BadNets: Identifying vulnerabilities in the machine learning model supply chain

October 13, 2017 ~ Adrian Colyer ~ 5 Comments

BadNets: Identifying vulnerabilities in the machine learning model supply chain Gu et al., ArXiv 2017 Yesterday we looked at the traditional software packages supply chain. In BadNets, Gu et al., explore the machine learning model supply chain. They demonstrate two attack vectors: (i) if model training is outsourced, then it’s possible for a hard to ... Continue Reading

CHAINIAC: Proactive software update transparency via collectively signed skipchains and verified builds

October 12, 2017 ~ Adrian Colyer ~ 1 Comment

CHAINIAC: Proactive software-update transparency via collectively signed skipchains and verified builds Nikitin et al., USENIX Security ‘17 So hopefully you’ve put in place some kind of software supply chain management process that will pick up the availability of new package versions, particularly of course those with fixes for discovered vulnerabilities, and ensure those updates are ... Continue Reading

TrustBase: an architecture to repair and strengthen certificate-based authentication

October 11, 2017 ~ Adrian Colyer ~ 1 Comment

TrustBase: an architecture to repair and strengthen certificate-based authentication O’Neill et al., USENIX Security 2017 We recently saw that the sorry state of DNSSEC makes it comparatively easy to be sent to the wrong address when looking up a hostname. If certificate-based authentication is messed up as well, then it’s double trouble as you can ... Continue Reading

Pretzel: email encryption and provider-supplied functions are compatible

October 10, 2017 ~ Adrian Colyer ~ Leave a comment

Pretzel: email encryption and provider-supplied functions are compatible Gupta et al., SIGCOMM’17 While emails today are often encrypted in transit, the vast majority of emails are exposed in plaintext to the mail servers that handle them. Given the sensitive information often contained in email correspondence, why is this? Publicly, email providers have stated that default ... Continue Reading

Detecting credential spearphishing attacks in enterprise settings

October 9, 2017 ~ Adrian Colyer ~ 2 Comments

Detecting credential spearphishing attacks in enterprise settings Ho et al., USENIX Security 2017 The Lawrence Berkeley National Laboratory (LBNL) have developed and deployed a new system for detecting credential spearphishing attacks (highly targeted attacks against individuals within the organisation). Like many anomaly detection systems there are challenges of keeping the false positive rate acceptable (not ... Continue Reading

CLKSCREW: Exposing the perils of security-oblivious energy management

September 21, 2017 ~ Adrian Colyer ~ 21 Comments

CLKSCREW: Exposing the perils of security-oblivious energy management Tang et al., USENIX Security '17 This is brilliant and terrifying in equal measure. CLKSCREW demonstrably takes the Trust out of ARM's TrustZone, and it wouldn't be at all surprising if it took the Secure out of SGX too (though the researchers didn't investigate that). It's the ... Continue Reading

A longitudinal, end-to-end view of the DNSSEC ecosystem

September 20, 2017 ~ Adrian Colyer ~ 5 Comments

A longitudinal, end-to-end view of the DNSSEC ecosystem Chung et al., USENIX Security 2017 DNS, the Domain Name System, provides a vital function on the Internet, mapping names to values. Unprotected, it's also an attractive target for hackers with attack vectors such DNS spoofing and cache poisoning. Thus about two decades ago a set of ... Continue Reading

Writing parsers like it is 2017

August 15, 2017 ~ Adrian Colyer ~ 15 Comments

Writing parsers like it is 2017 Chifflier & Couprie, SPW'17 With thanks to Glyn Normington for pointing this paper out to me. Earlier this year we looked at 'System programming in Rust: beyond safety' which made the case for switching from C to Rust as the default language of choice for system-level programming. Today's paper ... Continue Reading

ACIDRain: concurrency-related attacks on database backed web applications

August 7, 2017 ~ Adrian Colyer ~ 5 Comments

ACIDRain: Concurrency-related attacks on database-backed web applications Warszawski & Bailis, SIGMOD'17 Welcome back to a new term of The Morning Paper. To kick things off, we have 'ACID Rain' - a terrific paper from SIGMOD'17 that pulls together a number of threads we've studied previously: transaction processing, anomalies, and security. What ACIDRain demonstrates is that ... Continue Reading

An experimental security analysis of an industrial robot controller

June 28, 2017 ~ Adrian Colyer ~ 6 Comments

An experimental security analysis of an industrial robot controller Quarta et al., IEEE Security and Privacy 2017 This is an industrial robot: The International Federation of Robotics forecasts that, by 2018, approximately 1.3 million industrial robot units will be employed in factories globally, and the international market value for "robotized" systems is approximately 32 billion ... Continue Reading

the morning paper

a random walk through Computer Science research, by Adrian Colyer
Made delightfully fast by strattic

Security