Information Security Commons^™

Soteria: A Persuasive Esecurity Assistant, Punica Bhardwaj

Theses and Dissertations

“…security is only as good as the weakest link, and people are the weakest link in the chain.” – B Schneier, 2002 Humans are often referred to as the “weakest link” in the security chain because of the poor security decisions taken by them. There can be many reasons for these decisions, such as lack of understandability of the software, lack of education, and lack of relevant information required to do that particular action. In this Thesis, we focus on the lack of relevant information required at the time of performing the action. In order to provide the user with …

Iterated Random Oracle: A Universal Approach For Finding Loss In Security Reduction, Fuchun Guo, Willy Susilo, Yi Mu, Rongmao Chen, Jianchang Lai, Guomin Yang

Research Collection School Of Computing and Information Systems

The indistinguishability security of a public-key cryptosystem can be reduced to a computational hard assumption in the random oracle model, where the solution to a computational hard problem is hidden in one of the adversary’s queries to the random oracle. Usually, there is a finding loss in finding the correct solution from the query set, especially when the decisional variant of the computational problem is also hard. The problem of finding loss must be addressed towards tight(er) reductions under this type. In EUROCRYPT 2008, Cash, Kiltz and Shoup proposed a novel approach using a trapdoor test that can solve the …

Server-Aided Public Key Encryption With Keyword Search, Rongman Chen, Yi Mu, Guomin Yang, Fuchun Guo, Xinyi Huang, Xiaofen Wang, Yongjun Wang

Research Collection School Of Computing and Information Systems

Public key encryption with keyword search (PEKS) is a well-known cryptographic primitive for secure searchable data encryption in cloud storage. Unfortunately, it is inherently subject to the (inside) offline keyword guessing attack (KGA), which is against the data privacy of users. Existing countermeasures for dealing with this security issue mainly suffer from low efficiency and are impractical for real applications. In this paper, we provide a practical and applicable treatment on this security vulnerability by formalizing a new PEKS system named server-aided public key encryption with keyword search (SA-PEKS). In SA-PEKS, to generate the keyword ciphertext/trapdoor, the user needs to …

Attacking Android Smartphone Systems Without Permissions, Mon Kywe Su, Yingjiu Li, Kunal Petal, Michael Grace

Research Collection School Of Computing and Information Systems

Android requires third-party applications to request for permissions when they access critical mobile resources, such as users' personal information and system operations. In this paper, we present the attacks that can be launched without permissions. We first perform call graph analysis, component analysis and data-flow analysis on various parts of Android framework to retrieve unprotected APIs. Unprotected APIs provide a way of accessing resources without any permissions. We then exploit selected unprotected APIs and launch a number of attacks on Android phones. We discover that without requesting for any permissions, an attacker can access to device ID, phone service state, …

Semeo: A Semantic Equivalence Analysis Framework For Obfuscated Android Applications, Zhen Hu

Department of Computer Science and Engineering: Dissertations, Theses, and Student Research

Software repackaging is a common approach for creating malware. In this approach, malware authors inject malicious payloads into legitimate applications; then, to ren- der security analysis more difficult, they obfuscate most or all of the code. This forces analysts to spend a large amount of effort filtering out benign obfuscated methods in order to locate potentially malicious methods for further analysis. If an effective mechanism for filtering out benign obfuscated methods were available, the number of methods that must be analyzed could be reduced, allowing analysts to be more productive. In this thesis, we introduce SEMEO, a highly effective and …

Cryptographic Reverse Firewall Via Malleable Smooth Projective Hash Functions, Rongmao Chen, Guomin Yang, Guomin Yang, Willy Susilo, Fuchun Guo, Mingwu Zhang

Research Collection School Of Computing and Information Systems

Motivated by the revelations of Edward Snowden, postSnowden cryptography has become a prominent research direction in recent years. In Eurocrypt 2015, Mironov and Stephens-Davidowitz proposed a novel concept named cryptographic reverse firewall (CRF) which can resist exfiltration of secret information from an arbitrarily compromised machine. In this work, we continue this line of research and present generic CRF constructions for several widely used cryptographic protocols based on a new notion named malleable smooth projective hash function. Our contributions can be summarized as follows. – We introduce the notion of malleable smooth projective hash function, which is an extension of the …

Ciphertext-Policy Attribute-Based Encryption With Partially Hidden Access Structure And Its Application To Privacy-Preserving Electronic Medical Record System In Cloud Environment, Lixian Liu, Junzuo Lai, Robert H. Deng, Yingjiu Li

