Tag: Security
Papers relating to security, encryption, attacks and defenses.
A comprehensive formal security analysis of OAuth 2.0
A comprehensive formal security analysis of OAuth 2.0 Fett et al., CCS '16. Formal methods may not be appropriate in all cases, but there are some places where the rigour they introduce can be a really good idea. Security is one of those places. In today's paper from CCS '16, Fett et al. create a …
Preemptive intrusion detection: theoretical framework and real-world measurements
Preemptive intrusion detection: theoretical framework and real-world measurements Cao et al., HotSoS 2015. Phuong Cao (the first author of this paper) got in touch following my review of DeepDive to say "Thanks for the review on DeepDive. I was inspired by that paper to apply factor graphs to detecting intrusions at an early stage..." Preemptive …
Protection in programming languages
Protection in programming languages Morris Jr., CACM 1973. This is paper 5/7 on Liskov's list. Experienced programmers will attest that hostility is not a necessary precondition for catastrophic interference between programs. So what can we do to ensure that program modules are appropriately protected and isolated? We still need to allow modules to cooperate and …
Reflections on trusting trust
Reflections on Trusting Trust Ken Thompson, 1984 (Turing Award Lecture). Another Turing Award lecture to close out the week, this time from Ken Thompson, who asks: To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software. …
AI^2: Training a big data machine to defend
AI^2: Training a big data machine to defend Veeramachaneni et al., IEEE International Conference on Big Data Security, 2016. Will machines take over? The lesson of today's paper is that we're better off together. Combining AI with HI (human intelligence, I felt like we deserved an acronym of our own ;) ) yields much better …
Hacking Blind
Hacking Blind Bittau et al., IEEE Symposium on Security and Privacy, 2014. (With thanks to Chris Swan for pointing this paper out to me a few months ago…) The ingenuity of attackers continues to amaze. Today's paper presents an interesting trade-off: security or availability, pick one! (*) The work you put in to make sure …
Multi-context TLS (mcTLS): Enabling secure in-network functionality in TLS
Multi-Context TLS (mcTLS): Enabling secure in-network functionality in TLS Naylor et al., SIGCOMM 2015. We're rushing to deploy HTTPS everywhere - and about time - but this has interesting implications for middleboxes, since it's hard for them to do their job when traffic is encrypted end-to-end. Say you want to add caching, compression, an intrusion …
Shielding applications from an untrusted cloud with Haven
Shielding applications from an untrusted cloud with Haven Baumann et al., OSDI 2014. Our objective is to run existing server applications in the cloud with a level of trust and security roughly equivalent to a user operating their own hardware in a locked cage at a colocation facility. We're all familiar with the idea of …
The landscape of domain name typosquatting: techniques and countermeasures
The landscape of domain name typosquatting: techniques and countermeasures Spaulding et al., arXiv upload 9 Mar 2016. We round up our series of posts on internet deceptions by looking at domain squatting. My "favourite" advanced technique is bitsquatting, which turns out to be a great demonstration of the inevitable failures that occur with sufficient …
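The excerpt above names bitsquatting alongside the classic typo models; the script below, added here as an illustration and not taken from the paper or from the blog, enumerates candidate squatting domains for a brand name under the five typo categories the survey literature uses (missing-dot, character omission, character permutation, character replacement, character insertion) plus single-bit-flip bitsquatting. The simplified QWERTY row model used for "adjacent key" typos is an assumption of this example; a real registration-monitoring tool would use a fuller keyboard map and then resolve each candidate to see who holds it.

```python
"""Enumerate typosquatting and bitsquatting candidates for a domain (added example).

Typo models: missing-dot, omission, permutation, replacement, insertion,
plus bitsquatting (one bit flipped in one character, as a memory error
would do). The QWERTY row model is a simplification (same-row neighbours
only) assumed for this example; it is not specified by the paper.
"""
import string
from typing import Dict, Iterator, List, Tuple

LABEL_CHARS = frozenset(string.ascii_lowercase + string.digits + "-")
QWERTY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def keyboard_neighbours(ch: str) -> List[str]:
    """Left/right neighbours of ch on the simplified QWERTY rows (assumed layout)."""
    for row in QWERTY_ROWS:
        i = row.find(ch)
        if i != -1:
            return [c for c in (row[i - 1:i], row[i + 1:i + 2]) if c]
    return []


def is_valid_hostname(domain: str) -> bool:
    """Each label is non-empty, lowercase [a-z0-9-], with no leading/trailing hyphen.
    Uppercase is rejected on purpose: DNS is case-insensitive, so an uppercase
    'variant' is the same name and not a squattable candidate."""
    return all(
        label and set(label) <= LABEL_CHARS and label[0] != "-" and label[-1] != "-"
        for label in domain.split(".")
    )


def _split(domain: str) -> Tuple[str, str]:
    """'www.example.com' -> ('www.example', 'com'); typos are applied to the name part."""
    name, _, tld = domain.rpartition(".")
    return name, tld


def missing_dot(domain: str) -> Iterator[str]:
    name, tld = _split(domain)
    if not name.startswith("www."):
        yield f"www{name}.{tld}"                       # the classic 'wwwexample.com'
    for i, ch in enumerate(name):
        if ch == ".":
            yield f"{name[:i]}{name[i + 1:]}.{tld}"    # drop an internal dot


def omission(domain: str) -> Iterator[str]:
    name, tld = _split(domain)
    for i, ch in enumerate(name):
        if ch != ".":
            yield f"{name[:i]}{name[i + 1:]}.{tld}"


def permutation(domain: str) -> Iterator[str]:
    name, tld = _split(domain)
    for i in range(len(name) - 1):
        a, b = name[i], name[i + 1]
        if a != b and "." not in (a, b):
            yield f"{name[:i]}{b}{a}{name[i + 2:]}.{tld}"


def replacement(domain: str) -> Iterator[str]:
    name, tld = _split(domain)
    for i, ch in enumerate(name):
        for n in keyboard_neighbours(ch):
            yield f"{name[:i]}{n}{name[i + 1:]}.{tld}"


def insertion(domain: str) -> Iterator[str]:
    name, tld = _split(domain)
    for i, ch in enumerate(name):
        for n in keyboard_neighbours(ch):
            yield f"{name[:i]}{n}{name[i:]}.{tld}"          # neighbour typed before
            yield f"{name[:i + 1]}{n}{name[i + 1:]}.{tld}"  # neighbour typed after


def bitsquat(domain: str) -> Iterator[str]:
    """Flip each of the 8 bits of every non-dot character (TLD included)."""
    for i, ch in enumerate(domain):
        if ch == ".":
            continue
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in LABEL_CHARS:                   # keep only registrable characters
                yield f"{domain[:i]}{flipped}{domain[i + 1:]}"


MODELS = {
    "missing-dot": missing_dot,
    "omission": omission,
    "permutation": permutation,
    "replacement": replacement,
    "insertion": insertion,
    "bitsquat": bitsquat,
}


def generate(domain: str) -> Dict[str, List[str]]:
    """Valid, de-duplicated candidates per model, never including the original name."""
    domain = domain.lower().strip(".")
    return {
        model: sorted({c for c in fn(domain) if c != domain and is_valid_hostname(c)})
        for model, fn in MODELS.items()
    }


if __name__ == "__main__":
    for model, cands in generate("example.com").items():
        print(f"{model:12s} {len(cands):3d}  e.g. {', '.join(cands[:4])}")
```

Running it on `example.com` shows why bitsquatting is the "advanced" technique: candidates such as `dxample.com` or `axample.com` are not plausible typos at all, yet a single flipped bit in a DNS query or a cached hostname sends traffic there. The validity filter matters too: a flip that lands on an uppercase letter or a symbol is not a new name and must not be counted.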
Understanding malvertising through ad-injecting browser extensions
Understanding malvertising through ad-injecting browser extensions Xing et al., WWW 2015. Be careful what browser extensions you install. Some ad networks have started to offer browser extension developers an opportunity to monetise their work, and in this study Xing et al. show that of the 292 Chrome browser extensions in their survey which inject ads, …