By Topic

Computer Security Foundations Symposium (CSF), 2012 IEEE 25th

Date 25-27 June 2012

Filter Results

Displaying Results 1 - 25 of 34
  • [Title page i]

    Publication Year: 2012 , Page(s): i
    Save to Project icon | Request Permissions | PDF file iconPDF (136 KB)  
    Freely Available from IEEE
  • [Title page iii]

    Publication Year: 2012 , Page(s): iii
    Save to Project icon | Request Permissions | PDF file iconPDF (60 KB)  
    Freely Available from IEEE
  • [Copyright notice]

    Publication Year: 2012 , Page(s): iv
    Save to Project icon | Request Permissions | PDF file iconPDF (136 KB)  
    Freely Available from IEEE
  • Table of contents

    Publication Year: 2012 , Page(s): v - vii
    Save to Project icon | Request Permissions | PDF file iconPDF (127 KB)  
    Freely Available from IEEE
  • Preface - CSF 2012

    Publication Year: 2012 , Page(s): viii
    Save to Project icon | Request Permissions | PDF file iconPDF (91 KB) |  | HTML iconHTML  
    Freely Available from IEEE
  • Committees

    Publication Year: 2012 , Page(s): ix - x
    Save to Project icon | Request Permissions | PDF file iconPDF (73 KB)  
    Freely Available from IEEE
  • External reviewers

    Publication Year: 2012 , Page(s): xi
    Save to Project icon | Request Permissions | PDF file iconPDF (82 KB)  
    Freely Available from IEEE
  • Information-Flow Security for a Core of JavaScript

    Publication Year: 2012 , Page(s): 3 - 18
    Cited by:  Papers (8)
    Save to Project icon | Request Permissions | Click to expandAbstract | PDF file iconPDF (483 KB) |  | HTML iconHTML  

    Tracking information flow in dynamic languages remains an important and intricate problem. This paper makes substantial headway toward understanding the main challenges and resolving them. We identify language constructs that constitute a core of Java Script: objects, higher-order functions, exceptions, and dynamic code evaluation. The core is powerful enough to naturally encode native constructs ... View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Secure Information Flow for Concurrent Programs under Total Store Order

    Publication Year: 2012 , Page(s): 19 - 29
    Save to Project icon | Click to expandAbstract | PDF file iconPDF (412 KB) |  | HTML iconHTML  

    Modern multicore hardware and multithreaded programming languages expose weak memory models to programmers, which relax the intuitive sequential consistency (SC) memory model in order to support a variety of hardware and compiler optimizations. However, to our knowledge all prior work on secure information flow in a concurrent setting has assumed SC semantics. This paper investigates the impact of... View full abstract»

    Open Access
  • ENCoVer: Symbolic Exploration for Information Flow Security

    Publication Year: 2012 , Page(s): 30 - 44
    Save to Project icon | Click to expandAbstract | PDF file iconPDF (447 KB) |  | HTML iconHTML  

    We address the problem of program verification for information flow policies by means of symbolic execution and model checking. Noninterference-like security policies are formalized using epistemic logic. We show how the policies can be accurately verified using a combination of concolic testing and SMT solving. As we demonstrate, many scenarios considered tricky in the literature can be solved pr... View full abstract»

    Open Access
  • Information-Flow Control for Programming on Encrypted Data

    Publication Year: 2012 , Page(s): 45 - 60
    Cited by:  Papers (3)
    Save to Project icon | Click to expandAbstract | PDF file iconPDF (479 KB) |  | HTML iconHTML  

    Using homomorphic encryption and secure multiparty computation, cloud servers may perform regularly structured computation on encrypted data, without access to decryption keys. However, prior approaches for programming on encrypted data involve restrictive models such as boolean circuits, or standard languages that do not guarantee secure execution of all expressible programs. We present an expres... View full abstract»

    Open Access
  • Symbolic Analysis of Cryptographic Protocols Containing Bilinear Pairings

    Publication Year: 2012 , Page(s): 63 - 77
    Cited by:  Papers (3)
    Save to Project icon | Click to expandAbstract | PDF file iconPDF (471 KB) |  | HTML iconHTML  