Research Collection School Of Computing and Information Systems

With the development of cloud computing, more and more sensitive data are uploaded to cloud by companies or individuals, which brings forth new challenges for outsourced data security and privacy. Ciphertext-policy attribute-based encryption (CP-ABE) provides fine-grained access control of encrypted data in the cloud; in a CP-ABE scheme, an access structure, also referred to as ciphertext-policy, is sent along with a ciphertext explicitly, and anyone who obtains a ciphertext can know the access structure associated with the ciphertext. In certain applications, access structures contain very sensitive information and must be protected from everyone except the users whose private key attributes …

An Interview With The Scorpion: Walter O’Brien, Walter O'Brien

The STEAM Journal

An interview with Walter O'Brien (hacker handle: "Scorpion"), known as a businessman, information technologist, executive producer, and media personality who is the founder and CEO of Scorpion Computer Services, Inc. O'Brien is also the inspiration for and executive producer of the CBS television series, Scorpion.

Who's In And Who's Out?: What's Important In The Cyber World?, Tony M. Kelly

HON499 projects

The aim of this paper is to offer an introduction to the exploding field of cybersecurity by asking what are the most important concepts or topics that a new member of the field of cybersecurity should know. This paper explores this question from three perspectives: from the realm of business and how the cyber world is intertwined with modern commerce, including common weaknesses and recommendations, from the academic arena examining how cybersecurity is taught and how it should be taught in a classroom or laboratory environment, and lastly, from the author’s personal experience with the cyber world. Included information includes …

Personal Privacy: A Study To Determine Views On Privacy As It Relates To Technology Acceptance, Keith A. Wuotinen

Master's Theses and Doctoral Dissertations

This descriptive correlation study sought to learn the relationships, if any, between a person’s concern for privacy and their acceptance of technology, in conjunction with the control factors of the Big Five personality factors. The study employed a modified Concern for Information Privacy (CFIP) scale and a modified Technology Acceptance Model (TAM) approach in conjunction with the Big Five personality factors using a 51-question survey.

The study surveyed students at Eastern Michigan University in Ypsilanti, Michigan, who were enrolled in the College of Technology. The results indicated that there was a significant positive relationship between the CFIP and the TAM. …

Automated Verification Of Timed Security Protocols With Clock Drift, Li Li, Jun Sun

Research Collection School Of Computing and Information Systems

Time is frequently used in security protocols to provide better security. For instance, critical credentials often have limited lifetime which improves the security against brute-force attacks. However, it is challenging to correctly use time in protocol design, due to the existence of clock drift in practice. In this work, we develop a systematic method to formally specify as well as automatically verify timed security protocols with clock drift. We first extend the previously proposed timed applied ππ -calculus as a formal specification language for timed protocols with clock drift. Then, we define its formal semantics based on timed logic rules, …

Intrinsic Functions For Securing Cmos Computation: Variability, Modeling And Noise Sensitivity, Xiaolin Xu

Doctoral Dissertations

A basic premise behind modern secure computation is the demand for lightweight cryptographic primitives, like identifier or key generator. From a circuit perspective, the development of cryptographic modules has also been driven by the aggressive scalability of complementary metal-oxide-semiconductor (CMOS) technology. While advancing into nano-meter regime, one significant characteristic of today's CMOS design is the random nature of process variability, which limits the nominal circuit design. With the continuous scaling of CMOS technology, instead of mitigating the physical variability, leveraging such properties becomes a promising way. One of the famous products adhering to this double-edged sword philosophy is the Physically …

Early Packet Rejection Using Dynamic Binary Decision Diagram, Vasiqullah Molvizadah

Theses

A firewall is a hardware or software device that performs inspection on a given incoming/outgoing packets and decide whether to allow/deny the packet from entering/leaving the system. Firewall filters the packets by using a set of rules called firewall policies. The policies define what type of packets should be allowed or discarded. These policies describe the field values that the packet header must contain in order to match a policy in the firewall. The decision for any given packet is made by finding the first matching firewall policy, if any.

In a traditional firewall, the packet filter goes through each …

An Efficient Privacy-Preserving Outsourced Calculation Toolkit With Multiple Keys, Ximeng Liu, Robert H. Deng, Kim-Kwang Raymond Choo, Jian Weng

Research Collection School Of Computing and Information Systems

In this paper, we propose a toolkit for efficient and privacy-preserving outsourced calculation under multiple encrypted keys (EPOM). Using EPOM, a large scale of users can securely outsource their data to a cloud server for storage. Moreover, encrypted data belonging to multiple users can be processed without compromising on the security of the individual user's (original) data and the final computed results. To reduce the associated key management cost and private key exposure risk in EPOM, we present a distributed two-trapdoor public-key cryptosystem, the core cryptographic primitive. We also present the toolkit to ensure that the commonly used integer operations …

Privacy-Preserving Outsourced Calculation On Floating Point Numbers, Ximeng Liu, Robert H. Deng, Wenxiu Ding, Rongxing Lu

