NAVEX: Precise and scalable exploit generation for dynamic web applications

September 10, 2018 ~ Adrian Colyer ~ 10 Comments

NAVEX: Precise and scalable exploit generation for dynamic web applications Alhuzali et al., USENIX Security 2018 NAVEX (https://github.com/aalhuz/navex) is a very powerful tool for finding executable exploits in dynamic web applications. It combines static and dynamic analysis (to cope with dynamically generated web content) to find vulnerable points in web applications, determine whether inputs to ... Continue Reading

Who left open the cookie jar? A comprehensive evaluation of third-party cookie policies

September 5, 2018 ~ Adrian Colyer ~ 8 Comments

Who left open the cookie jar? A comprehensive evaluation of third-party cookie policies from the Franken et al., USENIX Security 2018 This paper won a ‘Distinguished paper’ award at USENIX Security 2018, as well as the 2018 Internet Defense Prize. It’s an evaluation of the defense mechanisms built into browsers (and via extensions / add-ons) ... Continue Reading

Fear the reaper: characterization and fast detection of card skimmers

September 3, 2018 ~ Adrian Colyer ~ 16 Comments

Fear the reaper: characterization and fast detection of card skimmers Scaife et al., USENIX Security 2018 Until I can get my hands on a Skim Reaper I’m not sure I’ll ever trust an ATM or other exposed card reading device (e.g., at garages) again! Scaife et al. conduct a study of skimming devices found by ... Continue Reading

Obfuscated gradients give a false sense of security: circumventing defenses to adversarial examples

August 15, 2018 ~ Adrian Colyer ~ Leave a comment

Obfuscated gradients give a false sense of security: circumventing defenses to adversarial examples Athalye et al., ICML'18 There has been a lot of back and forth in the research community on adversarial attacks and defences in machine learning. Today’s paper examines a number of recently proposed defences and shows that most of them rely on ... Continue Reading

Oblix: an efficient oblivious search index

July 6, 2018 ~ Adrian Colyer ~ 9 Comments

Oblix: an efficient oblivious search index Mishra et al., IEEE Security & Privacy 2018 Unfortunately, many known schemes that enable search queries on encrypted data achieve efficiency at the expense of security, as they reveal access patterns to the encrypted data. In this paper we present Oblix, a search index for encrypted data that is ... Continue Reading

EnclaveDB: a secure database using SGX

July 5, 2018 ~ Adrian Colyer ~ 8 Comments

EnclaveDB: A secure database using SGX Priebe et al., IEEE Security & Privacy 2018 This is a really interesting paper (if you’re into this kind of thing I guess!) bringing together the security properties of Intel’s SGX enclaves with the Hekaton SQL Server database engine. The result is a secure database environment with impressive runtime ... Continue Reading

Grand Pwning Unit: Accelerating microarchitectural attacks with the GPU

July 4, 2018 ~ Adrian Colyer ~ 7 Comments

Grand Pwning Unit: Accelerating microarchitectural attacks with the GPU Frigo et al., IEEE Security & Privacy The general awareness of microarchitectural attacks is greatly increased since meltdown and spectre earlier this year. A lot of time and energy has been spent in defending against such attacks, with a threat model that assumes attacks originate from ... Continue Reading

The rise of the citizen developer: assessing the security impact of online app generators

July 2, 2018 ~ Adrian Colyer ~ 6 Comments

The rise of the citizen developer: assessing the security impact of online app generators Oltrogge et al., IEEE Security & Privacy 2018 "Low code", "no code", "citizen developers", call it what you will, there’s been a big rise in platforms that seek to make it easy to develop applications for non-export developers. Today’s paper choice ... Continue Reading

Secure coding practices in Java: challenges and vulnerabilities

June 27, 2018 ~ Adrian Colyer ~ 9 Comments

Secure coding practices in Java: challenges and vulnerabilities Meng et al., ICSE'18 TL;DR : don’t trust everything you read on Stack Overflow. Meng et al. conduct a study of Stack Overflow posts relating to secure coding practices in Java to find out the hot topics, what people struggle with, and whether or not the accepted ... Continue Reading

Automated localization for unreproducible builds

June 22, 2018 ~ Adrian Colyer ~ 1 Comment

Automated localization for unreproducible builds Ren et al., ICSE'18 Reproducible builds are an important component of integrity in the software supply chain. Attacks against package repositories and build environments may compromise binaries and produce packages with backdoors (see this report for a recent prominent example of compromised packages on DockerHub). If the same source files ... Continue Reading

the morning paper

a random walk through Computer Science research, by Adrian Colyer
Made delightfully fast by strattic

Security