Friday, 2 January 2015

An attack on RSA given a small fraction of the private key bits

KENT, C. Draft proposal for tweakable narrow-block encryption. https://siswg.net/docs/LRW-AES-10-19-2004.pdf, 2004

S. Fogie, J. Grossman, R. Hansen, A. Rager, and P. D. Petkov. XSS Attacks: Cross Site Scripting Exploits and Defense. Syngress, 2011.

D. Pogue. Remember all those passwords? no need. http://nyti.ms/10ZhXgq, 2013.[33] Roboform everywhere. http://www.roboform.com/everywhere.

BONEH, D., DURFEE, G., AND FRANKEL, Y. An attack on RSA given a small fraction of the private key bits. In Advances in Cryptology – ASIACRYPT ’98 (1998), pp. 25–34.

A. Barth, C. Jackson, and J. C. Mitchell. Robust defenses for cross-site request forgery. In Proc. of ACM Conference on Computer and Communications Security, 2008.

DYER, J. G., LINDEMANN, M., PEREZ, R., SAILER, R., VAN DOORN, L., SMITH, S. W., AND WEINGART, S. Building the IBM 4758 secure coprocessor. Computer 34 (Oct. 2001), 57–66.

GUTMANN, P. Secure deletion of data from magnetic and solid state memory. In Proc. 6th USENIX Security Symposium (July 1996), pp. 77–90.

LISKOV, M., RIVEST, R. L., AND WAGNER, D. Tweakable block ciphers. In Advances in Cryptology – CRYPTO 2002 (2002), pp. 31–46.

P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the Art of Virtualization. In SOSP, pages 164–177, 2003.

A. Vasudevan and R. Yerraballi. Cobra: Fine-grained Malware Analysis using Stealth Localized-executions. In S&P (Oakland), pages 264–279, 2006.

C. Willems, T. Holz, and F. Freiling. Toward Automated Dynamic Malware Analysis Using
CWSandbox. IEEE Security and Privacy, 5(2), 2007.

Mining Specifications of Malicious Behavior

S. Haber, W.S. Stornetta, "Secure names for bit-strings," In Proceedings of the 4th ACM Conference
on Computer and Communications Security, pages 28-35, April 1997.

M. Christodorescu, C. Kruegel, and S. Jha. Mining Specifications of Malicious Behavior. In ESEC/FSE, pages 5–14, 2007.

X. Jiang, X. Wang, and D. Xu. Stealthy Malware Detection Through VMM-Based ”Out-of-the-Box” Semantic View Reconstruction. In CCS, pages 128–138, 2007.

PETTERSSON, T. Cryptographic key recovery from Linux memory dumps. Presentation, Chaos Communication Camp, Aug. 2007.

ROGAWAY, P. Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In Advances in Cryptology – ASIACRYPT 2004 (2004), pp. 16–31.

VIDAS, T. The acquisition and analysis of random access memory. Journal of Digital Forensic Practice 1 (Dec. 2006), 315–323.

WYNS, P., AND ANDERSON, R. L. Low-temperature operation of silicon dynamic random-access memories. IEEE Transactions on Electron Devices 36 (Aug. 1989), 1423–1428.

P. Bacher, T. Holz, M. Kotter, and G. Wicherski.Know your enemy: Tracking botnets. http://www.honeynet.org/papers/bots, 2005.

X. Jiang, D. Xu, H. J. Wang, and E. H. Spafford. Virtual Playgrounds for Worm Behavior Investigation. In RAID, pages 1–21, 2005.

L. Martignoni, M. Christodorescu, and S. Jha. OmniUnpack: Fast, Generic, and Safe Unpacking of Malware. In ACSAC, pages 431–441, 2007. 

Design of a secure timestamping service with minimal trust requirements,

H. Massias, X.S. Avila, and J.-J. Quisquater, "Design of a secure timestamping service with minimal
trust requirements," In 20th Symposium on Information Theory in the Benelux, May 1999.

S. Maffeis, J. Mitchell, and A. Taly. Object capabilities and isolation of untrusted web applications. In Security and Privacy (SP), 2010 IEEE Symposium on, pages 125–140, 2010.


