SGXIO: Generic trusted I/O path for Intel SGX

April 7, 2017November 11, 2019 ~ Adrian Colyer ~ 2 Comments

SGXIO: Generic trusted I/O path for Intel SGX Weiser & Werner, CODASPY '17 Intel's SGX provides hardware-secured enclaves for trusted execution of applications in an untrusted environment. Previously we've looked at Haven, which uses SGX in the context of cloud infrastructure, SCONE which shows how to run docker containers under SGX, and Panoply which looks at ... Continue Reading

Detecting ROP with statistical learning of program characteristics

April 6, 2017November 11, 2019 ~ Adrian Colyer ~ 5 Comments

Detecting ROP with statistical learning of program characteristics Elsabagh et al., CODASPY '17 Return-oriented programming (ROP) attacks work by finding short instruction sequences in a process' executable memory (called gadgets) and chaining them together to achieve some goal of the attacker. For a quick introduction to ROP, see "The geometry of innocent flesh on the ... Continue Reading

A study of security vulnerabilities on Docker Hub

April 3, 2017November 11, 2019 ~ Adrian Colyer ~ 10 Comments

A study of security vulnerabilities on Docker Hub Shu et al., CODASPY '17 This is the first of five papers we'll be looking at this week from the ACM Conference on Data and Application Security and Privacy which took place earlier this month. Today's choice is a study looking at image vulnerabilities for container images ... Continue Reading

Deconstructing Xen

March 16, 2017November 11, 2019 ~ Adrian Colyer ~ 8 Comments

Deconstructing Xen Shi et al., NDSS 2017 Unfortunately, one of the most widely-used hypervisors, Xen, is highly susceptible to attack because it employs a monolithic design (a single point of failure) and comprises a complex set of growing functionality including VM management, scheduling, instruction emulation, IPC (event channels), and memory management. As of v4.0, Xen ... Continue Reading

Panoply: Low-TCB Linux applications with SGX enclaves

March 14, 2017November 11, 2019 ~ Adrian Colyer ~ 3 Comments

Panoply: Low-TCB Linux applications with SGX enclaves Shinde et al., NDSS, 2017 Intel's Software Guard Extensions (SGX) supports a kind of reverse sandbox. With the normal sandbox model you're probably used to, we download untrusted code and run it in a trusted environment that we control. SGX supports running trusted code that you wrote, but ... Continue Reading

When DNNs go wrong – adversarial examples and what we can learn from them

February 28, 2017November 11, 2019 ~ Adrian Colyer ~ 13 Comments

Yesterday we looked at a series of papers on DNN understanding, generalisation, and transfer learning. One additional way of understanding what's going on inside a network is to understand what can break it. Adversarial examples are deliberately constructed inputs which cause a network to produce the wrong outputs (e.g., misclassify an input image). We'll start ... Continue Reading

Does the online card payment landscape unwittingly facilitate fraud?

February 8, 2017November 11, 2019 ~ Adrian Colyer ~ 4 Comments

Does the online card payment landscape unwittingly facilitate fraud? Ali et al., IEEE Security & Privacy 2017 The headlines from this report caused a stir on the internet when the story broke in December of last year: there's an easy way to obtain all of the details from your Visa card needed to make online ... Continue Reading

Finding security bugs in web applications using a catalog of access control patterns

February 7, 2017November 11, 2019 ~ Adrian Colyer ~ Leave a comment

Finding security bugs in web applications using a catalog of access control patterns Near & Jackson, ICSE 2016 If you had a formal specification of the desired security attributes of your web application, and could map that to the source code, you'd be able to verify that it did indeed satisfy the specification. But let's ... Continue Reading

Password managers: attacks and defenses

February 6, 2017November 11, 2019 ~ Adrian Colyer ~ 17 Comments

Password managers: Attacks and defenses Silver et al. USENIX 2014 As a regular reader of The Morning Paper, I'm sure you're technically savvy enough to know not to use the same password across all the websites you use. To make good quality site-unique passwords practical therefore, you probably use a password manager. Maybe you remember ... Continue Reading

Click Trajectories: End-to-end analysis of the spam value chain

May 16, 2016 ~ Adrian Colyer ~ 4 Comments

Click Trajectories: End-to-end analysis of the spam value chain - Levchenko et al. IEEE Symposium on Security and Privacy, 2011 This week we're going to be looking at some of the less desirable corners of the internet: spam, malvertisements, click-jacking, typosquatting, and friends. To kick things off, today's paper gives an insight into the end-to-end ... Continue Reading

the morning paper

a random walk through Computer Science research, by Adrian Colyer
Made delightfully fast by strattic

Security