
About this book

This book constitutes the refereed proceedings of the Chinese Conference on Trusted Computing and Information Security, CTCIS 2019, held in Shanghai, China, in October 2019.

The 22 revised full papers presented were carefully reviewed and selected from 247 submissions. The papers are centered around cryptography, systems security, trusted computing, information security, network security, information hiding.

Table of contents

Frontmatter

Generative Image Steganography Based on GANs

Abstract
According to the embedding method of secret information, steganography can be divided into: cover modification, selection and synthesis. In view of the problem that the cover modification will leave the modification trace, the cover selection is difficult and the load is too low, this paper proposes a generative image steganography scheme based on GANs, which combines with cover synthesis. Based on GAN, the scheme uses secret information as the driver and directly generates encrypted images for transmission, which can effectively resist the detection of steganalysis algorithms. The security of the scheme is based on the key of the encryption algorithm. Even if the attacker obtains the transmitted information, only the meaningless result will be obtained without the key. Experiments were carried out on the data set of CelebA, and the results verified the feasibility and security of the scheme.
Yaojie Wang, Xiaoyuan Yang, Hengkang Jin

Partial Blind Proxy Re-signature Scheme for Mobile Internet

Abstract
Aiming at the problems of limited computing power and high security requirements of mobile Internet mobile terminal devices, we propose a server-assisted verification partial blind proxy re-signature scheme. Partial blind proxy re-signature algorithm protects both the trustee’s privacy message and the agent’s legal rights. In the server-assisted authentication protocol, the verifier transfers the complex bilinear pairing operation task to the server through the interaction, thereby reducing the amount of computation of the verifier. The numerical experiments show that the verification efficiency of the new scheme is improved by at least 71% and 74%, respectively, compared with the Yang’s and Feng’s schemes.
Yanfang Lei, Zhijuan Jia, Lipeng Wang, Bei Gong, Yage Cheng, Junjun Fu

Information Flow-Based Security Construction for Compositional Interface Automata

Abstract
Information flow has been considered as a critical requirement to solve security related issues for complicated component-based systems. However, security conditions are often fragile and general security properties may not be available to enforce the composition. Thus, this paper gives the computation model of interface automata (IA) and studies how the compositional interfaces behave to capture the information leakage with security process algebra (SPA) language. And we find that persistent bisimulation-based non deducibility property is preserved under composition, while it is not fully applicable to IA model. So several sufficient conditions for the property are developed to apply for composition of interface automata. Those conditions are given as theorems and proved efficiently to analyze security. Finally, we cite a classical instance to handle the composition and use an automatic verification software to test the correctness of our algorithms on compositional conditions.
Mingdi Xu, Zhaoyang Jin, Fan Zhang, Feng Cui

Provably Secure Server-Assisted Verification Threshold Proxy Re-signature Scheme

Abstract
Aiming at the problems of limited computing power and high security requirements of terminal equipment, which affects people’s good experience on some network resources, we propose a provably secure server-assisted verification threshold proxy re-signature scheme. Threshold proxy re-signature can effectively disperse the power of the agent, and solve the security problem that the agent’s rights are too concentrated. In the server-assisted authentication protocol, the verifier transfers the complex bilinear pairing operation to the server through the interaction, reducing the computational complexity of the verifier. Under the standard model, the scheme can effectively resist collusion attacks and adaptive selection of message attacks. Performance analysis results show that compared with Yang’s scheme, the signature length of the new scheme is at least twice shorter and the verification efficiency is increased by at least 57%.
Guoning Lv, Yanfang Lei, Mingsheng Hu, Yage Cheng, Bei Gong, Junjun Fu

ReJection: A AST-Based Reentrancy Vulnerability Detection Method

Abstract
Blockchain is deeply integrated into the vertical industry, and gradually forms an application ecosphere of blockchain in various industries. However, the security incidents of blockchain occur frequently, and especially smart contracts have become the badly-disastered area. So avoiding security incidents caused by smart contracts has become an essential topic for blockchain developing. Up to now, there is no generic method for the security auditing of smart contracts and most researchers have to use existing vulnerability detection technology. To reduce the high false rate of smart contract vulnerability detection, we use ReJection, a detection method based on abstract syntax tree (AST), to focus on the reentrancy vulnerability with obvious harm and features in smart contracts. ReJection consists of four steps. Firstly, ReJection obtains the AST corresponding to the contract by the smart contract compiler solc. Then, AST is preprocessed to eliminate redundant information. Thirdly, ReJection traverses the nodes of the AST and records the notations related to reentrancy vulnerabilities during the traversal, such as Danger-Transfer function, Checks-Effects-Interactions pattern and mutex mechanism. Finally, ReJection uses record information and predefined rules to determine whether the reentrancy vulnerability has occurred. ReJection is implemented based on Slither, which is an open-source smart contract vulnerability detection tool. Furthermore, we also use the open-source smart contract code as the test program to compare experimental results to verify the effects with the ReJection and Slither. The result highlights that the ReJection has higher detection accuracy for reentrancy vulnerability.
Rui Ma, Zefeng Jian, Guangyuan Chen, Ke Ma, Yujia Chen

