NAVEX: Precise and scalable exploit generation for dynamic web applications

Alhuzali et al., USENIX Security 2018
NAVEX (https://github.com/aalhuz/navex) is a very powerful tool for finding executable exploits in dynamic web applications. It combines static and dynamic analysis (to cope with dynamically generated web content) to find vulnerable points in web applications, determine whether inputs to …

Who left open the cookie jar? A comprehensive evaluation of third-party cookie policies

Franken et al., USENIX Security 2018
This paper won a ‘Distinguished paper’ award at USENIX Security 2018, as well as the 2018 Internet Defense Prize. It’s an evaluation of the defense mechanisms built into browsers (and via extensions / add-ons) …

Fear the reaper: characterization and fast detection of card skimmers

Scaife et al., USENIX Security 2018
Until I can get my hands on a Skim Reaper I’m not sure I’ll ever trust an ATM or other exposed card reading device (e.g., at garages) again! Scaife et al. conduct a study of skimming devices found by …

Obfuscated gradients give a false sense of security: circumventing defenses to adversarial examples

Athalye et al., ICML'18
There has been a lot of back and forth in the research community on adversarial attacks and defences in machine learning. Today’s paper examines a number of recently proposed defences and shows that most of them rely on …

Oblix: an efficient oblivious search index

Mishra et al., IEEE Security & Privacy 2018
Unfortunately, many known schemes that enable search queries on encrypted data achieve efficiency at the expense of security, as they reveal access patterns to the encrypted data. In this paper we present Oblix, a search index for encrypted data that is …

EnclaveDB: a secure database using SGX

Priebe et al., IEEE Security & Privacy 2018
This is a really interesting paper (if you’re into this kind of thing I guess!) bringing together the security properties of Intel’s SGX enclaves with the Hekaton SQL Server database engine. The result is a secure database environment with impressive runtime …

Grand Pwning Unit: Accelerating microarchitectural attacks with the GPU

Frigo et al., IEEE Security & Privacy
General awareness of microarchitectural attacks has greatly increased since Meltdown and Spectre earlier this year. A lot of time and energy has been spent in defending against such attacks, with a threat model that assumes attacks originate from …

The rise of the citizen developer: assessing the security impact of online app generators

Oltrogge et al., IEEE Security & Privacy 2018
"Low code", "no code", "citizen developers", call it what you will, there’s been a big rise in platforms that seek to make it easy to develop applications for non-expert developers. Today’s paper choice …

Secure coding practices in Java: challenges and vulnerabilities

Meng et al., ICSE'18
TL;DR: don’t trust everything you read on Stack Overflow. Meng et al. conduct a study of Stack Overflow posts relating to secure coding practices in Java to find out the hot topics, what people struggle with, and whether or not the accepted …

Automated localization for unreproducible builds

Ren et al., ICSE'18
Reproducible builds are an important component of integrity in the software supply chain. Attacks against package repositories and build environments may compromise binaries and produce packages with backdoors (see this report for a recent prominent example of compromised packages on DockerHub). If the same source files …