Finding security bugs in web applications using a catalog of access control patterns

Near & Jackson, ICSE 2016. If you had a formal specification of the desired security attributes of your web application, and could map that to the source code, you'd be able to verify that it did indeed satisfy the specification. But let's …

Password managers: attacks and defenses

Silver et al., USENIX 2014. As a regular reader of The Morning Paper, I'm sure you're technically savvy enough to know not to use the same password across all the websites you use. To make good quality site-unique passwords practical therefore, you probably use a password manager. Maybe you remember …

SCONE: Secure Linux containers with Intel SGX

Arnautov et al., OSDI 2016. We looked at Haven earlier this year, which demonstrated how Intel’s SGX could be used to shield an application from an untrusted cloud provider. Today’s paper choice, SCONE, looks at how to employ similar ideas in the context of containers. …existing container isolation …

Twice the bits, twice the trouble: vulnerabilities induced by migrating to 64-bit platforms

Wressnegger et al., CCS 2016. 64-bit is not exactly new anymore, but many codebases which started out as 32-bit have been ported to 64-bit. In this study, Wressnegger et al. reveal how a codebase originally written for 32-bit, and which is perfectly …

Generic attacks on secure outsourced databases

Kellaris et al., CCS 2016. Here’s a really interesting paper that helps to set some boundaries around what we can expect from encrypted databases in the cloud. Independently of the details of any one system (or encryption scheme), the authors look at what data it is possible to recover …

Acing the IOC game: toward automatic discovery and analysis of open-source cyber threat intelligence

Liao et al., CCS 2016. Last week we looked at a number of newly reported attack mechanisms covering a broad spectrum of areas including OAuth, manufacturing, automotive, and mobile PIN attacks. For some balance, today's paper choice looks at something to …

Error handling of in-vehicle networks makes them vulnerable

Cho & Shin, CCS 2016. In a previous edition of The Morning Paper we looked at how many production errors can be tracked back to error / exception handling. But today's paper is something special. It studies the properties of the Controller Area Network (CAN) protocol used …

When CSI meets public wifi: Inferring your mobile phone password via wifi signals

Li et al., CCS 2016. Not that CSI. CSI in this case stands for channel state information, which represents the state of a wireless channel in a signal transmission process. WindTalker is motivated from the observation that keystrokes on mobile devices will …

Leave your phone at the door: side channels that reveal factory floor secrets

Hojjati et al., CCS '16. Here's another reminder of just how powerful modern phones are as espionage devices, packed full of sensors. The short version is that if you place a phone near a manufacturing device (CNC mill or 3D printer in …