%%% -*-BibTeX-*- %%% ==================================================================== %%% BibTeX-file{ %%% author = "Nelson H. F. Beebe", %%% version = "1.58", %%% date = "14 October 2017", %%% time = "10:26:49 MDT", %%% filename = "tissec.bib", %%% address = "University of Utah %%% Department of Mathematics, 110 LCB %%% 155 S 1400 E RM 233 %%% Salt Lake City, UT 84112-0090 %%% USA", %%% telephone = "+1 801 581 5254", %%% FAX = "+1 801 581 4148", %%% URL = "http://www.math.utah.edu/~beebe", %%% checksum = "60003 12281 63207 606214", %%% email = "beebe at math.utah.edu, beebe at acm.org, %%% beebe at computer.org (Internet)", %%% codetable = "ISO/ASCII", %%% keywords = "bibliography, BibTeX, ACM Transactions %%% on Information and System Security", %%% license = "public domain", %%% supported = "yes", %%% docstring = "This is a COMPLETE BibTeX bibliography for %%% the journal ACM Transactions on Information %%% and System Security (CODEN ATISBQ, ISSN %%% 1094-9224 (print), 1557-7406 (electronic)), %%% covering all journal issues from 1998--2016. %%% Publication ceased with volume 18, number 4, %%% in 2016, when the journal was renamed to %%% ACM Transactions on Privacy and Security (TOPS). %%% The new journal is covered in a separate %%% bibliography, tops.bib. %%% %%% At version 1.58, the COMPLETE journal %%% coverage looked like this: %%% %%% 1998 ( 5) 2005 ( 16) 2012 ( 14) %%% 1999 ( 15) 2006 ( 16) 2013 ( 16) %%% 2000 ( 12) 2007 ( 12) 2014 ( 13) %%% 2001 ( 14) 2008 ( 42) 2015 ( 16) %%% 2002 ( 17) 2009 ( 19) 2016 ( 6) %%% 2003 ( 17) 2010 ( 31) %%% 2004 ( 20) 2011 ( 32) %%% %%% Article: 333 %%% %%% Total entries: 333 %%% %%% The journal Web page can be found at: %%% %%% http://www.acm.org/pubs/tissec %%% %%% The journal table of contents page is at: %%% %%% http://www.acm.org/pubs/contents/journals/tissec/ %%% http://portal.acm.org/browse_dl.cfm?idx=J789 %%% %%% The initial draft was extracted from the %%% journal Web site. %%% %%% ACM copyrights explicitly permit abstracting %%% with credit, so article abstracts, keywords, %%% and subject classifications have been %%% included in this bibliography wherever %%% available. Article reviews have been %%% omitted, until their copyright status has %%% been clarified. %%% %%% URL keys in the bibliography point to %%% World Wide Web locations of additional %%% information about the entry. %%% %%% Numerous errors in the sources noted above %%% have been corrected. Spelling has been %%% verified with the UNIX spell and GNU ispell %%% programs using the exception dictionary %%% stored in the companion file with extension %%% .sok. %%% %%% BibTeX citation tags are uniformly chosen %%% as name:year:abbrev, where name is the %%% family name of the first author or editor, %%% year is a 4-digit number, and abbrev is a %%% 3-letter condensation of important title %%% words. Citation tags were automatically %%% generated by software developed for the %%% BibNet Project. %%% %%% In this bibliography, entries are sorted in %%% publication order, using ``bibsort -byvolume.'' %%% %%% The checksum field above contains a CRC-16 %%% checksum as the first value, followed by the %%% equivalent of the standard UNIX wc (word %%% count) utility output of lines, words, and %%% characters. This is produced by Robert %%% Solovay's checksum utility.", %%% } %%% ==================================================================== @Preamble{"\input bibnames.sty"} %%% ==================================================================== %%% Acknowledgement abbreviations: @String{ack-nhfb = "Nelson H. F. Beebe, University of Utah, Department of Mathematics, 110 LCB, 155 S 1400 E RM 233, Salt Lake City, UT 84112-0090, USA, Tel: +1 801 581 5254, FAX: +1 801 581 4148, e-mail: \path|beebe@math.utah.edu|, \path|beebe@acm.org|, \path|beebe@computer.org| (Internet), URL: \path|http://www.math.utah.edu/~beebe/|"} %%% ==================================================================== %%% Journal abbreviations: @String{j-TISSEC = "ACM Transactions on Information and System Security"} %%% ==================================================================== %%% Bibliography entries: @Article{Sandhu:1998:E, author = "Ravi Sandhu", title = "Editorial", journal = j-TISSEC, volume = "1", number = "1", pages = "1--2", month = nov, year = "1998", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jul 27 17:35:45 MDT 1999", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1998-1-1/p1-sandhu/", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Bergadano:1998:HDC, author = "Francesco Bergadano and Bruno Crispo and Giancarlo Ruffo", title = "High dictionary compression for proactive password checking", journal = j-TISSEC, volume = "1", number = "1", pages = "3--25", month = nov, year = "1998", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jul 27 17:35:45 MDT 1999", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1998-1-1/p3-bergadano/", abstract = "The important problem of user password selection is addressed and a new proactive password-checking technique is presented. In a training phase, a decision tree is generated based on a given dictionary of weak passwords. Then, the decision tree is used to determine whether a user password should be accepted. Experimental results described here show that the method leads to a very high dictionary compression (up to 1000 to 1) with low error rates (of the order of 1\%). A prototype implementation, called ProCheck, is made available online. We survey previous approaches to proactive password checking, and provide an in-depth comparison.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "experimentation; management; performance; security", subject = "{\bf D.4.6} Software, OPERATING SYSTEMS, Security and Protection, Authentication. {\bf K.6.5} Computing Milieux, MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS, Security and Protection, Authentication.", } @Article{Bertino:1998:EBI, author = "Elisa Bertino and Sabrina {De Capitani Di Vimercati} and Elena Ferrari and Pierangela Samarati", title = "Exception-based information flow control in object-oriented systems", journal = j-TISSEC, volume = "1", number = "1", pages = "26--65", month = nov, year = "1998", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jul 27 17:35:45 MDT 1999", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1998-1-1/p26-bertino/", abstract = "We present an approach to control information flow in object-oriented systems. The decision of whether an information flow is permitted or denied depends on both the authorizations specified on the objects and the process by which information is obtained and transmitted. Depending on the specific computations, a process accessing sensitive information could still be allowed to release information to users who are not allowed to directly access it. Exceptions to the permissions and restrictions stated by the authorizations are specified by means of exceptions associated with methods. Two kinds of exceptions are considered: {\em invoke exceptions,\/} applicable during a method execution and {\em reply exceptions\/} applicable to the information returned by a method. Information flowing from one object into another or returned to the user is subject to the different exceptions specified for the methods enforcing the transmission. We formally characterize information transmission and flow in a transaction and define the conditions for safe information flow. We define security specifications and characterize safe information flows. We propose an approach to control unsafe flows and present an algorithm to enforce it. We also illustrate an efficient implementation of our controls and present some experimental results evaluating its performance.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "security", subject = "{\bf H.2.7} Information Systems, DATABASE MANAGEMENT, Database Administration, Security, integrity, and protection. {\bf H.2.4} Information Systems, DATABASE MANAGEMENT, Systems, Object-oriented databases.", } @Article{Reiter:1998:CAW, author = "Michael K. Reiter and Aviel D. Rubin", title = "Crowds: anonymity for {Web} transactions", journal = j-TISSEC, volume = "1", number = "1", pages = "66--92", month = nov, year = "1998", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jul 27 17:35:45 MDT 1999", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1998-1-1/p66-reiter/", abstract = "In this paper we introduce a system called Crowds for protecting users' anonymity on the world-wide-web. Crowds, named for the notion of ``blending into a crowd,'' operates by grouping users into a large and geographically diverse group (crowd) that collectively issues requests on behalf of its members. Web servers are unable to learn the true source of a request because it is equally likely to have originated from any member of the crowd, and even collaborating crowd members cannot distinguish the originator of a request from a member who is merely forwarding the request on behalf of another. We describe the design, implementation, security, performance, and scalability of our system. Our security analysis introduces {\em degrees of anonymity\/} as an important tool for describing and proving anonymity properties.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "security", subject = "{\bf C.2.2} Computer Systems Organization, COMPUTER-COMMUNICATION NETWORKS, Network Protocols, Applications (SMTP, FTP, etc.). {\bf C.2.0} Computer Systems Organization, COMPUTER-COMMUNICATION NETWORKS, General, Security and protection (e.g., firewalls). {\bf K.4.1} Computing Milieux, COMPUTERS AND SOCIETY, Public Policy Issues, Privacy. {\bf K.4.4} Computing Milieux, COMPUTERS AND SOCIETY, Electronic Commerce, Security.", } @Article{Sandhu:1998:MRM, author = "Ravi Sandhu and Fang Chen", title = "The multilevel relational ({MLR}) data model", journal = j-TISSEC, volume = "1", number = "1", pages = "93--132", month = nov, year = "1998", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jul 27 17:35:45 MDT 1999", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1998-1-1/p93-sandhu/", abstract = "Many multilevel relational models have been proposed; different models offer different advantages. In this paper, we adapt and refine several of the best ideas from previous models and add new ones to build the new Multilevel Relational (MLR) data model. MLR provides multilevel relations with element-level labeling as a natural extension of the traditional relational data model. MLR introduces several new concepts (notably, data-borrow integrity and the UPLEVEL statement) and significantly redefines existing concepts (polyinstantiation and referential integrity as well as data manipulation operations). A central contribution of this paper is proofs of soundness, completeness, and security of MLR. A new {\em data-based\/} semantics is given for the MLR data model by combining ideas from SeaView, belief-based semantics, and LDV. This new semantics has the advantages of both eliminating ambiguity and retaining upward information flow. MLR is secure, unambiguous, and powerful. It has five integrity properties and five operations for manipulating multilevel relations. Soundness, completeness, and security show that any of the five database manipulation operations will keep database states legal (i.e., satisfy all integrity properties), that every legal database state can be constructed, and that MLR is noninterfering. The expressive power of MLR also compares favorably with several other models.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "security", subject = "{\bf H.2.7} Information Systems, DATABASE MANAGEMENT, Database Administration, Security, integrity, and protection.", } @Article{Sandhu:1999:E, author = "Ravi Sandhu", title = "Editorial", journal = j-TISSEC, volume = "2", number = "1", pages = "1--2", month = feb, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Oct 26 10:21:44 MDT 2000", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-1/p1-sandhu/", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Nyanchama:1999:RGM, author = "Matunda Nyanchama and Sylvia Osborn", title = "The role graph model and conflict of interest", journal = j-TISSEC, volume = "2", number = "1", pages = "3--33", month = feb, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jul 27 17:35:45 MDT 1999", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1999-2-1/p3-nyanchama/", abstract = "We describe in more detail than before the reference model for role-based access control introduced by Nyanchama and Osborn, and the role-graph model with its accompanying algorithms, which is one way of implementing role-role relationships. An alternative role insertion algorithm is added, and it is shown how the role creation policies of Fernandez et al. correspond to role addition algorithms in our model. We then use our reference model to provide a taxonomy for kinds of conflict. We then go on to consider in some detail privilege-privilege and role-role conflicts in conjunction with the role graph model. We show how role-role conflicts lead to a partitioning of the role graph into nonconflicting collections that can together be safely authorized to a given user. Finally, in an appendix, we present the role graph algorithms with additional logic to disallow roles that contain conflicting privileges.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "algorithms; management; security", subject = "{\bf D.4.6} Software, OPERATING SYSTEMS, Security and Protection, Access controls. {\bf K.6.5} Computing Milieux, MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS, Security and Protection. {\bf G.2.2} Mathematics of Computing, DISCRETE MATHEMATICS, Graph Theory, Graph algorithms.", } @Article{Ferraiolo:1999:RBA, author = "David F. Ferraiolo and John F. Barkley and D. Richard Kuhn", title = "A role-based access control model and reference implementation within a corporate intranet", journal = j-TISSEC, volume = "2", number = "1", pages = "34--64", month = feb, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jul 27 17:35:45 MDT 1999", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1999-2-1/p34-ferraiolo/", abstract = "This paper describes NIST's enhanced RBAC model and our approach to designing and implementing RBAC features for networked Web servers. The RBAC model formalized in this paper is based on the properties that were first described in Ferraiolo and Kuhn [1992] and Ferraiolo et al. [1995], with adjustments resulting from experience gained by prototype implementations, market analysis, and observations made by Jansen [1988] and Hoffman [1996]. The implementation of RBAC for the Web (RBAC/Web) provides an alternative to the conventional means of administering and enforcing authorization policy on a server-by-server basis. RBAC/Web provides administrators with a means of managing authorization data at the enterprise level, in a manner consistent with the current set of laws, regulations, and practices.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "security; standardization", subject = "{\bf C.2.4} Computer Systems Organization, COMPUTER-COMMUNICATION NETWORKS, Distributed Systems. {\bf C.2.5} Computer Systems Organization, COMPUTER-COMMUNICATION NETWORKS, Local and Wide-Area Networks. {\bf D.4.6} Software, OPERATING SYSTEMS, Security and Protection, Access controls. {\bf D.4.7} Software, OPERATING SYSTEMS, Organization and Design, Distributed systems.", } @Article{Bertino:1999:SEA, author = "Elisa Bertino and Elena Ferrari and Vijay Atluri", title = "The specification and enforcement of authorization constraints in workflow management systems", journal = j-TISSEC, volume = "2", number = "1", pages = "65--104", month = feb, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jul 27 17:35:45 MDT 1999", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1999-2-1/p65-bertino/", abstract = "In recent years, workflow management systems (WFMSs) have gained popularity in both research and commercial sectors. WFMSs are used to coordinate and streamline business processes. Very large WFMSs are often used in organizations with users in the range of several thousands and process instances in the range of tens and thousands. To simplify the complexity of security administration, it is common practice in many businesses to allocate a role for each activity in the process and then assign one or more users to each role---granting an authorization to roles rather than to users. Typically, security policies are expressed as constraints (or rules) on users and roles; {\em separation of duties\/} is a well-known constraint. Unfortunately, current role-based access control models are not adequate to model such constraints. To address this issue we (1) present a language to express both static and dynamic authorization constraints as clauses in a logic program; (2) provide formal notions of constraint consistency; and (3) propose algorithms to check the consistency of constraints and assign users and roles to tasks that constitute the workflow in such a way that no constraints are violated.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "security", subject = "{\bf H.2.0} Information Systems, DATABASE MANAGEMENT, General, Security, integrity, and protection**.", } @Article{Sandhu:1999:AMR, author = "Ravi Sandhu and Venkata Bhamidipati and Qamar Munawer", title = "The {ARBAC97} model for role-based administration of roles", journal = j-TISSEC, volume = "2", number = "1", pages = "105--135", month = feb, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jul 27 17:35:45 MDT 1999", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1999-2-1/p105-sandhu/", abstract = "In role-based access control (RBAC), permissions are associated with roles' and users are made members of roles, thereby acquiring the roles; permissions. RBAC's motivation is to simplify administration of authorizations. An appealing possibility is to use RBAC itself to manage RBAC, to further provide administrative convenience and scalability, especially in decentralizing administrative authority, responsibility, and chores. This paper describes the motivation, intuition, and formal definition of a new role-based model for RBAC administration. This model is called ARBAC97 (administrative RBAC '97) and has three components: URA97 (user-role assignment '97), RPA97 (permission-role assignment '97), and RRA97 (role-role assignment '97) dealing with different aspects of RBAC administration. URA97, PRA97, and an outline of RRA97 were defined in 1997, hence the designation given to the entire model. RRA97 was completed in 1998. ARBAC97 is described completely in this paper for the first time. We also discusses possible extensions of ARBAC97.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "algorithms; management; security", subject = "{\bf C.2.4} Computer Systems Organization, COMPUTER-COMMUNICATION NETWORKS, Distributed Systems. {\bf D.4.6} Software, OPERATING SYSTEMS, Security and Protection, Access controls. {\bf D.4.7} Software, OPERATING SYSTEMS, Organization and Design, Distributed systems. {\bf G.2.2} Mathematics of Computing, DISCRETE MATHEMATICS, Graph Theory, Graph algorithms. {\bf H.2.0} Information Systems, DATABASE MANAGEMENT, General, Security, integrity, and protection**. {\bf K.6.5} Computing Milieux, MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS, Security and Protection.", } @Article{Reiter:1999:AMA, author = "Michael K. Reiter and Stuart G. Stubblebine", title = "Authentication metric analysis and design", journal = j-TISSEC, volume = "2", number = "2", pages = "138--158", month = may, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Oct 26 11:39:38 MDT 2000", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-2/p138-reiter/", abstract = "Authentication using a path of trusted intermediaries, each able to authenticate the next in the path, is a well-known technique for authenticating entities in a large-scale system. Recent work has extended this technique to include multiple paths in an effort to bolster authentication, but the success of this approach may be unclear in the face of intersecting paths, ambiguities in the meaning of certificates, and interdependencies in the use of different keys. Thus, several authors have proposed metrics to evaluate the confidence afforded by a set of paths. In this paper we develop a set of guiding principles for the design of such metrics. We motivate our principles by showing how previous approaches failed with respect to these principles and what the consequences to authentication might be. We then propose a new metric that appears to meet our principles, and so to be a satisfactory metric of authentication.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", generalterms = "Measurement; Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "metrics of authentication; public key infrastructure", subject = "Software --- Operating Systems --- Security and Protection (D.4.6): {\bf Authentication}; Computing Milieux --- Management of Computing and Information Systems --- Security and Protection (K.6.5): {\bf Authentication}", } @Article{Schneier:1999:SAL, author = "Bruce Schneier and John Kelsey", title = "Secure Audit Logs to Support Computer Forensics", journal = j-TISSEC, volume = "2", number = "2", pages = "159--176", month = may, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Oct 26 11:39:38 MDT 2000", bibsource = "http://www.acm.org/tissec/contents/v2no2.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-2/p159-schneier/", abstract = "In many real-world applications, sensitive information must be kept it log files on an untrusted machine. In the event that an attacker captures this machine, we would like to guarantee that he will gain little or no information from the log files and to limit his ability to corrupt the log files. We describe a computationally cheap method for making all log entries generated prior to the logging machine's compromise impossible for the attacker to read, and also impossible to modify or destroy undetectably.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", generalterms = "Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "audit logs; auditing; authentication; computer forensics; hash chains; intrusion detection", subject = "Computer Systems Organization --- Computer-Communication Networks --- Distributed Systems (C.2.4); Computer Systems Organization --- Computer-Communication Networks (C.2); Computer Systems Organization --- Computer-Communication Networks --- General (C.2.0); Computer Systems Organization --- Computer-Communication Networks --- Network Protocols (C.2.2)", } @Article{Jaeger:1999:FCD, author = "Trent Jaeger and Atul Prakash and Jochen Liedtke and Nayeem Islam", title = "Flexible Control of Downloaded Executable Content", journal = j-TISSEC, volume = "2", number = "2", pages = "177--228", month = may, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Oct 26 11:39:38 MDT 2000", bibsource = "http://www.acm.org/tissec/contents/v2no2.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-2/p177-jaeger/", abstract = "We present a security architecture that enables system and application access control requirements to be enforced on applications composed from downloaded executable content. Downloaded executable content consists of messages downloaded from remote hosts that contain executables that run, upon receipt, on the downloading principal's machine. Unless restricted, this content can perform malicious actions, including accessing its downloading principal's private data and sending messages on this principal's behalf. Current security architectures for controlling downloaded executable content (e.g., JDK 1.2) enable specification of access control requirements for content based on its provider and identity. Since these access control requirements must cover every legal use of the class, they may include rights that are not necessary for a particular application of content. Therefore, using these systems, an application composed from downloaded executable content cannot enforce its access control requirements without the addition of application-specific security mechanisms. In this paper, we define an access control model with the following properties: (1) system administrators can define system access control requirements on applications and (2) application developers can use the same model to enforce application access control requirements without the need for ad hoc security mechanisms. This access control model uses features of role-based access control models to enable (1) specification of a single role that applies to multiple application instances; (2) selection of a content's access rights based on the content's application and role in the application; (3) consistency maintained between application state and content access rights; and (4) control of role administration. We detail a system architecture that uses this access control model to implement secure collaborative applications. Lastly, we describe an implementation of this architecture, called the Lava security architecture.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", generalterms = "Management; Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "access control models; authentication; authorization mechanisms; collaborative systems; role-based access control", subject = "Software --- Software Engineering --- Management (D.2.9): {\bf Software configuration management}; Software --- Operating Systems --- Security and Protection (D.4.6): {\bf Access controls}; Software --- Operating Systems --- Security and Protection (D.4.6): {\bf Invasive software}; Computing Milieux --- Management of Computing and Information Systems --- System Management (K.6.4): {\bf Centralization/decentralization}; Computing Milieux --- Management of Computing and Information Systems --- Security and Protection (K.6.5): {\bf Invasive software}", } @Article{Halevi:1999:PKC, author = "Shai Halevi and Hugo Krawczyk", title = "Public-Key Cryptography and Password Protocols", journal = j-TISSEC, volume = "2", number = "3", pages = "230--268", month = aug, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Oct 26 11:39:38 MDT 2000", bibsource = "http://www.acm.org/tissec/contents/v2no3.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-3/p230-halevi/", abstract = "We study protocols for strong authentication and key exchange in asymmetric scenarios where the authentication server possesses a pair of private and public keys while the client has only a weak human-memorizable password as its authentication key. We present and analyze several simple password authentication protocols in this scenario, and show that the security of these protocols can be formally proven based on standard cryptographic assumptions. Remarkably, our analysis shows optimal resistance to off-line password guessing attacks under the choice of suitable public key encryption functions. In addition to user authentication, we describe ways to enhance these protocols to provide two-way authentication, authenticated key exchange, defense against server's compromise, and user anonymity. We complement these results with a proof that strongly indicates that public key techniques are unavoidable for password protocols that resist off-line guessing attacks. \par As a further contribution, we introduce the notion of {\em public passwords\/} that enables the use of the above protocols in situations where the client's machine does not have the means to validate the server's public key. Public passwords serve as ``hand-held certificates'' that the user can carry without the need for special computing devices.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "dictionary attacks; hand-held certificates; key exchange; passwords; public passwords; public-key protocols", subject = "Computer Systems Organization --- Computer-Communication Networks --- General (C.2.0): {\bf Security and protection (e.g., firewalls)}; Computing Milieux --- Management of Computing and Information Systems --- Security and Protection (K.6.5): {\bf Authentication}", } @Article{Xu:1999:DHP, author = "Jun Xu and Mukesh Singhal", title = "Design of a High-Performance {ATM} Firewall", journal = j-TISSEC, volume = "2", number = "3", pages = "269--294", month = aug, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Oct 26 11:39:38 MDT 2000", bibsource = "http://www.acm.org/tissec/contents/v2no3.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-3/p269-xu/", abstract = "A router-based packet-filtering firewall is an effective way of protecting an enterprise network from unauthorized access. However, it will not work efficiently in an ATM network because it requires the termination of end-to-end ATM connections at a packet-filtering router, which incurs huge overhead of SAR (Segmentation and Reassembly). Very few approaches to this problem have been proposed in the literature, and none is completely satisfactory. In this paper we present the hardware design of a high-speed ATM firewall that does not require the termination of an end-to-end connection in the middle. We propose a novel firewall design philosophy, called Quality of Firewalling (QoF), that applies security measures of different strength to traffic with different risk levels and show how it can be implemented in our firewall. Compared with the traditional firewalls, this ATM firewall performs exactly the same packet-level filtering without compromising the performance and has the same ``look and feel'' by sitting at the chokepoint between the trusted ATM LAN and untrusted ATM WAN. It is also easy to manage and flexible to use.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "asynchronous transfer mode; firewall; packet filtering; switch architecture; TCP/IP", subject = "Computer Systems Organization --- Performance of Systems (C.4): {\bf Performance attributes}; Computer Systems Organization --- Performance of Systems (C.4); Computer Systems Organization --- Computer-Communication Networks --- General (C.2.0); Computer Systems Organization --- Computer-Communication Networks --- Network Architecture and Design (C.2.1): {\bf Asynchronous Transfer Mode (ATM)}; Computer Systems Organization --- Computer-Communication Networks --- Internetworking (C.2.6): {\bf Routers}; Computer Systems Organization --- Computer-Communication Networks --- Local and Wide-Area Networks (C.2.5)", } @Article{Lane:1999:TSL, author = "Terran Lane and Carla E. Brodley", title = "Temporal sequence learning and data reduction for anomaly detection", journal = j-TISSEC, volume = "2", number = "3", pages = "295--331", month = aug, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Oct 26 11:39:38 MDT 2000", bibsource = "http://www.acm.org/tissec/contents/v2no3.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-3/p295-lane/", abstract = "The anomaly-detection problem can be formulated as one of learning to characterize the behaviors of an individual, system, or network in terms of temporal sequences of discrete data. We present an approach on the basis of instance-based learning (IBL) techniques. To cast the anomaly-detection task in an IBL framework, we employ an approach that transforms temporal sequences of discrete, unordered observations into a metric space via a similarity measure that encodes intra-attribute dependencies. Classification boundaries are selected from an {\em a posteriori\/} characterization of valid user behaviors, coupled with a domain heuristic. An empirical evaluation of the approach on user command data demonstrates that we can accurately differentiate the profiled user from alternative users when the available features encode sufficient information. Furthermore, we demonstrate that the system detects anomalous conditions {\em quickly\/} --- an important quality for reducing potential damage by a malicious user. We present several techniques for reducing data storage requirements of the user profile, including instance-selection methods and clustering. As empirical evaluation shows that a new greedy clustering algorithm reduces the size of the user model by 70\%, with only a small loss in accuracy.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "anomaly detection; clustering; data reduction; empirical evaluation; instance based learning; machine learning; user profiling", subject = "Software --- Operating Systems --- Security and Protection (D.4.6)", } @Article{Paulson:1999:IAI, author = "Lawrence C. Paulson", title = "Inductive analysis of the {Internet} protocol {TLS}", journal = j-TISSEC, volume = "2", number = "3", pages = "332--351", month = aug, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Oct 26 11:39:38 MDT 2000", bibsource = "http://www.acm.org/tissec/contents/v2no3.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-3/p332-paulson/", abstract = "Internet browsers use security protocols to protect sensitive messages. An inductive analysis of TLS (a descendant of SSL 3.0) has been performed using the theorem prover Isabelle. Proofs are based on higher-order logic and make no assumptions concerning beliefs of finiteness. All the obvious security goals can be proved; session resumption appears to be secure even if old session keys are compromised. The proofs suggest minor changes to simplify the analysis. \par TLS, even at an abstract level, is much more complicated than most protocols verified by researchers. Session keys are negotiated rather than distributed, and the protocol has many optional parts. Netherless, the resources needed to verify TLS are modest: six man-weeks of effort and three minutes of processor time.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", generalterms = "Security; Verification", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "authentication; inductive method; Isabelle; proof tools; TLS", subject = "Theory of Computation --- Logics and Meanings of Programs --- Specifying and Verifying and Reasoning about Programs (F.3.1): {\bf Mechanical verification}; Computer Systems Organization --- Computer-Communication Networks --- Network Protocols (C.2.2): {\bf Protocol verification}", } @Article{Stubblebine:1999:UST, author = "Stuart G. Stubblebine and Paul F. Syverson and David M. Goldschlag", title = "Unlinkable serial transactions: protocols and applications", journal = j-TISSEC, volume = "2", number = "4", pages = "354--389", month = nov, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Oct 26 11:39:38 MDT 2000", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org/pubs/articles/journals/tissec/1999-2-4/p354-stubblebine/p354-stubblebine.pdf; http://www.acm.org/pubs/citations/journals/tissec/1999-2-4/p354-stubblebine/", abstract = "We present a protocol for unlinkable serial transactions suitable for a variety of network-based subscription services. It is the first protocol to use cryptographic blinding to enable subscription services. The protocol prevents the service from tracking the behavior of its customers, while protecting the service vendor from abuse due to simultaneous or cloned use by a single subscriber. Our basic protocol structure and recovery protocol are robust against failure in protocol termination. We evaluate the security of the basic protocol and extend the basic protocol to include auditing, which further deters subscription sharing. We describe other applications of unlinkable serial transactions for pay-per-use trans subscription, third-party subscription management, multivendor coupons, proof of group membership, and voting.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", generalterms = "Design; Security; Verification", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "anonymity; blinding; cryptographic protocols; unlinkable serial transactions", subject = "Computer Applications --- Administrative Data Processing (J.1); Software --- Operating Systems --- Security and Protection (D.4.6): {\bf Access controls}; Software --- Operating Systems --- Security and Protection (D.4.6): {\bf Cryptographic controls}; Software --- Operating Systems --- Security and Protection (D.4.6): {\bf Authentication}; Computing Milieux --- Management of Computing and Information Systems --- Security and Protection (K.6.5); Computing Milieux --- Management of Computing and Information Systems --- Security and Protection (K.6.5): {\bf Authentication}; Computing Milieux --- Management of Computing and Information Systems --- Security and Protection (K.6.5): {\bf Unauthorized access (e.g., hacking, phreaking)}; Information Systems --- Information Storage and Retrieval --- Systems and Software (H.3.4): {\bf User profiles and alert services}; Information Systems --- Database Management --- Systems (H.2.4): {\bf Transaction processing}; Information Systems --- Information Storage and Retrieval --- Digital Libraries (H.3.7): {\bf User issues}", } @Article{Gabber:1999:SPC, author = "Eran Gabber and Phillip B. Gibbons and David M. Kristol and Yossi Matias and Alain Mayer", title = "On secure and pseudonymous client-relationships with multiple servers", journal = j-TISSEC, volume = "2", number = "4", pages = "390--415", month = nov, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Oct 26 11:39:38 MDT 2000", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-4/p390-gabber/", abstract = "This paper introduces a cryptographic engine, Janus, which assists clients in establishing and maintaining secure and pseudonymous relationships with multiple servers. The setting is such that clients reside on a particular subnet (e.g., corporate intranet, ISP) and the servers reside anywhere on the Internet. The Janus engine allows each client-server relationship to use either weak or strong authentication on each interaction. At the same time, each interaction preserves privacy by neither revealing a clients true identity (except for the subnet) nor the set of servers with which a particular client interacts. Furthermore, clients do not need any secure long-term memory, enabling scalability and mobility. The interaction model extends to allow servers to send data back to clients via e-mail at a later date. Hence, our results complement the functionality of current network anonymity tools and remailers. The paper also describes the design and implementation of the Lucent Personalized Web Assistant (LPWA), which is a practical system that provides secure and pseudonymous relations with multiple servers on the Internet. LPWA employs the Janus function to generate site-specific person?, which consist of alias usernames, passwords, and e-mail addresses.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", generalterms = "Algorithms; Experimentation; Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "anonymity; Janus function; mailbox; persistent relationship; privacy; pseudonym", subject = "Computing Milieux --- Management of Computing and Information Systems --- Security and Protection (K.6.5): {\bf Authentication}", } @Article{Hevia:1999:STD, author = "Alejandro Hevia and Marcos Kiwi", title = "Strength of Two {Data Encryption Standard} Implementations under Timing Attack", journal = j-TISSEC, volume = "2", number = "4", pages = "416--437", month = nov, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Oct 26 11:39:38 MDT 2000", bibsource = "http://www.acm.org/tissec/contents/v2no2.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-4/p416-hevia/", abstract = "We study the vulnerability of two implementations of the Data Encryption Standard (DES) cryptosystem under a timing attack. A timing attack is a method, recently proposed by Paul Kocher, that is designed to break cryptographic systems. It exploits the engineering aspects involved in the implementation of cryptosystems and might succeed even against cryptosystems that remain impervious to sophisticated cryptanalytic techniques. A timing attack is, essentially, a way of obtaining some users private information by carefully measuring the time it takes the user to carry out cryptographic operations. In this work, we analyze two implementations of DES. We show that a timing attack yields the Hamming weight of the key used by both DES implementations. Moreover, the attack is computationally inexpensive. We also show that all the design characteristics of the target system, necessary to carry out the timing attack, can be inferred from timing measurements.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", generalterms = "Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "cryptanalysis; cryptography; data encryption standard; timing attack", subject = "Data --- Data Encryption (E.3): {\bf Data encryption standard (DES)**}; Computer Systems Organization --- Special-Purpose and Application-Based Systems (C.3)", } @Article{Frincke:2000:BCR, author = "Deborah Frincke", title = "Balancing Cooperation and Risk in Intrusion Detection", journal = j-TISSEC, volume = "3", number = "1", pages = "1--29", month = feb, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no1.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Schneider:2000:ESP, author = "Fred B. Schneider", title = "Enforceable Security Policies", journal = j-TISSEC, volume = "3", number = "1", pages = "30--50", month = feb, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no1.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Spinellis:2000:RMS, author = "Diomidis Spinellis", title = "Reflection as a Mechanism for Software Integrity Verification", journal = j-TISSEC, volume = "3", number = "1", pages = "51--62", month = feb, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no1.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Dolev:2000:XTE, author = "Shlomi Dolev and Rafail Ostrovsky", title = "Xor-Trees for Efficient Anonymous Multicast and Reception", journal = j-TISSEC, volume = "3", number = "2", pages = "63--84", month = may, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no2.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Osborn:2000:CRB, author = "Sylvia Osborn and Ravi Sandhu and Qamar Munawer", title = "Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies", journal = j-TISSEC, volume = "3", number = "2", pages = "85--106", month = may, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no2.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Wool:2000:KME, author = "Avishai Wool", title = "Key Management for Encrypted Broadcast", journal = j-TISSEC, volume = "3", number = "2", pages = "107--134", month = may, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no2.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Molva:2000:SMS, author = "Refik Molva and Alain Pannetrat", title = "Scalable Multicast Security with Dynamic Recipient Groups", journal = j-TISSEC, volume = "3", number = "3", pages = "136--160", month = aug, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no3.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Cramer:2000:SSB, author = "Ronald Cramer and Victor Shoup", title = "Signature Schemes Based on the Strong {RSA} Assumption", journal = j-TISSEC, volume = "3", number = "3", pages = "161--185", month = aug, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no3.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Axelsson:2000:BRF, author = "Stefan Axelsson", title = "The Base-Rate Fallacy and the Difficulty of Intrusion Detection", journal = j-TISSEC, volume = "3", number = "3", pages = "186--205", month = aug, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no3.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Ahn:2000:RBA, author = "Gail-Joon Ahn and Ravi Sandhu", title = "Role-based Authorization Constraints Specification", journal = j-TISSEC, volume = "3", number = "4", pages = "207--226", month = nov, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no4.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Lee:2000:FCF, author = "Wenke Lee and Salvatore J. Stolfo", title = "A Framework for Constructing Features and Models for Intrusion Detection Systems", journal = j-TISSEC, volume = "3", number = "4", pages = "227--261", month = nov, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no4.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{McHugh:2000:TID, author = "John McHugh", title = "Testing Intrusion detection systems: a critique of the 1998 and 1999 {DARPA} intrusion detection system evaluations as performed by {Lincoln Laboratory}", journal = j-TISSEC, volume = "3", number = "4", pages = "262--294", month = nov, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no4.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Chang:2001:RTP, author = "Ho-Yen Chang and S. Felix Wu and Y. Frank Jou", title = "Real-Time Protocol Analysis for Detecting Link-State Routing Protocol Attacks", journal = j-TISSEC, volume = "4", number = "1", pages = "1--36", month = feb, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v4no1.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Park:2001:RBA, author = "Joon S. Park and Ravi Sandhu and Gail-Joon Ahn", title = "Role-based access control on the {Web}", journal = j-TISSEC, volume = "4", number = "1", pages = "37--71", month = feb, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Smith:2001:CPH, author = "Richard E. Smith", title = "Cost Profile of a Highly Assured, Secure Operating System", journal = j-TISSEC, volume = "4", number = "1", pages = "72--101", month = feb, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v4no1.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Shands:2001:SVE, author = "Deborah Shands and Jay Jacobs and Richard Yee and E. John Sebes", title = "Secure Virtual Enclaves: Supporting Coalition Use of Distributed Application Technologies", journal = j-TISSEC, volume = "4", number = "2", pages = "103--133", month = may, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/contents/v4no2.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Steiner:2001:SPB, author = "Michael Steiner and Peter Buhler and Thomas Eirich and Michael Waidner", title = "Secure Password-Based Cipher Suite for {TLS}", journal = j-TISSEC, volume = "4", number = "2", pages = "134--157", month = may, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/contents/v4no2.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Jaeger:2001:PSF, author = "Trent Jaeger and Jonathon E. Tidswell", title = "Practical Safety in Flexible Access Control Models", journal = j-TISSEC, volume = "4", number = "2", pages = "158--190", month = may, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/contents/v4no3.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Bertino:2001:TTR, author = "Elisa Bertino and Piero Andrea Bonatti and Elena Ferrari", title = "{TRBAC}: a Temporal Role-based Access Control Model", journal = j-TISSEC, volume = "4", number = "3", pages = "191--223", month = aug, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:23 MST 2002", bibsource = "http://www.acm.org/tissec/contents/v4no3.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Ferraiolo:2001:PNS, author = "David F. Ferraiolo and Ravi Sandhu and Serban Gavrila and D. Richard Kuhn and Ramaswamy Chandramouli", title = "Proposed {NIST} standard for role-based access control", journal = j-TISSEC, volume = "4", number = "3", pages = "224--274", month = aug, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:23 MST 2002", bibsource = "http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Kaliski:2001:UKS, author = "Burton S. Kaliski", title = "An unknown key-share attack on the {MQV} key agreement protocol", journal = j-TISSEC, volume = "4", number = "3", pages = "275--288", month = aug, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:23 MST 2002", bibsource = "http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Rodeh:2001:APS, author = "Ohad Rodeh and Kenneth P. Birman and Danny Dolev", title = "The Architecture and Performance of Security Protocols in the {Ensemble Group Communication System}: Using Diamonds to Guard the Castle", journal = j-TISSEC, volume = "4", number = "3", pages = "289--319", month = aug, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:23 MST 2002", bibsource = "http://www.acm.org/tissec/contents/v4no4.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Bertino:2001:NTM, author = "Elisa Bertino and Barbara Catania and Elena Ferrari", title = "A Nested Transaction Model for Multilevel Secure Database Management Systems", journal = j-TISSEC, volume = "4", number = "4", pages = "321--370", month = nov, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:23 MST 2002", bibsource = "http://www.acm.org/tissec/contents/v4no4.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Kihlstrom:2001:SGC, author = "Kim Potter Kihlstrom and L. E. Moser and P. M. Melliar-Smith", title = "The SecureRing group communication system", journal = j-TISSEC, volume = "4", number = "4", pages = "371--406", month = nov, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:23 MST 2002", bibsource = "http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Ning:2001:ABI, author = "Peng Ning and Sushil Jajodia and Xiaoyang Sean Wang", title = "Abstraction-based intrusion detection in distributed environments", journal = j-TISSEC, volume = "4", number = "4", pages = "407--452", month = nov, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:23 MST 2002", bibsource = "http://www.acm.org/tissec/contents/v4no4.