CODASPY : proceedings of the ... ACM conference on data and application security and privacy. ACM Conference on Data and Application Security & Privacy最新文献

{"title":"Software security: is ok good enough?","authors":"J. Dickson","doi":"10.1145/1943513.1943518","DOIUrl":"https://doi.org/10.1145/1943513.1943518","url":null,"abstract":"Widely publicized breaches regularly occur involving insecure software. This is due to the fact that the vast majority of software in use today was not designed to withstand attacks encountered when deployed on hostile networks such as the Internet. What limited vulnerability statistics that exist confirm that most modern software includes coding flaws and design errors that put sensitive customer data at risk. Unfortunately, security officers and software project owners still struggle to justify investment to build secure software. Initial efforts to build justification models have not been embraced beyond the most security conscious organizations. Concepts like the \"Rugged Software\" are gaining traction, but have yet to make a deep impact. How does an organization - short of a breach - justify expending critical resources to build more secure software? Is it realistic to believe that an industry-driven solution such as the Payment Card Industry's Data Security Standard (PCI-DSS) can drive secure software investment before headlines prompt government to demand top-down regulation to \"fix\" the security of software?\u0000 This presentation will attempt to characterize the current landscape of software security from the perspective of a practitioner who regularly works with Fortune 500 chief security officers to build business cases for software security initiatives. Given the current status of software security efforts, and the struggles for business justification, industry would be well-served to look further afield to other competing models to identify future justification efforts. There is still much that can be learned from models outside the security and information technology fields. For example, the history of food safety provides lessons that the software security industry can draw from when developing justification models. We can also learn from building code adoption by earthquake-prone communities and draw comparisons to communities that have less rigorous building codes. Finally, we can learn much from certain financial regulations that have or have not improved confidence in our financial system.","PeriodicalId":90472,"journal":{"name":"CODASPY : proceedings of the ... ACM conference on data and application security and privacy. ACM Conference on Data and Application Security & Privacy","volume":"7 1","pages":"25-26"},"PeriodicalIF":0.0,"publicationDate":"2011-02-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"75231848","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Enforcing physically restricted access control for remote data","authors":"Michael S. Kirkpatrick, Sam Kerr","doi":"10.1145/1943513.1943540","DOIUrl":"https://doi.org/10.1145/1943513.1943540","url":null,"abstract":"In a distributed computing environment, remote devices must often be granted access to sensitive information. In such settings, it is desirable to restrict access only to known, trusted devices. While approaches based on public key infrastructure and trusted hardware can be used in many cases, there are settings for which these solutions are not practical. In this work, we define physically restricted access control to reflect the practice of binding access to devices based on their intrinsic properties. Our approach is based on the application of physically unclonable functions. We define and formally analyze protocols enforcing this policy, and present experimental results observed from developing a prototype implementation. Our results show that non-deterministic physical properties of devices can be used as a reliable authentication and access control factor.","PeriodicalId":90472,"journal":{"name":"CODASPY : proceedings of the ... ACM conference on data and application security and privacy. ACM Conference on Data and Application Security & Privacy","volume":"15 1","pages":"203-212"},"PeriodicalIF":0.0,"publicationDate":"2011-02-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"73256482","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Fair and dynamic proofs of retrievability","authors":"Qingji Zheng, Shouhuai Xu","doi":"10.1145/1943513.1943546","DOIUrl":"https://doi.org/10.1145/1943513.1943546","url":null,"abstract":"Cloud computing is getting increasingly popular, but has yet to be widely adopted arguably because there are many security and privacy problems that have not been adequately addressed. A specific problem encountered in the context of cloud storage, where clients outsource their data (files) to untrusted cloud storage servers, is to convince the clients that their data are kept intact at the storage servers. An important approach to achieve this goal is called Proof of Retrievability (POR), by which a storage server can convince a client --- via a concise proof --- that its data can be recovered. However, existing POR solutions can only deal with static data (i.e., data items must be fixed), and actually are not secure when used to deal with dynamic data (i.e., data items need be inserted, deleted, and modified). Motivated by the need to securely deal with dynamic data, we propose the first dynamic POR scheme for this purpose. Moreover, we introduce a new property, called fairness, which is necessary and also inherent to the setting of dynamic data because, without ensuring it, a dishonest client could legitimately accuse an honest cloud storage server of manipulating its data. Our solution is based on two new tools, one is an authenticated data structure we call range-based 2-3 trees (rb23Tree for short), and the other is an incremental signature scheme we call hash-compress-and-sign (HCS for short). These tools might be of independent value as well.","PeriodicalId":90472,"journal":{"name":"CODASPY : proceedings