The Honey Badger of BFT protocols

November 18, 2016November 11, 2019 ~ Adrian Colyer ~ 5 Comments

The Honey Badger of BFT Protocols Miller et al. CCS 2016 The surprising success of cryptocurrencies (blockchains) has led to a surge of interest in deploying large scale, highly robust, Byzantine fault tolerant (BFT) protocols for mission critical applications, such as financial transactions. In a ‘traditional’ distributed system consensus algorithm setting we assume a relatively ... Continue Reading

Twice the bits, twice the trouble: vulnerabilities induced by migrating to 64-bit platforms

November 17, 2016November 11, 2019 ~ Adrian Colyer ~ 2 Comments

Twice the bits, twice the trouble: vulnerabilities induced by migrating to 64-bit platforms Wressnegger et al. CCS 2016 64-bit is not exactly new anymore, but many codebases which started out as 32-bit have been ported to 64-bit. In this study, Wressnegger et al. reveal how a codebase originally written for 32-bit, and which is perfectly ... Continue Reading

Generic attacks on secure outsourced databases

November 16, 2016November 11, 2019 ~ Adrian Colyer ~ 2 Comments

Generic Attacks on Secure Outsourced Databases Kellaris et al. CCS 2016 Here’s a really interesting paper that helps to set some boundaries around what we can expect from encrypted databases in the cloud. Independently of the details of any one system (or encryption scheme), the authors look at what data it is possible to recover ... Continue Reading

Breaking web applications built on top of encrypted data

November 15, 2016November 11, 2019 ~ Adrian Colyer ~ 4 Comments

Breaking web applications built on top of encrypted data Grubbs et al. CCS 2016 Data security and privacy is one of the big issues of our time, and uploading data to cloud services tends to put that issue into sharp focus. Do I trust this SaaS service with my data? What happens if there's a ... Continue Reading

Acing the IOC game: toward automatic discovery and analysis of open-source cyber threat intelligence

November 14, 2016November 11, 2019 ~ Adrian Colyer ~ Leave a comment

Acing the IOC game: toward automatic discovery and analysis of open-source cyber threat intelligence Liao et al. CCS 2016 Last week we looked at a number of newly reported attack mechanisms covering a broad spectrum of areas including OAuth, manufacturing, automotive, and mobile PIN attacks. For some balance, today's paper choice looks at something to ... Continue Reading

Error handling of in-vehicle networks makes them vulnerable

November 11, 2016November 11, 2019 ~ Adrian Colyer ~ 3 Comments

Error handling of in-vehicle networks makes them vulnerable Cho & Shin, CCS 2016 In a previous edition of The Morning Paper we looked at how many production errors can be tracked back to error / exception handling. But today's paper is something special. It studies the properties of the Control Area Network (CAN) protocol used ... Continue Reading

When CSI meets public wifi: Inferring your mobile phone password via wifi signals

November 10, 2016November 11, 2019 ~ Adrian Colyer ~ 26 Comments

When CSI meets public wifi: Inferring your mobile phone password via wifi signals Li et al., CCS 2016 Not that CSI. CSI in this case stands for channel state information, which represents the state of a wireless channel in a signal transmission process. WindTalker is motivated from the observation that keystrokes on mobile devices will ... Continue Reading

Leave your phone at the door: side channels that reveal factory floor secrets

November 9, 2016November 11, 2019 ~ Adrian Colyer ~ 3 Comments

Leave your phone at the door: side channels that reveal factory floor secrets Hojjati et al. CCS '16 Here's another reminder of just how powerful modern phones are as espionage devices, packed full of sensors. The short version is that if you place a phone near a manufacturing device (CNC mill or 3D printer in ... Continue Reading

On formalism in specifications

November 8, 2016November 11, 2019 ~ Adrian Colyer ~ 4 Comments

On formalism in specifications Bertrand Meyer, IEEE Software 1985 Following yesterday’s paper that used formal specification methods to resolve ambiguities and uncover potential vulnerabilities in OAuth 2.0, today’s choice is a 1980’s classic from Bertrand Meyer on the merits of formal specification and what it adds beyond natural language descriptions. With thanks once more to ... Continue Reading

A comprehensive formal security analysis of OAuth 2.0

November 7, 2016November 11, 2019 ~ Adrian Colyer ~ 2 Comments

A comprehensive formal security analysis of OAuth 2.0 Fett et al. CCS '16 Formal methods may not be appropriate in all cases, but there are some places where the rigour they introduce can be a really good idea. Security is one of those places. In today's paper from CCS '16 Fett et al. create a ... Continue Reading

the morning paper

a random walk through Computer Science research, by Adrian Colyer
Made delightfully fast by strattic

Uncategorized