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Samarati:2001:AMP, author = "Pierangela Samarati and Michael K. Reiter and Sushil Jajodia", title = "An authorization model for a public key management service", journal = j-TISSEC, volume = "4", number = "4", pages = "453--482", month = nov, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:23 MST 2002", bibsource = "http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Bonatti:2002:ACA, author = "Piero Bonatti and Sabrina {De Capitani di Vimercati} and Pierangela Samarati", title = "An Algebra for Composing Access Control Policies", journal = j-TISSEC, volume = "5", number = "1", pages = "1--35", month = feb, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:35 MDT 2003", bibsource = "http://portal.acm.org/; http://www.acm.org/tissec/contents/v5no1.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Bernaschi:2002:RSE, author = "Massimo Bernaschi and Emanuele Gabrielli and Luigi V. Mancini", title = "{REMUS}: a Security-Enhanced Operating System", journal = j-TISSEC, volume = "5", number = "1", pages = "36--61", month = feb, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:35 MDT 2003", bibsource = "http://portal.acm.org/; http://www.acm.org/tissec/contents/v5no1.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Atluri:2002:AMT, author = "Vijayalakshmi Atluri and Avigdor Gal", title = "An authorization model for temporal and derived data: securing information portals", journal = j-TISSEC, volume = "5", number = "1", pages = "62--94", month = feb, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:35 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Blaze:2002:TMI, author = "Matt Blaze and John Ioannidis and Angelos D. Keromytis", title = "Trust Management for {IPsec}", journal = j-TISSEC, volume = "5", number = "2", pages = "95--118", month = may, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jul 25 16:54:06 MDT 2001", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Dean:2002:AAI, author = "Drew Dean and Matt Franklin and Adam Stubblefield", title = "An Algebraic Approach to {IP} Traceback", journal = j-TISSEC, volume = "5", number = "2", pages = "119--137", month = may, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:35 MDT 2003", bibsource = "http://portal.acm.org/; http://www.acm.org/tissec/contents/v5no3.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Rudys:2002:TLB, author = "Algis Rudys and Dan S. Wallach", title = "Termination in language-based systems", journal = j-TISSEC, volume = "5", number = "2", pages = "138--168", month = may, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:35 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Damiani:2002:FGA, author = "Ernesto Damiani and Sabrina {De Capitani di Vimercati} and Stefano Paraboschi and Pierangela Samarati", title = "A Fine-Grained Access Control System for {XML} Documents", journal = j-TISSEC, volume = "5", number = "2", pages = "169--202", month = may, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:35 MDT 2003", bibsource = "http://portal.acm.org/; http://www.acm.org/tissec/contents/v5no2.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Michael:2002:SSB, author = "C. C. Michael and Anup Ghosh", title = "Simple, state-based approaches to program-based anomaly detection", journal = j-TISSEC, volume = "5", number = "3", pages = "203--237", month = aug, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:36 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Viega:2002:TBS, author = "John Viega and J. T. Bloch and Tadayoshi Kohno and Gary McGraw", title = "Token-based scanning of source code for security problems", journal = j-TISSEC, volume = "5", number = "3", pages = "238--261", month = aug, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:36 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "ITS4", } @Article{Loughry:2002:ILO, author = "Joe Loughry and David A. Umphress", title = "Information leakage from optical emanations", journal = j-TISSEC, volume = "5", number = "3", pages = "262--289", month = aug, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:36 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Bertino:2002:SSD, author = "Elisa Bertino and Elena Ferrari", title = "Secure and Selective Dissemination of {XML} Documents", journal = j-TISSEC, volume = "5", number = "3", pages = "290--331", month = aug, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:36 MDT 2003", bibsource = "http://portal.acm.org/; http://www.acm.org/tissec/contents/v5no2.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Koch:2002:GBF, author = "Manuel Koch and Luigi V. Mancini and Francesco Parisi-Presicce", title = "A graph-based formalism for {RBAC}", journal = j-TISSEC, volume = "5", number = "3", pages = "332--365", month = aug, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:36 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Bergadano:2002:UAT, author = "Francesco Bergadano and Daniele Gunetti and Claudia Picardi", title = "User authentication through keystroke dynamics", journal = j-TISSEC, volume = "5", number = "4", pages = "367--397", month = nov, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:36 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Swift:2002:IGA, author = "Michael M. Swift and Anne Hopkins and Peter Brundrett and Cliff {Van Dyke} and Praerit Garg and Shannon Chan and Mario Goertzel and Gregory Jensenworth", title = "Improving the granularity of access control for {Windows 2000}", journal = j-TISSEC, volume = "5", number = "4", pages = "398--437", month = nov, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:36 MDT 2003", bibsource = "http://portal.acm.org/; http://www.acm.org/tissec/contents/v5no4.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Gordon:2002:EIS, author = "Lawrence A. Gordon and Martin P. Loeb", title = "The economics of information security investment", journal = j-TISSEC, volume = "5", number = "4", pages = "438--457", month = nov, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:36 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Harbitter:2002:MAP, author = "Alan Harbitter and Daniel A. Menasc{\'e}", title = "A methodology for analyzing the performance of authentication protocols", journal = j-TISSEC, volume = "5", number = "4", pages = "458--491", month = nov, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:36 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Bacon:2002:MOR, author = "Jean Bacon and Ken Moody and Walt Yao", title = "A model of {OASIS} role-based access control and its support for active security", journal = j-TISSEC, volume = "5", number = "4", pages = "492--540", month = nov, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:36 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Yu:2003:SSC, author = "Ting Yu and Marianne Winslett and Kent E. Seamons", title = "Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation", journal = j-TISSEC, volume = "6", number = "1", pages = "1--42", month = feb, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:37 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Halpern:2003:RBS, author = "Joseph Y. Halpern and Riccardo Pucella", title = "On the relationship between strand spaces and multi-agent systems", journal = j-TISSEC, volume = "6", number = "1", pages = "43--70", month = feb, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:37 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Bertino:2003:LFR, author = "Elisa Bertino and Barbara Catania and Elena Ferrari and Paolo Perlasca", title = "A Logical Framework for Reasoning about Access Control Models", journal = j-TISSEC, volume = "6", number = "1", pages = "71--127", month = feb, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:37 MDT 2003", bibsource = "http://portal.acm.org/; http://www.acm.org/tissec/contents/v5no4.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Li:2003:DLL, author = "Ninghui Li and Benjamin N. Grosof and Joan Feigenbaum", title = "Delegation logic: a logic-based approach to distributed authorization", journal = j-TISSEC, volume = "6", number = "1", pages = "128--171", month = feb, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:37 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Chari:2003:BPD, author = "Suresh N. Chari and Pau-Chen Cheng", title = "{BlueBoX}: a policy-driven, host-based intrusion detection system", journal = j-TISSEC, volume = "6", number = "2", pages = "173--200", month = may, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:37 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Crampton:2003:ASF, author = "Jason Crampton and George Loizou", title = "Administrative scope: a foundation for role-based administrative models", journal = j-TISSEC, volume = "6", number = "2", pages = "201--231", month = may, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:37 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Karjoth:2003:ACI, author = "G{\"u}nter Karjoth", title = "Access control with {IBM Tivoli} access manager", journal = j-TISSEC, volume = "6", number = "2", pages = "232--257", month = may, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:37 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Park:2003:EMS, author = "Jung Min Park and Edwin K. P. Chong and Howard Jay Siegel", title = "Efficient multicast stream authentication using erasure codes", journal = j-TISSEC, volume = "6", number = "2", pages = "258--285", month = may, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:37 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Wijesekera:2003:PPA, author = "Duminda Wijesekera and Sushil Jajodia", title = "A propositional policy algebra for access control", journal = j-TISSEC, volume = "6", number = "2", pages = "286--325", month = may, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:37 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Jaeger:2003:PMU, author = "Trent Jaeger and Xiaolan Zhang and Fidel Cacheda", title = "Policy management using access control spaces", journal = j-TISSEC, volume = "6", number = "3", pages = "327--364", month = aug, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 22 17:56:09 MST 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Rogaway:2003:OBC, author = "Phillip Rogaway and Mihir Bellare and John Black", title = "{OCB}: a block-cipher mode of operation for efficient authenticated encryption", journal = j-TISSEC, volume = "6", number = "3", pages = "365--403", month = aug, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 22 17:56:09 MST 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Zhang:2003:RBF, author = "Longhua Zhang and Gail-Joon Ahn and Bei-Tseng Chu", title = "A rule-based framework for role-based delegation and revocation", journal = j-TISSEC, volume = "6", number = "3", pages = "404--441", month = aug, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 22 17:56:09 MST 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Julisch:2003:CID, author = "Klaus Julisch", title = "Clustering intrusion detection alarms to support root cause analysis", journal = j-TISSEC, volume = "6", number = "4", pages = "443--471", month = nov, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 22 17:56:10 MST 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Persiano:2003:SPS, author = "Pino Persiano and Ivan Visconti", title = "A secure and private system for subscription-based remote services", journal = j-TISSEC, volume = "6", number = "4", pages = "472--500", month = nov, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 22 17:56:10 MST 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Barker:2003:FAC, author = "Steve Barker and Peter J. Stuckey", title = "Flexible access control policy specification with constraint logic programming", journal = j-TISSEC, volume = "6", number = "4", pages = "501--546", month = nov, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 22 17:56:10 MST 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Ellison:2003:PKS, author = "Carl Ellison and Steve Dohrmann", title = "Public-key support for group collaboration", journal = j-TISSEC, volume = "6", number = "4", pages = "547--565", month = nov, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 22 17:56:10 MST 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Thompson:2003:CBA, author = "Mary R. Thompson and Abdelilah Essiari and Srilekha Mudumbai", title = "Certificate-based authorization policy in a {PKI} environment", journal = j-TISSEC, volume = "6", number = "4", pages = "566--588", month = nov, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 22 17:56:10 MST 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Ateniese:2004:VED, author = "Giuseppe Ateniese", title = "Verifiable encryption of digital signatures and applications", journal = j-TISSEC, volume = "7", number = "1", pages = "1--20", month = feb, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Levi:2004:UNC, author = "Albert Levi and M. Ufuk Caglayan and Cetin K. Koc", title = "Use of nested certificates for efficient, dynamic, and trust preserving public key infrastructure", journal = j-TISSEC, volume = "7", number = "1", pages = "21--59", month = feb, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Kim:2004:TBG, author = "Yongdae Kim and Adrian Perrig and Gene Tsudik", title = "Tree-based group key agreement", journal = j-TISSEC, volume = "7", number = "1", pages = "60--96", month = feb, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Montenegro:2004:CBI, author = "Gabriel Montenegro and Claude Castelluccia", title = "Crypto-based identifiers {(CBIDs)}: {Concepts} and applications", journal = j-TISSEC, volume = "7", number = "1", pages = "97--127", month = feb, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Park:2004:UUC, author = "Jaehong Park and Ravi Sandhu", title = "The {UCON$_{ABC}$} usage control model", journal = j-TISSEC, volume = "7", number = "1", pages = "128--174", month = feb, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Jaeger:2004:CAA, author = "Trent Jaeger and Antony Edwards and Xiaolan Zhang", title = "Consistency analysis of authorization hook placement in the {Linux} security modules framework", journal = j-TISSEC, volume = "7", number = "2", pages = "175--205", month = may, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Bellare:2004:BPR, author = "Mihir Bellare and Tadayoshi Kohno and Chanathip Namprempre", title = "Breaking and provably repairing the {SSH} authenticated encryption scheme: a case study of the Encode-then-Encrypt-and-{MAC} paradigm", journal = j-TISSEC, volume = "7", number = "2", pages = "206--241", month = may, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Aiello:2004:JFK, author = "William Aiello and Steven M. Bellovin and Matt Blaze and Ran Canetti and John Ioannidis and Angelos D. Keromytis and Omer Reingold", title = "Just fast keying: {Key} agreement in a hostile {Internet}", journal = j-TISSEC, volume = "7", number = "2", pages = "242--273", month = may, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Ning:2004:TTA, author = "Peng Ning and Yun Cui and Douglas S. Reeves and Dingbang Xu", title = "Techniques and tools for analyzing intrusion alerts", journal = j-TISSEC, volume = "7", number = "2", pages = "274--318", month = may, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Stubblefield:2004:KRA, author = "Adam Stubblefield and John Ioannidis and Aviel D. Rubin", title = "A key recovery attack on the 802.11b wired equivalent privacy protocol {(WEP)}", journal = j-TISSEC, volume = "7", number = "2", pages = "319--332", month = may, year = "2004", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/996943.996948", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "In this paper, we present a practical key recovery attack on WEP, the link-layer security protocol for 802.11b wireless networks. The attack is based on a partial key exposure vulnerability in the RC4 stream cipher discovered by Fluhrer, Mantin, and Shamir. This paper describes how to apply this flaw to breaking WEP, our implementation of the attack, and optimizations that can be used to reduce the number of packets required for the attack. We conclude that the 802.11b WEP standard is completely insecure, and we provide recommendations on how this vulnerability could be mitigated and repaired.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Carrier:2004:STP, author = "Brian Carrier and Clay Shields", title = "The session token protocol for forensics and traceback", journal = j-TISSEC, volume = "7", number = "3", pages = "333--362", month = aug, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Wedde:2004:MAA, author = "Horst F. Wedde and Mario Lischka", title = "Modular authorization and administration", journal = j-TISSEC, volume = "7", number = "3", pages = "363--391", month = aug, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Strembeck:2004:IAE, author = "Mark Strembeck and Gustaf Neumann", title = "An integrated approach to engineer and enforce context constraints in {RBAC} environments", journal = j-TISSEC, volume = "7", number = "3", pages = "392--427", month = aug, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Hess:2004:CTT, author = "Adam Hess and Jason Holt and Jared Jacobson and Kent E. Seamons", title = "Content-triggered trust negotiation", journal = j-TISSEC, volume = "7", number = "3", pages = "428--456", month = aug, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Amir:2004:PGK, author = "Yair Amir and Yongdae Kim and Cristina Nita-Rotaru and Gene Tsudik", title = "On the performance of group key agreement protocols", journal = j-TISSEC, volume = "7", number = "3", pages = "457--488", month = aug, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Wright:2004:PAA, author = "Matthew K. Wright and Micah Adler and Brian Neil Levine and Clay Shields", title = "The predecessor attack: an analysis of a threat to anonymous communications systems", journal = j-TISSEC, volume = "7", number = "4", pages = "489--522", month = nov, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Mar 24 15:53:55 MST 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Huang:2004:KCB, author = "Dijiang Huang and Deep Medhi", title = "A key-chain-based keying scheme for many-to-many secure group communication", journal = j-TISSEC, volume = "7", number = "4", pages = "523--552", month = nov, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Mar 24 15:53:55 MST 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Shacham:2004:CSC, author = "Hovav Shacham and Dan Boneh and Eric Rescorla", title = "Client-side caching for {TLS}", journal = j-TISSEC, volume = "7", number = "4", pages = "553--575", month = nov, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Mar 24 15:53:55 MST 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Walcott:2004:TMR, author = "Tom Walcott and Matt Bishop", title = "Traducement: a model for record security", journal = j-TISSEC, volume = "7", number = "4", pages = "576--590", month = nov, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Mar 24 15:53:55 MST 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Ning:2004:HRA, author = "Peng Ning and Dingbang Xu", title = "Hypothesizing and reasoning about attacks missed by intrusion detection systems", journal = j-TISSEC, volume = "7", number = "4", pages = "591--627", month = nov, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Mar 24 15:53:55 MST 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Sandhu:2005:E, author = "Ravi Sandhu", title = "Editorial", journal = j-TISSEC, volume = "8", number = "1", pages = "1--1", month = feb, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Mar 24 15:53:55 MST 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Atluri:2005:P, author = "Vijay Atluri", title = "Preface", journal = j-TISSEC, volume = "8", number = "1", pages = "2--2", month = feb, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Mar 24 15:53:55 MST 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Barrantes:2005:RIS, author = "Elena Gabriela Barrantes and David H. Ackley and Stephanie Forrest and Darko Stefanovi{\'c}", title = "Randomized instruction set emulation", journal = j-TISSEC, volume = "8", number = "1", pages = "3--40", month = feb, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Mar 24 15:53:55 MST 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Liu:2005:EPK, author = "Donggang Liu and Peng Ning and Rongfang Li", title = "Establishing pairwise keys in distributed sensor networks", journal = j-TISSEC, volume = "8", number = "1", pages = "41--77", month = feb, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Mar 24 15:53:55 MST 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Liu:2005:IBM, author = "Peng Liu and Wanyu Zang and Meng Yu", title = "Incentive-based modeling and inference of attacker intent, objectives, and strategies", journal = j-TISSEC, volume = "8", number = "1", pages = "78--118", month = feb, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Mar 24 15:53:55 MST 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Ceselli:2005:MAI, author = "Alberto Ceselli and Ernesto Damiani and Sabrina {De Capitani Di Vimercati} and Sushil Jajodia and Stefano Paraboschi and Pierangela Samarati", title = "Modeling and assessing inference exposure in encrypted databases", journal = j-TISSEC, volume = "8", number = "1", pages = "119--152", month = feb, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Mar 24 15:53:55 MST 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Ye:2005:TPB, author = "Zishuang (Eileen) Ye and Sean Smith and Denise Anthony", title = "Trusted paths for browsers", journal = j-TISSEC, volume = "8", number = "2", pages = "153--186", month = may, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jul 7 12:29:10 MDT 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Bhatti:2005:XGX, author = "Rafae Bhatti and Arif Ghafoor and Elisa Bertino and James B. D. Joshi", title = "{X-GTRBAC}: an {XML}-based policy specification framework and architecture for enterprise-wide access control", journal = j-TISSEC, volume = "8", number = "2", pages = "187--227", month = may, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jul 7 12:29:10 MDT 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Du:2005:PKP, author = "Wenliang Du and Jing Deng and Yunghsiang S. Han and Pramod K. Varshney and Jonathan Katz and Aram Khalili", title = "A pairwise key predistribution scheme for wireless sensor networks", journal = j-TISSEC, volume = "8", number = "2", pages = "228--258", month = may, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jul 7 12:29:10 MDT 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Zhou:2005:APS, author = "Lidong Zhou and Fred B. Schneider and Robbert {Van Renesse}", title = "{APSS}: proactive secret sharing in asynchronous systems", journal = j-TISSEC, volume = "8", number = "3", pages = "259--286", month = aug, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Sep 17 15:42:03 MDT 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Dojen:2005:CLP, author = "Reiner Dojen and Tom Coffey", title = "The concept of layered proving trees and its application to the automation of security protocol verification", journal = j-TISSEC, volume = "8", number = "3", pages = "287--311", month = aug, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Sep 17 15:42:03 MDT 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Gunetti:2005:KAF, author = "Daniele Gunetti and Claudia Picardi", title = "Keystroke analysis of free text", journal = j-TISSEC, volume = "8", number = "3", pages = "312--347", month = aug, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Sep 17 15:42:03 MDT 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Ferrari:2005:GES, author = "Elena Ferrari", title = "Guest editorial: {Special} issue on access control models and technologies", journal = j-TISSEC, volume = "8", number = "4", pages = "349--350", month = nov, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jan 10 07:44:45 MST 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Zhang:2005:FMP, author = "Xinwen Zhang and Francesco Parisi-Presicce and Ravi Sandhu and Jaehong Park", title = "Formal model and policy specification of usage control", journal = j-TISSEC, volume = "8", number = "4", pages = "351--387", month = nov, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jan 10 07:44:45 MST 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Bhatti:2005:XGA, author = "Rafae Bhatti and Basit Shafiq and Elisa Bertino and Arif Ghafoor and James B. D. Joshi", title = "{X-gtrbac} admin: a decentralized administration model for enterprise-wide access control", journal = j-TISSEC, volume = "8", number = "4", pages = "388--423", month = nov, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jan 10 07:44:45 MST 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Hengartner:2005:ACP, author = "Urs Hengartner and Peter Steenkiste", title = "Access control to people location information", journal = j-TISSEC, volume = "8", number = "4", pages = "424--456", month = nov, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jan 10 07:44:45 MST 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Ateniese:2006:IPR, author = "Giuseppe Ateniese and Kevin Fu and Matthew Green and Susan Hohenberger", title = "Improved proxy re-encryption schemes with applications to secure distributed storage", journal = j-TISSEC, volume = "9", number = "1", pages = "1--30", month = feb, year = "2006", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Apr 29 09:23:50 MDT 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Malvestuto:2006:ASQ, author = "Francesco M. Malvestuto and Mauro Mezzini and Marina Moscarini", title = "Auditing sum-queries to make a statistical database secure", journal = j-TISSEC, volume = "9", number = "1", pages = "31--60", month = feb, year = "2006", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Apr 29 09:23:50 MDT 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Mutz:2006:ASC, author = "Darren Mutz and Fredrik Valeur and Giovanni Vigna and Christopher Kruegel", title = "Anomalous system call detection", journal = j-TISSEC, volume = "9", number = "1", pages = "61--93", month = feb, year = "2006", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Apr 29 09:23:50 MDT 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Futoransky:2006:FAS, author = "Ariel Futoransky and Emiliano Kargieman and Carlos Sarraute and Ariel Waissbein", title = "Foundations and applications for secure triggers", journal = j-TISSEC, volume = "9", number = "1", pages = "94--112", month = feb, year = "2006", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Apr 29 09:23:50 MDT 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Oh:2006:ERA, author = "Sejong Oh and Ravi Sandhu and Xinwen Zhang", title = "An effective role administration model using organization structure", journal = j-TISSEC, volume = "9", number = "2", pages = "113--137", month = may, year = "2006", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1151414.1151415", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Aug 26 08:10:38 MDT 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Bella:2006:APF, author = "Giampaolo Bella and Lawrence C. Paulson", title = "Accountability protocols: {Formalized} and verified", journal = j-TISSEC, volume = "9", number = "2", pages = "138--161", month = may, year = "2006", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1151414.1151416", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Aug 26 08:10:38 MDT 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Chandramouli:2006:BPA, author = "R. Chandramouli and S. Bapatla and K. P. Subbalakshmi and R. N. Uma", title = "Battery power-aware encryption", journal = j-TISSEC, volume = "9", number = "2", pages = "162--180", month = may, year = "2006", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1151414.1151417", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Aug 26 08:10:38 MDT 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Minimizing power consumption is crucial in battery power-limited secure wireless mobile networks. In this paper, we (a) introduce a hardware/software set-up to measure the battery power consumption of encryption algorithms through real-life experimentation, (b) based on the profiled data, propose mathematical models to capture the relationships between power consumption and security, and (c) formulate and solve security maximization subject to power constraints. Numerical results are presented to illustrate the gains that can be achieved in using solutions of the proposed security maximization problems subject to power constraints.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Gennaro:2006:FPB, author = "Rosario Gennaro and Yehuda Lindell", title = "A framework for password-based authenticated key exchange", journal = j-TISSEC, volume = "9", number = "2", pages = "181--234", month = may, year = "2006", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1151414.1151418", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Aug 26 08:10:38 MDT 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "In this paper, we present a general framework for password-based authenticated key exchange protocols, in the common reference string model. Our protocol is actually an abstraction of the key exchange protocol of Katz et al. and is based on the recently introduced notion of smooth projective hashing by Cramer and Shoup. We gain a number of benefits from this abstraction. First, we obtain a modular protocol that can be described using just three high-level cryptographic tools. This allows a simple and intuitive understanding of its security. Second, our proof of security is significantly simpler and more modular. Third, we are able to derive analogs to the Katz et al. protocol under additional cryptographic assumptions. Specifically, in addition to the DDH assumption used by Katz et al., we obtain protocols under both the quadratic and N-residuosity assumptions. In order to achieve this, we construct new smooth projective hash functions.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{VanOorschot:2006:COD, author = "Paul C. {Van Oorschot} and Stuart Stubblebine", title = "On countering online dictionary attacks with login histories and humans-in-the-loop", journal = j-TISSEC, volume = "9", number = "3", pages = "235--258", month = aug, year = "2006", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Nov 15 06:44:34 MST 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{McDaniel:2006:MLS, author = "Patrick McDaniel and Atul Prakash", title = "Methods and limitations of security policy reconciliation", journal = j-TISSEC, volume = "9", number = "3", pages = "259--291", month = aug, year = "2006", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Nov 15 06:44:34 MST 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Murata:2006:XAC, author = "Makoto Murata and Akihiko Tozawa and Michiharu Kudo and Satoshi Hada", title = "{XML} access control using static analysis", journal = j-TISSEC, volume = "9", number = "3", pages = "292--324", month = aug, year = "2006", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Nov 15 06:44:34 MST 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Kogan:2006:PRS, author = "Noam Kogan and Yuval Shavitt and Avishai Wool", title = "A practical revocation scheme for broadcast encryption using smartcards", journal = j-TISSEC, volume = "9", number = "3", pages = "325--351", month = aug, year = "2006", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Nov 15 06:44:34 MST 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Winsborough:2006:SAT, author = "William H. Winsborough and Ninghui Li", title = "Safety in automated trust negotiation", journal = j-TISSEC, volume = "9", number = "3", pages = "352--390", month = aug, year = "2006", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Nov 15 06:44:34 MST 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Li:2006:SAR, author = "Ninghui Li and Mahesh V. Tripunitara", title = "Security analysis in role-based access control", journal = j-TISSEC, volume = "9", number = "4", pages = "391--420", month = nov, year = "2006", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1187441.1187442", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:51:51 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The administration of large role-based access control (RBAC) systems is a challenging problem. In order to administer such systems, decentralization of administration tasks by the use of delegation is an effective approach. While the use of delegation greatly enhances flexibility and scalability, it may reduce the control that an organization has over its resources, thereby diminishing a major advantage RBAC has over discretionary access control (DAC). We propose to use security analysis techniques to maintain desirable security properties while delegating administrative privileges. We give a precise definition of a family of security analysis problems in RBAC, which is more general than safety analysis that is studied in the literature. We show that two classes of problems in the family can be reduced to similar analysis in the RT[$\leftarrow,\cap$] role-based trust-management language, thereby establishing an interesting relationship between RBAC and the RT framework. The reduction gives efficient algorithms for answering most kinds of queries in these two classes and establishes the complexity bounds for the intractable cases.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "delegation; role-based access control; role-based administration; trust management", } @Article{Mella:2006:CCU, author = "Giovanni Mella and Elena Ferrari and Elisa Bertino and Yunhua Koglin", title = "Controlled and cooperative updates of {XML} documents in {Byzantine} and failure-prone distributed systems", journal = j-TISSEC, volume = "9", number = "4", pages = "421--460", month = nov, year = "2006", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1187441.1187443", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:51:51 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "This paper proposes an infrastructure and related algorithms for the controlled and cooperative updates of XML documents. Key components of the proposed system are a set of XML-based languages for specifying access-control policies and the path that the document must follow during its update. Such path can be fully specified before the update process begins or can be dynamically modified by properly authorized subjects while being transmitted. Our approach is fully distributed in that each party involved in the process can verify the correctness of the operations performed until that point on the document without relying on a central authority. More importantly, the recovery procedure also does not need the participation of a central authority. Our approach is based on the use of some special control information that is transmitted together with the document and a suite of protocols. We formally specify the structure of such control information and the protocols. We also analyze security and complexity of the proposed protocols.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "Byzantine and distributed systems; policy languages; updates; XML documents", } @Article{Kogan:2006:IER, author = "Noam Kogan and Tamir Tassa", title = "Improved efficiency for revocation schemes via {Newton} interpolation", journal = j-TISSEC, volume = "9", number = "4", pages = "461--486", month = nov, year = "2006", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1187441.1187444", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:51:51 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We present a novel way to implement the secret-sharing-based family of revocation schemes of Naor and Pinkas [2003]. The basic scheme of [Naor and Pinkas 2000] uses Shamir's polynomial secret-sharing to revoke up to r users, where r is the degree of the secret-sharing polynomial, and it is information theoretically secure against coalitions of up to r collaborators. The nonrevoked users use Lagrange interpolation in order to compute the new key. Our basic scheme uses a novel modification of Shamir's polynomial secret-sharing: The secret equals the leading coefficient of the polynomial (as opposed to the free coefficient as in the original scheme) and the polynomial is reconstructed by Newton interpolation (rather than Lagrange interpolation). Comparing our scheme to one variant of the Naor--Pinkas scheme, we offer revocation messages that are shorter by a factor of almost 2, while the computation cost at the user end is smaller by a constant factor of approximately 13/2. Comparing to a second variant of the Naor--Pinkas scheme, our scheme offers a reduction of O ( r ) in the computation cost at the user end, without affecting any of the other performance parameters. We then extend our basic scheme to perform multiround revocation for stateless and stateful receivers, along the lines offered by Naor and Pinkas [2000] and Kogan et al. [2003]. We show that using Newton rather than Lagrange interpolants enables a significantly more efficient transmission of the new revocation message and shorter response time for each round. Pay TV systems that implement broadcast encryption techniques can benefit significantly from the improved efficiency offered by our revocation schemes.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "broadcast encryption; Newton interpolation; secret sharing; User revocation", } @Article{Ahn:2007:GES, author = "Gail-Joon Ahn", title = "Guest editorial: {Special} issue on access control models and technologies", journal = j-TISSEC, volume = "10", number = "1", pages = "1:1--1:??", month = feb, year = "2007", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1210263.1216576", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:51:58 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "1", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Damiani:2007:GRS, author = "Maria Luisa Damiani and Elisa Bertino and Barbara Catania and Paolo Perlasca", title = "{GEO-RBAC}: a spatially aware {RBAC}", journal = j-TISSEC, volume = "10", number = "1", pages = "2:1--2:??", month = feb, year = "2007", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1210263.1210265", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:51:58 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Securing access to data in location-based services and mobile applications requires the definition of spatially aware access-control systems. Even if some approaches have already been proposed either in the context of geographic database systems or context-aware applications, a comprehensive framework, general and flexible enough to deal with spatial aspects in real mobile applications, is still missing. In this paper, we make one step toward this direction and present GEO-RBAC, an extension of the RBAC model enhanced with spatial-and location-based information. In GEORBAC, spatial entities are used to model objects, user positions, and geographically bounded roles. Roles are activated based on the position of the user. Besides a physical position, obtained from a given mobile terminal or a cellular phone, users are also assigned a logical and device-independent position, representing the feature (the road, the town, the region) in which they are located. To enhance flexibility and reusability, we also introduce the concept of role schema, specifying the name of the role, as well as the type of the role spatial boundary and the granularity of the logical position. We then extend GEO-RBAC to support hierarchies, modeling permission, user, and activation inheritance, and separation of duty constraints. The proposed classes of constraints extend the conventional ones to deal with different granularities (schema/instance level) and spatial information. We conclude the paper with an analysis of several properties concerning the resulting model.", acknowledgement = ack-nhfb, articleno = "2", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "access-control model; GIS; location-based services", } @Article{Iwaihara:2007:RBA, author = "Mizuho Iwaihara and Ryotaro Hayashi and Somchai Chatvichienchai and Chutiporn Anutariya and Vilas Wuwongse", title = "Relevancy-based access control and its evaluation on versioned {XML} documents", journal = j-TISSEC, volume = "10", number = "1", pages = "3:1--3:??", month = feb, year = "2007", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1210263.1210266", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:51:58 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Integration of version and access control of XML documents has the benefit of regulating access to rapidly growing archives of XML documents. Versioned XML documents provide us with valuable information on dependencies between document nodes, but, at the same time, presenting the risk of undesirable data disclosure. In this article, we introduce the notion of relevancy-based access control, which realizes protection of versioned XML documents by various types of relevancy, such as version dependencies, schema similarities, and temporal proximity. We define a new path query language XVerPath over XML document versions, which can be utilized for specifying relevancy-based access-control policies. We also introduce the notion of relevancy class, for collectively and compactly specifying relevancy-based policies. Regarding efficient processing of access requests, we propose the packed version model, which realizes space-efficient difference-based archives of versioned XML documents and, at the same time, providing efficient evaluation of XVerPath queries. Experimental results show reasonable performance superiority over conventional methods, which do not utilize version differences.", acknowledgement = ack-nhfb, articleno = "3", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "access control; query language; security; version control; XML; XPath", } @Article{Zhou:2007:MNI, author = "Jingmin Zhou and Mark Heckman and Brennen Reynolds and Adam Carlson and Matt Bishop", title = "Modeling network intrusion detection alerts for correlation", journal = j-TISSEC, volume = "10", number = "1", pages = "4:1--4:??", month = feb, year = "2007", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1210263.1210267", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:51:58 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Signature-based network intrusion-detection systems (NIDSs) often report a massive number of simple alerts of low-level security-related events. Many of these alerts are logically involved in a single multi-stage intrusion incident and a security officer often wants to analyze the complete incident instead of each individual simple alert. This paper proposes a well-structured model that abstracts the logical relation between the alerts in order to support automatic correlation of those alerts involved in the same intrusion. The basic building block of the model is a logical formula called a capability. We use capability to abstract consistently and precisely all levels of accesses obtained by the attacker in each step of a multistage intrusion. We then derive inference rules to define logical relations between different capabilities. Based on the model and the inference rules, we have developed several novel alert correlation algorithms and implemented a prototype alert correlator. The experimental results of the correlator using several intrusion datasets demonstrate that the approach is effective in both alert fusion and alert correlation and has the ability to correlate alerts of complex multistage intrusions. In several instances, the alert correlator successfully correlated more than two thousand Snort alerts involved in massive scanning incidents. It also helped us find two multistage intrusions that were missed in auditing by the security officers.", acknowledgement = ack-nhfb, articleno = "4", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "alert correlation; alert fusion; capability; intrusion detection", } @Article{Li:2007:MER, author = "Ninghui Li and Mahesh V. Tripunitara and Ziad Bizri", title = "On mutually exclusive roles and separation-of-duty", journal = j-TISSEC, volume = "10", number = "2", pages = "5:1--5:??", month = may, year = "2007", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1237500.1237501", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:05 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Separation-of-duty (SoD) is widely considered to be a fundamental principle in computer security. A static SoD (SSoD) policy states that in order to have all permissions necessary to complete a sensitive task, the cooperation of at least a certain number of users is required. Role-based access control (RBAC) is today's dominant access-control model. It is widely believed that one of RBAC's main strengths is that it enables the use of constraints to support policies, such as separation-of-duty. In the literature on RBAC, statically mutually exclusive roles (SMER) constraints are used to enforce SSoD policies. In this paper, we formulate and study fundamental computational problems related to the use of SMER constraints to enforce SSoD policies. We show that directly enforcing SSoD policies is intractable (coNP-complete), while checking whether an RBAC state satisfies a set of SMER constraints is efficient; however, verifying whether a given set of SMER constraints enforces an SSoD policy is also intractable (coNP-complete). We discuss the implications of these results. We show also how to generate SMER constraints that are as accurate as possible for enforcing an SSoD policy.", acknowledgement = ack-nhfb, articleno = "5", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "computational complexity; constraints; role-based access control; separation-of-duty; verification", } @Article{Peng:2007:BZK, author = "Kun Peng and Colin Boyd and Ed Dawson", title = "Batch zero-knowledge proof and verification and its applications", journal = j-TISSEC, volume = "10", number = "2", pages = "6:1--6:??", month = may, year = "2007", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1237500.1237502", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:05 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The batch verification technique of Bellare et al. is extended to verification of several frequently employed zero-knowledge proofs. The new techniques are correct, sound, efficient, and can be widely applied. Specific applications are discussed in detail, including batch ZK proof and verification of validity of encryption (or reencryption) and batch ZK proof and verification of validity of decryption. Considerable efficiency improvements are gained in these two applications without compromising security. As a result, efficiency of the practical cryptographic systems (such as mix networks) based on these two applications is dramatically improved.", acknowledgement = ack-nhfb, articleno = "6", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "batch proof and verification of decryption; batch proof and verification of reencryption; mix network", } @Article{Ahmed:2007:SVS, author = "Tanvir Ahmed and Anand R. Tripathi", title = "Specification and verification of security requirements in a programming model for decentralized {CSCW} systems", journal = j-TISSEC, volume = "10", number = "2", pages = "7:1--7:??", month = may, year = "2007", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1237500.1237503", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:05 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We present, in this paper, a role-based model for programming distributed CSCW systems. This model supports specification of dynamic security and coordination requirements in such systems. We also present here a model-checking methodology for verifying the security properties of a design expressed in this model. The verification methodology presented here is used to ensure correctness and consistency of a design specification. It is also used to ensure that sensitive security requirements cannot be violated when policy enforcement functions are distributed among the participants. Several aspect-specific verification models are developed to check security properties, such as task-flow constraints, information flow, confidentiality, and assignment of administrative privileges.", acknowledgement = ack-nhfb, articleno = "7", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "finite state-based model checking; methodology for access-control policy design; role-based access control; Security policy specification", } @Article{Bhargavan:2007:SSW, author = "Karthikeyan Bhargavan and Ricardo Corin and C{\'e}dric Fournet and Andrew D. Gordon", title = "Secure sessions for {Web} services", journal = j-TISSEC, volume = "10", number = "2", pages = "8:1--8:??", month = may, year = "2007", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1237500.1237504", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:05 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We address the problem of securing sequences of SOAP messages exchanged between web services and their clients. The WS-Security standard defines basic mechanisms to secure SOAP traffic, one message at a time. For typical web services, however, using WS-Security independently for each message is rather inefficient; moreover, it is often important to secure the integrity of a whole session, as well as each message. To these ends, recent specifications provide further SOAP-level mechanisms. WS-SecureConversation defines security contexts, which can be used to secure sessions between two parties. WS-Trust specifies how security contexts are issued and obtained. We develop a semantics for the main mechanisms of WS-Trust and WS-SecureConversation, expressed as a library for TulaFale, a formal scripting language for security protocols. We model typical protocols relying on these mechanisms and automatically prove their main security properties. We also informally discuss some pitfalls and limitations of these specifications.", acknowledgement = ack-nhfb, articleno = "8", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "Web services; XML security", } @Article{Abadi:2007:JFK, author = "Mart{\'\i}n Abadi and Bruno Blanchet and C{\'e}dric Fournet", title = "Just fast keying in the pi calculus", journal = j-TISSEC, volume = "10", number = "3", pages = "9:1--9:??", month = jul, year = "2007", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1266977.1266978", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:14 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "JFK is a recent, attractive protocol for fast key establishment as part of securing IP communication. In this paper, we formally analyze this protocol in the applied pi calculus (partly in terms of observational equivalences and partly with the assistance of an automatic protocol verifier). We treat JFK's core security properties and also other properties that are rarely articulated and rigorously studied, such as plausible deniability and resistance to denial-of-service attacks. In the course of this analysis, we found some ambiguities and minor problems, such as limitations in identity protection, but we mostly obtain positive results about JFK. For this purpose, we develop ideas and techniques that should be more generally useful in the specification and verification of security protocols.", acknowledgement = ack-nhfb, articleno = "9", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "IP security; key exchange; process calculus", } @Article{Bresson:2007:PSA, author = "Emmanuel Bresson and Olivier Chevassut and David Pointcheval", title = "Provably secure authenticated group {Diffie--Hellman} key exchange", journal = j-TISSEC, volume = "10", number = "3", pages = "10:1--10:??", month = jul, year = "2007", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1266977.1266979", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:14 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Authenticated key-exchange protocols allow two participants A and B, communicating over a public network and each holding an authentication means to exchange a shared secret value. Methods designed to deal with this cryptographic problem ensure A (resp. B ) that no other participants aside from B (resp. A ) can learn any information about the agreed value and often also ensure A and B that their respective partner has actually computed this value. A natural extension to this cryptographic method is to consider a pool of participants exchanging a shared secret value and to provide a formal treatment for it. Starting from the famous two-party Diffie--Hellman (DH) key-exchange protocol and from its authenticated variants, security experts have extended it to the multiparty setting for over a decade and, in the past few years, completed a formal analysis in the framework of modern cryptography. The present paper synthesizes this body of work on the provably-secure authenticated group DH key exchange.", acknowledgement = ack-nhfb, articleno = "10", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "cryptography; Diffie--Hellman; Group Key Exchange", } @Article{vanOorschot:2007:IRS, author = "P. C. van Oorschot and Tao Wan and Evangelos Kranakis", title = "On interdomain routing security and pretty secure {BGP (psBGP)}", journal = j-TISSEC, volume = "10", number = "3", pages = "11:1--11:??", month = jul, year = "2007", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1266977.1266980", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:14 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "It is well known that the Border Gateway Protocol (BGP), the IETF standard interdomain routing protocol, is vulnerable to a variety of attacks, and that a single misconfigured or malicious BGP speaker could result in large-scale service disruption. In this paper, we present Pretty Secure BGP (psBGP) ---a proposal for securing BGP, including an architectural overview, design details for significant aspects, and preliminary security and operational analysis. psBGP differs from other security proposals (e. g. , S-BGP and soBGP) in that it makes use of a single-level PKI for AS number authentication, a decentralized trust model for verifying the propriety of IP prefix origin, and a rating-based stepwise approach for AS\_PATH (integrity) verification. psBGP trades off the strong security guarantees of S-BGP for presumed-simpler operation, e. g. , using a PKI with a simple structure, with a small number of certificate types, and of manageable size. psBGP is designed to successfully defend against various (nonmalicious and malicious) threats from uncoordinated BGP speakers, and to be incrementally deployed with incremental benefits.", acknowledgement = ack-nhfb, articleno = "11", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "authentication; BGP; certificates; interdomain routing; public-key infrastructure; secure routing protocols; trust", } @Article{Squicciarini:2007:PTX, author = "A. Squicciarini and E. Bertino and Elena Ferrari and F. Paci and B. Thuraisingham", title = "{PP-trust-X}: a system for privacy preserving trust negotiations", journal = j-TISSEC, volume = "10", number = "3", pages = "12:1--12:??", month = jul, year = "2007", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1266977.1266981", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:14 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Trust negotiation is a promising approach for establishing trust in open systems, in which sensitive interactions may often occur between entities with no prior knowledge of each other. Although, to date several trust negotiation systems have been proposed, none of them fully address the problem of privacy preservation. Today, privacy is one of the major concerns of users when exchanging information through the Web and thus we believe that trust negotiation systems must effectively address privacy issues in order to be widely applicable. For these reasons, in this paper, we investigate privacy in the context of trust negotiations. We propose a set of privacy-preserving features for inclusion in any trust negotiation system, such as the support for the P3P standard, as well as a number of innovative features, such as a novel format for encoding digital credentials specifically designed for preserving privacy. Further, we present a variety of interoperable strategies to carry on the negotiation with the aim of improving both privacy and efficiency.", acknowledgement = ack-nhfb, articleno = "12", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "access control; attribute-based access control; automated trust negotiation; credentials; privacy; strategy", } @Article{Chakrabarti:2008:ETR, author = "Deepayan Chakrabarti and Yang Wang and Chenxi Wang and Jurij Leskovec and Christos Faloutsos", title = "Epidemic thresholds in real networks", journal = j-TISSEC, volume = "10", number = "4", pages = "1:1--1:??", month = jan, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1284680.1284681", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:24 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "How will a virus propagate in a real network? How long does it take to disinfect a network given particular values of infection rate and virus death rate? What is the single best node to immunize? Answering these questions is essential for devising network-wide strategies to counter viruses. In addition, viral propagation is very similar in principle to the spread of rumors, information, and ``fads,'' implying that the solutions for viral propagation would also offer insights into these other problem settings. We answer these questions by developing a nonlinear dynamical system ( NLDS ) that accurately models viral propagation in any arbitrary network, including real and synthesized network graphs. We propose a general epidemic threshold condition for the NLDS system: we prove that the epidemic threshold for a network is exactly the inverse of the largest eigenvalue of its adjacency matrix. Finally, we show that below the epidemic threshold, infections die out at an exponential rate. Our epidemic threshold model subsumes many known thresholds for special-case graphs (e.g., Erd{\H{o}}s--R{\'e}nyi, BA powerlaw, homogeneous). We demonstrate the predictive power of our model with extensive experiments on real and synthesized graphs, and show that our threshold condition holds for arbitrary graphs. Finally, we show how to utilize our threshold condition for practical uses: It can dictate which nodes to immunize; it can assess the effects of a throttling policy; it can help us design network topologies so that they are more resistant to viruses.", acknowledgement = ack-nhfb, articleno = "1", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "eigenvalue; epidemic threshold; viral propagation", } @Article{Joshi:2008:FFH, author = "James B. D. Joshi and Elisa Bertino and Arif Ghafoor and Yue Zhang", title = "Formal foundations for hybrid hierarchies in {GTRBAC}", journal = j-TISSEC, volume = "10", number = "4", pages = "2:1--2:??", month = jan, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1284680.1284682", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:24 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "A role hierarchy defines permission acquisition and role-activation semantics through role--role relationships. It can be utilized for efficiently and effectively structuring functional roles of an organization having related access-control needs. The focus of this paper is the analysis of hybrid role hierarchies in the context of the generalized temporal role-based access control (GTRBAC) model that allows specification of a comprehensive set of temporal constraints on role, user-role, and role-permission assignments. We introduce the notion of uniquely activable set (UAS) associated with a role hierarchy that indicates the access capabilities of a user resulting from his membership to a role in the hierarchy. Identifying such a role set is essential, while making an authorization decision about whether or not a user should be allowed to activate a particular combination of roles in a single session. We formally show how UAS can be determined for a hybrid hierarchy. Furthermore, within a hybrid hierarchy, various hierarchical relations may be derived between an arbitrary pair of roles. We present a set of inference rules that can be used to generate all the possible derived relations that can be inferred from a specified set of hierarchical relations and show that it is sound and complete. We also present an analysis of hierarchy transformations with respect to role addition, deletion, and partitioning, and show how various cases of these transformations allow the original permission acquisition and role-activation semantics to be managed. The formal results presented here provide a basis for developing efficient security administration and management tools.", acknowledgement = ack-nhfb, articleno = "2", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "derived relation; role hierarchy", } @Article{Gassend:2008:CPR, author = "Blaise Gassend and Marten {Van Dijk} and Dwaine Clarke and Emina Torlak and Srinivas Devadas and Pim Tuyls", title = "Controlled physical random functions and applications", journal = j-TISSEC, volume = "10", number = "4", pages = "3:1--3:??", month = jan, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1284680.1284683", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:24 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The cryptographic protocols that we use in everyday life rely on the secure storage of keys in consumer devices. Protecting these keys from invasive attackers, who open a device to steal its key, is a challenging problem. We propose controlled physical random functions (CPUFs) as an alternative to storing keys and describe the core protocols that are needed to use CPUFs. A physical random functions (PUF) is a physical system with an input and output. The functional relationship between input and output looks like that of a random function. The particular relationship is unique to a specific instance of a PUF, hence, one needs access to a particular PUF instance to evaluate the function it embodies. The cryptographic applications of a PUF are quite limited unless the PUF is combined with an algorithm that limits the ways in which the PUF can be evaluated; this is a CPUF. A major difficulty in using CPUFs is that you can only know a small set of outputs of the PUF---the unknown outputs being unrelated to the known ones. We present protocols that get around this difficulty and allow a chain of trust to be established between the CPUF manufacturer and a party that wishes to interact securely with the PUF device. We also present some elementary applications, such as certified execution.", acknowledgement = ack-nhfb, articleno = "3", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "certified execution; physical random function; physical security; physical unclonable function; trusted computing", } @Article{Bouganim:2008:DAC, author = "Luc Bouganim and Fran{\c{c}}ois Dang Ngoc and Philippe Pucheral", title = "Dynamic access-control policies on {XML} encrypted data", journal = j-TISSEC, volume = "10", number = "4", pages = "4:1--4:??", month = jan, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1284680.1284684", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:24 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The erosion of trust put in traditional database servers and in Database Service Providers and the growing interest for different forms of selective data dissemination are different factors that lead to move the access-control from servers to clients. Different data encryption and key dissemination schemes have been proposed to serve this purpose. By compiling the access-control rules into the encryption process, all these methods suffer from a static way of sharing data. With the emergence of hardware security elements on client devices, more dynamic client-based access-control schemes can be devised. This paper proposes a tamper-resistant client-based XML access-right controller supporting flexible and dynamic access-control policies. The access-control engine is embedded in a hardware-secure device and, therefore, must cope with specific hardware resources. This engine benefits from a dedicated index to quickly converge toward the authorized parts of a potentially streaming XML document. Pending situations (i. e. , where data delivery is conditioned by predicates, which apply to values encountered afterward in the document stream) are handled gracefully, skipping, whenever possible the pending elements and reassembling relevant parts when the pending situation is solved. Additional security mechanisms guarantee that (1) the input document is protected from any form of tampering and (2) no forbidden information can be gained by replay attacks on different versions of the XML document and of the access-control rules. Performance measurements on synthetic and real datasets demonstrate the effectiveness of the approach. Finally, the paper reports on two experiments conducted with a prototype running on a secured hardware platform.", acknowledgement = ack-nhfb, articleno = "4", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "access-control; data confidentiality; smartcard; ubiquitous data management", } @Article{vanOorschot:2008:PMU, author = "P. C. van Oorschot and Julie Thorpe", title = "On predictive models and user-drawn graphical passwords", journal = j-TISSEC, volume = "10", number = "4", pages = "5:1--5:??", month = jan, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1284680.1284685", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:24 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "In commonplace text-based password schemes, users typically choose passwords that are easy to recall, exhibit patterns, and are thus vulnerable to brute-force dictionary attacks. This leads us to ask whether other types of passwords (e. g. , graphical) are also vulnerable to dictionary attack because of users tending to choose memorable passwords. We suggest a method to predict and model a number of such classes for systems where passwords are created solely from a user's memory. We hypothesize that these classes define weak password subspaces suitable for an attack dictionary. For user-drawn graphical passwords, we apply this method with cognitive studies on visual recall. These cognitive studies motivate us to define a set of password complexity factors (e. g. , reflective symmetry and stroke count), which define a set of classes. To better understand the size of these classes and, thus, how weak the password subspaces they define might be, we use the ``Draw-A-Secret'' (DAS) graphical password scheme of Jermyn et al. [1999] as an example. We analyze the size of these classes for DAS under convenient parameter choices and show that they can be combined to define apparently popular subspaces that have bit sizes ranging from 31 to 41---a surprisingly small proportion of the full password space (58 bits). Our results quantitatively support suggestions that user-drawn graphical password systems employ measures, such as graphical password rules or guidelines and proactive password checking.", acknowledgement = ack-nhfb, articleno = "5", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "dictionary attack; Draw-a-Secret; graphical dictionary; Graphical passwords; memorable passwords; modeling user choice; password complexity factors", } @Article{Awerbuch:2008:ODS, author = "Baruch Awerbuch and Reza Curtmola and David Holmer and Cristina Nita-Rotaru and Herbert Rubens", title = "{ODSBR}: an on-demand secure {Byzantine} resilient routing protocol for wireless ad hoc networks", journal = j-TISSEC, volume = "10", number = "4", pages = "6:1--6:??", month = jan, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1284680.1341892", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:24 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Ah hoc networks offer increased coverage by using multihop communication. This architecture makes services more vulnerable to internal attacks coming from compromised nodes that behave arbitrarily to disrupt the network, also referred to as Byzantine attacks. In this work, we examine the impact of several Byzantine attacks performed by individual or colluding attackers. We propose ODSBR, the first on-demand routing protocol for ad hoc wireless networks that provides resilience to Byzantine attacks caused by individual or colluding nodes. The protocol uses an adaptive probing technique that detects a malicious link after log n faults have occurred, where n is the length of the path. Problematic links are avoided by using a route discovery mechanism that relies on a new metric that captures adversarial behavior. Our protocol never partitions the network and bounds the amount of damage caused by attackers. We demonstrate through simulations ODSBR's effectiveness in mitigating Byzantine attacks. Our analysis of the impact of these attacks versus the adversary's effort gives insights into their relative strengths, their interaction, and their importance when designing multihop wireless routing protocols.", acknowledgement = ack-nhfb, articleno = "6", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "ad hoc wireless networks; Byzantine failures; on-demand routing; security", } @Article{Ray:2008:E, author = "Indrakshi Ray", title = "Editorial", journal = j-TISSEC, volume = "11", number = "1", pages = "1:1--1:??", month = feb, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1330295.1330296", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:35 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "1", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Lee:2008:TAS, author = "Adam J. Lee and Marianne Winslett and Jim Basney and Von Welch", title = "The {Traust Authorization Service}", journal = j-TISSEC, volume = "11", number = "1", pages = "2:1--2:??", month = feb, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1330295.1330297", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:35 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "In recent years, trust negotiation has been proposed as a novel authorization solution for use in open-system environments, in which resources are shared across organizational boundaries. Researchers have shown that trust negotiation is indeed a viable solution for these environments by developing a number of policy languages and strategies for trust negotiation that have desirable theoretical properties. Further, existing protocols, such as TLS, have been altered to interact with prototype trust negotiation systems, thereby illustrating the utility of trust negotiation. Unfortunately, modifying existing protocols is often a time-consuming and bureaucratic process that can hinder the adoption of this promising technology. \par In this paper, we present Traust, a third-party authorization service that leverages the strengths of existing prototype trust negotiation systems. Traust acts as an authorization broker that issues access tokens for resources in an open system after entities use trust negotiation to satisfy the appropriate resource access policies. The Traust architecture was designed to allow Traust to be integrated either directly with newer trust-aware applications or indirectly with existing legacy applications; this flexibility paves the way for the incremental adoption of trust negotiation technologies without requiring widespread software or protocol upgrades. We discuss the design and implementation of Traust, the communication protocol used by the Traust system, and its performance. We also discuss our experiences using Traust to broker access to legacy resources, our proposal for a Traust-aware version of the GridFTP protocol, and Traust's resilience to attack.", acknowledgement = ack-nhfb, articleno = "2", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "attribute-based access control; credentials; trust negotiation", } @Article{Zhang:2008:TUB, author = "Xinwen Zhang and Masayuki Nakae and Michael J. Covington and Ravi Sandhu", title = "Toward a {Usage-Based Security Framework} for {Collaborative Computing Systems}", journal = j-TISSEC, volume = "11", number = "1", pages = "3:1--3:??", month = feb, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1330295.1330298", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:35 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Collaborative systems such as Grids provide efficient and scalable access to distributed computing capabilities and enable seamless resource sharing between users and platforms. This heterogeneous distribution of resources and the various modes of collaborations that exist between users, virtual organizations, and resource providers require scalable, flexible, and fine-grained access control to protect both individual and shared computing resources. In this article we propose a usage control (UCON) based security framework for collaborative applications, by following a layered approach with policy, enforcement, and implementation models, called the PEI framework. In the policy model layer, UCON policies are specified with predicates on subject and object attributes, along with system attributes as conditional constraints and user actions as obligations. General attributes include not only persistent attributes such as role and group memberships but also mutable usage attributes of subjects and objects. Conditions in UCON can be used to support context-based authorizations in ad hoc collaborations. In the enforcement model layer, our novel framework uses a hybrid approach for subject attribute acquisition with both push and pull modes. By leveraging attribute propagations between a centralized attribute repository and distributed policy decision points, our architecture supports decision continuity and attribute mutability of the UCON policy model, as well as obligation evaluations during policy enforcement. As a proof-of-concept, we implement a prototype system based on our proposed architecture and conduct experimental studies to demonstrate the feasibility and performance of our approach.", acknowledgement = ack-nhfb, articleno = "3", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "access control; Authorization; collaborative computing; security architecture; UCON; usage control", } @Article{Mazzoleni:2008:XPI, author = "Pietro Mazzoleni and Bruno Crispo and Swaminathan Sivasubramanian and Elisa Bertino", title = "{XACML Policy Integration Algorithms}", journal = j-TISSEC, volume = "11", number = "1", pages = "4:1--4:??", month = feb, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1330295.1330299", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:35 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "XACML is the OASIS standard language specifically aimed at the specification of authorization policies. While XACML fits well with the security requirements of a single enterprise (even if large and composed by multiple departments), it does not address the requirements of virtual enterprises in which several autonomous subjects collaborate by sharing their resources to provide better services to customers. In this article we highlight such limitation, and we propose an XACML extension, the policy integration algorithms, to address them. In the article we also present the implementation of a system that makes use of the policy integration algorithms to securely replicate information in a P2P-like environment. In our solution, the data replication process considers the policies specified by both the owners of the data shared and the peers sharing data storage.", acknowledgement = ack-nhfb, articleno = "4", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "content distributed networks; distributed systems; security policies integration; SOA; Web services; XACML", } @Article{Lee:2008:CPK, author = "Jooyoung Lee and Douglas R. Stinson", title = "On the Construction of Practical Key Predistribution Schemes for Distributed Sensor Networks Using Combinatorial Designs", journal = j-TISSEC, volume = "11", number = "2", pages = "1:1--1:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1330332.1330333", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:41 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "In this paper, we discuss the use of combinatorial set systems (combinatorial designs) in the design of key predistribution schemes (KPSs) for sensor networks. We show that the performance of a KPS can be improved by carefully choosing a certain class of set systems as ``key ring spaces''. Especially, we analyze KPSs based on a type of combinatorial design known as a {$<$}it{$>$}transversal design{$<$}/it{$>$}. We employ two types of transversal designs, which are represented by the set of all linear polynomials and the set of quadratic polynomials (over some finite field), respectively. These KPSs turn out to have significant efficiency in a shared-key discovery phase without degrading connectivity and resiliency.", acknowledgement = ack-nhfb, articleno = "1", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "key predistribution; security; wireless sensor networks", } @Article{Mano:2008:RRI, author = "Chad D. Mano and Andrew Blaich and Qi Liao and Yingxin Jiang and David A. Cieslak and David C. Salyers and Aaron Striegel", title = "{RIPPS}: {Rogue Identifying Packet Payload Slicer Detecting Unauthorized Wireless Hosts Through Network Traffic Conditioning}", journal = j-TISSEC, volume = "11", number = "2", pages = "2:1--2:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1330332.1330334", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:41 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Wireless network access has become an integral part of computing both at home and at the workplace. The convenience of wireless network access at work may be extremely beneficial to employees, but can be a burden to network security personnel. This burden is magnified by the threat of inexpensive wireless access points being installed in a network without the knowledge of network administrators. These devices, termed {$<$}it{$>$}Rogue Wireless Access Points{$<$}/it{$>$}, may allow a malicious outsider to access valuable network resources, including confidential communication and other stored data. For this reason, wireless connectivity detection is an essential capability, but remains a difficult problem. We present a method of detecting wireless hosts using a local RTT metric and a novel packet payload slicing technique. The local RTT metric provides the means to identify physical transmission media while packet payload slicing conditions network traffic to enhance the accuracy of the detections. Most importantly, the packet payload slicing method is transparent to both clients and servers and does not require direct communication between the monitoring system and monitored hosts.", acknowledgement = ack-nhfb, articleno = "2", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "network security; rogue systems; traffic conditioning", } @Article{Wright:2008:PLA, author = "Matthew K. Wright and Micah Adler and Brian Neil Levine and Clay Shields", title = "Passive-Logging {Attacks Against Anonymous Communications Systems}", journal = j-TISSEC, volume = "11", number = "2", pages = "3:1--3:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1330332.1330335", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:41 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Using analysis, simulation, and experimentation, we examine the threat against anonymous communications posed by passive-logging attacks. In previous work, we analyzed the success of such attacks under various assumptions. Here, we evaluate the effects of these assumptions more closely. First, we analyze the Onion Routing-based model used in prior work in which a fixed set of nodes remains in the system indefinitely. We show that for this model, by removing the assumption of uniformly random selection of nodes for placement in the path, initiators can greatly improve their anonymity. Second, we show by simulation that attack times are significantly lower in practice than bounds given by analytical results from prior work. Third, we analyze the effects of a dynamic membership model, in which nodes are allowed to join and leave the system; we show that all known defenses fail more quickly when the assumption of a static node set is relaxed. Fourth, intersection attacks against peer-to-peer systems are shown to be an additional danger, either on their own or in conjunction with the predecessor attack. Finally, we address the question of whether the regular communication patterns required by the attacks exist in real traffic. We collected and analyzed the Web requests of users to determine the extent to which basic patterns can be found. We show that, for our study, frequent and repeated communication to the same Web site is common.", acknowledgement = ack-nhfb, articleno = "3", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "anonymity; anonymous communication; intersection attack; predecessor attack; privacy", } @Article{Cheon:2008:PST, author = "Jung Hee Cheon and Nicholas Hopper and Yongdae Kim and Ivan Osipkov", title = "Provably {Secure Timed-Release Public Key Encryption}", journal = j-TISSEC, volume = "11", number = "2", pages = "4:1--4:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1330332.1330336", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:41 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "A timed-release cryptosystem allows a sender to encrypt a message so that only the intended recipient can read it only after a specified time. We formalize the concept of a secure timed-release public-key cryptosystem and show that, if a third party is relied upon to guarantee decryption after the specified date, this concept is equivalent to identity-based encryption; this explains the observation that all known constructions use identity-based encryption to achieve timed-release security. We then give several provably-secure constructions of timed-release encryption: a generic scheme based on any identity-based encryption scheme, and two more efficient schemes based on the existence of cryptographically admissible bilinear mappings. The first of these is essentially as efficient as the Boneh--Franklin Identity-Based encryption scheme, and is provably secure and authenticated in the random oracle model; the final scheme is not authenticated but is provably secure in the standard model (i. e. , without random oracles).", acknowledgement = ack-nhfb, articleno = "4", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "authenticated encryption; key-insulated encryption; timed-release", } @Article{Pang:2008:VCR, author = "Hweehwa Pang and Kian-Lee Tan", title = "Verifying Completeness of Relational Query Answers from Online Servers", journal = j-TISSEC, volume = "11", number = "2", pages = "5:1--5:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1330332.1330337", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:41 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The number of successful attacks on the Internet shows that it is very difficult to guarantee the security of online servers over extended periods of time. A breached server that is not detected in time may return incorrect query answers to users. In this article, we introduce authentication schemes for users to verify that their query answers from an online server are complete (i. e. , no qualifying tuples are omitted) and authentic (i. e. , all the result values are legitimate). We introduce a scheme that supports range selection, projection as well as primary key-foreign key join queries on relational databases. We also present authentication schemes for single- and multi-attribute range aggregate queries. The schemes complement access control mechanisms that rewrite queries dynamically, and are computationally secure. We have implemented the proposed schemes, and experiment results showed that they are practical and feasible schemes with low overheads.", acknowledgement = ack-nhfb, articleno = "5", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "query answer verification; secure database systems", } @Article{Brandt:2008:EUP, author = "Felix Brandt and Tuomas Sandholm", title = "On the Existence of Unconditionally Privacy-Preserving Auction Protocols", journal = j-TISSEC, volume = "11", number = "2", pages = "6:1--6:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1330332.1330338", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:41 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We investigate whether it is possible to preserve privacy in sealed-bid auctions to a maximal extent. In particular, this paper focuses on {$<$}it{$>$}unconditional full privacy{$<$}/it{$>$}, i. e. , privacy that relies neither on trusted third parties (like auctioneers), nor on computational intractability assumptions (like the hardness of factoring). These constraints imply a scenario in which bidders exchange messages according to some predefined protocol in order to jointly determine the auction outcome without revealing any additional information. It turns out that the first-price sealed-bid auction can be emulated by an unconditionally fully private protocol. However, the protocol's round complexity is exponential in the bid size, and there is no more efficient protocol. On the other hand, we prove the impossibility of privately emulating the second-price sealed-bid auction for more than two bidders. This impossibility holds even when relaxing various privacy constraints such as allowing the revelation of all but one losing bid (while maintaining anonymity) or allowing the revelation of the second highest bidder's identity.", acknowledgement = ack-nhfb, articleno = "6", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "auctions; multiparty computation", } @Article{Tsudik:2008:E, author = "Gene Tsudik", title = "Editorial", journal = j-TISSEC, volume = "11", number = "3", pages = "11:1--11:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1341731.1341732", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:50 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "11", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Zhang:2008:FIC, author = "Qing Zhang and Ting Yu and Peng Ning", title = "A Framework for Identifying Compromised Nodes in Wireless Sensor Networks", journal = j-TISSEC, volume = "11", number = "3", pages = "12:1--12:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1341731.1341733", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:50 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Sensor networks are often subject to physical attacks. Once a node's cryptographic key is compromised, an attacker may completely impersonate it and introduce arbitrary false information into the network. Basic cryptographic mechanisms are often not effective in this situation. Most techniques to address this problem focus on detecting and tolerating false information introduced by compromised nodes. They cannot pinpoint exactly where the false information is introduced and who is responsible for it. \par In this article, we propose an application-independent framework for accurately identifying compromised sensor nodes. The framework provides an appropriate abstraction of application-specific detection mechanisms and models the unique properties of sensor networks. Based on the framework, we develop alert reasoning algorithms to identify compromised nodes. The algorithm assumes that compromised nodes may collude at will. We show that our algorithm is optimal in the sense that it identifies the largest number of compromised nodes without introducing false positives. We evaluate the effectiveness of the designed algorithm through comprehensive experiments.", acknowledgement = ack-nhfb, articleno = "12", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "intrusion detection; sensor networks", } @Article{DiPietro:2008:RSN, author = "Roberto {Di Pietro} and Luigi V. Mancini and Alessandro Mei and Alessandro Panconesi and Jaikumar Radhakrishnan", title = "Redoubtable Sensor Networks", journal = j-TISSEC, volume = "11", number = "3", pages = "13:1--13:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1341731.1341734", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:50 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We give, for the first time, a precise mathematical analysis of the connectivity and security properties of sensor networks that make use of the random predistribution of keys. We also show how to set the parameters---pool and key ring size---in such a way that the network is not only connected with high probability via secure links but also provably resilient, in the following sense: We formally show that any adversary that captures sensors at random with the aim of compromising a constant fraction of the secure links must capture at least a constant fraction of the nodes of the network. In the context of wireless sensor networks where random predistribution of keys is employed, we are the first to provide a mathematically precise proof, with a clear indication of parameter choice, that two crucial properties---connectivity via secure links and resilience against malicious attacks---can be obtained simultaneously. We also show in a mathematically rigorous way that the network enjoys another strong security property. The adversary cannot partition the network into two linear size components, compromising all the links between them, unless it captures linearly many nodes. This implies that the network is also fault tolerant with respect to node failures. Our theoretical results are complemented by extensive simulations that reinforce our main conclusions.", acknowledgement = ack-nhfb, articleno = "13", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "connectivity; probabilistic key sharing; random graphs; Wireless sensor network", } @Article{Chang:2008:DAP, author = "Katharine Chang and Kang G. Shin", title = "Distributed Authentication of Program Integrity Verification in Wireless Sensor Networks", journal = j-TISSEC, volume = "11", number = "3", pages = "14:1--14:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1341731.1341735", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:50 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Security in wireless sensor networks has become important as they are being developed and deployed for an increasing number of applications. The severe resource constraints in each sensor make it very challenging to secure sensor networks. Moreover, sensors are usually deployed in hostile and unattended environments and hence are susceptible to various attacks, including node capture, physical tampering, and manipulation of the sensor program. Park and Shin [2005] proposed a soft tamper-proofing scheme that verifies the integrity of the program in each sensor device, called the program integrity verification (PIV), in which sensors authenticate PIV servers (PIVSs) using centralized and trusted third-party entities, such as authentication servers (ASs). This article presents a distributed authentication protocol of PIVSs (DAPP) without requiring the commonly used ASs. DAPP uses the Blundo scheme [Blundo et al. 1992] for sensors and PIVSs to establish pairwise keys and for PIVSs to authenticate one another. We also present a protocol for PIVSs to cooperatively detect and revoke malicious PIVSs in the network. We implement and evaluate both DAPP and PIV on Mica2 Motes and laptops, showing that DAPP reduces the sensors' communication traffic in the network by more than 90\% and the energy consumption on each sensor by up to 85\%, as compared to the case of using a centralized AS for authenticating PIVSs. We also analyze the security of DAPP under various attack models, demonstrating its capability in dealing with diverse types of attacks.", acknowledgement = ack-nhfb, articleno = "14", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "distributed authentication; node revocation; program integrity verification; wireless sensor networks", } @Article{Xie:2008:MDA, author = "Liang Xie and Sencun Zhu", title = "Message Dropping Attacks in Overlay Networks: Attack Detection and Attacker Identification", journal = j-TISSEC, volume = "11", number = "3", pages = "15:1--15:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1341731.1341736", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:50 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Overlay multicast networks are used by service providers to distribute contents such as Web pages, static and streaming multimedia data, or security updates to a large number of users. However, such networks are extremely vulnerable to message-dropping attacks by malicious or selfish nodes that intentionally drop the packets they are required to forward to others. It is difficult to detect such attacks both efficiently and effectively and to further identify the attackers, especially when members in the overlay switch between online/offline statuses frequently. In this article, we consider various attacking strategies of an attacker and propose an optimal sampling-based scheme to detect such attacks in the overlay network. We analyze the detection problem from a game-theoretical viewpoint and show that our scheme outperforms a random sampling-based scheme in terms of detection rate. In addition, based on a reputation system, we propose a sampling-based path-resolving scheme to identify compromised or selfish nodes. Unlike other existing approaches, our schemes do not assume global knowledge of the overlay hierarchy and work for dynamic overlay networks as well. Extensive analysis and simulation results show that besides being band width efficient, our schemes have high detection and identification rates and low false-positive rates.", acknowledgement = ack-nhfb, articleno = "15", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "attack detection; attacker identification; message dropping attacks; Overlay networks", } @Article{Traynor:2008:NMH, author = "Patrick Traynor and Michael Chien and Scott Weaver and Boniface Hicks and Patrick McDaniel", title = "Noninvasive Methods for Host Certification", journal = j-TISSEC, volume = "11", number = "3", pages = "16:1--16:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1341731.1341737", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:50 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Determining whether a user or system is exercising appropriate security practices is difficult in any context. Such difficulties are particularly pronounced when uncontrolled or unknown platforms join public networks. Commonly practiced techniques used to vet these hosts, such as system scans, have the potential to infringe on the privacy of users. In this article, we show that it is possible for clients to prove both the presence and proper functioning of security infrastructure without allowing unrestricted access to their system. We demonstrate this approach, specifically applied to antivirus security, by requiring clients seeking admission to a network to positively identify the presence or absence of malcode in a series of puzzles. The implementation of this mechanism and its application to real networks are also explored. In so doing, we demonstrate that it is not necessary for an administrator to be invasive to determine whether a client implements required security practices.", acknowledgement = ack-nhfb, articleno = "16", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "assurance; certification; malware; network security", } @Article{Avoine:2008:CIT, author = "Gildas Avoine and Pascal Junod and Philippe Oechslin", title = "Characterization and Improvement of Time-Memory Trade-Off Based on Perfect Tables", journal = j-TISSEC, volume = "11", number = "4", pages = "17:1--17:??", month = jul, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1380564.1380565", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Aug 5 19:37:22 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Cryptanalytic time-memory trade-offs have been studied for 25 years and have benefited from several improvements since the original work of Hellman. The ensuing variants definitely improve the original trade-off but their real impact has never been evaluated in practice. We fill this lack by analyzing the {\em perfect\/} form of classic tables, distinguished point-based tables, and rainbow tables. We especially provide a thorough analysis of the latter variant, whose performances have never been formally calculated yet. Our analysis leads to the concept of a {\em characteristic\/} that enables to measure the intrinsic quality of a trade-off. We finally introduce a new technique based on {\em checkpoints\/} that still reduces the cryptanalysis time by ruling out false alarms probabilistically. Our analysis yields the exact gain of this approach and establishes its efficiency when applied on rainbow tables.", acknowledgement = ack-nhfb, articleno = "17", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "cryptography; Hellman's time-memory trade-off; password cracking; rainbow tables", } @Article{Yang:2008:SSH, author = "Yi Yang and Xinran Wang and Sencun Zhu and Guohong Cao", title = "{SDAP}: a Secure Hop-by-Hop Data Aggregation Protocol for Sensor Networks", journal = j-TISSEC, volume = "11", number = "4", pages = "18:1--18:??", month = jul, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1380564.1380568", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Aug 5 19:37:22 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Hop-by-hop data aggregation is a very important technique for reducing the communication overhead and energy expenditure of sensor nodes during the process of data collection in a sensor network. However, because individual sensor readings are lost in the per-hop aggregation process, compromised nodes in the network may forge false values as the aggregation results of other nodes, tricking the base station into accepting spurious aggregation results. Here a fundamental challenge is how can the base station obtain a good approximation of the fusion result when a fraction of sensor nodes are compromised?