Skip to main content

Über dieses Buch

This book constitutes the refereed proceedings of the 7th International Conference on Trust and Trustworthy Computing, TRUST 2014, held in Heraklion, Crete, Greece in June/July 2014. The 10 full papers and three short papers presented together with 9 poster abstracts were carefully reviewed and selected from 40 submissions. They are organized in topical sections such as TPM 2.0, trust in embedded and mobile systems; physical unclonable functions; trust in the web; trust and trustworthiness.



TPM 2.0

DAA-Related APIs in TPM 2.0 Revisited

In TPM 2.0, a single signature primitive is proposed to support various signature schemes including Direct Anonymous Attestation (DAA), U-Prove and Schnorr signature. This signature primitive is implemented by several APIs which can be utilized as a static Diffie-Hellman (SDH) oracle. In this paper, we measure the practical impact of the SDH oracle in TPM 2.0 and show the security strength of these signature schemes can be weakened by 13-bit. We propose a novel property of DAA called forward anonymity and show how to utilize these DAA-related APIs to break forward anonymity. Then we propose new APIs which not only remove the SDH oracle but also support the forward anonymity, thus significantly improve the security of DAA and the other signature schemes supported by TPM 2.0. We prove the security of our new APIs under the discrete logarithm assumption in the random oracle model. We prove that the proposed DAA schemes satisfied the forward anonymity property using the new APIs under the Decision Diffie-Hellman assumption. Our new APIs are almost as efficient as the original APIs in TPM 2.0 specification and can support LRSW-DAA and SDH-DAA together with U-Prove as the original APIs.
Li Xi, Kang Yang, Zhenfeng Zhang, Dengguo Feng

Continuous Tamper-Proof Logging Using TPM 2.0

Auditing system logs is an important means of ensuring systems’ security in situations where run-time security mechanisms are not sufficient to completely prevent potentially malicious activities. A fundamental requirement for reliable auditing is the integrity of the log entries. This paper presents an infrastructure for secure logging that is capable of detecting the tampering of logs by powerful adversaries residing on the device where logs are generated. We rely on novel features of trusted hardware (TPM) to ensure the continuity of the logging infrastructure across power cycles without help from a remote server. Our infrastructure also addresses practical concerns including how to handle high-frequency log updates, how to conserve disk space for storing logs, and how to efficiently verify an arbitrary subset of the log. Importantly, we formally state the tamper-proofness guarantee of our infrastructure and verify that our basic secure logging protocol provides the desired guarantee. To demonstrate that our infrastructure is practical, we implement a prototype and evaluate its performance.
Arunesh Sinha, Limin Jia, Paul England, Jacob R. Lorch

Trust in Embedded and Mobile Systems

Affordable Separation on Embedded Platforms

Soft Reboot Enabled Virtualization on a Dual Mode System
While security has become important in embedded systems, commodity operating systems often fail in effectively separating processes, mainly due to a too large trusted computing base. System virtualization can establish isolation already with a small code base, but many existing embedded CPU architectures have very limited virtualization hardware support, so that the performance impact is often non-negligible. Targeting both security and performance, we investigate an approach in which a few minor hardware additions together with virtualization offer protected execution in embedded systems while still allowing non-virtualized execution when secure services are not needed. Benchmarks of a prototype implementation on an emulated ARM Cortex A8 platform confirm that switching between those two execution forms can be done efficiently.
Oliver Schwarz, Christian Gehrmann, Viktor Do

Owner-Centric Protection of Unstructured Data on Smartphones

Modern smartphone apps tend to contain and use vast amounts of data that can be broadly classified as structured and unstructured. Structured data, such as an user’s geolocation, has predefined semantics that can be retrieved by well-defined platform APIs. Unstructured data, on the other hand, relies on the context of the apps to reflect its meaning and value, and is typically provided by the user directly into an app’s interface. Recent research has shown that third-party apps are leaking highly-sensitive unstructured data, including user’s banking credentials. Unfortunately, none of the current solutions focus on the protection of unstructured data.
In this paper, we propose an owner-centric solution to protect unstructured data on smartphones. Our approach allows the data owners to specify security policies when providing their untrusted data to third-party apps. It tracks the flow of information to enforce the owner’s policies at strategic exit points. Based on this approach, we design and implement a system, called DataChest. We develop several mechanisms to reduce user burden and keep interruption to the minimum, while at the same time preventing the malicious apps from tricking the user. We evaluate our system against a set of real-world malicious apps and a series of synthetic attacks to show that it can successfully prevent the leakage of unstructured data while incurring reasonable performance overhead.
Yajin Zhou, Kapil Singh, Xuxian Jiang

