In a joined work together with Nicole Eling and Prof. Buxmann from TU Darmstadt, we published a very interesting market experiment on users’ reaction to fine-grained permission requests. This work thus explores the following research questions using a self-developed mobile application:

1. How does the precision of an information request influence users’ disclosure of personal information?
2. Is this effect different for users with different security backgrounds?

These research questions are investigated using data obtained through a smartphone app offered in Google Play. By doing so, we meet the call for measuring real behavior instead of stated willingness to disclose. This is important as users’ intentions often differ from user behavior in the context of privacy. In the paper we discuss the following hypothesis:

1. A fine-grained permission request during runtime is less likely to be accepted than a generic permission request before installation.
2. A data request containing concrete user information reduces the user’s likelihood to accept it.
3. Security aware users are less likely to accept data requests.
4. Security awareness moderates the effect of the level of detail of the information requests on information disclosure.

Title: Investigating Users’ Reaction to Fine-Grained Data Requests: A Market Experiment
Abstract: The market for smartphone applications is steadily growing. Unfortunately, along with this growth, the number of malicious applications is increasing as well. To identify this malware, various automatic code-analysis tools have been developed. These tools are able to assess the risk associated with a specific app. However, informing users about these findings is often difficult. Currently, on Android, users decide about applications based on coarse- grained permission dialogs during installation. As these dialogs are quite abstract, many users do not read or understand them. Thus, to make the more detailed findings from security research accessible, new mechanisms for privacy communication need to be assessed. In our market experiment, we investigate how fine-grained data requests during runtime affect users’ information disclosure. We find that many users reverse their decision when prompted with a fine-grained request. Additionally, an effect of security awareness and level of detail on disclosure was found.

Cross-posted from SEEBlog

All join me in congratulating my Ph.D. student Kevin Falzon for receiving the Best Student Paper Award at ISC this year! His paper Dynamically Provisioning Isolation in Hierarchical Architectures describes how live migration may be used to dynamically isolate process, for instance to hinder them from forming side channels or covert channels.

Cross-posted from SEEBlog

We are happy to announce that we are organizing a Static Analysis Seminar (SAS) during the Winter Semester. Interested to know more about various topics related to static analysis such as: pointer analysis, call graphs, theory behind data-flow analysis, usability of static analysis tools, and much more? Then do not hesitate to register yourself in the seminar (TUCaN ID: 20-00-0942).

More information about the seminar and the tentative schedule are available here

Cross-posted from SEEBlog

ESSOS is accepting submissions of abstracts until the 25th and of research papers until October 2nd. We are happy to announce that both David Basin and Karsten Nohl will be presenting as invited speakers! Also, for the first time in the security community, ESSOS this year will offer a voluntary artifact evaluation! Read more in the full CFP below.

International Symposium on Engineering Secure Software and Systems (ESSoS)

April 6 – 8, 2016, Royal Holloway, London, UK

In cooperation with (pending): ACM SIGSAC and SIGSOFT

Context and motivation

Trustworthy, secure software is a core ingredient of the modern world. So is the Internet. Hostile, networked environments, like the Internet, can allow vulnerabilities in software to be exploited from anywhere. High-quality security building blocks (e.g., cryptographic components) are necessary but insufficient to address these concerns. Indeed, the construction of secure software is challenging because of the complexity of modern applications, the growing sophistication of security requirements, the multitude of available software technologies and the progress of attack vectors. Clearly, a strong need exists for engineering techniques that scale well and that demonstrably improve the software’s security properties.

Goal and setup

The goal of this symposium, which will be the eighth in the series, is to bring together researchers and practitioners to advance the states of the art and practice in secure software engineering. Being one of the few conference-level events dedicated to this topic, it explicitly aims to bridge the software engineering and security engineering communities, and promote cross-fertilization. The symposium will feature two days of technical program including two keynote presentations. In addition to academic papers, the symposium encourages submission of high-quality, informative industrial experience papers about successes and failures in security software engineering and the lessons learned. Furthermore, the symposium also accepts short idea papers that crisply describe a promising direction, approach, or insight.

Topics

The Symposium seeks submissions on subjects related to its goals. This includes a diversity of topics including (but not limited to):

– Cloud security, virtualization for security

– Mobile devices security

– Automated techniques for vulnerability discovery and analysis

– Model checking for security

– Binary code analysis, reverse-engineering

– Programming paradigms, models, and domain-specific languages for security

– Operating system security

– Verification techniques for security properties

– Malware: detection, analysis, mitigation

– Security in critical infrastructures

– Security by design

– Static and dynamic code analysis for security

– Web applications security

– Program rewriting techniques for security

– Security measurements

– Empirical secure software engineering

– Security-oriented software reconfiguration and evolution

– Computer forensics

– Processes for the development of secure software and systems

– Security testing

– Embedded software security

Important dates

Abstract submission: September 25, 2015 (anywhere on earth)

Paper submission: October 2, 2015 (anywhere on earth)

Paper notification: December 7, 2015

Artifact evaluation submission: December, 16, 2015

Artifact evaluation notification: January, 6, 2016

Paper camera-ready: January 8, 2016

Submission and format

The proceedings of the symposium are published by Springer-Verlag in the Lecture Notes in Computer Science Series (http://www.springer.com/lncs). Submissions should follow the formatting instructions of Springer LNCS. Submitted papers must present original, unpublished work of high quality.