\par To answer this challenge, we propose SDAP, a Secure Hop-by-hop Data Aggregation Protocol for sensor networks. SDAP is a general-purpose secure data aggregation protocol applicable to multiple aggregation functions. The design of SDAP is based on the principles of {\em divide-and-conquer\/} and {\em commit-and-attest}. First, SDAP uses a novel probabilistic grouping technique to dynamically partition the nodes in a tree topology into multiple logical groups (subtrees) of similar sizes. A commitment-based hop-by-hop aggregation is performed in each group to generate a group aggregate. The base station then identifies the suspicious groups based on the set of group aggregates. Finally, each group under suspect participates in an attestation process to prove the correctness of its group aggregate. The aggregate by the base station is calculated over all the group aggregates that are either normal or have passed the attestation procedure. Extensive analysis and simulations show that SDAP can achieve the level of efficiency close to an ordinary hop-by-hop aggregation protocol while providing high assurance on the trustworthiness of the aggregation result. Last, prototype implementation on top of TinyOS shows that our scheme is practical on current generation sensor nodes such as Mica2 motes.", acknowledgement = ack-nhfb, articleno = "18", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "commit-and-attest; data aggregation; hop-by-hop; probabilistic grouping; sensor network security", } @Article{Radosavac:2008:AFM, author = "Svetlana Radosavac and George Moustakides and John S. Baras and Iordanis Koutsopoulos", title = "An Analytic Framework for Modeling and Detecting Access Layer Misbehavior in Wireless Networks", journal = j-TISSEC, volume = "11", number = "4", pages = "19:1--19:??", month = jul, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1380564.1380567", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Aug 5 19:37:22 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The widespread deployment of wireless networks and hot spots that employ the IEEE 802.11 technology has forced network designers to put emphasis on the importance of ensuring efficient and fair use of network resources. In this work we propose a novel framework for detection of intelligent adaptive adversaries in the IEEE 802.11 MAC by addressing the problem of detection of the worst-case scenario attacks. Utilizing the nature of this protocol we employ sequential detection methods for detecting greedy behavior and illustrate their performance for detection of least favorable attacks. By using robust statistics in our problem formulation, we attempt to utilize the precision given by parametric tests, while avoiding the specification of the adversarial distribution. This approach establishes the lowest performance bound of a given Intrusion Detection System (IDS) in terms of detection delay and is applicable in online detection systems where users who pay for their services want to obtain the information about the best and the worst case scenarios and performance bounds of the system. This framework is meaningful for studying misbehavior due to the fact that it does not focus on specific adversarial strategies and therefore is applicable to a wide class of adversarial strategies.", acknowledgement = ack-nhfb, articleno = "19", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "MAC layer; min-max robust detection; protocol misbehavior; wireless networks", } @Article{Ryu:2008:EID, author = "Young U. Ryu and Hyeun-Suk Rhee", title = "Evaluation of Intrusion Detection Systems Under a Resource Constraint", journal = j-TISSEC, volume = "11", number = "4", pages = "20:1--20:??", month = jul, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1380564.1380566", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Aug 5 19:37:22 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "An intrusion detection system plays an important role in a firm's overall security protection. Its main purpose is to identify potentially intrusive events and alert the security personnel to the danger. A typical intrusion detection system, however, is known to be imperfect in detection of intrusive events, resulting in high false-alarm rates. Nevertheless, current intrusion detection models unreasonably assume that upon alerts raised by a system, an information security officer responds to all alarms without any delay and avoids damages of hostile activities. This assumption of responding to all alarms with no time lag is often impracticable. As a result, the benefit of an intrusion detection system can be overestimated by current intrusion detection models. In this article, we extend previous models by including an information security officer's alarm inspection under a constraint as a part of the process in determining the optimal intrusion detection policy. Given a potentially hostile environment for a firm, in which the intrusion rates and costs associated with intrusion and security officers' inspection can be estimated, we outline a framework to establish the optimal operating points for intrusion detection systems under security officers' inspection constraint. The optimal solution to the model will provide not only a basis of better evaluation of intrusion detection systems but also useful insights into operations of intrusion detection systems. The firm can estimate expected benefits for running intrusion detection systems and establish a basis for increase in security personnel to relax security officers' inspection constraint.", acknowledgement = ack-nhfb, articleno = "20", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "computer security; intrusion detection; optimal inspection rates; optimal operating points", } @Article{Halpern:2008:UFO, author = "Joseph Y. Halpern and Vicky Weissman", title = "Using First-Order Logic to Reason about Policies", journal = j-TISSEC, volume = "11", number = "4", pages = "21:1--21:??", month = jul, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1380564.1380569", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Aug 5 19:37:22 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "A policy describes the conditions under which an action is permitted or forbidden. We show that a fragment of (multi-sorted) first-order logic can be used to represent and reason about policies. Because we use first-order logic, policies have a clear syntax and semantics. We show that further restricting the fragment results in a language that is still quite expressive yet is also tractable. More precisely, questions about entailment, such as ``May Alice access the file?'', can be answered in time that is a low-order polynomial (indeed, almost linear in some cases), as can questions about the consistency of policy sets.", acknowledgement = ack-nhfb, articleno = "21", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "digital rights management", } @Article{Liu:2008:ARL, author = "Donggang Liu and Peng Ning and An Liu and Cliff Wang and Wenliang Kevin Du", title = "Attack-Resistant Location Estimation in Wireless Sensor Networks", journal = j-TISSEC, volume = "11", number = "4", pages = "22:1--22:??", month = jul, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1380564.1380570", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Aug 5 19:37:22 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Many sensor network applications require sensors' locations to function correctly. Despite the recent advances, location discovery for sensor networks in {\em hostile environments\/} has been mostly overlooked. Most of the existing localization protocols for sensor networks are vulnerable in hostile environments. The security of location discovery can certainly be enhanced by authentication. However, the possible node compromises and the fact that location determination uses certain physical features (e.g., received signal strength) of radio signals make authentication not as effective as in traditional security applications. This article presents two methods to tolerate malicious attacks against range-based location discovery in sensor networks. The first method filters out malicious beacon signals on the basis of the ``consistency'' among multiple beacon signals, while the second method tolerates malicious beacon signals by adopting an iteratively refined voting scheme. Both methods can survive malicious attacks even if the attacks bypass authentication, provided that the benign beacon signals constitute the majority of the beacon signals. This article also presents the implementation and experimental evaluation (through both field experiments and simulation) of all the secure and resilient location estimation schemes that can be used on the current generation of sensor platforms (e.g., MICA series of motes), including the techniques proposed in this article, in a network of MICAz motes. The experimental results demonstrate the effectiveness of the proposed methods, and also give the secure and resilient location estimation scheme most suitable for the current generation of sensor networks.", acknowledgement = ack-nhfb, articleno = "22", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "localization; security; sensor networks", } @Article{Ganeriwal:2008:STS, author = "Saurabh Ganeriwal and Christina P{\"o}pper and Srdjan {\v{C}}apkun and Mani B. Srivastava", title = "Secure Time Synchronization in Sensor Networks", journal = j-TISSEC, volume = "11", number = "4", pages = "23:1--23:??", month = jul, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1380564.1380571", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Aug 5 19:37:22 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Time synchronization is critical in sensor networks at many layers of their design. It enables better duty-cycling of the radio, accurate and secure localization, beamforming, and other collaborative signal processing tasks. These benefits make time-synchronization protocols a prime target of malicious adversaries who want to disrupt the normal operation of a sensor network. In this article, we analyze attacks on existing time synchronization protocols for wireless sensor networks and we propose a secure time synchronization toolbox to counter these attacks. This toolbox includes protocols for secure pairwise and group synchronization of nodes that either lie in the neighborhood of each other or are separated by multiple hops. We provide an in-depth analysis of the security and the energy overhead of the proposed protocols. The efficiency of these protocols has been tested through an experimental study on Mica2 motes.", acknowledgement = ack-nhfb, articleno = "23", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "delay; message authentication code; sensor networks; time synchronization", } @Article{Barker:2008:SBA, author = "Steve Barker and Marek J. Sergot and Duminda Wijesekera", title = "Status-Based Access Control", journal = j-TISSEC, volume = "12", number = "1", pages = "1:1--1:??", month = oct, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1410234.1410235", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Nov 11 15:54:06 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Despite their widespread adoption, Role-based Access Control (RBAC) models exhibit certain shortcomings that make them less than ideal for deployment in, for example, distributed access control. In the distributed case, standard RBAC assumptions (e.g., of relatively static access policies, managed by human users, with complete information available about users and job functions) do not necessarily apply. Moreover, RBAC is restricted in the sense that it is based on one type of ascribed status, an assignment of a user to a role. In this article, we introduce the status-based access control (SBAC) model for distributed access control. The SBAC model (or family of models) is based on the notion of users having an action status as well as an ascribed status. A user's action status is established, in part, from a history of events that relate to the user; this history enables changing access policy requirements to be naturally accommodated. The approach can be implemented as an autonomous agent that reasons about the events, actions, and a history (of events and actions), which relates to a requester for access to resources, in order to decide whether the requester is permitted the access sought. We define a number of algebras for composing SBAC policies, algebras that exploit the language that we introduce for SBAC policy representation: identification-based logic programs. The SBAC model is richer than RBAC models and the policies that can be represented in our approach are more expressive than the policies admitted by a number of monotonic languages that have been hitherto described for representing distributed access control requirements. Our algebras generalize existing algebras that have been defined for access policy composition. We also describe an approach for the efficient implementation of SBAC policies.", acknowledgement = ack-nhfb, articleno = "1", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "algebras; distributed security; logic; status-based access control", } @Article{Xu:2008:DSB, author = "Shouhuai Xu and Srdjan {\v{C}}apkun", title = "Distributed and Secure Bootstrapping of Mobile Ad Hoc Networks: Framework and Constructions", journal = j-TISSEC, volume = "12", number = "1", pages = "2:1--2:??", month = oct, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1410234.1410236", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Nov 11 15:54:06 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Secure bootstrapping of mobile ad hoc networks (MANETs) is a challenging problem in scenarios in which network users (or nodes) do not share trust relationships prior to the network deployment. In recent years, a number of schemes have been proposed to solve this problem, assuming either no or limited trust between the nodes prior to their deployment. Despite numerous proposals, there is no common understanding of the proposed schemes and of the trade-offs that they provide. This has consequences for both researchers and practitioners, who do not have a clear idea how to compare the schemes and how to select a scheme for a given application. In this article, we present a framework that helps in understanding and comparing schemes for secure bootstrapping of MANETs. The framework is general because it is policy-neutral and can accommodate many existing bootstrapping schemes. The proposed framework can equally serve as a good basis for the development of new MANET bootstrapping schemes; we show how the development of the framework leads to two new (classes of) distributed bootstrapping schemes. Within the framework, we not only investigate and characterize the properties of the relevant bootstrapping schemes, but also give methods for practitioners to select the relevant system parameters in the Random Walk and the (Restricted) Random Waypoint mobility models.", acknowledgement = ack-nhfb, articleno = "2", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "MANETs; secure communication; security bootstrapping", } @Article{Boldyreva:2008:NMS, author = "Alexandra Boldyreva and Craig Gentry and Adam O'Neill and Dae Hyun Yum", title = "New Multiparty Signature Schemes for Network Routing Applications", journal = j-TISSEC, volume = "12", number = "1", pages = "3:1--3:??", month = oct, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1410234.1410237", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Nov 11 15:54:06 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We construct two new multiparty digital signature schemes that allow multiple signers to sequentially and non-interactively produce a compact, fixed-length signature. First, we introduce a new primitive that we call {\em ordered multisignature\/} (OMS) scheme, which allows signers to attest to a common message as well as the order in which they signed. Our OMS construction substantially improves computational efficiency and scalability over any existing scheme with suitable functionality. Second, we design a new identity-based sequential aggregate signature scheme, where signers can attest to different messages and signature verification does not require knowledge of traditional public keys. The latter property permits savings on bandwidth and storage as compared to public-key solutions. In contrast to the only prior scheme to provide this functionality, ours offers improved security that does not rely on synchronized clocks or a trusted first signer. We provide formal security definitions and support the proposed schemes with security proofs under appropriate computational assumptions. We focus on applications of our schemes to secure network routing, but we believe that they will find other applications as well.", acknowledgement = ack-nhfb, articleno = "3", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "aggregate signatures; digital signatures; identity-based signatures; multisignatures; network security; pairings", } @Article{Wang:2008:GBA, author = "Wei Wang and Thomas E. Daniels", title = "A Graph Based Approach Toward Network Forensics Analysis", journal = j-TISSEC, volume = "12", number = "1", pages = "4:1--4:??", month = oct, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1410234.1410238", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Nov 11 15:54:06 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "In this article we develop a novel graph-based approach toward network forensics analysis. Central to our approach is the evidence graph model that facilitates evidence presentation and automated reasoning. Based on the evidence graph, we propose a hierarchical reasoning framework that consists of two levels. Local reasoning aims to infer the functional states of network entities from local observations. Global reasoning aims to identify important entities from the graph structure and extract groups of densely correlated participants in the attack scenario. This article also presents a framework for interactive hypothesis testing, which helps to identify the attacker's nonexplicit attack activities from secondary evidence. We developed a prototype system that implements the techniques discussed. Experimental results on various attack datasets demonstrate that our analysis mechanism achieves good coverage and accuracy in attack group and scenario extraction with less dependence on hard-coded expert knowledge.", acknowledgement = ack-nhfb, articleno = "4", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "evidence graph; hierarchical reasoning; network forensics", } @Article{Halpern:2008:SMS, author = "Joseph Y. Halpern and Kevin R. O'Neill", title = "Secrecy in Multiagent Systems", journal = j-TISSEC, volume = "12", number = "1", pages = "5:1--5:??", month = oct, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1410234.1410239", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Nov 11 15:54:06 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We introduce a general framework for reasoning about secrecy requirements in multiagent systems. Our definitions extend earlier definitions of secrecy and nondeducibility given by Shannon and Sutherland. Roughly speaking, one agent maintains secrecy with respect to another if the second agent cannot rule out any possibilities for the behavior or state of the first agent. We show that the framework can handle probability and nondeterminism in a clean way, is useful for reasoning about asynchronous systems as well as synchronous systems, and suggests generalizations of secrecy that may be useful for dealing with issues such as resource-bounded reasoning. We also show that a number of well-known attempts to characterize the absence of information flow are special cases of our definitions of secrecy.", acknowledgement = ack-nhfb, articleno = "5", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "information flow; secrecy", } @Article{Yao:2008:PIR, author = "Danfeng Yao and Keith B. Frikken and Mikhail J. Atallah and Roberto Tamassia", title = "Private Information: To Reveal or not to Reveal", journal = j-TISSEC, volume = "12", number = "1", pages = "6:1--6:??", month = oct, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1410234.1410240", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Nov 11 15:54:06 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "This article studies the notion of quantitative policies for trust management and gives protocols for realizing them in a disclosure-minimizing fashion. Specifically, Bob values each credential with a certain number of points, and requires a minimum total threshold of points before granting Alice access to a resource. In turn, Alice values each of her credentials with a privacy score that indicates her degree of reluctance to reveal that credential. Bob's valuation of credentials and his threshold are private. Alice's privacy-valuation of her credentials is also private. Alice wants to find a subset of her credentials that achieves Bob's required threshold for access, yet is of as small a value to her as possible. We give protocols for computing such a subset of Alice's credentials without revealing any of the two parties' above-mentioned private information. Furthermore, we develop a fingerprint method that allows Alice to independently and easily recover the optimal knapsack solution, once the computed optimal value is given, but also enables verification of the integrity of the optimal value. The fingerprint method is useful beyond the specific authorization problem studied, and can be applied to any integer knapsack dynamic programming in a private setting.", acknowledgement = ack-nhfb, articleno = "6", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "authorization; policies; secure multi-party computation", } @Article{Wright:2008:GES, author = "Rebecca N. Wright and {Sabrina De Capitanidi Vimercati}", title = "Guest Editorial: Special Issue on Computer and Communications Security", journal = j-TISSEC, volume = "12", number = "2", pages = "7:1--7:??", month = dec, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1455518.1455519", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Dec 23 11:58:14 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "7", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Lee:2008:ESC, author = "Adam J. Lee and Marianne Winslett", title = "Enforcing Safety and Consistency Constraints in Policy-Based Authorization Systems", journal = j-TISSEC, volume = "12", number = "2", pages = "8:1--8:??", month = dec, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1455518.1455520", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Dec 23 11:58:14 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "In trust negotiation and other forms of distributed proving, networked entities cooperate to form proofs of authorization that are justified by collections of certified attribute credentials. These attributes may be obtained through interactions with any number of external entities and are collected and validated over an extended period of time. Although these collections of credentials in some ways resemble partial system snapshots, current trust negotiation and distributed proving systems lack the notion of a consistent global state in which the satisfaction of authorization policies should be checked. In this article, we argue that unlike the notions of consistency studied in other areas of distributed computing, the level of consistency required during policy evaluation is predicated solely upon the security requirements of the policy evaluator. As such, there is little incentive for entities to participate in complicated consistency preservation schemes like those used in distributed computing, distributed databases, and distributed shared memory. We go on to show that the most intuitive notion of consistency fails to provide basic safety guarantees under certain circumstances and then propose several more refined notions of consistency that provide stronger safety guarantees. We provide algorithms that allow each of these refined notions of consistency to be attained in practice with minimal overheads and formally prove several security and privacy properties of these algorithms. Lastly, we explore the notion of strategic design trade-offs in the consistency enforcement algorithm space and propose several modifications to the core algorithms presented in this article. These modifications enhance the privacy-preservation or completeness properties of these algorithms without altering the consistency constraints that they enforce.", acknowledgement = ack-nhfb, articleno = "8", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "consistency; credentials; distributed proving; trust negotiation", } @Article{Golle:2008:DCS, author = "Philippe Golle and Frank McSherry and Ilya Mironov", title = "Data Collection with Self-Enforcing Privacy", journal = j-TISSEC, volume = "12", number = "2", pages = "9:1--9:??", month = dec, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1455518.1455521.", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Dec 23 11:58:14 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Consider a pollster who wishes to collect private, sensitive data from a number of distrustful individuals. How might the pollster convince the respondents that it is trustworthy? Alternately, what mechanism could the respondents insist upon to ensure that mismanagement of their data is detectable and publicly demonstrable?\par We detail this problem, and provide simple data submission protocols with the properties that (a) leakage of private data by the pollster results in evidence of the transgression and (b) the evidence cannot be fabricated without breaking cryptographic assumptions. With such guarantees, a responsible pollster could post a ``privacy-bond,'' forfeited to anyone who can provide evidence of leakage. The respondents are assured that appropriate penalties are applied to a leaky pollster, while the protection from spurious indictment ensures that any honest pollster has no disincentive to participate in such a scheme.", acknowledgement = ack-nhfb, articleno = "9", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "data collection; privacy", } @Article{Cadar:2008:EAG, author = "Cristian Cadar and Vijay Ganesh and Peter M. Pawlowski and David L. Dill and Dawson R. Engler", title = "{EXE}: Automatically Generating Inputs of Death", journal = j-TISSEC, volume = "12", number = "2", pages = "10:1--10:??", month = dec, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1455518.1455522", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Dec 23 11:58:14 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "This article presents EXE, an effective bug-finding tool that automatically generates inputs that crash real code. Instead of running code on manually or randomly constructed input, EXE runs it on symbolic input initially allowed to be anything. As checked code runs, EXE tracks the constraints on each symbolic (i.e., input-derived) memory location. If a statement uses a symbolic value, EXE does not run it, but instead adds it as an input-constraint; all other statements run as usual. If code conditionally checks a symbolic expression, EXE forks execution, constraining the expression to be true on the true branch and false on the other. Because EXE reasons about all possible values on a path, it has much more power than a traditional runtime tool: (1) it can force execution down any feasible program path and (2) at dangerous operations (e.g., a pointer dereference), it detects if the current path constraints allow {\em any\/} value that causes a bug. When a path terminates or hits a bug, EXE automatically generates a test case by solving the current path constraints to find concrete values using its own co-designed constraint solver, STP. Because EXE's constraints have no approximations, feeding this concrete input to an uninstrumented version of the checked code will cause it to follow the same path and hit the same bug (assuming deterministic code).\par EXE works well on real code, finding bugs along with inputs that trigger them in: the BSD and Linux packet filter implementations, the dhcpd DHCP server, the pcre regular expression library, and three Linux file systems.", acknowledgement = ack-nhfb, articleno = "10", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "attack generation; bug finding; constraint solving; dynamic analysis; symbolic execution; test case generation", } @Article{Wang:2008:FBB, author = "Xiaofeng Wang and Zhuowei Li and Jong Youl Choi and Jun Xu and Michael K. Reiter and Chongkyung Kil", title = "Fast and Black-box Exploit Detection and Signature Generation for Commodity Software", journal = j-TISSEC, volume = "12", number = "2", pages = "11:1--11:??", month = dec, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1455518.1455523", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Dec 23 11:58:14 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "In biology, a {\em vaccine\/} is a weakened strain of a virus or bacterium that is intentionally injected into the body for the purpose of stimulating antibody production. Inspired by this idea, we propose a {\em packet vaccine\/} mechanism that randomizes address-like strings in packet payloads to carry out fast exploit detection and signature generation. An exploit with a randomized jump address behaves like a vaccine: it will likely cause an exception in a vulnerable program's process when attempting to hijack the control flow, and thereby expose itself. Taking that exploit as a template, our signature generator creates a set of new vaccines to probe the program in an attempt to uncover the necessary conditions for the exploit to happen. A signature is built upon these conditions to shield the underlying vulnerability from further attacks. In this way, packet vaccine detects exploits and generates signatures in a black-box fashion, that is, not relying on the knowledge of a vulnerable program's source and binary code. Therefore, it even works on the commodity software obfuscated for the purpose of copyright protection. In addition, since our approach avoids the expense of tracking the program's execution flow, it performs almost as fast as a normal run of the program and is capable of generating a signature of high quality within seconds or even subseconds. We present the design of the packet vaccine mechanism and an example of its application. We also describe our proof-of-concept implementation and the evaluation of our technique using real exploits.", acknowledgement = ack-nhfb, articleno = "11", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "black-box defense; exploit detection; signature generation; vaccine injection; worm", } @Article{Antonatos:2008:PMW, author = "Spiros Antonatos and Periklis Akritidis and Vinh The Lam and Kostas G. Anagnostakis", title = "Puppetnets: Misusing {Web} Browsers as a Distributed Attack Infrastructure", journal = j-TISSEC, volume = "12", number = "2", pages = "12:1--12:??", month = dec, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1455518.1455524.", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Dec 23 11:58:14 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Most of the recent work on Web security focuses on preventing attacks that directly harm the browser's host machine and user. In this paper we attempt to quantify the threat of browsers being indirectly misused for attacking third parties. Specifically, we look at how the existing Web infrastructure (e.g., the languages, protocols, and security policies) can be exploited by malicious or subverted Web sites to remotely instruct browsers to orchestrate actions including denial of service attacks, worm propagation, and reconnaissance scans. We show that attackers are able to create powerful botnet-like infrastructures that can cause significant damage. We explore the effectiveness of countermeasures including anomaly detection and more fine-grained browser security policies.", acknowledgement = ack-nhfb, articleno = "12", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "distributed attacks; malicious software; Web security", } @Article{Xie:2008:TMS, author = "Mengjun Xie and Heng Yin and Haining Wang", title = "Thwarting {E}-mail Spam Laundering", journal = j-TISSEC, volume = "12", number = "2", pages = "13:1--13:??", month = dec, year = "2008", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1455518.1455525", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Dec 23 11:58:14 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Laundering e-mail spam through open-proxies or compromised PCs is a widely-used trick to conceal real spam sources and reduce spamming cost in the underground e-mail spam industry. Spammers have plagued the Internet by exploiting a large number of spam proxies. The facility of breaking spam laundering and deterring spamming activities close to their sources, which would greatly benefit not only e-mail users but also victim ISPs, is in great demand but still missing. In this article, we reveal one salient characteristic of proxy-based spamming activities, namely packet symmetry, by analyzing protocol semantics and timing causality. Based on the packet symmetry exhibited in spam laundering, we propose a simple and effective technique, DBSpam, to online detect and break spam laundering activities inside a customer network. Monitoring the bidirectional traffic passing through a network gateway, DBSpam utilizes a simple statistical method, Sequential Probability Ratio Test, to detect the occurrence of spam laundering in a timely manner. To balance the goals of promptness and accuracy, we introduce a noise-reduction technique in DBSpam, after which the laundering path can be identified more accurately. Then DBSpam activates its spam suppressing mechanism to break the spam laundering. We implement a prototype of DBSpam based on {\em libpcap}, and validate its efficacy on spam detection and suppression through both theoretical analyses and trace-based experiments.", acknowledgement = ack-nhfb, articleno = "13", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "proxy; Spam; SPRT", } @Article{Liang:2009:AIE, author = "Zhenkai Liang and Weiqing Sun and V. N. Venkatakrishnan and R. Sekar", title = "{Alcatraz}: An Isolated Environment for Experimenting with Untrusted Software", journal = j-TISSEC, volume = "12", number = "3", pages = "14:1--14:37", month = jan, year = "2009", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1455526.1455527", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 2 18:03:37 MST 2009", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "In this article, we present an approach for realizing a {\em safe execution environment (SEE)\/} that enables users to ``try out'' new software (or configuration changes to existing software) without the fear of damaging the system in any manner. A key property of our SEE is that it faithfully reproduces the behavior of applications, as if they were running natively on the underlying (host) operating system. This is accomplished via {\em one-way isolation\/}: processes running within the SEE are given read-access to the environment provided by the host OS, but their write operations are prevented from escaping outside the SEE. As a result, SEE processes cannot impact the behavior of host OS processes, or the integrity of data on the host OS. SEEs support a wide range of tasks, including: study of malicious code, controlled execution of untrusted software, experimentation with software configuration changes, testing of software patches, and so on. It provides a convenient way for users to inspect system changes made within the SEE. If these changes are not accepted, they can be rolled back at the click of a button. Otherwise, the changes can be committed so as to become visible outside the SEE. We provide consistency criteria that ensure semantic consistency of the committed results. We develop two different implementation approaches, one in {\em user-land\/} and the other in the {\em OS kernel}, for realizing a safe-execution environment. Our implementation results show that most software, including fairly complex server and client applications, can run successfully within our SEEs. It introduces low performance overheads, typically below 10 percent.", acknowledgement = ack-nhfb, articleno = "14", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "Isolation; one-way isolation", } @Article{Yao:2009:CAR, author = "Danfeng Yao and Roberto Tamassia", title = "Compact and Anonymous Role-Based Authorization Chain", journal = j-TISSEC, volume = "12", number = "3", pages = "15:1--15:??", month = jan, year = "2009", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1455526.1455528", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 2 18:03:37 MST 2009", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We introduce a decentralized delegation model called anonymous role-based cascaded delegation. In this model, a delegator can issue authorizations on behalf of her role without revealing her identity. This type of delegation protects the sensitive membership information of a delegator and hides the internal structure of an organization. To provide an efficient storage and transmission mechanism for credentials used in anonymous role-based cascaded delegation, we present a new digital signature scheme that supports both signer anonymity and signature aggregation. Our scheme has compact role signatures that make it especially suitable for ubiquitous computing environments, where users may have mobile computing devices with narrow communication bandwidth and small storage units.", acknowledgement = ack-nhfb, articleno = "15", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "aggregate signature; anonymity; Delegation", } @Article{Bethencourt:2009:NTP, author = "John Bethencourt and Dawn Song and Brent Waters", title = "New Techniques for Private Stream Searching", journal = j-TISSEC, volume = "12", number = "3", pages = "16:1--16:??", month = jan, year = "2009", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1455526.1455529", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 2 18:03:37 MST 2009", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "A system for private stream searching, introduced by Ostrovsky and Skeith, allows a client to provide an untrusted server with an encrypted search query. The server uses the query on a stream of documents and returns the matching documents to the client while learning nothing about the nature of the query. We present a new scheme for conducting private keyword search on streaming data which requires $O(m)$ server to client communication complexity to return the content of the matching documents, where $m$ is an upper bound on the size of the documents. The required storage on the server conducting the search is also $O(m)$. The previous best scheme for private stream searching was shown to have $O(m \log m)$ communication and storage complexity. Our solution employs a novel construction in which the user reconstructs the matching files by solving a system of linear equations. This allows the matching documents to be stored in a compact buffer rather than relying on redundancies to avoid collisions in the storage buffer as in previous work. This technique requires a small amount of metadata to be returned in addition to the documents; for this the original scheme of Ostrovsky and Skeith may be employed with $O(m \log m)$ communication and storage complexity. We also present an alternative method for returning the necessary metadata based on a unique encrypted Bloom filter construction. This method requires $O(m \log(t / m))$ communication and storage complexity, where $t$ is the number of documents in the stream. In this article we describe our scheme, prove it secure, analyze its asymptotic performance, and describe a number of extensions. We also provide an experimental analysis of its scalability in practice. Specifically, we consider its performance in the demanding scenario of providing a privacy preserving version of the Google News Alerts service.", acknowledgement = ack-nhfb, articleno = "16", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "Bloom filter; private information retrieval; private stream searching; public key program obfuscation", } @Article{Crosby:2009:OLR, author = "Scott A. Crosby and Dan S. Wallach and Rudolf H. Riedi", title = "Opportunities and Limits of Remote Timing Attacks", journal = j-TISSEC, volume = "12", number = "3", pages = "17:1--17:??", month = jan, year = "2009", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1455526.1455530", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 2 18:03:37 MST 2009", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Many algorithms can take a variable amount of time to complete depending on the data being processed. These timing differences can sometimes disclose confidential information. Indeed, researchers have been able to reconstruct an RSA private key purely by querying an SSL Web server and timing the results. Our work analyzes the limits of attacks based on accurately measuring network response times and jitter over a local network and across the Internet. We present the design of filters to significantly reduce the effects of jitter, allowing an attacker to measure events with 15--100$\mu$s accuracy across the Internet, and as good as 100ns over a local network. Notably, security-related algorithms on Web servers and other network servers need to be carefully engineered to avoid timing channel leaks at the accuracy demonstrated in this article.", acknowledgement = ack-nhfb, articleno = "17", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "Information leakage; jitter; timing attacks", } @Article{Atallah:2009:DEK, author = "Mikhail J. Atallah and Marina Blanton and Nelly Fazio and Keith B. Frikken", title = "Dynamic and Efficient Key Management for Access Hierarchies", journal = j-TISSEC, volume = "12", number = "3", pages = "18:1--18:??", month = jan, year = "2009", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1455526.1455531", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 2 18:03:37 MST 2009", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Hierarchies arise in the context of access control whenever the user population can be modeled as a set of partially ordered classes (represented as a directed graph). A user with access privileges for a class obtains access to objects stored at that class and all descendant classes in the hierarchy. The problem of key management for such hierarchies then consists of assigning a key to each class in the hierarchy so that keys for descendant classes can be obtained via efficient key derivation.\par We propose a solution to this problem with the following properties: (1) the space complexity of the public information is the same as that of storing the hierarchy; (2) the private information at a class consists of a single key associated with that class; (3) updates (i.e., revocations and additions) are handled {\em locally\/} in the hierarchy; (4) the scheme is provably secure against collusion; and (5) each node can derive the key of any of its descendant with a number of symmetric-key operations bounded by the length of the path between the nodes. Whereas many previous schemes had some of these properties, ours is the first that satisfies all of them. The security of our scheme is based on pseudorandom functions, without reliance on the Random Oracle Model.\par Another substantial contribution of this work is that we are able to lower the key derivation time at the expense of modestly increasing the public storage associated with the hierarchy. Insertion of additional, so-called shortcut, edges, allows to lower the key derivation to a small constant number of steps for graphs that are total orders and trees by increasing the total number of edges by a small asymptotic factor such as $O(\log^* n)$ for an $n$-node hierarchy. For more general access hierarchies of dimension $d$, we use a technique that consists of adding dummy nodes and dimension reduction. The key derivation work for such graphs is then linear in $d$ and the increase in the number of edges is by the factor $O(\log^{d - 1} n)$ compared to the one-dimensional case.\par Finally, by making simple modifications to our scheme, we show how to handle extensions proposed by Crampton [2003] of the standard hierarchies to ``limited depth'' and reverse inheritance.", acknowledgement = ack-nhfb, articleno = "18", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "Efficient key derivation; hierarchical access control; key management", } @Article{Ligatti:2009:RTE, author = "Jay Ligatti and Lujo Bauer and David Walker", title = "Run-Time Enforcement of Nonsafety Policies", journal = j-TISSEC, volume = "12", number = "3", pages = "19:1--19:??", month = jan, year = "2009", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1455526.1455532", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 2 18:03:37 MST 2009", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "A common mechanism for ensuring that software behaves securely is to monitor programs at run time and check that they dynamically adhere to constraints specified by a security policy. Whenever a program monitor detects that untrusted software is attempting to execute a dangerous action, it takes remedial steps to ensure that only safe code actually gets executed.\par This article improves our understanding of the space of policies enforceable by monitoring the run-time behaviors of programs. We begin by building a formal framework for analyzing policy enforcement: we precisely define policies, monitors, and enforcement. This framework allows us to prove that monitors enforce an interesting set of policies that we call the infinite renewal properties. We show how to construct a program monitor that provably enforces any reasonable infinite renewal property. We also show that the set of infinite renewal properties includes some nonsafety policies, that is, that monitors can enforce some nonsafety (including some purely liveness) policies. Finally, we demonstrate concrete examples of nonsafety policies enforceable by practical run-time monitors.", acknowledgement = ack-nhfb, articleno = "19", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "liveness; monitoring; policy enforcement; safety; security automata; security policies", } @Article{Li:2009:RPA, author = "Ninghui Li and Qihua Wang and Mahesh Tripunitara", title = "Resiliency Policies in Access Control", journal = j-TISSEC, volume = "12", number = "4", pages = "20:1--20:??", month = apr, year = "2009", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1513601.1513602", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu May 14 13:53:50 MDT 2009", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We introduce the notion of resiliency policies in the context of access control systems. Such policies require an access control system to be resilient to the absence of users. An example resiliency policy requires that upon removal of any $s$ users, there should still exist $d$ disjoint sets of users such that the users in each set together possess certain permissions of interest. Such a policy ensures that even when emergency situations cause some users to be absent, there still exist independent teams of users that have the permissions necessary for carrying out critical tasks. The Resiliency Checking Problem determines whether an access control state satisfies a given resiliency policy. We show that the general case of the problem and several subcases are intractable (NP hard), and identify two subcases that are solvable in linear time. For the intractable cases, we also identify the complexity class in the polynomial hierarchy to which these problems belong. We discuss the design and evaluation of an algorithm that can efficiently solve instances of nontrivial sizes that belong to the intractable cases of the problem. Furthermore, we study the consistency problem between resiliency policies and static separation of duty policies. Finally, we combine the notions of resiliency and separation of duty to introduce the resilient separation of duty policy, which is useful in situations where both fault-tolerance and fraud-prevention are desired.", acknowledgement = ack-nhfb, articleno = "20", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "access control; fault-tolerant; policy design", } @Article{Burmester:2009:UCR, author = "Mike Burmester and Tri Van Le and Breno {De Medeiros} and Gene Tsudik", title = "Universally Composable {RFID} Identification and Authentication Protocols", journal = j-TISSEC, volume = "12", number = "4", pages = "21:1--21:??", month = apr, year = "2009", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1513601.1513603", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu May 14 13:53:50 MDT 2009", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "As the number of RFID applications grows, concerns about their security and privacy become greatly amplified. At the same time, the acutely restricted and cost-sensitive nature of RFID tags rules out simple reuse of traditional security/privacy solutions and calls for a new generation of extremely lightweight identification and authentication protocols.