{"title":"FP -TESTER : Automated Testing of Browser Fingerprint Resilience","authors":"Antoine Vastel, Walter Rudametkin, Romain Rouvoy","doi":"10.1109/EuroSPW.2018.00020","DOIUrl":"https://doi.org/10.1109/EuroSPW.2018.00020","url":null,"abstract":"Despite recent regulations and growing user awareness, undesired browser tracking is increasing. In addition to cookies, browser fingerprinting is a stateless technique that exploits a device's configuration for tracking purposes. In particular, browser fingerprinting builds on attributes made available from Javascript and HTTP headers to create a unique and stable fingerprint. For example, browser plugins have been heavily exploited by state-of-the-art browser fingerprinters as a rich source of entropy. However, as browser vendors abandon plugins in favor of extensions, fingerprinters will adapt. We present FP-TESTER, an approach to automatically test the effectiveness of browser fingerprinting countermeasure extensions. We implement a testing toolkit to be used by developers to reduce browser fingerprintability. While countermeasures aim to hinder tracking by changing or blocking attributes, they may easily introduce subtle side-effects that make browsers more identifiable, rendering the extensions counterproductive. FP-TESTER reports on the side-effects introduced by the countermeasure, as well as how they impact tracking duration from a fingerprinter's point-of-view. To the best of our knowledge, FP-TESTER is the first tool to assist developers in fighting browser fingerprinting and reducing the exposure of end-users to such privacy leaks.","PeriodicalId":326280,"journal":{"name":"2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","volume":"3 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-04-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130792939","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
C. Castelluccia, M. Cunche, D. Métayer, Victor Morel
{"title":"Enhancing Transparency and Consent in the IoT","authors":"C. Castelluccia, M. Cunche, D. Métayer, Victor Morel","doi":"10.1109/EuroSPW.2018.00023","DOIUrl":"https://doi.org/10.1109/EuroSPW.2018.00023","url":null,"abstract":"The development of the IoT raises specific questions in terms of privacy, especially with respect to information to users and consent. We argue that (1) all necessary information about collected data and the collecting devices should be communicated electronically to all data subjects in their range and (2) data subjects should be able to reply also electronically and express their own privacy choices. In this position paper, we take some examples of technologies and initiatives to illustrate our position (including direct and registry-based communications) and discuss them in the light of the GDPR and the WP29 recommendations.","PeriodicalId":326280,"journal":{"name":"2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","volume":"35 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-04-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124778218","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"How to Squeeze a Crowd: Reducing Bandwidth in Mixing Cryptocurrencies","authors":"Alishah Chator, M. Green","doi":"10.1109/EuroSPW.2018.00012","DOIUrl":"https://doi.org/10.1109/EuroSPW.2018.00012","url":null,"abstract":"Several popular cryptocurrencies incorporate privacy features that \"mix\" real transactions with cover traffic in order to obfuscate the public transaction graph. The underlying protocols, which include CryptoNote and Monero's RingCT, work by first identifying a real transaction output (TXO), sampling a number of cover outputs, and transmitting the entire resulting set to verifiers, along with a zero knowledge (or WI) proof that hides the identity of the real transaction. Unfortunately, many of these schemes suffer from a practical limitation: the description of the combined input set grows linearly with size of the anonymity set. In this work we propose a simple technique for efficiently sampling cover traffic from a finite (and public) set of known values, while deriving a compact description of the resulting transaction set. This technique, which is based on programmable hash functions, allows us to dramatically reduce transaction bandwidth when large cover sets are used.We refer to our construction as a recoverable sampling scheme, and note that it may be of independent interest for other privacy applications. We present formal security definitions; prove our constructions secure; and show how these constructions can be integrated with various currencies and different cover sampling distributions.","PeriodicalId":326280,"journal":{"name":"2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","volume":"29 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-04-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123612758","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Privacy Risk Analysis to Enable Informed Privacy Settings","authors":"S. De, D. Métayer","doi":"10.1109/EuroSPW.2018.00019","DOIUrl":"https://doi.org/10.1109/EuroSPW.2018.00019","url":null,"abstract":"The work described in this paper is a contribution to enhancing individual