D. Bayer, S. Haber, W.S. Stornetta, "Improving the efficiency and reliability of digital time-stamping,"
In Sequences II: Methods in Communication, Security and Computer Science, pages 329-334, 1993.

S.-T. Sun and K. Beznosov. The devil is in the (implementation) details: an empirical analysis of oauth sso systems. In Proceedings of ACM conference on Computer and communications security, 2012.

A. Back, "Hashcash - a denial of service counter-measure," 
http://www.hashcash.org/papers/hashcash.pdf, 2002

D. Silver, S. Jana, E. Chen, C. Jackson, and D. Boneh. Password managers: Attacks and defenses. In Proceedings of the 23rd Usenix Security Symposium, 2014.

W. Zeller and E. W. Felten. Cross-site request forgeries: Exploitation and prevention. Technical report, Princeton University, 2008.

LIE, D., THEKKATH, C. A., MITCHELL, M., LINCOLN, P., BONEH, D., MITCHELL, J., AND HOROWITZ, M. Architectural support for copy and tamper resistant software. In Symp. On Architectural Support for Programming Languages and Operating Systems (2000), pp. 168–177.

K. Borders, X. Zhao, and A. Prakash. Siren: Catching Evasive Malware (Short Paper). In S&P (Oakland), pages 78–85, 2006.

new password manager: Security analysis of web-based password managers

Z. Li,W. He, D. Akhawe, and D. Song. The emperor ?s new password manager: Security analysis of web-based password managers. Technical Report UCB/EECS-2014-138, EECS Department, University of California, Berkeley, Jul 2014.

P. Royal, M. Halpin, D. Dagon, R. Edmonds, and W. Lee. PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware. In ACSAC, pages 289–300, 2006.

C. Kruegel, W. Robertson, and G. Vigna. Detecting Kernel-Level Rootkits Through Binary Analysis. In ACSAC, pages 91–100, 2004.

M. Christodorescu, S. Jha, S. A. Seshia, D. Song, and R. E. Bryant. Semantics-Aware Malware Detection. In S&P (Oakland), pages 32–46, 2005.

WEINMANN, R.-P., AND APPELBAUM, J. Unlocking FileVault. Presentation, 23rd Chaos Communication Congress, Dec. 2006.

SKOROBOGATOV, S. Low-temperature data remanence in static RAM. University of Cambridge Computer Laborary Technical Report No. 536, June 2002

FERGUSON, N. AES-CBC + Elephant diffuser: A disk encryption algorithm for Windows Vista. http://www.microsoft.com/downloads/details.aspx?FamilyID=131dae03-39ae-48be-a8d6-8b0034c92555, Aug. 2006.

CARRIER, B. D., AND GRAND, J. A hardware-based memory acquisition procedure for digital investigations. Digital Investigation 1 (Dec. 2003), 50–60.

BAR-LEV, A. Linux, Loop-AES and optional smartcard based disk encryption. http://wiki.tuxonice.net/EncryptedSwapAndRoot, Nov. 2007.

D. Akhawe, P. Saxena, and D. Song. Privilege separation in html5 applications. In Proc. the 21st USENIX Security symposium, 2012.


The quest to replace passwords: A framework for comparative evaluation of web authentication schemes

J. Bonneau, C. Herley, P. C. v. Oorschot, and F. Stajano. The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In Proc. of IEEE Symp. on Security and Privacy, 2012

ARBAUGH, W., FARBER, D., AND SMITH, J. A secure and reliable bootstrap architecture. In Proc. IEEE Symp. on Security and Privacy (May 1997), pp. 65–71.

CANETTI, R., DODIS, Y., HALEVI, S., KUSHILEVITZ, E., AND SAHAI, A. Exposure-resilient functions and all-or-nothing transforms. In Advances in Cryptology – EUROCRYPT 2000 (2000), vol. 1807/2000, pp. 453–469.