On Usable Location Privacy for Android with Crowd-Recommendations

The boom of smart devices with location capabilities has also led to a boom of apps that use location data for many different purposes. While there are of course apps that require users’ precise locations, such as navigation apps, many apps would work equally well with less precision. Currently, apps that request location information are granted access to location data with maximum precision or not at all. In this work we present a location obfuscation approach for Android devices, which focuses on the usability aspects. Based on results of focus group discussions (n,=,19) we designed and implemented a solution that can be used by even unskilled users. When an app requests for location data the first time, the user configures accuracy of location data that is to be revealed to the app by selecting one of five precision levels. Unskilled users are supported by crowd-based recommendations.
Benjamin Henne, Christian Kater, Matthew Smith

Physical Unclonable Functions

Lightweight Anti-counterfeiting Solution for Low-End Commodity Hardware Using Inherent PUFs

This paper presents a lightweight anti-counterfeiting solution using intrinsic Physically Unclonable Functions (PUFs), which are already embedded in most commodity hardware platforms. The presented solution is particularly suitable for low-end computing devices without on-board security features. Our anti-counterfeiting approach is based on extracting a unique fingerprint for individual devices exploiting inherent PUF characteristics from the on-chip static random-access memory (SRAM), which in turn allows to bind software to a particular hardware platform. Our solution does not require additional hardware, making it flexible as well as cost efficient. In a first step, we statistically analyze the characteristics of the intrinsic PUF instances found in two device types, both based on a widely used ARM Cortex-M microcontroller. We show that the quality of the PUF characteristics is almost ideal. Subsequently, we propose a security architecture to protect the platform’s firmware by using a modified boot loader. In a proof of concept, we embed our solution on a state-of-the-art commodity system-on-a-chip platform equipped with an MCU similar to the ones previously analyzed.
André Schaller, Tolga Arul, Vincent van der Leest, Stefan Katzenbeisser

Evaluation of Bistable Ring PUFs Using Single Layer Neural Networks

This paper presents an analysis of a bistable ring physical unclonable function (BR-PUF) implemented on a field-programmable gate array (FPGA) using a single layer artificial neural network (ANN). The BR-PUF was proposed as a promising circuit-based strong PUF candidate, given that a simple model for its behaviour is unknown by now and hence modeling-based attacks would be hard. In contrast to this, we were able to find a strongly linear influence in the mapping of challenges to responses in this architecture. Further, we show how an alternative implementation of a bistable ring, the twisted bistable ring PUF (TBR-PUF), leads to an improved response behaviour. The effectiveness and a possible explaination of the improvements is demonstrated using our machine learning analysis approach.
Dieter Schuster, Robert Hesselbarth

Trust in the Web

Large-Scale Security Analysis of the Web: Challenges and Findings

As the web expands in size and adoption, so does the interest of attackers who seek to exploit web applications and exfiltrate user data. While there is a steady stream of news regarding major breaches and millions of user credentials compromised, it is logical to assume that, over time, the applications of the bigger players of the web are becoming more secure. However, as these applications become resistant to most prevalent attacks, adversaries may be tempted to move to easier, unprotected targets which still hold sensitive user data.
In this paper, we report on the state of security for more than 22,000 websites that originate in 28 EU countries. We first explore the adoption of countermeasures that can be used to defend against common attacks and serve as indicators of “security consciousness”. Moreover, we search for the presence of common vulnerabilities and weaknesses and, together with the adoption of defense mechanisms, use our findings to estimate the overall security of these websites. Among other results, we show how a website’s popularity relates to the adoption of security defenses and we report on the discovery of three, previously unreported, attack variations that attackers could have used to attack millions of users.
Tom van Goethem, Ping Chen, Nick Nikiforakis, Lieven Desmet, Wouter Joosen

Towards a Vulnerability Tree Security Evaluation of OpenStack’s Logical Architecture

Cloud computing’s rapid development has favored the emergence of many other technologies like OpenStack, which is the most popular open-source cloud management software. OpenStack has received a lot of praise lately thanks to its ease of use and its vibrant community, but it has also started garnering attention in the national vulnerability database. Furthermore, OpenStack has a logical architecture in which, the degree of interconnectedness within and between the components is a source of many security concerns. To prevent the damages that can be caused by the combination of these security issues, we proposed a vulnerability tree security analysis of OpenStack’s logical architecture that allowed us to generate ready-to-use vulnerability trees of the major services or components of the architecture. We also suggested an amendment of OpenStack’s vulnerability naming, because the current naming does not cope well with our proposal.
Doudou Fall, Takeshi Okuda, Youki Kadobayashi, Suguru Yamaguchi

