Open Access. Powered by Scholars. Published by Universities.®

Computer Sciences Commons

Articles 1 - 30 of 52

Full-Text Articles in Computer Sciences

Differentiated Security Architecture For Secure And Efficient Infotainment Data Communication In Iov Networks, Jiani Fan, Lwin Khin Shar, Jiale Guo, Wenzhuo Yang, Dusit Niyato, Kwok-Yan Lam Dec 2022

Research Collection School Of Computing and Information Systems

This paper aims to provide differentiated security protection for infotainment data communication in Internet-of-Vehicle (IoV) networks. The IoV is a network of vehicles that uses various sensors, software, built-in hardware, and communication technologies to enable information exchange between pedestrians, cars, and urban infrastructure. Neglecting the security of infotainment data communication in IoV networks can unintentionally open an easy access point for social engineering attacks. The attacker can spread false information about traffic conditions, mislead drivers in their directions, and interfere with traffic management. Such attacks can also cause distractions to the driver, which has a potential implication …


Hapticpuppet: A Kinesthetic Mid-Air Multidirectional Force-Feedback Drone-Based Interface, Martin Feick, Anthony Tang, Antonio Kruger Nov 2022

Research Collection School Of Computing and Information Systems

Providing kinesthetic force-feedback for human-scale interactions is challenging due to the relatively large forces needed. Therefore, robotic actuators are predominantly used to deliver this kind of haptic feedback; however, they offer limited flexibility and spatial resolution. In this work, we introduce HapticPuppet, a drone-based force-feedback interface which can exert multidirectional forces onto the human body. This can be achieved by attaching strings to different parts of the human body such as fingers, hands or ankles, which can then be affixed to multiple coordinated drones - puppeteering the user. HapticPuppet opens up a wide range of potential applications in virtual, augmented …


Towards Automated Safety Vetting Of Smart Contracts In Decentralized Applications, Yue Duan, Xin Zhao, Yu Pan, Shucheng Li, Minghao Li, Fengyuan Xu, Mu Zhang Nov 2022

Research Collection School Of Computing and Information Systems

We propose VetSC, a novel UI-driven, program analysis guided model checking technique that can automatically extract contract semantics in DApps so as to enable targeted safety vetting. To facilitate model checking, we extract business model graphs from contract code that capture its intrinsic business and safety logic. To automatically determine what safety specifications to check, we retrieve textual semantics from DApp user interfaces. To exclude untrusted UI text, we also validate the UI-logic consistency and detect any discrepancies. We have implemented VetSC and applied it to 34 real-world DApps. Experiments have demonstrated that VetSC can accurately interpret smart contract code, …


Vulcurator: A Vulnerability-Fixing Commit Detector, Truong Giang Nguyen, Cong Thanh Le, Hong Jin Kang, Xuan-Bach D. Le, David Lo Nov 2022

Research Collection School Of Computing and Information Systems

The open-source software (OSS) vulnerability management process is important nowadays, as the number of discovered OSS vulnerabilities is increasing over time. Monitoring vulnerability-fixing commits is part of the standard process to prevent vulnerability exploitation. Manually detecting vulnerability-fixing commits is, however, time-consuming due to the possibly large number of commits to review. Recently, many techniques have been proposed to automatically detect vulnerability-fixing commits using machine learning. These solutions either (1) do not use deep learning, or (2) use deep learning on only limited sources of information. This paper proposes VulCurator, a tool that leverages deep learning on richer sources of information, …


Vpsl: Verifiable Privacy-Preserving Data Search For Cloud-Assisted Internet Of Things, Qiuyun Tong, Yinbin Miao, Ximeng Liu, Kim-Kwang Raymond Choo, Robert H. Deng Oct 2022

Research Collection School Of Computing and Information Systems

Cloud-assisted Internet of Things (IoT) is increasingly used in various fields, such as healthcare systems. In such a scenario, sensitive data (e.g., personal electronic medical records) can be easily revealed, which raises potential security challenges. Thus, Symmetric Searchable Encryption (SSE) has been extensively studied due to its capability of supporting efficient search on encrypted data. However, most SSE schemes require the data owner to share the complete key with query users and leave malicious cloud servers out of consideration. Seeking to address these limitations, in this paper we propose a Verifiable Privacy-preserving data Search scheme with Limited …


Soci: A Toolkit For Secure Outsourced Computation On Integers, Bowen Zhao, Jiaming Yuan, Ximeng Liu, Yongdong Wu, Hwee Hwa Pang, Robert H. Deng Oct 2022

