{"title":"An (Un)Necessary Evil - Users' (Un)Certainty about Smartphone App Permissions and Implications for Privacy Engineering","authors":"Kerstin Bongard-Blanchy, Jean-Louis Sterckx, Arianna Rossi, Verena Distler, S. Rivas, Vincent Koenig","doi":"10.1109/eurospw55150.2022.00023","DOIUrl":"https://doi.org/10.1109/eurospw55150.2022.00023","url":null,"abstract":"App permission requests are a control mechanism meant to help users oversee and safeguard access to data and resources on their smartphones. To decide whether to accept or deny such requests and make this consent valid, users need to understand the underlying reasons and judge the relevance of disclosing data in line with their own use of an app. This study investigates people's certainty about app permission requests via an online survey with 400 representative participants of the UK population. The results demonstrate that users are uncertain about the necessity of granting app permissions for about half of the tested permission requests. This implies substantial privacy risks, which are discussed in the paper, resulting in a call for user protecting interventions by privacy engineers.","PeriodicalId":275840,"journal":{"name":"2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","volume":"44 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115821821","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"BEERR: Bench of Embedded system Experiments for Reproducible Research","authors":"P. Olivier, X. Ngo, Aurélien Francillon","doi":"10.1109/eurospw55150.2022.00040","DOIUrl":"https://doi.org/10.1109/eurospw55150.2022.00040","url":null,"abstract":"Reproducing experiments is a key component to further research and knowledge. Testbeds provide a controlled and configurable environment in which experiments can be conducted in a repeatable and observable manner. In the field of system security, and binary analysis, several challenges hinder reproducible research, in particular when code is interacting tightly with low level hardware and physical devices. In those conditions, dynamic analysis techniques often require the physical device to correctly complete (hardware-in-the-loop). In recent years many re-hosting techniques have been developed and evaluating their respective performance requires to compare them with an hardware-in-the-loop evaluation. However, it is challenging to share, acquire or maintain the original devices. In this paper, we tackle this problem by proposing a new infrastructure, and online service called “Bench of Embedded system Experiments for Reproducible Research” (BEERR). It aims to both make physical devices available remotely and facilitate the setup and reproduction of published experiments.","PeriodicalId":275840,"journal":{"name":"2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","volume":"36 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130306661","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Building an Ontology for Cyber Defence Exercises","authors":"Gulkhara Babayeva, Kaie Maennel, O. Maennel","doi":"10.1109/eurospw55150.2022.00050","DOIUrl":"https://doi.org/10.1109/eurospw55150.2022.00050","url":null,"abstract":"Over the course of recent years, the volume of cyber attacks has increased. The Cyber Defence Exercises (CDX) help organisations evaluate their security capacity by engaging in real-life cyber attack scenarios and improving the skills of the cybersecurity specialists and security measures to protect their critical systems from any potential cyber attacks. During such exercises, cybersecurity data is generated in structured and unstructured forms ranging from system-generated logs to situational reports. However, there is no united governance of all the generated data within the CDX context, which may lead to knowledge mismanagement. In this paper, we develop ontology-based structured knowledge management within the CDX environment to provide common understanding, integration, and sharing of data in this domain. The CDX ontology is developed with RDF and OWL languages assembling the data in an organised and machine-understandable format which will be very handy for computational linguistics. The validation of the ontology is conducted by ontology reasoning, competency questions, and, most importantly, expert evaluation. 