\par This article describes a universally composable security framework designed especially for RFID applications. We adopt RFID-specific setup, communication, and concurrency assumptions in a model that guarantees strong security, privacy, and availability properties. In particular, the framework supports modular deployment, which is most appropriate for ubiquitous applications. We also describe a set of simple, efficient, secure, and anonymous (untraceable) RFID identification and authentication protocols that instantiate the proposed framework. These protocols involve minimal interaction between tags and readers and place only a small computational load on the tag, and a light computational burden on the back-end server. We show that our protocols are provably secure within the proposed framework.", acknowledgement = ack-nhfb, articleno = "21", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "authentication and key-exchange protocols; RFID security; universal composability", } @Article{Cabuk:2009:ICC, author = "Serdar Cabuk and Carla E. Brodley and Clay Shields", title = "{IP} Covert Channel Detection", journal = j-TISSEC, volume = "12", number = "4", pages = "22:1--22:29", month = apr, year = "2009", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1513601.1513604", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu May 14 13:53:50 MDT 2009", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "A covert channel can occur when an attacker finds and exploits a shared resource that is not designed to be a communication mechanism. A network covert channel operates by altering the timing of otherwise legitimate network traffic so that the arrival times of packets encode confidential data that an attacker wants to exfiltrate from a secure area from which she has no other means of communication. In this article, we present the first public implementation of an IP covert channel, discuss the subtle issues that arose in its design, and present a discussion on its efficacy. We then show that an IP covert channel can be differentiated from legitimate channels and present new detection measures that provide detection rates over 95\%. We next take the simple step an attacker would of adding noise to the channel to attempt to conceal the covert communication. For these noisy IP covert timing channels, we show that our online detection measures can fail to identify the covert channel for noise levels higher than 10\%. We then provide effective offline search mechanisms that identify the noisy channels.", acknowledgement = ack-nhfb, articleno = "22", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "channel detection; information hiding; network covert channels", } @Article{Meadows:2009:IAT, author = "Catherine Meadows", title = "Introduction to {ACM TISSEC} special issue on {CCS 2005}", journal = j-TISSEC, volume = "13", number = "1", pages = "1:1--1:??", month = oct, year = "2009", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1609956.1609957", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:12 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "1", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Li:2009:ATN, author = "Jiangtao Li and Ninghui Li and William H. Winsborough", title = "Automated trust negotiation using cryptographic credentials", journal = j-TISSEC, volume = "13", number = "1", pages = "2:1--2:??", month = oct, year = "2009", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1609956.1609958", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:12 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "2", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Zhuang:2009:KAE, author = "Li Zhuang and Feng Zhou and J. D. Tygar", title = "Keyboard acoustic emanations revisited", journal = j-TISSEC, volume = "13", number = "1", pages = "3:1--3:??", month = oct, year = "2009", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1609956.1609959", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:12 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "3", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Abadi:2009:CFI, author = "Mart{\'\i}n Abadi and Mihai Budiu and {\'U}lfar Erlingsson and Jay Ligatti", title = "Control-flow integrity principles, implementations, and applications", journal = j-TISSEC, volume = "13", number = "1", pages = "4:1--4:??", month = oct, year = "2009", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1609956.1609960", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:12 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "4", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Etalle:2009:MCW, author = "Sandro Etalle and William H. Winsborough", title = "Maintaining control while delegating trust: Integrity constraints in trust management", journal = j-TISSEC, volume = "13", number = "1", pages = "5:1--5:??", month = oct, year = "2009", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1609956.1609961", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:12 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "5", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Carminati:2009:EAC, author = "Barbara Carminati and Elena Ferrari and Andrea Perego", title = "Enforcing access control in {Web}-based social networks", journal = j-TISSEC, volume = "13", number = "1", pages = "6:1--6:??", month = oct, year = "2009", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1609956.1609962", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:12 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "6", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Juels:2009:DSP, author = "Ari Juels and Stephen A. Weis", title = "Defining strong privacy for {RFID}", journal = j-TISSEC, volume = "13", number = "1", pages = "7:1--7:??", month = oct, year = "2009", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1609956.1609963", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:12 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "7", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Zhu:2009:CAC, author = "Ye Zhu and Riccardo Bettati", title = "Compromising anonymous communication systems using blind source separation", journal = j-TISSEC, volume = "13", number = "1", pages = "8:1--8:??", month = oct, year = "2009", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1609956.1609964", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:12 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "8", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Sang:2009:ESP, author = "Yingpeng Sang and Hong Shen", title = "Efficient and secure protocols for privacy-preserving set operations", journal = j-TISSEC, volume = "13", number = "1", pages = "9:1--9:??", month = oct, year = "2009", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1609956.1609965", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:12 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "9", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Dorrendorf:2009:CRN, author = "Leo Dorrendorf and Zvi Gutterman and Benny Pinkas", title = "Cryptanalysis of the random number generator of the {Windows} operating system", journal = j-TISSEC, volume = "13", number = "1", pages = "10:1--10:32", month = oct, year = "2009", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1609956.1609966", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:12 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The PseudoRandom Number Generator (PRNG) used by the Windows operating system is the most commonly used PRNG. The pseudorandomness of the output of this generator is crucial for the security of almost any application running in Windows. Nevertheless, its exact algorithm was never published.\par We examined the binary code of a distribution of Windows 2000. This investigation was done without any help from Microsoft.We reconstructed the algorithm used by the pseudorandom number generator (namely, the function CryptGenRandom). We analyzed the security of the algorithm and found a nontrivial attack: Given the internal state of the generator, the previous state can be computed in 223 steps. This attack on forward security demonstrates that the design of the generator is flawed, since it is well known how to prevent such attacks. After our analysis was published, Microsoft acknowledged that Windows XP is vulnerable to the same attack.\par We also analyzed the way in which the generator is used by the operating system and found that it amplifies the effect of the attack: The generator is run in user mode rather than in kernel mode; therefore, it is easy to access its state even without administrator privileges. The initial values of part of the state of the generator are not set explicitly, but rather are defined by whatever values are present on the stack when the generator is called. Furthermore, each process runs a different copy of the generator, and the state of the generator is refreshed with system-generated entropy only after generating 128KB of output for the process running it. The result of combining this observation with our attack is that learning a single state may reveal 128KB of the past and future output of the generator.\par The implication of these findings is that a buffer overflow attack or a similar attack can be used to learn a single state of the generator, which can then be used to predict all random values, such as SSL keys, used by a process in all its past and future operations. This attack is more severe and more efficient than known attacks in which an attack", acknowledgement = ack-nhfb, articleno = "10", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{diVimercati:2010:GES, author = "Sabrina de Capitani di Vimercati and Paul Syverson", title = "Guest editorial: Special issue on computer and communications security", journal = j-TISSEC, volume = "13", number = "2", pages = "11:1--11:??", month = feb, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1698750.1698751", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "11", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Jiang:2010:SMD, author = "Xuxian Jiang and Xinyuan Wang and Dongyan Xu", title = "Stealthy malware detection and monitoring through {VMM}-based ``out-of-the-box'' semantic view reconstruction", journal = j-TISSEC, volume = "13", number = "2", pages = "12:1--12:??", month = feb, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1698750.1698752", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "12", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Hopper:2010:HMA, author = "Nicholas Hopper and Eugene Y. Vasserman and Eric Chan-TIN", title = "How much anonymity does network latency leak?", journal = j-TISSEC, volume = "13", number = "2", pages = "13:1--13:??", month = feb, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1698750.1698753", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "13", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Bisht:2010:CDC, author = "Prithvi Bisht and P. Madhusudan and V. N. Venkatakrishnan", title = "{CANDID}: Dynamic candidate evaluations for automatic prevention of {SQL} injection attacks", journal = j-TISSEC, volume = "13", number = "2", pages = "14:1--14:??", month = feb, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1698750.1698754", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "14", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Ponec:2010:NPA, author = "Miroslav Ponec and Paul Giura and Joel Wein and Herv{\'e} Br{\"o}nnimann", title = "New payload attribution methods for network forensic investigations", journal = j-TISSEC, volume = "13", number = "2", pages = "15:1--15:??", month = feb, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1698750.1698755", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "15", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Moran:2010:SBV, author = "Tal Moran and Moni Naor", title = "Split-ballot voting: Everlasting privacy with distributed trust", journal = j-TISSEC, volume = "13", number = "2", pages = "16:1--16:??", month = feb, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1698750.1698756", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "16", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Lysyanskaya:2010:AEC, author = "Anna Lysyanskaya and Roberto Tamassia and Nikos Triandopoulos", title = "Authenticated error-correcting codes with applications to multicast authentication", journal = j-TISSEC, volume = "13", number = "2", pages = "17:1--17:??", month = feb, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1698750.1698757", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "17", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Wang:2010:DVT, author = "Xiaofeng Wang and Philippe Golle and Markus Jakobsson and Alex Tsow", title = "Deterring voluntary trace disclosure in re-encryption mix-networks", journal = j-TISSEC, volume = "13", number = "2", pages = "18:1--18:??", month = feb, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1698750.1698758", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "18", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Biskup:2010:EE, author = "Joachim Biskup and Javier Lopez", title = "Editorial: {ESORICS 2007}", journal = j-TISSEC, volume = "13", number = "3", pages = "19:1--19:??", month = jul, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1805974.1805975", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jul 28 14:57:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "19", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Becker:2010:LSM, author = "Moritz Y. Becker and Sebastian Nanz", title = "A logic for state-modifying authorization policies", journal = j-TISSEC, volume = "13", number = "3", pages = "20:1--20:??", month = jul, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1805974.1805976", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jul 28 14:57:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Administering and maintaining access control systems is a challenging task, especially in environments with complex and changing authorization requirements. A number of authorization logics have been proposed that aim at simplifying access control by factoring the authorization policy out of the hard-coded resource guard. However, many policies require the authorization state to be updated after a granted access request, for example, to reflect the fact that a user has activated or deactivated a role. Current authorization languages cannot express such state modifications; these still have to be hard-coded into the resource guard. We present a logic for specifying policies where access requests can have effects on the authorization state. The logic is semantically defined by a mapping to Transaction Logic. Using this approach, updates to the state are factored out of the resource guard, thus enhancing maintainability and facilitating more expressive policies that take the history of access requests into account. We also present a sound and complete proof system for reasoning about sequences of access requests. This gives rise to a goal-oriented algorithm for finding minimal sequences that lead to a specified target authorization state.", acknowledgement = ack-nhfb, articleno = "20", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "access control; Authorization; Hoare logic; policy", } @Article{Barthe:2010:SMP, author = "Gilles Barthe and Tamara Rezk and Alejandro Russo and Andrei Sabelfeld", title = "Security of multithreaded programs by compilation", journal = j-TISSEC, volume = "13", number = "3", pages = "21:1--21:??", month = jul, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1805974.1895977", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jul 28 14:57:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "End-to-End security of mobile code requires that the code neither intentionally nor accidentally propagates sensitive information to an adversary. Although mobile code is commonly multithreaded low-level code, there lack enforcement mechanisms that ensure information security for such programs. The modularity is three-fold: we give modular extensions of sequential semantics, sequential security typing, and sequential security-type preserving compilation that allow us enforcing security for multithreaded programs. Thanks to the modularity, there are no more restrictions on multithreaded source programs than on sequential ones, and yet we guarantee that their compilations are provably secure for a wide class of schedulers.", acknowledgement = ack-nhfb, articleno = "21", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "compilers; Noninterference; schedulers; type systems", } @Article{Ciriani:2010:CFE, author = "Valentina Ciriani and Sabrina {De Capitani Di Vimercati} and Sara Foresti and Sushil Jajodia and Stefano Paraboschi and Pierangela Samarati", title = "Combining fragmentation and encryption to protect privacy in data storage", journal = j-TISSEC, volume = "13", number = "3", pages = "22:1--22:??", month = jul, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1805974.1805978", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jul 28 14:57:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The impact of privacy requirements in the development of modern applications is increasing very quickly. Many commercial and legal regulations are driving the need to develop reliable solutions for protecting sensitive information whenever it is stored, processed, or communicated to external parties. To this purpose, encryption techniques are currently used in many scenarios where data protection is required since they provide a layer of protection against the disclosure of personal information, which safeguards companies from the costs that may arise from exposing their data to privacy breaches. However, dealing with encrypted data may make query processing more expensive.\par In this article, we address these issues by proposing a solution to enforce the privacy of data collections that combines data fragmentation with encryption. We model privacy requirements as confidentiality constraints expressing the sensitivity of attributes and their associations. We then use encryption as an underlying (conveniently available) measure for making data unintelligible while exploiting fragmentation as a way to break sensitive associations among attributes. We formalize the problem of minimizing the impact of fragmentation in terms of number of fragments and their affinity and present two heuristic algorithms for solving such problems. We also discuss experimental results, comparing the solutions returned by our heuristics with respect to optimal solutions, which show that the heuristics, while guaranteeing a polynomial-time computation cost are able to retrieve solutions close to optimum.", acknowledgement = ack-nhfb, articleno = "22", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "encryption; fragmentation; Privacy", } @Article{Thuraisingham:2010:ES, author = "Bhavani Thuraisingham", title = "Editorial: {SACMAT 2007}", journal = j-TISSEC, volume = "13", number = "3", pages = "23:1--23:??", month = jul, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1805974.1805979", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jul 28 14:57:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "23", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Ni:2010:PAR, author = "Qun Ni and Elisa Bertino and Jorge Lobo and Carolyn Brodie and Clare-Marie Karat and John Karat and Alberto Trombeta", title = "Privacy-aware role-based access control", journal = j-TISSEC, volume = "13", number = "3", pages = "24:1--24:??", month = jul, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1805974.1805980", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jul 28 14:57:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "In this article, we introduce a comprehensive framework supporting a privacy-aware access control mechanism, that is, a mechanism tailored to enforce access control to data containing personally identifiable information and, as such, privacy sensitive. The key component of the framework is a family of models (P-RBAC) that extend the well-known RBAC model in order to provide full support for expressing highly complex privacy-related policies, taking into account features like purposes and obligations. We formally define the notion of privacy-aware permissions and the notion of conflicting permission assignments in P-RBAC, together with efficient conflict-checking algorithms. The framework also includes a flexible authoring tool, based on the use of the SPARCLE system, supporting the high-level specification of P-RBAC permissions. SPARCLE supports the use of natural language for authoring policies and is able to automatically generate P-RBAC permissions from these natural language specifications. In the article, we also report performance evaluation results and contrast our approach with other relevant access control and privacy policy frameworks such as P3P, EPAL, and XACML.", acknowledgement = ack-nhfb, articleno = "24", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "model; Privacy; purpose; Role-based access control", } @Article{Lee:2010:CDP, author = "Adam J. Lee and Kazuhiro Minami and Marianne Winslett", title = "On the consistency of distributed proofs with hidden subtrees", journal = j-TISSEC, volume = "13", number = "3", pages = "25:1--25:??", month = jul, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1805974.1805981", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jul 28 14:57:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Previous work has shown that distributed authorization systems that fail to sample a consistent snapshot of the underlying system during policy evaluation are vulnerable to a number of attacks. Unfortunately, the consistency enforcement solutions presented in previous work were designed for systems in which only CA-certified evidence is used during the decision-making process, all of which is available to the decision-making node at runtime. In this article, we generalize previous results and present light-weight mechanisms through which consistency constraints can be enforced in proof systems in which the full details of a proof may be unavailable to the querier due to information release policies, and the existence of certificate authorities for certifying evidence is unlikely; these types of distributed proof systems are likely candidates for use in pervasive computing and sensor network environments. We present modifications to one such distributed proof system that enable three types of consistency constraints to be enforced while still respecting the same confidentiality and integrity policies as the original proof system. We then discuss how these techniques can be adapted and applied to other, less restrictive, distributed proof systems. Further, we detail a performance analysis that illustrates the modest overheads of our consistency enforcement schemes.", acknowledgement = ack-nhfb, articleno = "25", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "Consistency; distributed proving; pervasive computing", } @Article{Hicks:2010:LSA, author = "Boniface Hicks and Sandra Rueda and Luke {St. Clair} and Trent Jaeger and Patrick McDaniel", title = "A logical specification and analysis for {SELinux MLS} policy", journal = j-TISSEC, volume = "13", number = "3", pages = "26:1--26:??", month = jul, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1805874.1805982", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jul 28 14:57:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/linux.bib; http://www.math.utah.edu/pub/tex/bib/tissec.bib; http://www.math.utah.edu/pub/tex/bib/unix.bib", abstract = "The SELinux mandatory access control (MAC) policy has recently added a multilevel security (MLS) model which is able to express a fine granularity of control over a subject's access rights. The problem is that the richness of the SELinux MLS model makes it impractical to manually evaluate that a given policy meets certain specific properties. To address this issue, we have modeled the SELinux MLS model, using a logical specification and implemented that specification in the Prolog language. Furthermore, we have developed some analyses for testing information flow properties of a given policy as well as an algorithm to determine whether one policy is compliant with another. We have implemented these analyses in Prolog and compiled our implementation into a tool for SELinux MLS policy analysis, called PALMS. Using PALMS, we verified some important properties of the SELinux MLS reference policy, namely that it satisfies the simple security condition and $\star$-property defined by Bell and LaPadula. We also evaluated whether the policy associated to a given application is compliant with the policy of the SELinux system in which it would be deployed.", acknowledgement = ack-nhfb, articleno = "26", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "multilevel security; policy analysis; policy compliance; SELinux", } @Article{Vaidya:2010:RMP, author = "Jaideep Vaidya and Vijayalakshmi Atluri and Qi Guo", title = "The role mining problem: a formal perspective", journal = j-TISSEC, volume = "13", number = "3", pages = "27:1--27:??", month = jul, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1805974.1895983", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jul 28 14:57:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Devising a complete and correct set of roles has been recognized as one of the most important and challenging tasks in implementing role-based access control. A key problem related to this is the notion of goodness/interestingness --- when is a role good/interesting? In this article, we define the {\em Role Mining Problem\/} (RMP) as the problem of discovering an optimal set of roles from existing user permissions. The main contribution of this article is to formally define RMP and analyze its theoretical bounds. In addition to the above basic RMP, we introduce two different variations of the RMP, called the {\em $\delta$-Approx RMP\/} and the {\em minimal-noise RMP\/} that have pragmatic implications. We reduce the known ``Set Basis Problem'' to RMP to show that RMP is an NP-complete problem. An important contribution of this article is also to show the relation of the RMP to several problems already identified in the data mining and data analysis literature. By showing that the RMP is in essence reducible to these known problems, we can directly borrow the existing implementation solutions and guide further research in this direction. We also develop a heuristic solution based on the previously proposed FastMiner algorithm, which is very accurate and efficient.", acknowledgement = ack-nhfb, articleno = "27", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "RBAC; role engineering; role mining", } @Article{Carminati:2010:FEA, author = "Barbara Carminati and Elena Ferrari and Jianneng Cao and Kian Lee Tan", title = "A framework to enforce access control over data streams", journal = j-TISSEC, volume = "13", number = "3", pages = "28:1--28:??", month = jul, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1805974.1805984", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jul 28 14:57:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Although access control is currently a key component of any computational system, it is only recently that mechanisms to guard against unauthorized access to streaming data have started to be investigated. To cope with this lack, in this article, we propose a general framework to protect streaming data, which is, as much as possible, independent from the target stream engine. Differently from RDBMSs, up to now a standard query language for data streams has not yet emerged and this makes the development of a general solution to access control enforcement more difficult. The framework we propose in this article is based on an expressive role-based access control model proposed by us. It exploits a query rewriting mechanism, which rewrites user queries in such a way that they do not return tuples/attributes that should not be accessed according to the specified access control policies. Furthermore, the framework contains a deployment module able to translate the rewritten query in such a way that it can be executed by different stream engines, therefore, overcoming the lack of standardization. In the article, besides presenting all the components of our framework, we prove the correctness and completeness of the query rewriting algorithm, and we present some experiments that show the feasibility of the developed techniques.", acknowledgement = ack-nhfb, articleno = "28", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", keywords = "access control; Data stream; secure query rewriting", } @Article{Kate:2010:PBO, author = "Aniket Kate and Greg M. Zaverucha and Ian Goldberg", title = "Pairing-Based Onion Routing with Improved Forward Secrecy", journal = j-TISSEC, volume = "13", number = "4", pages = "29:1--29:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1880022.1880023", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "This article presents new protocols for onion routing anonymity networks. We define a provably secure privacy-preserving key agreement scheme in an identity-based infrastructure setting, and use it to design new onion routing circuit constructions. These constructions, based on a user's selection, offer immediate or eventual forward secrecy at each node in a circuit and require significantly less computation and communication than the telescoping mechanism used by the Tor project. Further, the use of an identity-based infrastructure also leads to a reduction in the required amount of authenticated directory information.", acknowledgement = ack-nhfb, articleno = "29", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Pennington:2010:SBI, author = "Adam G. Pennington and John Linwood Griffin and John S. Bucy and John D. Strunk and Gregory R. Ganger", title = "Storage-Based Intrusion Detection", journal = j-TISSEC, volume = "13", number = "4", pages = "30:1--30:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1880022.1880024", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Storage-based intrusion detection consists of storage systems watching for and identifying data access patterns characteristic of system intrusions. Storage systems can spot several common intruder actions, such as adding backdoors, inserting Trojan horses, and tampering with audit logs. For example, examination of 18 real intrusion tools reveals that most (15) can be detected based on their changes to stored files. Further, an Intrusion Detection System (IDS) embedded in a storage device continues to operate even after client operating systems are compromised. We describe and evaluate a prototype storage IDS, built into a disk emulator, to demonstrate both feasibility and efficiency of storage-based intrusion detection.", acknowledgement = ack-nhfb, articleno = "30", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Bobba:2010:ABM, author = "Rakesh Bobba and Omid Fatemieh and Fariba Khan and Arindam Khan and Carl A. Gunter and Himanshu Khurana and Manoj Prabhakaran", title = "Attribute-Based Messaging: Access Control and Confidentiality", journal = j-TISSEC, volume = "13", number = "4", pages = "31:1--31:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1880022.1880025", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Attribute-Based Messaging (ABM) enables messages to be addressed using attributes of recipients rather than an explicit list of recipients. Such messaging offers benefits of efficiency, exclusiveness, and intensionality, but faces challenges in access control and confidentiality. In this article we explore an approach to intraenterprise ABM based on providing access control and confidentiality using information from the same attribute database exploited by the addressing scheme. We show how to address three key challenges. First, we demonstrate a manageable access control system based on attributes. Second, we demonstrate use of attribute-based encryption to provide end-to-end confidentiality. Third, we show that such a system can be efficient enough to support ABM for mid-size enterprises.", acknowledgement = ack-nhfb, articleno = "31", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Li:2010:AIS, author = "Feifei Li and Marios Hadjieleftheriou and George Kollios and Leonid Reyzin", title = "Authenticated Index Structures for Aggregation Queries", journal = j-TISSEC, volume = "13", number = "4", pages = "32:1--32:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1880022.1880026", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Query authentication is an essential component in Outsourced DataBase (ODB) systems. This article introduces efficient index structures for authenticating aggregation queries over large datasets. First, we design an index that features good performance characteristics for static environments. Then, we propose more involved structures for the dynamic case. Our structures feature excellent performance for authenticating queries with multiple aggregate attributes and multiple selection predicates. Furthermore, our techniques cover a large number of aggregate types, including distributive aggregates (such as SUM, COUNT, MIN, and MAX), algebraic aggregates (such as the AVG), and holistic aggregates (such as MEDIAN and QUANTILE). We have also addressed the issue of authenticating aggregation queries efficiently when the database is encrypted to protect data confidentiality.", acknowledgement = ack-nhfb, articleno = "32", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Sarkar:2010:SGC, author = "Palash Sarkar", title = "A Simple and Generic Construction of Authenticated Encryption with Associated Data", journal = j-TISSEC, volume = "13", number = "4", pages = "33:1--33:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1880022.1880027", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We revisit the problem of constructing a protocol for performing Authenticated Encryption with Associated Data (AEAD). A technique is described which combines a collision-resistant hash function with a protocol for Authenticated Encryption (AE). The technique is both simple and generic and does not require any additional key material beyond that of the AE protocol. Concrete instantiations are shown where a 256-bit hash function is combined with some known single-pass AE protocols employing either 128-bit or 256-bit block ciphers. This results in possible efficiency improvement in the processing of the header.", acknowledgement = ack-nhfb, articleno = "33", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Schultz:2010:MMP, author = "David Schultz and Barbara Liskov and Moses Liskov", title = "{MPSS}: {Mobile Proactive Secret Sharing}", journal = j-TISSEC, volume = "13", number = "4", pages = "34:1--34:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1880022.1880028", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "This article describes MPSS, a new way to do proactive secret sharing. MPSS provides mobility: The group of nodes holding the shares of the secret can change at each resharing, which is essential in a long-lived system. MPSS additionally allows the number of tolerated faulty shareholders to change when the secret is moved so that the system can tolerate more (or fewer) corruptions; this allows reconfiguration on-the-fly to accommodate changes in the environment. MPSS includes an efficient protocol that is intended to be used in practice. The protocol is optimized for the common case of no or few failures, but degradation when there are more failures is modest.", acknowledgement = ack-nhfb, articleno = "34", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Wright:2010:USP, author = "Charles V. Wright and Lucas Ballard and Scott E. Coull and Fabian Monrose and Gerald M. Masson", title = "Uncovering Spoken Phrases in Encrypted Voice over {IP} Conversations", journal = j-TISSEC, volume = "13", number = "4", pages = "35:1--35:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1880022.1880029", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Although Voice over IP (VoIP) is rapidly being adopted, its security implications are not yet fully understood. Since VoIP calls may traverse untrusted networks, packets should be encrypted to ensure confidentiality. However, we show that it is possible to identify the phrases spoken within encrypted VoIP calls when the audio is encoded using variable bit rate codecs. To do so, we train a hidden Markov model using only knowledge of the phonetic pronunciations of words, such as those provided by a dictionary, and search packet sequences for instances of specified phrases. Our approach does not require examples of the speaker's voice, or even example recordings of the words that make up the target phrase. We evaluate our techniques on a standard speech recognition corpus containing over 2,000 phonetically rich phrases spoken by 630 distinct speakers from across the continental United States. Our results indicate that we can identify phrases within encrypted calls with an average accuracy of 50\%, and with accuracy greater than 90\% for some phrases. Clearly, such an attack calls into question the efficacy of current VoIP encryption standards. In addition, we examine the impact of various features of the underlying audio on our performance and discuss methods for mitigation.", acknowledgement = ack-nhfb, articleno = "35", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Molloy:2010:MRM, author = "Ian Molloy and Hong Chen and Tiancheng Li and Qihua Wang and Ninghui Li and Elisa Bertino and Seraphin Calo and Jorge Lobo", title = "Mining Roles with Multiple Objectives", journal = j-TISSEC, volume = "13", number = "4", pages = "36:1--36:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1880022.1880030", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "With the growing adoption of Role-Based Access Control (RBAC) in commercial security and identity management products, how to facilitate the process of migrating a non-RBAC system to an RBAC system has become a problem with significant business impact. Researchers have proposed to use data mining techniques to discover roles to complement the costly top-down approaches for RBAC system construction. An important problem is how to construct RBAC systems with low complexity. In this article, we define the notion of weighted structural complexity measure and propose a role mining algorithm that mines RBAC systems with low structural complexity. Another key problem that has not been adequately addressed by existing role mining approaches is how to discover roles with semantic meanings.", acknowledgement = ack-nhfb, articleno = "36", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Libert:2010:KES, author = "Beno{\^\i}t Libert and Jean-Jacques Quisquater and Moti Yung", title = "Key Evolution Systems in Untrusted Update Environments", journal = j-TISSEC, volume = "13", number = "4", pages = "37:1--37:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1880022.1880031", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Forward-Secure Signatures (FSS) prevent forgeries for past time periods when an attacker obtains full access to the signer's storage by evolving the private key in a one-way fashion. To simplify the integration of these primitives into standard security architectures, Boyen et al. [2006] recently introduced the concept of forward-secure signatures with untrusted updates where private keys are additionally protected by a second factor (derived from a password). Key updates can be made on encrypted version of signing keys so that passwords only come into play for signing messages and not at update time (since update is not user-driven). The scheme put forth by Boyen et al.", acknowledgement = ack-nhfb, articleno = "37", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Zage:2010:RDV, author = "David Zage and Cristina Nita-Rotaru", title = "Robust Decentralized Virtual Coordinate Systems in Adversarial Environments", journal = j-TISSEC, volume = "13", number = "4", pages = "38:1--38:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1880022.1880032", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Virtual coordinate systems provide an accurate and efficient service that allows hosts on the Internet to determine the latency to arbitrary hosts without actively monitoring all of the nodes in the network. Many of the proposed systems were designed with the assumption that all of the nodes are altruistic. However, this assumption may be violated by compromised nodes acting maliciously to degrade the accuracy of the coordinate system. As numerous peer-to-peer applications come to rely on virtual coordinate systems to achieve good performance, it is critical to address the security of such systems. In this work, we demonstrate the vulnerability of decentralized virtual coordinate systems to insider (or Byzantine) attacks.", acknowledgement = ack-nhfb, articleno = "38", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Tsang:2010:BRR, author = "Patrick P. Tsang and Man Ho Au and Apu Kapadia and Sean W. Smith", title = "{BLAC}: Revoking Repeatedly Misbehaving Anonymous Users without Relying on {TTPs}", journal = j-TISSEC, volume = "13", number = "4", pages = "39:1--39:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1880022.1880033", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Several credential systems have been proposed in which users can authenticate to service providers anonymously. Since anonymity can give users the license to misbehave, some variants allow the selective deanonymization (or linking) of misbehaving users upon a complaint to a Trusted Third Party (TTP). The ability of the TTP to revoke a user's privacy at any time, however, is too strong a punishment for misbehavior. To limit the scope of deanonymization, some systems have been proposed in which users can be deanonymized only if they authenticate ``too many times,'' such as ``double spending'' with electronic cash. While useful in some applications, such techniques cannot be generalized to more subjective definitions of misbehavior, for example, using such schemes it is not possible to block anonymous users who ``deface too many Web pages'' on a Web site.", acknowledgement = ack-nhfb, articleno = "39", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Wang:2010:SRW, author = "Qihua Wang and Ninghui Li", title = "Satisfiability and Resiliency in Workflow Authorization Systems", journal = j-TISSEC, volume = "13", number = "4", pages = "40:1--40:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1880022.1880034", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We propose the role-and-relation-based access control (R2BAC) model for workflow authorization systems. In R2BAC, in addition to a user's role memberships, the user's relationships with other users help determine whether the user is allowed to perform a certain step in a workflow. For example, a constraint may require that two steps must not be performed by users who have conflicts of interests. We study computational complexity of the workflow satisfiability problem, which asks whether a set of users can complete a workflow. In particular, we apply tools from parameterized complexity theory to better understand the complexities of this problem. Furthermore, we reduce the workflow satisfiability problem to SAT and apply SAT solvers to address the problem.", acknowledgement = ack-nhfb, articleno = "40", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Mukhamedov:2010:IEP, author = "Aybek Mukhamedov and Mark D. Ryan", title = "Identity Escrow Protocol and Anonymity Analysis in the Applied Pi-Calculus", journal = j-TISSEC, volume = "13", number = "4", pages = "41:1--41:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1880022.1880035", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Anonymity with identity escrow attempts to allow users of an online service to remain anonymous, while providing the possibility that the service owner can break the anonymity in exceptional circumstances, such as to assist in a criminal investigation. In the article, we propose an identity escrow protocol that distributes user identity among several escrow agents. The main feature of our scheme is it is based on standard encryption algorithms and it provides user anonymity even if all but one escrow holders are dishonest acting in a coalition. We also present analysis of the anonymity property of our protocol in the applied pi-calculus.", acknowledgement = ack-nhfb, articleno = "41", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Li:2011:ISS, author = "Ninghui Li", title = "Introduction to special section {SACMAT'08}", journal = j-TISSEC, volume = "14", number = "1", pages = "1:1--1:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1952982.1952983", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "1", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Bauer:2011:DRP, author = "Lujo Bauer and Scott Garriss and Michael K. Reiter", title = "Detecting and resolving policy misconfigurations in access-control systems", journal = j-TISSEC, volume = "14", number = "1", pages = "2:1--2:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1952982.1952984", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Access-control policy misconfigurations that cause requests to be erroneously denied can result in wasted time, user frustration, and, in the context of particular applications (e.g., health care), very severe consequences. In this article we apply association rule mining to the history of accesses to predict changes to access-control policies that are likely to be consistent with users' intentions, so that these changes can be instituted in advance of misconfigurations interfering with legitimate accesses. Instituting these changes requires the consent of the appropriate administrator, of course, and so a primary contribution of our work is how to automatically determine from whom to seek consent and how to minimize the costs of doing so.", acknowledgement = ack-nhfb, articleno = "2", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Wei:2011:ARH, author = "Qiang Wei and Jason Crampton and Konstantin Beznosov and Matei Ripeanu", title = "Authorization recycling in hierarchical {RBAC} systems", journal = j-TISSEC, volume = "14", number = "1", pages = "3:1--3:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1952982.1952985", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "As distributed applications increase in size and complexity, traditional authorization architectures based on a dedicated authorization server become increasingly fragile because this decision point represents a single point of failure and a performance bottleneck. Authorization caching, which enables the reuse of previous authorization decisions, is one technique that has been used to address these challenges. This article introduces and evaluates the mechanisms for authorization ``recycling'' in RBAC enterprise systems. The algorithms that support these mechanisms allow making precise and approximate authorization decisions, thereby masking possible failures of the authorization server and reducing its load. We evaluate these algorithms analytically as well as using simulation and a prototype implementation.", acknowledgement = ack-nhfb, articleno = "3", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Bohli:2011:RAP, author = "Jens-Matthias Bohli and Andreas Pashalidis", title = "Relations among privacy notions", journal = j-TISSEC, volume = "14", number = "1", pages = "4:1--4:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1952982.1952986", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "This article presents a hierarchy of privacy notions that covers multiple anonymity and unlinkability variants. The underlying definitions, which are based on the idea of indistinguishability between two worlds, provide new insights into the relation between, and the fundamental structure of, different privacy notions. We furthermore place previous privacy