Information Security Practice and Experience

Plaintext-Checkable Encryption (PCE) was first proposed by Canard et al. to check whether a ciphertext encrypts a given plaintext under the public key. This primitive is very useful in many applications, e.g., search on encrypted database and group signature with verifier-local revocation (GS-VLR). In the literature, existing PCE schemes only satisfies unlink notion that defines the adversary to get information about whether two challenge ciphertexts share the same plaintext or not, without given the challenge plaintexts. Using the tool of pairing-friendly smooth projective hash function (PF-SPHF), we propose the first PCE construction with the most desirable unlink-cca notion, which is stronger than unlink by additionally providing a decryption oracle. We prove it in the standard model based on the hard subset membership problem. Finally, by instantiating SPHF from DDH assumption, we obtain a PCE instantiation from SXDH assumption and show that it achieves not only the desired security but also efficient test computation complexity. Hence it will be very useful in practical applications.

Homomorphic Encryption (HE) is considered to be one of the most promising solutions to maintain secure data outsourcing because the user’s query is processed under encrypted state. Accordingly, many of existing literature related to HE utilizes additive and multiplicative property of HE to facilitate logistic regression which requires high precision for prediction. In consequence, they inevitably transform or approximate nonlinear function of the logistic regression to adjust to their scheme using simple polynomial approximation algorithms such as Taylor expansion. However, such an approximation can be used only in limited applications because they cause unwanted error in results if the function is highly nonlinear. In response, we propose a different approximation approach to constructing the highly accurate logistic regression for HE using binary approximation. Our novel approach originates from bitwise operations on encrypted bits to designing (1) real number representation, (2) division and (3) exponential function. The result of our experiment shows that our approach can be more generally applied and accuracy-guaranteed than the current literature.

Three-party key exchange, where two clients aim to agree a session key with the help of a trusted server, is prevalent in present-day systems. In this paper, we present a practical and secure three-party password-based authenticated key exchange protocol over ideal lattices. Aside from hash functions our protocol does not rely on external primitives in the construction and the security of our protocol is directly relied on the Ring Learning with Errors (RLWE) assumption. Our protocol attains provable security. A proof-of-concept implementation shows our protocol is indeed practical.

Kernel vulnerability attacks may allow attackers to execute arbitrary program code and achieve privilege escalation through credential overwriting, thereby avoiding security features. Major Linux protection methods include Kernel Address Space Layout Randomization, Control Flow Integrity, and Kernel Page Table Isolation. All of these mitigate kernel vulnerability affects and actual attacks. In addition, the No eXecute bit, Supervisor Mode Access Prevention, and Supervisor Mode Execution Prevention are CPU features for managing access permission and data execution in virtual memory. Although combinations of these methods can reduce the attack availability of kernel vulnerability based on the interaction between the user and kernel modes, kernel virtual memory corruption is still possible (e.g., the eBPF vulnerability executes the attack code only in the kernel mode).

To monitor kernel virtual memory, we present the Kernel Memory Observer (KMO), which has a secret inspection mechanism and offers an alternative design for virtual memory. It allows the detection of illegal data manipulation/writing in the kernel virtual memory. KMO identifies the kernel virtual memory corruption, monitors system call arguments, and enables unmapping from the direct mapping area. An evaluation of our method indicates that it can detect the actual kernel vulnerabilities leading to kernel virtual memory corruption. In addition, the results show that the overhead is 0.038 \(\upmu \)s to 2.505 \(\upmu \)s in terms of system call latency, and the application benchmark is 371.0 \(\upmu \)s to 1,990.0 \(\upmu \)s for 100,000 HTTP accesses.