Research Collection School Of Computing and Information Systems

Secure outsourced computation is a key technique for protecting data security and privacy in the cloud. Although fully homomorphic encryption (FHE) enables computations over encrypted data, it suffers from high computation costs in order to support an unlimited number of arithmetic operations. Recently, secure computations based on interactions of multiple computation servers and partially homomorphic encryption (PHE) were proposed in the literature, which enable an unbounded number of addition and multiplication operations on encrypted data more efficiently than FHE and do not add any noise to the encrypted data; however, these existing solutions are either limited in functionalities (e.g., computation on …


Mando: Multi-Level Heterogeneous Graph Embeddings For Fine-Grained Detection Of Smart Contract Vulnerabilities, Huu Hoang Nguyen, Nhat Minh Nguyen, Chunyao Xie, Zahra Ahmadi, Daniel Kudenko, Thanh Nam Doan, Lingxiao Jiang Oct 2022

Research Collection School Of Computing and Information Systems

Learning heterogeneous graphs consisting of different types of nodes and edges enhances the results of homogeneous graph techniques. An interesting example of such graphs is control-flow graphs representing possible software code execution flows. As such graphs represent more semantic information of code, developing techniques and tools for such graphs can be highly beneficial for detecting vulnerabilities in software for its reliability. However, existing heterogeneous graph techniques are still insufficient in handling complex graphs where the number of different types of nodes and edges is large and variable. This paper concentrates on the Ethereum smart contracts as a sample of software …


Right To Know, Right To Refuse: Towards Ui Perception-Based Automated Fine-Grained Permission Controls For Android Apps, Vikas Kumar Malviya, Chee Wei Leow, Ashok Kasthuri, Naing Tun Yan, Lwin Khin Shar, Lingxiao Jiang Oct 2022

Research Collection School Of Computing and Information Systems

It is a basic right of a user to know how permissions are used within an Android app’s scope and to refuse the app if granted permissions are used for activities other than their specified use, which can amount to malicious behavior. This paper proposes an approach and a vision to automatically model the permissions necessary for Android apps from the users’ perspective and to enable fine-grained permission controls by users, thus facilitating users in making more well-informed and flexible permission decisions for different app functionalities, which in turn improves the security and data privacy of the app and enforces apps …


Social Access And Representation For Autistic Adult Livestreamers, Terrance Mok, Anthony Tang, Adam Mccrimmon, Lora Oehlberg Oct 2022

Research Collection School Of Computing and Information Systems

We interviewed 10 autistic livestreamers to understand their motivations for livestreaming on Twitch. Our participants explained that streaming helped them fulfill social desires by: supporting them in making meaningful social connections with others; giving them a safe space to practice social skills like “small talk”; and empowering them to be autistic role models and to share their true selves. This work offers an early report on how autistic individuals leverage livestreaming as a beneficial social platform while struggling with audience expectations.


Toward Intention Discovery For Early Malice Detection In Bitcoin, Ling Cheng, Feida Zhu, Yong Wang, Huiwen Liu Sep 2022

Research Collection School Of Computing and Information Systems

Bitcoin has been subject to illicit activities more often than probably any other financial asset, due to the pseudo-anonymous nature of its transacting entities. An ideal detection model is expected to achieve all three properties of (I) early detection, (II) good interpretability, and (III) versatility for various illicit activities. However, existing solutions cannot meet all these requirements, as most of them rely heavily on deep learning without satisfying interpretability and are only available for retrospective analysis of a specific illicit type. First, we present asset transfer paths, which aim to describe addresses' early characteristics. Next, with a decision tree based …


Secure Deterministic Wallet And Stealth Address: Key-Insulated And Privacy-Preserving Signature Scheme With Publicly Derived Public Key, Zhen Liu, Guomin Yang, Duncan S. Wong, Khoa Nguyen, Huaxiong Wang, Xiaorong Ke, Yining Liu Sep 2022

Research Collection School Of Computing and Information Systems

Deterministic Wallet (DW) and Stealth Address (SA) mechanisms have been widely adopted in the cryptocurrency community, due to their virtues in functionality and privacy protection, which come from a key derivation mechanism that allows an arbitrary number of derived keys to be generated from a master key. However, these algorithms suffer from a vulnerability: when one derived key is somehow compromised, the damage is not limited to the leaked derived key only, but extends to the master key and, in consequence, all derived keys are compromised. In this article, we introduce and formalize a new signature variant, called Key-Insulated and Privacy-Preserving …


