Hijacking Bitcoin: routing attacks on cryptocurrencies

Apostolaki et al., IEEE Security and Privacy 2017. The Bitcoin network has more than 6,000 nodes, responsible for up to 300,000 daily transactions and 16 million bitcoins valued at roughly $17B. Given the amount of money at stake, Bitcoin is an obvious target for attackers. This paper introduces a …

SoK: Cryptographically protected database search

Fuller et al., IEEE Security and Privacy 2017. This is a survey paper (Systematization of Knowledge, SoK) reviewing the current state of protected database search (encrypted databases). As such, it packs a lot of information into a relatively small space. As we've seen before, there are a wide variety of cryptographic …

Cloak and dagger: from two permissions to complete control of the UI feedback loop

Fratantonio et al., IEEE Security and Privacy 2017. If you're using Android, then 'cloak and dagger' is going to make for scary reading. It's a perfect storm of an almost undetectable attack that can capture passwords, PINs, and ultimately obtain all …

IoT goes nuclear: creating a ZigBee chain reaction

Ronen et al., IEEE Security and Privacy 2017. You probably don't need another reminder about the woeful state of security in IoT, but today's paper choice may well give you further pause for thought about the implications. The opening paragraph sounds like something out of science fiction …

SGXBounds: memory safety for shielded execution

Kuvaiskii et al., EuroSys'17. We've previously looked at a number of Intel SGX-related papers in The Morning Paper, including SCONE, which today's paper builds on. SGX comes with a memory encryption engine and seeks to protect trusted applications from an untrusted operating system, providing confidentiality and integrity guarantees. SGX, …

Who controls the Internet? Analyzing global threats using property traversal graphs

Simeonovski et al., WWW'17. Who controls the Internet? How much influence do they have? And what would happen if one of those parties launched an attack or was compromised and used to launch an attack? Previous works have looked at the individual core services, …

SGXIO: Generic trusted I/O path for Intel SGX

Weiser & Werner, CODASPY '17. Intel's SGX provides hardware-secured enclaves for trusted execution of applications in an untrusted environment. Previously we've looked at Haven, which uses SGX in the context of cloud infrastructure, SCONE, which shows how to run Docker containers under SGX, and Panoply, which looks at …