PrivLoc: Preventing Location Tracking in Geofencing Services

Location-based services are increasingly used in our daily activities. In current services, users however have to give up their location privacy in order to acquire the service.
The literature features a large number of contributions which aim at enhancing user privacy in location-based services. Most of these contributions obfuscate the locations of users using spatial and/or temporal cloaking in order to provide k-anonymity. Although such schemes can indeed strengthen the location privacy of users, they often decrease the service quality and do not necessarily prevent the possible tracking of user movements (i.e., direction, trajectory, velocity). With the rise of Geofencing applications, tracking of movements becomes more evident since, in these settings, the service provider is not only requesting a single location of the user, but requires the movement vectors of users to determine whether the user has entered/exited a Geofence of interest.
In this paper, we propose a novel solution, PrivLoc, which enables the privacy-preserving outsourcing of Geofencing and location-based services to the cloud without leaking any meaningful information about the location, trajectory, and velocity of the users. Notably, PrivLoc enables an efficient and privacy-preserving intersection of movement vectors with any polygon of interest, leveraging functionality from existing Geofencing services or spatial databases. We analyze the security and privacy provisions of PrivLoc and we evaluate the performance of our scheme by means of implementation. Our results show that the performance overhead introduced by PrivLoc can be largely tolerated in realistic deployment settings.
Jens Mathias Bohli, Dan Dobre, Ghassan O. Karame, Wenting Li

Trust and Trustworthiness

Hiding Transaction Amounts and Balances in Bitcoin

Bitcoin is gaining increasing adoption and popularity nowadays. In spite of its reliance on pseudonyms, Bitcoin raises a number of privacy concerns due to the fact that all of the transactions that take place in the system are publicly announced.
The literature contains a number of proposals that aim at evaluating and enhancing user privacy in Bitcoin. To the best of our knowledge, ZeroCoin (ZC) is the first proposal which prevents the public tracing of coin expenditure in Bitcoin by leveraging zero-knowledge proofs of knowledge and one-way accumulators. While ZeroCoin hardens the traceability of coins, it does not hide the amount per transaction, nor does it prevent the leakage of the balances of Bitcoin addresses. In this paper, we propose, EZC, an extension of ZeroCoin which (i) enables the construction of multi-valued ZCs whose values are only known to the sender and recipient of the transaction and (ii) supports the expenditure of ZCs among users in the Bitcoin system, without the need to convert them back to Bitcoins. By doing so, EZC hides transaction values and address balances in Bitcoin, for those users who opt-out from exchanging their coins to BTCs. We performed a preliminary assessment of the performance of EZC; our findings suggest that EZC improves the communication overhead incurred in ZeroCoin.
Elli Androulaki, Ghassan O. Karame

Integration of Data-Minimising Authentication into Authorisation Systems

Authentication and authorisation are essential ingredients for effective protection of data in distributed information systems. Currently, they are being treated as separate components with specified input and output relations. Traditional authorisation components require all of the users’ information that is possibly relevant to an authorisation decision and consequently the authentication components need to fully identify the users and collect all available information about them. This destroys all the potential privacy and security benefits of data-minimising authentication technologies such as private credential systems. In this paper, we discuss different ways to address this problem. More precisely, we sketch two possibilities of integrating data-minimising authentication into a traditional authorisation system such that the overall system becomes data-minimising.
Dhouha Ayed, Patrik Bichsel, Jan Camenisch, Jerry den Hartog

Evaluating Trustworthiness through Monitoring: The Foot, the Horse and the Elephant

This paper presents a framework for trust evaluation through monitoring, in particular, to address the question of how to derive trust from observations of certain properties. We propose a trust model based on subjective logic to represent trust through the notion of an opinion and to include aspects of uncertainty in a systematic fashion. Moreover, we analyze requirements for opinion generators and introduce novel parameterized generators that capture the requirements for opinion generators much better than current generators do. In addition, we show how a decision can be made based on trust monitoring within a certain context. The proposed trust evaluation framework is demonstrated with a case study of a Body Area Sensor Network. The results and examples show that the opinion generators can effectively work with various types of properties, including dependability, security and functionality related properties.
Vinh Bui, Richard Verhoeven, Johan Lukkien

Poster Abstracts

Extending Development Methodologies with Trustworthiness-By-Design for Socio-Technical Systems

(Extended Abstract)
Socio-Technical Systems (STS) include humans, organizations, and the information systems that they use to achieve certain goals [1]. They are increasingly relevant for society, since advances in ICT technologies, such as cloud computing, facilitate their integration in our daily life. Due to the difficulty in preventing malicious attacks, vulnerabilities, or the misuse of sensitive information, users might not trust these systems. Trustworthiness in general can be defined as the assurance that the system will per-form as expected, or meets certain requirements (cf., e.g. [2]). We consider trustworthiness as a multitude of quality attributes. As a means of constructive quality assurance, development methodologies should explicitly address the different challenges of building trustworthy software as well as evaluating trustworthiness, which is not supported by development methodologies, such as User-Centered Design (UCD) [3].
Nazila Gol Mohammadi, Torsten Bandyszak, Sachar Paulus, Per Håkon Meland, Thorsten Weyer, Klaus Pohl