    Bilinear pairings are powerful mathematical structures that can be used in cryptography. Their equational properties allow constructing cryptographic primitives and protocols that would be otherwise ineffective or even impossible. In formal cryptography, the protocols are expressed through term algebras and process calculi. ProVerif, one of the most successful protocol analyzers, internally conver... View full abstract»

    Open Access
  • Automated Analysis of Diffie-Hellman Protocols and Advanced Security Properties

    Publication Year: 2012 , Page(s): 78 - 94
    Cited by:  Papers (3)
    Save to Project icon | Click to expandAbstract | PDF file iconPDF (558 KB) |  | HTML iconHTML  

    We present a general approach for the symbolic analysis of security protocols that use Diffie-Hellman exponentiation to achieve advanced security properties. We model protocols as multiset rewriting systems and security properties as first-order formulas. We analyze them using a novel constraint-solving algorithm that supports both falsification and verification, even in the presence of an unbound... View full abstract»

    Open Access
  • Verifying Privacy-Type Properties in a Modular Way

    Publication Year: 2012 , Page(s): 95 - 109
    Cited by:  Papers (1)
    Save to Project icon | Click to expandAbstract | PDF file iconPDF (462 KB) |  | HTML iconHTML  

    Formal methods have proved their usefulness for analysing the security of protocols. In this setting, privacy-type security properties (e.g. vote-privacy, anonymity, unlink ability) that play an important role in many modern applications are formalised using a notion of equivalence. In this paper, we study the notion of trace equivalence and we show how to establish such an equivalence relation in... View full abstract»

    Open Access
  • Security Analysis of Role-Based Access Control through Program Verification

    Publication Year: 2012 , Page(s): 113 - 125
    Cited by:  Papers (1)
    Save to Project icon | Click to expandAbstract | PDF file iconPDF (947 KB) |  | HTML iconHTML  

    We propose a novel scheme for proving administrative role-based access control (ARBAC) policies correct with respect to security properties using the powerful abstraction-based tools available for program verification. Our scheme uses a combination of abstraction and reduction to program verification to perform security analysis. We convert ARBAC policies to imperative programs that simulate the p... View full abstract»

    Open Access
  • Gran: Model Checking Grsecurity RBAC Policies

    Publication Year: 2012 , Page(s): 126 - 138
    Cited by:  Papers (1)
    Save to Project icon | Click to expandAbstract | PDF file iconPDF (402 KB) |  | HTML iconHTML  

    Role-based Access Control (RBAC) is one of the most widespread security mechanisms in use today. Given the growing complexity of policy languages and access control systems, verifying that such systems enforce the desired invariants is recognized as a security problem of crucial importance. In the present paper, we develop a framework for the formal verification of grsecurity, an access control sy... View full abstract»

    Open Access
  • Labeled Sequent Calculi for Access Control Logics: Countermodels, Saturation and Abduction

    Publication Year: 2012 , Page(s): 139 - 153
    Cited by:  Papers (1)
    Save to Project icon | Click to expandAbstract | PDF file iconPDF (431 KB) |  | HTML iconHTML  

    We show that Kripke semantics of modal logic, manifest in the syntactic proof formalism of labeled sequent calculi, can be used to solve three central problems in access control: Generating evidence for denial of access (counter model generation), finding all consequences of a policy (saturation) and determining which additional credentials will allow an access (abduction). At the core of our work... View full abstract»

    Open Access
  • Mashic Compiler: Mashup Sandboxing Based on Inter-frame Communication

    Publication Year: 2012 , Page(s): 157 - 170
    Save to Project icon | Click to expandAbstract | PDF file iconPDF (580 KB) |  | HTML iconHTML  

    We propose a new compiler, called Mashic, for the automatic generation of secure Javascript-based mashups from existing mashup code. The Mashic compiler can effortlessly be applied to existing mashups based on a wide-range of gadget APIs. It offers security and correctness guarantees. Security is achieved via the Same Origin Policy. Correctness is ensured in the presence of benign gadgets, that sa... View full abstract»