According to Freedom on the Net 2017 report [15] more than 60% of World’s Internet users are not completely free from censorship. Solutions like Tor allow users to gain more freedom, bypassing these restrictions. For this reason they are continuously under deep observation to detect vulnerabilities that would compromise users anonymity. The aim of this work is showing that Tor is vulnerable to app deanonymization attacks on Android devices through network traffic analysis. While attacks against Tor anonymity have already gained considerable attention in the context of website fingerprinting in desktop environments, to the best of our knowledge this is the first work that addresses a similar problem on Android devices. For this purpose, we describe a general methodology for performing an attack that allows to deanonymize the apps running on a target smartphone using Tor. Then, we discuss a Proof-of-Concept, implementing the methodology, that shows how the attack can be performed in practice and allows to assess the deanonymization accuracy that it is possible to achieve. Moreover, we made the software of the Proof-of-Concept available, as well as the datasets used to evaluate it. In our extensive experimental evaluation, we achieved an accuracy of \(97\%\).

New computing paradigms, modern feature-rich programming languages and off-the-shelf software libraries enabled the development of new sophisticated malware families. Evidence of this phenomena is the recent growth of fileless malware attacks. Fileless malware or memory resident malware is an example of an Advanced Volatile Threat (AVT). In a fileless malware attack, the malware writes itself directly onto the main memory (RAM) of the compromised device without leaving any trace on the compromised device’s file system. For this reason, fileless malware presents a difficult challenge for traditional malware detection tools and in particular signature-based detection. Moreover, fileless malware forensics and reverse engineering are nearly impossible using traditional methods. The majority of fileless malware attacks in the wild take advantage of MS PowerShell, however, fileless malware are not limited to MS PowerShell. In this paper, we designed and implemented a fileless malware by taking advantage of new features in Javascript and HTML5. The proposed fileless malware could infect any device that supports Javascript and HTML5. It serves as a proof-of-concept (PoC) to demonstrate the threats of fileless malware in web applications. We used the proposed fileless malware to evaluate existing methods and techniques for malware detection in web applications. We tested the proposed fileless malware with several free and commercial malware detection tools that apply both static and dynamic analysis. The proposed fileless malware bypassed all the anti-malware detection tools included in our study. In our analysis, we discussed the limitations of existing approaches/tools and suggested possible detection and mitigation techniques.

We propose a new technique to construct physical Zero-Knowledge Proof (ZKP) protocols for games that require a single loop draw feature. This feature appears in Slitherlink, a puzzle by Nikoli. Our approach is based on the observation that a loop has only one hole and this property remains stable by some simple transformations. Using this trick, we can transform a simple big loop, visible to anyone, into the solution loop by using transformations that do not disclose any information about the solution. As a proof of concept, we apply this technique to construct the first physical ZKP protocol for Slitherlink.

The stochastic multi-armed bandit is a classical decision making model, where an agent repeatedly chooses an action (pull a bandit arm) and the environment responds with a stochastic outcome (reward) coming from an unknown distribution associated with the chosen action. A popular objective for the agent is that of identifying the arm with the maximum expected reward, also known as the best-arm identification problem. We address the inherent privacy concerns that occur in a best-arm identification problem when outsourcing the data and computations to a honest-but-curious cloud.

Our main contribution is a distributed protocol that computes the best arm while guaranteeing that (i) no cloud node can learn at the same time information about the rewards and about the arms ranking, and (ii) by analyzing the messages communicated between the different cloud nodes, no information can be learned about the rewards or about the ranking. In other words, the two properties ensure that the protocol has no security single point of failure. We rely on the partially homomorphic property of the well-known Paillier’s cryptosystem as a building block in our protocol. We prove the correctness of our protocol and we present proof-of-concept experiments suggesting its practical feasibility.

Any website can record its users’ mouse interactions within that site, an emerging practice used to learn about users’ regions of interests usually for personalization purposes. However, the dark side of such recording is that it is oblivious to the users as no permissions are solicited from the users prior to recording (unlike other resources like webcam or microphone). Since mouse dynamics may be correlated with users’ behavioral patterns, any website with nefarious intentions (“cat”) could thus try to surreptitiously infer such patterns, thereby compromising users’ privacy and making them prone to targeted attacks. In this paper, we show how users’ personal information, specifically their demographic characteristics, could leak in the face of such mouse movement eavesdropping. As a concrete case study along this line, we present CATCHA, a mouse analytic attack system that gleans potentially sensitive demographic attributes—age group, gender, and educational background—based on mouse interactions with a game CAPTCHA system (a simple drag-and-drop animated object game to tell humans and machines apart).