The CDX ontology passes the validation methods successfully and is thought to be a valuable asset for future research in its domain.","PeriodicalId":275840,"journal":{"name":"2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129817280","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Improving Software Quality in Cryptography Standardization Projects","authors":"Matthias J. Kannwischer, P. Schwabe, D. Stebila, Thom Wiggers","doi":"10.1109/eurospw55150.2022.00010","DOIUrl":"https://doi.org/10.1109/eurospw55150.2022.00010","url":null,"abstract":"The NIST post-quantum cryptography (PQC) standardization project is probably the largest and most ambitious cryptography standardization effort to date, and as such it makes an excellent case study of cryptography standardization projects. It is expected that with the end of round 3 in early 2022, NIST will announce the first set of primitives to advance to standardization, so it seems like a good time to look back and see what lessons can be learned from this effort. In this paper, we take a look at one specific aspect of the NIST PQC project: software implementations. We observe that many implementations included as a mandatory part of the submission packages were of poor quality and ignored decades-old standard techniques from software engineering to guarantee a certain baseline quality level. As a consequence, it was not possible to readily use those implementations in experiments for post-quantum protocol migration and software optimization efforts without first spending a significant amount of time to clean up the submitted reference implementations. We do not mean to criticize cryptographers who submitted proposals, including software implementations, to NIST PQC: after all, it cannot reasonably be expected from every cryptographer to also have expertise in software engineering. Instead, we suggest how standardization bodies like NIST can improve the software-submission process in future efforts to avoid such issues with submitted software. More specifically, we present PQClean, an extensive (continuous-integration) testing framework for PQC software, which now also contains “clean” implementations of the NIST round 3 candidate schemes. 
We argue that the availability of such a framework - either in an online continuous-integration setup, or just as an offline testing system - long before the submission deadline would have resulted in much better implementations included in NIST PQC submissions and overall would have saved the community and probably also NIST a lot of time and effort.","PeriodicalId":275840,"journal":{"name":"2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","volume":"130 4","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"120833660","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Outsourcing MPC Precomputation for Location Privacy","authors":"I. Oleynikov, Elena Pagnin, A. Sabelfeld","doi":"10.1109/EuroSPW55150.2022.00060","DOIUrl":"https://doi.org/10.1109/EuroSPW55150.2022.00060","url":null,"abstract":"Proximity testing is at the core of several Location-Based Services (LBS) offered by, e.g., Uber, Facebook, and BlaBlaCar, as it determines closeness to a target. Unfortunately, modern LBS demand not only that clients disclose their locations in plain, but also to trust that the services will not abuse this information. These requirements are unfounded as there are ways to perform proximity testing without revealing one's location. We propose POLAR, a protocol that implements privacy-preserving proximity testing for LBS. POLAR is suitable for clients running mobile devices, and relies on a careful combination of three well-established multiparty computation protocols and lightweight cryptography. A point of originality is the inclusion of two servers into the proximity testing. The servers may aid multiple pairs of clients and contribute towards enhancing privacy, improving efficiency, and reducing the running time of clients' procedures.","PeriodicalId":275840,"journal":{"name":"2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","volume":"12 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125723331","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"No Time for Downtime: Understanding Post-Attack Behaviors by Customers of Managed DNS Providers","authors":"Muhammad Yasir Muzayan Haq, M. Jonker, R. V. Rijswijk-Deij, K. Claffy, L. Nieuwenhuis, Abhishta Abhishta","doi":"10.48550/arXiv.2205.12765","DOIUrl":"https://doi.org/10.48550/arXiv.2205.12765","url":null,"abstract":"We leverage large-scale DNS measurement data on authoritative name servers to study the reactions of domain owners affected by the 2016 DDoS attack on Dyn. We use industry sources of information about domain names to study the influence of factors such as industry sector and website popularity on the willingness of domain managers to invest in high availability of online services. Specifically, we correlate business characteristics of domain owners with their resilience strategies in the wake of DoS attacks affecting their domains. Our analysis revealed correlations between two properties of domains - industry sector and popularity - and post-attack strategies. Specifically, owners of more popular domains were more likely to react to increase the diversity of their authoritative DNS service for their domains. Similarly, domains in certain industry sectors were more likely to seek out such diversity in their DNS service. For example, domains categorized as General News were nearly 6 times more likely to react than domains categorized as Internet Services. 