of the ... ACM conference on data and application security and privacy. ACM Conference on Data and Application Security & Privacy","volume":"85 1","pages":"237-248"},"PeriodicalIF":0.0,"publicationDate":"2011-02-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"74582771","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"The challenge of data and application security and privacy (DASPY): are we up to it","authors":"R. Sandhu","doi":"10.1145/1943513.1943515","DOIUrl":"https://doi.org/10.1145/1943513.1943515","url":null,"abstract":"This talk gives a personal perspective on the topic area of this new conference on data and application security and privacy, the difficult nature of the challenge we are confronting and possible research thrusts that may help us progress to an effective scientific discipline in this arena.","PeriodicalId":90472,"journal":{"name":"CODASPY : proceedings of the ... ACM conference on data and application security and privacy. ACM Conference on Data and Application Security & Privacy","volume":"71 1","pages":"1-2"},"PeriodicalIF":0.0,"publicationDate":"2011-02-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"80143905","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Old, new, borrowed, blue --: a perspective on the evolution of mobile platform security architectures","authors":"Kari Kostiainen, E. Reshetova, Jan-Erik Ekberg, N. Asokan","doi":"10.1145/1943513.1943517","DOIUrl":"https://doi.org/10.1145/1943513.1943517","url":null,"abstract":"The recent dramatic increase in the popularity of \"smartphones\" has led to increased interest in smartphone security research. From the perspective of a security researcher the noteworthy attributes of a modern smartphone are the ability to install new applications, possibility to access Internet and presence of private or sensitive information such as messages or location. These attributes are also present in a large class of more traditional \"feature phones.\" Mobile platform security architectures in these types of devices have seen a much larger scale of deployment compared to platform security architectures designed for PC platforms. In this paper we start by describing the business, regulatory and end-user requirements which paved the way for this widespread deployment of mobile platform security architectures. We briefly describe typical hardware-based security mechanism that provide the foundation for mobile platform security. We then describe and compare the currently most prominent open mobile platform security architectures and conclude that many features introduced recently are borrowed, or adapted with a twist, from older platform security architectures. Finally, we identify a number of open problems in designing effective mobile platform security.","PeriodicalId":90472,"journal":{"name":"CODASPY : proceedings of the ... ACM conference on data and application security and privacy. ACM Conference on Data and Application Security & Privacy","volume":"94 1","pages":"13-24"},"PeriodicalIF":0.0,"publicationDate":"2011-02-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"91017421","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"RASP: efficient multidimensional range query on attack-resilient encrypted databases","authors":"Keke Chen, Ramakanth Kavuluru, Shumin Guo","doi":"10.1145/1943513.1943547","DOIUrl":"https://doi.org/10.1145/1943513.1943547","url":null,"abstract":"Range query is one of the most frequently used queries for online data analytics. Providing such a query service could be expensive for the data owner. With the development of services computing and cloud computing, it has become possible to outsource large databases to database service providers and let the providers maintain the range-query service. With outsourced services, the data owner can greatly reduce the cost in maintaining computing infrastructure and data-rich applications. However, the service provider, although honestly processing queries, may be curious about the hosted data and received queries. Most existing encryption based approaches require linear scan over the entire database, which is inappropriate for online data analytics on large databases. While a few encryption solutions are more focused on efficiency side, they are vulnerable to attackers equipped with certain prior knowledge. We propose the Random Space Encryption (RASP) approach that allows efficient range search with stronger attack resilience than existing efficiency-focused approaches. We use RASP to generate indexable auxiliary data that is resilient to prior knowledge enhanced attacks. Range queries are securely transformed to the encrypted data space and then efficiently processed with a two-stage processing algorithm. We thoroughly studied the potential attacks on the encrypted data and queries at three different levels of prior knowledge available to an attacker. Experimental results on synthetic and real datasets show that this encryption approach allows efficient processing of range queries with high resilience to attacks.","PeriodicalId":90472,"journal":{"name":"CODASPY : proceedings of the ... ACM conference on data and application security and privacy. ACM Conference on Data and Application Security & Privacy","volume":"287 1","pages":"249-260"},"PeriodicalIF":0.0,"publicationDate":"2011-02-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"77855940","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Virtual private social networks","authors":"M. Conti, A. Hasani, B. Crispo","doi":"10.1145/1943513.1943521","DOIUrl":"https://doi.org/10.1145/1943513.1943521","url":null,"abstract":"Social Networking Sites (SNSs) are having a significant impact on the social life of many people - even beyond the millions of people that use them directly. These websites usually allow users to present a profile of themselves through a long list of very detailed information. However, even when such SNSs have advanced privacy policies, users are often not aware of their settings and, on top of that, users cannot abstain from sharing a minimum set of information (e.g. name and location). Such a small set of information has been proven to be enough to completely re-identify a user [22, 25].