Challenges in Establishing Trustworthy Collaborations for Timely Responses to Emergency Animal Disease Incidents

(Extended Abstract)
Developing and deploying authentication and authorization mechanisms and policies to control the flow of sensitive confidential information being shared between multiple organisations during a collaboration already represent technical and legal challenges.
John Žic

Authentication System Using Encrypted Discrete Biometrics Data

Biometric authentication has attracted attention because it has different characteristics from passwords. Biometric inputs are analog data and have a fixed fluctuation. Digitization is one possible measure to cope with the problems. Widening the quantization in step-size fashion to discriminate a personal distance is another possible measure. This paper proposes a biometric authentication system integrating these two measures. As biometric data are private, they are encrypted and saved on a server. Even if the server is attacked and the data are leaked, the private information concerning the biometric data is kept secret.
Kazuo Ohzeki, YuanYu Wei, Masaaki Kajihara, Masahiro Takatsuka, Yutaka Hirakawa, Toru Sugimoto

On the Development of Automated Forensic Analysis Methods for Mobile Devices

We live in a connected world where mobile devices are used by humans as valuable tools. The use of mobile devices leaves traces that can be treasured assets for a forensic analyst. Our aim is to investigate methods and exercise techniques that will merge all these valuable information in a way that will be efficient for a forensic analyst, producing graphical representations of the underlying data structures. We are using a framework able to collect and merge data from various sources and employ algorithms from a wide range of interdisciplinary areas to automate post-incident forensic analysis on mobile devices.
Panagiotis Andriotis, Theo Tryfonas, George Oikonomou, Shancang Li, Zacharias Tzermias, Konstantinos Xynos, Huw Read, Vassilis Prevelakis

A Trusted Knowledge Management System for Multi-layer Threat Analysis

In recent years, we have seen a surge of cybersecurity incidents ranging fromwidespread attacks (e.g., large-scale attacks against infrastructures or end points [1]) to new technological advances (i.e., new generations of malicious code are increasingly stealthy, powerful and pervasive [2]). Facing these incidents, the European Union, Japan, the United States or China have developed national cybersecurity programs, including training of professionals, development of roadmaps for new tools and services, and organization of national interest groups on the topic. There is thus a shared need for a better understanding of this kind of large-scale threats. Some of the basic requirements to better understand these large-scale incidents include handling large volumes of data collected from distributed probes and performing efficient cross-layer analysis.
Thanasis Petsas, Kazuya Okada, Hajime Tazaki, Gregory Blanc, Paweł Pawliński

Diagraming Approach to Structure the Security Lessons: Evaluation Using Cognitive Dimensions

Currently, the lessons learned from the security incidents are documented in add-hoc means such as lengthy security reports, free-style textual news letters, emails or informal meetings. This makes it difficult to effectively communicate security lessons among peers and organisations. The diagraming approach such as the Generic Security Template (G.S.T.) has been proposed to address this problem. This paper extends the work by evaluating its usability using the Cognitive Dimensions and identifies some aspects that need to be improved.
Ying He, Chris Johnson, Maria Evangelopoulou, Zheng-Shuai Lin

TRACER: A Platform for Securing Legacy Code

Static Analysis, Software Security, Trusted Applications, Legacy software.
Kostantinos Stroggylos, Dimitris Mitropoulos, Zacharias Tzermias, Panagiotis Papadopoulos, Fotios Rafailidis, Diomidis Spinellis, Sotiris Ioannidis, Panagiotis Katsaros

Facilitating Trust on Data through Provenance

Research on trusted computing focuses mainly on the security and integrity of the execution environment, from hardware components to software services. However, this is only one facet of the computation, the other being the data. If our goal is to produce trusted results, a trustworthy execution environment is not enough: we also need trustworthy data. Provenance of data plays a pivotal role in ascertaining trustworthiness of data. In our work, we explore how to use state-of-the-art systems techniques to capture and reconstruct provenance, thus enabling us to build trust on both newly generated and existing data.
Manolis Stamatogiannakis, Paul Groth, Herbert Bos

Early Warning Intrusion Detection System

Early Warning Intrusion Detection System (EWIS) is a distributed global scoped Internet threat monitoring system with the potential of detecting large scale malicious events as early as possible.
The system’s architecture includes a network of distributed low-interaction sensors and a central server [1]. The sensors are small computing platforms [2] that by design are easy to deploy in a distributed fashion to a large number of partner organizations. They are preconfigured to be robust and secure and thus integrate non-intrusively to a network infrastructure. Each sensor collects network activity flows of potentially malicious intent from dark Internet address spaces and then relays this information to the central server for logging and further analysis.
Panos Chatziadam, Ioannis G. Askoxylakis, Nikolaos E. Petroulakis, Alexandros G. Fragkiadakis


Weitere Informationen

Premium Partner