Identity Authentication Under Internet of Everything Based on Edge Computing

Abstract
With the rapid development of the Internet, the application of the Internet of things and big data is more and more extensive. The era of Internet of everything (IoE) has come, and the traditional cloud computing model has been unable to efficiently process the massive data generated by a large number of edge devices. Therefore, edge-type big data processing which is oriented to massive data computing generated by network edge devices—edge computing comes into being. However, due to the complexity of edge computing, data security and privacy issues become more prominent. Aiming at the security authentication of edge equipment under the Internet of everything, this paper designs an identity authentication framework under the Internet of everything based on edge computing. In the framework, multi-factor identity authentication is applied to solve the weakness of edge equipment security authentication. Moreover, the software defined network technology (SDN) is adopted to realize the global management of the deployment and application of a large number of edge equipment, which can effectively realize the effective security protection of the Internet of everything. In the end, the formalized verification of the identity authentication process of the designed framework is carried out.
Zixiao Kong, Jingfeng Xue, Yong Wang, Weijie Han, Xinyu Liu

STC: Improving the Performance of Virtual Machines Based on Task Classification

Abstract
Virtualization technology provides crucial support for cloud computing, and the virtual CPU (vCPU) scheduling in a virtualization system is one of the key factors to determine the system’s performance. However, due to the semantic gap in the virtualization system, the mainstream current scheduling policy does not take the tasks’ characteristics and spin lock into account, which leads to performance degradation in a virtual machine. This paper proposes a vCPU scheduling system STC (Virtual CPU Scheduling Based on Task Classification) in KVM to bridge the semantic gap. In STC, every virtual machine is configured with two types of vCPUs, among which the one with a shorter scheduling period is called the short vCPU (svCPU) and the ones with the default period are called the long vCPU (lvCPU). STC utilizes the Naïve Bayes classifier to classify the tasks, and the I/O-bound tasks are allocated to the svCPU, while the CPU-bound tasks are processed by lvCPUs. Correspondingly, in a host, two types of physical CPUs, the sCPU and lCPUs, are set to process the thread svCPU and lvCPUs. Moreover, lvCPUs adopt dispersive scheduling to alleviate Lock-Holder Preemption (LHP). STC improves the I/O response speed and saves the resources. Compared with the default algorithm, STC has achieved an 18% time delay decrease, a 17%–25% bandwidth improvement, and a 21% overhead decrease and ensured the fairness of the whole system.
Jiancheng Zhao, Zhiqiang Zhu, Lei Sun, Songhui Guo, Jin Wu

A Method for Realizing Covert Communication at Router Driving Layer

Abstract
The existing information hiding methods mainly focus on the analysis of the header field of the network protocol and the researches of VoIP. Well, the location of embedded covert data is easy to detect, its capacity is limited and the condition of covert communication is limited. In this paper, we propose a method which builds a covert channel between two routers for transmitting large-capacity information at the driver layer. The router is divided into sender and receiver, both of which mount our own driver and user application, intercept UDP packets generated during the user’s voice or video call with instant message software. We analyze the UDP characteristics and construct UDP meta-model, and then split the secret information into the payload part of the meta-model with CRC check. The forged UDP is sent out with the common UDP traffic. The receiver router intercepts and identifies the forged UDP packets by CRC check and utilizes the obtained forged UDP to restore the original information. Moreover, we exploited WeChat and QQ voice call to conduct numerous simulations of covert communication, and successfully transmitted the secret information transparently from a network-restricted area to a more relaxed area of network supervision, verifying the concealment of the method.
Jingsong Cui, Chi Guo, Manli Zhang, Qi Guo

