Detecting ROP with statistical learning of program characteristics

Detecting ROP with statistical learning of program characteristics Elsabagh et al., CODASPY '17 Return-oriented programming (ROP) attacks work by finding short instruction sequences in a process' executable memory (called gadgets) and chaining them together to achieve some goal of the attacker. For a quick introduction to ROP, see "The geometry of innocent flesh on the …

The curious case of the PDF converter that likes Mozart

The curious case of the PDF converter that likes Mozart: dissecting and mitigating the privacy risk of personal cloud apps Harkous et al., PoPET '16 This is the paper that preceded "If you can't beat them, join them" we looked at yesterday, and well worth interrupting our coverage of CODASPY '17 for. Harkous et al., …

A study of security vulnerabilities on Docker Hub

A study of security vulnerabilities on Docker Hub Shu et al., CODASPY '17 This is the first of five papers we'll be looking at this week from the ACM Conference on Data and Application Security and Privacy which took place earlier this month. Today's choice is a study looking at image vulnerabilities for container images …

Panoply: Low-TCB Linux applications with SGX enclaves

Panoply: Low-TCB Linux applications with SGX enclaves Shinde et al., NDSS, 2017 Intel's Software Guard Extensions (SGX) supports a kind of reverse sandbox. With the normal sandbox model you're probably used to, we download untrusted code and run it in a trusted environment that we control. SGX supports running trusted code that you wrote, but …

MaMaDroid: Detecting Android malware by building Markov chains of behavioral models

MaMaDroid: Detecting Android malware by building Markov chains of behavioral models, Mariconti et al., NDSS 2017 Pick any security conference of your choosing, and you're sure to find plenty of papers examining the security of Android. It can paint a pretty bleak picture, but at the same time the Android ecosystem also seems to have …

Thou shalt not depend on me: analysing the use of outdated JavaScript libraries on the web

Thou shalt not depend on me: analysing the use of outdated JavaScript libraries on the web Lauinger et al., NDSS 2017 Just based on the paper title alone, if you had to guess what the situation is with outdated JavaScript libraries on the web, you'd probably guess it was pretty bad. It turns out it's …

A first look at the usability of Bitcoin key management

A first look at the usability of Bitcoin key management Eskandari et al., USEC 2015 This is the third of five papers from the ACM Queue Research for Practice selections on 'Cryptocurrencies, Blockchains, and Smart Contracts.' And thankfully it's much easier to read and understand than yesterday's! The authors point out that a cryptocurrency intended …

Does the online card payment landscape unwittingly facilitate fraud?

Does the online card payment landscape unwittingly facilitate fraud? Ali et al., IEEE Security & Privacy 2017 The headlines from this report caused a stir on the internet when the story broke in December of last year: there's an easy way to obtain all of the details from your Visa card needed to make online …