CATCHA ’s algorithmic design follows the machine learning approach that predicts unknown demographic attributes based on a total of 64 mouse dynamics features extracted from within the CAPTCHA game, capturing users’ innate cognitive abilities and behavioral patterns. Based on a comprehensive data set of mouse movements with respect to a simple game CAPTCHA collected in an online environment, we show that CATCHA can identify the users’ demographics attributes with a high probability (almost all attributes with more than 85%), significantly better than random guessing (50%) and in a very short span of interaction time (about 14 s). We also provide a thorough statistical analysis and interpretation of differentiating features across the demographics attributes that make users susceptible to the CATCHA attack. Finally, we discuss potential extensions to our attack using other user interaction paradigms (e.g., other types of CAPTCHAs or typical web browsing interactions, and under longitudinal settings), and provide potential mitigation strategies to curb the impact of mouse movement eavesdropping.

The concept of “secure by design” is based on preventive software security and aims at avoiding vulnerabilities as soon as possible. However, finding vulnerabilities manually is a time-consuming and error-prone process. Thus, the use of code scanner tools becomes a good practice for developers. Unfortunately, existing code scanner tools produce too many false positives, which complicates the cycle development task.

In this paper, we present an approach to construct a code vulnerability scanner upon existing scanner tools. The aim of such a scanner, called code vulnerability meta-scanner (CVMS), is to be more efficient and reduce the number of false positives. Our experimental results show that none of the scanners strictly subsumes another, and none of them is better than all the others for all the vulnerabilities. So, we propose a method that combines their results with respect to their performances. We experimented our approach using three existing scanner tools (Fortify, Yag Suite and SpotBug). Then, we used the resulted CVMS to annotate a well-known Java application corpus, namely Qualitas Corpus. These experiment results demonstrated that the CVMS performs better than the scanners on which it is constructed.

If This Then That (IFTTT) is a free and widely used web-based platform where it is possible to create applet chains (Applets) of simple conditional statements that combine different web and smart services. In this paper we propose a methodology to express Usage Control (UCON) obligations in such a way that they can contain valid data in order to trigger such applet chains. The obligations that follow the response of access requests coming from UCON, become a trigger to the IFTTT platform and this enables a more abstract and non application specific mixture of them without each one losing their abstract structure. We will present the architecture and workflow of our approach, also together with a couple of use cases and the evaluation of an implementation of UCON together with a real IFTTT Applet.

The Physically Unclonable Function (PUF), which extracts a unique device identification based on variations in manufacturing processes, has recently attracted attention. IoT devices, including sensor monitors and wearables, have come into widespread use, and various kinds of devices have access to a range of services. Device authentication and management of key to encryption communication data are essential for a secure service. We can realize secure authentication based on device identification extracted by a PUF. For example, PUF is used as a key generator to avoid storing the encryption key in a device. However, existing PUFs require dedicated hardware or software (driver) to extract device identification. Thus, it may not be possible to apply existing PUFs to IoT devices in a situation where there are a variety of devices and many device manufacturers. We can use characteristic values of existing sensors in an IoT device as an alternative to PUF. In this paper, we expand an existing software PUF based to support characteristic values extract from a gyroscope, and evaluate the entropy and robustness. We found that the same device identifier can be reliably extracted from a gyroscope even under conditions of high and low temperature, and low-pressure. No changes in the characteristic values of the gyroscope due to degradation with age were found over a wearing period exceeding than three years. The device identifier has up to 81.2 bits entropy with no error-correcting mechanism. It has up to 57.7 bits entropy when error-correction of one bit is applied to each characteristic value by a Fuzzy extractor.