A Secure Multi-party Signature Scheme Based on Trust Mechanism

Abstract
Aiming at the problem of trust, we propose a secure multi-party signature scheme based on trust mechanism. In this scheme, we introduce a time-stamped trust vector and form a trust matrix composed of multi-dimensional vectors to record the behavior of the participants periodically. Finally, a trusted evaluation mechanism is established for the participants. Under the premise of participant trustworthiness, a secure multi-party dynamic threshold signature scheme is constructed by secret sharing technology. The security analysis shows that the scheme can effectively suppress the vandalism of malicious participants. It is forward secure and can resist mobile attacks. Performance analysis shows that the scheme has lower computational complexity and higher execution efficiency.
Yage Cheng, Mingsheng Hu, Lipeng Wang, Yanfang Lei, Junjun Fu, Bei Gong, Wei Ma

Virtual FPGA Placement with an Efficient Ant Colony Optimization

Abstract
Virtualization allows integrating Field Programmable Gate Arrays (FPGAs) into a resource pool at the infrastructure layer. So as to improve the FPGA resource utilization while ensuring the quality of service, a virtual FPGA (vFPGA) Scheduling algorithm has been presented in our early work. In the meantime, we noticed that the initial deployment of vFPGAs has obvious effect on resource utilization ratio. Finding an optimal deployment of vFPGAs onto FPGAs which can be summed up in virtual FPGA placement (VFP) problem is an NP-hard problem. With a widespread of reconfigurable cryptographic resource pool, regarded it as a combinatorial optimization problem have offered higher efficiency than linear programming (LP) problem. In this paper, an optimized ant colony optimization (ACO) algorithm, where given ants the ability to perceive resource status, is presented to achieve the VFP goal. Finally, CloudSim toolkit is extended to evaluate our solution through simulations on synthetic workloads. The obtained results show that our algorithm can reduce the number of active FPGAs by improving the resource utilization.
Yingxin Xu, Lei Sun, Songhui Guo, Haidong Liu

Identity-Based Threshold Group Signature Scheme of Blockchain Verification

Abstract
In the e-commerce scenario, the signature schemes generally have to meet four requirements: public verification, integrity, traceability and efficiency. To achieve the above goals, the paper proposes an identity-based threshold group signature scheme which can not only simplify the process of key management, but also allow to trace the user identities. To protect the user privacy, the scheme blinds the user identities and stores them on the blockchain to prevent the malicious members from tampering with the content. Security analysis shows that the proposed signature, whose difficulty is equivalent to solving the discrete logarithm problem, achieves a high level of anonymity and can resist impersonation attacks. Computational complexity analysis shows that the new method with low computation overhead and high communication efficiency can be effectively adapted to the electronic commerce scene.
Lipeng Wang, Mingsheng Hu, Zhijuan Jia, Yage Cheng, Junjun Fu, Yubo Wang, Bei Gong

ByteDroid: Android Malware Detection Using Deep Learning on Bytecode Sequences

Abstract
The explosive growth of the Android malware poses a great threat to users’ privacy and sensitive personal information. It is urgent to develop an effective and efficient Android malware detection system. Existing studies usually require the manual feature engineering for the feature extraction. In fact, the detection performance is heavily relied on the quality of the feature extraction. Additionally, the feature extraction becomes extremely difficult in the malware detection due to the fact that malware developers often deploy the obfuscation techniques. To address this issue, we focus on the Android malware detection using the deep neural networks without the human factors. In this paper, we propose ByteDroid, an Android malware detection scheme that processes the raw Dalvik bytecode using the deep learning. ByteDroid resizes the raw bytecode and constructs a learnable vector representation as the input to the neural network. Then, ByteDroid adopts a Convolutional Neural Networks (CNNs) to automatically extract the malware features and perform the classification. Our experiment results demonstrate that ByteDroid not only can effectively detect Android malware, but also has a great generalization performance given untrained malware. Moreover, ByteDroid maintains resilience to obfuscation techniques.
Kewen Zou, Xi Luo, Pengfei Liu, Weiping Wang, Haodong Wang

Research on Multidimensional System Security Assessment Based on AHP and Gray Correlation

Abstract
Aiming at the problems of the network security evaluation indexes, which are one-sided and difficult to be strictly quantified, this paper proposes the multidimensional system security evaluation method based on AHP and grey relational analysis. Under the guidance of the construction principle of system security evaluation model, this paper puts the source of factors affecting network security as the criterion of dimension division, and constructs a multidimensional system security evaluation model for environmental security, network security and vulnerability security. On this basis, this paper combines AHP and grey relational analysis theory, and evaluates system security comprehensively and quantitatively. The multidimensional system security evaluation method based on AHP and grey relational analysis can consider the relationship between qualitative and quantitative factors in system security, and it is highly logical and flexible. This method also can effectively solve the problem that system security is difficult to evaluate objectively and quantitatively, and the system security evaluation can be pushed from a simple rough comparison to a comprehensive quantitative calculation stage.
Xiaolin Zhao, Hao Xu, Ting Wang, Xiaoyi Jiang, Jingjing Zhao