Our results can inform managed DNS and other network service providers regarding the potential impact of downtime on their customer portfolio.","PeriodicalId":275840,"journal":{"name":"2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-05-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128600210","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"SRv6: Is There Anybody Out There?","authors":"Victor-Alexandru Pădurean, Oliver Gasser, R. Bush, A. Feldmann","doi":"10.48550/arXiv.2205.04193","DOIUrl":"https://doi.org/10.48550/arXiv.2205.04193","url":null,"abstract":"Segment routing is a modern form of source-based routing, i.e., a routing technique where all or part of the routing decision is predetermined by the source or a hop on the path. Since initial standardization efforts in 2013, segment routing seems to have garnered substantial industry and operator support. Especially segment routing over IPv6 (SRv6) is advertised as having several advantages for easy deployment and flexibility in operations in networks. Many people, however, argue that the deployment of segment routing and SRv6 in particular poses a significant security threat if not done with the utmost care. In this paper we conduct a first empirical analysis of SRv6 deployment in the Internet. First, we analyze SRv6 behavior in an emulation environment and find that different SRv6 implementations have the potential to leak information to the outside. Second, we search for signs of SRv6 deployment in publicly available route collector data, but could not find any traces. Third, we run large-scale traceroute campaigns to investigate possible SRv6 deployments. In this first empirical study on SRv6 we are unable to find traces of SRv6 deployment even for companies that claim to have it deployed in their networks. 
This lack of leakage might be an indication of good security practices being followed by network operators when deploying SRv6.","PeriodicalId":275840,"journal":{"name":"2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","volume":"16 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-05-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131422114","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Investigating the concentration of High Yield Investment Programs in the United Kingdom","authors":"Sharad Agarwal, Marie Vasek","doi":"10.1109/EuroSPW55150.2022.00017","DOIUrl":"https://doi.org/10.1109/EuroSPW55150.2022.00017","url":null,"abstract":"Ponzi schemes that offer absurdly high rates of return by relying on more and more people paying into the scheme have been documented since at least the mid-1800s. Ponzi schemes have shifted online in the Internet age, and some are re-branded as HYIPs or High Yield Investment Programs. This paper focuses on understanding HYIPs' continuous presence and presents various possible reasons behind their existence in today's world. A look into the countries where these schemes purport to exist, we find that 62.89% of all collected HYIPs claim to be in the United Kingdom (UK), and a further 55.56% are officially registered in the UK as a ‘limited company’ with a registration number provided by the UK Companies House, a UK agency that registers companies. We investigate other factors influencing these schemes, including the HYIPs' social media platforms and payment processors. The lifetime of the HYIPs helps to understand the success/failure of the investment schemes and helps indicate the schemes that could attract more investors. 
Using Cox proportional regression analysis, we find that having a valid UK address significantly affects the lifetime of an HYIP.","PeriodicalId":275840,"journal":{"name":"2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","volume":"66 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-04-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126768674","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"bAdvertisement: Attacking Advanced Driver-Assistance Systems Using Print Advertisements","authors":"Ben Nassi, Jacob Shams, Raz Ben-Netanel, Y. Elovici","doi":"10.1109/eurospw55150.2022.00045","DOIUrl":"https://doi.org/10.1109/eurospw55150.2022.00045","url":null,"abstract":"In this paper, we present bAdvertisement, a novel attack method against advanced driver-assistance systems (ADASs). bAdvertisement is performed as a supply chain attack via a compromised computer in a printing house, by embedding a “phantom” object in a print advertisement. When the compromised print advertisement is observed by an ADAS in a passing car, an undesired reaction is triggered from the ADAS. We analyze state-of-the-art object detectors and show that they do not take color or context into account in object detection. Our validation of these findings on Mobileye 630 PRO shows that this ADAS also fails to take color or context into account. Then, we show how an attacker can take advantage of these findings to execute an attack on a commercial ADAS, by embedding a phantom road sign in a print advertisement, which causes a car equipped with Mobileye 630 PRO to trigger a false notification to slow down. Finally, we discuss multiple countermeasures which can be deployed in order to mitigate the effect of our proposed attack.","PeriodicalId":275840,"journal":{"name":"2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","volume":"12 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-02-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122560533","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}