definitions concerning group signature, anonymous communication, and secret voting systems in the context of our hierarchy; this renders these traditionally disconnected notions comparable.", acknowledgement = ack-nhfb, articleno = "4", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Oligeri:2011:REA, author = "Gabriele Oligeri and Stefano Chessa and Roberto {Di Pietro} and Gaetano Giunta", title = "Robust and efficient authentication of video stream broadcasting", journal = j-TISSEC, volume = "14", number = "1", pages = "5:1--5:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1952982.1952987", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We present a novel video stream authentication scheme which combines signature amortization by means of hash chains and an advanced watermarking technique. We propose a new hash chain construction, the Duplex Hash Chain, which allows us to achieve bit-by-bit authentication that is robust to low bit error rates. This construction is well suited for wireless broadcast communications characterized by low packet losses such as in satellite networks. Moreover, neither hardware upgrades nor specific end-user equipment are needed to enjoy the authentication services. The computation overhead experienced on the receiver only sums to two hashes per block of pictures and one digital signature verification for the whole received stream.", acknowledgement = ack-nhfb, articleno = "5", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Demsky:2011:CAD, author = "Brian Demsky", title = "Cross-application data provenance and policy enforcement", journal = j-TISSEC, volume = "14", number = "1", pages = "6:1--6:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1952982.1952988", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We present a new technique that can trace data provenance and enforce data access policies across multiple applications and machines. We have developed Garm, a tool that uses binary rewriting to implement this technique on arbitrary binaries. Users can use Garm to attach access policies to data and Garm enforces the policy on all accesses to the data (and any derived data) across all applications and executions. Garm uses static analysis to generate optimized instrumentation that traces the provenance of an application's state and the policies that apply to this state. Garm monitors the interactions of the application with the underlying operating system to enforce policies.", acknowledgement = ack-nhfb, articleno = "6", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Dong:2011:PDA, author = "Jing Dong and Reza Curtmola and Cristina Nita-Rotaru", title = "Practical defenses against pollution attacks in wireless network coding", journal = j-TISSEC, volume = "14", number = "1", pages = "7:1--7:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1952982.1952989", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Recent studies have shown that network coding can provide significant benefits to network protocols, such as increased throughput, reduced network congestion, higher reliability, and lower power consumption. The core principle of network coding is that intermediate nodes actively mix input packets to produce output packets. This mixing subjects network coding systems to a severe security threat, known as a pollution attack, where attacker nodes inject corrupted packets into the network. Corrupted packets propagate in an epidemic manner, depleting network resources and significantly decreasing throughput. Pollution attacks are particularly dangerous in wireless networks, where attackers can easily inject packets or compromise devices due to the increased network vulnerability.", acknowledgement = ack-nhfb, articleno = "7", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Schneider:2011:NAL, author = "Fred B. Schneider and Kevin Walsh and Emin G{\"u}n Sirer", title = "{Nexus Authorization Logic (NAL)}: Design rationale and applications", journal = j-TISSEC, volume = "14", number = "1", pages = "8:1--8:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1952982.1952990", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Nexus Authorization Logic (NAL) provides a principled basis for specifying and reasoning about credentials and authorization policies. It extends prior access control logics that are based on ``says'' and ``speaks for'' operators. NAL enables authorization of access requests to depend on (i) the source or pedigree of the requester, (ii) the outcome of any mechanized analysis of the requester, or (iii) the use of trusted software to encapsulate or modify the requester. To illustrate the convenience and expressive power of this approach to authorization, a suite of document-viewer applications was implemented to run on the Nexus operating system.", acknowledgement = ack-nhfb, articleno = "8", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Bruns:2011:ACB, author = "Glenn Bruns and Michael Huth", title = "Access control via {Belnap} logic: Intuitive, expressive, and analyzable policy composition", journal = j-TISSEC, volume = "14", number = "1", pages = "9:1--9:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1952982.1952991", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Access control to IT systems increasingly relies on the ability to compose policies. Hence there is benefit in any framework for policy composition that is intuitive, formal (and so ``analyzable'' and ``implementable''), expressive, independent of specific application domains, and yet able to be extended to create domain-specific instances. Here we develop such a framework based on Belnap logic. An access-control policy is interpreted as a four-valued predicate that maps access requests to either grant, deny, conflict, or unspecified -- the four values of the Belnap bilattice. We define an expressive access-control policy language PBel, having composition operators based on the operators of Belnap logic.", acknowledgement = ack-nhfb, articleno = "9", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Coull:2011:ACO, author = "Scott E. Coull and Matthew Green and Susan Hohenberger", title = "Access controls for oblivious and anonymous systems", journal = j-TISSEC, volume = "14", number = "1", pages = "10:1--10:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1952982.1952992", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The use of privacy-enhancing cryptographic protocols, such as anonymous credentials and oblivious transfer, could have a detrimental effect on the ability of providers to effectively implement access controls on their content. In this article, we propose a stateful anonymous credential system that allows the provider to implement nontrivial, real-world access controls on oblivious protocols conducted with anonymous users. Our system models the behavior of users as a state machine and embeds that state within an anonymous credential to restrict access to resources based on the state information. The use of state machine models of user behavior allows the provider to restrict the users' actions according to a wide variety of access control models without learning anything about the users' identities or actions.", acknowledgement = ack-nhfb, articleno = "10", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Burmester:2011:LRA, author = "Mike Burmester and Jorge Munilla", title = "Lightweight {RFID} authentication with forward and backward security", journal = j-TISSEC, volume = "14", number = "1", pages = "11:1--11:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1952982.1952993", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We propose a lightweight RFID authentication protocol that supports forward and backward security. The only cryptographic mechanism that this protocol uses is a pseudorandom number generator (PRNG) that is shared with the backend Server. Authentication is achieved by exchanging a few numbers (3 or 5) drawn from the PRNG. The lookup time is constant, and the protocol can be easily adapted to prevent online man-in-the-middle relay attacks. Security is proven in the UC security framework.", acknowledgement = ack-nhfb, articleno = "11", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Ateniese:2011:RDC, author = "Giuseppe Ateniese and Randal Burns and Reza Curtmola and Joseph Herring and Osama Khan and Lea Kissner and Zachary Peterson and Dawn Song", title = "Remote data checking using provable data possession", journal = j-TISSEC, volume = "14", number = "1", pages = "12:1--12:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1952982.1952994", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We introduce a model for provable data possession (PDP) that can be used for remote data checking: A client that has stored data at an untrusted server can verify that the server possesses the original data without retrieving it. The model generates probabilistic proofs of possession by sampling random sets of blocks from the server, which drastically reduces I/O costs. The client maintains a constant amount of metadata to verify the proof. The challenge/response protocol transmits a small, constant amount of data, which minimizes network communication. Thus, the PDP model for remote data checking is lightweight and supports large data sets in distributed storage systems.", acknowledgement = ack-nhfb, articleno = "12", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Liu:2011:FDI, author = "Yao Liu and Peng Ning and Michael K. Reiter", title = "False data injection attacks against state estimation in electric power grids", journal = j-TISSEC, volume = "14", number = "1", pages = "13:1--13:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1952982.1952995", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "A power grid is a complex system connecting electric power generators to consumers through power transmission and distribution networks across a large geographical area. System monitoring is necessary to ensure the reliable operation of power grids, and state estimation is used in system monitoring to best estimate the power grid state through analysis of meter measurements and power system models. Various techniques have been developed to detect and identify bad measurements, including interacting bad measurements introduced by arbitrary, nonrandom causes. At first glance, it seems that these techniques can also defeat malicious measurements injected by attackers. In this article, we expose an unknown vulnerability of existing bad measurement detection algorithms by presenting and analyzing a new class of attacks, called false data injection attacks, against state estimation in electric power grids.", acknowledgement = ack-nhfb, articleno = "13", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Crampton:2011:PEC, author = "Jason Crampton", title = "Practical and efficient cryptographic enforcement of interval-based access control policies", journal = j-TISSEC, volume = "14", number = "1", pages = "14:1--14:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/1952982.1952996", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The enforcement of access control policies using cryptography has received considerable attention in recent years and the security of such enforcement schemes is increasingly well understood. Recent work in the area has considered the efficient enforcement of temporal and geo-spatial access control policies, and asymptotic results for the time and space complexity of efficient enforcement schemes have been obtained. However, for practical purposes, it is useful to have explicit bounds for the complexity of enforcement schemes. In this article we consider interval-based access control policies, of which temporal and geo-spatial access control policies are special cases. We define enforcement schemes for interval-based access control policies for which it is possible, in almost all cases, to obtain exact values for the schemes' complexity, thereby subsuming a substantial body of work in the literature.", acknowledgement = ack-nhfb, articleno = "14", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Wang:2011:CAF, author = "Tielei Wang and Tao Wei and Guofei Gu and Wei Zou", title = "Checksum-Aware Fuzzing Combined with Dynamic Taint Analysis and Symbolic Execution", journal = j-TISSEC, volume = "14", number = "2", pages = "15:1--15:??", month = sep, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2019599.2019600", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Oct 22 08:53:59 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "15", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Basin:2011:FRA, author = "David Basin and Srdjan Capkun and Patrick Schaller and Benedikt Schmidt", title = "Formal Reasoning about Physical Properties of Security Protocols", journal = j-TISSEC, volume = "14", number = "2", pages = "16:1--16:??", month = sep, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2019599.2019601", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Oct 22 08:53:59 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "16", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Crosby:2011:ADR, author = "Scott A. Crosby and Dan S. Wallach", title = "Authenticated Dictionaries: Real-World Costs and Trade-Offs", journal = j-TISSEC, volume = "14", number = "2", pages = "17:1--17:??", month = sep, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2019599.2019602", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Oct 22 08:53:59 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "17", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Appel:2011:SSV, author = "Andrew W. Appel", title = "Security Seals on Voting Machines: a Case Study", journal = j-TISSEC, volume = "14", number = "2", pages = "18:1--18:??", month = sep, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2019599.2019603", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Oct 22 08:53:59 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "18", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Schreuders:2011:EEU, author = "Z. Cliffe Schreuders and Tanya McGill and Christian Payne", title = "Empowering End Users to Confine Their Own Applications: The Results of a Usability Study Comparing {SELinux}, {AppArmor}, and {FBAC-LSM}", journal = j-TISSEC, volume = "14", number = "2", pages = "19:1--19:??", month = sep, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2019599.2019604", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Oct 22 08:53:59 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "19", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Williams:2011:POO, author = "Peter Williams and Radu Sion and Miroslava Sotakova", title = "Practical Oblivious Outsourced Storage", journal = j-TISSEC, volume = "14", number = "2", pages = "20:1--20:??", month = sep, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2019599.2019605", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Oct 22 08:53:59 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "20", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Xiang:2011:CFR, author = "Guang Xiang and Jason Hong and Carolyn P. Rose and Lorrie Cranor", title = "{CANTINA+}: a Feature-Rich Machine Learning Framework for Detecting Phishing {Web} Sites", journal = j-TISSEC, volume = "14", number = "2", pages = "21:1--21:??", month = sep, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2019599.2019606", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Oct 22 08:53:59 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "21", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Joshi:2011:GES, author = "James Joshi and Barbara Carminati", title = "Guest Editorial: {SACMAT 2009} and 2010", journal = j-TISSEC, volume = "14", number = "3", pages = "22:1--22:??", month = nov, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2043621.2043622", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Dec 15 09:12:37 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "22", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Krishnan:2011:GCS, author = "Ram Krishnan and Jianwei Niu and Ravi Sandhu and William H. Winsborough", title = "Group-Centric Secure Information-Sharing Models for Isolated Groups", journal = j-TISSEC, volume = "14", number = "3", pages = "23:1--23:??", month = nov, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2043621.2043623", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Dec 15 09:12:37 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Group-Centric Secure Information Sharing (g-SIS) envisions bringing users and objects together in a group to facilitate agile sharing of information brought in from external sources as well as creation of new information within the group. We expect g-SIS to be orthogonal and complementary to authorization systems deployed within participating organizations. The metaphors ``secure meeting room'' and ``subscription service'' characterize the g-SIS approach. The focus of this article is on developing the foundations of isolated g-SIS models. Groups are isolated in the sense that membership of a user or an object in a group does not affect their authorizations in other groups.", acknowledgement = ack-nhfb, articleno = "23", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Mao:2011:CDP, author = "Ziqing Mao and Ninghui Li and Hong Chen and Xuxian Jiang", title = "Combining Discretionary Policy with Mandatory Information Flow in Operating Systems", journal = j-TISSEC, volume = "14", number = "3", pages = "24:1--24:??", month = nov, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2043621.2043624", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Dec 15 09:12:37 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Discretionary Access Control (DAC) is the primary access control mechanism in today's major operating systems. It is, however, vulnerable to Trojan Horse attacks and attacks exploiting buggy software. We propose to combine the discretionary policy in DAC with the dynamic information flow techniques in MAC, therefore achieving the best of both worlds, that is, the DAC's easy-to-use discretionary policy specification and MAC's defense against threats caused by Trojan Horses and buggy programs. We propose the Information Flow Enhanced Discretionary Access Control (IFEDAC) model that implements this design philosophy. We describe our design of IFEDAC, and discuss its relationship with the Usable Mandatory Integrity Protection (UMIP) model proposed earlier by us.", acknowledgement = ack-nhfb, articleno = "24", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Leighton:2011:ACP, author = "Gregory Leighton and Denilson Barbosa", title = "Access Control Policy Translation, Verification, and Minimization within Heterogeneous Data Federations", journal = j-TISSEC, volume = "14", number = "3", pages = "25:1--25:??", month = nov, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2043621.2043625", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Dec 15 09:12:37 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Data federations provide seamless access to multiple heterogeneous and autonomous data sources pertaining to a large organization. As each source database defines its own access control policies for a set of local identities, enforcing such policies across the federation becomes a challenge. In this article, we first consider the problem of translating existing access control policies defined over source databases in a manner that allows the original semantics to be observed while becoming applicable across the entire data federation. We show that such a translation is always possible, and provide an algorithm for automating the translation. We show that verifying whether a translated policy obeys the semantics of the original access control policy defined over a source database is intractable, even under restrictive scenarios.", acknowledgement = ack-nhfb, articleno = "25", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Chan:2011:PCR, author = "T.-H. Hubert Chan and Elaine Shi and Dawn Song", title = "Private and Continual Release of Statistics", journal = j-TISSEC, volume = "14", number = "3", pages = "26:1--26:??", month = nov, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2043621.2043626", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Dec 15 09:12:37 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We ask the question: how can Web sites and data aggregators continually release updated statistics, and meanwhile preserve each individual user's privacy? Suppose we are given a stream of 0's and 1's. We propose a differentially private continual counter that outputs at every time step the approximate number of 1's seen thus far. Our counter construction has error that is only poly-log in the number of time steps. We can extend the basic counter construction to allow Web sites to continually give top-k and hot items suggestions while preserving users' privacy.", acknowledgement = ack-nhfb, articleno = "26", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Chan-Tin:2011:FBA, author = "Eric Chan-Tin and Victor Heorhiadi and Nicholas Hopper and Yongdae Kim", title = "The {Frog-Boiling} Attack: Limitations of Secure Network Coordinate Systems", journal = j-TISSEC, volume = "14", number = "3", pages = "27:1--27:??", month = nov, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2043621.2043627", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Dec 15 09:12:37 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "A network coordinate system assigns Euclidean ``virtual'' coordinates to every node in a network to allow easy estimation of network latency between pairs of nodes that have never contacted each other. These systems have been implemented in a variety of applications, most notably the popular Vuze BitTorrent client. Zage and Nita-Rotaru (at CCS 2007) and independently, Kaafar et al. (at SIGCOMM 2007), demonstrated that several widely-cited network coordinate systems are prone to simple attacks, and proposed mechanisms to defeat these attacks using outlier detection to filter out adversarial inputs. Kaafar et al. goes a step further and requires that a fraction of the network is trusted. More recently, Sherr et al. (at USENIX ATC 2009) proposed Veracity, a distributed reputation system to secure network coordinate systems. We describe a new attack on network coordinate systems, Frog-Boiling, that defeats all of these defenses. Thus, even a system with trusted entities is still vulnerable to attacks. Moreover, having witnesses vouch for your coordinates as in Veracity does not prevent our attack. Finally, we demonstrate empirically that the Frog-Boiling attack is more disruptive than the previously known attacks: systems that attempt to reject ``bad'' inputs by statistical means or reputation cannot be used to secure a network coordinate system.", acknowledgement = ack-nhfb, articleno = "27", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Gorantla:2011:MKC, author = "M. C. Gorantla and Colin Boyd and Juan Manuel Gonz{\'a}lez Nieto and Mark Manulis", title = "Modeling key compromise impersonation attacks on group key exchange protocols", journal = j-TISSEC, volume = "14", number = "4", pages = "28:1--28:??", month = dec, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2043628.2043629", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Dec 22 18:15:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Two-party key exchange (2PKE) protocols have been rigorously analyzed under various models considering different adversarial actions. However, the analysis of group key exchange (GKE) protocols has not been as extensive as that of 2PKE protocols. Particularly, an important security attribute called key compromise impersonation (KCI) resilience has been completely ignored for the case of GKE protocols. Informally, a protocol is said to provide KCI resilience if the compromise of the long-term secret key of a protocol participant A does not allow the adversary to impersonate an honest participant B to A. In this paper, we argue that KCI resilience for GKE protocols is at least as important as it is for 2PKE protocols.", acknowledgement = ack-nhfb, articleno = "28", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Au:2011:PPT, author = "M. Ho Au and P. P. Tsang and A. Kapadia", title = "{PEREA}: Practical {TTP}-free revocation of repeatedly misbehaving anonymous users", journal = j-TISSEC, volume = "14", number = "4", pages = "29:1--29:??", month = dec, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2043628.2043630", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Dec 22 18:15:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Several anonymous authentication schemes allow servers to revoke a misbehaving user's ability to make future accesses. Traditionally, these schemes have relied on powerful Trusted Third Parties (TTPs) capable of deanonymizing (or linking) users' connections. Such TTPs are undesirable because users' anonymity is not guaranteed, and users must trust them to judge misbehaviors fairly. Recent schemes such as Blacklistable Anonymous Credentials (BLAC) and Enhanced Privacy ID (EPID) support ``privacy-enhanced revocation''--- servers can revoke misbehaving users without a TTP's involvement, and without learning the revoked users' identities. In BLAC and EPID, however, the computation required for authentication at the server is linear in the size (L) of the revocation list, which is impractical as the size approaches thousands of entries.", acknowledgement = ack-nhfb, articleno = "29", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Li:2011:TRP, author = "Yingjiu Li and Robert H. Deng and Junzuo Lai and Changshe Ma", title = "On two {RFID} privacy notions and their relations", journal = j-TISSEC, volume = "14", number = "4", pages = "30:1--30:??", month = dec, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2043628.2043631", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Dec 22 18:15:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Privacy of RFID systems is receiving increasing attention in the RFID community. Basically, there are two kinds of RFID privacy notions in the literature: one based on the indistinguishability of two tags, denoted as ind-privacy, and the other based on the unpredictability of the output of an RFID protocol, denoted as unp-privacy. In this article, we first revisit the existing unpredictability-based RFID privacy models and point out their limitations. We then propose a new RFID privacy model, denoted as unp*-privacy, based on the indistinguishability of a real tag and a virtual tag. We formally clarify its relationship with the ind-privacy model.", acknowledgement = ack-nhfb, articleno = "30", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Burkhart:2011:PPD, author = "Martin Burkhart and Xenofontas Dimitropoulos", title = "Privacy-preserving distributed network troubleshooting---bridging the gap between theory and practice", journal = j-TISSEC, volume = "14", number = "4", pages = "31:1--31:??", month = dec, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2043628.2043632", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Dec 22 18:15:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Today, there is a fundamental imbalance in cybersecurity. While attackers act more and more globally and coordinated, network defense is limited to examine local information only due to privacy concerns. To overcome this privacy barrier, we use secure multiparty computation (MPC) for the problem of aggregating network data from multiple domains. We first optimize MPC comparison operations for processing high volume data in near real-time by not enforcing protocols to run in a constant number of synchronization rounds. We then implement a complete set of basic MPC primitives in the SEPIA library. For parallel invocations, SEPIA's basic operations are between 35 and several hundred times faster than those of comparable MPC frameworks.", acknowledgement = ack-nhfb, articleno = "31", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Bethea:2011:SSV, author = "Darrell Bethea and Robert A. Cochran and Michael K. Reiter", title = "Server-side verification of client behavior in online games", journal = j-TISSEC, volume = "14", number = "4", pages = "32:1--32:??", month = dec, year = "2011", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2043628.2043633", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Dec 22 18:15:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Online gaming is a lucrative and growing industry but one that is slowed by cheating that compromises the gaming experience and hence drives away players (and revenue). In this paper we develop a technique by which game developers can enable game operators to validate the behavior of game clients as being consistent with valid execution of the sanctioned client software. Our technique employs symbolic execution of the client software to extract constraints on client-side state implied by each client-to-server message, and then uses constraint solving to determine whether the sequence of client-to-server messages can be ``explained'' by any possible user inputs, in light of the server-to-client messages already received.", acknowledgement = ack-nhfb, articleno = "32", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Syverson:2012:GES, author = "Paul Syverson and Somesh Jha", title = "Guest Editorial: Special Issue on Computer and Communications Security", journal = j-TISSEC, volume = "15", number = "1", pages = "1:1--1:??", month = mar, year = "2012", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2133375.2133376", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Mar 24 09:45:43 MDT 2012", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "1", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Roemer:2012:ROP, author = "Ryan Roemer and Erik Buchanan and Hovav Shacham and Stefan Savage", title = "Return-Oriented Programming: Systems, Languages, and Applications", journal = j-TISSEC, volume = "15", number = "1", pages = "2:1--2:??", month = mar, year = "2012", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2133375.2133377", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Mar 24 09:45:43 MDT 2012", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We introduce return-oriented programming, a technique by which an attacker can induce arbitrary behavior in a program whose control flow he has diverted, without injecting any code. A return-oriented program chains together short instruction sequences already present in a program's address space, each of which ends in a ``return'' instruction. Return-oriented programming defeats the $W \oplus X$ protections recently deployed by Microsoft, Intel, and AMD; in this context, it can be seen as a generalization of traditional return-into-libc attacks. But the threat is more general. Return-oriented programming is readily exploitable on multiple architectures and systems. It also bypasses an entire category of security measures---those that seek to prevent malicious computation by preventing the execution of malicious code. To demonstrate the wide applicability of return-oriented programming, we construct a Turing-complete set of building blocks called gadgets using the standard C libraries of two very different architectures: Linux/x86 and Solaris/SPARC. To demonstrate the power of return-oriented programming, we present a high-level, general-purpose language for describing return-oriented exploits and a compiler that translates it to gadgets.", acknowledgement = ack-nhfb, articleno = "2", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Bhargavan:2012:VCI, author = "Karthikeyan Bhargavan and C{\'e}dric Fournet and Ricardo Corin and Eugen Zalinescu", title = "Verified Cryptographic Implementations for {TLS}", journal = j-TISSEC, volume = "15", number = "1", pages = "3:1--3:??", month = mar, year = "2012", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2133375.2133378", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Mar 24 09:45:43 MDT 2012", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We narrow the gap between concrete implementations of cryptographic protocols and their verified models. We develop and verify a small functional implementation of the Transport Layer Security protocol (TLS 1.0). We make use of the same executable code for interoperability testing against mainstream implementations for automated symbolic cryptographic verification and automated computational cryptographic verification. We rely on a combination of recent tools and also develop a new tool for extracting computational models from executable code. We obtain strong security guarantees for TLS as used in typical deployments.", acknowledgement = ack-nhfb, articleno = "3", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Camenisch:2012:EAA, author = "Jan Camenisch and Thomas Gro{\ss}", title = "Efficient Attributes for Anonymous Credentials", journal = j-TISSEC, volume = "15", number = "1", pages = "4:1--4:??", month = mar, year = "2012", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2133375.2133379", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Mar 24 09:45:43 MDT 2012", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We extend the Camenisch-Lysyanskaya anonymous credential system such that selective disclosure of attributes becomes highly efficient. The resulting system significantly improves upon existing approaches, which suffer from a linear number of modular exponentiations in the total number of attributes. This limitation makes them unfit for many practical applications, such as electronic identity cards. Our novel approach can incorporate a large number of binary and finite-set attributes without significant performance impact. It compresses all such attributes into a single attribute base and, thus, boosts the efficiency of all proofs of possession. The core idea is to encode discrete binary and finite-set values as prime numbers. We then use the divisibility property for efficient proofs of their presence or absence. In addition, we contribute efficient methods for conjunctions and disjunctions. The system builds on the strong RSA assumption. We demonstrate the aptness of our method in realistic application scenarios, notably electronic identity cards, and show its advantages for small devices, such as smartcards and cell phones.", acknowledgement = ack-nhfb, articleno = "4", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Mittal:2012:ILS, author = "Prateek Mittal and Nikita Borisov", title = "Information Leaks in Structured Peer-to-Peer Anonymous Communication Systems", journal = j-TISSEC, volume = "15", number = "1", pages = "5:1--5:??", month = mar, year = "2012", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2133375.2133380", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Mar 24 09:45:43 MDT 2012", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We analyze information leaks in the lookup mechanisms of structured peer-to-peer (P2P) anonymous communication systems and how these leaks can be used to compromise anonymity. We show that the techniques used to combat active attacks on the lookup mechanism dramatically increase information leaks and the efficacy of passive attacks, resulting in a tradeoff between robustness to active and passive attacks. We study this tradeoff in two P2P anonymous systems: Salsa and AP3. In both cases, we find that, by combining both passive and active attacks, anonymity can be compromised much more effectively than previously thought, rendering these systems insecure for most proposed uses. Our results hold even if security parameters are changed or other improvements to the systems are considered. Our study, therefore, shows the importance of considering these attacks in P2P anonymous communication.", acknowledgement = ack-nhfb, articleno = "5", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Gilad:2012:LDA, author = "Yossi Gilad and Amir Herzberg", title = "{LOT}: a Defense Against {IP} Spoofing and Flooding Attacks", journal = j-TISSEC, volume = "15", number = "2", pages = "6:1--6:??", month = jul, year = "2012", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2240276.2240277", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jul 31 17:02:31 MDT 2012", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We present LOT, a lightweight plug and play secure tunneling protocol deployed at network gateways. Two communicating gateways, A and B, running LOT would automatically detect each other and establish an efficient tunnel, securing communication between them. LOT tunnels allow A to discard spoofed packets that specify source addresses in B's network and vice versa. This helps to mitigate many attacks, including DNS poisoning, network scans, and most notably (Distributed) Denial of Service (DoS). LOT tunnels provide several additional defenses against DoS attacks. Specifically, since packets received from LOT-protected networks cannot be spoofed, LOT gateways implement quotas, identifying and blocking packet floods from specific networks. Furthermore, a receiving LOT gateway (e.g., B) can send the quota assigned to each tunnel to the peer gateway (A), which can then enforce near-source quotas, reducing waste and congestion by filtering excessive traffic before it leaves the source network. Similarly, LOT tunnels facilitate near-source filtering, where the sending gateway discards packets based on filtering rules defined by the destination gateway. LOT gateways also implement an intergateway congestion detection mechanism, allowing sending gateways to detect when their packets get dropped before reaching the destination gateway and to perform appropriate near-source filtering to block the congesting traffic; this helps against DoS attacks on the backbone connecting the two gateways. LOT is practical: it is easy to manage (plug and play, requires no coordination between gateways), deployed incrementally at edge gateways (not at hosts and core routers), and has negligible overhead in terms of bandwidth and processing, as we validate experimentally. LOT storage requirements are also modest.", acknowledgement = ack-nhfb, articleno = "6", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Danev:2012:TPI, author = "Boris Danev and Srdjan Capkun and Ramya Jayaram Masti and Thomas S. Benjamin", title = "Towards Practical Identification of {HF RFID} Devices", journal = j-TISSEC, volume = "15", number = "2", pages = "7:1--7:??", month = jul, year = "2012", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2240276.2240278", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jul 31 17:02:31 MDT 2012", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The deployment of RFID poses a number of security and privacy threats such as cloning, unauthorized tracking, etc. Although the literature contains many investigations of these issues on the logical level, few works have explored the security implications of the physical communication layer. Recently, related studies have shown the feasibility of identifying RFID-enabled devices based on physical-layer fingerprints. In this work, we leverage on these findings and demonstrate that physical-layer identification of HF RFID devices is also practical, that is, can achieve high accuracy and stability. We propose an improved hardware setup and enhanced techniques for fingerprint extraction and matching. Our new system enables device identification with an Equal Error Rate as low as 0.005 (0.5\%) on a set 50 HF RFID smart cards of the same manufacturer and type. We further investigate the fingerprint stability over an extended period of time and across different acquisition setups. In the latter case, we propose a solution based on channel equalization that preserves the fingerprint quality across setups. Our results strengthen the practical use of physical-layer identification of RFID devices in product and document anti-counterfeiting solutions.", acknowledgement = ack-nhfb, articleno = "7", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Abadi:2012:PLR, author = "Mart{\'\i}n Abadi and Gordon D. Plotkin", title = "On Protection by Layout Randomization", journal = j-TISSEC, volume = "15", number = "2", pages = "8:1--8:??", month = jul, year = "2012", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2240276.2240279", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jul 31 17:02:31 MDT 2012", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Layout randomization is a powerful, popular technique for software protection. We present it and study it in programming-language terms. More specifically, we consider layout randomization as part of an implementation for a high-level programming language; the implementation translates this language to a lower-level language in which memory addresses are numbers. We analyze this implementation, by relating low-level attacks against the implementation to contexts in the high-level programming language, and by establishing full abstraction results.", acknowledgement = ack-nhfb, articleno = "8", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Yavuz:2012:BFB, author = "Attila A. Yavuz and Peng Ning and Michael K. Reiter", title = "{BAF} and {FI-BAF}: Efficient and Publicly Verifiable Cryptographic Schemes for Secure Logging in Resource-Constrained Systems", journal = j-TISSEC, volume = "15", number = "2", pages = "9:1--9:??", month = jul, year = "2012", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2240276.2240280", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jul 31 17:02:31 MDT 2012", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Audit logs are an integral part of modern computer systems due to their forensic value. Protecting audit logs on a physically unprotected machine in hostile environments is a challenging task, especially in the presence of active adversaries. It is critical for such a system to have forward security and append-only properties such that when an adversary compromises a logging machine, she cannot forge or selectively delete the log entries accumulated before the compromise. Existing public-key-based secure logging schemes are computationally costly. Existing symmetric secure logging schemes are not publicly verifiable and open to certain attacks. In this article, we develop a new forward-secure and aggregate signature scheme called Blind-Aggregate-Forward (BAF), which is suitable for secure logging in resource-constrained systems. BAF is the only cryptographic secure logging scheme that can produce publicly verifiable, forward-secure and aggregate signatures with low computation, key/signature storage, and signature communication overheads for the loggers, without requiring any online trusted third party support. A simple variant of BAF also allows a fine-grained verification of log entries without compromising the security or computational efficiency of BAF. We prove that our schemes are secure in Random Oracle Model (ROM). We also show that they are significantly more efficient than all the previous publicly verifiable cryptographic secure logging schemes.", acknowledgement = ack-nhfb, articleno = "9", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Khoury:2012:CEN, author = "Rapha{\"e}l Khoury and Nadia Tawbi", title = "Corrective Enforcement: a New Paradigm of Security Policy Enforcement by Monitors", journal = j-TISSEC, volume = "15", number = "2", pages = "10:1--10:??", month = jul, year = "2012", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2240276.2240281", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jul 31 17:02:31 MDT 2012", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Runtime monitoring is an increasingly popular method to ensure the safe execution of untrusted codes. Monitors observe and transform the execution of these codes, responding when needed to correct or prevent a violation of a user-defined security policy. Prior research has shown that the set of properties monitors can enforce correlates with the latitude they are given to transform and alter the target execution. But for enforcement to be meaningful this capacity must be constrained, otherwise the monitor can enforce any property, but not necessarily in a manner that is useful or desirable. However, such constraints have not been significantly addressed in prior work. In this article, we develop a new paradigm of security policy enforcement in which the behavior of the enforcement mechanism is restricted to ensure that valid aspects present in the execution are preserved notwithstanding any transformation it may perform. These restrictions capture the desired behavior of valid executions of the program, and are stated by way of a preorder over sequences. The resulting model is closer than previous ones to what would be expected of a real-life monitor, from which we demand a minimal footprint on both valid and invalid executions. We illustrate this framework with examples of real-life security properties. Since several different enforcement alternatives of the same property are made possible by the flexibility of this type of enforcement, our study also provides metrics that allow the user to compare monitors objectively and choose the best enforcement paradigm for a given situation.", acknowledgement = ack-nhfb, articleno = "10", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Danner:2012:EDD, author = "Norman Danner and Sam Defabbia-Kane and Danny Krizanc and Marc Liberatore", title = "Effectiveness and detection of denial-of-service attacks in {Tor}", journal = j-TISSEC, volume = "15", number = "3", pages = "11:1--11:??", month = nov, year = "2012", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2382448.2382449", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Nov 28 17:25:14 MST 2012", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Tor is one of the more popular systems for anonymizing near-real-time communications on the Internet. Borisov et al. [2007] proposed a denial-of-service-based attack on Tor (and related systems) that significantly increases the probability of compromising the anonymity provided. In this article, we analyze the effectiveness of the attack using both an analytic model and simulation. We also describe two algorithms for detecting such attacks, one deterministic and proved correct, the other probabilistic and verified in simulation.", acknowledgement = ack-nhfb, articleno = "11", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Brennan:2012:ASC, author = "Michael Brennan and Sadia Afroz and Rachel Greenstadt", title = "Adversarial stylometry: Circumventing authorship recognition to preserve privacy and anonymity", journal = j-TISSEC, volume = "15", number = "3", pages = "12:1--12:??", month = nov, year = "2012", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2382448.2382450", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Nov 28 17:25:14 MST 2012", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The use of stylometry, authorship recognition through purely linguistic means, has contributed to literary, historical, and criminal investigation breakthroughs. Existing stylometry research assumes that authors have not attempted to disguise their linguistic writing style. We challenge this basic assumption of existing stylometry methodologies and present a new area of research: adversarial stylometry. Adversaries have a devastating effect on the robustness of existing classification methods. Our work presents a framework for creating adversarial passages including obfuscation, where a subject attempts to hide her identity, and imitation, where a subject attempts to frame another subject by imitating his writing style, and translation where original passages are obfuscated with machine translation services. This research demonstrates that manual circumvention methods work very well while automated translation methods are not effective. The obfuscation method reduces the techniques' effectiveness to the level of random guessing and the imitation attempts succeed up to 67\% of the time depending on the stylometry technique used. These results are more significant given the fact that experimental subjects were unfamiliar with stylometry, were not professional writers, and spent little time on the attacks. This article also contributes to the field by using human subjects to empirically validate the claim of high accuracy for four current techniques (without adversaries). We have also compiled and released two corpora of adversarial stylometry texts to promote research in this field with a total of 57 unique authors. We argue that this field is important to a multidisciplinary approach to privacy, security, and anonymity.", acknowledgement = ack-nhfb, articleno = "12", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Basin:2012:DEA, author = "David Basin and Samuel J. Burri and G{\"u}nter Karjoth", title = "Dynamic enforcement of abstract separation of duty constraints", journal = j-TISSEC, volume = "15", number = "3", pages = "13:1--13:??", month = nov, year = "2012", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2382448.2382451", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Nov 28 17:25:14 MST 2012", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Separation of Duties (SoD) aims at preventing fraud and errors by distributing tasks and associated authorizations among multiple users. Li and Wang [2008] proposed an algebra (SoDA) for specifying SoD requirements, which is both expressive in the requirements it formalizes and abstract in that it is not bound to a workflow model. In this article, we bridge the gap between the specification of SoD constraints modeled in SoDA and their enforcement in a dynamic, service-oriented enterprise environment. We proceed by generalizing SoDA's semantics to traces, modeling workflow executions that satisfy the respective SoDA terms. We then refine the set of traces induced by a SoDA term to also account for a workflow's control-flow and role-based authorizations. Our formalization, which is based on the process algebra CSP, supports the enforcement of SoD on general workflows and handles changing role assignments during workflow execution, addressing a well-known source of fraud. The resulting CSP model serves as blueprint for a distributed and loosely coupled architecture where SoD enforcement is provisioned as a service. This concept, which we call SoD as a Service, facilitates a separation of concerns between business experts and security professionals. As a result, integration and configuration efforts are minimized and enterprises can quickly adapt to organizational, regulatory, and technological changes. We describe an implementation of SoD as a Service, which combines commercial components such as a workflow engine with newly developed components such as an SoD enforcement monitor. To evaluate our design decisions and to demonstrate the feasibility of our approach, we present a case study of a drug dispensation workflow deployed in a hospital.", acknowledgement = ack-nhfb, articleno = "13", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Feigenbaum:2012:PAO, author = "Joan Feigenbaum and Aaron Johnson and Paul Syverson", title = "Probabilistic analysis of onion routing in a black-box model", journal = j-TISSEC, volume = "15", number = "3", pages = "14:1--14:??", month = nov, year = "2012", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2382448.2382452", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Nov 28 17:25:14 MST 2012", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We perform a probabilistic analysis of onion routing. The analysis is presented in a black-box model of anonymous communication in the Universally Composable (UC) framework that abstracts the essential properties of onion routing in the presence of an active adversary who controls a portion of the network and knows all a priori distributions on user choices of destination. Our results quantify how much the adversary can gain in identifying users by exploiting knowledge of their probabilistic behavior. In particular, we show that, in the limit as the network gets large, a user u's anonymity is worst either when the other users always choose the destination u is least likely to visit or when the other users always choose the destination u chooses. This worst-case anonymity with an adversary that controls a fraction b of the routers is shown to be comparable to the best-case anonymity against an adversary that controls a fraction $\sqrt b$.", acknowledgement = ack-nhfb, articleno = "14", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Frank:2013:RMP, author = "Mario Frank and Joachim M. Buhman and David Basin", title = "Role Mining with Probabilistic Models", journal = j-TISSEC, volume = "15", number = "4", pages = "15:1--15:??", month = apr, year = "2013", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2445566.2445567", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Apr 4 18:18:20 MDT 2013", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Role mining tackles the problem of finding a role-based access control (RBAC) configuration, given an access-control matrix assigning users to access permissions as input. Most role-mining approaches work by constructing a large set of candidate roles and use a greedy selection strategy to iteratively pick a small subset such that the differences between the resulting RBAC configuration and the access control matrix are minimized. In this article, we advocate an alternative approach that recasts role mining as an inference problem rather than a lossy compression problem. Instead of using combinatorial algorithms to minimize the number of roles needed to represent the access-control matrix, we derive probabilistic models to learn the RBAC configuration that most likely underlies the given matrix. Our models are generative in that they reflect the way that permissions are assigned to users in a given RBAC configuration. We additionally model how user-permission assignments that conflict with an RBAC configuration emerge and we investigate the influence of constraints on role hierarchies and on the number of assignments. In experiments with access-control matrices from real-world enterprises, we compare our proposed models with other role-mining methods. Our results show that our probabilistic models infer roles that generalize well to new system users for a wide variety of data, while other models' generalization abilities depend on the dataset given.", acknowledgement = ack-nhfb, articleno = "15", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Gilad:2013:FCV, author = "Yossi Gilad and Amir Herzberg", title = "Fragmentation Considered Vulnerable", journal = j-TISSEC, volume = "15", number = "4", pages = "16:1--16:??", month = apr, year = "2013", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2445566.2445568", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Apr 4 18:18:20 MDT 2013", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We show that fragmented IPv4 and IPv6 traffic is vulnerable to effective interception and denial-of-service (DoS) attacks by an off-path attacker. Specifically, we demonstrate a weak attacker intercepting more than 80\% of the data between peers and causing over 94\% loss rate. We show that our attacks are practical through experimental validation on popular industrial and open-source products, with realistic network setups that involve NAT or tunneling and include concurrent legitimate traffic as well as packet losses. The interception attack requires a zombie agent behind the same NAT or tunnel-gateway as the victim destination; the DoS attack only requires a puppet agent, that is, a sandboxed applet or script running in web-browser context. The complexity of our attacks depends on the predictability of the IP Identification (ID) field which is typically implemented as one or multiple counters, as allowed and recommended by the IP specifications. The attacks are much simpler and more efficient for implementations, such as Windows, which use one ID counter for all destinations. Therefore, much of our focus is on presenting effective attacks for implementations, such as Linux, which use per-destination ID counters. We present practical defenses for the attacks presented in this article, the defenses can be deployed on network firewalls without changes to hosts or operating system kernel.", acknowledgement = ack-nhfb, articleno = "16", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Ali:2013:AAD, author = "Muhammad Qasim Ali and Ehab Al-Shaer and Hassan Khan and Syed Ali Khayam", title = "Automated Anomaly Detector Adaptation using Adaptive Threshold Tuning", journal = j-TISSEC, volume = "15", number = "4", pages = "17:1--17:??", month = apr, year = "2013", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2445566.2445569", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Apr 4 18:18:20 MDT 2013", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Real-time network- and host-based Anomaly Detection Systems (ADSs) transform a continuous stream of input data into meaningful and quantifiable anomaly scores. These scores are subsequently compared to a fixed detection threshold and classified as either benign or malicious. We argue that a real-time ADS' input changes considerably over time and a fixed threshold value cannot guarantee good anomaly detection accuracy for such a time-varying input. In this article, we propose a simple and generic technique to adaptively tune the detection threshold of any ADS that works on threshold method. To this end, we first perform statistical and information-theoretic analysis of network- and host-based ADSs' anomaly scores to reveal a consistent time correlation structure during benign activity periods. We model the observed correlation structure using Markov chains, which are in turn used in a stochastic target tracking framework to adapt an ADS' detection threshold in accordance with real-time measurements. We also use statistical techniques to make the proposed algorithm resilient to sporadic changes and evasion attacks. In order to evaluate the proposed approach, we incorporate the proposed adaptive thresholding module into multiple ADSs and evaluate those ADSs over comprehensive and independently collected network and host attack datasets. We show that, while reducing the need of human threshold configuration, the proposed technique provides considerable and consistent accuracy improvements for all evaluated ADSs.", acknowledgement = ack-nhfb, articleno = "17", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Jayaraman:2013:MAR, author = "Karthick Jayaraman and Mahesh Tripunitara and Vijay Ganesh and Martin Rinard and Steve Chapin", title = "{Mohawk}: Abstraction-Refinement and Bound-Estimation for Verifying Access Control Policies", journal = j-TISSEC, volume = "15", number = "4", pages = "18:1--18:??", month = apr, year = "2013", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2445566.2445570", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Apr 4 18:18:20 MDT 2013", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Verifying that access-control systems maintain desired security properties is recognized as an important problem in security. Enterprise access-control systems have grown to protect tens of thousands of resources, and there is a need for verification to scale commensurately. We present techniques for abstraction-refinement and bound-estimation for bounded model checkers to automatically find errors in Administrative Role-Based Access Control (ARBAC) security policies. ARBAC is the first and most comprehensive administrative scheme for Role-Based Access Control (RBAC) systems. In the abstraction-refinement portion of our approach, we identify and discard roles that are unlikely to be relevant to the verification question (the abstraction step). We then restore such abstracted roles incrementally (the refinement steps). In the bound-estimation portion of our approach, we lower the estimate of the diameter of the reachability graph from the worst-case by recognizing relationships between roles and state-change rules. Our techniques complement one another, and are used with conventional bounded model checking. Our approach is sound and complete: an error is found if and only if it exists. We have implemented our technique in an access-control policy analysis tool called Mohawk. We show empirically that Mohawk scales well to realistic policies, and provide a comparison with prior tools.", acknowledgement = ack-nhfb, articleno = "18", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Philippaerts:2013:CMC, author = "Pieter Philippaerts and Yves Younan and Stijn Muylle and Frank Piessens and Sven Lachmund and Thomas Walter", title = "{CPM}: Masking Code Pointers to Prevent Code Injection Attacks", journal = j-TISSEC, volume = "16", number = "1", pages = "1:1--1:??", month = jun, year = "2013", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2487222.2487223", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Fri Jun 14 19:25:26 MDT 2013", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Code Pointer Masking (CPM) is a novel countermeasure against code injection attacks on native code. By enforcing the correct semantics of code pointers, CPM thwarts attacks that modify code pointers to divert the application's control flow. It does not rely on secret values such as stack canaries and protects against attacks that are not addressed by state-of-the-art countermeasures of similar performance. This article reports on two prototype implementations on very distinct processor architectures, showing that the idea behind CPM is portable. The evaluation also shows that the overhead of using our countermeasure is very small and the security benefits are substantial.", acknowledgement = ack-nhfb, articleno = "1", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Cobb:2013:LMS, author = "William E. Cobb and Rusty O. Baldwin and Eric D. Laspe", title = "Leakage Mapping: a Systematic Methodology for Assessing the Side-Channel Information Leakage of Cryptographic Implementations", journal = j-TISSEC, volume = "16", number = "1", pages = "2:1--2:??", month = jun, year = "2013", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2487222.2487224", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Fri Jun 14 19:25:26 MDT 2013", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We propose a generalized framework to evaluate the side-channel information leakage of symmetric block ciphers. The leakage mapping methodology enables the systematic and efficient identification and mitigation of problematic information leakages by exhaustively considering relevant leakage models. The evaluation procedure bounds the anticipated resistance of an implementation to the general class of univariate differential side-channel analysis techniques. Typical applications are demonstrated using the well-known Hamming weight and Hamming distance leakage models, with recommendations for the incorporation of more accurate models. The evaluation results are empirically validated against correlation-based differential side-channel analysis attacks on two typical unprotected implementations of the Advanced Encryption Standard.", acknowledgement = ack-nhfb, articleno = "2", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Basin:2013:ESP, author = "David Basin and Vincent Jug{\'e} and Felix Klaedtke and Eugen Zalinescu", title = "Enforceable Security Policies Revisited", journal = j-TISSEC, volume = "16", number = "1", pages = "3:1--3:??", month = jun, year = "2013", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2487222.2487225", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Fri Jun 14 19:25:26 MDT 2013", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We revisit Schneider's work on policy enforcement by execution monitoring. We overcome limitations of Schneider's setting by distinguishing between system actions that are controllable by an enforcement mechanism and those actions that are only observable, that is, the enforcement mechanism sees them but cannot prevent their execution. For this refined setting, we give necessary and sufficient conditions on when a security policy is enforceable. To state these conditions, we generalize the standard notion of safety properties. Our classification of system actions also allows one, for example, to reason about the enforceability of policies that involve timing constraints. Furthermore, for different specification languages, we investigate the decision problem of whether a given policy is enforceable. We provide complexity results and show how to synthesize an enforcement mechanism from an enforceable policy.", acknowledgement = ack-nhfb, articleno = "3", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Crampton:2013:PCK, author = "Jason Crampton and Gregory Gutin and Anders Yeo", title = "On the Parameterized Complexity and Kernelization of the Workflow Satisfiability Problem", journal = j-TISSEC, volume = "16", number = "1", pages = "4:1--4:??", month = jun, year = "2013", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2487222.2487226", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Fri Jun 14 19:25:26 MDT 2013", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "A workflow specification defines a set of steps and the order in which these steps must be executed. Security requirements may impose constraints on which groups of users are permitted to perform subsets of these steps. A workflow specification is said to be satisfiable if there exists an assignment of users to workflow steps that satisfies all the constraints. An algorithm for determining whether such an assignment exists is important, both as a static analysis tool for workflow specifications and for the construction of runtime reference monitors for workflow management systems. Finding such an assignment is a hard problem in general, but work by Wang and Li [2010] using the theory of parameterized complexity suggests that efficient algorithms exist under reasonable assumptions about workflow specifications. In this article, we improve the complexity bounds for the workflow satisfiability problem. We also generalize and extend the types of constraints that may be defined in a workflow specification and prove that the satisfiability problem remains fixed-parameter tractable for such constraints. Finally, we consider preprocessing for the problem and prove that in an important special case, in polynomial time, we can reduce the given input into an equivalent one where the number of users is at most the number of steps. We also show that no such reduction exists for two natural extensions of this case, which bounds the number of users by a polynomial in the number of steps, provided a widely accepted complexity-theoretical assumption holds.", acknowledgement = ack-nhfb, articleno = "4", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Leonard:2013:MAP, author = "Thomas Leonard and Martin Hall-May and Mike Surridge", title = "Modelling Access Propagation in Dynamic Systems", journal = j-TISSEC, volume = "16", number = "2", pages = "5:1--5:??", month = sep, year = "2013", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2516951.2516952", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Sep 23 17:04:07 MDT 2013", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Access control is a critical feature of many systems, including networks of services, processes within a computer, and objects within a running process. The security consequences of a particular architecture or access control policy are often difficult to determine, especially where some components are not under our control, where components are created dynamically, or where access policies are updated dynamically. The SERSCIS Access Modeller (SAM) takes a model of a system and explores how access can propagate through it. It can both prove defined safety properties and discover unwanted properties. By defining expected behaviours, recording the results as a baseline, and then introducing untrusted actors, SAM can discover a wide variety of design flaws. SAM is designed to handle dynamic systems (i.e., at runtime, new objects are created and access policies modified) and systems where some objects are not trusted. It extends previous approaches such as Scollar and Authodox to provide a programmer-friendly syntax for specifying behaviour, and allows modelling of services with mutually suspicious clients. Taking the Confused Deputy example from Authodox we show that SAM detects the attack automatically; using a web-based backup service, we show how to model RBAC systems, detecting a missing validation check; and using a proxy certificate system, we show how to extend it to model new access mechanisms. On discovering that a library fails to follow an RFC precisely, we re-evaluate our existing models under the new assumption and discover that the proxy certificate design is not safe with this library.", acknowledgement = ack-nhfb, articleno = "5", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Cheng:2013:DVB, author = "Yueqiang Cheng and Xuhua Ding and Robert H. Deng", title = "{DriverGuard}: Virtualization-Based Fine-Grained Protection on {I/O} Flows", journal = j-TISSEC, volume = "16", number = "2", pages = "6:1--6:??", month = sep, year = "2013", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2505123", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Sep 23 17:04:07 MDT 2013", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib; http://www.math.utah.edu/pub/tex/bib/virtual-machines.bib", abstract = "Most commodity peripheral devices and their drivers are geared to achieve high performance with security functions being opted out. The absence of strong security measures invites attacks on the I/O data and consequently posts threats to those services feeding on them, such as fingerprint-based biometric authentication. In this article, we present a generic solution called DriverGuard, which dynamically protects the secrecy of I/O flows such that the I/O data are not exposed to the malicious kernel. Our design leverages a composite of cryptographic and virtualization techniques to achieve fine-grained protection without using any extra devices and modifications on user applications. We implement the DriverGuard prototype on Xen by adding around 1.7K SLOC. DriverGuard is lightweight as it only needs to protect around 2\% of the driver code's execution. We measure the performance and evaluate the security of DriverGuard with three input devices (keyboard, fingerprint reader and camera) and three output devices (printer, graphic card, and sound card). The experiment results show that DriverGuard induces negligible overhead to the applications.", acknowledgement = ack-nhfb, articleno = "6", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Fu:2013:BSG, author = "Yangchun Fu and Zhiqiang Lin", title = "Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection", journal = j-TISSEC, volume = "16", number = "2", pages = "7:1--7:??", month = sep, year = "2013", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2505124", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Sep 23 17:04:07 MDT 2013", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib; http://www.math.utah.edu/pub/tex/bib/virtual-machines.bib", abstract = "It is generally believed to be a tedious, time-consuming, and error-prone process to develop a virtual machine introspection (VMI) tool because of the semantic gap. Recent advance shows that the semantic-gap can be largely narrowed by reusing the executed code from a trusted OS kernel. However, the limitation for such an approach is that it only reuses the exercised code through a training process, which suffers the code coverage issues. Thus, in this article, we present Vmst, a new technique that can seamlessly bridge the semantic gap and automatically generate the VMI tools. The key idea is that, through system wide instruction monitoring, Vmst automatically identifies the introspection related data from a secure-VM and online redirects these data accesses to the kernel memory of a product-VM, without any training. Vmst offers a number of new features and capabilities. Particularly, it enables an in-VM inspection program (e.g., ps) to automatically become an out-of-VM introspection program. We have tested Vmst with over 25 commonly used utilities on top of a number of different OS kernels including Linux and Microsoft Windows. The experimental results show that our technique is general (largely OS-independent), and it introduces 9.3X overhead for Linux utilities and 19.6X overhead for Windows utilities on average for the introspected program compared to the native in-VM execution without data redirection.", acknowledgement = ack-nhfb, articleno = "7", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Serwadda:2013:ELK, author = "Abdul Serwadda and Vir V. Phoha", title = "Examining a Large Keystroke Biometrics Dataset for Statistical-Attack Openings", journal = j-TISSEC, volume = "16", number = "2", pages = "8:1--8:??", month = sep, year = "2013", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2516960", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Sep 23 17:04:07 MDT 2013", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/cryptography2010.bib; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Research on keystroke-based authentication has traditionally assumed human impostors who generate forgeries by physically typing on the keyboard. With bots now well understood to have the capacity to originate precisely timed keystroke sequences, this model of attack is likely to underestimate the threat facing a keystroke-based system in practice. In this work, we investigate how a keystroke-based authentication system would perform if it were subjected to synthetic attacks designed to mimic the typical user. To implement the attacks, we perform a rigorous statistical analysis on keystroke biometrics data collected over a 2-year period from more than 3000 users, and then use the observed statistical traits to design and launch algorithmic attacks against three state-of-the-art password-based keystroke verification systems. Relative to the zero-effort attacks typically used to test the performance of keystroke biometric systems, we show that our algorithmic attack increases the mean Equal Error Rates (EERs) of three high performance keystroke verifiers by between 28.6\% and 84.4\%. We also find that the impact of the attack is more pronounced when the keystroke profiles subjected to the attack are based on shorter strings, and that some users see considerably greater performance degradation under the attack than others. This article calls for a shift from the traditional zero-effort approach of testing the performance of password-based keystroke verifiers, to a more rigorous algorithmic approach that captures the threat posed by today's bots.", acknowledgement = ack-nhfb, articleno = "8", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Sun:2013:BJW, author = "Mengtao Sun and Gang Tan and Joseph Siefers and Bin Zeng and Greg Morrisett", title = "Bringing {Java}'s wild native world under control", journal = j-TISSEC, volume = "16", number = "3", pages = "9:1--9:??", month = nov, year = "2013", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2535505", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 9 11:22:22 MST 2013", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/java2010.bib; http://www.math.utah.edu/pub/tex/bib/tissec.bib; http://www.math.utah.edu/pub/tex/bib/virtual-machines.bib", abstract = "For performance and for incorporating legacy libraries, many Java applications contain native-code components written in unsafe languages such as C and C++. Native-code components interoperate with Java components through the Java Native Interface (JNI). As native code is not regulated by Java's security model, it poses serious security threats to the managed Java world. We introduce a security framework that extends Java's security model and brings native code under control. Leveraging software-based fault isolation, the framework puts native code in a separate sandbox and allows the interaction between the native world and the Java world only through a carefully designed pathway. Two different implementations were built. In one implementation, the security framework is integrated into a Java Virtual Machine (JVM). In the second implementation, the framework is built outside of the JVM and takes advantage of JVM-independent interfaces. The second implementation provides JVM portability, at the expense of some performance degradation. Evaluation of our framework demonstrates that it incurs modest runtime overhead while significantly enhancing the security of Java applications.", acknowledgement = ack-nhfb, articleno = "9", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Driessen:2013:ESA, author = "Benedikt Driessen and Ralf Hund and Carsten Willems and Christof Paar and Thorsten Holz", title = "An experimental security analysis of two satphone standards", journal = j-TISSEC, volume = "16", number = "3", pages = "10:1--10:??", month = nov, year = "2013", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2535522", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 9 11:22:22 MST 2013", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/cryptography2010.bib; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "General-purpose communication systems such as GSM and UMTS have been in the focus of security researchers for over a decade now. Recently also technologies that are only used under more specific circumstances have come into the spotlight of academic research and the hacker scene alike. A striking example of this is recent work [Driessen et al. 2012] that analyzed the security of the over-the-air encryption in the two existing ETSI satphone standards GMR-1 and GMR-2. The firmware of handheld devices was reverse-engineered and the previously unknown stream ciphers A5-GMR-1 and A5-GMR-2 were recovered. In a second step, both ciphers were cryptanalized, resulting in a ciphertext-only attack on A5-GMR-1 and a known-plaintext attack on A5-GMR-2. In this work, we extend the aforementioned results in the following ways: First, we improve the proposed attack on A5-GMR-1 and reduce its average-case complexity from $2^{32}$ to $2^{21}$ steps. Second, we implement a practical attack to successfully record communications in the Thuraya network and show that it can be done with moderate effort for approximately \$5,000. We describe the implementation of our modified attack and the crucial aspects to make it practical. Using our eavesdropping setup, we recorded 30 seconds of our own satellite-to-satphone communication and show that we are able to recover Thuraya session keys in half an hour (on average). We supplement these results with experiments designed to highlight the feasibility of also eavesdropping on the satphone's emanations. The purpose of this article is threefold: Develop and demonstrate more practical attacks on A5-GMR-1, summarize current research results in the field of GMR-1 and GMR-2 security, and shed light on the amount of work and expertise it takes from setting out to analyze a complex system to actually break it in the real world.", acknowledgement = ack-nhfb, articleno = "10", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Blanton:2013:SVO, author = "Marina Blanton and Yihua Zhang and Keith B. Frikken", title = "Secure and verifiable outsourcing of large-scale biometric computations", journal = j-TISSEC, volume = "16", number = "3", pages = "11:1--11:??", month = nov, year = "2013", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2535523", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 9 11:22:22 MST 2013", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Cloud computing services are becoming more prevalent and readily available today, bringing to us economies of scale and making large-scale computation feasible. Security and privacy considerations, however, stand in the way of fully utilizing the benefits of such services and architectures. In this work we address the problem of secure outsourcing of large-scale biometric experiments to a cloud or grid in a way that the client can verify that with very high probability the task was computed correctly. We conduct thorough theoretical analysis of the proposed techniques and provide implementation results that indicate that our solution imposes modest overhead.", acknowledgement = ack-nhfb, articleno = "11", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Williams:2013:APC, author = "Peter Williams and Radu Sion", title = "Access privacy and correctness on untrusted storage", journal = j-TISSEC, volume = "16", number = "3", pages = "12:1--12:??", month = nov, year = "2013", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2535524", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 9 11:22:22 MST 2013", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We introduce a new practical mechanism for remote data storage with access pattern privacy and correctness. A storage client can deploy this mechanism to issue encrypted reads, writes, and inserts to a potentially curious and malicious storage service provider, without revealing information or access patterns. The provider is unable to establish any correlation between successive accesses, or even to distinguish between a read and a write. Moreover, the client is provided with strong correctness assurances for its operations --- illicit provider behavior does not go undetected. We describe a practical system that can execute an unprecedented several queries per second on terabyte-plus databases while maintaining full computational privacy and correctness.", acknowledgement = ack-nhfb, articleno = "12", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Gilad:2014:PTI, author = "Yossi Gilad and Amir Herzberg", title = "Off-Path {TCP} Injection Attacks", journal = j-TISSEC, volume = "16", number = "4", pages = "13:1--13:??", month = apr, year = "2014", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2597173", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon May 5 18:00:10 MDT 2014", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We present practical off-path TCP injection attacks for connections between current, nonbuggy browsers and Web servers. The attacks allow Web-cache poisoning with malicious objects such as spoofed Web pages and scripts; these objects can be cached for a long period of time, exposing any user of that cache to cross-site scripting, cross-site request forgery, and phishing attacks. In contrast to previous TCP injection attacks, we do not require MitM capabilities or malware running on the client machine. Instead, our attacks rely on a weaker assumption, that the user only enters a malicious Web site, but does not download or install any application. Our attacks exploit subtle details of the TCP and HTTP specifications, and features of legitimate (and very common) browser implementations. An empirical evaluation of our techniques with current versions of browsers shows that connections with most popular Web sites are vulnerable. We conclude this work with practical client- and server-end defenses against our attacks.", acknowledgement = ack-nhfb, articleno = "13", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Bilge:2014:EPD, author = "Leyla Bilge and Sevil Sen and Davide Balzarotti and Engin Kirda and Christopher Kruegel", title = "{EXPOSURE}: a Passive {DNS} Analysis Service to Detect and Report Malicious Domains", journal = j-TISSEC, volume = "16", number = "4", pages = "14:1--14:??", month = apr, year = "2014", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2584679", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon May 5 18:00:10 MDT 2014", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "A wide range of malicious activities rely on the domain name service (DNS) to manage their large, distributed networks of infected machines. As a consequence, the monitoring and analysis of DNS queries has recently been proposed as one of the most promising techniques to detect and blacklist domains involved in malicious activities (e.g., phishing, spam, botnets command-and-control, etc.). EXPOSURE is a system we designed to detect such domains in real time, by applying 15 unique features grouped in four categories. We conducted a controlled experiment with a large, real-world dataset consisting of billions of DNS requests. The extremely positive results obtained in the tests convinced us to implement our techniques and deploy it as a free, online service. In this article, we present the Exposure system and describe the results and lessons learned from 17 months of its operation. Over this amount of time, the service detected over 100K malicious domains. The statistics about the time of usage, number of queries, and target IP addresses of each domain are also published on a daily basis on the service Web page.", acknowledgement = ack-nhfb, articleno = "14", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Chen:2014:CDP, author = "Liqun Chen and Hoon Wei Lim and Guomin Yang", title = "Cross-Domain Password-Based Authenticated Key Exchange Revisited", journal = j-TISSEC, volume = "16", number = "4", pages = "15:1--15:??", month = apr, year = "2014", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2584681", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon May 5 18:00:10 MDT 2014", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We revisit the problem of secure cross-domain communication between two users belonging to different security domains within an open and distributed environment. Existing approaches presuppose that either the users are in possession of public key certificates issued by a trusted certificate authority (CA), or the associated domain authentication servers share a long-term secret key. In this article, we propose a generic framework for designing four-party password-based authenticated key exchange (4PAKE) protocols. Our framework takes a different approach from previous work. The users are not required to have public key certificates, but they simply reuse their login passwords, which they share with their respective domain authentication servers. On the other hand, the authentication servers, assumed to be part of a standard PKI, act as ephemeral CAs that certify some key materials that the users can subsequently use to exchange and agree on as a session key. Moreover, we adopt a compositional approach. That is, by treating any secure two-party password-based key exchange (2PAKE) protocol and two-party asymmetric-key/symmetric-key-based key exchange (2A/SAKE) protocol as black boxes, we combine them to obtain generic and provably secure 4PAKE protocols.", acknowledgement = ack-nhfb, articleno = "15", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Chen:2014:APS, author = "Teh-Chung Chen and Torin Stepan and Scott Dick and James Miller", title = "An Anti-Phishing System Employing Diffused Information", journal = j-TISSEC, volume = "16", number = "4", pages = "16:1--16:??", month = apr, year = "2014", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2584680", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon May 5 18:00:10 MDT 2014", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The phishing scam and its variants are estimated to cost victims billions of dollars per year. Researchers have responded with a number of anti-phishing systems, based either on blacklists or on heuristics. The former cannot cope with the churn of phishing sites, while the latter usually employ decision rules that are not congruent to human perception. We propose a novel heuristic anti-phishing system that explicitly employs gestalt and decision theory concepts to model perceptual similarity. Our system is evaluated on three corpora contrasting legitimate Web sites with real-world phishing scams. The proposed system's performance was equal or superior to current best-of-breed systems. We further analyze current anti-phishing warnings from the perspective of warning theory, and propose a new warning design employing our Gestalt approach.", acknowledgement = ack-nhfb, articleno = "16", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Arkoudas:2014:SAC, author = "Konstantine Arkoudas and Ritu Chadha and Jason Chiang", title = "Sophisticated Access Control via {SMT} and Logical Frameworks", journal = j-TISSEC, volume = "16", number = "4", pages = "17:1--17:??", month = apr, year = "2014", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2595222", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon May 5 18:00:10 MDT 2014", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We introduce a new methodology for formulating, analyzing, and applying access-control policies. Policies are expressed as formal theories in the SMT (satisfiability-modulo-theories) subset of typed first-order logic, and represented in a programmable logical framework, with each theory extending a core ontology of access control. We reduce both request evaluation and policy analysis to SMT solving, and provide experimental results demonstrating the practicality of these reductions. We also introduce a class of canonical requests and prove that such requests can be evaluated in linear time. In many application domains, access requests are either naturally canonical or can easily be put into canonical form. The resulting policy framework is more expressive than XACML and languages in the Datalog family, without compromising efficiency. Using the computational logic facilities of the framework, a wide range of sophisticated policy analyses (including consistency, coverage, observational equivalence, and change impact) receive succinct formulations whose correctness can be straightforwardly verified. The use of SMT solving allows us to efficiently analyze policies with complicated numeric (integer and real) constraints, a weak point of previous policy analysis systems. Further, by leveraging the programmability of the underlying logical framework, our system provides exceptionally flexible ways of resolving conflicts and composing policies. Specifically, we show that our system subsumes FIA (Fine-grained Integration Algebra), an algebra recently developed for the purpose of integrating complex policies.", acknowledgement = ack-nhfb, articleno = "17", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Allodi:2014:CVS, author = "Luca Allodi and Fabio Massacci", title = "Comparing Vulnerability Severity and Exploits Using Case-Control Studies", journal = j-TISSEC, volume = "17", number = "1", pages = "1:1--1:??", month = aug, year = "2014", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2630069", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Aug 11 19:17:17 MDT 2014", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "(U.S.) Rule-based policies for mitigating software risk suggest using the CVSS score to measure the risk of an individual vulnerability and act accordingly. A key issue is whether the `danger' score does actually match the risk of exploitation in the wild, and if and how such a score could be improved. To address this question, we propose using a case-control study methodology similar to the procedure used to link lung cancer and smoking in the 1950s. A case-control study allows the researcher to draw conclusions on the relation between some risk factor (e.g., smoking) and an effect (e.g., cancer) by looking backward at the cases (e.g., patients) and comparing them with controls (e.g., randomly selected patients with similar characteristics). The methodology allows us to quantify the risk reduction achievable by acting on the risk factor. We illustrate the methodology by using publicly available data on vulnerabilities, exploits, and exploits in the wild to (1) evaluate the performances of the current risk factor in the industry, the CVSS base score; (2) determine whether it can be improved by considering additional factors such the existence of a proof-of-concept exploit, or of an exploit in the black markets. Our analysis reveals that (a) fixing a vulnerability just because it was assigned a high CVSS score is equivalent to randomly picking vulnerabilities to fix; (b) the existence of proof-of-concept exploits is a significantly better risk factor; (c) fixing in response to exploit presence in black markets yields the largest risk reduction.", acknowledgement = ack-nhfb, articleno = "1", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Marinovic:2014:RIB, author = "Srdjan Marinovic and Naranker Dulay and Morris Sloman", title = "{Rumpole}: an Introspective Break-Glass Access Control Language", journal = j-TISSEC, volume = "17", number = "1", pages = "2:1--2:??", month = aug, year = "2014", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2629502", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Aug 11 19:17:17 MDT 2014", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Access control policies define what resources can be accessed by which subjects and under which conditions. It is, however, often not possible to anticipate all subjects that should be permitted access and the conditions under which they should be permitted. For example, predicting and correctly encoding all emergency and exceptional situations is impractical. Traditional access control models simply deny all requests that are not permitted, and in doing so may cause unpredictable and unacceptable consequences. To overcome this issue, break-glass access control models permit a subject to override an access control denial if he accepts a set of obligatory actions and certain override conditions are met. Existing break-glass models are limited in how the override decision is specified. They either grant overrides for a predefined set of exceptional situations, or they grant unlimited overrides to selected subjects, and as such, they suffer from the difficulty of correctly encoding and predicting all override situations and permissions. To address this, we develop Rumpole, a novel break-glass language that explicitly represents and infers knowledge gaps and knowledge conflicts about the subject's attributes and the contextual conditions, such as emergencies. For example, a Rumpole policy can distinguish whether or not it is known that an emergency holds. This leads to a more informed decision for an override request, whereas current break-glass languages simply assume that there is no emergency if the evidence for it is missing. To formally define Rumpole, we construct a novel many-valued logic programming language called Beagle. It has a simple syntax similar to that of Datalog, and its semantics is an extension of Fitting's bilattice-based semantics for logic programs. Beagle is a knowledge non-monotonic language, and as such, is strictly more expressive than current many-valued logic programming languages.", acknowledgement = ack-nhfb, articleno = "2", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Jafari:2014:FEE, author = "Mohammad Jafari and Reihaneh Safavi-Naini and Philip W. L. Fong and Ken Barker", title = "A Framework for Expressing and Enforcing Purpose-Based Privacy Policies", journal = j-TISSEC, volume = "17", number = "1", pages = "3:1--3:??", month = aug, year = "2014", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2629689", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Aug 11 19:17:17 MDT 2014", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Purpose is a key concept in privacy policies. Although some models have been proposed for enforcing purpose-based privacy policies, little has been done in defining formal semantics for purpose, and therefore an effective enforcement mechanism for such policies has remained a challenge. We have developed a framework for expressing and enforcing such policies by giving a formal definition of purpose and proposing a modal-logic language for formally expressing purpose constraints. The semantics of this language are defined over an abstract model of workflows. Based on this formal framework, we discuss some properties of purpose, show how common forms of purpose constraints can be formalized, how purpose-based constraints can be connected to more general access control policies, and how they can be enforced in a workflow-based information system by extending common access control technologies.", acknowledgement = ack-nhfb, articleno = "3", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Syta:2014:SAA, author = "Ewa Syta and Henry Corrigan-Gibbs and Shu-Chun Weng and David Wolinsky and Bryan Ford and Aaron Johnson", title = "Security Analysis of Accountable Anonymity in {Dissent}", journal = j-TISSEC, volume = "17", number = "1", pages = "4:1--4:??", month = aug, year = "2014", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2629621", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Aug 11 19:17:17 MDT 2014", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/cryptography2010.bib; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Users often wish to communicate anonymously on the Internet, for example, in group discussion or instant messaging forums. Existing solutions are vulnerable to misbehaving users, however, who may abuse their anonymity to disrupt communication. Dining Cryptographers Networks (DC-nets) leave groups vulnerable to denial-of-service and Sybil attacks; mix networks are difficult to protect against traffic analysis; and accountable voting schemes are unsuited to general anonymous messaging. Dissent is the first general protocol offering provable anonymity and accountability for moderate-size groups, while efficiently handling unbalanced communication demands among users. We present an improved and hardened dissent protocol, define its precise security properties, and offer rigorous proofs of these properties. The improved protocol systematically addresses the delicate balance between provably hiding the identities of well-behaved users, while provably revealing