Research on Software Network Key Nodes Mining Methods Based on Complex Network

Abstract
Complex software system will bring a lot of software security problems, it is very meaningful to know how to more accurately abstract the software network model from the software system and efficiently find the key nodes in the software network. This research takes open source software as the research object, constructs a directed network model of software system, proposes a new weight calculation method, adds weights to the model to form a directed weighted network, and then regards the software network as a complex network. The defect mining and defect propagation cost are two node mining methods related to the weight and degree of the node. At the same time, the PageRank algorithm is improved to mine the key nodes. Finally, the robustness of the software system execution network model is carried out by different attack methods. The evaluation, through experimental verification and comparison, shows that the mining method proposed in this study can more accurately and efficiently mine key nodes in the software system.
Chun Shan, Peng Wang, Changzhen Hu, Xianwei Gao, Shanshan Mei

Research and Development of TPM Virtualization

Abstract
Combination of Cloud Computing and Trusted Computing is an important method to build a trusted cloud environment, and the most critical problem is the virtualization of TPM (Trusted Platform Module, TPM). But in view of the current research, TPM virtualization still not only does not meet the whole TCG specification, but also has a lot of security issues, and it is becoming the bottleneck of building a trusted cloud environment by combination of Cloud Computing and Trusted Computing. This paper introduces the basic concepts, types and basic requirements of TPM virtualization. The classification model of TPM virtualization is put forward by the I/O device virtualization technology. The main research work of the key technologies of TPM virtualization, such as architecture, key management, certification trust extension, migration and so on, are described in detail, moreover taking time as the clue, we can display a panoramic view of the evolution of related key technologies. Combined with the existing research results, the research direction and challenges of TPM virtualization under TCG architecture are discussed.
Liang Tan, Huan Xiao, Juan Wang

A Secure Certificateless Identity Authentication Scheme Based on Blockchain

Abstract
Centralized systems based on the trusted third-party are widely used in identity authentication. However, there is a single point of failure inherent in the centralized systems. As a natural decentralized architecture, blockchain can bring the advantages of decentralization, trustworthiness and immutability to the identity authentication systems. The existing blockchain-based identity authentication systems can solve the problem of single point of failure, but there are still problems such as certificate management. In this paper, we propose an identity authentication scheme based on blockchain and certificateless public key cryptography. The scheme implements a decentralized database by deploying smart contracts in the Ethereum blockchain, and uses the certificateless public key signature algorithm during the authentication process. Compared with other blockchain-based identity authentication systems, our scheme not only prevents the single point of failure, but also avoids the deficiency of certificate management, and resists impersonation attacks and man-in-the-middle attacks. The security analysis and performance analysis show the security and stability of our scheme.
Weijun Ao, Shaojing Fu, Chao Zhang, Ming Xu

A Trust-Based Security Research Method for Internet of Things Terminal

Abstract
The Internet of things has a broad application prospect, but under the environment of the Internet of things, terminals are facing extremely serious security threats. The existing security research focuses on authentication and encryption and other technologies, and the lightweight embedded equipment provides the possibility for the hardware security enhancement of the Internet of things terminal. Therefore, this paper introduces the basic concepts of trust and trustworthiness into the Internet of things terminal security improvement. By adding the trusted module to the Internet of things terminal equipment, it enhances the security of the Internet of things terminal from the perspective of active defense and trustworthiness, and obtains good results in practical application.
Zhe Liu, Bo Zhao, Jiyang Li

A QoS&SLA-Driven Multifaceted Trust Model for Cloud Computing

Abstract
Quality of Service (QoS) plays a vital role in cloud computing while Service Level Agreements (SLA) to a service contract is indispensable as well. Selecting a trusted cloud service based on service performance, thus, is raising fundamental concern. This work presents a QoS&SLA-driven multifaceted trust model for efficiently evaluating the trustworthiness of a cloud service in the light of its multiple differential service attributes. Owing to the uncertainty of QoS, the interval number theory is naturally introduced into our trust model. In the trust evaluation, moreover, an adaptive weight adjustment method that depends on connection number is exploited to dynamically accommodate their respective factors. The proposed trust model is the composition of two types of trust metrics, which are QoS trust and user satisfaction trust. QoS trust, specifically, that indicates the level of actual performance of the cloud service. User satisfaction trust virtually reflects to what extent actual service performance is in accord with SLA. Finally, we assess the proposed trust model based on real datasets derived from CloudHarmony, which makes the approach more objective and effective for cloud computing.
Runlian Zhang, Qingzhi Wang, Jinhua Cui, Xiaonian Wu