Secure Hierarchical Deterministic Wallet Supporting Stealth Address, Xin Yin, Zhen Liu, Guomin Yang, Guoxing Chen, Haojin Zhu Sep 2022

Research Collection School Of Computing and Information Systems

Over the past decade, cryptocurrency has been undergoing rapid development. The digital wallet, as the tool to store and manage cryptographic keys, is the primary entrance for the public to access cryptocurrency assets. Hierarchical Deterministic Wallet (HDW), proposed in Bitcoin Improvement Proposal 32 (BIP32), has attracted much attention and been widely used in the community, due to its virtues such as easy backup/recovery, convenient cold-address management, and support for trust-less audits and applications in hierarchical organizations. While HDW allows the wallet owner to generate and manage his keys conveniently, Stealth Address (SA) allows a payer to generate a fresh address (i.e., …


Verifying Neural Networks Against Backdoor Attacks, Long Hong Pham, Jun Sun Aug 2022

Research Collection School Of Computing and Information Systems

Neural networks have achieved state-of-the-art performance in solving many problems, including many applications in safety/security-critical systems. Researchers have also discovered multiple security issues associated with neural networks. One of them is backdoor attacks, i.e., a neural network may be embedded with a backdoor such that a target output is almost always generated in the presence of a trigger. Existing defense approaches mostly focus on detecting whether a neural network is ‘backdoored’ based on heuristics, e.g., activation patterns. To the best of our knowledge, the only line of work which certifies the absence of backdoors is based on randomized smoothing, which is …


Multimodal Private Signatures, Khoa Nguyen, Fuchun Guo, Willy Susilo, Guomin Yang Aug 2022

Research Collection School Of Computing and Information Systems

We introduce Multimodal Private Signature (MPS), an anonymous signature system that offers a novel accountability feature: it allows a designated opening authority to learn some partial information op about the signer’s identity id, and nothing beyond. Such partial information can flexibly be defined as op = id (as in group signatures), or as op = 0 (like in ring signatures), or more generally, as op = G_j(id), where G_j(·) is a certain disclosing function. Importantly, the value of op is known in advance by the signer, and hence, the latter can decide whether she/he wants to disclose …


Efficient Resource Allocation With Fairness Constraints In Restless Multi-Armed Bandits, Dexun Li, Pradeep Varakantham Aug 2022

Research Collection School Of Computing and Information Systems

Restless Multi-Armed Bandits (RMAB) is an apt model to represent decision-making problems in public health interventions (e.g., tuberculosis, maternal, and child care), anti-poaching planning, sensor monitoring, personalized recommendations and many more. Existing research in RMAB has contributed mechanisms and theoretical results to a wide variety of settings, where the focus is on maximizing expected value. In this paper, we are interested in ensuring that RMAB decision making is also fair to different arms while maximizing expected value. In the context of public health settings, this would ensure that different people and/or communities are fairly represented while making public health intervention …


Xss For The Masses: Integrating Security In A Web Programming Course Using A Security Scanner, Lwin Khin Shar, Christopher M. Poskitt, Kyong Jin Shim, Li Ying Leonard Wong Jul 2022

Research Collection School Of Computing and Information Systems

Cybersecurity education is considered an important part of undergraduate computing curricula, but many institutions teach it only in dedicated courses or tracks. This optionality risks students graduating with limited exposure to secure coding practices that are expected in industry. An alternative approach is to integrate cybersecurity concepts across non-security courses, so as to expose students to the interplay between security and other sub-areas of computing. In this paper, we report on our experience of applying the security integration approach to an undergraduate web programming course. In particular, we added a practical introduction to secure coding, which highlighted the OWASP Top …


Test Mimicry To Assess The Exploitability Of Library Vulnerabilities, Hong Jin Kang, Truong Giang Nguyen, Bach Le, Corina S. Pasareanu, David Lo Jul 2022

Research Collection School Of Computing and Information Systems

Modern software engineering projects often depend on open-source software libraries, rendering them vulnerable to potential security issues in these libraries. Developers of client projects have to stay alert to security threats in their software dependencies. While there are existing tools that allow developers to assess if a library vulnerability is reachable from a project, they face limitations. Call graph-only approaches may produce false alarms, as the client project may not use the vulnerable code in a way that triggers the vulnerability, while test generation-based approaches face difficulties in overcoming the intrinsic complexity of exploiting a vulnerability, where extensive domain knowledge …