control over personal data which is promoted, inter alia, by the new EU General Data Protection Regulation. We propose a method to enable better informed choices of privacy settings. The method relies on a privacy risk analysis parameterized by privacy settings. The user can express his choices, visualize their impact on the privacy risks through a user-friendly interface and, if needed, decide to revise them to reduce risks to an acceptable level.","PeriodicalId":326280,"journal":{"name":"2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","volume":"44 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-04-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128271654","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Oded Leiba, Yechiav Yitzchak, Ron Bitton, Asaf Nadler, A. Shabtai
{"title":"Incentivized Delivery Network of IoT Software Updates Based on Trustless Proof-of-Distribution","authors":"Oded Leiba, Yechiav Yitzchak, Ron Bitton, Asaf Nadler, A. Shabtai","doi":"10.1109/EuroSPW.2018.00011","DOIUrl":"https://doi.org/10.1109/EuroSPW.2018.00011","url":null,"abstract":"The Internet of Things (IoT) network of connected devices currently contains more than 11 billion devices and is estimated to double in size within the next four years. The prevalence of these devices makes them an ideal target for attackers. To reduce the risk of attacks vendors routinely deliver security updates (patches) for their devices. The delivery of security updates becomes challenging due to the issue of scalability as the number of devices may grow much quicker than vendors' distribution systems. Previous studies have suggested a permissionless and decentralized blockchainbased network in which nodes can host and deliver security updates, thus the addition of new nodes scales out the network. However, these studies do not provide an incentive for nodes to join the network, making it unlikely for nodes to freely contribute their hosting space, bandwidth, and computation resources. In this paper, we propose a novel decentralized IoT software update delivery network in which participating nodes (referred to as distributors) are compensated by vendors with digital currency for delivering updates to devices. Upon the release of a new security update, a vendor will make a commitment to provide digital currency to distributors that deliver the update; the commitment will be made with the use of smart contracts, and hence will be public, binding, and irreversible. The smart contract promises compensation to any distributor that provides proof-of-distribution, which is unforgeable proof that a single update was delivered to a single device. A distributor acquires the proof-of-distribution by exchanging a security update for a device signature using the Zero-Knowledge Contingent Payment (ZKCP) trustless data exchange protocol. Eliminating the need for trust between the security update distributor and the security consumer (IoT device) by providing fair compensation, can significantly increase the number of distributors, thus facilitating rapid scale out.","PeriodicalId":326280,"journal":{"name":"2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","volume":"40 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-04-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132312893","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The Impact of Uncle Rewards on Selfish Mining in Ethereum","authors":"Fabian Ritz, A. Zugenmaier","doi":"10.1109/EuroSPW.2018.00013","DOIUrl":"https://doi.org/10.1109/EuroSPW.2018.00013","url":null,"abstract":"Many of today's crypto currencies use blockchains as decentralized ledgers and secure them with proof of work. In case of a fork of the chain, Bitcoin's rule for achieving consensus is selecting the longest chain and discarding the other chain as stale. It has been demonstrated that this consensus rule has a weakness against selfish mining in which the selfish miner exploits the variance in block generation by partially withholding blocks. In Ethereum, however, under certain conditions stale blocks don't have to be discarded but can be referenced from the main chain as uncle blocks yielding a partial reward. This concept limits the impact of network delays on the expected revenue for miners. But the concept also reduces the risk for a selfish miner to gain no rewards from withholding a freshly minted block. This paper uses a Monte Carlo simulation to quantify the effect of uncle blocks both to the profitability of selfish mining and the blockchain's security in Ethereum (ETH). A brief outlook about a recent Ethereum Classic (ETC) improvement proposal that weighs uncle blocks during the selection of the main chain will be given.","PeriodicalId":326280,"journal":{"name":"2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","volume":"4 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-04-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115580511","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Privacy Compliance Via Model Transformations","authors":"Thibaud Antignac, R. Scandariato, G. Schneider","doi":"10.1109/EuroSPW.2018.00024","DOIUrl":"https://doi.org/10.1109/EuroSPW.2018.00024","url":null,"abstract":"Due