Two types of papers will be accepted:

Full papers (max 14 pages without bibliography/appendices)

Such papers may describe original technical research with a solid foundation, such as formal analysis or experimental results, with acceptance determined mostly based on novelty and validation. Or they may describe case studies applying existing techniques or analysis methods in industrial settings, with acceptance determined mostly by the general applicability of techniques and the completeness of the technical presentation details.

Idea papers (max 8 pages with bibliography)

Such papers may crisply describe a novel idea that is both feasible and interesting, where the idea may range from a variant of an existing technique all the way to a vision for the future of security technology. Idea papers allow authors to introduce ideas to the field and get feedback, while allowing for later publication of complete, fully-developed results. Submissions will be judged primarily on novelty, excitement, and exposition, but feasibility is required, and acceptance will be unlikely without some basic, principled validation (e.g., extrapolation from limited experiments or simple formal analysis). In the proceedings, idea papers will clearly identified by means of the “Idea” tag in the title.

Artifact evaluation

For possibly the first time at a security conference, ESSOS’16 will offer a voluntary artifact evaluation. Artifact evaluation is meant to encourage the submission and publication of proven, reusable research artifacts. Authors of accepted papers will be able to apply their artifacts (software, datasets, etc.) to be examined by the Artifact Evaluation Committee (AEC). Artifacts will be submitted after paper notification. If all artifacts perform to the satisfaction of the committee, in particular if they allow for the paper’s results to be reproduced, then the paper will be recognized with the Artifact Evaluation Award and the authors will enjoy the following benefits:

• Authors will be able to mention the award on the paper’s front page, in the form of a virtual award plaque.
• Awarded artifacts will be recognized on the conference web page.
• Authors can use one additional page in the proceedings, which can be used to describe their artifacts.
• Authors will be able to briefly present their awarded artifacts in a dedicated artifact session (in addition to their usual paper presentation).

Artifact evaluation submissions will be mainly evaluated based on two criteria: (1) Artifact packaging and reproducibility. (2) Artifact implementation and usability.

More information is available on the ESSOS web page. More information about previous artifact evaluations can be found at: http://www.artifact-eval.org/

Important dates:

Artifact evaluation submission: December 16, 2015

Artifact evaluation notification: January 6, 2016

Confirmed invited speakers

Apart from technical presentations, the following invited speakers have confirmed their participation in ESSOS:

• David Basin, ETH Zürich
• Karsten Nohl, Security Research Labs

Steering committee

Jorge Cuellar (Siemens AG)

Wouter Joosen (Katholieke Universiteit Leuven) – chair

Fabio Massacci (Università di Trento)

Gary McGraw (Cigital)

Bashar Nuseibeh (The Open University)

Daniel Wallach (Rice University)

Organizing committee

General chair: Lorenzo Cavallaro (Royal Holloway University of London)

Program co-chairs: Eric Bodden (Fraunhofer SIT & TU Darmstadt), Juan Caballero (IMDEA Software Institute)

Artifact evaluation co-chairs: Alessandra Gorla (IMDEA Madrid), Jacques Klein (SnT Luxembourg)

Publication chair: Elias Athanasopoulos (FORTH)

Publicity chair: Raoul Strackx (KU Leuven)

Web chair: Ghita Saevels (Katholieke Universiteit Leuven)

Program committee

Javier Alonso, Universidad de Leon & Duke University

Michele Bugliesi, Università Ca’ Foscari Venezia

Werner Dietl, University of Waterloo

Michael Franz, University of California, Irvine

Flavio Garcia, University of Birmingham

Christian Hammer, CISPA, Saarland University

Marieke Huisman, University of Twente

Martin Johns, SAP Research

Stefan Katzenbeisser, Technische Universität Darmstadt

Johannes Kinder, Royal Holloway University of London

Andy King, University of Kent

Jacques Klein, University of Luxembourg

Andrea Lanzi, University of Milan

Wenke Lee, Georgia Institute of Technology

Zhenkai Liang, National University of Singapore

Ben Livshits, Microsoft Research

Heiko Mantel, Technische Universität Darmstadt

Nick Nikiforakis, Stony Brook University

Martin Ochoa, Singapore University of Technology and Design

Mathias Payer, Purdue University

Frank Piessens, KU Leuven

Alexander Pretschner, Technische Universität München

Awais Rashid, Lancaster University

Mark Ryan, University of Birmingham

Gianluca Stringhini, University College London

Pierre-Yves Strub, IMDEA Software Institute

Helmut Veith, Vienna University of Technology

Santiago Zanella, Microsoft Research – INRIA

Cross-posted from SEEBlog

A joint project together with McAfee (Intel Security) revealed very interesting insights into current Android Malware, in particular into Command and Control communications. We will be presenting our results at the VirusBulletin 2015 conference. We are also planning to publish a blog post with more concrete information, but if you are at VirusBulletin conference, feel free to join our talk on Thursday 1 October 09:00 – 09:30.