    Open Access
  • Secure Compilation to Modern Processors

    Publication Year: 2012 , Page(s): 171 - 185
    Save to Project icon | Click to expandAbstract | PDF file iconPDF (513 KB) |  | HTML iconHTML  

    We present a secure (fully abstract) compilation scheme to compile an object-based high-level language to low-level machine code. Full abstraction is achieved by relying on a fine-grained program counter-based memory access protection scheme, which is part of our low-level target language. We discuss why standard compilers fail to provide full abstraction and introduce enhancements needed to achie... View full abstract»

    Open Access
  • Cache-Leakage Resilient OS Isolation in an Idealized Model of Virtualization

    Publication Year: 2012 , Page(s): 186 - 197
    Cited by:  Papers (1)
    Save to Project icon | Click to expandAbstract | PDF file iconPDF (789 KB) |  | HTML iconHTML  

    Virtualization platforms allow multiple operating systems to run on the same hardware. One of their central goal is to provide strong isolation between guest operating systems, unfortunately, they are often vulnerable to practical side-channel attacks. Cache attacks are a common class of side-channel attacks that use the cache as a side channel. We formalize an idealized model of virtualization th... View full abstract»

    Open Access
  • A Framework for the Cryptographic Verification of Java-Like Programs

    Publication Year: 2012 , Page(s): 198 - 212
    Cited by:  Papers (3)
    Save to Project icon | Click to expandAbstract | PDF file iconPDF (416 KB) |  | HTML iconHTML  

    We consider the problem of establishing cryptographic guarantees -- in particular, computational indistinguishability -- for Java or Java-like programs that use cryptography. For this purpose, we propose a general framework that enables existing program analysis tools that can check (standard) non-interference properties of Java programs to establish cryptographic security guarantees, even if the ... View full abstract»

    Open Access
  • Constructing Optimistic Multi-party Contract Signing Protocols

    Publication Year: 2012 , Page(s): 215 - 229
    Save to Project icon | Click to expandAbstract | PDF file iconPDF (295 KB) |  | HTML iconHTML  

    We give an explicit, general construction for optimistic multi-party contract signing protocols. Our construction converts a sequence over any finite set of signers into a protocol specification for the signers. The inevitable trusted third party's role specification and computations are independent of the signer's role specification. This permits a wide variety of protocols to be handled equally ... View full abstract»

    Open Access
  • Refining Key Establishment

    Publication Year: 2012 , Page(s): 230 - 246
    Save to Project icon | Click to expandAbstract | PDF file iconPDF (469 KB) |  | HTML iconHTML  

    We use refinement to systematically develop a family of key establishment protocols using a theorem prover. Our development spans four levels of abstraction: abstract security properties, message-less guard protocols, protocols communicating over channels with security properties, and protocols secure with respect to a Dolev-Yao intruder. The protocols we develop are Needham-Schroeder Shared Key, ... View full abstract»

    Open Access
  • Discovering Concrete Attacks on Website Authorization by Formal Analysis

    Publication Year: 2012 , Page(s): 247 - 262
    Cited by:  Papers (4)
    Save to Project icon | Click to expandAbstract | PDF file iconPDF (1021 KB) |  | HTML iconHTML  

    Social sign-on and social sharing are becoming an ever more popular feature of web applications. This success is largely due to the APIs and support offered by prominent social networks, such as Facebook, Twitter, and Google, on the basis of new open standards such as the OAuth 2.0 authorization protocol. A formal analysis of these protocols must account for malicious websites and common web appli... View full abstract»

    Open Access
  • Measuring Information Leakage Using Generalized Gain Functions

    Publication Year: 2012 , Page(s): 265 - 279
    Cited by:  Papers (1)
    Save to Project icon | Click to expandAbstract | PDF file iconPDF (478 KB) |  | HTML iconHTML  

    This paper introduces g-leakage, a rich generalization of the min-entropy model of quantitative information flow. In g-leakage, the benefit that an adversary derives from a certain guess about a secret is specified using a gain function g. Gain functions allow a wide variety of operational scenarios to be modeled, including those where the adversary benefits from guessing a value close to the secr... View full abstract»

    Open Access