systems on the principles of “zero-trust”, an aspirational motto that urges system designers to take measures to minimize trust. But, to what degree can one minimize trust in realistic systems? The answer to this question, of course, depends on the context. In this paper, we explore this question in the context of a satellite ground station front end processor – a critical component in satellite ground stations, in both standalone and cloud settings. Based on our design and implementation experience that spanned 18 months, we observe that it is possible to achieve a significant reduction in trust as measured by the lines of code. We also find that minimizing the lines of code improves productivity and the performance of our design. Finally, we find trust can be minimized to a greater extent for standalone systems than cloud systems.","PeriodicalId":154122,"journal":{"name":"2021 IEEE Secure Development Conference (SecDev)","volume":"47 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124487439","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Tutorial: Making C Programs Safer with Checked C","authors":"Jie Zhou, M. Hicks, Yudi Yang, J. Criswell","doi":"10.1109/SecDev51306.2021.00018","DOIUrl":"https://doi.org/10.1109/SecDev51306.2021.00018","url":null,"abstract":"Despite its well-known lack of memory safety, C is still widely used to write both new code and to maintain legacy software. Extensive efforts to make C safe have not seen wide adoption due to poor performance and a lack of backward compatibility. Checked C is an open-source, safe extension to C that addresses these problems. This hands-on tutorial will introduce attendees to Checked C and provide guidance in the use of 3C, a semi-automatic tool that converts legacy C code to Checked C.","PeriodicalId":154122,"journal":{"name":"2021 IEEE Secure Development Conference (SecDev)","volume":"24 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125093409","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Compressing Network Attack Surfaces for Practical Security Analysis","authors":"D. Everson, Long Cheng","doi":"10.1109/SecDev51306.2021.00020","DOIUrl":"https://doi.org/10.1109/SecDev51306.2021.00020","url":null,"abstract":"Testing or defending the security of a large network can be challenging because of the sheer number of potential ingress points that need to be investigated and evaluated for vulnerabilities. In short, manual security testing and analysis do not easily scale to large networks. While it has been shown that clustering can simplify the problem somewhat, the data structures and formats returned by the latest network mapping tools are not conducive to clustering algorithms. In this paper we introduce a hybrid similarity algorithm to compute the distance between two network services and then use those calculations to support a clustering algorithm designed to compress a large network attack surface by orders of magnitude. Doing so allows for new testing strategies that incorporate outlier detection and smart consolidation of test cases to improve accuracy and timeliness of testing. We conclude by presenting two case studies using an organization’s network attack surface data to demonstrate the effectiveness of this approach.","PeriodicalId":154122,"journal":{"name":"2021 IEEE Secure Development Conference (SecDev)","volume":"134 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"117320743","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Analyzing OpenAPI Specifications for Security Design Issues","authors":"C. Cheh, Binbin Chen","doi":"10.1109/SecDev51306.2021.00019","DOIUrl":"https://doi.org/10.1109/SecDev51306.2021.00019","url":null,"abstract":"Modern web and mobile applications rely on an ever increasing set of services defined by their respective API (Application Programming Interface) specifications. The complexity of today’s APIs, in terms of scale and inter-dependency, poses a challenge for security analyses as it requires much manual effort to conduct a check for design flaws. In this work, we leverage the standardized OpenAPI specification as input and propose a semi-automatic approach to infer various key information about that API specification’s security issues. Our case study based on the OpenAPI specification of the Open Bank Project (consisting of 304 API calls and 402 data fields) shows that our approach can: 1) identify sensitive and insensitive data fields, 2) identify insecure or high-risk API calls that may leak sensitive data, and 3) calculate the exposure level of each data field and API call. In particular, we identified 31 sensitive data fields, 29 insufficiently protected API calls that access a subset of those sensitive data, and 34 high-risk API calls that may result in sensitive data exposure. Furthermore, our exposure level calculation shows that transactions-related fields generally have higher exposure level, hence requiring more scrutiny.","PeriodicalId":154122,"journal":{"name":"2021 IEEE Secure Development Conference (SecDev)","volume":"27 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134008170","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}