Title: We know what you did this summer: Android banking trojan exposing its sins in the cloud

Abstract:

Backend-as-a-Service (BaaS) solutions are a very convenient way for developers to connect their apps easily with a cloud storage. There are different BaaS solutions on the market, offered by various vendors such as Amazon, Google and Facebook. All of them provide simple APIs for common tasks such as managing database records or files. Adding a few library classes and writing three or four lines of code is sufficient to integrate cloud storage into the app.

While usually such solutions are created for well-intentioned developers, very recently we have spotted two Android malware families that make use of BaaS solutions as well, Facebook’s in this case. Using Facebook’s BaaS solution, the malware stores stolen data, delivers commands executed remotely on the infected device and performs SMS banking fraud.

However, malware authors are apparently unaware of how to set up a BaaS solution securely, which gave us the possibility to easily obtain access to all data they store. This gave interesting insights into their C&C communication protocol and all sensitive data they stole, including requesting the current balance of credit cards associated with the device, and the attempt to perform payments and fraudulent transfer of funds via SMS messages during June and July 2015. To extract the necessary data from malicious applications automatically, we developed an automatic exploit generator that extracts credentials from the app, even if they are obfuscated, and provides access to the respective BaaS backend.

Cross-posted from SEEBlog

The workshop was an opportunity to share experiences and ideas about developing secure software using the agile processes. Achim Bruker opened the sessions with an overview of the experience of SAP in developing secure software. This was followed by a talk given by Jesus Choliz about the application of Microsoft Secure Software Development process to develop secure systems for election management. Lotfi ben Othmane continued the discussion by showing how to use the B method to detect inconsistencies of access policies in the context of incremental software development. Next, Prof. Juha Röning gave an overview about his experience in developing a security fuzzing software and their use in agile processes. The spin-off that they created out of the project was recently sold to Synopsis.

In the afternoon session, Hela Oueslati discussed the challenges of developing secure software that she found in the literature and the evaluation of the validity of these challenges with respect to the agile values and principles and security practices. She asked the participants to help her in her future empirical studies about the topic. The presentation was followed by the talk of Clemens Teichmann, who shared the experience of his team in evaluating threat modeling methods for fitness to agile development processes used by their clients.

Afterwards, the attendees discussed the common point raised in the talks: the fast feedback and adaptation that agile processes offer helps development teams reducing the cost of developing secure software. Early identification of vulnerabilities allows for fixing them fast (It is easier to fix new code). In addition, development teams can develop, early in the projects, secure programming APIs or techniques to avoid the vulnerabilities they encounter in future development.

Cross-posted from SEEBlog

I was just able to confirm Karsten Nohl as an invited speaker for ESSOS 2016. Thanks a lot for accepting! We hope to see you all there. The submission deadline is just about a month away.

Cross-posted from SEEBlog

At this year Black Hat Europe conference, we will talk about our Backend-As-A-Service investigation, which we published a couple of months ago.

The talk will contain a full disclosure about our investigation including details about our automatic “exploit generator”.

Title of the talk: “(IN-)SECURITY OF BACKEND-AS-A-SERVICE PROVIDERS”
Abstract

If you are around, feel free to join our talk and also to meet at the conference.

Cross-posted from SEEBlog

Yesterday our center was visited by the two federal ministers Wanka (minister of education and research) and De Maiziere (minister of the interior). They spent a few hours, discussing IT-security research in Darmstadt’s – as they coined it – “security valley”, and also educated themselves through a range of exhibits we had prepared on the security of the Internet of Things, but also mobile security, encryption etc. More information is available in German here.

Cross-posted from SEEBlog

Our paper on “Secure Integration of Cryptographic Software” has been accepted at OOSPLA Onward!. In this paper we propose a new approach for implementing software that uses cryptographic algorithms in a way that is secure by design. With our approach, developers can avoid the pitfalls of complex crypto APIs without having to study crypto theory and implementations first. Instead, they select their high-level goals (e.g., “encrypt a file on disk” or “transmit data over a secure channel”) and let the OpenCCE expert system create implementation blueprints for them. After they have integrated the blueprints into their applications, automatically-derived static analyses make sure that no new issues have accidentally been introduced. This research is performed within the CROSSING CRC.

Cross-posted from SEEBlog