The crux of voice (in)security: a brain study of speaker legitimacy detection

The crux of voice (in)security: a brain study of speaker legitimacy detection Neupane et al., NDSS'19 The key results of this paper are easy to understand, but the implications are going to take us a long time to unravel. Speech morphing (voice morphing) is the process of translating a speaker’s voice to sound like a … Continue reading The crux of voice (in)security: a brain study of speaker legitimacy detection

Securify: practical security analysis of smart contracts

Securify: practical security analysis of smart contracts Tsankov et al., CCS'18 Sometimes the perfect is the enemy of the good. When we’re talking about securing smart contracts, we need all the help we can get! Bugs can cost millions of dollars. Securify uses a set of expert heuristics (patterns) to help identify issues in smart … Continue reading Securify: practical security analysis of smart contracts

Towards usable checksums: automating the integrity verification of web downloads for the masses

Towards usable checksums: automating the integrity verification of web downloads for the masses Cherubini et al., CCS'18 If you tackled Monday’s paper on BEAT you deserve something a little easier to digest today, and ‘Towards usable checksums’ fits the bill nicely! There’s some great data-driven product management going on here as the authors set out … Continue reading Towards usable checksums: automating the integrity verification of web downloads for the masses

QSYM: a practical concolic execution engine tailored for hybrid fuzzing

QSYM: a practical concolic execution engine tailored for hybrid fuzzing Yun et al., USENIX Security 2018 There are two main approaches to automated test case generated for uncovering bugs and vulnerabilities: fuzzing and concolic execution. Fuzzing is good at quickly exploring the input space, but can get stuck when trying to get past more complex … Continue reading QSYM: a practical concolic execution engine tailored for hybrid fuzzing

NAVEX: Precise and scalable exploit generation for dynamic web applications

NAVEX: Precise and scalable exploit generation for dynamic web applications Alhuzali et al., USENIX Security 2018 NAVEX (https://github.com/aalhuz/navex) is a very powerful tool for finding executable exploits in dynamic web applications. It combines static and dynamic analysis (to cope with dynamically generated web content) to find vulnerable points in web applications, determine whether inputs to … Continue reading NAVEX: Precise and scalable exploit generation for dynamic web applications

Who left open the cookie jar? A comprehensive evaluation of third-party cookie policies

Who left open the cookie jar? A comprehensive evaluation of third-party cookie policies from the Franken et al., USENIX Security 2018 This paper won a ‘Distinguished paper’ award at USENIX Security 2018, as well as the 2018 Internet Defense Prize. It’s an evaluation of the defense mechanisms built into browsers (and via extensions / add-ons) … Continue reading Who left open the cookie jar? A comprehensive evaluation of third-party cookie policies

Fear the reaper: characterization and fast detection of card skimmers

Fear the reaper: characterization and fast detection of card skimmers Scaife et al., USENIX Security 2018 Until I can get my hands on a Skim Reaper I’m not sure I’ll ever trust an ATM or other exposed card reading device (e.g., at garages) again! Scaife et al. conduct a study of skimming devices found by … Continue reading Fear the reaper: characterization and fast detection of card skimmers