On Measuring Network Robustness For Weighted Networks, Jianbing Zheng, Ming Gao, Ee-Peng Lim, David Lo, Cheqing Jin, Aoying Zhou Jul 2022

Research Collection School Of Computing and Information Systems

Network robustness measures how well a network's structure remains strong and healthy when it is under attack, such as vertices joining and leaving. It has been widely used in many applications, such as information diffusion, disease transmission, and network security. However, existing metrics, including node connectivity, edge connectivity, and graph expansion, can be suboptimal for measuring network robustness, since they are inefficient to compute and cannot be applied directly to weighted networks or disconnected networks. In this paper, we define the RR-energy as a new robustness measurement for weighted networks based on spectral analysis. RR-energy can cope …


Self-Supervised Video Representation Learning By Uncovering Spatio-Temporal Statistics, Jiangliu Wang, Jianbo Jiao, Linchao Bao, Shengfeng He, Wei Liu, Yun-Hui Liu Jul 2022

Research Collection School Of Computing and Information Systems

This paper proposes a novel pretext task to address the self-supervised video representation learning problem. Specifically, given an unlabeled video clip, we compute a series of spatio-temporal statistical summaries, such as the spatial location and dominant direction of the largest motion, the spatial location and dominant color of the largest color diversity along the temporal axis, etc. Then a neural network is built and trained to yield the statistical summaries given the video frames as inputs. In order to alleviate the learning difficulty, we employ several spatial partitioning patterns to encode rough spatial locations instead of exact spatial Cartesian coordinates. …


Enhancing Security Patch Identification By Capturing Structures In Commits, Bozhi Wu, Shangqing Liu, Ruitao Feng, Xiaofei Xie, Jingkai Siow, Shang-Wei Lin Jul 2022

Research Collection School Of Computing and Information Systems

With the rapidly increasing amount of open source software (OSS), the majority of software vulnerabilities in open source components are fixed silently, which leaves the deployed software that integrates them unable to get a timely update. Hence, it is critical to design a security patch identification system to ensure the security of the utilized software. However, most existing works on security patch identification just consider the changed code and the commit message of a commit as a flat sequence of tokens, using simple neural networks to learn its semantics, while the structure information is …


Joint Pricing And Matching For City-Scale Ride Pooling, Sanket Shah, Meghna Lowalekar, Pradeep Varakantham Jun 2022

Research Collection School Of Computing and Information Systems

Central to efficient ride-pooling are two challenges: (1) how to `price' customers' requests for rides, and (2) if the customer agrees to that price, how to best `match' these requests to drivers. While both of them are interdependent, each challenge's individual complexity has meant that, historically, they have been decoupled and studied individually. This paper creates a framework for batched pricing and matching in which pricing is seen as a meta-level optimisation over different possible matching decisions. Our key contributions are in developing a variant of the revenue-maximizing auction corresponding to the meta-level optimization problem, and then providing a scalable …


Shunted Self-Attention Via Multi-Scale Token Aggregation, Sucheng Ren, Daquan Zhou, Shengfeng He, Jiashi Feng, Xinchao Wang Jun 2022

Research Collection School Of Computing and Information Systems

Recent Vision Transformer (ViT) models have demonstrated encouraging results across various computer vision tasks, thanks to their competence in modeling long-range dependencies of image patches or tokens via self-attention. These models, however, usually designate similar receptive fields for each token feature within each layer. Such a constraint inevitably limits the ability of each self-attention layer to capture multi-scale features, thereby leading to performance degradation in handling images with multiple objects of different scales. To address this issue, we propose a novel and generic strategy, termed shunted self-attention (SSA), that allows ViTs to model the attentions at hybrid scales per …


Message-Locked Searchable Encryption: A New Versatile Tool For Secure Cloud Storage, Xueqiao Liu, Guomin Yang, Willy Susilo, Joseph Tonien, Rongmao Chen, Xixiang Lv May 2022

Research Collection School Of Computing and Information Systems

Message-Locked Encryption (MLE) is a useful tool to enable deduplication over encrypted data in cloud storage. It can significantly improve the cloud service quality by eliminating redundancy to save storage resources, and hence user cost, while also providing defense against different types of attacks, such as duplicate faking attacks and brute-force attacks. A typical MLE scheme only focuses on deduplication. On the other hand, supporting search operations on stored content is another essential requirement for cloud storage. In this article, we present a message-locked searchable encryption (MLSE) scheme in a dual-server setting, which simultaneously achieves the desirable features of supporting …