the identities of disruptive users, a challenging task because many forms of misbehavior are inherently undetectable. The new protocol also addresses several nontrivial attacks on the original dissent protocol stemming from subtle design flaws.", acknowledgement = ack-nhfb, articleno = "4", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Chapin:2014:SRP, author = "Peter Chapin and Christian Skalka", title = "{SpartanRPC}: Remote Procedure Call Authorization in Wireless Sensor Networks", journal = j-TISSEC, volume = "17", number = "2", pages = "5:1--5:??", month = nov, year = "2014", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2644809", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Nov 19 12:26:42 MST 2014", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/cryptography2010.bib; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We describe SpartanRPC, a secure middleware technology that supports cooperation between distinct security domains in wireless sensor networks. SpartanRPC extends nesC to provide a link-layer remote procedure call (RPC) mechanism, along with an enhancement of configuration wirings that allow specification of remote, dynamic endpoints. RPC invocation is secured via an authorization logic that enables servers to specify access policies and requires clients to prove authorization. This mechanism is implemented using a combination of symmetric and public key cryptography. We report on benchmark testing of a prototype implementation and on an application of the framework that supports secure collaborative use and administration of an existing WSN data-gathering system.", acknowledgement = ack-nhfb, articleno = "5", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Gotzfried:2014:MAT, author = "Johannes G{\"o}tzfried and Tilo M{\"u}ller", title = "Mutual Authentication and Trust Bootstrapping towards Secure Disk Encryption", journal = j-TISSEC, volume = "17", number = "2", pages = "6:1--6:??", month = nov, year = "2014", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2663348", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Nov 19 12:26:42 MST 2014", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/cryptography2010.bib; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The weakest link in software-based full disk encryption is the authentication procedure. Since the master boot record must be present unencrypted in order to launch the decryption of remaining system parts, it can easily be manipulated and infiltrated by bootkits that perform keystroke logging; consequently, password-based authentication schemes become attackable. The current technological response, as enforced by BitLocker, verifies the integrity of the boot process by use of the trusted platform module. But, as we show, this countermeasure is insufficient in practice. We present STARK, the first tamperproof authentication scheme that mutually authenticates the computer and the user in order to resist keylogging during boot. To achieve this, STARK implements trust bootstrapping from a secure token to the whole PC. The secure token is an active USB drive that verifies the integrity of the PC and indicates the verification status by an LED to the user. This way, users can ensure the authenticity of the PC before entering their passwords.", acknowledgement = ack-nhfb, articleno = "6", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Basin:2014:KYE, author = "David Basin and Cas Cremers", title = "Know Your Enemy: Compromising Adversaries in Protocol Analysis", journal = j-TISSEC, volume = "17", number = "2", pages = "7:1--7:??", month = nov, year = "2014", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2658996", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Nov 19 12:26:42 MST 2014", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/cryptography2010.bib; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We present a symbolic framework, based on a modular operational semantics, for formalizing different notions of compromise relevant for the design and analysis of cryptographic protocols. The framework's rules can be combined to specify different adversary capabilities, capturing different practically-relevant notions of key and state compromise. The resulting adversary models generalize the models currently used in different domains, such as security models for authenticated key exchange. We extend an existing security-protocol analysis tool, Scyther, with our adversary models. This extension systematically supports notions such as weak perfect forward secrecy, key compromise impersonation, and adversaries capable of state-reveal queries. Furthermore, we introduce the concept of a protocol-security hierarchy, which classifies the relative strength of protocols against different adversaries. In case studies, we use Scyther to analyse protocols and automatically construct protocol-security hierarchies in the context of our adversary models. Our analysis confirms known results and uncovers new attacks. Additionally, our hierarchies refine and correct relationships between protocols previously reported in the cryptographic literature.", acknowledgement = ack-nhfb, articleno = "7", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Li:2014:SCA, author = "Peng Li and Debin Gao and Michael K. Reiter", title = "{StopWatch}: a Cloud Architecture for Timing Channel Mitigation", journal = j-TISSEC, volume = "17", number = "2", pages = "8:1--8:??", month = nov, year = "2014", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2670940", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Nov 19 12:26:42 MST 2014", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/cryptography2010.bib; http://www.math.utah.edu/pub/tex/bib/tissec.bib; http://www.math.utah.edu/pub/tex/bib/virtual-machines.bib", abstract = "This article presents StopWatch, a system that defends against timing-based side-channel attacks that arise from coresidency of victims and attackers in infrastructure-as-a-service clouds. StopWatch triplicates each cloud-resident guest virtual machine (VM) and places replicas so that the three replicas of a guest VM are coresident with nonoverlapping sets of (replicas of) other VMs. StopWatch uses the timing of I/O events at a VM's replicas collectively to determine the timings observed by each one or by an external observer, so that observable timing behaviors are similarly likely in the absence of any other individual, coresident VMs. We detail the design and implementation of StopWatch in Xen, evaluate the factors that influence its performance, demonstrate its advantages relative to alternative defenses against timing side channels with commodity hardware, and address the problem of placing VM replicas in a cloud under the constraints of StopWatch so as to still enable adequate cloud utilization.", acknowledgement = ack-nhfb, articleno = "8", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Pietro:2015:SGE, author = "Roberto {Di Pietro} and Gabriele Oligeri", title = "Silence is Golden: Exploiting Jamming and Radio Silence to Communicate", journal = j-TISSEC, volume = "17", number = "3", pages = "9:1--9:??", month = mar, year = "2015", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2699906", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Fri Mar 27 17:03:46 MDT 2015", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Jamming techniques require only moderate resources to be deployed, while their effectiveness in disrupting communications is unprecedented. In this article, we introduce several contributions to jamming mitigation. In particular, we introduce a novel adversary model that has both (unlimited) jamming reactive capabilities as well as powerful (but limited) proactive jamming capabilities. Under this adversary model, to the best of our knowledge more powerful than any other adversary model addressed in the literature, the communication bandwidth provided by current anti-jamming solutions drops to zero. We then present Silence is Golden (SiG): a novel anti-jamming protocol that, introducing a tunable, asymmetric communication channel, is able to mitigate the adversary capabilities, enabling the parties to communicate. For instance, with SiG it is possible to deliver a 128-bits-long message with a probability greater than 99\% in 4096 time slots despite the presence of a jammer that jams all on-the-fly communications and 74\% of the silent radio spectrum-while competing proposals simply fail. Moreover, when SiG is used in a scenario in which the adversary can jam only a subset of all the available frequencies, performance experiences a boost: a 128-bits-long message is delivered within just 17 time slots for an adversary able to jam 90\% of the available frequencies. We present a thorough theoretical analysis for the solution, which is supported by extensive simulation results, showing the viability of our proposal.", acknowledgement = ack-nhfb, articleno = "9", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Rupp:2015:CTM, author = "Andy Rupp and Foteini Baldimtsi and Gesine Hinterw{\"a}lder and Christof Paar", title = "Cryptographic Theory Meets Practice: Efficient and Privacy-Preserving Payments for Public Transport", journal = j-TISSEC, volume = "17", number = "3", pages = "10:1--10:??", month = mar, year = "2015", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2699904", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Fri Mar 27 17:03:46 MDT 2015", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/cryptography2010.bib; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We propose a new lightweight cryptographic payment scheme for transit systems, called P4R (Privacy-Preserving Pre-Payments with Refunds), which is suitable for low-cost user devices with limited capabilities. Using P4R, users deposit money to obtain one-show credentials, where each credential allows the user to make an arbitrary ride on the system. The trip fare is determined on-the-fly at the end of the trip. If the deposit for the credential exceeds this fare, the user obtains a refund. Refund values collected over several trips are aggregated in a single token, thereby saving memory and increasing privacy. Our solution builds on Brands's e-cash scheme to realize the prepayment system and on Boneh-Lynn-Shacham (BLS) signatures to implement the refund capabilities. Compared to a Brands-only solution for transportation payment systems, P4R allows us to minimize the number of coins a user needs to pay for his rides and thus minimizes the number of expensive withdrawal transactions, as well as storage requirements for the fairly large coins. Moreover, P4R enables flexible pricing because it allows for exact payments of arbitrary amounts (within a certain range) using a single fast paying (and refund) transaction. Fortunately, the mechanisms enabling these features require very little computational overhead. Choosing contemporary security parameters, we implemented P4R on a prototyping payment device and show its suitability for future transit payment systems. Estimation results demonstrate that the data required for 20 rides consume less than 10KB of memory, and the payment and refund transactions during a ride take less than half a second. We show that malicious users are not able to cheat the system by receiving a refund that exceeds the overall deposit minus the overall fare and can be identified during double-spending checks. At the same time, the system protects the privacy of honest users in that transactions are anonymous (except for deposits) and trips are unlinkable.", acknowledgement = ack-nhfb, articleno = "10", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Serra:2015:POA, author = "Edoardo Serra and Sushil Jajodia and Andrea Pugliese and Antonino Rullo and V. S. Subrahmanian", title = "{Pareto}-Optimal Adversarial Defense of Enterprise Systems", journal = j-TISSEC, volume = "17", number = "3", pages = "11:1--11:??", month = mar, year = "2015", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2699907", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Fri Mar 27 17:03:46 MDT 2015", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The National Vulnerability Database (NVD) maintained by the US National Institute of Standards and Technology provides valuable information about vulnerabilities in popular software, as well as any patches available to address these vulnerabilities. Most enterprise security managers today simply patch the most dangerous vulnerabilities-an adversary can thus easily compromise an enterprise by using less important vulnerabilities to penetrate an enterprise. In this article, we capture the vulnerabilities in an enterprise as a Vulnerability Dependency Graph (VDG) and show that attacks graphs can be expressed in them. We first ask the question: What set of vulnerabilities should an attacker exploit in order to maximize his expected impact? We show that this problem can be solved as an integer linear program. The defender would obviously like to minimize the impact of the worst-case attack mounted by the attacker-but the defender also has an obligation to ensure a high productivity within his enterprise. We propose an algorithm that finds a Pareto-optimal solution for the defender that allows him to simultaneously maximize productivity and minimize the cost of patching products on the enterprise network. We have implemented this framework and show that runtimes of our computations are all within acceptable time bounds even for large VDGs containing 30K edges and that the balance between productivity and impact of attacks is also acceptable.", acknowledgement = ack-nhfb, articleno = "11", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Ding:2015:VED, author = "Steven H. H. Ding and Benjamin C. M. Fung and Mourad Debbabi", title = "A Visualizable Evidence-Driven Approach for Authorship Attribution", journal = j-TISSEC, volume = "17", number = "3", pages = "12:1--12:??", month = mar, year = "2015", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2699910", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Fri Mar 27 17:03:46 MDT 2015", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The Internet provides an ideal anonymous channel for concealing computer-mediated malicious activities, as the network-based origins of critical electronic textual evidence (e.g., emails, blogs, forum posts, chat logs, etc.) can be easily repudiated. Authorship attribution is the study of identifying the actual author of the given anonymous documents based on the text itself, and for decades, many linguistic stylometry and computational techniques have been extensively studied for this purpose. However, most of the previous research emphasizes promoting the authorship attribution accuracy, and few works have been done for the purpose of constructing and visualizing the evidential traits. In addition, these sophisticated techniques are difficult for cyber investigators or linguistic experts to interpret. In this article, based on the End-to-End Digital Investigation (EEDI) framework, we propose a visualizable evidence-driven approach, namely VEA, which aims at facilitating the work of cyber investigation. Our comprehensive controlled experiment and the stratified experiment on the real-life Enron email dataset demonstrate that our approach can achieve even higher accuracy than traditional methods; meanwhile, its output can be easily visualized and interpreted as evidential traits. In addition to identifying the most plausible author of a given text, our approach also estimates the confidence for the predicted result based on a given identification context and presents visualizable linguistic evidence for each candidate.", acknowledgement = ack-nhfb, articleno = "12", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Lee:2015:GAP, author = "Hyojeong Lee and Jeff Seibert and Dylan Fistrovic and Charles Killian and Cristina Nita-Rotaru", title = "{Gatling}: Automatic Performance Attack Discovery in Large-Scale Distributed Systems", journal = j-TISSEC, volume = "17", number = "4", pages = "13:1--13:??", month = apr, year = "2015", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2714565", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Fri Apr 24 17:39:52 MDT 2015", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "In this article, we propose Gatling, a framework that automatically finds performance attacks caused by insider attackers in large-scale message-passing distributed systems. In performance attacks, malicious nodes deviate from the protocol when sending or creating messages, with the goal of degrading system performance. We identify a representative set of basic malicious message delivery and lying actions and design a greedy search algorithm that finds effective attacks consisting of a subset of these actions. Although lying malicious actions are protocol dependent, requiring the format and meaning of messages, Gatling captures them without needing to modify the target system by using a type-aware compiler. We have implemented and used Gatling on nine systems, a virtual coordinate system, a distributed hash table lookup service and application, two multicast systems and one file sharing application, and three secure systems designed specifically to tolerate insiders, two based on virtual coordinates and one using Outlier Detection, one invariant derived from physical laws, and the last one a Byzantine resilient replication system. We found a total of 48 attacks, with the time needed to find each attack ranging from a few minutes to a few hours.", acknowledgement = ack-nhfb, articleno = "13", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Zhao:2015:PGA, author = "Ziming Zhao and Gail-Joon Ahn and Hongxin Hu", title = "Picture Gesture Authentication: Empirical Analysis, Automated Attacks, and Scheme Evaluation", journal = j-TISSEC, volume = "17", number = "4", pages = "14:1--14:??", month = apr, year = "2015", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2701423", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Fri Apr 24 17:39:52 MDT 2015", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Picture gesture authentication has been recently introduced as an alternative login experience to text-based password on touch-screen devices. In particular, the newly on market Microsoft Windows 8TM operating system adopts such an alternative authentication to complement its traditional text-based authentication. We present an empirical analysis of picture gesture authentication on more than 10,000 picture passwords collected from more than 800 subjects through online user studies. Based on the findings of our user studies, we propose a novel attack framework that is capable of cracking passwords on previously unseen pictures in a picture gesture authentication system. Our approach is based on the concept of selection function that models users' thought processes in selecting picture passwords. Our evaluation results show the proposed approach could crack a considerable portion of picture passwords under different settings. Based on the empirical analysis and attack results, we comparatively evaluate picture gesture authentication using a set of criteria for a better understanding of its advantages and limitations.", acknowledgement = ack-nhfb, articleno = "14", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Erway:2015:DPD, author = "C. Chris Erway and Alptekin K{\"u}p{\c{c}}{\"u} and Charalampos Papamanthou and Roberto Tamassia", title = "Dynamic Provable Data Possession", journal = j-TISSEC, volume = "17", number = "4", pages = "15:1--15:??", month = apr, year = "2015", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2699909", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Fri Apr 24 17:39:52 MDT 2015", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "As storage-outsourcing services and resource-sharing networks have become popular, the problem of efficiently proving the integrity of data stored at untrusted servers has received increased attention. In the Provable Data Possession (PDP) model, the client preprocesses the data and then sends them to an untrusted server for storage while keeping a small amount of meta-data. The client later asks the server to prove that the stored data have not been tampered with or deleted (without downloading the actual data). However, existing PDP schemes apply only to static (or append-only) files. We present a definitional framework and efficient constructions for Dynamic Provable Data Possession (DPDP), which extends the PDP model to support provable updates to stored data. We use a new version of authenticated dictionaries based on rank information. The price of dynamic updates is a performance change from $ O(1) $ to $ O(\log n) $ (or $ O(n^\epsilon \log n)$) for a file consisting of $n$ blocks while maintaining the same (or better, respectively) probability of misbehavior detection. Our experiments show that this slowdown is very low in practice (e.g., 415KB proof size and 30ms computational overhead for a 1GB file). We also show how to apply our DPDP scheme to outsourced file systems and version control systems (e.g., CVS).", acknowledgement = ack-nhfb, articleno = "15", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Oren:2015:AIU, author = "Yossef Oren and Angelos D. Keromytis", title = "Attacking the {Internet} Using Broadcast Digital Television", journal = j-TISSEC, volume = "17", number = "4", pages = "16:1--16:??", month = apr, year = "2015", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2723159", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Fri Apr 24 17:39:52 MDT 2015", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "In the attempt to bring modern broadband Internet features to traditional broadcast television, the Digital Video Broadcasting (DVB) consortium introduced a specification called Hybrid Broadcast-Broadband Television (HbbTV), which allows broadcast streams to include embedded HTML content that is rendered by the television. This system is already in very wide deployment in Europe and has recently been adopted as part of the American digital television standard. Our analyses of the specifications, and of real systems implementing them, show that the broadband and broadcast systems are combined insecurely. This enables a large-scale exploitation technique with a localized geographical footprint based on Radio Frequency (RF) injection, which requires a minimal budget and infrastructure and is remarkably difficult to detect. In this article, we present the attack methodology and a number of follow-on exploitation techniques that provide significant flexibility to attackers. Furthermore, we demonstrate that the technical complexity and required budget are low, making this attack practical and realistic, especially in areas with high population density: In a dense urban area, an attacker with a budget of about 450 can target more than 20,000 devices in a single attack. A unique aspect of this attack is that, in contrast to most Internet of Things/Cyber-Physical System threat scenarios, where the attack comes from the data network side and affects the physical world, our attack uses the physical broadcast network to attack the data network.", acknowledgement = ack-nhfb, articleno = "16", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{DeCarneDeCarnavalet:2015:LSE, author = "Xavier {De Carn{\'e} De Carnavalet} and Mohammad Mannan", title = "A Large-Scale Evaluation of High-Impact Password Strength Meters", journal = j-TISSEC, volume = "18", number = "1", pages = "1:1--1:??", month = jun, year = "2015", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2739044", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jun 10 08:04:25 MDT 2015", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Passwords are ubiquitous in our daily digital lives. They protect various types of assets ranging from a simple account on an online newspaper website to our health information on government websites. However, due to the inherent value they protect, attackers have developed insights into cracking/guessing passwords both offline and online. In many cases, users are forced to choose stronger passwords to comply with password policies; such policies are known to alienate users and do not significantly improve password quality. Another solution is to put in place proactive password-strength meters/checkers to give feedback to users while they create new passwords. Millions of users are now exposed to these meters on highly popular web services that use user-chosen passwords for authentication. More recently, these meters are also being built into popular password managers, which protect several user secrets including passwords. Recent studies have found evidence that some meters actually guide users to choose better passwords-which is a rare bit of good news in password research. However, these meters are mostly based on ad hoc design. At least, as we found, most vendors do not provide any explanation for their design choices, sometimes making them appear as a black box. We analyze password meters deployed in selected popular websites and password managers. We document obfuscated source-available meters, infer the algorithm behind the closed-source ones, and measure the strength labels assigned to common passwords from several password dictionaries. From this empirical analysis with millions of passwords, we shed light on how the server end of some web service meters functions and provide examples of highly inconsistent strength outcomes for the same password in different meters, along with examples of many weak passwords being labeled as strong or even excellent. These weaknesses and inconsistencies may confuse users in choosing a stronger password, and thus may weaken the purpose of these meters. On the other hand, we believe these findings may help improve existing meters and possibly make them an effective tool in the long run.", acknowledgement = ack-nhfb, articleno = "1", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Karame:2015:MBS, author = "Ghassan O. Karame and Elli Androulaki and Marc Roeschlin and Arthur Gervais and Srdjan Capkun", title = "Misbehavior in Bitcoin: a Study of Double-Spending and Accountability", journal = j-TISSEC, volume = "18", number = "1", pages = "2:1--2:??", month = jun, year = "2015", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2732196", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jun 10 08:04:25 MDT 2015", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Bitcoin is a decentralized payment system that relies on Proof-of-Work (PoW) to resist double-spending through a distributed timestamping service. To ensure the operation and security of Bitcoin, it is essential that all transactions and their order of execution are available to all Bitcoin users. Unavoidably, in such a setting, the security of transactions comes at odds with transaction privacy. Motivated by the fact that transaction confirmation in Bitcoin requires tens of minutes, we analyze the conditions for performing successful double-spending attacks against fast payments in Bitcoin, where the time between the exchange of currency and goods is short (in the order of a minute). We show that unless new detection techniques are integrated in the Bitcoin implementation, double-spending attacks on fast payments succeed with considerable probability and can be mounted at low cost. We propose a new and lightweight countermeasure that enables the detection of double-spending attacks in fast transactions. In light of such misbehavior, accountability becomes crucial. We show that in the specific case of Bitcoin, accountability complements privacy. To illustrate this tension, we provide accountability and privacy definition for Bitcoin, and we investigate analytically and empirically the privacy and accountability provisions in Bitcoin.", acknowledgement = ack-nhfb, articleno = "2", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Culnane:2015:VVV, author = "Chris Culnane and Peter Y. A. Ryan and Steve Schneider and Vanessa Teague", title = "{vVote}: a Verifiable Voting System", journal = j-TISSEC, volume = "18", number = "1", pages = "3:1--3:??", month = jun, year = "2015", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2746338", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jun 10 08:04:25 MDT 2015", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The Pr{\^e}t {\`a} Voter cryptographic voting system was designed to be flexible and to offer voters a familiar and easy voting experience. In this article, we present our development of the Pr{\^e}t {\`a} Voter design to a practical implementation used in a real state election in November 2014, called vVote. As well as solving practical engineering challenges, we have also had to tailor the system to the idiosyncrasies of elections in the Australian state of Victoria and the requirements of the Victorian Electoral Commission. This article includes general background, user experience, and details of the cryptographic protocols and human processes. We explain the problems, present solutions, then analyze their security properties and explain how they tie in to other design decisions.", acknowledgement = ack-nhfb, articleno = "3", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Doychev:2015:CTS, author = "Goran Doychev and Boris K{\"o}pf and Laurent Mauborgne and Jan Reineke", title = "{CacheAudit}: a Tool for the Static Analysis of Cache Side Channels", journal = j-TISSEC, volume = "18", number = "1", pages = "4:1--4:??", month = jun, year = "2015", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2756550", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jun 10 08:04:25 MDT 2015", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We present CacheAudit, a versatile framework for the automatic, static analysis of cache side channels. CacheAudit takes as input a program binary and a cache configuration and derives formal, quantitative security guarantees for a comprehensive set of side-channel adversaries, namely, those based on observing cache states, traces of hits and misses, and execution times. Our technical contributions include novel abstractions to efficiently compute precise overapproximations of the possible side-channel observations for each of these adversaries. These approximations then yield upper bounds on the amount of information that is revealed. In case studies, we apply CacheAudit to binary executables of algorithms for sorting and encryption, including the AES implementation from the PolarSSL library, and the reference implementations of the finalists of the eSTREAM stream cipher competition. The results we obtain exhibit the influence of cache size, line size, associativity, replacement policy, and coding style on the security of the executables and include the first formal proofs of security for implementations with countermeasures such as preloading and data-independent memory access patterns.", acknowledgement = ack-nhfb, articleno = "4", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Tan:2015:IAR, author = "Rui Tan and Varun Badrinath Krishna and David K. Y. Yau and Zbigniew Kalbarczyk", title = "Integrity Attacks on Real-Time Pricing in Electric Power Grids", journal = j-TISSEC, volume = "18", number = "2", pages = "5:1--5:??", month = dec, year = "2015", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2790298", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 21 18:18:49 MST 2015", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Modern information and communication technologies used by electric power grids are subject to cyber-security threats. This article studies the impact of integrity attacks on real-time pricing (RTP), an emerging feature of advanced power grids that can improve system efficiency. Recent studies have shown that RTP creates a closed loop formed by the mutually dependent real-time price signals and price-taking demand. Such a closed loop can be exploited by an adversary whose objective is to destabilize the pricing system. Specifically, small malicious modifications to the price signals can be iteratively amplified by the closed loop, causing highly volatile prices, fluctuating power demand, and increased system operating cost. This article adopts a control-theoretic approach to deriving the fundamental conditions of RTP stability under basic demand, supply, and RTP models that characterize the essential behaviors of consumers, suppliers, and system operators, as well as two broad classes of integrity attacks, namely, the scaling and delay attacks. We show that, under an approximated linear time-invariant formulation, the RTP system is at risk of being destabilized only if the adversary can compromise the price signals advertised to consumers, by either reducing their values in the scaling attack or providing old prices to over half of all consumers in the delay attack. The results provide useful guidelines for system operators to analyze the impact of various attack parameters on system stability so that they may take adequate measures to secure RTP systems.", acknowledgement = ack-nhfb, articleno = "5", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Alexander:2015:MCD, author = "Perry Alexander and Lee Pike and Peter Loscocco and George Coker", title = "Model Checking Distributed Mandatory Access Control Policies", journal = j-TISSEC, volume = "18", number = "2", pages = "6:1--6:??", month = dec, year = "2015", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2785966", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 21 18:18:49 MST 2015", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "This work examines the use of model checking techniques to verify system-level security properties of a collection of interacting virtual machines. Specifically, we examine how local access control policies implemented in individual virtual machines and a hypervisor can be shown to satisfy global access control constraints. The SAL model checker is used to model and verify a collection of stateful domains with protected resources and local MAC policies attempting to access needed resources from other domains. The model is described along with verification conditions. The need to control state-space explosion is motivated and techniques for writing theorems and limiting domains explored. Finally, analysis results are examined along with analysis complexity.", acknowledgement = ack-nhfb, articleno = "6", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Ali:2015:RBI, author = "Muhammad Qasim Ali and Ehab Al-Shaer", title = "Randomization-Based Intrusion Detection System for Advanced Metering Infrastructure*", journal = j-TISSEC, volume = "18", number = "2", pages = "7:1--7:??", month = dec, year = "2015", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2814936", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 21 18:18:49 MST 2015", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Smart grid deployment initiatives have been witnessed in recent years. Smart grids provide bidirectional communication between meters and head-end systems through Advanced Metering Infrastructure (AMI). Recent studies highlight the threats targeting AMI. Despite the need for tailored Intrusion Detection Systems (IDSs) for smart grids, very limited progress has been made in this area. Unlike traditional networks, smart grids have their own unique challenges, such as limited computational power devices and potentially high deployment cost, that restrict the deployment options of intrusion detectors. We show that smart grids exhibit deterministic and predictable behavior that can be accurately modeled to detect intrusion. However, it can also be leveraged by the attackers to launch evasion attacks. To this end, in this article, we present a robust mutation-based intrusion detection system that makes the behavior unpredictable for the attacker while keeping it deterministic for the system. We model the AMI behavior using event logs collected at smart collectors, which in turn can be verified using the invariant specifications generated from the AMI behavior and mutable configuration. Event logs are modeled using fourth-order Markov chain and specifications are written in Linear Temporal Logic (LTL). To counter evasion and mimicry attacks, we propose a configuration randomization module. The approach provides robustness against evasion and mimicry attacks; however, we discuss that it still can be evaded to a certain extent. We validate our approach on a real-world dataset of thousands of meters collected at the AMI of a leading utility provider.", acknowledgement = ack-nhfb, articleno = "7", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Chong:2015:UAR, author = "Stephen Chong and Ron {Van Der Meyden}", title = "Using Architecture to Reason about Information Security", journal = j-TISSEC, volume = "18", number = "2", pages = "8:1--8:??", month = dec, year = "2015", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2829949", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 21 18:18:49 MST 2015", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We demonstrate, by a number of examples, that information flow security properties can be proved from abstract architectural descriptions, which describe only the causal structure of a system and local properties of trusted components. We specify these architectural descriptions of systems by generalizing intransitive noninterference policies to admit the ability to filter information passed between communicating domains. A notion of refinement of such system architectures is developed that supports top-down development of architectural specifications and proofs by abstraction of information security properties. We also show that, in a concrete setting where the causal structure is enforced by access control, a static check of the access control setting plus local verification of the trusted components is sufficient to prove that a generalized intransitive noninterference policy is satisfied.", acknowledgement = ack-nhfb, articleno = "8", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Shabtai:2016:BSU, author = "Asaf Shabtai and Maya Bercovitch and Lior Rokach and Ya'akov (Kobi) Gal and Yuval Elovici and Erez Shmueli", title = "Behavioral Study of Users When Interacting with Active Honeytokens", journal = j-TISSEC, volume = "18", number = "3", pages = "9:1--9:??", month = apr, year = "2016", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2854152", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Fri Apr 15 13:02:47 MDT 2016", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Active honeytokens are fake digital data objects planted among real data objects and used in an attempt to detect data misuse by insiders. In this article, we are interested in understanding how users (e.g., employees) behave when interacting with honeytokens, specifically addressing the following questions: Can users distinguish genuine data objects from honeytokens? And, how does the user's behavior and tendency to misuse data change when he or she is aware of the use of honeytokens? First, we present an automated and generic method for generating the honeytokens that are used in the subsequent behavioral studies. The results of the first study indicate that it is possible to automatically generate honeytokens that are difficult for users to distinguish from real tokens. The results of the second study unexpectedly show that users did not behave differently when informed in advance that honeytokens were planted in the database and that these honeytokens would be monitored to detect illegitimate behavior. These results can inform security system designers about the type of environmental variables that affect people's data misuse behavior and how to generate honeytokens that evade detection.", acknowledgement = ack-nhfb, articleno = "9", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Benhamouda:2016:NFP, author = "Fabrice Benhamouda and Marc Joye and Beno{\^\i}T Libert", title = "A New Framework for Privacy-Preserving Aggregation of Time-Series Data", journal = j-TISSEC, volume = "18", number = "3", pages = "10:1--10:??", month = apr, year = "2016", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2873069", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Fri Apr 15 13:02:47 MDT 2016", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Aggregator-oblivious encryption is a useful notion put forward by Shi et al. in 2011 that allows an untrusted aggregator to periodically compute an aggregate value over encrypted data contributed by a set of users. Such encryption schemes find numerous applications, particularly in the context of privacy-preserving smart metering. This article presents a general framework for constructing privacy-preserving aggregator-oblivious encryption schemes using a variant of Cramer--Shoup's paradigm of smooth projective hashing. This abstraction leads to new schemes based on a variety of complexity assumptions. It also improves upon existing constructions, providing schemes with shorter ciphertexts and better encryption times.", acknowledgement = ack-nhfb, articleno = "10", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Zheng:2016:EUV, author = "Nan Zheng and Aaron Paloski and Haining Wang", title = "An Efficient User Verification System Using Angle-Based Mouse Movement Biometrics", journal = j-TISSEC, volume = "18", number = "3", pages = "11:1--11:??", month = apr, year = "2016", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2893185", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Fri Apr 15 13:02:47 MDT 2016", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Biometric authentication verifies a user based on its inherent, unique characteristics-who you are. In addition to physiological biometrics, behavioral biometrics has proven very useful in authenticating a user. Mouse dynamics, with their unique patterns of mouse movements, is one such behavioral biometric. In this article, we present a user verification system using mouse dynamics, which is transparent to users and can be naturally applied for continuous reauthentication. The key feature of our system lies in using much more fine-grained (point-by-point) angle-based metrics of mouse movements for user verification. These new metrics are relatively unique from person to person and independent of a computing platform. Moreover, we utilize support vector machines (SVMs) for quick and accurate classification. Our technique is robust across different operating platforms, and no specialized hardware is required. The efficacy of our approach is validated through a series of experiments, which are based on three sets of user mouse movement data collected in controllable environments and in the field. Our experimental results show that the proposed system can verify a user in an accurate and timely manner, with minor induced system overhead.", acknowledgement = ack-nhfb, articleno = "11", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Ji:2016:GGD, author = "Shouling Ji and Weiqing Li and Mudhakar Srivatsa and Jing Selena He and Raheem Beyah", title = "General Graph Data De-Anonymization: From Mobility Traces to Social Networks", journal = j-TISSEC, volume = "18", number = "4", pages = "12:1--12:??", month = may, year = "2016", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2894760", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat May 21 08:19:26 MDT 2016", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "When people utilize social applications and services, their privacy suffers a potential serious threat. In this article, we present a novel, robust, and effective de-anonymization attack to mobility trace data and social data. First, we design a Unified Similarity (US) measurement, which takes account of local and global structural characteristics of data, information obtained from auxiliary data, and knowledge inherited from ongoing de-anonymization results. By analyzing the measurement on real datasets, we find that some data can potentially be de-anonymized accurately and the other can be de-anonymized in a coarse granularity. Utilizing this property, we present a US-based De-Anonymization (DA) framework, which iteratively de-anonymizes data with accuracy guarantee. Then, to de-anonymize large-scale data without knowledge of the overlap size between the anonymized data and the auxiliary data, we generalize DA to an Adaptive De-Anonymization (ADA) framework. By smartly working on two core matching subgraphs, ADA achieves high de-anonymization accuracy and reduces computational overhead. Finally, we examine the presented de-anonymization attack on three well-known mobility traces: St Andrews, Infocom06, and Smallblue, and three social datasets: ArnetMiner, Google+, and Facebook. The experimental results demonstrate that the presented de-anonymization framework is very effective and robust to noise. The source code and employed datasets are now publicly available at SecGraph [2015].", acknowledgement = ack-nhfb, articleno = "12", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Shay:2016:DPP, author = "Richard Shay and Saranga Komanduri and Adam L. Durity and Phillip (Seyoung) Huh and Michelle L. Mazurek and Sean M. Segreti and Blase Ur and Lujo Bauer and Nicolas Christin and Lorrie Faith Cranor", title = "Designing Password Policies for Strength and Usability", journal = j-TISSEC, volume = "18", number = "4", pages = "13:1--13:??", month = may, year = "2016", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2891411", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat May 21 08:19:26 MDT 2016", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Password-composition policies are the result of service providers becoming increasingly concerned about the security of online accounts. These policies restrict the space of user-created passwords to preclude easily guessed passwords and thus make passwords more difficult for attackers to guess. However, many users struggle to create and recall their passwords under strict password-composition policies, for example, ones that require passwords to have at least eight characters with multiple character classes and a dictionary check. Recent research showed that a promising alternative was to focus policy requirements on password length instead of on complexity. In this work, we examine 15 password policies, many focusing on length requirements. In doing so, we contribute the first thorough examination of policies requiring longer passwords. We conducted two online studies with over 20,000 participants, and collected both usability and password-strength data. Our findings indicate that password strength and password usability are not necessarily inversely correlated: policies that lead to stronger passwords do not always reduce usability. We identify policies that are both more usable and more secure than commonly used policies that emphasize complexity rather than length requirements. We also provide practical recommendations for service providers who want their users to have strong yet usable passwords.", acknowledgement = ack-nhfb, articleno = "13", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", } @Article{Serwadda:2016:TRR, author = "Abdul Serwadda and Vir V. Phoha and Zibo Wang and Rajesh Kumar and Diksha Shukla", title = "Toward Robotic Robbery on the Touch Screen", journal = j-TISSEC, volume = "18", number = "4", pages = "14:1--14:??", month = may, year = "2016", CODEN = "ATISBQ", DOI = "https://doi.org/10.1145/2898353", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat May 21 08:19:26 MDT 2016", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Despite the tremendous amount of research fronting the use of touch gestures as a mechanism of continuous authentication on smart phones, very little research has been conducted to evaluate how these systems could behave if attacked by sophisticated adversaries. In this article, we present two Lego-driven robotic attacks on touch-based authentication: a population statistics-driven attack and a user-tailored attack. The population statistics-driven attack is based on patterns gleaned from a large population of users, whereas the user-tailored attack is launched based on samples stolen from the victim. Both attacks are launched by a Lego robot that is trained on how to swipe on the touch screen. Using seven verification algorithms and a large dataset of users, we show that the attacks cause the system's mean false acceptance rate (FAR) to increase by up to fivefold relative to the mean FAR seen under the standard zero-effort impostor attack. The article demonstrates the threat that robots pose to touch-based authentication and provides compelling evidence as to why the zero-effort attack should cease to be used as the benchmark for touch-based authentication systems.", acknowledgement = ack-nhfb, articleno = "14", fjournal = "ACM Transactions on Information and System Security", journal-URL = "http://portal.acm.org/browse_dl.cfm?idx=J789", }