A Lossless Data Hiding Scheme in Public Key Encrypted Domain Based on Homomorphic Key-Switching

Abstract
This paper proposes a lossless data hiding in encrypted domain (RDH-ED) scheme. To realize the data extraction directly from the encrypted domain without the private key, a key-switching based least-significant-bit (KS-LSB) data hiding method has been designed. In application, the user first encrypts the plaintext and uploads ciphertext to the server. Then the server performs KS-LSB to obtain the marked ciphertext. Additional data can be extracted directly from the marked ciphertext by the server without the private key, which enables the (trusted or untrusted) third party to manage ciphertext flexibly under the premise of keeping the plaintext secret. The experimental results demonstrate that the embedding capacity is 1 bit per bit of plaintext. Data hiding would not affect the accuracy and the security of encryption.
Yan Ke, Minqing Zhang, Tingting Su, Jia Liu

A Detection Approach for Buffer Overflow Vulnerability Based on Data Control Flow Graph

Abstract
Buffer overflow vulnerability is currently one of the major security problems for programming languages written in C/C++. To address this issue, existing studies have proposed varied detection techniques to eliminate buffer overflow vulnerability. However, these approaches are still far from finding an ideal solution to completely reduce buffer overflow vulnerability. This paper presents a detection approach for buffer overflow vulnerability based on Data Control Flow Graph (DCFG). The proposed approach first uses the dangerous function identification method to determine the dangerous points and the type of dangerous functions. We then construct the constraint rules of the dangerous function at the dangerous point to establish the constraint system. Finally, the constraint system is solved to obtain the result of the vulnerability determination. To explore this approach, we performed an extensive experiment and compared empirically with existing vulnerability detection tools. The result shows that the proposed method has a good effect on buffer overflow vulnerability detection, and can effectively improve detection efficiency.
Jinfu Chen, Qihao Bao, Qingchen Zhang, Jinchang Hu, Patrick Kwaku Kudjo

Outsourced Data Integrity Auditing for Efficient Batch Dynamic Updates

Abstract
Cloud storage is becoming more and more popular as it provides a good solution for people with insufficient storage space. Provable Data Possession (PDP) is a model that allows to verify the outsourced data’s integrity without downloading it. However, existing dynamic data possession verification schemes not only suffer from low efficiency of batch auditing for multi-block data, but also lack an effective mechanism to update multiple blocks at the same time. In this paper, we propose a new dynamic provable data possession scheme for secure cloud data auditing. The scheme leverages BLS signatures and RMHT to support batch auditing and then optimizes batch auditing scenarios with four algorithms to support efficient batch updates. The theoretical analysis shows the security of our scheme, and the experimental results show that the scheme has advantages over the existing dynamic integrity audit scheme in terms of computing time and communication cost.
Kunyao Deng, Ming Xu, Shaojing Fu

Secure Personal Health Records Sharing Based on Blockchain and IPFS

Abstract
Personal Health Records (PHR) system has attracted intensive attention due to its universal accessibility and low cost in economics. Because of high cost of storing data and access control, most PHR systems adopt centralized management, where an authoritative management center controls the entire system and PHR data is stored in a trusted third-party service provider. However, there are some disadvantages, such as fully trusting to a control center, suffering from a single point of failure, and data deleting. In this paper, we propose a novel distributed framework based on blockchain and IPFS (Inter Planetary File System), and a suite of mechanisms for data access control to PHR data. Smart Contracts are designed on the blockchain, and all data operations are treated as transactions. The symmetric cryptographic algorithm is used to encrypt the PHR data, and then all encrypted data is stored on IPFS nodes securely in distributed environment. The ciphertext-policy attribute-based encryption (CP-ABE) is used to encrypt the symmetric secret keys, and the corresponding ciphertext is stored and published in IPNS (Inter Planetary Name Space), so as to achieve fine-grained access control. Analytical and experimental results are presented, which show that our framework has ability to provide authenticity, confidentiality, fine-grained access control, forward secrecy, and traceability simultaneously.
Xuguang Wu, Yiliang Han, Minqing Zhang, Shuaishuai Zhu

Backmatter