Research Collection School Of Computing and Information Systems

In this paper, we propose a framework for privacy-preserving outsourced calculation on floating point numbers (POCF). Using POCF, a user can securely outsource the storing and processing of floating point numbers to a cloud server without compromising on the security of the (original) data and the computed results. In particular, we first present privacy-preserving integer processing protocols for common integer operations. We then present an approach to outsourcing floating point numbers for storage in a privacy-preserving way, and securely processing commonly used floating point number operations on-the-fly. We prove that the proposed POCF achieves the goal of floating point number …

A Study On A Feasible No-Root Approach On Android, Yao Cheng, Yingjiu Li, Deng, Robert H., Lingyun Ying, Wei He

Research Collection School Of Computing and Information Systems

Root is the administrative privilege on Android, which is however inaccessible on stock Android devices. Due to the desire for privileged functionalities and the reluctance of rooting their devices, Android users seek for no-root approaches, which provide users with part of root privileges without rooting their devices. Existing no-root approaches require users to launch a separate service via Android Debug Bridge (ADB) on an Android device, which would perform user-desired tasks. However, it is unusual for a third-party Android application to work with a separate native service via sockets, and it requires the application developers to have extra knowledge such …

An Efficient And Expressive Ciphertext-Policy Attribute-Based-Encryption Scheme With Partially Hidden Access Structures, Hui Cui, Deng, Robert H., Guowei Wu, Junzuo Lai

Research Collection School Of Computing and Information Systems

A promising solution to protect data privacy in cloud storage services is known as ciphertext-policy attribute-based encryption (CP-ABE). However, in a traditional CP-ABE scheme, a ciphertext is bound with an explicit access structure, which may leak private information about the underlying plaintext in that anyone having access to the ciphertexts can tell the attributes of the privileged recipients by looking at the access structures. A notion called CP-ABE with partially hidden access structures [14, 15, 18, 19, 24] was put forth to address this problem, in which each attribute consists of an attribute name and an attribute value and the …

Editorial: Trust Management For Multimedia Big Data, Zheng Yan, Jun Liu, Deng, Robert H., Francisco Herrera

Research Collection School Of Computing and Information Systems

No abstract provided.

Achieving Ind-Cca Security For Functional Encryption For Inner Products, Shiwei Zhang, Yi Mu, Guomin Yang

Research Collection School Of Computing and Information Systems

Functional encryption allows the authorised parties to reveal partial information of the plaintext hidden in a ciphertext while in conventional encryption decryption is all-or-nothing. Focusing on the functionality of inner product evaluation (i.e. given vectors xxxx and yyyy, calculate ⟨xx,yy⟩⟨xx,yy⟩), Abdalla et al. (PKC 2015) proposed a functional encryption scheme for inner product functionality (FE-IP) with s-IND-CPA security. In some recent works by Abdalla et al. (eprint: Report 2016/11) and Agrawal et al. (CRYPTO 2016), IND-CPA secure FE-IP schemes have also been proposed. In order to achieve Indistinguishable under Chosen Ciphertext Attacks (IND-CCA security) for FE-IP, in this paper, we …

On The Security Of Two Identity-Based Conditional Proxy Re-Encryption Schemes, Kai He, Jian Weng, Robert H. Deng, Joseph K. Liu

Research Collection School Of Computing and Information Systems

Proxy re-encryption allows a semi-trusted proxy with a re-encryption key to convert a delegator's ciphertext into a delegatee's ciphertext, and the semi-trusted proxy cannot learn anything about the underlying plaintext. If a proxy re-encryption scheme is indistinguishable against chosen-ciphertext attacks, its initialized ciphertext should be non-malleable. Otherwise, there might exist an adversary who can break the chosen-ciphertext security of the scheme. Recently, Liang et al. proposed two proxy re-encryption schemes. They claimed that their schemes were chosen-ciphertext secure in the standard model. However, we find that the original ciphertext in their schemes are malleable. Thus, we present some concrete attacks …

One-Round Attribute-Based Key Exchange In The Multi-Party Setting, Yangguang Tian, Guomin Yang, Yi Mu, Kaitai Liang, Yong Yu

Research Collection School Of Computing and Information Systems

Attribute-based authenticated key exchange (AB-AKE) is a useful primitive that allows a group of users to establish a shared secret key and at the same time enables fine-grained access control. A straightforward approach to design an AB-AKE protocol is to extend a key exchange protocol using attribute-based authentication technique. However, insider security is a challenge security issue for AB-AKE in the multi-party setting and cannot be solved using the straightforward approach. In addition, many existing key exchange protocols for the multi-party setting (e.g., the well-known Burmester-Desmedt protocol) require multiple broadcast rounds to complete the protocol. In this paper, we propose …