In 2016, US NIST released the KMAC message authentication code, which is actually a keyed variant of the new-generation hash function standard SHA-3. Following the increasing use of SHA-3, it is highly anticipated that KMAC will also be increasingly widely used in various security applications. Due to the distinctions between sponge hash functions and Merkle-Damgård hash functions, white-box implementations of KMAC and HMAC are rather different. In this paper, we present an efficient white-box implementation of KMAC with strong resistance against both key extraction and code lifting attacks, which can still work with an updated user key. It has a storage complexity of about 107.7 MB, and has a running time of about 1.5 ms on a DELL Precision T5610 workstation, about 375 times slower than the original KMAC implementation without white-box protection. There are implementation variants with different trade-offs between security and performance. This is the first published white-box implementation of KMAC to the best of our knowledge, and our implementation methods can be applied to similar sponge constructions.

In 2003, Katz and Wang proposed the claw-free trapdoor full domain hash (CFT-FDH) which achieves a tight security for FDH signature schemes using the bit selector technique. However, it is noted that the CFT-FDH is not backward compatible with its original FDH counterpart, since the selected bit is hashed with the message, modifying the structure of the original signature. In this paper, we take a step further to propose a general framework that is able to achieve backward compatibility while maintaining the tight reduction of FDH signatures using the properties of trapdoor samplable relations and also Katz-Wang’s bit selector technique.

In AsiaCrypt 2017, Galbraith-Petit-Silva proposed a digital signature scheme based on the problem of computing the endomorphism ring of a supersingular elliptic curve. This problem is more standard than that of the De Feo-Jao-Plût SIDH scheme, since it lacks the auxiliary points which lead to the adaptive active attack of Galbraith-Petit-Shani-Ti. The GPS signature scheme applies the Fiat-Shamir or Unruh transformation to the raw identification protocol obtained from the endomorphism ring problem, and makes use of the Kohel-Lauter-Petit-Tignol quaternion isogeny path algorithm to find a new ideal. However, the GPS signature scheme is not very practical. In this paper, we take a first step towards quantifying the efficiency of the GPS signature scheme. We propose some improvements in the underlying algorithms for the GPS scheme, along with a new method which trades off key size for signature size to decrease the signature size from around 11 kB to 1 kB at the 128-bit security level by using multi-bit challenges. We also provide a concrete implementation of the GPS signature scheme using Sage and CoCalc.

We propose the identity-based signature (IBS) scheme resilient to ephemerals leakage and setup. The scheme is applicable to scenarios, where signers can not trust thoroughly the signing devices, and doubts about the fairness of randomness the hardware and the operating system generate are justified. Our construction is based on the lightweight IBS by Galindo and Garcia. We present a formal security model for IBS in which all values coming from randomness source in signing procedure are leaked or set by adversary. We argue that the original scheme is vulnerable to universal forgery in our security model. We give details on our modified construction and provide a formal security proof in Random Oracle Model, claiming that even such a strong adversary cannot forge a signature in our scheme.

Creating a distributed reputation system compliant with the GDPR Regulation faces a number of problems. Each record should be protected regarding its integrity and origin, while the record’s author should remain anonymous, as long as there is no justified legal reason to reveal his real identity. Thereby, the standard digital signatures cannot be applied to secure the records.

In this paper we propose a Privacy Aware Distributed Reputation Evaluation system, where each subject of evaluation holds its recommendation record. By application of a novel technique of domain signatures we are able to guarantee that (a) integrity of each entry is strongly protected; in particular, the evaluation subject cannot modify it, (b) the author of each entry is anonymous, however all entries of the same author on the same subject appear under the same pseudonym (so the Sybil attacks are repelled), (c) the entries corresponding to the same author but for different evaluation subjects are unlinkable, (d) only registered users can create valid entries, (e) the real identity of the author of an entry can be revealed by relevant authorities by running a multi-party protocol, (f) for each entry one can create a pseudorandom key in a deterministic way.

The first five features correspond directly to the requirements of the GDPR Regulation. In particular, they guard against profiling the users based on the entries created by them.