ECKSTEIN, K., AND DORNSEIF, M. On the meaning of ‘physical access’ to a computing device: A vulnerability classification of

mobile computing devices. Presentation, NATO C3A Workshop on Network-Enabled Warfare, Apr. 2005.

IEEE 1619 SECURITY IN STORAGE WORKING GROUP. IEEE P1619/D19: Draft standard for cryptographic protection of data on block-oriented storage devices, July 2007.

M. Bailey, J. Oberheide, J. Andersen, Z. M. Mao, F. Jahanian, and J. Nazario. Automated Classification and Analysis of Internet Malware. In RAID, 2007.

G. Hunt and D. Brubacher. Detours: BinaryInterception of Win32 Functions. In WINSYM, pages 135–143, 1999. 

N. Provos and T. Holz. Virtual Honeypots: From Botnet Tracking to Intrusion Detection. Addison-Wesley Professional, Reading, 2007.

H. Yin, D. Song, M. Egele, C. Kruegel, and E. Kirda. Panorama: Capturing system-wide information flow for malware detection and analysis. In CCS, 2007. 

Thursday, 1 January 2015

Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities

Y.-M. Wang, D. Beck, X. Jiang, R. Roussev, C. Verbowski, S. Chen, and S. T. King. Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities. In NDSS, 2006.

T. Garfinkel and M. Rosenblum. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In NDSS, 2003.

J. Caballero, H. Yin, Z. Liang, and D. Song. Polyglot: Automatic Extraction of Protocol Message Format using Dynamic Binary Analysis. In CCS, 2007.

SEAGATE CORPORATION. Drivetrust technology: A technical overview. http://www.seagate.com/docs/pdf/whitepaper/TP564DriveTrust Oct06.pdf.

NATIONAL CONFERENCE OF STATE LEGISLATURES. State security breach notification laws. http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm, Jan. 2008.

CHOW, J., PFAFF, B., GARFINKEL, T., AND ROSENBLUM, M. Shredding your garbage: Reducing data lifetime through secure deallocation. In Proc. 14th USENIX Security Symposium (Aug. 2005), pp. 331–346.

S. Son, K. S. McKinley, and V. Shmatikov. Rolecast: finding missing security checks when you do not know what checks are. In ACM SIGPLAN Notices, volume 46, pages 1069–1084. ACM, 2011.

V. Felmetsger, L. Cavedon, C. Kruegel, and G. Vigna. Toward automated detection of logic vulnerabilities in web applications. In USENIX Security Symposium, 2010.

B. Adida, A. Barth, and C. Jackson. Rootkits for javascript environments. In Proc. of WOOT 2009, 2009. 

Architecture for protecting critical secrets in microprocessors

LEE, R. B., KWAN, P. C., MCGREGOR, J. P., DWOSKIN, J., AND WANG, Z. Architecture for protecting critical secrets in microprocessors. In Proc. Intl. Symposium on Computer Architecture (2005), pp. 2–13.

M. Blanchou and P. Youn. Password managers: Exposing passwords everywhere, Nov 2013. https://www.isecpartners.com/media/106983/password_managers_nov13.pdf


R. Wang, S. Chen, and X. Wang. Signing me onto your accounts through facebook and google: A traffic-guided security study of commercially deployed single-sign-on web services. In Security and Privacy (SP), 2012 IEEE Symposium on, pages 365–379,
2012.

BARRY, P., AND HARTNETT, G. Designing Embedded Networking Applications: Essential Insights for Developers of Intel IXP4XX Network Processor Systems, first ed. Intel Press, May 2005, p. 47

DWOSKIN, J., AND LEE, R. B. Hardware-rooted trust for secure key management and transient trust. In Proc. 14th ACM Conference on Computer and Communications Security (Oct. 2007), pp. 389–400


GUTMANN, P. Data remanence in semiconductor devices. In Proc. 10th USENIX Security Symposium (Aug. 2001), pp. 39–54

SCHEICK, L. Z., GUERTIN, S. M., AND SWIFT, G. M. Analysis of radiation effects on individual DRAM cells. IEEE Transactions on Nuclear Science 47 (Dec. 2000), 2534–2538.