to the upcoming, more restrictive regulations (like the European GDPR), designing privacy preserving architectures for information systems is becoming a pressing concern for practitioners. In particular, verifying that a design is compliant with the regulations might be a challenging task for engineers. This work presents an approach based on model transformations, which guarantee that an architectural design encompasses regulation-oriented principles such as purpose limitation, or accountability of the data controller. Our work improves the state of the art along two main dimensions. The approach we propose (i) embeds privacy principles coming from regulations, thus helping to bridge the gap between the technical and the legal worlds, (ii) systematize the embedding of the privacy principles coming from regulations, thus enabling a constructive approach to privacy by design.","PeriodicalId":326280,"journal":{"name":"2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","volume":"17 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-04-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116269235","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Blockchain as a Service (BaaS): Providers and Trust","authors":"Jatinder Singh, Johan David Michels","doi":"10.1109/EuroSPW.2018.00015","DOIUrl":"https://doi.org/10.1109/EuroSPW.2018.00015","url":null,"abstract":"Distributed ledger technologies (DLTs) are receiving much attention. As discussion focuses on the potential applications of DLTs, Blockchain-as-a-Service (BaaS) offerings are emerging to provide the underlying supporting infrastructure. BaaS entails a service provider supplying and managing aspects of a DLT infrastructure to facilitate and bring efficiencies regarding the development, experimentation, deployment, and the ongoing management of DLT applications. However, much of the interest in DLTs stems from their potential to decentralise, disintermediate, and enable ‘trustless’ interactions. At first sight, BaaS – being offered by a provider – appears to run counter to this. In practice, whether BaaS raises substantive trust concerns depends on the nature of the offering, the application's specifics, and the participants' goals and risk appetite. This paper elaborates the nature of BaaS and explores the trust considerations it raises, particularly regarding the role of providers as part of a wider infrastructure.","PeriodicalId":326280,"journal":{"name":"2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","volume":"4 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-04-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131846240","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Decentralizing Digital Identity: Open Challenges for Distributed Ledgers","authors":"Paul Dunphy, L. Garratt, F. Petitcolas","doi":"10.1109/EuroSPW.2018.00016","DOIUrl":"https://doi.org/10.1109/EuroSPW.2018.00016","url":null,"abstract":"Distributed Ledger Technology (DLT) has been proposed as a new way to incorporate decentralization into a wide range of digital infrastructures. Applications of DLT to digital identity are increasing in prevalence, with a recent survey reporting that 55% of DLT technologies in development track digital identity. However, while proofs of concept, open source software, and new ideas are readily available, it is still unclear the extent to which DLT can play a role to underpin new forms of digital identity. In this position paper, we situate this fast-moving application domain into the broader challenges faced in digital identity, with the aim to highlight the socio-technical nature of the challenge at hand, and to propose directions for future research.","PeriodicalId":326280,"journal":{"name":"2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","volume":"67 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-04-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123518206","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Vulnerability Detection on Mobile Applications Using State Machine Inference","authors":"Wesley van der Lee, S. Verwer","doi":"10.1109/EuroSPW.2018.00008","DOIUrl":"https://doi.org/10.1109/EuroSPW.2018.00008","url":null,"abstract":"Although the importance of mobile applications grows every day, recent vulnerability reports argue the application's deficiency to meet modern security standards. Testing strategies alleviate the problem by identifying security violations in software implementations. This paper proposes a novel testing methodology that applies state machine learning of mobile Android applications in combination with algorithms that discover attack paths in the learned state machine. The presence of an attack path evidences the existence of a vulnerability in the mobile application. We apply our methods to real-life apps and show that the novel methodology is capable of identifying vulnerabilities.","PeriodicalId":326280,"journal":{"name":"2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","volume":"71 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-04-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125974975","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}