In order to facilitate practical applications we propose to maintain a pseudorandom sample of all entries concerning a given evaluation subject. We show how to guarantee that the sample is fairly chosen despite the fact that the sample is kept by the evaluation subject. We present a few strategies enabling to mimic some important probability distributions for choosing the sample.

The 5.7 million small to medium enterprises (SMEs) in the U.K. play a vital role in the national economy, contributing 51% of the private sector. However, the cyber threats for SMEs are increasing with four in ten of businesses experiencing a cyber attack in the last twelve months. One significant treatment of this growing concern is in the implementation of long-established information security standards and best-practices. Yet, most SMEs are not undergoing the certification process, even though the current threats are now widely published by the government. In this paper, we look at the disconnect of cyber threats faced by SMEs considering their current security postures and perceptions. We also identify the influencing factors needed to improve security behaviours and engagements with information security best-practices. We then propose a new foundational composite cybersecurity rating scheme, which is aimed at SMEs in the U.K., but it also has the potential to be scaled internationally. The focus of our scheme is to ascertain and measure the security behaviours, perceptions and risk propensity of each SME, as well as their technical systems. To that end, we define our \(5\times 5\) matrices based scheme by combining the measurements ascertained from the behavioural as well as technical audits. The preliminary evaluation results demonstrate that this approach provides a higher level of insight, engagement and accuracy as to an SME’s individual security posture.

In recent years, social networks have gained special attention to share information and to maintain a relationship with other people. As the data produced from such platforms are being analyzed, the privacy preservation methods must be applied before making the data publicly available. The anonymization techniques consider one-time releases and do not re-publish the dynamic social network data. The relationship between individuals changes with time so it may breach user privacy in dynamic social networks. In this paper, we propose an anonymization approach to preserve the user identity from all the published time-series dataset of a social network.

Multiple instances of the social network may allow the adversary to identify the user by joining the information together. The existing anonymization methods for a single instance of a social network are not enough to preserve user privacy across multiple instances. Moreover, it requires all instances together for the social graph anonymization process. We proposed a method that anonymizes the current instance of the social graph and publishes it as soon as the instance is available. The proposed anonymization technique modifies the current social graph irrespective of further instances. The average relative error calculates the deviation in query results for different privacy levels. The experimental results highlight that the proposed approach generates fewer dummy nodes.

We present a novel computational technique to check whether a matrix-vector product is correct with a relatively high probability. While the idea could be related to verifiable delegated computations, most of the literature in this line of work focuses on provably secure functional aspects and do not provide clear computational techniques to verify whether a product \(xA = y\) is correct where x, A and y are not given nor computed by the party which requires validity checking: this is typically the case for some cryptographic lattice-based signature schemes. This paper focuses on the computational aspects and the improvement on both speed and memory when implementing such a verifier, and use a practical example: the Diagonal Reduction Signature (DRS) scheme as it was one of the candidates in the recent National Institute of Standards and Technology Post-Quantum Cryptography Standardization Calls for Proposals competition. We show that in the case of DRS, we can gain a factor of 20 in verification speed.

Let G be a finite non-abelian group. Let \(A_1,\cdots , A_k\) be non-empty subsets of G, where \(k\ge 2\) is an integer such that \(A_i\cap A_j = \emptyset \) for integers \(i,j= 1,\cdots , k\) \((i \ne j)\). We say that \((A_1, \cdots , A_k)\) is a complete decomposition of G if the product of subsets \(A_{i_1} \cdots A_{i_k} = \{a_{i_1}...a_{i_k} | a_{i_j}\in A_{i_j}; j=1,\cdots , k\}\) coincides with G where the \(A_{i_j}\) are all distinct and \(\{A_{i_1},\cdots , A_{i_k}\}= \{A_1,\cdots , A_k\}\). The complete decomposition search problem in G is defined as recovering \(B \subseteq G\) from given A and G such that \(AB=G\). The aim of this paper is twofold. The first aim is to propose the complete decomposition search problem in G. The other objective is to provide a key exchange protocol based on the complete decomposition search problem using generalized quaternion group \(Q_{2^n}\) as the platform group for integer \(n \ge 3\). In addition, we show some constructions of complete decomposition of generalized quaternion group \(Q_{2^n}\). Further, we propose an algorithm that can solve computational complete decomposition search problem and show that the algorithm takes exponential time to break the scheme.