\u0000 In this work we introduce the concept of Virtual Private Social Networks (VPSNs), a concept inspired by the one of Virtual Private Networks in traditional computer networks. We argue that VPSNs can mitigate the privacy issues of SNSs, building private social networks that leverage architecture publicly available for SNSs. Furthermore, we propose FaceVPSN, which is an implementation of VPSNs for Facebook, one of the most used SNSs. FaceVPSN is the first privacy threats mitigation solution that has a light and completely distributed architecture - no coordinator is required. Furthermore, it can be implemented without any particular collaboration from the SNS platform. Finally, experimental evaluation shows that FaceVPSN adds a limited overhead, which, we argue, is acceptable for the user.","PeriodicalId":90472,"journal":{"name":"CODASPY : proceedings of the ... ACM conference on data and application security and privacy. ACM Conference on Data and Application Security & Privacy","volume":"27 1","pages":"39-50"},"PeriodicalIF":0.0,"publicationDate":"2011-02-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"83358749","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"LeakProber: a framework for profiling sensitive data leakage paths","authors":"Junfeng Yu, Shengzhi Zhang, Peng Liu, Zhitang Li","doi":"10.1145/1943513.1943525","DOIUrl":"https://doi.org/10.1145/1943513.1943525","url":null,"abstract":"In this paper, we present the design, implementation, and evaluation of LeakProber, a framework that leverages the whole system dynamic instrumentation and the inter-procedural analysis to enable data propagation path profiling in production system. We integrate both the static analysis and runtime tracking to establish a holistic and practical approach to generating the sensitive data propagation graph (sDPG) with minimum runtime overhead. We evaluate our system on several data stealing attacks scenario for generating sDPG. The sDPG generated by our system captures multiple aspects of data accessing patterns and provides clear insights into the data leakage path. We also measure the performance of our system and find that it degrades the production system about 6% in the trace-on mode. When our prototype works in the trace-off mode, the runtime overhead is even lower, on an average of 1.5% across each benchmark we run. We believe that it is feasible to directly apply our prototype into production system environment.","PeriodicalId":90472,"journal":{"name":"CODASPY : proceedings of the ... ACM conference on data and application security and privacy. ACM Conference on Data and Application Security & Privacy","volume":"85 1","pages":"75-84"},"PeriodicalIF":0.0,"publicationDate":"2011-02-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"76673972","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"A language for provenance access control","authors":"Tyrone Cadenhead, V. Khadilkar, Murat Kantarcioglu, B. Thuraisingham","doi":"10.1145/1943513.1943532","DOIUrl":"https://doi.org/10.1145/1943513.1943532","url":null,"abstract":"Provenance is a directed acyclic graph that explains how a resource came to be in its current form. Traditional access control does not support provenance graphs. We cannot achieve all the benefits of access control if the relationships between the data and their sources are not protected. In this paper, we propose a language that complements and extends existing access control languages to support provenance. This language also provides access to data based on integrity criteria. We have also built a prototype to show that this language can be implemented effectively using Semantic Web technologies.","PeriodicalId":90472,"journal":{"name":"CODASPY : proceedings of the ... ACM conference on data and application security and privacy. ACM Conference on Data and Application Security & Privacy","volume":"81 1","pages":"133-144"},"PeriodicalIF":0.0,"publicationDate":"2011-02-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"91304814","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Relationship-based access control: protection model and policy language","authors":"Philip W. L. Fong","doi":"10.1145/1943513.1943539","DOIUrl":"https://doi.org/10.1145/1943513.1943539","url":null,"abstract":"Social Network Systems pioneer a paradigm of access control that is distinct from traditional approaches to access control. Gates coined the term Relationship-Based Access Control (ReBAC) to refer to this paradigm. ReBAC is characterized by the explicit tracking of interpersonal relationships between users, and the expression of access control policies in terms of these relationships. This work explores what it takes to widen the applicability of ReBAC to application domains other than social computing. To this end, we formulate an archetypical ReBAC model to capture the essence of the paradigm, that is, authorization decisions are based on the relationship between the resource owner and the resource accessor in a social network maintained by the protection system. A novelty of the model is that it captures the contextual nature of relationships. We devise a policy language, based on modal logic, for composing access control policies that support delegation of trust. We use a case study in the domain of Electronic Health Records to demonstrate the utility of our model and its policy language. This work provides initial evidence to the feasibility and utility of ReBAC as a general-purpose paradigm of access control.","PeriodicalId":90472,"journal":{"name":"CODASPY : proceedings of the ... ACM conference on data and application security and privacy. ACM Conference on Data and Application Security & Privacy","volume":"50 1","pages":"191-202"},"PeriodicalIF":0.0,"publicationDate":"2011-02-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"73926253","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}