M(2)-Abks: Attribute-Based Multi-Keyword Search Over Encrypted Personal Health Records In Multi-Owner Setting, Yinbin Miao, Jianfeng Ma, Ximeng Liu, Fushan Wei, Zhiquan Liu, Xu An Wang

Research Collection School Of Computing and Information Systems

Online personal health record (PHR) is more inclined to shift data storage and search operations to cloud server so as to enjoy the elastic resources and lessen computational burden in cloud storage. As multiple patients' data is always stored in the cloud server simultaneously, it is a challenge to guarantee the confidentiality of PHR data and allow data users to search encrypted data in an efficient and privacy-preserving way. To this end, we design a secure cryptographic primitive called as attribute-based multi-keyword search over encrypted personal health records in multi-owner setting to support both fine-grained access control and multi-keyword search …

A Provably Secure Aggregate Signature Scheme For Healthcare Wireless Sensor Networks, Limin Shen, Jianfeng Ma, Ximeng Liu, Meixia Miao

Research Collection School Of Computing and Information Systems

Wireless sensor networks (WSNs) are being used in a wide range of applications for healthcare monitoring, like heart rate monitors and blood pressure monitors, which can minimize the need for healthcare professionals. In medical system, sensors on or in patients produce medical data which can be easily compromised by a vast of attacks. Although signature schemes can protect data authenticity and data integrity, when the number of users involved in the medical system becomes huge, the bandwidth and storage cost will rise sharply so that existing signature schemes are inapplicability for WSNs. In this paper, we propose an efficient aggregate …

Efficient Tag Path Authentication Protocol With Less Tag Memory, Hongbing Wang, Yingjiu Li, Zongyang Zhang, Yunlei Zhao

Research Collection School Of Computing and Information Systems

Logistical management has been advanced rapidly in these years, taking advantage of the broad connectivity of the Internet. As it becomes an important part of our lives, it also raises many challenging issues, e.g., the counterfeits of expensive goods pose a serious threat to supply chain management. As a result, path authentication becomes especially important in supply chain management, since it helps us maintain object pedigree and supply chain integrity. Meanwhile, tag path authentication must meet a series of security requirements, such as authentication, privacy, and unlinkability. In addition, the authentication protocol must be efficient.In 2011, the first tag path …

A Novel Covert Channel Detection Method In Cloud Based On Xsrm And Improved Event Association Algorithm, Lina Wang, Weijie Liu, Neeraj Kumar, Debiao He, Cheng Tan, Debin Gao

Research Collection School Of Computing and Information Systems

Covert channel is a major threat to the information system security and commonly found in operating systems, especially in cloud computing environment. Owing to the characteristics in cloud computing environment such as resources sharing and logic boundaries, covert channels become more varied and difficult to find. Focusing on those problems, this paper presents a universal method for detecting covert channel automatically. To achieve a global detection, we leveraged a virtual machine event record mechanism in hypervisor to gather necessary metadata. Combining the shared resources matrix methodology with events association mechanism, we proposed a distinctive algorithm that can accurately locate and …

Ownership-Hidden Group-Oriented Proofs Of Storage From Pre-Homomorphic Signatures, Yujue Wang, Qianhong Wu, Bo Qin, Xiaofeng Chen, Xinyi Huang, Jungang Lou

Research Collection School Of Computing and Information Systems

In this paper, we study the problem of secure cloud storage in a multi-user setting such that the ownership of outsourced files can be hidden against the cloud server. There is a group manager for initiating the system, who is also responsible for issuing private keys for the involved group members. All authorized members are able to outsource files to the group’s storage account at some cloud server. Although the ownership of outsourced file is preserved against the cloud server, the group manager could trace the true identity of any suspicious file for liability investigation. To address this issue, we …

Chapter Five: The San Bernardino Iphone Case, Tracy Mitrano

Tracy Mitrano

Chapter Four: Information Security, Tracy Mitrano

Tracy Mitrano

No abstract provided.

Chapter One: Free Speech, Tracy Mitrano

Tracy Mitrano

No abstract provided.

Virtual Values For Taint And Information Flow Analysis, Prakasam Kannan, Thomas Austin, Mark Stamp, Tim Disney, Cormac Flanagan

Faculty Publications, Computer Science

Security controls such as taint analysis and information flow analysis can be powerful tools to protect against many common attacks. However, incorporating these controls into a language such as JavaScript is challenging. Native implementations require the support of all JavaScript VMs. Code rewriting requires developers to reason about the entire abstract syntax of JavaScript. In this paper, we demonstrate how virtual values may be used to more easily integrate these security controls. Virtual values provide hooks to alter the behavior of primitive operations, allowing programmers to create the desired security controls in a more declarative fashion, facilitating more rapid prototyping. …