The decomposition of an application into independent microservices increases the attack surface, and makes it difficult to monitor each microservice in order to secure and control their network traffic. The adoption of microservices, together with new trends in software development that aim to quickly deliver software in short software development iterations often leaves software engineers with little time to give attention to the security of such applications. Consequently, it is not uncommon for many software development teams to release software without performing full-scale security testing. Although various tools and techniques are available to assist software engineers with the development of secure microservices throughout their life cycle, there is limited guidance on how these tools and techniques can be integrated into the software engineer’s daily software development tasks. The aim of this paper is to identify and review tools and techniques that software engineers can use as part of security-focused activities incorporated into the software development process, so that security is given early attention during the development of microservices.

We need Phishing Awareness Tools to train employees because existing anti-phishing filters are not 100% capable of detecting phishing attacks, especially zero-day attacks. Current awareness tools can make phishing campaigns targeting the employees, but they contain an only limited number of predefined email templates. In this work, we designed a framework and built a tool generating new phishing emails automatically from a graph database perspective. Then, we conducted a three-round experiment. We sent the automatically-generated emails to some uninformed members of our community. On average, 72.85% of victims opened the emails, the click-through rate was 54.05% among who opened the emails, and all recipients who completed the survey stated that the content of emails was meaningful. In this experiment, we also showed which parts of the email are more luring and what the result might be if emails are carefully-crafted or from a person of authority.

The aim of collaborative intrusion detection networks (CIDNs) is to provide better detection performance over a single IDS, through allowing IDS nodes to exchange data or information with each other. Nevertheless, CIDNs may be vulnerable to insider attacks, and there is a great need for deploying appropriate trust management schemes to protect CIDNs in practice. In this work, we advocate the effectiveness of intrusion sensitivity-based trust management model and describe an engineering way to automatically allocate the sensitivity values by using a support vector machine (SVM) classifier. To explore the allocation performance, we compare our classifier with several traditional supervised algorithms in the evaluation. We further investigate the performance of our enhanced trust management scheme in a real network environment under adversarial scenarios, and the experimental results indicate that our approach can be more effective in detecting insider attacks as compared with similar approaches.

Password-based authentication remains the main method of user authentication in computer systems. In case of a leak of the user database, the obfuscated storage of passwords is the last remaining protection of credentials. The strength of a password determines how hard it is to crack a password hash for uncovering the plain text password. Internet users often ignore recommended password guidelines and choose weak passwords that are easy to guess. In addition, service providers do not warn users that their chosen passwords are not secure enough. In this work we present a semi-automatic password cracking algorithm that orders and executes user-chosen password cracking attacks based on their efficiency. With our new approach, we are able to accelerate the cracking of password hashes and to demonstrate that weak passwords are still a serious security risk. The intention of this work is to point out that the usage of weak passwords holds great dangers for both the user and the service provider.

Many SIEM products have been produced. However, there is no comprehensive methodology to evaluate them. We present a novel and comprehensive three-dimensional methodology to evaluate SIEM products. We consider a SIEM product as a set of dimensions, namely capability, architectural component, and common feature, then subdivide each dimension-according to its definition-into sub-dimensions. Afterward, we develop multiple criteria for evaluating each sub-dimension. The dimensions can have a different impact and importance on SIEM product, to determine the magnitude of the impact and importance of each dimension we use a factor called the impact factor. We also consider some impact factors for the impact and importance of each sub-dimension and each criterion. Since there are different methods, algorithms, and standards for developing the criteria, so we provide maturity levels for each criterion. The results of the evaluations show that this methodology can evaluate the criteria coverage, completeness and correctness of criteria, and determine the superiority of criteria in the SIEM products as well.