Natural Attack For Pre-Trained Models Of Code, Zhou Yang, Jieke Shi, Junda He, David Lo May 2022

Research Collection School Of Computing and Information Systems

Pre-trained models of code have achieved success in many important software engineering tasks. However, these powerful models are vulnerable to adversarial attacks that slightly perturb model inputs to make a victim model produce wrong outputs. Current works mainly attack models of code with examples that preserve operational program semantics but ignore a fundamental requirement for adversarial example generation: perturbations should be natural to human judges, which we refer to as naturalness requirement. In this paper, we propose ALERT (Naturalness Aware Attack), a black-box attack that adversarially transforms inputs to make victim models produce wrong outputs. Different from prior works, this …


Press A To Jump: Design Strategies For Video Game Learnability, Lev Poretski, Anthony Tang May 2022

Research Collection School Of Computing and Information Systems

Learnability is a core aspect of software usability. Video games are not an exception, as game designers need to teach players how to play their creations. We analyzed 40 contemporary video games to identify how video games approach learning experiences. We found that games have advanced far beyond using simple tutorials or demonstration screens and adopt a range of repeatable and reusable design strategies using visual cues to facilitate learning. We provide a detailed descriptive framework of these design strategies, elucidating how and when they can be used, and describing how the visual cues are used to build them. Our …


Probabilistic Path Prioritization For Hybrid Fuzzing, Lei Zhao, Pengcheng Cao, Yue Duan, Heng Yin, Jifeng Xuan May 2022

Research Collection School Of Computing and Information Systems

Hybrid fuzzing that combines fuzzing and concolic execution has become an advanced technique for software vulnerability detection. Based on the observation that fuzzing and concolic execution are complementary in nature, state-of-the-art hybrid fuzzing systems deploy “optimal concolic testing” and “demand launch” strategies. Although these ideas sound intriguing, we point out several fundamental limitations in them, due to unrealistic or oversimplified assumptions. Further, we propose a novel “discriminative dispatch” strategy and design a probabilistic hybrid fuzzing system to better utilize the capability of concolic execution. Specifically, we design a Monte Carlo-based probabilistic path prioritization model to quantify each path’s difficulty, and …


Smile: Secure Memory Introspection For Live Enclave, Lei Zhou, Xuhua Ding, Zhang Fengwei May 2022

Research Collection School Of Computing and Information Systems

SGX enclaves prevent external software from accessing their memory. This feature conflicts with legitimate needs for enclave memory introspection, e.g., runtime stack collection on an enclave under a return-oriented-programming attack. We propose SMILE for enclave owners to acquire live enclave contents with the assistance of a semi-trusted agent installed by the host platform’s vendor as a plug-in of the System Management Interrupt handler. SMILE authenticates the enclave under introspection without trusting the kernel or depending on the SGX attestation facility. SMILE is enclave-security preserving, as breaking SMILE does not undermine enclave security. It allows a cloud server to …


Active Warden Attack: On The (In)Effectiveness Of Android App Repackage-Proofing, Haoyu Ma, Shijia Li, Debin Gao, Daoyuan Wu, Qiaowen Jia, Chunfu Jia May 2022

Research Collection School Of Computing and Information Systems

App repackaging has raised serious concerns in the Android ecosystem, with repackage-proofing technology attracting attention in the Android research community. In this paper, we first show that existing repackage-proofing schemes rely on a flawed security assumption, and then propose a new class of active warden attack that intercepts and falsifies the metrics used by repackage-proofing for detecting integrity violations during repackaging. We develop a proof-of-concept toolkit to demonstrate that all existing repackage-proofing schemes can be bypassed by our attack toolkit. On the positive side, our analysis further identifies a new integrity metric in the Android ART runtime …


Sanitizable Access Control System For Secure Cloud Storage Against Malicious Data Publishers, Willy Susilo, Peng Jiang, Jianchang Lai, Fuchun Guo, Guomin Yang, Robert H. Deng May 2022

Research Collection School Of Computing and Information Systems

Cloud computing is considered one of the most prominent paradigms in the information technology industry, since it can significantly reduce the costs of hardware and software resources in computing infrastructure. This convenience has enabled corporations to efficiently use cloud storage as a mechanism to share data among their employees. At first sight, merely storing the shared data as plaintext in the cloud storage and protecting it using appropriate access control would seem a fine solution. This assumes that the cloud is fully trusted not to leak any information, which is impractical as the cloud …